S-VPN Policy: Access List Conflict Automatic Analysis and Resolution

Ferraresi, Simone; Pesic, Stefano; Trazza, Livia; Baiocchi, Andrea

doi:10.1007/978-3-8348-9195-2_29

Simone Ferraresi^1,2,
Stefano Pesic¹,
Livia Trazza¹ &
…
Andrea Baiocchi²

509 Accesses

Abstract

S-VPN gateways are today core elements in network security infrastructure. As networks and services become more complex, managing IPSec access rules becomes an error-prone task. Conflicts in a poiicy can cause holes in security, and often they can be hard to find when performing only visual or manual inspection. We have defined firstly a methodology to systematically classify the severity of rule conflicts and secondly we have proposed two different solutions to automatically resolve conflicts in an access list, implementing and testing one of them.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

E. Al Shaer and H. Hamed, “Modeling and Management of Firewall Policies”, in IEEE eTransactions on Network and Service Management, Volume 1-1, April 2004.
Google Scholar
E. Al Shaer, H. Hamed, R. Boutaba, M. Hasan, “Conflict Classification and Analysis of Distributed Firewall Policies”, in IEEE Journal on Selected Areas in Communications, vol. 23, no.10, October 2005.
Google Scholar
E. Al Shaer and H. Hamed, “Firewall Policy Advisor for Anomaly Detection and Rule Editing”, in Proceedings of IEEEIIFIP Integrated Management Conference (1M2003),March 2003.
Google Scholar
E. Al Shaer, H. Hamed, W. Marrero “Modeling and Verification of IPSec and VPN Security Policies”, Proceedings of IEEE ICNP’2005, November 2005.
Google Scholar
HB. Hari, S. Suri and G. Parulkar, “Detecting and Resolving Packet Filter Conflicts”, Proceedings of IEEE INFOCOM 2000, March 2000.
Google Scholar
M. Gouda and X. Liu, “Firewall Design: Consistency, Completeness, and Compactness” Proceedings of the 24th IEEE International Conference on Distributed Computing Systems (ICDCS’04), March 2004.
Google Scholar
S. Ioannidis, A. Keromytis, S. Bellovin and J. Smith, “Implementing a Distributed Firewall” Proceedings of 7th ACM Conference on Computer and Cornminications Security (CCS’OO), November 2000.
Google Scholar
W. Cheswick and S. Bellovin, “Firewalls and Internet Security”, AddisonWesley, 1995
Google Scholar

Download references

Author information

Authors and Affiliations

Elsag S.p.A., Via Naide, 43, 00155, Rome, Italy
Simone Ferraresi, Stefano Pesic & Livia Trazza
INFOCOM Dept., University of Rome “La Sapienza”, Via Eudossiana, 18, 00184, Rome, Italy
Simone Ferraresi & Andrea Baiocchi

Authors

Simone Ferraresi
View author publications
You can also search for this author in PubMed Google Scholar
Stefano Pesic
View author publications
You can also search for this author in PubMed Google Scholar
Livia Trazza
View author publications
You can also search for this author in PubMed Google Scholar
Andrea Baiocchi
View author publications
You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

Ferraresi, S., Pesic, S., Trazza, L., Baiocchi, A. (2006). S-VPN Policy: Access List Conflict Automatic Analysis and Resolution. In: ISSE 2006 — Securing Electronic Busines Processes. Vieweg. https://doi.org/10.1007/978-3-8348-9195-2_29

Download citation

DOI: https://doi.org/10.1007/978-3-8348-9195-2_29
Publisher Name: Vieweg
Print ISBN: 978-3-8348-0213-2
Online ISBN: 978-3-8348-9195-2
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics