Inter-technology Conflict Analysis for Communication Protection Policies

  • Cataldo Basile
  • Daniele Canavese
  • Antonio Lioy
  • Fulvio Valenza
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8924)


Usually network administrators implement a protection policy by refining a set of (abstract) communication security requirements into configuration settings for the security controls that will provide the required protection. The refinement consists in evaluating the available technologies that can enforce the policy at node and network level, selecting the most suitable ones, and possibly making fine adjustments, like aggregating several individual channels into a single tunnel. The refinement process is a sensitive task which can lead to incorrect or suboptimal implementations, that in turn affect the overall security, decrease the network throughput and increase the maintenance costs. In literature, several techniques exist that can be used to identify anomalies (i.e. potential incompatibilities and redundancies among policy implementations. However, these techniques usually focus only on a single security technology (e.g. IPsec) and overlook the effects of multiple overlapping protection techniques. This paper presents a novel classification of communication protection policy anomalies and a formal model which is able to detect anomalies among policy implementations relying on technologies that work at different network layers. The result of our analysis allows administrators to have a precise insight on the various alternative implementations, their relations and the possibility of resolving anomalies, thus increasing the overall security and performance of a network.


Network Node Security Requirement Policy Implementation Security Property Horn Clause 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



The research described in this paper is part of the SECURED project, co-funded by the European Commission under the ICT theme of FP7 (grant agreement no. 611458).


  1. 1.
    Wool, A.: Trends in firewall configuration errors: measuring the holes in swiss cheese. IEEE Internet Comput. 14(4), 58–65 (2010)CrossRefGoogle Scholar
  2. 2.
    Center for Strategic and International Studies: Securing cyberspace for the 44th presidency. Technical report, December 2008Google Scholar
  3. 3.
    Hamed, H., Al-Shaer, E.: Taxonomy of conflicts in network security policies. IEEE Commun. Mag. 44(3), 134–141 (2006)CrossRefGoogle Scholar
  4. 4.
    Hamed, H., Al-Shaer, E., Marrero, W.: Modeling and verification of IPsec and vpn security policies. In: 13th IEEE International Conference on Network Protocols, ICNP 2005, pp. 259–278. IEEE Computer Society, November 2005Google Scholar
  5. 5.
    Li, Z., Cui, X., Chen, L.: Analysis and classification of IPsec security policy conflicts. In: Japan-China Joint Workshop on Frontier of Computer Science and Technology, FCST 2006, pp. 83–88. IEEE Computer Society, November 2006Google Scholar
  6. 6.
    Kelly, S., Ramamoorthi, S.: Requirements for IPsec Remote Access Scenarios. RFC 3457, January 2003Google Scholar
  7. 7.
    Khakpour, A., Liu, A.X.: Quarnet: a tool for quantifying static network reachability. IEEE/ACM Trans. Netw. 21(2), 551–565 (2009)Google Scholar
  8. 8.
    Group, W.O.W.: OWL 2 web ontology language document overview. Technical report, October 2009.
  9. 9.
    W3C: SWRL: A Semantic Web Rule Language Combining OWL and RuleML. Technical report, World Wide Web Consortium, May 2004Google Scholar
  10. 10.
    Al-Shaer, E., Hamed, H., Boutaba, R., Hasan, M.: Conflict classification and analysis of distributed firewall policies. IEEE J. Sel. Areas Commun. 23(10), 2069–2084 (2006)CrossRefGoogle Scholar
  11. 11.
    Zao, J.: Semantic model for IPsec policy interaction. Technical report, Internet Draft, March 2000Google Scholar
  12. 12.
    Fu, Z., Wu, S.F., Huang, H., Loh, K., Gong, F., Baldine, I., Xu, C.: IPSec/VPN security policy: correctness, conflict detection, and resolution. In: Sloman, M., Lobo, J., Lupu, E.C. (eds.) POLICY 2001. LNCS, vol. 1995, p. 39. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  13. 13.
    Basile, C., Cappadonia, A., Lioy, A.: Network-level access control policy analysis and transformation. IEEE/ACM Trans. Netw. 20(4), 985–998 (2012)CrossRefGoogle Scholar
  14. 14.
    Hu, H., Ahn, G.J., Kulkarni, K.: Detecting and resolving firewall policy anomalies. IEEE Trans. Dependable Secure Comput. 9(3), 318–331 (2012)CrossRefGoogle Scholar
  15. 15.
    Hu, H., Ahn, G.J., Kulkarni, K.: Ontology-based policy anomaly management for autonomic computing. In: 7th International Conference on Collaborative Computing: Networking, Applications and Worksharing. CollaborateCom, IEEE Computer Society, pp. 487–494, October 2011Google Scholar
  16. 16.
    Bandara, A.K., Kakas, A.C., Lupu, E.C., Russo, A.: Using argumentation logic for firewall configuration management. In: Integrated Network Management-Workshops, 2009, IM 2009, pp. 180–187. IEEE Computer Society, June 2009Google Scholar
  17. 17.
    Alfaro, J.G., Boulahia-Cuppens, N., Cuppens, F.: Complete analysis of configuration rules to guarantee reliable network security policies. Int. J. Inf. Secur. 7(2), 103–122 (2008)CrossRefGoogle Scholar
  18. 18.
    Garcia-Alfaro, J., Cuppens, F., Cuppens-Boulahia, N., Preda, S.: MIRAGE: a management tool for the analysis and deployment of network security policies. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cavalli, A., Leneutre, J. (eds.) DPM 2010 and SETOP 2010. LNCS, vol. 6514, pp. 203–215. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  19. 19.
    Thanasegaran, S., Yin, Y., Tateiwa, Y., Katayama, Y., Takahashi, N.: A topological approach to detect conflicts in firewall policies. In: IEEE International Symposium on Parallel & Distributed Processing, IPDPS 2009, pp. 1–7. IEEE Computer Society, May 2009Google Scholar
  20. 20.
    Ferraresi, S., Pesic, S., Trazza, L., Baiocchi, A.: Automatic conflict analysis and resolution of traffic filtering policy for firewall and security gateway. In: International Chamber of Commerce, ICC 2007, pp. 1304–1310. IEEE Computer Society, June 2007Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Cataldo Basile
    • 1
  • Daniele Canavese
    • 1
  • Antonio Lioy
    • 1
  • Fulvio Valenza
    • 1
  1. 1.Dip. di Automatica E InformaticaPolitecnico di TorinoTurinItaly

Personalised recommendations