Managing and Using Information Systems: A Strategic Approach – Sixth Edition

Keri Pearlson, Carol Saunders, and Dennis Galletta

© Copyright 2016 John Wiley & Sons, Inc.

Chapter 7 Security


Opening Case

What are some important lessons from the opening case?

How long did the theft take? How did the theft likely occur?

How long did it take Office of Personnel Management (OPM) to detect the theft?

How damaging are the early reports of the data theft for the OPM?

© 2016 John Wiley & Sons, Inc.


The hackers did not carry out a dramatic and quick theft; they had a year to steal the records at their leisure.

The theft took place over a year, and the hackers stole a password.

It took many months for OPM to detect the theft.

Early reports say that at least 4 million, and as many as 14 million records were stolen. Each record contained 127-page security clearances that include sensitive medical, personal, and relationship information.


How Long Does it Take?

How long do you think it usually takes for someone to discover a security compromise in a system after the evidence shows up?

Several seconds

Several minutes

Several hours

Several days

Several months

A Mandiant study revealed that the median for 2014 was 205 days! That’s almost 7 months!

The longest dwell time in that study was 2,982 days, more than 8 years!


Timeline of a Breach - Fantasy

Hollywood has a fairly consistent script:

0: Crooks get password and locate the file

Minute 1: Crooks start downloading data and destroying the original

Minute 2: Officials sense the breach

Minute 3: Officials try to block the breach

Minute 4: Crooks’ download completes

Minute 5: Officials lose all data

Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf


Timeline of a Breach - Reality

IT Security Decision Framework

Decision | Who is Responsible | Why? | Otherwise?
Information Security Strategy | Business Leaders | They know the business strategies | Security is an afterthought, patched on later
Information Security Infrastructure | IT Leaders | Technical knowledge is needed | Incorrect infrastructure decisions
Information Security Policy | Shared: IT and Business Leaders | Trade-offs need to be handled correctly | Unenforceable policies that fit neither the IT nor the users
SETA (training) | Shared: IT and Business Leaders | Business buy-in and technical correctness | Insufficient training; errors
Information Security Investments | Shared: IT and Business Leaders | Evaluation of business goals and technical requirements | Over- or under-investment in security


How Have Big Breaches Occurred?

Date Detected | Company | What was stolen | How
November 2013 | Target | 40 million credit and debit cards | Contractor opened a virus-laden email attachment
May 2014 | eBay #1 | 145 million user names, physical addresses, phone numbers, birthdays, encrypted passwords | Employee's password obtained
September 2014 | eBay #2 | Small but unknown | Cross-site scripting
September 2014 | Home Depot | 56 million credit card numbers; 53 million email addresses | Obtained a vendor's password / exploited an OS vulnerability
January 2015 | Anthem Blue Cross | 80 million names, birthdays, emails, Social Security numbers, addresses, and employment data | Obtained the passwords of 5 or more high-level employees


Password Breaches

80% of breaches are caused by stealing a password.

You can steal a password by:

Phishing attack

Key logger (hardware or software)

Guessing weak passwords (123456 is most common)

Evil twin Wi-Fi (a rogue access point that impersonates a legitimate network name)


Insecurity of WiFi– a Dutch study

“We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.”

He had a Wi-Fi transmitter broadcasting “Starbucks” as its network name (SSID)

Because their devices were connected through him, he scanned them for unpatched or vulnerable mobile devices or laptops

He also saw passwords and could have locked people out of their own accounts

The correspondent: “I will never again be connecting to an insecure public WiFi network without taking security measures.”


Other Approaches

Cross-site scripting (malicious script injected into a trusted site, e.g., pointing the user to a link that demands a log-in at an imposter site)

Third parties

Target’s HVAC system was connected to its main systems

Contractors had access

Hackers obtained a contractor’s password

Point-of-sale malware captured customer credit card data in memory before it could be encrypted


Cost of Breaches

Estimated at $145 to $154 per stolen record

Revenue lost when sales decline

Some costs can be recouped by insurance


Can You be Safe?

No, unless the information is permanently inaccessible

“You cannot make a computer secure” – from Dain Gary, former CERT chief

97% of all firms have been breached

Sometimes security makes systems less usable


What Motivates the Hackers?

Sell stolen credit card numbers for up to $50 each

2 million Target card numbers were sold for $20 each on average

Street gang members can usually get $400 out of a card

Some “kits” (card number plus SSN plus medical information) sell for up to $1,000

They allow opening new account cards

Stolen cards can be sold for bitcoin on dark-web (“Deep Web”) markets


What Should Management Do?

Security strategy

Infrastructure

Access tools *

Storage and transmission tools *

Security policies *

Training *

Investments

* Described next


Access Tools

Access Tool | Ubiquity | Advantages | Disadvantages
Physical locks | Very high | Excellent if guarded | Locks can be picked; the attacker often does not need physical access at all; keys can be lost
Passwords | Very high | User acceptance and familiarity; ease of use; mature practices | Poor by themselves; sometimes forgotten; sometimes stolen from users by deception or key loggers
Biometrics | Medium | Can be reliable; never forgotten; cannot be lent or lost like a key; can be inexpensive | False positives/negatives; some are expensive; some might change (e.g., voice); lost limbs; loopholes (e.g., a photo fooling face recognition); a leaked biometric template cannot be replaced the way a password can


Access Tools (continued)

Access Tool | Ubiquity | Advantages | Disadvantages
Challenge questions | Medium (high in banking) | Not forgotten; a multitude of questions can be used | Social networking might reveal some answers; personal knowledge of an individual might reveal the answers; spelling might not be consistent
Token | Low | A stolen passkey is useless quickly (one-time codes expire) | Requires carrying a device
Text message | Medium | A stolen passkey is useless quickly; mobile phone already owned by users; useful as a secondary mechanism too | Requires mobile phone ownership by all users; home phone option requires speech synthesis; requires alternative access control if the mobile phone is lost; codes can be intercepted by SIM swapping
Multi-factor authentication | Medium | A stolen password alone is useless; enhanced security | Requires an additional technique if one of the two factors fails; temptation to choose an easy password
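Why a stolen token or text-message passkey is “useless quickly” is easiest to see in code. The block below is an added example, not material from the textbook: it implements the HOTP/TOTP algorithm that hardware tokens and authenticator apps use (RFC 4226 / RFC 6238) and a server-side verifier that tolerates one 30-second step of clock drift but refuses to accept a step that has already been consumed, so a code captured by a key logger cannot be replayed. The secret is the published RFC test key, not a real credential; TotpVerifier and demo() are this example's own names.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"). In practice the shared
# secret is a random key provisioned to the token or authenticator app; this one is public.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to 31 bits, then reduction modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """Time-based variant (RFC 6238): the counter is the number of steps since the epoch."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side (hypothetical class for this example): accepts the code for the current
    step plus `window` steps of drift on either side, and never accepts a step twice, so a
    sniffed code is worthless once used and worthless anyway after the window passes."""

    def __init__(self, secret: bytes, digits: int = 6, step: int = STEP_SECONDS, window: int = 1):
        self.secret, self.digits, self.step, self.window = secret, digits, step, window
        self.last_accepted_step = -1

    def verify(self, code: str, at=None) -> bool:
        at = int(time.time()) if at is None else at
        current = at // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = current + drift
            if candidate <= self.last_accepted_step:
                continue  # this step (or an older one) was already used: treat as replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


def demo():
    """A code captured at t=59 is accepted once, then rejected on replay and after the window."""
    verifier = TotpVerifier(DEMO_SECRET, digits=8)
    stolen = totp(DEMO_SECRET, 59, digits=8)  # what a key logger or evil-twin AP would see
    return [
        verifier.verify(stolen, 59),   # legitimate first use
        verifier.verify(stolen, 70),   # replay eleven seconds later, same step: rejected
        verifier.verify(stolen, 150),  # three steps later, outside the drift window: rejected
    ]
```

The drift window is the usual trade-off between usability (a phone whose clock is a few seconds off) and exposure (a captured code stays valid for up to window+1 steps if it is never used); the last-accepted-step record closes the replay hole inside that window.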


Storage and Transmission Tools

Tool | Ubiquity | Advantages | Disadvantages
Antivirus/antispyware | Very high | Blocks many known threats; blocks some “zero-day” threats | Slows down the operating system; “zero-day” threats can be missed
Firewall | High | Can prevent some targeted traffic | Can only filter known threats; can have well-known “holes”
System logs | Very high | Can reveal the IP address of the attacker; can estimate the extent of the breach | Hackers can conceal their IP address; hackers can delete logs; logs can be huge; irregular inspections
System alerts | High | Can help point to logs; can detect an attack in process | High sensitivity; low selectivity (many false alarms)


Storage and Transmission Tools (continued)

Tool | Ubiquity | Advantages | Disadvantages
Encryption | Very high | Difficult to access a file without the key; long keys could take years to break | Keys are unnecessary if the password is known; if the key is not strong, hackers could recover it by trial and error
WEP/WPA | Very high | Same as encryption; most devices have the capability; WPA2 provides a secure Wi-Fi connection | Same as encryption; some older devices have limited protections; WEP is broken, yet it is still provided
VPN | Medium | Trusted connection, as if you were connected on site; hard to decrypt | Device could be stolen while connected; sometimes slows the connection


Security Policies

Perform security updates promptly

Separate unrelated networks

Keep passwords secret

Manage mobile devices (BYOD)

Formulate data policies (retention and disposal)

Manage social media (rules as to what can be shared, how to identify yourself)

Use consultants (Managed Security Services Providers)


SETA (Security Education, Training, and Awareness)

Training on access tools

Limitations of passwords

Formulating a password

Changing passwords periodically (current NIST SP 800-63B guidance: change them when compromise is suspected rather than on a fixed schedule)

Using multi-factor authentication

Using password managers


SETA (Security Education, Training, and Awareness)

BYOD

Rules

How to follow them

Social Media

Rules

How to follow them

Cases from the past that created problems


SETA (Security Education, Training, and Awareness)

Vigilance: Recognizing:

Bogus warning messages

Phishing emails

Physical intrusions

Ports and access channels to examine


Classic Signs of Phishing

Account is being closed

Email in-box is full

Winning a contest or lottery

Inheritance or commission to handle funds

Product delivery failed

Odd URL when hovering

Familiar name but strange email address

Poor grammar/spelling

Impossibly low prices

Attachment with EXE, ZIP, or BAT (etc.)
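Several of the signs above can be checked mechanically before a user ever sees the message. The following is an added example, not from the textbook, written in Python with only the standard library: it parses one raw RFC 5322 message and reports which classic signs it finds (a brand in the display name that the sender domain does not own, a lure phrase, link text that shows one host while the href points at another, and a risky attachment extension). The allow-list KNOWN_BRANDS, the lure phrases, the function names and both sample messages are constructed for this example; neither message is real mail.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: brand words a sender may claim in the display name, mapped to
# the domain such mail really comes from. A real deployment would load this from config.
KNOWN_BRANDS = {"paypal": "paypal.com", "example": "example.com"}
RISKY_EXT = (".exe", ".zip", ".bat", ".scr", ".js", ".vbs")
LURES = ("account will be closed", "mailbox is full", "you have won",
         "delivery failed", "inheritance", "commission")


class _AnchorCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""

    def handle_data(self, data):
        if self._href is not None:
            self._text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None


def _host(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _same_org(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def phishing_signs(raw_message: str) -> list:
    """Return the classic phishing signs found in one raw message, in fixed order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    signs = []

    # Familiar name but strange address: the display name claims a brand the sender domain does not own.
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    if any(brand in name.lower() and not _same_org(sender_domain, domain)
           for brand, domain in KNOWN_BRANDS.items()):
        signs.append("sender-domain-mismatch")

    # Body: lure phrases, and link text that shows a different host than the href points to.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if any(lure in text.lower() for lure in LURES):
        signs.append("urgency-lure")
    if body is not None and body.get_content_type() == "text/html":
        collector = _AnchorCollector()
        collector.feed(text)
        if any("." in shown and " " not in shown and _host(shown) != _host(href)
               for shown, href in collector.links):
            signs.append("link-target-mismatch")

    # Executable or archive attachments.
    if any((part.get_filename() or "").lower().endswith(RISKY_EXT)
           for part in msg.iter_attachments()):
        signs.append("risky-attachment")
    return signs


# Constructed sample messages (not real mail).
PHISH = """\
From: "PayPal Support" <alerts@paypa1-secure-login.biz>
To: victim@example.com
Subject: Your account will be closed
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Your account will be closed in 24 hours. Please log in at
<a href="http://203.0.113.7/login">https://www.paypal.com/signin</a></p>
--B1
Content-Type: application/octet-stream; name="Statement.zip"
Content-Disposition: attachment; filename="Statement.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--B1--
"""

BENIGN = """\
From: "Alice Example" <alice@example.com>
To: bob@example.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at the cafe at noon.
"""
```

phishing_signs(PHISH) reports all four signs while phishing_signs(BENIGN) reports none; the lure list and the brand allow-list are the parts an organisation would tune, and the link check is the one users get wrong most often because the visible text looks right.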



IPsec/Firewall Security Policy Analysis : A Survey

Roumaissa Khelf and Nacira Ghoualmi-Zine
Networks and System Laboratory, Computer Science Department
Badji Mokhtar-Annaba University, Annaba, Algeria

Abstract—As reliance on technology increases, computer networks grow larger, and so do the threats and attacks against them. Network security has therefore become a major concern over the last decade. It requires a combination of hardware devices and software applications; in particular, firewalls and IPsec gateways are two technologies that provide network protection and rely on security policies maintained to control traffic and keep the network safe. Nevertheless, security policy misconfigurations and inconsistencies between a policy’s rules produce errors and conflicts which are often very hard to detect, and which consequently open security holes and compromise the functionality of the entire system. In this paper, we review the approaches that have been proposed for security policy management and survey the literature on conflict detection and resolution techniques. This work highlights the advantages and limitations of the proposed solutions for security policy verification in IPsec and firewalls, and gives an overall comparison and classification of the existing approaches.

Keywords—Network Security; Security policy; IPsec; Firewall; Security policy anomalies; policy analysis; Conflicts analysis.

I. INTRODUCTION

To enforce network security, several functions are implemented within a computer network. Some security controls are used to control traffic, like firewalls (network protection); others can both control and modify the traffic, like IPsec gateways (VPN protection) [1]. Although IPsec is newer than firewall technology, firewall studies are more common and more varied, probably because firewalls have the larger market share. This motivates us to bring both technologies together in this survey, to show which of them is the better choice for network security verification. While the studies differ, firewalls and IPsec share a similar nature, and security policies are an essential component of both. Security policies in large systems are complex, and faults are hard to find. In addition, network administrators do not always have a deep insight into the network configuration; these challenges make security policy testing and verification much harder. To address this problem, several approaches have been proposed in the literature. Their main objective was to automate the verification and management of security policies by introducing different techniques for conflict identification and resolution. This survey therefore highlights the different studies on policy analysis, and especially on conflict management. Regarding work on policy analysis, we note that there is no global or general solution that can be applied directly to the problem. Most studies focus on sub-problems, so the proposed works do not yield compatible solutions. The network topology also matters: the dynamic environment of distributed (enterprise) networks must be taken into consideration, because some of the proposed approaches are inefficient under dynamic conditions. More details are given in the following sections.

This work highlights existing research in the field of security policy verification and analysis. We present the most important approaches in chronological order, emphasizing their advantages and disadvantages. We also discuss the differences between these works, propose solutions to overcome the drawbacks of prior studies, and propose a categorization scheme for the existing approaches in this area.

This paper is organized as follows. Section 2 presents an overview of both technologies, firewalls and IPsec, and the basic differences between them. Section 3 gives a brief definition of security policy and of the notion of filtering rules, as well as of policy analysis and its different fields. Section 4 presents the research carried out on the different types of security policy for firewalls and IPsec. In Section 5 we compare the cited works, discuss the main differences between those approaches, and propose a categorization scheme.

II. FIREWALL VS IPSEC

Firewalls and IPsec are complementary components of network security. They cannot really be compared directly; however, there are differences between IPsec and firewalls. In this section we identify those differences and the subtleties of both technologies.

A. Firewalls

Firewalls are network devices which enforce an organization’s security policy [2]. A firewall can be a router, an access server, or a set of service modules. It monitors the outgoing and incoming traffic of a network; the monitoring is done using packet filters and aims to allow or deny traffic. The firewall filters packets according to various criteria such as IP addresses, ports, network interfaces, etc. All this information is organized in an ordered set of rules which constitutes the firewall’s security policy. The main objective of a firewall is to determine whether a type of traffic may reach a particular network. The principle is simple: a firewall protects the network by allowing wanted traffic and discarding unwanted traffic. However, firewalls do not secure or modify the traffic itself as it passes back and forth. Besides the fact that not all attack types are handled, emerging technologies like VPN and P2P present new challenges for firewalls.

B. IPsec

Internet Protocol Security (IPsec) is known as a cost-effective way to establish security in Virtual Private Networks (VPNs). IPsec is a set of open standards that provides data authentication, integrity and confidentiality. It can be used to protect the data flow between a pair of hosts, a pair of gateways, or a host and a gateway. The IPsec security architecture defines two kinds of policy: an access control list, which defines which traffic is to be protected, and a crypto map, which defines the protection parameters to be applied to that traffic. In other words, how protection is distributed in IPsec depends on the design of the security policy and on its distribution.

C. Firewall and IPsec Comparison

To sum up, a firewall is used to protect a network from unwanted traffic, whereas IPsec is used to protect a server or a group of servers in a network: IPsec protects the wanted traffic while it crosses the network, so IPsec not only controls traffic but also protects it. Firewall security policies are defined to control access to the network: they permit legitimate traffic and block unwanted traffic. IPsec’s access control policy has a similar aim, but legitimate traffic is either permitted directly or protected before transmission. This is where the main distinction between a firewall and IPsec arises. When legitimate traffic is judged to need protection, the IPsec encryption list is consulted and the traffic is compared against its filtering rules to find out which IPsec protection (AH or ESP, in tunnel or transport mode) must be applied to it.

Despite the differences, both technologies can be used to protect a network; the firewall is more convenient for centralized protection, while IPsec is more powerful for flexible protection and for the isolation of servers and domains.

III. POLICY VERIFICATION BACKGROUND

A. Network Security Policy

A network security policy is a set of requirements that control the behavior of an entity in a network. This behavior is defined by a set of constraints meant to govern data access, use and transfer inside the network. A security policy requirement is expressed as a set of filtering rules; these rules are tried in a particular order that ensures the correct execution of the policy directives. Generally, security policies are used to ensure three main properties: confidentiality (data secrecy), integrity (data is not altered) and availability (data access).

B. Security Policy Analysis

After the definition of the security policy directives comes the specification of the filtering rules. This phase, called policy configuration, is typically complicated and error-prone. Given the importance of security policies to the security of communication networks, conflicts can lead to security breaches and high-risk attacks. Conflicts in a network security policy can result from misconfiguration or from inconsistency between different rules in the same policy or in different policies. Therefore, to ensure the correct functioning of the policy, conflicts should be avoided or at least identified so that they can be removed. This is not as easy as it sounds: many factors make conflict management a very hard task for a network administrator, such as the growing number of Internet applications, the nature of distributed networks, the different types of security controls, and the large number of policies and rules, which can cause an extremely high number of conflicts and make the task intractable for an administrator. Hence the need for better solutions for the verification of security policies.

C. Policy Analysis

As discussed above, network security cannot be guaranteed without a well-designed security policy. Several studies have therefore been carried out to overcome the problem of conflicts and configuration errors in different types of security policies, such as social network policies [3] or cloud computing [4]. Policy analysis consists of verifying the policy configuration in order to monitor changes in the policies, in their behavior, or security violations caused by a conflict. Note that during the analysis of a policy, the devices already deployed remain unchanged and under the control of a network administrator.

Regarding the works in the literature that extend the concept of policy analysis, we can divide them into three main categories: reachability, policy comparison and conflict analysis (Fig. 1). Our focus will essentially be on conflict analysis.

Fig. 1. Classification of Policy Analysis Approaches

Conflict analysis aims to identify potential errors in single or multiple security policies (intra- and inter-domain). Without loss of generality, the approaches used for conflict analysis can also be divided into three main categories: verification of configurations, conflict detection and policy optimization. The solutions proposed for conflict detection over recent years can in turn be divided into three sub-categories: policy management approaches based on data structures such as [5], the proposal of novel formal models as in [6], and the proposal of new tools such as [7].

IV. STATE OF THE ART

In the literature, firewall policy verification is a very common research field; many approaches have been proposed to provide a complete solution to the main problem, conflict analysis. In this section we present some of the approaches proposed for firewall policy verification.

A. Firewall Approaches

The proposal of Al-Shaer et al. in [8] was the first paper to introduce the concept of conflict analysis for firewall policies. The authors define all the possible relations between two policy rules, classifying them into five types: completely disjoint, where the rules are independent and have no intersection in any field; exactly matched, where the two rules match the same traffic; inclusively matched, where the rules do not match exactly the same traffic but every field of the first rule is a subset of or equal to the corresponding field of the second; partially disjoint, where at least one field of the first rule is a subset of, a superset of or equal to the corresponding field of the second rule while at least one other field has no intersection; and correlation, where some fields of the first rule are subsets of or equal to the corresponding fields of the second rule and the remaining fields are supersets or equal. The authors represent the policy as a single-rooted tree (the policy tree): every node represents a field of a filtering rule and each branch at that node represents a possible value of the associated field. They then classify four types of anomalies: shadowing, correlation, generalization and redundancy. To help the administrator manage a firewall policy without prior manual analysis of the filtering rules, they implement a tool, the Firewall Policy Advisor, with two management functions: a policy anomaly detector, which identifies anomalies and notifies the administrator, and a policy editor, which places updated or inserted rules correctly. However, the Policy Advisor is limited to detecting pairwise anomalies in firewall rules. This work was then extended in [9], where the authors add a new classification covering anomalies in multi-firewall environments, so that their technique detects anomalies in both centralized and distributed legacy firewalls.

The newly defined conflicts are shadowing, spuriousness, correlation, redundancy and irrelevance. Shadowing occurs between two rules in two different firewalls that match the same packets, where the first (upstream) rule blocks a packet that is permitted by the second. Spuriousness is the opposite case: the two rules match the same packet, the first permits it and the second blocks it. By their definition, correlated rules are rules in different firewalls that match some common packets but apply different actions; if both rules block the traffic, it is instead a redundancy conflict. The irrelevance anomaly describes rules that can never match any traffic passing through the firewall. The authors specify that rule insertion is performed in two steps: rule placement, which finds the firewall(s) concerned by identifying all possible paths, followed by verification of the relation between the new rule and the existing rules in order to avoid intra-firewall anomalies. Although this work was very helpful for subsequent studies, it only detects anomalies after the fact, provides no recovery mechanism, and is not suitable for all security controls. In addition, high performance is guaranteed only for a limited number of rules. Another extension of Al-Shaer’s work is [10], which proved that the conflicts in Al-Shaer’s classification are the only conflicts that can exist in firewall policies. The authors present a set of algorithms to detect rule anomalies within a single firewall (intra-firewall anomalies) and between interconnected firewalls (inter-firewall anomalies), and, in addition to their previous work, a user-friendly Java-based implementation of the Firewall Policy Advisor. This work was further extended by Al-Shaer in [11]. The authors of [12] proposed another tool, FIREMAN, for the analysis of firewall policies. It uses Binary Decision Diagrams (BDDs) [13] to represent packet filtering policies, provides intra-policy packet analysis, and verifies the correct implementation of the end-to-end policy.
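The five rule relations and the four intra-firewall anomalies of [8] reduce to a few lines of code once each field of a rule is either a single value, an IPv4 prefix or a wildcard, because two corresponding fields are then always exactly one of equal, subset, superset or disjoint. The block below is an added example and is not the policy tree or the Firewall Policy Advisor of [8]; it is a hypothetical 5-tuple rule model in Python whose names (Rule, rule_relation, pair_anomaly, analyze) are this example's own. The sample policy POLICY is constructed in the style of the examples in [8]. The check that declares an earlier rule redundant to a later, more general rule with the same action is deliberately conservative: any rule between them that overlaps the earlier rule with a different action keeps it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """Hypothetical 5-tuple filtering rule: None means 'any' for proto and ports,
    0.0.0.0/0 means 'any' for addresses."""
    name: str
    proto: Optional[str]   # "tcp", "udp", ... or None
    src: str               # IPv4 prefix, e.g. "140.192.37.0/24"
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    action: str            # "accept" or "deny"


def _scalar_rel(a, b) -> str:
    if a == b:
        return "equal"
    if a is None:
        return "superset"
    if b is None:
        return "subset"
    return "disjoint"


def _prefix_rel(a: str, b: str) -> str:
    na, nb = ipaddress.ip_network(a, strict=False), ipaddress.ip_network(b, strict=False)
    if na == nb:
        return "equal"
    if na.subnet_of(nb):
        return "subset"
    if nb.subnet_of(na):
        return "superset"
    return "disjoint"


def rule_relation(x: Rule, y: Rule) -> str:
    """The five relations of [8] between rule x and rule y, seen from x's side."""
    rels = [_scalar_rel(x.proto, y.proto), _prefix_rel(x.src, y.src),
            _scalar_rel(x.sport, y.sport), _prefix_rel(x.dst, y.dst),
            _scalar_rel(x.dport, y.dport)]
    if "disjoint" in rels:
        return "completely_disjoint" if all(r == "disjoint" for r in rels) else "partially_disjoint"
    if all(r == "equal" for r in rels):
        return "exact_match"
    if all(r in ("equal", "subset") for r in rels):
        return "inclusive_match_x_in_y"   # x matches a strict subset of y's packets
    if all(r in ("equal", "superset") for r in rels):
        return "inclusive_match_y_in_x"
    return "correlated"                   # some fields narrower, others wider


def pair_anomaly(policy: List[Rule], i: int, j: int) -> Optional[str]:
    """Anomaly between the earlier rule policy[i] and the later rule policy[j], i < j."""
    x, y = policy[i], policy[j]
    rel = rule_relation(x, y)
    same_action = x.action == y.action
    if rel.endswith("disjoint"):
        return None                        # no packet can match both rules
    if rel in ("exact_match", "inclusive_match_y_in_x"):
        # every packet of y is taken by x first: y is dead; an error if the actions differ
        return "redundancy" if same_action else "shadowing"
    if rel == "inclusive_match_x_in_y":
        if not same_action:
            return "generalization"        # x is an exception to the broader rule y
        # x is removable only if no rule between x and y could catch x's packets with
        # a different action (conservative: any overlap with a different action keeps x)
        for z in policy[i + 1:j]:
            if not rule_relation(x, z).endswith("disjoint") and z.action != x.action:
                return None
        return "redundancy"
    return None if same_action else "correlation"   # partial overlap, conflicting actions


def analyze(policy: List[Rule]) -> List[Tuple[str, str, str]]:
    """All pairwise anomalies as (later rule, anomaly, earlier rule), in policy order."""
    findings = []
    for j in range(len(policy)):
        for i in range(j):
            anomaly = pair_anomaly(policy, i, j)
            if anomaly:
                findings.append((policy[j].name, anomaly, policy[i].name))
    return findings


# Constructed sample policy (not taken from [8]).
ANY = "0.0.0.0/0"
POLICY = [
    Rule("R1", "tcp", "140.192.37.20/32", None, ANY, 80, "deny"),
    Rule("R2", "tcp", "140.192.37.0/24", None, ANY, 80, "accept"),
    Rule("R3", "tcp", ANY, None, "161.120.33.40/32", 80, "accept"),
    Rule("R4", "tcp", "140.192.37.0/24", None, "161.120.33.40/32", 80, "deny"),
    Rule("R5", "tcp", "140.192.37.30/32", None, ANY, 21, "deny"),
    Rule("R6", "tcp", "140.192.37.0/24", None, ANY, 21, "accept"),
    Rule("R7", "tcp", "140.192.37.0/24", None, "161.120.33.40/32", 21, "accept"),
]

if __name__ == "__main__":
    for later, anomaly, earlier in analyze(POLICY):
        print(f"{later}: {anomaly} with respect to {earlier}")
```

On POLICY, analyze reports R2 as a generalization of R1, R4 shadowed by both R2 and R3, R7 redundant to R6, and correlation between R1 and R3 and between R5 and R7; the same pairwise comparison applied to one rule from each of two firewalls on a packet's path is what yields the inter-firewall shadowing and spuriousness of [9].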

The FIREMAN detection technique is based on analyzing the relationship between a filtering rule and a packet space derived from the set of all preceding rules. Its main limitation is that it can only detect an anomaly without identifying the rules involved; subsequent rules are also ignored during the analysis. In [14] the FIREMAN tool was extended to deal with NAT and routing tables. Their tool, Prometheus, unlike FIREMAN, detects the misconfiguration together with the rules responsible for it: it identifies an anomaly when two different paths within the same firewall reach different decisions for the same packet. Some corrections are also available with this tool. In [15], the authors define a methodology to classify firewall policy rule conflicts according to their severity level. They present a classification of the different intra-policy conflicts, where severity expresses how strongly the presence of a conflict in the policy is correlated with erroneous behavior of the device. Exact match, shadowing and post-redundancy are severe conflicts according to the authors’ definition. Resolution of conflicts depends in some cases on the network manager, who can assign priorities to the conflicting rules. One of the major limitations of this work is that it concerns only a single firewall policy; it does not apply to distributed firewall policies.

Al-Shaer’s approach was very helpful to later research, and many works have been proposed based on it; these newer approaches show that Al-Shaer’s classification is general and applicable to multiple scenarios. Additionally, some researchers introduce other security components into the policy analysis context. In [16], for instance, the authors add the ability to manage security policies over distributed network security components such as network intrusion detection systems (NIDS). For the detection of conflicts in packet filtering rules, they present a network model that identifies the components crossed by a given packet from its source and destination. Based on this model they define two new types of conflict (irrelevance and misconnection). In this work the security policy is rewritten in a positive or negative form (only allow rules, or only deny rules). This approach was extended in [7], where the MIRAGE tool is proposed: a management tool for the analysis and deployment of configuration policies over network security components such as firewalls, intrusion detection systems and VPN routers. In the same context, another tool, Margrave, is proposed in [17] for firewall analysis. Besides analyzing the policy, it can determine the consequences of configuration updates, and it can also reason about firewall functions other than access filtering, such as routing and switching, so that the whole firewall behavior is analyzed. Other studies present formal models for security policy generation, such as [18]. In that work, the authors present a new formal model for ACL policies, called the geometric model, based on a set of rules, a default, a limited number of actions, and an ad-hoc resolution strategy. For anomaly resolution they present several techniques such as First Matching Rule (FMR) and Last Matching Rule (LMR), and they define a new type of anomaly resulting from the union of more than two rules (general shadowing and general redundancy). In [19] the authors adopt a novel rule segmentation technique for identifying and resolving anomalies in firewall policies, based on Binary Decision Diagrams (BDDs); they use a grid-based representation that gives an intuitive picture of each anomaly. With this technique the packet space is divided into disjoint packet-space segments, each associated with a unique set of firewall rules. The work in [20] presents a formal model of firewall rule sequences. The authors focus on the rule reordering problem: their method verifies whether a given firewall rule sequence still implements the specified security policy by checking the relations between rules. The verification method has two parts. The first is a decision-conflict rule set generator, where the security policy is translated into rules ordered correctly in the rule base, after which the rules that conflict with the policy are identified using a policy abstraction technique. The second is the policy consistency engine, which ensures that a rule reordering preserves the correctness of the security policy; in case of a violation, another reordering is needed. In [21], the authors present a framework to facilitate the detection of firewall policy conflicts in dynamic OpenFlow networks. Going beyond the previous works in this area, they present a model for detecting and resolving conflicts in real time: their tool, FLOWGUARD, checks network flow path spaces to detect firewall policy violations when the network state is updated. However, their framework has no analysis model and does not cover stateful firewalls in SDNs. Most of the papers cited above rely on human intervention for the detection and resolution of conflicts, which is in some cases difficult and error-prone. The authors of [22] focus on this point and propose an alternative that removes the need for human intervention: a query engine for firewall security policy analysis. Their proposal aims to automate the whole anomaly-resolution process without involving the administrator. Instead of prompting the administrator to insert rules in the proper order, their tool (FPQE) executes a set of queries against a high-level firewall policy.

In [5], the authors propose an analysis method that aims to detect anomalies in a firewall configuration file and to determine the consequences of deleting or updating filtering rules in that file. The key of the method is to represent the set of rules with a tree data structure. The Firewall Anomaly Tree (FAT) can be dynamically updated by adding or deleting filtering rules, and it gives the administrator an idea of the adequate position at which to insert a rule.

The authors of [23] use a data structure called Firewall Decision Diagram (FDD) together with an inference system. They propose a novel approach to automatically fix firewall misconfigurations. In this work, a classification of the different anomalies in a multi-firewall environment is provided, where anomalies are divided into two main parts: real misconfigurations and intended anomalies. According to this work, the resolution of configuration errors is done by several techniques such as modifying rule fields, reordering and removing some rules. In brief, they propose a method for rule set optimization by removing unused rules from the policy. The authors define shadowed and redundant rules as superfluous rules. Superfluous rule identification is based on an inference system, and rules of this kind are removed from the policy. After the removal of superfluous rules, the misconfiguration discovery phase begins. Misconfigurations are identified both in a single firewall (when different actions are applied to the same traffic in the same firewall configuration) and in distributed firewalls (different firewalls apply different actions to the same traffic).
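As an added illustration of the segmentation-based detection described for [19] and the superfluous (shadowed or redundant) rules removed in [23], the following Python is example code written for this page, not code from either paper: it splits the packet space of each rule into disjoint cells along the boundaries of the preceding rules and reports, under first-matching-rule (FMR) semantics, every rule that can never fire. The rule format, the protocol table and the sample policy are constructed for the example.

```python
from collections import namedtuple
from ipaddress import ip_network
from itertools import product

# A rule is a box in packet space: protocol x source x destination x dport,
# every field an integer interval (constructed format, not a real syntax).
Rule = namedtuple("Rule", "name proto src dst dport action")
PROTO = {"any": (0, 255), "tcp": (6, 6), "udp": (17, 17), "icmp": (1, 1)}

def ip_range(prefix):
    net = ip_network(prefix, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def box(rule):
    return (PROTO[rule.proto], ip_range(rule.src), ip_range(rule.dst), rule.dport)

def contains(b, cell):
    """True when every interval of box `b` covers the matching interval of `cell`."""
    return all(lo <= clo and chi <= hi for (lo, hi), (clo, chi) in zip(b, cell))

def cells_inside(b, boxes):
    """Split box `b` into elementary cells along the interval boundaries of
    `boxes`, so each cell lies wholly inside or wholly outside every box."""
    axes = []
    for dim, (lo, hi) in enumerate(b):
        cuts = {lo, hi + 1}
        for other in boxes:
            for c in (other[dim][0], other[dim][1] + 1):
                if lo < c <= hi:
                    cuts.add(c)
        pts = sorted(cuts)
        axes.append([(a, e - 1) for a, e in zip(pts, pts[1:])])
    return product(*axes)

def analyse(rules):
    """Map every rule that can never fire under FMR to 'shadowed' (earlier rules
    take all its cells with the other action), 'redundant' (same action) or
    'dead' (a mix of both). Live rules are not reported."""
    findings = {}
    for k, rule in enumerate(rules):
        earlier = [(box(r), r.action) for r in rules[:k]]
        seen = set()
        for cell in cells_inside(box(rule), [b for b, _ in earlier]):
            first = next((a for b, a in earlier if contains(b, cell)), None)
            if first is None:
                break      # a packet in this cell reaches the rule: it is live
            seen.add(first)
        else:
            if seen == {rule.action}:
                findings[rule.name] = "redundant"
            elif rule.action in seen:
                findings[rule.name] = "dead"
            else:
                findings[rule.name] = "shadowed"
    return findings

# Constructed sample policy: r2 is shadowed by r1, r3 is redundant to r1,
# r6 is covered only by the union of r4 and r5 (general shadowing), and r9
# is dead because r7 (same action) and r8 (other action) together cover it.
SAMPLE = [
    Rule("r1", "tcp", "10.0.0.0/8", "0.0.0.0/0", (80, 80), "allow"),
    Rule("r2", "tcp", "10.1.0.0/16", "0.0.0.0/0", (80, 80), "deny"),
    Rule("r3", "tcp", "10.2.0.0/16", "0.0.0.0/0", (80, 80), "allow"),
    Rule("r4", "tcp", "192.168.0.0/17", "0.0.0.0/0", (22, 22), "allow"),
    Rule("r5", "tcp", "192.168.128.0/17", "0.0.0.0/0", (22, 22), "allow"),
    Rule("r6", "tcp", "192.168.0.0/16", "0.0.0.0/0", (22, 22), "deny"),
    Rule("r7", "udp", "0.0.0.0/0", "172.16.0.0/13", (53, 53), "deny"),
    Rule("r8", "udp", "0.0.0.0/0", "172.24.0.0/13", (53, 53), "allow"),
    Rule("r9", "udp", "0.0.0.0/0", "172.16.0.0/12", (53, 53), "deny"),
]
```

Removing a rule reported as "redundant" leaves the findings for every other rule unchanged, which is the superfluous-rule removal step; a "shadowed" rule instead signals an ordering or intent error that needs the administrator's decision.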

B. IPsec Approaches

In the literature, IPsec policy verification and management approaches are not as common as firewall policy ones; this may be caused by the similarity between the two technologies and the novelty of IPsec compared to firewalls. The concept of verification of IPsec security policies was first introduced in [24]; the analysis is performed on several policy implementations in order to detect conflicts. The authors define a conflict as the case where policy implementations do not satisfy the security policy requirements. They define a requirement as the high-level policy objective, while policy implementations are specified to meet that objective. Thus the policy specification process transforms a requirement into a specific policy implementation. Besides conflict detection, the authors also propose a recovery mechanism. The resolution aims to define a new implementation that satisfies the desired policy while minimizing the possible damage caused by the violation of any security requirement. However, this method is quite complicated due to its use of non-standard high-level security requirements, which are not always available in existing standards. Furthermore, updating the requirements causes the re-initialization of the algorithm each time, which is a tedious task. Next, the schema proposed in this work was formalized in [6]. The authors propose a method for conflict detection by analyzing IPsec policies. This work can also be considered an extension of [10]. The proposed model incorporates the encryption and packet filtering capabilities of IPsec. Thus, two types of conflicts are defined, for both the intra- and inter-policy cases. The overlapping session conflict occurs when multiple IPsec sessions are established to deliver a packet to several hosts, and the packet is delivered to the farther host before the nearer one. The second type is the multi-transform conflict, which results from applying a weaker protection to already encapsulated traffic. The authors also use BDDs to compare rules translated into Boolean functions. The main drawback of this method is that it is limited to conflict detection only, without any recovery process. In addition, processing the policy rules each time is highly time consuming and inefficient in a dynamic environment.
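To make the overlapping session conflict concrete, the following Python is an added example written for this page (not code from [6] or any surveyed work) using a deliberately simplified model: all sessions are tunnels set up by the source host, listed innermost first, and the outermost header is processed first, so the packet is delivered to the outermost tunnel's endpoint before any inner endpoint. The host names, the forwarding path and the session lists are constructed.

```python
def delivery_order(sessions):
    """Hosts that receive the packet, in order, for `sessions` given as
    (src, dst) tunnels innermost first: the outermost endpoint comes first."""
    return [dst for _, dst in reversed(sessions)]

def overlapping_session_conflicts(path, sessions):
    """Return (outer, inner) tunnel pairs where the outer tunnel ends farther
    along `path` (source first) than an inner one. The packet then reaches
    the farther host before the nearer one: the overlapping session conflict."""
    pos = {host: i for i, host in enumerate(path)}
    conflicts = []
    for i, inner in enumerate(sessions):
        for outer in sessions[i + 1:]:
            if pos[outer[1]] > pos[inner[1]]:
                conflicts.append((outer, inner))
    return conflicts

# Constructed topology: h1 -> gw1 -> gw2 -> h2.
PATH = ["h1", "gw1", "gw2", "h2"]
# End-to-end tunnel wrapped in a tunnel to the first gateway: nearer host first.
NESTED_OK = [("h1", "h2"), ("h1", "gw1")]
# Tunnel to the first gateway wrapped in an end-to-end tunnel: h2 is reached
# before gw1, so gw1 never processes the traffic it was meant to protect.
NESTED_BAD = [("h1", "gw1"), ("h1", "h2")]
```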

In [25] and [26], the authors present a complete taxonomy of the possible conflicts in an IPsec security policy, including both packet-filter and IPsec configuration. Their proposed classification of intra- and inter-policy conflicts is quite similar; however, they define conflicts in a simpler way that makes the implementation much easier. In [27], an architecture that stores all IPsec policies in one center is proposed. This center is accessible by a manager and enforced by an access control policy. IPsec implementations manipulate IPsec databases via a database manager. The authors define an IPsec implementation as a program which can establish IPsec channels and access the databases (for instance Strongswan and Openswan). The essential contribution is that the use of this manager aims to prevent unauthorized implementations from accessing the databases. In another part, this work aims to prevent conflicts before they occur, which is described as a kind of conflict recovery. However, recovery is only made for conflict diffusion, which is the authors' definition of inter-policy conflicts.

The algorithm proposed in [28] can be considered an improvement of the solution proposed in [6]. The authors propose an algorithm for the dynamic verification of an IPsec policy. The proposed algorithm handles some types of conflicts (it does not support all the conflicts defined in the previous works). The method essentially uses BDDs to represent the IPsec policy and manipulates Boolean functions in order to dynamically detect conflicts. On the whole, the proposed algorithm generates conflict-free policies from conflicting ones. Thus, besides conflict detection, the authors also present some recovery mechanisms in their approach.

The authors of [29] extend the idea of, and improve the conflict classification in a way that is easier to implement. An algorithm is proposed for the dynamic detection of both intra- and inter-policy conflicts. The proposed classification includes all the possible conflicts of an IPsec access control list; the proposed algorithm is based on a generic model where each type of conflict is associated with a Boolean expression. The use of Boolean expressions to represent the IPsec policy is obtained thanks to Binary Decision Diagrams. Besides the improved classification, this method can also detect inter-policy conflicts. However, the method was not evaluated to show the efficiency of the algorithm.

TABLE 1 Comparison between different approaches for security policy analysis

Columns: Approaches | Conflict classification | Conflict resolution | Inter-policy conflicts | Data structure | Policy regeneration | Policy formal model | Conflict prevention | Dynamicity

Rows (one per approach, with the √ marks as extracted; the column each mark belongs to is not recoverable from the extracted text):

Firewall approaches:
[8] √ √
[9] √
[10] √
[12] √
[14] √ √
[15] √ √
[16] √ √ √
[7] √ √
[17] √ √ √
[18] √ √ √
[19] √ √ √
[20] √ √ √
[5] √ √ √
[23] √ √ √ √ √ √

IPsec approaches:
[24] √ √
[6] √
[26] √ √ √
[27] √ √
[28] √ √ √
[29] √ √ √ √

V. DISCUSSION AND COMPARISON

In this section, we compare the different works cited in this paper. Table 1 summarizes the main differences between all the works cited in this article. Each row of the table stands for a proposed approach identified by its citation number. The first fourteen rows present approaches for firewalls and the last six rows present approaches for IPsec. The columns present the different considered fields of policy analysis. The most pertinent fields used for the comparison are:

• Conflict classification: some works have proposed novel classifications of the existing conflicts, others introduced novel types of conflicts, and some works use the classification already existing in the literature.

• Conflict resolution: although the majority of approaches and methods can detect conflicts efficiently, not all of them guarantee the resolution of conflicts.

• Data structure: this refers to approaches in which the authors use a data structure such as trees, grids or binary decision diagrams to facilitate the representation of the policy or the analysis process.

• Dynamicity: despite the effect of dynamicity in networks, it was not the major concern of authors when analyzing security policies; only a few papers have taken dynamic conditions into consideration.

By comparing the different proposed approaches for the analysis of security policies, we provide a categorization schema, presented in Fig. 2, which classifies those works according to their contribution. We divided the approaches into three main categories:

• Classification and discovery of conflict approaches

The first proposed approaches for firewall policy analysis [5-13] and IPsec policy management [24-26] focus on the representation of the security policy in order to extract the possible existing conflicts. Several conflict types were added by novel classification models, and based on those classifications, researchers have built several conflict detection techniques. Nevertheless, those approaches did not guarantee the resolution of the detected conflicts, which brings us to the second category of policy analysis approaches.

Fig. 2. Categorization of Conflicts Analysis Approaches

• Approaches for conflict resolution

The resolution of conflicts is the ultimate goal of security policy analysis; hence several techniques have been proposed in the literature. For this purpose, different tools were created, such as Mirage in [7], Prometheus in [14], Margrave in [17], Flowguard for real-time resolution in [21] and FPQE for resolution without administrator intervention in [22]. Other resolution techniques were proposed, such as rewriting the security policy, introduced in [16], rule reordering, used in [18] and [20], and rule segmentation, presented in [19]. Note that some works combine different techniques, and some belong to several categories at the same time, such as [23], where the authors present a novel classification and propose a novel resolution technique based on an FDD representation.

• Performance optimization approaches

Other solutions were proposed based on previous works in order to optimize the performance of the analysis process, such as [28] and [29], where the authors propose novel algorithms for the management of IPsec security policies that aim to optimize time and complexity besides the detection and resolution of conflicts.

VI. PERSPECTIVES

Although conflict analysis studies are plentiful, there are still a lot of gaps in this context. One of the major drawbacks of the previous approaches is that they are limited to a single type of security control; such solutions are inefficient for complex and distributed networks, where a network can have a combination of different types of security controls (NAT, firewall, IPsec). Another major limitation of conflict analysis is that the majority of papers focus only on policy analysis and ignore performance and network topology. Yet performance is quite important when the network administrator is involved in policy verification and recovery.

The comparison between the different works presented in this paper leads us to conclude that many approaches share the same techniques; however, not all of them are compatible with each other. An alternative solution is to combine all the advantages of previous works to provide a unique approach suitable for all security controls. Another observation is that research on IPsec is not sufficient, despite the importance of the security policy for correct IPsec functioning. Consequently, the proposed future solution must take network topology into consideration and be convenient for the dynamic conditions imposed by distributed networks, while regarding other performance aspects such as execution time. To accomplish this objective, proposed approaches must guarantee well-defined formats of input data and use extensible data structures. So the aim is to provide a model that can perform policy analysis on different types of security controls while preserving network security, flexibility and transparency.

Fig. 2 (figure content): Conflict Analysis Approaches, divided into Classification of conflict; Resolution of conflicts (Re-writing policy, Re-ordering of rules, Segmentation of rules, Tool proposition); Optimization of performance.

VII. CONCLUSION

With the dynamic growth of the Internet, network security has become a focal concern. Firewalls and IPsec gateways are widely used in private networks as an important part of their security. However, their efficiency can be affected by conflicts in their security policies. Furthermore, the complexity of security policies makes their verification and configuration more difficult. Over the last decade, a lot of research has been carried out in this field. In this paper we present some of those works concerning the verification of firewall and IPsec policies. We define the outlines of both technologies and compare the different proposed approaches. The comparison between those works leads us to propose potential solutions to overcome security policy problems. One of the main propositions is to find a way to combine the proposed solutions into one single, general and standard approach, while ensuring the best performance in the network.

REFERENCES

[1] Snader, Jon C. VPNs Illustrated: Tunnels, VPNs, and IPsec. Addison-Wesley Professional, 2015.

[2] Ingham, Kenneth and Forrest, Stephanie. A history and survey of network firewalls. University of New Mexico, Tech. Rep., 2002.

[3] Wu, Zhengping and Liu, Yuanyao. Knowledge-based policy conflict analysis in mobile social networks. Wireless Personal Communications, 2013, vol. 73, no. 1, pp. 5-22.

[4] Pisharody, Sandeep, Chowdhary, Ankur, and Huang, Dijiang. Security policy checking in distributed SDN based clouds. In: Communications and Network Security (CNS), 2016 IEEE Conference on. IEEE, 2016, pp. 19-27.

[5] Abbes, Tarek, Bouhoula, Adel, and Rusinowitch, Michaël. Detection of firewall configuration errors with updatable tree. International Journal of Information Security, 2016, vol. 15, no. 3, pp. 301-317.

[6] Hamed, Hazem, Al-Shaer, Ehab, and Marrero, Will. Modeling and verification of IPSec and VPN security policies. In: Network Protocols, 2005. ICNP 2005. 13th IEEE International Conference on. IEEE, 2005, p. 10 pp.-278.

[7] Garcia-Alfaro, Joaquin, Cuppens, Frédéric, Cuppens-Boulahia, Nora, et al. MIRAGE: a management tool for the analysis and deployment of network security policies. Data Privacy Management and Autonomous Spontaneous Security, 2011, pp. 203-215.

[8] Al-Shaer, Ehab S. and Hamed, Hazem H. Firewall policy advisor for anomaly discovery and rule editing. In: Integrated Network Management, 2003. IFIP/IEEE Eighth International Symposium on. IEEE, 2003, pp. 17-30.

[9] Al-Shaer, Ehab S. and Hamed, Hazem H. Discovery of policy anomalies in distributed firewalls. In: INFOCOM 2004. Twenty-Third Annual Joint Conference of the IEEE Computer and Communications Societies. IEEE, 2004, pp. 2605-2616.

[10] Al-Shaer, Ehab, Hamed, Hazem, Boutaba, Raouf, et al. Conflict classification and analysis of distributed firewall policies. IEEE Journal on Selected Areas in Communications, 2005, vol. 23, no. 10, pp. 2069-2084.

[11] Al-Shaer, E. Modeling and verification of firewall and IPsec policies using binary decision diagrams. In: Automated Firewall Analytics. Springer, Cham, 2014, pp. 25-48.

[12] Yuan, Lihua, Chen, Hao, Mai, Jianning, et al. FIREMAN: a toolkit for firewall modeling and analysis. In: Security and Privacy, 2006 IEEE Symposium on. IEEE, 2006, p. 15 pp.-213.

[13] Bryant, Randal E. and Meinel, Christoph. Ordered binary decision diagrams. In: Logic Synthesis and Verification. Springer US, 2002, pp. 285-307.

[14] Oliveira, Ricardo M., Lee, Sihyung, and Kim, Hyong S. Automatic detection of firewall misconfigurations using firewall and network routing policies. In: IEEE DSN Workshop on Proactive Failure Avoidance, Recovery, and Maintenance (PFARM), 2009.

[15] Ferraresi, Simone, Pesic, Stefano, Trazza, Livia, et al. Automatic conflict analysis and resolution of traffic filtering policy for firewall and security gateway. In: Communications, 2007. ICC'07. IEEE International Conference on. IEEE, 2007, pp. 1304-1310.

[16] Alfaro, Joaquin Garcia, Boulahia-Cuppens, Nora, and Cuppens, Frédéric. Complete analysis of configuration rules to guarantee reliable network security policies. International Journal of Information Security, 2008, vol. 7, no. 2, pp. 103-122.

[17] Nelson, Timothy, Barratt, Christopher, Dougherty, Daniel J., et al. The Margrave tool for firewall analysis. In: LISA, 2010, pp. 1-18.

[18] Basile, Cataldo, Cappadonia, Alberto, and Lioy, Antonio. Network-level access control policy analysis and transformation. IEEE/ACM Transactions on Networking (TON), 2012, vol. 20, no. 4, pp. 985-998.

[19] Hu, Hongxin, Ahn, Gail-Joon, and Kulkarni, Ketan. Detecting and resolving firewall policy anomalies. IEEE Transactions on Dependable and Secure Computing, 2012, vol. 9, no. 3, pp. 318-331.

[20] Gawanmeh, Amjad. Automatic verification of security policies in firewalls with dynamic rule sequence. In: Information Technology: New Generations (ITNG), 2014 11th International Conference on. IEEE, 2014, pp. 279-284.

[21] Hu, H., Han, W., Ahn, G. J., and Zhao, Z. FLOWGUARD: building robust firewalls for software-defined networks. In: Proceedings of the Third Workshop on Hot Topics in Software Defined Networking. ACM, 2014, pp. 97-102.

[22] Bouhoula, A. and Yazidi, A. A security policy query engine for fully automated resolution of anomalies in firewall configurations. In: Network Computing and Applications (NCA), 2016 IEEE 15th International Symposium on. IEEE, 2016, pp. 76-80.

[23] Saâdaoui, Amina, Souayeh, Nihel Ben Youssef Ben, and Bouhoula, Adel. FARE: FDD-based firewall anomalies resolution tool. Journal of Computational Science, 2017, vol. 23, pp. 181-191.

[24] Fu, Zhi, Wu, S. Felix, Huang, He, et al. IPSec/VPN security policy: correctness, conflict detection, and resolution. In: Policies for Distributed Systems and Networks. Springer, Berlin, Heidelberg, 2001, pp. 39-56.

[25] Li, Zhitang, Cui, Xue, and Chen, Lin. Analysis and classification of IPsec security policy conflicts. In: Frontier of Computer Science and Technology, 2006. FCST'06. Japan-China Joint Workshop on. IEEE, 2006, pp. 83-88.

[26] Hamed, Hazem and Al-Shaer, Ehab. Taxonomy of conflicts in network security policies. IEEE Communications Magazine, 2006, vol. 44, no. 3, pp. 134-141.

[27] Sun, Hung-Min, Chang, Shih-Ying, Chen, Yao-Hsin, et al. The design and implementation of IPSec conflict avoiding and recovering system. In: TENCON 2007 - 2007 IEEE Region 10 Conference. IEEE, 2007, pp. 1-4.

[28] Niksefat, Salman and Sabaei, Masoud. Efficient algorithms for dynamic detection and resolution of IPSec/VPN security policy conflicts. In: Advanced Information Networking and Applications (AINA), 2010 24th IEEE International Conference on. IEEE, 2010, pp. 737-744.

[29] Khelf, Roumaissa and Ghoualmi, Nassira. Intra and inter policy conflicts dynamic detection algorithm. In: Detection Systems Architectures and Technologies (DAT), Seminar on. IEEE, 2017, pp. 1-6.
