IPSec has become the de facto standard protocol for secure Internet communications, providing traffic integrity, confidentiality and authentication. Although IPSec supports a rich set of protection modes and operations, its policy configuration remains a complex and error-prone task. The complex semantics of IPSec policies, which allow multiple rule actions with different security modes and operations to be triggered and coordinated between different IPSec gateways in the network, significantly increase the likelihood of policy misconfiguration and thereby of insecure transmission. Successful deployment of IPSec requires thorough and automated analysis of the policy configuration consistency of IPSec devices across the entire network. In this paper, we present a generic model that captures various filtering policy semantics using Boolean expressions. We use this model to derive a canonical representation for IPSec policies using Ordered Binary Decision Diagrams. Based on this representation, we develop a comprehensive framework to classify and identify conflicts that could exist in a single IPSec device (intra-policy conflicts) or between different IPSec devices (inter-policy conflicts) in enterprise networks. Our testing and evaluation study on different network environments demonstrates the effectiveness and efficiency of our approach.
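The abstract describes three steps: rule predicates as Boolean expressions, a canonical representation so that two predicates can be compared for subset and overlap, and a pairwise classification of intra-policy and inter-policy conflicts. The following is an added illustration written for this page, not code from the paper or its authors. It assumes a toy header space (four hosts, two protocols) and replaces the Ordered Binary Decision Diagram with a truth table packed into a Python int, which is also canonical (equal predicates give equal ints) but does not scale to real address ranges. The anomaly names (shadowing, redundancy, generalization, correlation) follow the common firewall-conflict vocabulary and are an assumption about how the paper's classes map onto first-match semantics; the inter-policy check is simplified to "both gateways apply their policy to the same flow" and ignores tunnel endpoints and modes. Host names, rule names and both policies are constructed.

```python
"""Toy model of filtering-policy semantics as Boolean expressions.

Added example, not code from the paper. ASSUMPTION: instead of an Ordered
Binary Decision Diagram, each rule predicate is a truth table packed into a
Python int over a tiny enumerated header space (4 sources x 4 destinations
x 2 protocols = 32 bits). Packed truth tables are also canonical (equal
predicates give equal ints) but, unlike OBDDs, do not scale to 32-bit
addresses; the conflict logic below is the same either way.
"""
from collections import namedtuple
from itertools import product

SRC = ["h0", "h1", "h2", "h3"]      # constructed host identifiers
DST = ["h0", "h1", "h2", "h3"]
PROTO = ["tcp", "udp"]
FULL = (1 << (len(SRC) * len(DST) * len(PROTO))) - 1   # the whole header space

Rule = namedtuple("Rule", "name pred action")   # action: protect | bypass | discard


def _bit(s, d, p):
    """Bit index of one (src, dst, proto) point in the packed truth table."""
    return 1 << ((s * len(DST) + d) * len(PROTO) + p)


def predicate(src=None, dst=None, proto=None):
    """Boolean predicate of a rule; None means 'any' for that field."""
    mask = 0
    for s, d, p in product(range(len(SRC)), range(len(DST)), range(len(PROTO))):
        if (src is None or SRC[s] in src) and (dst is None or DST[d] in dst) \
                and (proto is None or PROTO[p] in proto):
            mask |= _bit(s, d, p)
    return mask


def decode(mask):
    """Expand a predicate back into the flows it matches (for reports)."""
    return [(SRC[s], DST[d], PROTO[p])
            for s, d, p in product(range(len(SRC)), range(len(DST)), range(len(PROTO)))
            if mask & _bit(s, d, p)]


def intra_policy_anomalies(policy):
    """Pairwise first-match conflicts inside one device's ordered policy.

    Returns (kind, rule_x, rule_y):
      shadowing      - later rule_x can never fire; earlier rule_y (other action) covers it
      redundancy     - rule_x can be removed; rule_y already yields the same action
      generalization - later rule_x is a superset of earlier rule_y with another action
                       (often intended, but worth a review)
      correlation    - rule_x and rule_y partially overlap with different actions,
                       so their relative order decides the fate of the overlap
    """
    found = []
    for j, rj in enumerate(policy):
        for i in range(j):
            ri = policy[i]
            if not (ri.pred & rj.pred):
                continue                          # disjoint: no interaction
            j_in_i = (rj.pred & ~ri.pred) == 0    # rj is a subset of ri
            i_in_j = (ri.pred & ~rj.pred) == 0    # ri is a subset of rj
            if j_in_i:
                kind = "shadowing" if ri.action != rj.action else "redundancy"
                found.append((kind, rj.name, ri.name))
            elif i_in_j:
                if ri.action != rj.action:
                    found.append(("generalization", rj.name, ri.name))
                elif not any(policy[k].pred & ri.pred and policy[k].action != ri.action
                             for k in range(i + 1, j)):
                    # the earlier, more specific rule is redundant only if no rule
                    # in between diverts part of its traffic to another action
                    found.append(("redundancy", ri.name, rj.name))
            elif ri.action != rj.action:
                found.append(("correlation", ri.name, rj.name))
    return found


def effective_actions(policy, default="discard"):
    """Resolve first-match semantics: action -> mask of traffic it really gets."""
    eff, covered = {}, 0
    for r in policy:
        eff[r.action] = eff.get(r.action, 0) | (r.pred & ~covered)
        covered |= r.pred
    eff[default] = eff.get(default, 0) | (FULL & ~covered)
    return eff


def inter_policy_conflicts(policy_a, policy_b):
    """Flows the two gateways would treat differently. Simplified: assumes both
    gateways apply their policy to the same flow (e.g. A outbound, B inbound)."""
    ea, eb = effective_actions(policy_a), effective_actions(policy_b)
    out = []
    for act_a, mask_a in ea.items():
        for act_b, mask_b in eb.items():
            if act_a != act_b and mask_a & mask_b:
                out += [(flow, act_a, act_b) for flow in decode(mask_a & mask_b)]
    return out


# Constructed policies for two peer gateways (not taken from the paper).
GW_A = [
    Rule("A1", predicate(src=["h0"], dst=["h2"], proto=["tcp"]), "protect"),
    Rule("A2", predicate(src=["h0"], dst=["h2"]), "bypass"),            # generalizes A1
    Rule("A3", predicate(src=["h1"], dst=["h2", "h3"], proto=["udp"]), "discard"),
    Rule("A4", predicate(src=["h1"], dst=["h3"]), "protect"),            # correlates with A3
    Rule("A5", predicate(src=["h0"], dst=["h2"], proto=["udp"]), "bypass"),  # redundant to A2
    Rule("A6", predicate(src=["h0"], dst=["h2"], proto=["tcp"]), "discard"), # shadowed by A1
]
GW_B = [
    Rule("B1", predicate(src=["h0"], dst=["h2"]), "protect"),   # A bypasses h0->h2 udp
    Rule("B2", predicate(src=["h1"], dst=["h3"], proto=["tcp"]), "protect"),
]

if __name__ == "__main__":
    for anomaly in intra_policy_anomalies(GW_A):
        print("intra", anomaly)
    for flow, act_a, act_b in inter_policy_conflicts(GW_A, GW_B):
        print("inter", flow, "A:", act_a, "B:", act_b)
```

The inter-policy step shows why effective (first-match resolved) actions, not raw rules, must be compared: gateway A's rule A2 sends h0 to h2 UDP traffic in the clear while gateway B expects it protected, which is exactly the kind of plaintext leak that a per-rule review of either device alone would miss.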