TY - GEN
T1 - Managing network security policies
T2 - 2005 9th IFIP/IEEE International Symposium on Integrated Network Management, IM 2005
AU - Al-Shaer, Ehab
PY - 2005
Y1 - 2005
N2 - The importance of network security has increased significantly in the past few years. However, the growing complexity of managing security policies, particularly in enterprise networks, poses a real challenge for efficient security solutions. Network security perimeter devices such as firewalls, IPSec gateways, and intrusion detection and prevention systems operate on locally configured policies. Yet these policies are not necessarily autonomous: they may interact with each other to form a global network security policy. In practice, security policies are configured not only manually and in an ad hoc manner, but also in isolation from each other because of different administrative roles or personnel. As a result, rule conflicts and policy inconsistencies are very likely to exist, leading to serious security breaches and network vulnerabilities. In addition, enterprise networks continuously grow in size and complexity, which makes policy modification, inspection and evaluation a nightmare. Addressing these issues is a key requirement for obtaining provable security and seamless policy configuration. In this tutorial, we present techniques for developing automated management tools for security policies, particularly firewall and IPSec/VPN policies. The tutorial presents a comprehensive classification of policy anomalies or conflicts within a single device and across multiple devices. Special focus is given to modeling and verification of filtering-based security policies. The tutorial also covers techniques and tools used to automatically discover and rectify policy anomalies in centralized and distributed security devices such as firewalls and IPSec gateways. Special topics discussed in this tutorial include firewall and IPSec architectures, classification of intra- and inter-policy conflicts in firewall and IPSec policies, policy modeling and verification, conflict discovery and resolution in security policies, and automated policy management and optimization.
AB - The importance of network security has increased significantly in the past few years. However, the growing complexity of managing security policies, particularly in enterprise networks, poses a real challenge for efficient security solutions. Network security perimeter devices such as firewalls, IPSec gateways, and intrusion detection and prevention systems operate on locally configured policies. Yet these policies are not necessarily autonomous: they may interact with each other to form a global network security policy. In practice, security policies are configured not only manually and in an ad hoc manner, but also in isolation from each other because of different administrative roles or personnel. As a result, rule conflicts and policy inconsistencies are very likely to exist, leading to serious security breaches and network vulnerabilities. In addition, enterprise networks continuously grow in size and complexity, which makes policy modification, inspection and evaluation a nightmare. Addressing these issues is a key requirement for obtaining provable security and seamless policy configuration. In this tutorial, we present techniques for developing automated management tools for security policies, particularly firewall and IPSec/VPN policies. The tutorial presents a comprehensive classification of policy anomalies or conflicts within a single device and across multiple devices. Special focus is given to modeling and verification of filtering-based security policies. The tutorial also covers techniques and tools used to automatically discover and rectify policy anomalies in centralized and distributed security devices such as firewalls and IPSec gateways. Special topics discussed in this tutorial include firewall and IPSec architectures, classification of intra- and inter-policy conflicts in firewall and IPSec policies, policy modeling and verification, conflict discovery and resolution in security policies, and automated policy management and optimization.
UR - https://www.scopus.com/pages/publications/33744472775
U2 - 10.1109/INM.2005.1440862
DO - 10.1109/INM.2005.1440862
M3 - Conference contribution
AN - SCOPUS:33744472775
SN - 0780390873
SN - 9780780390874
T3 - 2005 9th IFIP/IEEE International Symposium on Integrated Network Management, IM 2005
SP - 787
BT - 2005 9th IFIP/IEEE International Symposium on Integrated Network Management, IM 2005
Y2 - 15 May 2005 through 19 May 2005
ER -
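The abstract above describes classifying intra-policy conflicts in a firewall and discovering them automatically. The following is an added example, not code from the tutorial or from the author: a pairwise anomaly detector over an ordered, first-match policy of 5-tuple filtering rules. It uses the four anomaly classes from Al-Shaer and Hamed's earlier firewall anomaly work (shadowing, generalization, correlation, redundancy); the tutorial's own tooling is not reproduced here. The sample policy, rule names R1 to R11 and the helper names are constructed for illustration.

```python
"""Intra-firewall policy anomaly discovery (added example, not the tutorial's code).

A rule is a 5-tuple filter plus an action; the policy is evaluated first-match
in list order. Two rules are compared field by field: x is a subset of y when
every field of x lies inside the corresponding field of y, and they overlap when
every field pair intersects. The anomaly classes follow Al-Shaer and Hamed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Tuple

ANY_NET = "0.0.0.0/0"
ANY_PORTS = (0, 65535)          # inclusive port range


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str                  # "tcp", "udp" or "any"
    src: IPv4Network
    sport: Tuple[int, int]
    dst: IPv4Network
    dport: Tuple[int, int]
    action: str                 # "accept" or "deny"


def rule(name, proto, src, sport, dst, dport, action) -> Rule:
    """Constructor so the sample policy reads like a rule table."""
    return Rule(name, proto, ip_network(src), sport, ip_network(dst), dport, action)


# Per-field containment and overlap tests.
def _proto_sub(a, b): return b == "any" or a == b
def _proto_ov(a, b):  return a == b or "any" in (a, b)
def _port_sub(a, b):  return b[0] <= a[0] and a[1] <= b[1]
def _port_ov(a, b):   return a[0] <= b[1] and b[0] <= a[1]


def is_subset(x: Rule, y: Rule) -> bool:
    """True when every packet matched by x is also matched by y."""
    return (_proto_sub(x.proto, y.proto) and x.src.subnet_of(y.src)
            and _port_sub(x.sport, y.sport) and x.dst.subnet_of(y.dst)
            and _port_sub(x.dport, y.dport))


def overlaps(x: Rule, y: Rule) -> bool:
    """True when some packet is matched by both x and y."""
    return (_proto_ov(x.proto, y.proto) and x.src.overlaps(y.src)
            and _port_ov(x.sport, y.sport) and x.dst.overlaps(y.dst)
            and _port_ov(x.dport, y.dport))


def find_anomalies(policy: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (kind, earlier_rule, later_rule) for every anomalous pair.

    For a pair (rx, ry) with rx earlier in the policy:
      shadowing      ry is a subset of rx, actions differ: ry never fires (error)
      redundancy     ry is a subset of rx, same action: ry can be dropped; or
                     rx is a subset of ry, same action, and no rule between them
                     overlaps rx with a different action: rx can be dropped
      generalization rx is a subset of ry, actions differ: rx is an exception
                     carved out of the broader ry (usually intended, but flagged)
      correlation    rx and ry intersect, neither contains the other, and the
                     actions differ: rule order silently decides the overlap
    """
    out = []
    for i, rx in enumerate(policy):
        for j in range(i + 1, len(policy)):
            ry = policy[j]
            if not overlaps(rx, ry):
                continue
            if is_subset(ry, rx):
                kind = "shadowing" if rx.action != ry.action else "redundancy"
                out.append((kind, rx.name, ry.name))
            elif is_subset(rx, ry):
                if rx.action != ry.action:
                    out.append(("generalization", rx.name, ry.name))
                elif not any(overlaps(rx, policy[k]) and policy[k].action != rx.action
                             for k in range(i + 1, j)):
                    out.append(("redundancy", rx.name, ry.name))
            elif rx.action != ry.action:
                out.append(("correlation", rx.name, ry.name))
    return out


# Constructed sample policy (not from the tutorial). Addresses are illustrative.
SAMPLE_POLICY = [
    rule("R1", "tcp", "140.192.37.20/32", ANY_PORTS, ANY_NET, (80, 80), "deny"),
    rule("R2", "tcp", "140.192.37.0/24", ANY_PORTS, ANY_NET, (80, 80), "accept"),
    rule("R3", "tcp", ANY_NET, ANY_PORTS, "161.120.33.40/32", (80, 80), "accept"),
    rule("R4", "tcp", "140.192.37.0/24", ANY_PORTS, "161.120.33.40/32", (80, 80), "deny"),
    rule("R5", "udp", "140.192.37.0/24", ANY_PORTS, "161.120.33.0/24", (53, 53), "accept"),
    rule("R6", "udp", "140.192.37.0/24", ANY_PORTS, "161.120.33.40/32", (53, 53), "accept"),
    rule("R7", "udp", "140.192.38.5/32", ANY_PORTS, "10.0.0.0/8", (53, 53), "accept"),
    rule("R8", "udp", "140.192.38.0/24", ANY_PORTS, "10.0.0.0/8", (53, 53), "accept"),
    # R9 is inside R11 with the same action, but R10 in between denies part of
    # R9's traffic, so R9 is NOT redundant: removing it would change behaviour.
    rule("R9", "udp", "10.1.5.0/24", ANY_PORTS, "192.168.5.0/24", (514, 514), "accept"),
    rule("R10", "udp", "10.1.0.0/16", ANY_PORTS, "192.168.5.0/24", (514, 514), "deny"),
    rule("R11", "udp", "10.1.0.0/16", ANY_PORTS, "192.168.0.0/16", (514, 514), "accept"),
]

if __name__ == "__main__":
    for kind, earlier, later in find_anomalies(SAMPLE_POLICY):
        print(f"{kind:14s} {earlier} -> {later}")
```

Shadowing is the finding to treat as a bug (R4 can never deny anything because R2 and R3 accept its traffic first); redundancy is cleanup; generalization and correlation are warnings that the order of two rules, not their contents, decides what happens to the overlapping traffic. The intermediate-rule check in the redundancy branch is the detail that a naive pairwise comparison gets wrong, as the R9/R10/R11 case shows.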