Modeling and Verification of Firewall and IPSec Policies Using Binary Decision Diagrams

Al-Shaer, Ehab

doi:10.1007/978-3-319-10371-6_2

Ehab Al-Shaer²

1106 Accesses
2 Citations

Abstract

As firewall is the main front-end defense, IPSec is the standard for secure Internet communications, providing traffic integrity, confidentiality and authentication. Although IPSec supports a rich set of protection modes and operations, its policy configuration remains a complex and error-prone task. Unlike firewalls, IPSec exhibits more complex semantic that allows for triggering multiple rule actions of different security modes. This inherent complexity increases significantly the potential of policy misconfiguration and can violate the integrity of IPSec VPN security. Secure and safe deployment of IPSec requires thorough and automated analysis of the policy configuration consistency for firewall and IPSec devices across the entire network. In this chapter, we present a general composable model based on using Boolean expressions that can represent different ACL filtering semantics. We use this model to derive a canonical representation for firewall and IPSec policies using Ordered Binary Decision Diagrams. Based on this representation, we develop a comprehensive framework to classify and identify conflicts in a single firewall and IPSec device (intra-policy conflicts) or between different firewall and IPSec devices (inter-policy conflicts) in enterprise networks. Our testing and evaluation study on different network environments demonstrates the effectiveness and efficiency of our approach for identifying conflicts in firewall and IPSec policies.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 84.99; Price excludes VAT (USA)

Softcover Book: USD 109.99; Price excludes VAT (USA)

Hardcover Book: USD 109.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

1.
If the result of a OBDD operation does not evaluate to true, then it is either false or a predicate representing the resulting expression.
2.
Recall that, in general, the inbound policy of an IPSec device is a mirror image of the outbound policy.

References

E. Al-Shaer and H. Hamed. “Modeling and Management of Firewall Policies.” IEEE eTransactions on Network and Service Management, Volume 1-1, April 2004. http://www.etnsm.org/
E. Al-Shaer and H. Hamed. “Discovery of Policy Anomalies in Distributed Firewalls.” Proc. of IEEE INFOCOM’2004, March 2004.
Google Scholar
R. Bryant. “Graph-Based Algorithms for Boolean Function Manipulation.” IEEE Transactions on Computers, August 1986.
Google Scholar
J. Burch, E. Clarke, K. McMillan, D. Dill and J. Hwang. “Symbolic Model Checking: 10²⁰ States and Beyond.” Journal of Information and Computation, Volume 98-2, 1992.
Google Scholar
“Configuring IPSec Network Security.” Cisco IOS Security Configuration Guide, Release 12.2, Cisco Systems, Inc.
Google Scholar
N. Doraswamy and D. Harkins. “IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks”, second edition. Prentice Hall PTR, March 2003.
Google Scholar
P. Eronen and J. Zitting. “An Expert System for Analyzing Firewall Rules.” Proc. of 6 ^th Nordic Workshop on Secure Systems, November 2001.
Google Scholar
Z. Fu, F. Wu, H. Huang, K. Loh, F. Gong, I. Baldine and C. Xu. “IPSec/VPN Security Policy: Correctness, Conflict Detection and Resolution.” Proc. of Policy’2001 Workshop, January 2001.
Google Scholar
H. Hamed, E. Al-Shaer and W. Marrero. “Design and Implementation of Security Policy Advisor Tools.” Technical Report: CTI-TR-05-010, May 2005. http://www.mnlab.cs.depaul.edu/projects/SPA/files/spa-tr05010.pdf
S. Hazelhurst, A. Attar and R. Sinnappan. “Algorithms for Improving the Dependability of Firewall and Filter Rule Lists.” Proc. of IEEE Workshop on Dependability of IP Applications, Platforms and Networks, June 2000.
Google Scholar
K. Jason, L. Rafalow and E. Vyncke. “IPsec Configuration Policy Information Model.” RFC 3585, IETF, August 2003.
Google Scholar
S. Kent and R. Atkinson. “Security Architecture for the Internet Protocol.” RFC-2401, IETF, November 1998.
Google Scholar
S. Kent and R. Atkinson. “IP Authentication Header (AH).” RFC 2402, IETF, November 1998.
Google Scholar
S. Kent and R. Atkinson. “IP Encapsulating Security Payload (ESP).” RFC 2406, IETF, November 1998.
Google Scholar
J. Lind-Nielsen. “The BuDDy OBDD package.” http://www.bdd-portal.org/buddy.html
A. Mayer, A. Wool and E. Ziskind. “Fang: A Firewall Analysis Engine.” Proc. of IEEE Symposium on Security and Privacy (SSP’00), May 2000.
Google Scholar

Download references

Author information

Authors and Affiliations

University of North Carolina Charlotte, Charlotte, NC, USA
Ehab Al-Shaer

Authors

Ehab Al-Shaer
View author publications
You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

Al-Shaer, E. (2014). Modeling and Verification of Firewall and IPSec Policies Using Binary Decision Diagrams. In: Automated Firewall Analytics. Springer, Cham. https://doi.org/10.1007/978-3-319-10371-6_2

Download citation

DOI: https://doi.org/10.1007/978-3-319-10371-6_2
Published: 27 August 2014
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-10370-9
Online ISBN: 978-3-319-10371-6
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics