S-VPN Policy: Access List Conflict Automatic Analysis and Resolution
S-VPN gateways are today core elements of network security infrastructure. As networks and services grow more complex, managing IPsec access rules becomes an error-prone task. Conflicts in a policy can open holes in security, and they are often hard to find by visual or manual inspection alone. We first define a methodology to systematically classify the severity of rule conflicts, and then propose two different solutions to automatically resolve conflicts in an access list, implementing and testing one of them.
Keywords: Exact Match, Security Manager, Rule Match, Conflict Analysis, Redundant Rule