Automatic Generation of IPSec/VPN Security Policies In an Intra-Domain Environment

Zhi (Judy) Fu, S. Felix Wu

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Professional


Abstract

IPSec [1] policies are widely deployed in firewalls and security gateways to protect information assets. The security treatment (e.g. deny, allow, or encrypt) of all inbound and outbound traffic is determined by these security policies, so it is critical that policies be specified and configured correctly. In current practice, IPSec policies are configured manually on each individual security gateway, which can be very inefficient and error-prone. In this research we focus on two questions: 1) How can policy correctness be ensured? 2) How can correct policies be specified systematically instead of configured manually? Obviously, policies are correct if they do what they are intended to do; however, the relationship between what is intended and what the policies actually do is vague. In our research we clearly define a higher-level policy, called a security requirement, and clearly define what it means for a requirement to be satisfied. Policies are therefore correct only if they satisfy all requirements. Furthermore, we design algorithms that automatically generate correct policies from a given set of security requirements. Administrators can specify their requirements at a high level without attending to specific low-level parameters, and correct low-level policies are then generated automatically. This automation not only saves tremendous administrative labor but also guarantees that the generated policies are correct.
Original language: English
Title of host publication: Operations & Management
Subtitle of host publication: 12th International Workshop on Distributed Systems, DSOM 2001, Nancy, France, October 15-17, 2001: Proceedings
Editors: Olivier Festor, Aiko Pras
Place of publication: Rocquencourt
Publisher: INRIA
Pages: 279-290
Number of pages: 12
ISBN (Print): 9782726111901
Publication status: Published - 2001
Externally published: Yes
Event: 12th IEEE/IFIP International Workshop on Distributed Systems, DSOM 2001: Internet Services: Management Beyond the Element - Nancy, France
Duration: 15 Oct 2001 to 17 Oct 2001
Conference number: 12
Internet address: https://www.simpleweb.org/ifip/Conferences/DSOM/2001/DSOM2001/index-2.html

Conference

Conference: 12th IEEE/IFIP International Workshop on Distributed Systems, DSOM 2001
Abbreviated title: DSOM
Country/Territory: France
City: Nancy
Period: 15/10/01 to 17/10/01
