# Reconciling multiple IPsec and firewall policies

Save this PDF as:

Size: px
Start display at page:

## Transcription

4 yet non-obvious algorithm. An impatient reader may want to take first a look in the example in the appendix. An IPsec policy maps IP packets to actions based on their headers. In this section, the header and action spaces are treated as unstructured sets. The set of all IP headers is denoted by H and the set of all actions by A. Our definition of policy actions differs from existing IPsec implementations in that there can be multiple allowed actions for each packet. Definition 1 (policy) A policy entry is a pair s, a where s H is a selector and a A is the set of actions. A policy is a sequence of policy entries p = e 1, e 2,..., e n = s 1, a 1, s 2, a 2,..., s n, a n where n i=1 s i = H. n is called the length of p. In order to define the refinement and equivalence of policies, we need to define how the policy maps IP packets, based on their headers, to actions. The allowed actions for the packet are determined by the first policy entry that matches the packet header. Definition 2 (matching entry) A policy entry s, a matches a header h H iff h s. Definition 3 (catching entry) Let p = e 1,..., e n be a sequence of policy entries. Let h H be a header. If h matches e i and it does not match any e j with j < i, we say that the ith policy entry in p catches h. Definition 4 (allowed actions) Let p = e 1,..., e n be a sequence of policy entries. If e i = s, a catches h H, we say that the allowed actions for h are Allowed(p, h) = a. If there is no policy entry in p that catches h, then we denote Allowed(p, h) =. Note that, in order to accommodate fragments of policies, the above two definitions refer to a sequence of policy entries rather than full policies. Definition 5 (equivalence) Two policies p and p are equivalent iff Allowed(p, h) = Allowed(p, h) for all h H. Definition 6 (refinement) A policy p refines p iff Allowed(p, h) Allowed(p, h) for all h H. Definition 7 (implementability) A policy is implementable iff Allowed(p, h) for all h H. The following lemma follows directly from the definitions of policy and catching entry. Lemma 8 Given a policy and h H, there is a policy entry that catches h. Lemma 9 Let p = e 1,..., e n be a policy and let p = e 1,..., e i 1, e i+1,..., e n be a sequence of policy entries obtained from p by removing the ith entry. Let h H. If e i does not catch or does not match h in p, then Allowed(p, h) = Allowed(p, h). Proof Let p, p and h be as in the lemma and assume that e i does not catch h in p. By lemma 8 there is some e j that catches h where j i. In both p and p, e j is the first entry that matches h. One can see this by considering both situations where j < i and j > i. If j < i, then it does not matter whether e i matches h or not because it is not the first matching entry anyway. On the other hand, if j > i, then e i cannot match h. In neither case is the first matching entry changed by the removal of e i. Lemma 10 Removing one or more policy entries that that do not catch any headers produces an equivalent policy. Proof A selector that does not catch any headers has no effect on the union of selectors. Thus, the union remains equal to H when some such policy entries are deleted. The equivalence follows directly from lemma 9. RFC 4301 defines the concept of decorrelation. The idea is that if the selectors in the policy are independent of each other, then the order of the policy entries does not matter. Definition 11 (decorrelation) Let p = s 1, a 1, s 2, a 2,..., s n, a n be a policy. p is decorrelated iff s i s j = for all 1 i < j n. We denote by Decor(p) the following function: Decor(p) = s i, a i s i = s i \ i 1 j=1 s j and i = 1... n Decor(p) is the obvious way of converting policies to equivalent decorrelated ones. This is verified by the following lemma. Lemma 12 If p is a policy, Decor(p) is a decorrelated policy. 4

5 Proof Let p = s 1, a 1,..., s n, a n be a policy. We show first that Decor(p) is a policy. n i=1 s i = n i=1 (s i \ i 1 j=1 s j) = n i=1 s i. Since p is a policy this is equal to H and, thus, Decor(p) is a policy. Next, we show that Decor(p) is decorrelated. Consider any s i = s i \ i 1 j=1 s j and s l = s l \ l 1 j=1 s j with i < l. Then, s i s i l 1 j=1 s j, which does not intersect with s l İf p is a decorrelated policy, then Decor(p) = p. We can also prove the following two lemmas to show that the equivalence of policies is preserved by decorrelation and by arbitrary reordering of the policy entries in the decorrelated policy. Theorem 13 Any policy p is equivalent with Decor(p). Proof Let p be a policy and h a header. The actions in the ith entries of p and Decor(p) are the same for any i. Thus, it suffices to show that the same (ith) entry in both policies catches h. If the ith entry in p catches h, it means that h s i and h s j for j = 1... i 1. This is equivalent with h s i \ i 1 j=1 s j, which is the selector of the ith entry in Decor(p). Since Decor(p) is decorrelated, this can happen if and only if the ith entry in Decor(p) catches h. We now define formally the main requirement for reconciliation algorithms, i.e., the fact that the reconciled policy must not violate any of the component policies. Definition 14 (correct reconciliation) Let P be a set of policies and p a policy. p is a correct reconciliation of P iff p refines every p P. The following lemma follows from the definitions of correct reconciliation, refinement and equivalence. Lemma 15 Let P = {p 1,..., p m } and P = {p 1,..., p m} be sets of policies such that p k is equivalent with p k for k = 1... m. If a policy p is a correct reconciliation of P, it is also a correct reconciliation of P. Lemma 16 Let P be a set of policies and p a correct reconciliation of P. If a policy p is equivalent with p, then p is also a correct reconciliation of P. Proof The lemma, too, follows directly from the definitions of correct reconciliation, refinement and equivalence. Probably the most intuitive way of reconciling policies is to decorrelate them first and then take a cross product of the component policies. The number of entries in the reconciled policy is equal to the product of the number of entries in the component policies. The selectors in the reconciled policy are computed as intersections of the component selectors and the actions as intersections of the component actions. Definition 17 (crossproduct set) Let P = {p 1,... p m } be a set of policies where p k = e k 1,..., e k n k = s k 1, a k 1,..., s k n k, a k n k and n k is the length of p k for k = 1... m. Furthermore, denote s (i1,i 2,...,i m) = m k=1 sk i k, a (i1,i 2,...,i m) e (i1,i 2,...,i m) = m k=1 a k i k, and = s (i1,i 2,...,i m), a (i1,i 2,...,i m). We call the set of policy entries E = {e (i1,i 2,...,i m) 1 i k n k for k = 1... m} the crossproduct set of P. Definition 18 (policy crossproduct) Let P be a set of policies. Any policy that is obtained by ordering the crossproduct set of P linearly is a crossproduct of P. Lemma 19 Let P be a set of policies and E its crossproduct set. Any linear ordering of E is a policy. Proof Let P be a set of decorrelated policies and E its crossproduct set. Denote the elements of P and E be as in definition 17. We observe that the following reduction holds: {s (i1,i 2,...,i m) 1 i k n k for k = 1... m} = n1 i 1=1 n2 i 2=1... nm 1 i m 1=1 nm i m=1 ( m k=1s k i k ) = n1 i 1=1 n2 i 2=1... nm 1 i m 1=1 nm i m=1 (( m 1 k=1 sk i k ) s m i m ) = n1 i 1=1 n2 i 2=1... nm 1 i m 1=1 (( m 1 k=1 sk i k ) ( nm i m=1 sm i m )) = n1 i 1=1 n2 i 2=1... nm 1 i m 1=1 (( m 1 k=1 sk i k ) H) = n1 i 1=1 n2 i 2=1... nm 1 i m 1=1 ( m 1 k=1 sk i k ) =... = H The equivalence with H results from repeating the same reduction m times. Lemma 20 Let P be a set of decorrelated policies and E its crossproduct set. Any linear ordering of E is a decorrelated policy. 5

6 Proof Let P be a set of decorrelated policies and E its crossproduct set. Denote the elements of P and E as in definition 17. By lemma 19, a linearization of E is a policy. We need to show that a linearization of E is decorrelated. Assume the contrary, i.e., that for some e (i1,i 2,...,i m) e (j1,j 2,...,j m) E, there exist an h H such that h s (i1,i 2,...,i m) and h s (j1,j 2,...,j m). From the definition of s (i1,i 2,...,i m) it follows that h s k i k and h s k j k for all k = 1... m. Since all p k are decorrelated, it must be the case that i k = j k for all k = 1... m. Thus, e (i1,i 2,...,i m) = e (j1,j 2,...,j m). This contradicts with our assumption, which proves the claim. Theorem 21 Let P be a set of decorrelated policies. Every crossproduct of P is a correct reconciliation of P. Proof Let P be a set of decorrelated policies and E its crossproduct set. Denote the elements of P and E be as in definition 17. Let p be a sequence obtained by ordering linearly the elements of E. From lemma 20, we know that p is a decorrelated policy. It remains to show that p refines all policies in P. Consider an arbitrary p l P and h H. There is a unique policy entry e (i1,i 2,...,i m) = s (i1,i 2,...,i m), a (i1,i 2,...,i m) in p that matches h. s (i1,i 2,...,i m) = m k=1 sk i k s l i l where i l is the index of the unique policy entry in p l that matches h. The allowed actions for h in p l are a l i l. The allowed actions for h in p are a (i1,i 2,...,i m) = m k=1 ak i k a l i l. This shows that, for an arbitrary h, Allowed(p, h) Allowed(p l, h). Thus, p refines p l, which concludes the proof. Theorem 22 The following algorithm computes a correct reconciliation of a set of policies: 1. Decorrelate each input policy by computing Decor(p). 2. Compute a crossproduct of the non-repetitive, decorrelated policies. 3. Remove all policy entries that have empty selectors from the crossproduct. Proof By theorem 21, step 2 computes a correct reconciliation. By lemmas 15 and 16, we can replace policies with equivalent ones before and after the reconciliation step. By theorem 13 and lemma 10, steps 1 and 3 replace policies with equivalent ones. Thus, the algorithm produces a correct reconciliation. Note that step 1, i.e., computing the decorrelated policy is non-trivial because it involves set intersections and minus operations on sets. The resulting selectors may produce selectors that are not simple ranges even if all the selectors in the input were. It is not surprising that the decorrelated policies can be reconciled by taking the cross product of their entries. What is more surprising is that the decorrelation step is, in fact, unnecessary. Instead, it suffices to retain some of the order from the component policies. The advantage of this algorithm is that that intersection is the only set operation required. Definition 23 (crossproduct lattice order) Let P be a set of policies and E its crossproduct set. Denote the elements of P and E as in definition 17. The crossproduct lattice order on E is the partial order on E such that e (i1,i 2,...,i m) e (j1,j 2,...,j m) iff i k j k for all k = 1... m. Definition 24 (ordered crossproduct) Let P be a set of policies. Any policy that is obtained by extending the crossproduct lattice order on E to a linear order is an ordered crossproduct of P. An ordered crossproduct is clearly a crossproduct, only with more restrictions on the order of items. Thus, lemma 19 is sufficient to show that an ordered crossproduct is a policy. It would be possible to further relax the requirements on the order policy entries. The order of two entries is unimportant, for example, if the selectors do not intersect or if the actions are equal. The above definition is, however, sufficient to prove the correctness of the algorithms presented in this paper. Further optimisations may be possible with a more relaxed definition of the ordering. Lemma 25 Let P be a set of policies, E its crossproduct set, and p an ordered crossproduct of P. Denote the elements of P and E as in definition 17. Let h H. If e (j1,j 2,...,j m) catches h in p, then e k j k catches h in p k for all k = 1... m. Proof Let P, E and p be as in the theorem, h H, and e (j1,j 2,...,j m) the policy entry that catches h in p. Denote by the crossproduct lattice order on E. h 6

7 s (j1,j 2,...,j m) = m l=1 al j l a k j k for k = 1... m. Thus, e k j k = s k j k, a k j k matches h in p k for k = 1... m. We need to show that the j k th entry is the first entry that matches h in p k for k = 1... m. Assume the contrary, i.e., for some particular 1 l m, the first entry in p l that matches h is e l i l and i l < j l. Let i k = j k for k l. Now, the condition of definition 23 is fulfilled. Therefore, e (i1,i 2,...,i m) e (j1,j 2,...,j m). Moreover, h s k i k for k = 1... m, which implies h m l=1 sl i l = s (i1,i 2,...,i m), i.e., that s (i1,i 2,...,i m) matches h. But if that is the case, then s (j1,j 2,...,j m) is not the first matching entry for h in p, which contradicts with the fact that e (j1,j 2,...,j m) catches h. Since our assumption lead to this contradiction, it must be false and the j k th entry must be the first one that matches h in each p k for k = 1... m. This implies the lemma. Theorem 26 Let P be a set of policies and p an ordered crossproduct of P. p is a correct reconciliation of P. Proof Let P be a set of policies, E its crossproduct set, and p an ordered crossproduct of P. Denote the elements of P and E as in definition 17. We need to show that p refines p k P for k = 1... m. Consider arbitrary 1 k m and h H. By lemma 8, there is some e (j1,j 2,...,j m) that catches h in p. By lemma 25, e k j k catches h in p k. a (j1,j 2,...,j m) = m l=1 al j l a k j k, i.e., Allowed(p, h) Allowed(p k, h). Since this is true for an arbitrary k and h, p refines p k for all k = 1... m, which implies that p is a correct reconciliation of P. A policy set may have correct reconciliations that are not an ordered crossproducts. They may be either more restrictive policies (e.g., a trivial policy that maps all headers to an empty action set), or equivalent policies with different order or granularity of entries. The following theorem proves that the ordered crossproduct is, in this sense, the most general reconciliation. Theorem 27 Let P be a set of policies and p an ordered crossproduct of P. Every correct reconciliation of P refines p. Proof Let P be a set of policies, E its crossproduct set, and p an ordered crossproduct of P. Denote the elements of P and E as in definition 17. Consider any h H. By construction of p, Allowed(p, h) = m k=1 ak i k. This is equal Reconcile(in p1, in p2, out p) OrderedCrossproduct(p1, p2, p); RemoveEmpty(p); OrderedCrossproduct(in p1, in p2, out p) p = ; for (e1 p1) for (e2 p2) p.append( e1.selector e2.selector, e1.action e2.action ); RemoveEmpty(in/out p) for (i = e1.length downto 1) if (e1.entry(i).selector == ) e1.delete(i); Figure 1: Pseudocode for reconciling two policies to m k=1 Allowed(p k, h), by lemma 25, or, equivalently, p P Allowed(p, h). Now suppose some policy q is a correct reconciliation of P, that is, for all p P, Allowed(q, h) Allowed(p, h). Therefore, Allowed(q, h) p P Allowed(p, h) = Allowed(p, h), as required. Theorem 28 The following algorithm computes a correct reconciliation of a set of policies: 1. Compute an ordered cross-product of the input policies. 2. Remove all policy entries that have empty selectors from the crossproduct. Proof By theorem 26, step 2 computes a correct reconciliation. By lemma 16, we can replace the policy with an equivalent one after the reconciliation step. By lemma 10, step 2 replaces policies with equivalent ones. Thus, the algorithm produces a correct reconciliation. 7 Reconciliation algorithm Theorem 22 gives an intuitive algorithm for reconciling a set of IPsec policies. The policy entries are decorrelated before the reconciliation step. The problem with this algorithm is that the selectors in most IPsec policies and implementations are simple multi-dimensional ranges (e.g. address ranges or port ranges or both). Decorrelation, however, requires one to compute set union and 7

10 where decision trees are used to identify and remove shadowing and collected entries in firewall policies. In is important to note, however, that the algorithms described in this paper do not need to be implemented very efficiently because they are executed during policy configuration and not when processing each IP packet. The selectors in the final policy are still simple ranges if the selectors in the input policies are. Only the intermediate computation requires handling of complex sets of selectors. 10 Conclusion In this paper, we presented an algorithm for reconciling two or more IPsec policies. The algorithm produces short and efficient policies without decorrelating the component policies first. Since the correctness of the algorithm is not obvious, we gave a formal definition of correct reconciliation and proved that the algorithm meets it. We also showed how to remove redundant entries from the policy and proved that it remains a correct reconciliation. The results can be used to implement composition of multiple IPsec and firewall policies. We expect it to be much easier for the administrators and users to specify independent component policies, which are automatically compiled into one policy, than to manually configure one monolithic policy for each device. References [1] K. J. Arrow. Social Choice and Individual Values. Yale University Press, [2] J. D. Guttman and A. L. Herzog. Rigorous automated network security management. International Journal of Information Security, To appear. [3] H. H. Hamed, E. S. Al-Shaer, and W. Marrero. Modeling and verification of IPSec and VPN security policies. In 13th IEEE International Conference on Network Protocols (ICNP 2005), pages , [4] D. B. Johnson, C. Perkins, and J. Arkko. Mobility support in IPv6. RFC 3775, IETF Mobile IP Working Group, June [5] S. Kent and K. Seo. Security architecture for the Internet Protocol. RFC 4301, IETF, Dec [6] A. X. Liu and M. G. Gouda. Complete redundancy detection in firewalls. In Proceedings of 19th Annual IFIP Conference on Data and Applications Security, LNCS 3654, pages , Storrs, CT USA, Aug Springer. Reconcile2(in p1, in p2, out p, out conflicts) OrderedCrossproduct(p1, p2, p); RemoveEmpty(p); SelectUniqueActions(p); // Not defined here Decorrelate(p, d); CheckConflicts(p, conflicts); RemoveShadowed(p, d); RemoveCollected(p, d); Decorrelate(in p, out d) d = ; union = ; for (i = 1 to p.length) e = p.entry(i); d.append( e.selector \ u, e.action ); union = union e.selector; CheckConflicts(in d, out conflicts) conflicts = ; for (e d) if (e.action == ) conflicts = conflicts e.selector; RemoveShadowed(in/out p, in/out d) for (i = p.length downto 1) if (d.entry(i).selector == ) p.delete(i); d.delete(i); RemoveCollected(in/out p, in/out d) aset = ; for (e p) aset = aset { e.action }; for (a aset) RemoveCollectedForAction(p, d, a) RemoveCollectedForAction(in/out p, in/out d, in a) for (i = p.length downto 1) e = p.entry(i); if (e.action == a) if (d.entry(i).selector c) p.delete(i); d.delete(i); else collect = collect e.selector; else collect = collect e.selector; Figure 2: Removing shadowed and collected entries 10

### Firewall Verification and Redundancy Checking are Equivalent

Firewall Verification and Redundancy Checking are Equivalent H. B. Acharya University of Texas at Austin acharya@cs.utexas.edu M. G. Gouda National Science Foundation University of Texas at Austin mgouda@nsf.gov

### Design and Implementation of Firewall Policy Advisor Tools

Design and Implementation of Firewall Policy Advisor Tools Ehab S. Al-Shaer and Hazem H. Hamed Multimedia Networking Research Laboratory School of Computer Science, Telecommunications and Information Systems

### Determination of the normalization level of database schemas through equivalence classes of attributes

Computer Science Journal of Moldova, vol.17, no.2(50), 2009 Determination of the normalization level of database schemas through equivalence classes of attributes Cotelea Vitalie Abstract In this paper,

### IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region

IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express

### Protocol Security Where?

IPsec: AH and ESP 1 Protocol Security Where? Application layer: (+) easy access to user credentials, extend without waiting for OS vendor, understand data; (-) design again and again; e.g., PGP, ssh, Kerberos

### CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

CSCI 454/554 Computer and Network Security Topic 8.1 IPsec Outline IPsec Objectives IPsec architecture & concepts IPsec authentication header IPsec encapsulating security payload 2 IPsec Objectives Why

### MAT2400 Analysis I. A brief introduction to proofs, sets, and functions

MAT2400 Analysis I A brief introduction to proofs, sets, and functions In Analysis I there is a lot of manipulations with sets and functions. It is probably also the first course where you have to take

### Implementing and Managing Security for Network Communications

3 Implementing and Managing Security for Network Communications............................................... Terms you ll need to understand: Internet Protocol Security (IPSec) Authentication Authentication

### Factoring & Primality

Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

### Chapter 4 Virtual Private Networking

Chapter 4 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between

### A Model of Stateful Firewalls and its Properties

A Model of Stateful Firewalls and its Properties Mohamed G. Gouda and Alex X. Liu 1 Department of Computer Sciences, The University of Texas at Austin, Austin, Texas 78712-1188, U.S.A. Email: {gouda, alex}@cs.utexas.edu

### Solutions to In-Class Problems Week 4, Mon.

Massachusetts Institute of Technology 6.042J/18.062J, Fall 05: Mathematics for Computer Science September 26 Prof. Albert R. Meyer and Prof. Ronitt Rubinfeld revised September 26, 2005, 1050 minutes Solutions

### 13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) PPP-based remote access using dial-in PPP encryption control protocol (ECP) PPP extensible authentication protocol (EAP) 13.2 Layer 2/3/4

### Discovery of Policy Anomalies in Distributed Firewalls

Discovery of Policy Anomalies in Distributed Firewalls Ehab S. Al-Shaer and Hazem H. Hamed Multimedia Networking Research Laboratory School of Computer Science, Telecommunications and Information Systems

### Testing LTL Formula Translation into Büchi Automata

Testing LTL Formula Translation into Büchi Automata Heikki Tauriainen and Keijo Heljanko Helsinki University of Technology, Laboratory for Theoretical Computer Science, P. O. Box 5400, FIN-02015 HUT, Finland

### Virtual Private Networks: IPSec vs. SSL

Virtual Private Networks: IPSec vs. SSL IPSec SSL Michael Daye Jr. Instructor: Dr. Lunsford ICTN 4040-001 April 16 th 2007 Virtual Private Networks: IPSec vs. SSL In today s society organizations and companies

### CHAPTER 7 GENERAL PROOF SYSTEMS

CHAPTER 7 GENERAL PROOF SYSTEMS 1 Introduction Proof systems are built to prove statements. They can be thought as an inference machine with special statements, called provable statements, or sometimes

### On the Hardness of Topology Inference

On the Hardness of Topology Inference H. B. Acharya 1 and M. G. Gouda 2 1 The University of Texas at Austin, USA acharya@cs.utexas.edu 2 The National Science Foundation, USA mgouda@nsf.gov Abstract. Many

### Methods for Firewall Policy Detection and Prevention

Methods for Firewall Policy Detection and Prevention Hemkumar D Asst Professor Dept. of Computer science and Engineering Sharda University, Greater Noida NCR Mohit Chugh B.tech (Information Technology)

### Efficiently Managing Firewall Conflicting Policies

Efficiently Managing Firewall Conflicting Policies 1 K.Raghavendra swamy, 2 B.Prashant 1 Final M Tech Student, 2 Associate professor, Dept of Computer Science and Engineering 12, Eluru College of Engineeering

### Verification of Computing Policies and Other Hard Problems

Verification of Computing Policies and Other Hard Problems Mohamed G Gouda University of Texas at Austin gouda@cs.utexas.edu Presentation at METIS-2014 1 Computing Policy A computing policy is a formalism

### POWER SETS AND RELATIONS

POWER SETS AND RELATIONS L. MARIZZA A. BAILEY 1. The Power Set Now that we have defined sets as best we can, we can consider a sets of sets. If we were to assume nothing, except the existence of the empty

### Comparing and debugging firewall rule tables

Comparing and debugging firewall rule tables L. Lu, R. Safavi-Naini, J. Horton and W. Susilo Abstract: Firewalls are one of the essential components of secure networks. However, configuring firewall rule

### CS 356 Lecture 27 Internet Security Protocols. Spring 2013

CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

### Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress

Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress Alan Davy and Lei Shi Telecommunication Software&Systems Group, Waterford Institute of Technology, Ireland adavy,lshi@tssg.org

### KNOWLEDGE FACTORING USING NORMALIZATION THEORY

KNOWLEDGE FACTORING USING NORMALIZATION THEORY J. VANTHIENEN M. SNOECK Katholieke Universiteit Leuven Department of Applied Economic Sciences Dekenstraat 2, 3000 Leuven (Belgium) tel. (+32) 16 28 58 09

### Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300 This example explains how to configure pre-shared key based simple IPSec tunnel between NetScreen Remote Client and RN300 VPN Gateway.

### Chapter 5 Virtual Private Networking Using IPsec

Chapter 5 Virtual Private Networking Using IPsec This chapter describes how to use the IPsec virtual private networking (VPN) features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to provide

### Lecture 2: Universality

CS 710: Complexity Theory 1/21/2010 Lecture 2: Universality Instructor: Dieter van Melkebeek Scribe: Tyson Williams In this lecture, we introduce the notion of a universal machine, develop efficient universal

### Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### 7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

### Secure Networking Using Mobile IP

Secure Networking Using Mobile IP Alexandros Karakos and Konstantinos Siozios Democritus University of Thrace eepartment of Electrical and Computer Engineering GR-671 00 Xanthi, GREECE Abstract. The increasing

### Conflict Classification and Analysis of Distributed Firewall Policies

Conflict Classification and Analysis of Distributed Firewall Policies 1 Ehab Al-Shaer and Hazem Hamed School of Computer Science DePaul University, Chicago, USA Email: {ehab, hhamed}@cs.depaul.edu Raouf

### Supporting Document Mandatory Technical Document. Evaluation Activities for Stateful Traffic Filter Firewalls cpp. February-2015. Version 1.

Supporting Document Mandatory Technical Document Evaluation Activities for Stateful Traffic Filter Firewalls cpp February-2015 Version 1.0 CCDB-2015-01-002 Foreword This is a supporting document, intended

### Firewall Design: Consistency, Completeness, Compactness

Firewall Design: Consistency, Completeness, Compactness Alex X. Liu alex@cs.utexas.edu Department of Computer Sciences The University of Texas at Austin Austin, Texas 78712-1188, U.S.A. March, 2004 Co-author:

### Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering

Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch

### Unified Language for Network Security Policy Implementation

Unified Language for Network Security Policy Implementation Dmitry Chernyavskiy Information Security Faculty National Research Nuclear University MEPhI Moscow, Russia milnat2004@yahoo.co.uk Natalia Miloslavskaya

### APNIC elearning: IPSec Basics. Contact: training@apnic.net. esec03_v1.0

APNIC elearning: IPSec Basics Contact: training@apnic.net esec03_v1.0 Overview Virtual Private Networks What is IPsec? Benefits of IPsec Tunnel and Transport Mode IPsec Architecture Security Associations

### American Scientific Research Journal for Engineering, Technology, and Sciences (ASRJETS)

American Scientific Research Journal for Engineering, Technology, and Sciences (ASRJETS) (Print & Online) ---------------------------------------------------------------------------------------------------------------------------

### Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection

### Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### Complete Redundancy Detection in Firewalls

Complete Redundancy Detection in Firewalls Alex X. Liu and Mohamed G. Gouda Department of Computer Sciences, The University of Texas at Austin, Austin, Texas 78712-0233, USA {alex, gouda}@cs.utexas.edu

### VPN. Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu

VPN Date: 4/15/2004 By: Heena Patel Email:hpatel4@stevens-tech.edu What is VPN? A VPN (virtual private network) is a private data network that uses public telecommunicating infrastructure (Internet), maintaining

### Information Security Basic Concepts

Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

### Chapter 10. Network Security

Chapter 10 Network Security 10.1. Chapter 10: Outline 10.1 INTRODUCTION 10.2 CONFIDENTIALITY 10.3 OTHER ASPECTS OF SECURITY 10.4 INTERNET SECURITY 10.5 FIREWALLS 10.2 Chapter 10: Objective We introduce

### International Journal of Scientific & Engineering Research, Volume 4, Issue 8, August-2013 1300 ISSN 2229-5518

International Journal of Scientific & Engineering Research, Volume 4, Issue 8, August-2013 1300 Efficient Packet Filtering for Stateful Firewall using the Geometric Efficient Matching Algorithm. Shriya.A.

### Relations Graphical View

Relations Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Introduction Recall that a relation between elements of two sets is a subset of their Cartesian product (of ordered pairs). A binary

### IPsec Details 1 / 43. IPsec Details

Header (AH) AH Layout Other AH Fields Mutable Parts of the IP Header What is an SPI? What s an SA? Encapsulating Security Payload (ESP) ESP Layout Padding Using ESP IPsec and Firewalls IPsec and the DNS

### 4. Number Theory (Part 2)

4. Number Theory (Part 2) Terence Sim Mathematics is the queen of the sciences and number theory is the queen of mathematics. Reading Sections 4.8, 5.2 5.4 of Epp. Carl Friedrich Gauss, 1777 1855 4.3.

### Redundancy Removing Protocol to Minimize the Firewall Policies in Cross Domain

Redundancy Removing Protocol to Minimize the Firewall Policies in Cross Domain Kamarasa V D S Santhosh M.Tech Student, Department of ComputerScience & Engineering, School of Technology, Gitam University,

### Securing EtherNet/IP Using DPI Firewall Technology

Securing EtherNet/IP Using DPI Firewall Technology www.odva.org Technical Track About Us Erik Schweigert Leads device firmware development at Tofino Security BSc in Computer Science from VIU Michael Thomas

### Mathematics for Computer Science/Software Engineering. Notes for the course MSM1F3 Dr. R. A. Wilson

Mathematics for Computer Science/Software Engineering Notes for the course MSM1F3 Dr. R. A. Wilson October 1996 Chapter 1 Logic Lecture no. 1. We introduce the concept of a proposition, which is a statement

### II. BASICS OF PACKET FILTERING

Use of Formal models for the Firewall Policy Optimization ShatanandPatil* and B. B. Meshram** *(Department of Computer Technology, Veermata Jijabai Technical Institute, Mumbai 19) *(Department of Computer

### Dr. Arjan Durresi. Baton Rouge, LA 70810 Durresi@csc.LSU.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc4601_07/

Set of Problems 2 Dr. Arjan Durresi Louisiana State University Baton Rouge, LA 70810 Durresi@csc.LSU.Edu These slides are available at: http://www.csc.lsu.edu/~durresi/csc4601_07/ Louisiana State University

### Virtual Private Networks (VPN) Connectivity and Management Policy

Connectivity and Management Policy VPN Policy for Connectivity into the State of Idaho s Wide Area Network (WAN) 02 September 2005, v1.9 (Previous revision: 14 December, v1.8) Applicability: All VPN connections

### Computer Networks. Secure Systems

Computer Networks Secure Systems Summary Common Secure Protocols SSH HTTPS (SSL/TSL) IPSec Wireless Security WPA2 PSK vs EAP Firewalls Discussion Secure Shell (SSH) A protocol to allow secure login to

### First Step Towards Automatic Correction of Firewall Policy Faults

First Step Towards Automatic Correction of Firewall Policy Faults Fei Chen Alex X. Liu Computer Science and Engineering Michigan State University JeeHyun Hwang Tao Xie Computer Science North Carolina State

### Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Network Security [2] Public Key Encryption Also used in message authentication & key distribution Based on mathematical algorithms, not only on operations over bit patterns (as conventional) => much overhead

### INF3510 Information Security University of Oslo Spring 2011. Lecture 9 Communication Security. Audun Jøsang

INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture

### 21.4 Network Address Translation (NAT) 21.4.1 NAT concept

21.4 Network Address Translation (NAT) This section explains Network Address Translation (NAT). NAT is also known as IP masquerading. It provides a mapping between internal IP addresses and officially

### Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications

Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications Sayantan Das Prasenjit Basu Ansuman Banerjee Pallab Dasgupta P.P. Chakrabarti Department of Computer Science & Engineering

### Project 2: Firewall Design (Phase I)

Project 2: Firewall Design (Phase I) CS 161 - Joseph/Tygar November 12, 2006 1 Edits If we need to make clarifications or corrections to this document after distributing it, we will post a new version

### Firewall Policy Anomalies- Detection and Resolution

Firewall Policy Anomalies- Detection and Resolution Jitha C K #1, Sreekesh Namboodiri *2 #1 MTech student(cse),mes College of Engineering,Kuttippuram,India #2 Assistant Professor(CSE),MES College of Engineering,Kuttippuram,India

### Chapter 3. Network Domain Security

Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter

### Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

### Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

### An Experimental Study of Cross-Layer Security Protocols in Public Access Wireless Networks

An Experimental Study of Cross-Layer Security Protocols in Public Access Wireless Networks Avesh K. Agarwal Wenye Wang Department of Electrical and Computer Engineering North Carolina State University,

### Internet Protocol Security IPSec

Internet Protocol Security IPSec Summer Semester 2011 Integrated Communication Systems Group Ilmenau University of Technology Outline Introduction Authentication Header (AH) Encapsulating Security Payload

### Firewalls, Tunnels, and Network Intrusion Detection. Firewalls

Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

### Wireless ATA: A New Data Transport Protocol for Wireless Storage

Wireless ATA: A New Data Transport Protocol for Wireless Storage Serdar Ozler and Ibrahim Korpeoglu Department of Computer Engineering, Bilkent University, 06800 Bilkent, Ankara, Turkey {ozler, korpe}@cs.bilkent.edu.tr

### VPN Lesson 2: VPN Implementation. Summary

VPN Lesson 2: VPN Implementation Summary 1 Notations VPN client (ok) Firewall Router VPN firewall VPN router VPN server VPN concentrator 2 Basic Questions 1. VPN implementation options for remote users

