Abstract
IPSec (Internet Security Protocol Suite) functions will be executed correctly only if its policies are correctly specified and configured. Manual IPSec policy configuration is inefficient and error-prone. An erroneous policy could lead to communication blockade or serious security breach. In addition, even if policies are specified correctly in each domain, the diversified regional security policy enforcement can create significant problems for end-to-end communication because of interaction among policies in different domains. A policy management system is, therefore, demanded to systematically manage and verify various IPSec policies in order to ensure an end-to-end security service. This paper contributes to the development of an IPSec policy management system in two aspects. First, we defined a high-level security requirement, which not only is an essential component to automate the policy specification process of transforming from security requirements to specific IPSec policies but also can be used as criteria to detect conflicts among IPSec policies, i.e. policies are correct only if they satisfy all requirements. Second, we developed mechanisms to detect and resolve conflicts among IPSec policies in both intra-domain and inter-domain environment.
This Research is supported in part by the U.S. Department of Defense Advanced Research Projects Agency under contract DABT63-97-C-0045 and in part by Nortel Networks.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Kent, S., Atkinson, R.: Security Architecture for the Internet Protocol. RFC-2401, IETF, Nov. 1998.
Moffett, J. D., Sloman, M. S.: Policy Hierarchies for Distributed Systems Management. IEEE Journal on Selected Areas in Communication, vol. 11, pp. 1404–1414, 1993
Condell, M., Lynn, C., Zao, J.: Security Policy Specification Language. Internet Draft, 〈draft-ietf-ipsp-spsl-00.txt〉, March, 2000
Jason, J.: IPsec Configuration Policy Model. Internet Draft 〈draft-ietf-ipsp-config-policy-model-00.txt〉, March, 2000
Pereira, R., Bhattacharya, P., IPSec Policy Data Model. Internet Draft 〈draft-ietf-ipsec-policy-model-00.txt〉, Feb. 1998
Moffett, J. D.: Requirements and Policies. Position paper for Policy Workshop 1999
Horowitz, E., Sahni, S.: Fundamentals of Computer Algorithms. Computer Science Press Inc.,1978.
Gen, M., Cheng, R.: Genetic Algorithms & Engineering Optimization. Wiley-Interscience, 2000
Xu, C., Gong, F., Baldine, I., Sargor, C., Jou, F., Wu, S. F., Fu, Z., Huang, H.: Celestial Security Management System. DARPA Information Survivability Conference and Exposition, 2000. DISCEX’ 00. Proceedings, Volume: 1, 1999, Page(s): 162–172 vol.1
Fu, Z., Huang, H., Wu, T., Wu, S.F., Gong, F., Xu, C., Baldine, I: ISCP: Design and Implementation of An Inter-Domain Security Management Agent (SMA) Coordination Protocol. Proceedings, NOMS 2000, Pages 565–578.
Sanchez, L.A., Condell, M.N: Security Policy System. Internet Draft, 〈draft-ietf-ipsec-sps-00.txt〉, Nov. 1998
Zao, J., Sanchez, L., Condell, M. Lyn, C., Fredette, M., Helinek, P., Krishnan, P., Jackson, A., Mankins, D., Shepard, M., Kent, S.: Domain Based Internet Security Policy Management. DARPA Information Survivability Conference and Exposition, 2000. DISCEX’ 00. Proceedings,1999, Pages: 41–53 vol.1
Lupu, E.C., Sloman, M: Conflict Analysis for Management Polcies. Proc. 5th IFIP/IEEE International Symposium on Integrated Network Management, pages 430–443, 1997
Lupu E.C., Sloman, M: Conflicts in Policy-Based Distributed Systems Management. IEEE Transaction on Software Engineering. Vol. 25, No. 6, pages 852–869, Nov./Dec. 1999
Cholvy L. and Cuppens, F.: Analyzing Consistency of Security Policies. IEEE Symposium on Security and Privacy, 1997, Proceedings
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2001 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Fu, Z. et al. (2001). IPSec/VPN Security Policy: Correctness, Conflict Detection, and Resolution. In: Sloman, M., Lupu, E.C., Lobo, J. (eds) Policies for Distributed Systems and Networks. POLICY 2001. Lecture Notes in Computer Science, vol 1995. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44569-2_3
Download citation
DOI: https://doi.org/10.1007/3-540-44569-2_3
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-41610-4
Online ISBN: 978-3-540-44569-2
eBook Packages: Springer Book Archive