ZERO-conflict: a grouping-based approach for automatic generation of IPSec/VPN security policies

  • Authors:
  • Kuong-Ho Chen; Yuan-Siao Liu; Tzong-Jye Liu; Chyi-Ren Dow

  • Affiliations:
  • Department of Computer Science, Feng Chia University, Seatwen, Taichung, Taiwan R.O.C (all authors)

  • Venue:
  • DSOM'06 Proceedings of the 17th IFIP/IEEE international conference on Distributed Systems: operations and management
  • Year:
  • 2006

Abstract

IPSec/VPN management is a complicated challenge, since IPSec functions correctly only if its security policies satisfy all administrative requirements. Computer-generated security policies tend to conflict with each other, which can cause network congestion or create security vulnerabilities. Conflict resolution has therefore become an issue. In this paper, a method to automatically generate policies is proposed. Instead of performing the complicated conflict-checking procedures that most existing works rely on, the proposed Zero-Conflict algorithm predicts and avoids conflicts in advance by using requirement groups and cut points. Because policies are established without any backward conflict check, the time complexity is significantly lower: O(n log n). Experimental results show that the method keeps the number of generated tunnels satisfactorily small.