Abstract
Usually network administrators implement a protection policy by refining a set of (abstract) communication security requirements into configuration settings for the security controls that will provide the required protection. The refinement consists of evaluating the available technologies that can enforce the policy at node and network level, selecting the most suitable ones, and possibly making fine adjustments, like aggregating several individual channels into a single tunnel. The refinement process is a sensitive task which can lead to incorrect or suboptimal implementations, which in turn affect the overall security, decrease the network throughput and increase the maintenance costs. In the literature, several techniques exist that can be used to identify anomalies (i.e. potential incompatibilities and redundancies) among policy implementations. However, these techniques usually focus only on a single security technology (e.g. IPsec) and overlook the effects of multiple overlapping protection techniques. This paper presents a novel classification of communication protection policy anomalies and a formal model which is able to detect anomalies among policy implementations relying on technologies that work at different network layers. The result of our analysis allows administrators to have a precise insight into the various alternative implementations, their relations and the possibility of resolving anomalies, thus increasing the overall security and performance of a network.
Notes
- 1.
It is possible to debate whether TLS and SSH are protocols that work at the transport or session layer, and whether SSH is actually a general-purpose channel protection protocol. We avoid entering this discussion as both techniques, from our (practical) point of view, can be used to protect all the communications regarding a given port.
- 2.
To be more precise, from the security point of view, \(i_{\mathcal{C},\mathcal{S}}\) can be considered equivalent to \(i_{1,1}\) and \(i_{2,1}\) only if both subnets are considered trusted.
- 3.
A well-designed automatic refinement would never introduce these anomalies, but detecting them is nevertheless useful in case of manual refinement.
- 4.
Technically, a filtered PI is an anomaly between a communication protection PI and a filtering PI, but in this paper we are only interested in communication protection policies.
- 5.
- 6.
Acknowledgement
The research described in this paper is part of the SECURED project, co-funded by the European Commission under the ICT theme of FP7 (grant agreement no. 611458).
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Basile, C., Canavese, D., Lioy, A., Valenza, F. (2015). Inter-technology Conflict Analysis for Communication Protection Policies. In: Lopez, J., Ray, I., Crispo, B. (eds) Risks and Security of Internet and Systems. CRiSIS 2014. Lecture Notes in Computer Science(), vol 8924. Springer, Cham. https://doi.org/10.1007/978-3-319-17127-2_10
DOI: https://doi.org/10.1007/978-3-319-17127-2_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17126-5
Online ISBN: 978-3-319-17127-2
eBook Packages: Computer Science (R0)