• DocumentCode
    868700
  • Title

    Taxonomy of conflicts in network security policies

  • Author

    Hamed, Hazem ; Al-Shaer, Ehab

  • Author_Institution
    DePaul Univ., Chicago, IL, USA
  • Volume
    44
  • Issue
    3
  • fYear
    2006
  • fDate
    3/1/2006 12:00:00 AM
  • Firstpage
    134
  • Lastpage
    141
  • Abstract
    Network security policies are essential elements in Internet security devices that provide traffic filtering, integrity, confidentiality, and authentication. Network security perimeter devices such as firewalls, IPSec, and IDS/IPS devices operate based on locally configured policies. However, configuring network security policies remains a complex and error-prone task due to rule dependency semantics and the interaction between policies in the network. This complexity is likely to increase as the network size increases. A successful deployment of a network security system requires global analysis of policy configurations of all network security devices in order to avoid policy conflicts and inconsistency. Policy conflicts may cause serious security breaches and network vulnerability such as blocking legitimate traffic, permitting unwanted traffic, and insecure data transmission. This article presents a comprehensive classification of security policy conflicts that might potentially exist in a single security device (intrapolicy conflicts) or between different network devices (interpolicy conflicts) in enterprise networks. We also show the high probability of creating such conflicts even by expert system administrators and network practitioners.
  • Keywords
    Internet; business communication; telecommunication security; Internet security; enterprise networks; interpolicy conflicts; intrapolicy conflicts; network security policies; security policy conflicts; Authentication; Data communication; Data security; Expert systems; IP networks; Information filtering; Information filters; Intrusion detection; Taxonomy; Telecommunication traffic;
  • fLanguage
    English
  • Journal_Title
    Communications Magazine, IEEE
  • Publisher
    ieee
  • ISSN
    0163-6804
  • Type

    jour

  • DOI
    10.1109/MCOM.2006.1607877
  • Filename
    1607877