Intra and inter policy Conflicts Dynamic Detection Algorithm

IPsec (Internet Protocol security) is a set of mechanisms proposed to secure IP network data communication. However, IPsec functions properly only when its security policy requirements are met. Security policy configuration is a complex and error-prone task because of the complex semantics of policy rules. In a dynamic environment, where the policy rules are frequently updated, the error rate is higher. The policy of each network device should be analyzed carefully to prevent security policy conflicts. Different types of conflicts can be identified, caused either by rule misconfiguration within a single IPsec device (intra-policy conflicts) or by inconsistency between different IPsec policies (inter-policy conflicts). Policy conflicts can cause serious security violations, which increase the network's vulnerability. In this paper we propose an algorithm for dynamic detection of both intra- and inter-policy IPsec security conflicts. The proposed algorithm is based on a simple and comprehensive mechanism that uses Boolean functions to classify and identify conflicts. The resolution of intra-policy conflicts is also integrated into our algorithm.
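As an added illustration (not the paper's own algorithm), the following Python models IPsec policy rules as Boolean selector functions and uses them to flag one intra-policy conflict (a later rule shadowed by an earlier, broader rule with a different action) and one inter-policy conflict (two gateways deciding differently for the same flow). The Rule model, the default-discard assumption and the two sample gateway policies are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str        # CIDR selector (constructed model, not the paper's)
    dst: str        # CIDR selector
    proto: str      # 'tcp', 'udp' or 'any'
    dport: tuple    # inclusive (lo, hi)
    action: str     # 'protect', 'bypass' or 'discard'

    def matches(self, pkt):
        """Boolean function of one rule: True when the packet is selected by it."""
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport[0] <= pkt["dport"] <= self.dport[1])

def subsumes(a, b):
    """True when every packet selected by b is also selected by a."""
    return (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and a.proto in ("any", b.proto)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])

def intra_conflicts(policy):
    """Shadowing inside one ordered policy: a later rule can never fire because
    an earlier, broader rule with a different action always matches first."""
    found = []
    for j, later in enumerate(policy):
        for i, earlier in enumerate(policy[:j]):
            if subsumes(earlier, later) and earlier.action != later.action:
                found.append(("shadowed", i, j))
                break
    return found

def decide(policy, pkt):
    """First-match evaluation; unselected traffic is discarded (assumed default)."""
    return next((r.action for r in policy if r.matches(pkt)), "discard")

def inter_conflicts(policy_a, policy_b, flows):
    """Two peers are inconsistent on a flow when their decisions differ."""
    return [f for f in flows if decide(policy_a, f) != decide(policy_b, f)]

# Constructed sample: two gateways, selectors written from A's outbound view.
GW_A = [Rule("10.1.0.0/16", "10.2.0.0/16", "any", (0, 65535), "protect"),
        Rule("10.1.5.0/24", "10.2.0.0/16", "tcp", (443, 443), "bypass")]  # shadowed
GW_B = [Rule("10.1.0.0/16", "10.2.0.0/16", "tcp", (443, 443), "bypass"),
        Rule("10.1.0.0/16", "10.2.0.0/16", "any", (0, 65535), "protect")]
FLOWS = [{"src": "10.1.5.7", "dst": "10.2.1.1", "proto": "tcp", "dport": 443},
         {"src": "10.1.9.9", "dst": "10.2.1.1", "proto": "udp", "dport": 500}]
```

Running `intra_conflicts(GW_A)` reports rule 1 shadowed by rule 0, and `inter_conflicts(GW_A, GW_B, FLOWS)` reports the TCP/443 flow, which A protects but B bypasses.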
