Managing and Using Information Systems: A Strategic Approach – Sixth Edition

Keri Pearlson, Carol Saunders, and Dennis Galletta

IPsec/Firewall Security Policy Analysis : A Survey

Roumaissa Khelf Networks and System Laboratory

Computer Science Department Badji Mokhtar-Annaba University

Annaba, Algeria [email protected]

Nacira Ghoualmi-Zine

Networks and System Laboratory Computer Science Department

Badji Mokhtar-Annaba University Annaba, Algeria

[email protected]

Abstract—As the technology reliance increases, computer networks are getting bigger and larger and so are threats and attacks. Therefore Network security becomes a major concern during this last decade. Network Security requires a combination of hardware devices and software applications. Namely, Firewalls and IPsec gateways are two technologies that provide network security protection and repose on security policies which are maintained to ensure traffic control and network safety. Nevertheless, security policy misconfigurations and inconsistency between the policy’s rules produce errors and conflicts, which are often very hard to detect and consequently cause security holes and compromise the entire system functionality. In This paper, we review the related approaches which have been proposed for security policy management along with surveying the literature for conflicts detection and resolution techniques. This work highlights the advantages and limitations of the proposed solutions for security policy verification in IPsec and Firewalls and gives an overall comparison and classification of the existing approaches.

Keywords—Network Security; Security policy; IPsec; Firewall; Security policy anomalies; policy analysis; Conflicts analysis.

I. INTRODUCTION To enforce network security, several functionalities are

implemented by the security to ensure security within a computer network. Some of security controls are used to control traffic like firewalls (Network protection), others have the capability to control and modify the traffic as IPsec gateways (VPNs Protection) [1]. Despite that IPsec is newer than firewall technology, firewall studies are more common and various. This can be due to the fact that firewalls are more market-share. So, this gives us a motivation to regroup both technologies in this survey in order to show up which one of them is the best choice for the network security verification. Whereas studies are varied, Firewall and IPsec share the similar nature, thus security policies are an essential component for both of them. Basically, security policies are considered complex in large systems, and it is hard to find faults. In addition, network administrators cannot always have a deep insight of the network configuration; hence, those challenges make the security policy testing and verification much harder. To solve this problem, several approaches have been proposed in literature. The main objective of those studies was to find out a way to automatize the verification and the management of security policy by introducing different techniques for

conflicts identification and resolution. So, this survey highlights different studies for policy analysis context and especially on conflict management. Regarding studies on policy analysis topic, we can notice that there is no global or general solution that can be applied directly to solve the problem. Most of the studies focus on sub-problems parts solutions, thus the proposed works does not grant compatible solutions. Also, as regards to the network topology, dynamic environment of distributed networks must be taken into consideration (enterprise networks); because some of the proposed approaches are inefficient for dynamic conditions. More details will be given in next sections.

This work highlights the existing researches in the field of security policy verification and analysis. We highlight the most important approaches in a chronological order, while emphasizing the different advantages and disadvantages of these approaches. We also discuss the differences between these works, and propose solutions in order to overcome prior studies drawbacks and also we propose a categorization schema for the existing approaches in this area.

This paper is organized as follows. Section 2 presents a global overview on both technologies Firewall and IPsec hence the basic differences between them. In Section 3 we present a brief definition of security policy and the notion of filtering rules, as well as the policy analysis and its different fields. Section 4 presents the researches carried out on different types of security policy concerning firewalls and IPsec. In section 5 we compare the cited works and discuss the main differences between those approaches in addition to a proposition of a categorization schema.

II. FIREWALL VS IPSEC Firewall and IPsec are both complementary components

for network security. We can't really compare them; however, there are some differences between IPsec and firewalls. In this section we try to identify those differences and understand subtleties of both technologies.

A. Firewalls Firewalls are network devices which enforce an

organization’s security policy [2]. It can be a router, an access server, or a several services modules. Firewall monitors the outgoing and incoming traffic from and to a network. The monitoring operation is done using packet filters and aims to allow or deny the traffic. Firewall filters the packets according to various criteria such as IP addresses,

Ports, network interfaces… etc. All those information are ordered in a set of rules which constitute security policies of firewalls. The main objective of a firewall is to determine the accessibility of a type of traffic in a particular network. Indeed the principal is simple; a firewall protects the network by allowing or discarding wanted or unwanted traffic respectively. However, firewalls do not secure or modify the actual traffic going back and forth. Beside the fact that not all attacks types are handled, the emerging technologies like VPN and P2P present new challenges for firewalls.

