IPSec/VPN Security Policy: Correctness, Conflict Detection and Resolution
Abstract
IPSec (Internet Security Protocol Suite) functions will be executed correctly only if its policies are correctly specified and configured. Manual IPSec policy configuration is inefficient and error-prone. An erroneous policy could lead to communication blockade or a serious security breach. In addition, even if policies are specified correctly in each domain, the diversified regional security policy enforcement can create significant problems for end-to-end communication because of interaction or conflicts among policies in different domains. A policy management system is therefore needed to systematically manage and verify various IPSec policies in order to ensure an end-to-end security service. This paper contributes to the development of an IPSec policy management system in two aspects. First, we defined a high-level security requirement, which is not only an essential component for automating the policy specification process of transforming security requirements into specific IPSec policies but can also be used as criteria to detect conflicts among IPSec policies, i.e. policies are correct only if they satisfy all requirements. Second, we developed mechanisms to detect and resolve conflicts among IPSec policies in both intra-domain and inter-domain environments.
Similar resources
IPsec/VPN security policy correctness and assurance
With IPSec/VPN policies being widely deployed, how to correctly specify and configure them is critical in enforcing security requirements. Under current practice, IPSec/VPN policies are usually specified manually by system administrators and thus prone to errors. However, dynamic aspects in the network may interfere with the existing policy set up and thus cause unexpected conflict. To deal wit...
IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution
IPSec (Internet Security Protocol Suite) functions will be executed correctly only if its policies are correctly specified and configured. Manual IPSec policy configuration is inefficient and error-prone. An erroneous policy could lead to communication blockade or serious security breach. In addition, even if policies are specified correctly in each domain, the diversified regional security pol...
IPsec/VPN Security Policy Engineering: Automatic Generation and Conflict Detection
IPsec is a useful IP layer security protocol which can provide authentication and encryption for end-to-end traffic flow, but configuring IPsec VPN tunnels is notoriously complicated because it has so many options (key exchange, ciphers, authentication etc) to configure. Thus the ultimate solutions to the security requirements are often prone to errors, let alone that dynamic routing changes ca...
Automatic Generation of IPSec/VPN Security Policies In an Intra-Domain Environment
IPSec [1] policies are widely deployed in firewalls or security gateways to protect information property. The security treatment (e.g. deny, allow or encrypt etc.) of all inbound or outbound traffic will be determined by the security policies, and thus it is critical for policies to be specified and configured correctly. IPSec policies are manually configured to individual security gateway in c...
Securing the Networked e-Business Throughout an Internet Distributed Organization
This paper explores an Internet-based VPN solution, built upon IPSec, which combines tunneling with PKI authentication and encryption. To protect the valuable company resources, an efficient intrusion/misuse detection and response system was incorporated into deployed security solution. This approach enabled a large-scale customer provide their global e-business safely. As a result, an integrat...
Publication date: 2000