How to Find Conflicts in Network Security Policies – Guideline


This article addresses what is today the greatest challenge of network security configuration. Firewalls and IPSec gateways have become integral parts of every network, business or personal, so an expert administrator is needed to configure the security policies of these devices. Even an expert, however, can introduce serious conflicts while deploying those policies. This article therefore offers readers a complete guideline on how to avoid security policy conflicts and misconfigurations in firewalls and IPSec gateways. We are going to discuss:

  • Components of network security policies
  • How to filter the security rules
  • Classifying conflicts related to access lists and map lists
  • Analyzing the suggested solution for fighting conflicts
  • Summary of previous research
  • Plans for future research

Firewalls and IPSec devices are installed on hosts or on intermediate network nodes according to the applied network policy. This network security policy consists of two lists of packet-filtering rules: the access list and the map list. The access list holds the rules that select traffic and is used to define firewall policies and IPSec protection rules, whereas the map list holds the rules that map protection onto the traffic selected by the access list and is used to define the IPSec transformation rules.


Since the relation between rules determines whether a security policy contains a conflict (the policy is valid if its rules are disjoint), the first step in locating the source of rule conflicts is to classify every possible relation between two filtering rules: exactly matching, inclusively matching, correlated and disjoint.

Once the relations between rules have been determined, the second step is to classify the conflicts. Conflicts related to the access list may exist both within a single policy (intra-policy) and between the policies of different devices (inter-policy). Intra-policy access-list conflicts include intra-policy shadowing, intra-policy correlation, intra-policy exception and intra-policy redundancy. Inter-policy access-list conflicts include inter-policy shadowing, which is further divided into partial and complete shadowing, and inter-policy spuriousness, which is further divided into partial and complete spuriousness.
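The two steps above (classifying the relation between a pair of rules, then using those relations to find intra-policy conflicts in an ordered access list) can be carried out with plain set comparisons on the rule fields. The following is an added example, not code from the paper or from the SPA tool: rules are modelled as constructed 5-tuples of protocol, source prefix, source port, destination prefix and destination port, and the sample access list uses documentation address ranges. The exact conflict definitions (first match wins; a later rule covered by an earlier one with a different action is shadowed; an earlier rule covered by a later one with a different action is an exception) follow the common reading of the taxonomy and are an assumption of this example.

```python
import ipaddress
from dataclasses import dataclass

# Protocol field as an inclusive range of IP protocol numbers.
PROTO = {"any": (0, 255), "tcp": (6, 6), "udp": (17, 17)}

@dataclass(frozen=True)
class Rule:
    name: str
    proto: tuple                   # (lo, hi) protocol-number range
    src: ipaddress.IPv4Network
    sport: tuple                   # (lo, hi) port range
    dst: ipaddress.IPv4Network
    dport: tuple
    action: str                    # "accept" or "deny"

def rule(name, proto, src, sport, dst, dport, action):
    """Build a Rule from human-readable fields; 'any' means the whole range."""
    port = lambda x: (0, 65535) if x == "any" else (x, x)
    return Rule(name, PROTO[proto], ipaddress.ip_network(src), port(sport),
                ipaddress.ip_network(dst), port(dport), action)

def _range_rel(a, b):
    """Relation of two inclusive ranges: eq, sub (a inside b), sup (b inside a),
    corr (partial overlap) or disj."""
    if a == b: return "eq"
    if b[0] <= a[0] and a[1] <= b[1]: return "sub"
    if a[0] <= b[0] and b[1] <= a[1]: return "sup"
    if a[1] < b[0] or b[1] < a[0]: return "disj"
    return "corr"

def _net_rel(a, b):
    """Same relation for two prefixes; prefixes never partially overlap."""
    if a == b: return "eq"
    if a.subnet_of(b): return "sub"
    if b.subnet_of(a): return "sup"
    return "disj"

def relation(r1, r2):
    """Relation between the match spaces of r1 and r2: exact, inclusive (r1 inside
    r2), inclusive_sup (r2 inside r1), correlated (they intersect but neither
    contains the other) or disjoint."""
    rels = [_range_rel(r1.proto, r2.proto), _net_rel(r1.src, r2.src),
            _range_rel(r1.sport, r2.sport), _net_rel(r1.dst, r2.dst),
            _range_rel(r1.dport, r2.dport)]
    if "disj" in rels:
        return "disjoint"
    if all(r == "eq" for r in rels):
        return "exact"
    if all(r in ("eq", "sub") for r in rels):
        return "inclusive"
    if all(r in ("eq", "sup") for r in rels):
        return "inclusive_sup"
    return "correlated"

def intra_policy_conflicts(rules):
    """Scan an ordered access list (first match wins) and return
    (kind, earlier_rule, later_rule) tuples for shadowing, redundancy,
    exception and correlation between rule pairs."""
    found = []
    for j, rj in enumerate(rules):
        for i in range(j):
            ri = rules[i]
            rel = relation(rj, ri)
            same = ri.action == rj.action
            if rel in ("exact", "inclusive"):
                # rj can never fire: shadowed if actions differ, redundant otherwise
                found.append(("redundancy" if same else "shadowing", ri.name, rj.name))
            elif rel == "inclusive_sup":
                if not same:
                    # ri is a specific exception to the more general later rule rj
                    found.append(("exception", ri.name, rj.name))
                elif not any(relation(ri, rk) != "disjoint" and rk.action != ri.action
                             for rk in rules[i + 1:j]):
                    # ri adds nothing: rj would take the same action on all its packets
                    found.append(("redundancy", ri.name, rj.name))
            elif rel == "correlated" and not same:
                found.append(("correlation", ri.name, rj.name))
    return found

# Constructed sample access list using documentation address ranges.
POLICY = [
    rule("R1", "tcp", "192.0.2.20/32", "any", "0.0.0.0/0", 80, "deny"),
    rule("R2", "tcp", "192.0.2.0/24", "any", "0.0.0.0/0", 80, "accept"),
    rule("R3", "tcp", "0.0.0.0/0", "any", "198.51.100.40/32", 80, "accept"),
    rule("R4", "tcp", "192.0.2.0/24", "any", "0.0.0.0/0", 21, "deny"),
    rule("R5", "tcp", "192.0.2.30/32", "any", "0.0.0.0/0", 21, "accept"),
    rule("R6", "tcp", "192.0.2.0/24", "any", "0.0.0.0/0", 21, "deny"),
    rule("R7", "udp", "192.0.2.0/24", "any", "198.51.100.40/32", 53, "accept"),
    rule("R8", "udp", "192.0.2.0/24", "any", "198.51.100.0/24", 53, "accept"),
]

if __name__ == "__main__":
    for kind, earlier, later in intra_policy_conflicts(POLICY):
        print(f"{kind:12s} {earlier} -> {later}")
```

Running the script on the sample list reports R5 as shadowed by R4 (it can never accept FTP from 192.0.2.30 because R4 already denies the whole /24), R6 as redundant to R4, R7 as redundant to R8, R1 as a correlation conflict with R3 (they intersect on web traffic from 192.0.2.20 to 198.51.100.40 with opposite actions, so the outcome depends only on rule order), and the two exceptions R1/R2 and R5/R6, which are deliberate host-specific overrides rather than errors but are worth confirming with the administrator.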

Classifying map-list conflicts is equally essential, since the map-list rules specify the traffic security requirements and may also conflict, both on a single IPSec device and across multiple IPSec devices. Examples of these conflicts are overlapping-session conflicts and multi-transform conflicts.
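The article names the overlapping-session conflict but does not define it; the following added example (not code from the paper or the SPA tool) works from the reading that two tunnel-mode IPSec sessions on the same traffic path conflict when they overlap without being properly nested, so that at the inner tunnel's endpoint its header is still buried under the other tunnel's header and cannot be removed. That reading, the constructed topology and the node names are assumptions of the example; it simulates the encapsulation stack a packet carries as it crosses each node.

```python
def walk_path(path, tunnels):
    """Simulate tunnel-mode IPSec encapsulation for a packet travelling along
    `path` (ordered list of node names). Each tunnel is (start_node, end_node).
    A header is pushed when its tunnel starts and may only be removed at the
    tunnel endpoint while it is outermost; a tunnel whose header is buried
    under a still-open tunnel at its own endpoint is reported as an
    overlapping-session conflict (assumed reading of the term).
    Returns a list of (node, buried_tunnel, covering_tunnel) tuples."""
    order = {node: i for i, node in enumerate(path)}
    for start, end in tunnels:
        if order[start] >= order[end]:
            raise ValueError(f"tunnel {start}->{end} does not follow the path")
    problems = []
    stack = []                       # outermost header is stack[-1]
    for node in path:
        # Peel every header whose tunnel legitimately ends here.
        while stack and stack[-1][1] == node:
            stack.pop()
        # Any tunnel that ends here but is still on the stack is buried.
        for t in tunnels:
            if t[1] == node and t in stack:
                problems.append((node, t, stack[-1]))
        # Open the tunnels that start here; each new header becomes outermost.
        for t in tunnels:
            if t[0] == node:
                stack.append(t)
    return problems

# Constructed topology: host H1 sends to host H2 through routers R1..R4.
PATH = ["H1", "R1", "R2", "R3", "R4", "H2"]
BAD = [("R1", "R3"), ("R2", "R4")]       # partially overlapping sessions
GOOD = [("R1", "R4"), ("R2", "R3")]      # inner session fully nested

if __name__ == "__main__":
    print("overlapping:", walk_path(PATH, BAD))
    print("nested:     ", walk_path(PATH, GOOD))
```

With the BAD map lists, R3 receives the packet still wrapped in the R2-to-R4 header, so it cannot terminate its own session and has to forward the packet on; with the GOOD lists every header is outermost when its endpoint is reached and no conflict is reported.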

Once the security policies have been written, it is time to evaluate them. Rather than relying on manual inspection, we evaluate them by implementing a set of conflict-discovery algorithms. These algorithms are expressed as Boolean operations that analyze the policy semantics and point out the rule conflicts; the original paper also represents policies as Ordered Binary Decision Diagrams (OBDDs) so that this analysis can be done efficiently. A software tool called Security Policy Advisor (SPA) implements the algorithms. SPA is used for a simple reason: it has proven more effective than manual human effort at discovering most policy conflicts.

The approach was also tested in two IPSec policy exercises by 7 expert, 12 intermediate and 19 beginner network administrators, 38 in total. Moreover, the SPA tool has been tried on the university network and on some local industrial networks in the area. The results of those experiments were very surprising: 29% of the experts created intra-policy and inter-policy conflicts. If experts do so, what about intermediate and beginner administrators? As expected, their conflict figures were much higher than the experts'.

To conclude the discussion, what are the plans for future work? A number of approaches have been proposed over time. One of the most meaningful and useful is to report any violation of the security policy requirements through IPSec processing; however, that process cannot guarantee that every possible violation is discovered. The analysis suggested in this paper is the most advanced approach to firewall policy analysis, but it too is limited to firewalls, and more research is required to offer query-based tools. Thus more work needs to be done to avoid serious network vulnerabilities.
