ZERO-Conflict: A Grouping-Based Approach for Automatic Generation of IPSec/VPN Security Policies
Authors
Abstract
IPSec/VPN management is a complicated challenge, since IPSec functions correctly only if its security policies satisfy all administrated requirements. Computer-generated security policies tend to conflict with each other, which can cause network congestion or create security vulnerabilities. Conflict resolution has thus become an issue. In this paper, a method to automatically generate policies is proposed. Instead of performing complicated conflict-checking procedures as most existing works do, the proposed ZeroConflict algorithm predicts and avoids conflicts in advance by using requirement groups and cut-point techniques. Because policies are established without the need for a backward conflict check, the algorithm has a significantly lower time complexity, O(n log n). Experimental results show that it maintains a satisfactorily minimal number of generated tunnels.
Similar resources
IPsec/VPN Security Policy Engineering: Automatic Generation and Conflict Detection
IPsec is a useful IP layer security protocol which can provide authentication and encryption for end-to-end traffic flow, but configuring IPsec VPN tunnels is notoriously complicated because it has so many options (key exchange, ciphers, authentication etc) to configure. Thus the ultimate solutions to the security requirements are often prone to errors, let alone that dynamic routing changes ca...
IPsec/VPN security policy correctness and assurance
With IPSec/VPN policies being widely deployed, how to correctly specify and configure them is critical in enforcing security requirements. Under current practice, IPSec/VPN policies are usually specified manually by system administrators and thus prone to errors. However, dynamic aspects in the network may interfere with the existing policy set up and thus cause unexpected conflict. To deal wit...
BANDS: An Inter-domain Internet Security Policy Management System for IPSec/VPN
IPSec/VPN is widely deployed for users to remotely access their corporate data. IPSec policies must be correctly set up for VPN to provide anticipated protection. Manual policy setup is unscalable, inefficient and error-prone. Automated policy generation to comply with and enforce high-level security policies is desired but difficult, especially in an inter-domain environment when a VPN traverse...
On Securing Wireless LANs and Supporting Nomadic Users with Microsoft’s IPSec Implementation
Wireless LANs, like the IEEE 802.11 WLANs, are more vulnerable than their wired counterparts. The IEEE 802.11 specification includes an encryption protocol, WEP (Wired Equivalent Protocol), but this protocol exhibits severe weaknesses: there is no automatic key distribution protocol and WEP’s security itself has been shown to be seriously flawed. As a result, many of today’s IEEE 802.11 network...
IPSec/VPN Security Policy: Correctness, Conflict Detection and Resolution
IPSec (Internet Security Protocol Suite) functions will be executed correctly only if its policies are correctly specified and configured. Manual IPSec policy configuration is inefficient and error-prone. An erroneous policy could lead to communication blockade or serious security breach. In addition, even if policies are specified correctly in each domain, the diversified regional security pol...