B. IPsec Internet Protocol security (IPsec) is known as a cost-

effective way to establish security in Virtual Private Networks (VPNs). IPsec is a set of open standard that provide data authentication, integrity and confidentiality. It can be used to protect the data flow between a pair of hosts, a pair of gateways or between a host and a gateway. Regarding IPsec security architecture, it defines two types of security policies: the access control list and the crypto map list. Access control list defines the protected traffic and the crypto access list defines the protection parameters to be applied on this traffic. In other words, the distribution of protection in IPsec depends on the design of the security policy and its distribution.

C. Firewall and IPsec Comparison To sum up, Firewall is used to protect a network from

unwanted traffic, however, IPsec is used to protect a server or a group of servers in a network IPsec protect the wanted traffic while crossing the network, hence IPsec is not just controlling traffic but also protecting it. In other words, firewall security policies are defined to control the traffic access to the network. It aims to permit legitimate traffic and blocks unwanted traffic. On the other hand, IPsec’s access control policy has a similar aim of firewall policy; however legitimate traffic is either permitted directly or protected before the transmission. Therefrom, the main distinction comes between the firewall and IPsec. When the legitimate traffic is judged to be protected, the IPsec encryption list takes place, and the traffic is compared to its filtering rules to find out which IPsec perform (AH, ESP, Tunnel, Transport mode) must be applied on this traffic.

Despite the differences, both technologies can be used to ensure the network protection; the firewall is more convenient in term of the centralized protection. Hence IPsec is more powerful in the term of flexible protection and servers/domains isolations.

III. POLICY VERIFICATION BACKGROUND

A. Network Security Policy A network security policy is a set of requirements and

that control the behavior of an entity in a network. This behavior is defined by a set of constraints, which are meant to govern data access, use, and transfer inside the network. The security policy requirement is defined as a set of filtering rules; these rules are tried in a particular order that ensure the correct execution of policy directives. Generally, security policies are used to ensure three main

functionalities: Confidentiality (data secrecy), Integrity (data originality) and Availability (data access).

B. Security Policy Analysis After the definition of security policy directives, comes

the specification of filtering rules. This phase is called policy configuration, which is typically complicated and error-prone. Despite the huge importance of security policies on the security of communication networks, conflicts can lead to security breaches and high risk attacks. Thus, conflicts in network security policy can be a result of misconfiguration or inconsistency between different rules in the same policy or in different policies. Therefore, to ensure the correct functioning of the policy, conflicts should be avoided or at least identified in order to remove them. This solution is not as easy as it sounds because of many difficulties that make the conflict management a very hard task for network administrator such as; the growing number of internet applications, the nature of distributed networks, different types of security controls and the large number of policies and rules which can cause an extremely high number of conflicts, hence it become intractable for network administrator. Therefrom, the need arises to find more suitable solutions for the verification of security policies.

C. Policy Analysis As discussed before, Network security cannot be

guaranteed without a well-designed security policy. Hence, several studies have been carried out to overcome the problem of conflicts and configuration errors in different types of security policies such as in social network policies [3] or cloud computing [4], Policy analysis consists of the verification of policy configuration in order to monitor the changes in policies, behavior or security violation caused by a conflict. To be noted that during the analysis of policy, devices which are already deployed remains unchangeable and under the control of a network administrator.

Regarding the proposed works in literature that extend the concept of policy analysis, we can divide them into three main categories: reachability, policy comparison and conflict analysis. (Fig. 1) Essentially, our focus will be on conflicts

Fig. 1. Classification of Policy Analysis Approaches

analysis.

The analysis of conflicts aims to identify potential errors in single or multiple security policies (intra and inter domains). Without the loss of generality, the approaches used for conflict analysis can be also categorized into three main categories: verification of configurations, conflicts detection and policy optimization. Thus, the proposed solutions for the conflicts detection across last years, can be divided in three sub-categories: the first one is the policy management sub-category, which is based on data structures like [5], the second one is the proposition of novel formal models as in [6] and lastly, the proposition of new tools such as [7].