### CMPT 471 Networking II

CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

### Firewalls (IPTABLES)

Firewalls (IPTABLES) Objectives Understand the technical essentials of firewalls. Realize the limitations and capabilities of firewalls. To be familiar with iptables firewall. Introduction: In the context

### Prime Numbers. Chapter Primes and Composites

Chapter 2 Prime Numbers The term factoring or factorization refers to the process of expressing an integer as the product of two or more integers in a nontrivial way, e.g., 42 = 6 7. Prime numbers are

### The next generation of knowledge and expertise Wireless Security Basics

The next generation of knowledge and expertise Wireless Security Basics HTA Technology Security Consulting., 30 S. Wacker Dr, 22 nd Floor, Chicago, IL 60606, 708-862-6348 (voice), 708-868-2404 (fax), www.hta-inc.com

### Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

BlackBerry Enterprise Service 10 BlackBerry Device Service Solution Version: 10.2 Security Technical Overview Published: 2014-09-10 SWD-20140908123239883 Contents 1 About BlackBerry Device Service solution

### Firewall Troubleshooting

Firewall Troubleshooting (Checkpoint Specific) For typical connectivity issues where a firewall is in question follow these steps to eliminate any issues relating to the firewall. Firewall 1. From the

### Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Module 8 Network Security Lesson 3 Firewalls Specific Instructional Objectives On completion of this lesson, the students will be able to answer: What a firewall is? What are the design goals of Firewalls

### NP-Completeness and Cook s Theorem

NP-Completeness and Cook s Theorem Lecture notes for COM3412 Logic and Computation 15th January 2002 1 NP decision problems The decision problem D L for a formal language L Σ is the computational task:

### Math 317 HW #7 Solutions

Math 17 HW #7 Solutions 1. Exercise..5. Decide which of the following sets are compact. For those that are not compact, show how Definition..1 breaks down. In other words, give an example of a sequence

### CSCI 7000-001 Firewalls and Packet Filtering

CSCI 7000-001 Firewalls and Packet Filtering November 1, 2001 Firewalls are the wrong approach. They don t solve the general problem, and they make it very difficult or impossible to do many things. On

### Basic ViPNet VPN Deployment Schemes. Supplement to ViPNet Documentation

Basic ViPNet VPN Deployment Schemes Supplement to ViPNet Documentation 1991 2015 Infotecs Americas. All rights reserved. Version: 00121-04 90 01 ENU This document is included in the software distribution

### CSE 135: Introduction to Theory of Computation Decidability and Recognizability

CSE 135: Introduction to Theory of Computation Decidability and Recognizability Sungjin Im University of California, Merced 04-28, 30-2014 High-Level Descriptions of Computation Instead of giving a Turing

### We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,

### 3-6 Toward Realizing Privacy-Preserving IP-Traceback

3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems

### CS 4803 Computer and Network Security

Network layers CS 4803 Computer and Network Security Application Transport Network Lower level Alexandra (Sasha) Boldyreva IPsec 1 2 Roughly Application layer: the communicating processes themselves and

### THE BCS PROFESSIONAL EXAMINATIONS BCS Level 6 Professional Graduate Diploma in IT. April 2009 EXAMINERS' REPORT. Network Information Systems

THE BCS PROFESSIONAL EXAMINATIONS BCS Level 6 Professional Graduate Diploma in IT April 2009 EXAMINERS' REPORT Network Information Systems General Comments Last year examiners report a good pass rate with

### 12. Firewalls Content

Content 1 / 17 12.1 Definition 12.2 Packet Filtering & Proxy Servers 12.3 Architectures - Dual-Homed Host Firewall 12.4 Architectures - Screened Host Firewall 12.5 Architectures - Screened Subnet Firewall

### 1. R In this and the next section we are going to study the properties of sequences of real numbers.

+a 1. R In this and the next section we are going to study the properties of sequences of real numbers. Definition 1.1. (Sequence) A sequence is a function with domain N. Example 1.2. A sequence of real

### Chapter 7 Transport-Level Security

Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell

### A Formalization of the Turing Test Evgeny Chutchev

A Formalization of the Turing Test Evgeny Chutchev 1. Introduction The Turing test was described by A. Turing in his paper [4] as follows: An interrogator questions both Turing machine and second participant

### Enterprise Security Management CheckPoint SecuRemote VPN v4.0 for pcanywhere

Enterprise Security Management CheckPoint SecuRemote VPN v4.0 for pcanywhere White Paper 7KH#&KDOOHQJH Virtual Private Networks (VPNs) provides a powerful means of protecting the privacy and integrity

### Client Server Registration Protocol

Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

### Fig. 4.2.1: Packet Filtering

4.2 Types of Firewalls /DKo98/ FIREWALL CHARACTERISTICS 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the