Step by Step Guide to Identify Network Security Policy Conflicts


Due to the popularity of internet, which is actually the global connectivity system, the need to research on online security measures has gained significant importance. This network now needs more organized security as increasing threat of network attacks.

This is the reason why at industrial and user level, network security devices like firewalls and IPSec gateways have become vital integrated elements. These devices required to be configured by administrator according to specific security needs of that particular network, often called security policies. However, study shows that even expert administrator can make serious conflict while configuring security policies while customizing these devices. These conflict occur due to main two reasons:

  1. Lack of the knowledge about the type of security policies conflicts
  2. Un arability of automated system

And the main reason why policy conflicts occur is because of misconfiguration within a single policy, which is called intra policy conflicts and due to between policies in different devices, which is called inter-policy conflicts in particular language. There are many approaches have been adopted to deal this issues such as [4], [7], [11] that use a query-based approach for firewall policies and [5] that is built to find the conflicts of overlapping IPSec tunnels using a simulation-based technique.

This study will provide of one of the best solution comprehensive classification and identification of rule conflicts in network security devices, that consist of eight (VIII) sections including the Introduction to the topic already given.

What is Network Security Policies:

A network security policy, or NSP, is a generic document that outlines rules for computer network access, determines how policies are enforced and lays out some of the basic architecture of the company security/ network security environment. Firewalls and IPSec are the devices that control the traversal of packets in all network segments following the prompt network policy. The devices are installed at end host, and sometimes at intermediate networks, depending of requirements and usability.

The whole policy consists of transport protocol, source address, port number, and destination address and port number. And mainly, two lists of packet-filtering rules form a network security policy:

Access List: A control list (ACL), that is actually a table that tells which access rights each user has to a particular network. In short, it is a mechanism to filter packets based on their properties.

Map List: Often called route map, Map list is a generalization of Access list, capability to match packets or prefixes and permit or deny them.

The identification of conflicts in network policies required to be followed by specific modeling rules relations, classification of access list and map list conflicts. Then finally, we are required to implement and evaluate the results.

Necessity to Model Rules Relation:

This is one of the first step to find if any conflicts exist in security policy. Rules are matched sequentially, especially the inter-rules. This section explains all the possible relations are to be exit between filtering rules by comparing the fields of filtering rules such as Exactly matching rules (Rx=Ry), Inclusively matching rules (Rx⊂Ry), Correlated rules (Rx./Ry), Disjoint rules in which rules Rx and Ry are completely disjoint.

Classifying Access and Map List Conflicts:

The second steps administrator must adopt is to classify the access list conflicts, that are the type of rules. These conflicts could be existing between the same security device or in different devices often called intra-policy conflicts and inter-policy conflicts respectively. Intra-policy access-list conflicts should include intra-policy shadowing, intra-policy correlation, intra-policy exception and intra-policy redundancy, to find out or filter the conflicts. And Inter-policy access-list conflicts mainly include inter-policy shadowing and inter-policy spuriousness. Moreover, the map-list conflicts could be figure out through overlapping-session conflicts and multi-transform conflicts. These sections of the articles mainly discuss the aforementioned lines and segments.

Implementation and Related Work:

Finally, the time is to implement the security policies and evaluate the result, and study the related work if its beneficial for the improvement to dig out conflicts, and enhance the security. The result show that that this study is one of the latest and the best research on the topic till the date its written. Moreover, different experiment show that even expert administrator when applying security policies not following these suggested taxonomy, find many conflicts, what to be said of intermediate network security managers.

Final Words:

All that shows that it is not the final research on topic, and required lot more hard work do find out how to minimize security conflicts in more appropriate manner.