IV. STATE OF THE ART In literature, firewall policy verification is a very

common research field; a lot of approaches were proposed in order to provide a complete solution of the main problem: the conflict analysis. In this section, we show some of these proposed approaches for firewall policy verification.

A. Firewall Approaches The Proposition of Al in [8] was the first paper that introduced the concept of conflict analysis of firewall policy. Authors in this paper define all the existing relations between policy rules, their classification defines 5 types of relationships: complete disjoint where rules are independent and do not have any intersection, exactly matched: two rules match the same traffic and apply the same action for this traffic. The other type is: Inclusively matched, this relation occurs when the rules do not exactly match the same traffic, in other words, every field in the first rule is a subset or equal to the corresponding fields in the second rule. Partially disjoint: is when at least one of the first rule fields is a subset or equal to the other rule and finally Correlation is when some fields of the rule are subsets or equals to the corresponding fields in the second rules, and the rest of other fields are superset or equals. The authors present policy using a single rooted tree (policy tree) so every node in the policy tree represents a field of a filtering rule and each branch at this node represents a possible value for the associated field. Then they give a classification of 4 types of anomalies (shadowing, correlation, generalization and redundancy). The authors use a tool called policy advisor that help the administrator to manage a firewall policy without prior analysis of filtering rules. Thus, it implements two management tools: policy anomaly detector: identify anomalies and notify the administrator and policy editor; which reorder the updated or inserted rules. However policy advisor is limited in detecting only pairwise anomalies in firewall rules. This work was extended next to [9]. In this work, the authors add a new classification which includes the multi-firewall environment anomalies. So they develop their technique to detect anomalies in centralized and distributed legacy firewall. The new defined conflicts are (shadowing, spuriousness, correlation, redundancy and irrelevance). Shadowing occurs between two rules in two different firewalls that match the same packets and the first

rule blocks a packet that is permitted by the second rule. The case of spuriousness is defined when two rules match the same packet and the first rule permit this packet which is blocked by the second rule. According to their definition, rules in correlation are rules in different firewall. These rules match some common packets, but apply different actions. However, if these two rules block the traffic, it’s then a redundancy conflict. The irrelevances anomaly is defined by rules which do not have any corresponding matched traffic. Authors specify that rules insertion phase is performed in two steps, the first one is the rule placement which aims to find the corresponded firewall by identifying all the possible paths, and the next step is to verify the relation between the new rule and the existing rules in order to avoid intra-firewall anomalies. Despite this work was very helpful for next studies, it has the drawback of detecting anomalies only afterward, and do not provide a recovery mechanism, also it’s not suitable for all the security controls. In addition, high performances are guaranteed only for a limited number of rules. Another extension of Al-Shaer’s work is [10]. This work proved that conflicts classified by Al-Shaer cation are the only conflicts that could exist in firewall policies. The authors present a set of algorithms to detect rule anomalies within a single firewall (intra-firewall anomalies), and between interconnected firewalls (inter-firewall anomalies) in the network. In addition to their previous works they presented a user-friendly Java-based implementation of the Firewall Policy Advisor. This work was also extended by Al-Shaer in [11]. The Authors in [12] also proposed a novel tool “FIREMAN” for the analysis of firewall policies. They use the Binary Decision Diagram (BDD) [13] to represent the packet filtering policies. This work provides intra-policy packets analysis and verifies the correct implementation on end-to-end policy.

The FIREMAN detection technique is based on the analysis of potential relationships between a filtering rule and a packet space. Hence this packet space is derived from the set of all the preceding rules. The main limitation of FIREMAN is that it can only detect the anomaly without identifying the rules involved. Also, subsequent rules are ignored during the anomaly analysis. In [14] FIREMAN toll was extended to deal with NAT and routing tables. Their tool, Prometheus, unlike Fireman, is able to detect the misconfiguration beside rules responsible for it. Prometheus identifies the anomaly when two different paths within the same firewall execute several decisions for the same packet. In Addition some corrections are also available with this tool. In [15], the authors define a methodology to classify firewall policy rule conflicts, according to their severity level. Authors present a classification of different intra- policy conflicts, where severity defines the rank of correlation between the presences of conflict in policy and the erroneous behavior of the respective device. Exact match, shadowing, and post redundancy are severe conflicts according to authors’ definition. The resolution of conflicts depends in some cases, on the network manager decision;

that can associate priorities to the conflictual rules. One of the major limitations of this work is that the approach concerns only a one firewall policy implementation; it is not applied on distributed firewall policies. Al-Shaer approach was very helpful for researches thus, a lot of works has been proposed based on it. Those novel approaches prove that al- Shaer classification is general and applicable for multiple scenarios. Additionally, some researchers introduce different security component for the security policy analysis context, for instance in [16], authors add the possibility to manage security policies over a distributed network security as network intrusion detection systems (NIDS) for the detection of conflicts in filtering packet rules, the authors presented a network model that allows identification of components which are crossed by a given packet knowing its source and destination. Based on this model they defined two new types of conflicts (irrelevance and miss- connection). In this work, the security policy is rewritten in a positive and negative format (only allows rule or only deny rules). The extended work of this approach is [7] where the MIRAGE tool is proposed. This tool represents a management tool for analysis and deployment of configuration policies over network security components, such as firewalls, intrusion detection systems, and VPN routers. In the same context, another tool was proposed in [17]. The authors propose the Margrave; a novel tool for firewall analysis. Beside the analysis of the policy this tool is able to define the consequences resulting from configuration updates. Margrave is also capable to generate separate policies for other functions other than access filtering, like routing and switching which ensure the analysis of the whole firewall behavior. Other studies present formal models for security policy generation, such as [18]. In this work, the authors present a new formal model for the ACL policies, this model called geometric model is based on a set of rules a default limited number of actions and use an ad-hoc resolution strategy. For the resolution of anomalies, the authors present several techniques such as the First matching Rule (FMR) and the Last Matching Rule (LMR). In addition, the authors define a new type of anomalies which result from the union of more than two rules (general shadowing and general redundancy). In [19] authors adopt a novel technique of rule segmentation for the identification and resolution of anomalies in firewall policies based on Binary Decision Diagram (BDD). For this purpose, they adopt a grid-based representation technique which provides an intuitive cognitive sense about anomaly, in order to identify policy anomalies and resolve them. Based on this technique the network packet space is divided into disjoint packet space segments associated with a unique set of firewall rules. The work in [20] presents a formal model of firewall rules sequence, the authors focus on rules reordering problem, their method verifies if a given firewall rule sequence maintains the correct specification of a security policy, by checking the relation between rules. They proposed a verification method divided into two parts. The first part is decision conflicts rules set generator; where

the set of security policy is translated into rules and ordered correctly is in the rule base, then identifying rules that generate conflict with the policy abstraction technique. The second part is the Policy consistency engine which ensures that rules reordering maintain the correctness of the security policy. In case of violation another rule reordering is needed. In [21], authors present a framework in order to facilitate the detection of firewall policy conflicts inside dynamic open flow networks, in addition to the previous works in this area, this work present a model for the detection and the resolution of conflicts in a real-time situations, the proposed tool FLOWGUARD checks network flow path spaces to detect firewall policy violations when network states are updated. However, there is no analysis model in their framework. And it does not cover stateful firewalls in SDN’s. Basically, most of precedent cited paper has focus on the detection and resolution of conflicts with the human intervention, which is in some cases difficult and error prone. Authors in [22] focus on this point and propose an alternative solution to make amends of human intervention, where they use a query engine for firewall security policy analysis. Their proposition aims to automate the whole process of anomaly resolution, without referring to the administrator intervention. In other words, instead of prompting the administrator for inserting the proper order of rules, they implemented a tool (FPQE) which executes a set of queries against a high level firewall policy.

In [5] Authors propose an analysis method; this method aims to detect anomalies in a firewall file configuration and to determine consequences resulting from deleting or updating filtering rules in the configuration file. The method key is to represent the set of rules with a data structure which is the tree. Firewall Anomaly Tree (FAT) can be dynamically updated by adding or deleting filtering rules and it gives to administrator an idea about the adequate position to insert a rule.

Authors in [23] use a data structure called Firewall Decision Diagram FDD and an inference system. They propose a novel approach to automatically remove fix firewall misconfigurations. In this work, a classification of different anomalies in the multi firewall environment is provided, where anomalies are divided into two main parts; real misconfiguration and intended anomaly Resolution of configuration errors, according to this work is done by several techniques such as modifying the rules fields, reordering and removing some rules. In brief they propose a method to rules sets optimization by removing unused rules in the policy. The authors define shadowed and redundant rules as superfluous rules. Superfluous rules identification is based on an inference system. Thus, this kind of rules is removed from the policy. After the removal of superfluous rules the discovery of misconfiguration phase begins. Misconfigurations are identified in both simple firewall (when different actions are applied on the same traffic in the same firewall configuration) and distributed firewalls

(different firewalls apply different actions on the same traffic).

B. IPsec Approaches In literature, IPsec policies verification and management

approaches are not as common as firewall polices, this can be caused by the similarity between the two technologies, and the novelty of IPsec comparing to firewalls. The concept of verification of IPsec security policies was firstly introduced in [24]; the analysis is performed on several policy implementations in order to detect conflicts. Authors define a conflict as the case when policy implementations do not satisfy the security policy requirements. They define a requirement as the high level policy objective while policy implementations are specified to meet that objective. Thus the policy specification process transforms a requirement to specific policy implementation. Beside the conflicts detection, authors propose also a recovery mechanism. The resolution aims to define new implementation that satisfies the desired policy while minimizing possible damage causes by the violation of any security requirement. However, this method is quite complicated due to the use of non-standard high level security requirement, which are not always available in existing standards. Furthermore, updating requirements cause the re-initialization of algorithm each time, which is a tedious task. Next the schema proposed in this work was formalized in [6]. The authors propose a method for conflict detection by analyzing IPsec policies. This work can be also considered as the extension of [10]. The proposed model incorporates encryption and packet filter capabilities of IPsec. Thus, two types of conflicts are defined for both the intra and inter-policy. the overlapping session conflicts occurs when multiple IPsec session are established to delivered a packet to several hosts, and the packet is delivered to the farther host before the near one. The second type of conflict is the Multi-Transform conflict. It is the result of the application of a weaker protection to an already encapsulated traffic. Authors also use BDD to compares rules translated into Boolean functions. The main drawback of this method is that is limited to detection conflicts only without any recovery process. In addition, the processing of the policy rules each time is highly time consuming and inefficient in dynamic environment.

In [25] and [26] authors present a complete taxonomy of possible existing conflicts in an IPsec security policy, including both packet-filter and IPsec configuration. Their proposed classification of intra and inter-policy is quite similar; however they define conflicts in a simpler way that makes the implementation much easier. In [27] an architecture that stores all the IPsec policy in a center is proposed. Thus, this center is accessible by a manager and enforced by an access control policy. IPsec implementations manipulate IPsec databases via a database manager. The authors define IPsec implementation as programs which can establish IPsec channels and access to databases (for instance Strongswan and Openswan). The essential contribution is that the use of this manager aims to avoid access to databases by unauthorized implementations. In

another part, this work aims to prevent conflict before it occurs, which is described as some kind of conflict recovery. However, recovery is only made for conflict diffusion, which is the authors’ definition of the inter-policy conflicts.

The proposed algorithm in [28] can be considered as an improvement of the solution proposed in [6]. The authors propose an algorithm for the dynamic verification of an IPsec policy. The proposed algorithm defines some type of conflicts (does not support all the defined conflicts in the previous works). The method uses essentially the BDD to represent the IPsec policy and manipulate Boolean functions in order to dynamically detect conflicts. On the whole, the proposed algorithm generates conflict-free policies from conflicting policies. Thus, beside the conflicts detection authors also present some recovery mechanisms in their approach

Authors in [29] extend the idea of, they improved the conflicts classification in a way to be easier to implement. An algorithm is proposed for dynamic detection of both intra and inter-policy conflicts. The proposed classification includes all the possible conflicts of an IPsec Access control list; the proposed algorithm is based on a generic model where each type of conflict is associated with a Boolean expression. The use of Boolean expression for the presentation of IPsec policy is obtained thanks to the Binary Decision Diagram. Beside the improvement of classification this method can also detect inter-policy conflicts. However the method was not evaluated to show up the efficiency of the algorithm.

