Abstract
One of the most important protocols for implementing the tunnels that make up a secure virtual private network is IPsec. IPsec policies are widely used to limit access to information at security gateways and firewalls. The security treatment of traffic, namely Deny, Allow or Encrypt, is applied to both outbound and inbound traffic by security policies, so it is important that these policies are configured properly. The current methods for creating security policies from a given set of security requirements are not efficient enough, i.e. they create many more policies than there are requirements. In this paper, we define a new method to decrease the number of security policies adopted for a specific set of security requirements without any undesirable effect. Our measurements show that security policy creation becomes more efficient and that policy updating time is decreased.
© 2009 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
Cite this paper
Sadeghi, M.M.G., Mohd Ali, B., Pedram, H., Deghan, M., Sabaei, M. (2009). A New Method for Creating Efficient Security Policies in Virtual Private Network. In: Bertino, E., Joshi, J.B.D. (eds) Collaborative Computing: Networking, Applications and Worksharing. CollaborateCom 2008. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 10. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03354-4_49
DOI: https://doi.org/10.1007/978-3-642-03354-4_49
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03353-7
Online ISBN: 978-3-642-03354-4