Policy Validation

It can be useful to have standing policy checks that are scripted to be run against configurations at key points in the network security implementation lifecycle. InfoSecter provides Querent to help you write and manage descriptions of sets of packets and their expected actions. InfoSecter can process these packet descriptions or expressions against a device configuration in one of two ways: as a query or a constraint.

In both cases, Analyzer computes the lines of the configuration that affect the packets in the description. In the query case, Analyzer creates a report that includes the packet processing configuration lines that match the packet expression. In the constraint case, Analyzer creates a report that includes the packet processing configuration lines that do not match the packet expression.

Invoke a query if there are key areas of the packet space you particularly want to review. This is very similar to setting filters within Visualizer while reviewing a dissected configuration.

Invoke a constraint if there are key action and packet settings that must always be preserved. The packet expression specifies this constraint. You only need to be informed if the constraint is violated. Thus, you can develop a library of constraints based on the operations in your information and run the constraints against every proposed configuration change.

In both cases, the report describes the affected packet areas and relates lines from the packet expression to the configuration lines that affect the packet in this configuration.
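
The difference between the two modes can be seen in a small conceptual model, added here as an illustration; it is not Querent syntax or InfoSecter code. The rule format, first-match evaluation, implicit default deny, and all function and variable names are assumptions made for the example.

```python
import ipaddress
from itertools import product

# Constructed sample configuration: (line number, action, source network, dest port).
# Assumption: the first matching line decides the packet; port None matches any port.
CONFIG = [
    (10, "permit", "10.0.0.0/30", 443),
    (20, "permit", "10.0.0.2/32", 23),
    (30, "deny",   "0.0.0.0/0",   None),
]

def deciding_line(src, port):
    """Return (line, action) of the first configuration line matching the packet."""
    for line, action, net, rule_port in CONFIG:
        if src in ipaddress.ip_network(net) and rule_port in (None, port):
            return line, action
    return None, "deny"  # assumed implicit default when no line matches

def affected(expr):
    """Map each deciding (line, action) to the packets of the expression it decides."""
    hits = {}
    sources = ipaddress.ip_network(expr["src"])
    for src, port in product(sources, expr["ports"]):
        hits.setdefault(deciding_line(src, port), []).append((str(src), port))
    return hits

def query(expr):
    """Query mode: report every line that decides a packet in the expression."""
    return sorted(line for line, _ in affected(expr))

def constraint(expr):
    """Constraint mode: report only lines whose action differs from the expected one."""
    return sorted(line for line, action in affected(expr)
                  if action != expr["expect"])

# Hypothetical packet expressions (constructed for this example).
TELNET_DENIED = {"src": "10.0.0.0/30", "ports": [23], "expect": "deny"}
HTTPS_ALLOWED = {"src": "10.0.0.0/30", "ports": [443], "expect": "permit"}

if __name__ == "__main__":
    for name, expr in (("telnet", TELNET_DENIED), ("https", HTTPS_ALLOWED)):
        print(name, "query lines:", query(expr),
              "constraint violations:", constraint(expr))
```

Run as a query, the telnet expression reports both lines that decide those packets; run as a constraint, it reports only line 20, the line that permits telnet from one host. The HTTPS constraint reports nothing because every packet receives the expected action.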