TABLE 1 Comparison between different approaches for security policy analysis

A p

p ro

ac he

s

C on

fl ic

t C

la ss

if ic

at io

n

C on

fl ic

t R

es o

lu ti

on

In te

r- p

ol ic

y co

n fl

ic ts

D at

a

S tr

u ct

u re

P

o li

cy

re g

en er

at io

n

P o

li cy

f o

rm al

m

o de

l

C on

fl ic

t p

re v

en ti

on

D y

na m

ic it

y

[8] √ √ [9] √ [10] √ [12] √ [14] √ √ [15] √ √ [16] √ √ √

[7] √ √

[17] √ √ √

[18] √ √ √

[19] √ √ √

[20] √ √ √

[5] √ √ √

[23] √ √ √ √ √ √

[24] √ √

[6] √

[26] √ √ √

[27] √ √

[28] √ √ √

[29] √ √ √ √

V. DISSCUSION AND COMPARISON

In this section, we compare the different works cited in this paper. Table 1 summarizes the main differences between all cited works in this article. Each row in the table stands for a proposed approach identified by its citation number. The first fourteen rows present approaches for Firewalls and the last six rows present approaches for IPsec. Columns present the different considered fields of policy analysis. Thus the most pertinent fields used for the comparison are:

� Conflict classification Some works has proposed novel classification for the existing conflicts, other introduced novel types of conflicts and some works uses the already existing classification in literature. � Conflict Resolution

Although the majority of approaches and methods can detect conflicts efficiently, not all those approaches have guaranteed the resolution of conflicts. � Data structure

This come to approaches in which authors use a kind of data structure like trees, grids and binary decision diagram, to facilitate the representation of policy or the analysis process. � Dynamicity

Although the effect of dynamicity in networks, it was not the major concern of authors when analyzing the security policy, only few papers has taken into consideration the dynamic conditions.

By comparing the different proposed approaches for the analysis of security policy, we provided a categorizatiON schema presented in (fig. 2) which classifies those works according to their contribution. We divided the approaches into three main categories:

� Classification and discovery of conflict approaches

The first proposed approaches for firewall policy analysis [5-13] and IPsec policy management [24-26] focus on the representation of security policy in order to extract the possible existing conflicts.

Fig. 2. Categorization of Conflicts Analysis Approches

Several conflicts types where added by novel classification models, thus based on those classifications, researchers have builds on several conflicts detection techniques. Nevertheless, those approaches did not guarantee the resolution of the detected conflicts, which bring us to the second categories of policy analysis approaches. � Approaches for conflict resolution

The resolution of conflict is the ultimate goal of security policy analysis, hence several techniques have been proposed in literature. For this purpose, different tool were created such as Mirage in [7], Prometheus in [14], Margrave in [17], Flowguard for a real time resolution in [21] and FPQE for a resolution without the administrator intervention in [22]. Other resolution techniques were proposed like: Re- writing security policy introduced in [16], Rule Re-ordering used in [18] & [20], and Rule segmentation presented in [19]. Noted that some works have combine different techniques and some other belongs to different categories at same time such in [23] where authors present a novel classification and propose a novel resolution technique based on an FDD representation. � Performances optimization approaches

Other solutions were proposed based on previous works, in order to optimize the analysis process performances, such in [28] and [29] where authors propose novel algorithms for the management of IPsec security policy, where the proposed algorithm aims to optimize the time and complexity beside the detection and resolution of conflicts.

VI. PERSPECTIVES Despite that conflict analysis studies are plenty; there are

still a lot of lakes in this context. One of the major drawbacks of the previous approaches is that they are limited to a single type of security control, thus such type of solution is inefficient for complex and distributed networks, where a network can have a combination of different type of security controls (NAT, Firewall, IPsec). Another major limitation concerning conflict analysis is that the majority of paper focuses only on policy analysis and ignores the aspect of the performances and network topology. Thus, performances are quite important when network administrator is involved in policy verification and recovery.

The comparison between the different works presented in this paper, leads us to conclude that a lot of approaches share the same techniques, however not all of them are compatible with each other. An alternative solution is to combine all the advantages of previous works to provide a unique approach suitable for all security controls. Another observation is that researches on IPsec are not sufficient despite the importance of security policy for the correct IPsec functioning. Consequently, the proposed future solution must take network topology into consideration and convenient to dynamic conditions imposed by distributing networks while regarding other performance aspect like execution time. To accomplish this objective, proposed

Conflict Analysis

Approaches

Classification of conflict

Resolution of conflicts

Re-writing policy

Re-ordering of rules

Segmentation of rules

Tool proposition

Optimization of

performance

approaches must guarantee well-defined formats of input data; and use extendible data structure. So the aim is to provide a model that can perform policy analysis on different types of security controls while conserving network security, flexibility and transparency.

VII. CONCLUSION With the dynamic growth of the internet, network

security has become a focal concern. Firewall and IPsec gateways are widely used in private networks as an important part of their security. However, their efficiency can be affected by the conflict produced in their security policies. Furthermore, the complexity of security policy makes their verification and configuration more difficult. Along this last decade, a lot of researches were carried out in this field. In this paper we present some of those works concerning the verification of policies of firewall and IPsec. We define the outlines of both technologies and compare different proposed approaches. A comparison between those works, lead us to propose potential solutions in order to overcome security policy problem. One of the main propositions is to find out a way to combine proposed solutions into one single general and standard approach, while ensuring the best performances in the network.

REFERENCES [1] Snader, Jon C. VPNs Illustrated: Tunnels, VPNs, and IPsec. Addison-

Wesley Professional, 2015.

[2] Ingham, Kenneth et Forrest, Stephanie. A history and survey of network firewalls. University of New Mexico, Tech. Rep, 2002.

[3] Wu, Zhengping et Liu, Yuanyao. Knowledge-based policy conflict analysis in mobile social networks. Wireless personal communications, 2013, vol. 73, no 1, p. 5-22.

[4] Pisharody, Sandeep, Chowdhary, Ankur, et Huang, Dijiang. Security policy checking in distributed SDN based clouds. In : Communications and Network Security (CNS), 2016 IEEE Conference on. IEEE, 2016. p. 19-27.

[5] ABBES, Tarek, BOUHOULA, Adel, et RUSINOWITCH, Michaël. Detection of firewall configuration errors with updatable tree. International Journal of Information Security, 2016, vol. 15, no 3, p. 301-317.

[6] HAMED, Hazem, AL-SHAER, Ehab, et MARRERO, Will. Modeling and verification of IPSec and VPN security policies. In : Network Protocols, 2005. ICNP 2005. 13th IEEE International Conference on. IEEE, 2005. p. 10 pp.-278.

[7] GARCIA-ALFARO, Joaquin, CUPPENS, Frédéric, CUPPENS- BOULAHIA, Nora, et al. MIRAGE: a management tool for the analysis and deployment of network security policies. Data Privacy Management and Autonomous Spontaneous Security, 2011, p. 203- 215.

[8] Al-Shaer, Ehab S. et Hamed, Hazem H. Firewall policy advisor for anomaly discovery and rule editing. In : Integrated Network Management, 2003. IFIP/IEEE Eighth International Symposium on. IEEE, 2003. p. 17-30.

[9] AL-SHAER, Ehab S. Et HAMED, Hazem H. Discovery of Policy Anomalies In Distributed Firewalls. in : INFOCOM 2004. Twenty- Third Annualjoint Conference Of The IEEE Computer and Communications Societies. IEEE, 2004. P. 2605-2616.

[10] AL-SHAER, Ehab, HAMED, Hazem, BOUTABA, Raouf, et al. Conflict classification and analysis of distributed firewall policies. IEEE journal on selected areas in communications, 2005, vol. 23, no 10, p. 2069-2084.

[11] Al-Shaer, E. Modeling and verification of firewall and ipsec policies using binary decision diagrams. 2014 In Automated Firewall Analytics (pp. 25-48). Springer, Cham.

[12] YUAN, Lihua, CHEN, Hao, MAI, Jianning, et al. Fireman: A toolkit for firewall modeling and analysis. In : Security and Privacy, 2006 IEEE Symposium on. IEEE, 2006. p. 15 pp.-213.

