Modeling and verification of IPSec and VPN security policies

IPSec has become the de facto standard protocol for secure Internet communications, providing traffic integrity, confidentiality and authentication. Although IPSec supports a rich set of protection modes and operations, its policy configuration remains a complex and error-prone task. The complex semantics of IPSec policies, which allow multiple rule actions with different security modes/operations to be triggered and coordinated between different IPSec gateways in the network, significantly increase the potential for policy misconfiguration and thereby insecure transmission. Successful deployment of IPSec requires thorough and automated analysis of the consistency of the policy configuration across all IPSec devices in the network. In this paper, we present a generic model that captures various filtering policy semantics using Boolean expressions. We use this model to derive a canonical representation for IPSec policies using ordered binary decision diagrams. Based on this representation, we develop a comprehensive framework to classify and identify conflicts that could exist within a single IPSec device (intra-policy conflicts) or between different IPSec devices (inter-policy conflicts) in enterprise networks. Our testing and evaluation study on different network environments demonstrates the effectiveness and efficiency of our approach.
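An added illustration, not code from the paper: on a small constructed three-field packet domain, explicit packet sets stand in for the paper's OBDD canonical form (on a finite domain, equal sets means equal match conditions), first-match semantics gives each rule its effective packet set, and that is enough to flag two intra-policy conflict kinds (shadowing and correlation, names assumed from the firewall-anomaly literature rather than taken from this page) and one inter-policy conflict (a sender protecting a flow that its peer gateway bypasses or discards). The gateway policies and address ranges are constructed for the example.

```python
from itertools import product

# Constructed field domains, small enough that the whole packet space is enumerable.
SRC = ("10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24")
DST = ("10.5.0.0/24", "10.6.0.0/24")
PROTO = ("tcp", "udp")
SPACE = frozenset(product(SRC, DST, PROTO))

def match_set(cond):
    """Canonical form of a match condition: the exact packet set it covers ("*" = wildcard).
    On a finite domain this plays the role the OBDD plays in the paper: equal sets <=> equal conditions."""
    return frozenset(p for p in SPACE if all(v == "*" or p[i] == v for i, v in enumerate(cond)))

def effective_sets(policy):
    """First-match semantics: each rule decides only the packets no earlier rule matched."""
    seen, out = frozenset(), []
    for cond, action in policy:
        m = match_set(cond)
        out.append((m - seen, action))
        seen |= m
    return out

def intra_conflicts(policy):
    """Shadowing: a rule can never fire. Correlation: partial overlap with an earlier rule of a different action."""
    found = []
    for i, ((cond, action), (eff, _)) in enumerate(zip(policy, effective_sets(policy))):
        if not eff:
            found.append(("shadowed", i))
        m = match_set(cond)
        for j, (pcond, paction) in enumerate(policy[:i]):
            pm = match_set(pcond)
            if paction != action and m & pm and not (m <= pm or pm <= m):
                found.append(("correlated", j, i))
    return found

def inter_conflicts(sender, receiver):
    """Packets the sender protects must also be 'protect' at the receiver; unmatched traffic is treated as discarded."""
    decide = lambda pol: {p: a for eff, a in effective_sets(pol) for p in eff}
    s, r = decide(sender), decide(receiver)
    return sorted(p for p, a in s.items() if a == "protect" and r.get(p, "discard") != "protect")

# Constructed policies: (src, dst, proto) -> action, evaluated first-match.
GW1 = [(("10.1.0.0/24", "*", "tcp"), "protect"),            # rule 0
       (("*", "10.6.0.0/24", "tcp"), "bypass"),             # rule 1: partially overlaps rule 0
       (("10.2.0.0/24", "*", "*"), "protect"),              # rule 2
       (("10.2.0.0/24", "10.5.0.0/24", "udp"), "discard")]  # rule 3: fully covered by rule 2
GW2 = [(("10.1.0.0/24", "10.5.0.0/24", "tcp"), "protect"),
       (("10.2.0.0/24", "*", "*"), "bypass")]               # peer bypasses traffic GW1 protects

if __name__ == "__main__":
    print(intra_conflicts(GW1))
    print(inter_conflicts(GW1, GW2))
```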
