Abstract
As firewall is the main front-end defense, IPSec is the standard for secure Internet communications, providing traffic integrity, confidentiality and authentication. Although IPSec supports a rich set of protection modes and operations, its policy configuration remains a complex and error-prone task. Unlike firewalls, IPSec exhibits more complex semantic that allows for triggering multiple rule actions of different security modes. This inherent complexity increases significantly the potential of policy misconfiguration and can violate the integrity of IPSec VPN security. Secure and safe deployment of IPSec requires thorough and automated analysis of the policy configuration consistency for firewall and IPSec devices across the entire network. In this chapter, we present a general composable model based on using Boolean expressions that can represent different ACL filtering semantics. We use this model to derive a canonical representation for firewall and IPSec policies using Ordered Binary Decision Diagrams. Based on this representation, we develop a comprehensive framework to classify and identify conflicts in a single firewall and IPSec device (intra-policy conflicts) or between different firewall and IPSec devices (inter-policy conflicts) in enterprise networks. Our testing and evaluation study on different network environments demonstrates the effectiveness and efficiency of our approach for identifying conflicts in firewall and IPSec policies.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
If the result of a OBDD operation does not evaluate to true, then it is either false or a predicate representing the resulting expression.
- 2.
Recall that, in general, the inbound policy of an IPSec device is a mirror image of the outbound policy.
References
E. Al-Shaer and H. Hamed. “Modeling and Management of Firewall Policies.” IEEE eTransactions on Network and Service Management, Volume 1-1, April 2004. http://www.etnsm.org/
E. Al-Shaer and H. Hamed. “Discovery of Policy Anomalies in Distributed Firewalls.” Proc. of IEEE INFOCOM’2004, March 2004.
R. Bryant. “Graph-Based Algorithms for Boolean Function Manipulation.” IEEE Transactions on Computers, August 1986.
J. Burch, E. Clarke, K. McMillan, D. Dill and J. Hwang. “Symbolic Model Checking: 1020 States and Beyond.” Journal of Information and Computation, Volume 98-2, 1992.
“Configuring IPSec Network Security.” Cisco IOS Security Configuration Guide, Release 12.2, Cisco Systems, Inc.
N. Doraswamy and D. Harkins. “IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks”, second edition. Prentice Hall PTR, March 2003.
P. Eronen and J. Zitting. “An Expert System for Analyzing Firewall Rules.” Proc. of 6 th Nordic Workshop on Secure Systems, November 2001.
Z. Fu, F. Wu, H. Huang, K. Loh, F. Gong, I. Baldine and C. Xu. “IPSec/VPN Security Policy: Correctness, Conflict Detection and Resolution.” Proc. of Policy’2001 Workshop, January 2001.
H. Hamed, E. Al-Shaer and W. Marrero. “Design and Implementation of Security Policy Advisor Tools.” Technical Report: CTI-TR-05-010, May 2005. http://www.mnlab.cs.depaul.edu/projects/SPA/files/spa-tr05010.pdf
S. Hazelhurst, A. Attar and R. Sinnappan. “Algorithms for Improving the Dependability of Firewall and Filter Rule Lists.” Proc. of IEEE Workshop on Dependability of IP Applications, Platforms and Networks, June 2000.
K. Jason, L. Rafalow and E. Vyncke. “IPsec Configuration Policy Information Model.” RFC 3585, IETF, August 2003.
S. Kent and R. Atkinson. “Security Architecture for the Internet Protocol.” RFC-2401, IETF, November 1998.
S. Kent and R. Atkinson. “IP Authentication Header (AH).” RFC 2402, IETF, November 1998.
S. Kent and R. Atkinson. “IP Encapsulating Security Payload (ESP).” RFC 2406, IETF, November 1998.
J. Lind-Nielsen. “The BuDDy OBDD package.” http://www.bdd-portal.org/buddy.html
A. Mayer, A. Wool and E. Ziskind. “Fang: A Firewall Analysis Engine.” Proc. of IEEE Symposium on Security and Privacy (SSP’00), May 2000.
Author information
Authors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Al-Shaer, E. (2014). Modeling and Verification of Firewall and IPSec Policies Using Binary Decision Diagrams. In: Automated Firewall Analytics. Springer, Cham. https://doi.org/10.1007/978-3-319-10371-6_2
Download citation
DOI: https://doi.org/10.1007/978-3-319-10371-6_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-10370-9
Online ISBN: 978-3-319-10371-6
eBook Packages: Computer ScienceComputer Science (R0)