[13] BRYANT, Randal E. et MEINEL, Christoph. Ordered binary decision diagrams. In : Logic Synthesis and Verification. Springer US, 2002. p. 285-307.

[14] OLIVEIRA, Ricardo M., LEE, Sihyung, et KIM, Hyong S. Automatic detection of firewall misconfigurations using firewall and network routing policies. In : IEEE DSN Workshop on Proactive Failure Avoidance, Recovery, and Maintenance (PFARM). 2009.

[15] FERRARESI, Simone, PESIC, Stefano, TRAZZA, Livia, et al. Automatic conflict analysis and resolution of traffic filtering policy for firewall and security gateway. In : Communications, 2007. ICC'07. IEEE International Conference on. IEEE, 2007. p. 1304-1310.

[16] ALFARO, Joaquin Garcia, BOULAHIA-CUPPENS, Nora, et CUPPENS, Frédéric. Complete analysis of configuration rules to guarantee reliable network security policies. International Journal of Information Security, 2008, vol. 7, no 2, p. 103-122.

[17] NELSON, Timothy, BARRATT, Christopher, DOUGHERTY, Daniel J., et al. The Margrave Tool for Firewall Analysis. In : LISA. 2010. p. 1-18.

[18] BASILE, Cataldo, CAPPADONIA, Alberto, et LIOY, Antonio. Network-level access control policy analysis and transformation. IEEE/ACM Transactions on Networking (TON), 2012, vol. 20, no 4, p. 985-998.

[19] HU, Hongxin, AHN, Gail-Joon, et KULKARNI, Ketan. Detecting and resolving firewall policy anomalies. IEEE Transactions on dependable and secure computing, 2012, vol. 9, no 3, p. 318-331.

[20] GAWANMEH, Amjad. Automatic verification of security policies in firewalls with dynamic rule sequence. In : Information Technology: New Generations (ITNG), 2014 11th International Conference on. IEEE, 2014. p. 279-284.

[21] Hu, H., Han, W., Ahn, G. J., & Zhao, Z. FLOWGUARD: building robust firewalls for software-defined networks, 2014 In Proceedings of the third workshop on Hot topics in software defined networking (pp. 97-102). ACM.

[22] Bouhoula, A., & Yazidi, A. A security policy query engine for fully automated resolution of anomalies in firewall configurations. In Network Computing and Applications (NCA), 2016 IEEE 15th International Symposium on (pp. 76-80). IEEE

[23] SAÂDAOUI, Amina, SOUAYEH, Nihel Ben Youssef Ben, et BOUHOULA, Adel. FARE: FDD-based firewall anomalies resolution tool. Journal of Computational Science, 2017, vol. 23, p. 181-191.

[24] FU, Zhi, WU, S. Felix, HUANG, He, et al. IPSec/VPN security policy: Correctness, conflict detection, and resolution. In : Policies for Distributed Systems and Networks. Springer, Berlin, Heidelberg, 2001. p. 39-56.

[25] LI, Zhitang, CUI, Xue, et CHEN, Lin. Analysis and classification of ipsec security policy conflicts. In : Frontier of Computer Science and Technology, 2006. FCST'06. Japan-China Joint Workshop on. IEEE, 2006. p. 83-88.

[26] HAMED, Hazem et AL-SHAER, Ehab. Taxonomy of conflicts in network security policies. IEEE Communications Magazine, 2006, vol. 44, no 3, p. 134-141.

[27] SUN, Hung-Min, CHANG, Shih-Ying, CHEN, Yao-Hsin, et al. The design and implementation of IPSec conflict avoiding and recovering system. In : TENCON 2007-2007 IEEE Region 10 Conference. IEEE, 2007. p. 1-4.

[28] NIKSEFAT, Salman et SABAEI, Masoud. Efficient algorithms for dynamic detection and resolution of IPSec/VPN security policy conflicts. In : Advanced Information Networking and Applications (AINA), 2010 24th IEEE International Conference on. IEEE, 2010. p. 737-744.

[29] KHELF, Roumaissa et Ghoualmi, Nassira. Intra and inter policy Conflicts Dynamic Detection Algorithm. In : Detection Systems Architectures and Technologies (DAT), Seminar on. IEEE, 2017. p 1-6