
Inter-technology Conflict Analysis for Communication Protection Policies

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 8924))

Abstract

Usually network administrators implement a protection policy by refining a set of (abstract) communication security requirements into configuration settings for the security controls that will provide the required protection. The refinement consists of evaluating the available technologies that can enforce the policy at node and network level, selecting the most suitable ones, and possibly making fine adjustments, such as aggregating several individual channels into a single tunnel. The refinement process is a sensitive task which can lead to incorrect or suboptimal implementations, which in turn affect the overall security, decrease the network throughput and increase the maintenance costs. In the literature, several techniques exist that can be used to identify anomalies (i.e. potential incompatibilities and redundancies) among policy implementations. However, these techniques usually focus only on a single security technology (e.g. IPsec) and overlook the effects of multiple overlapping protection techniques. This paper presents a novel classification of communication protection policy anomalies and a formal model which is able to detect anomalies among policy implementations relying on technologies that work at different network layers. The result of our analysis allows administrators to have a precise insight into the various alternative implementations, their relations and the possibility of resolving anomalies, thus increasing the overall security and performance of a network.
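As an added illustration of the cross-layer anomaly detection the abstract describes (this is not the paper's formal model or its classification, which the preview does not detail), the sketch below compares policy implementations (PIs) that protect overlapping traffic with technologies at different layers and flags those that duplicate or strictly subsume each other. The layer numbers, anomaly labels, sample addresses and PI names are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Optional

# Assumed layer assignment: IPsec protects at the network layer; TLS and SSH
# are treated, as in the paper's note 1, as protecting every flow of a given port.
LAYER = {"IPsec": 3, "TLS": 5, "SSH": 5}

@dataclass(frozen=True)
class ProtectionPI:
    """One policy implementation: protect src -> dst[:port] with a technology."""
    name: str
    src: str                    # CIDR; a single host is a /32
    dst: str
    port: Optional[int]         # None: every port (typical of an IPsec tunnel)
    technology: str
    properties: FrozenSet[str]  # e.g. {"confidentiality", "integrity"}

def overlapping(a: ProtectionPI, b: ProtectionPI) -> bool:
    """True when the two PIs act on at least one common packet flow."""
    same_port = a.port is None or b.port is None or a.port == b.port
    return (ipaddress.ip_network(a.src).overlaps(ipaddress.ip_network(b.src))
            and ipaddress.ip_network(a.dst).overlaps(ipaddress.ip_network(b.dst))
            and same_port)

def find_anomalies(pis):
    """Return (kind, pi_a, pi_b) for every cross-layer pair protecting common traffic."""
    found = []
    for a, b in combinations(pis, 2):
        if not overlapping(a, b) or LAYER[a.technology] == LAYER[b.technology]:
            continue  # disjoint traffic, or same layer (out of scope for this sketch)
        if a.properties == b.properties:
            kind = "redundancy"  # identical protection applied twice: cost, no extra security
        elif a.properties < b.properties or b.properties < a.properties:
            kind = "inclusion"   # the weaker PI adds nothing the stronger one lacks
        else:
            kind = "partial-overlap"  # each PI supplies a property the other does not
        found.append((kind, a.name, b.name))
    return found

# Constructed sample policy: a site-to-site tunnel plus per-service channels.
CI = frozenset({"confidentiality", "integrity"})
SAMPLE = [
    ProtectionPI("ipsec-site", "10.1.0.0/16", "10.2.0.0/16", None, "IPsec", CI),
    ProtectionPI("tls-https", "10.1.0.0/16", "10.2.0.10/32", 443, "TLS", CI),
    ProtectionPI("ssh-admin", "10.1.0.5/32", "10.2.0.20/32", 22, "SSH", CI),
    ProtectionPI("ipsec-ah", "10.3.0.0/24", "10.2.0.0/16", None, "IPsec", frozenset({"integrity"})),
    ProtectionPI("tls-mail", "10.3.0.0/24", "10.2.0.30/32", 993, "TLS", CI),
]
```

Running `find_anomalies(SAMPLE)` reports the HTTPS and SSH channels as redundant with the tunnel that already covers them, and the AH-only tunnel as included in the TLS mail channel it overlaps.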



Notes

  1. It is possible to debate whether TLS and SSH are protocols that work at the transport or session layer and whether SSH is actually a general-purpose channel protection protocol. We avoid entering this discussion as both techniques, from our (practical) point of view, can be used to protect all the communications regarding a given port.

  2. To be more precise, from the security point of view, \(i_{\mathcal{C},\mathcal{S}}\) can be considered equivalent to \(i_{1,1}\) and \(i_{2,1}\) only if both subnets are considered trusted.

  3. A well-designed automatic refinement would never introduce these anomalies, but detecting them is nevertheless useful in the case of manual refinement.

  4. Technically a filtered PI is an anomaly between a communication protection PI and a filtering PI, but in this paper we are only interested in communication protection policies.

  5. http://security.polito.it/posecco/sdss/.

  6. http://www.posecco.eu/.


Acknowledgement

The research described in this paper is part of the SECURED project, co-funded by the European Commission under the ICT theme of FP7 (grant agreement no. 611458).

Author information

Corresponding author: Fulvio Valenza.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Basile, C., Canavese, D., Lioy, A., Valenza, F. (2015). Inter-technology Conflict Analysis for Communication Protection Policies. In: Lopez, J., Ray, I., Crispo, B. (eds) Risks and Security of Internet and Systems. CRiSIS 2014. Lecture Notes in Computer Science(), vol 8924. Springer, Cham. https://doi.org/10.1007/978-3-319-17127-2_10


  • DOI: https://doi.org/10.1007/978-3-319-17127-2_10


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-17126-5

  • Online ISBN: 978-3-319-17127-2
