• Discuss an organization’s need for physical security. What methods, approaches, and models can be used by organizations when designing physical security needs? Lastly, explain how these security measures will safeguard the organization.
• Please make your initial post and two response posts substantive. A substantive post will do at least TWO of the following:
• Ask an interesting, thoughtful question pertaining to the topic
• Answer a question (in detail) posted by another student or the instructor
• Provide extensive additional information on the topic
• Explain, define, or analyze the topic in detail
• Share an applicable personal experience
• Provide an outside source (for example, an article from the UC Library) that applies to the topic, along with additional information about the topic or the source (please cite properly in APA)
• Make an argument concerning the topic.
• At least one scholarly source should be used in the initial discussion thread. Be sure to use information from your readings and other sources from the UC Library. Use proper citations and references in your post.

IPsec/Firewall Security Policy Analysis : A Survey

Roumaissa Khelf

Networks and System Laborator

y

Computer Science Department
Badji Mokhtar-Annaba University

Annaba, Algeria
khelfroumaissa@yahoo.com

Nacira Ghoualmi-Zine

Networks and System Laboratory
Computer Science Department

Badji Mokhtar-Annaba University
Annaba, Algeria

ghoualmi@yahoo.com

Abstract—As the technology reliance increases, computer
networks are getting bigger and larger and so are threats and
attacks. Therefore Network security becomes a major concer

n

during this last decade. Network Security requires a
combination of hardware devices and software applications.
Namely, Firewalls and IPsec gateways are two technologie

s

that provide network security protection and repose on
security policies which are maintained to ensure traffic contro

l

and network safety. Nevertheless, security policy
misconfigurations and inconsistency between the policy’s rules
produce errors and conflicts, which are often very hard to
detect and consequently cause security holes and compromise
the entire system functionality. In This paper, we review the
related approaches which have been proposed for security
policy management along with surveying the literature for
conflicts detection and resolution techniques. This work
highlights the advantages and limitations of the proposed
solutions for security policy verification in IPsec and Firewalls
and gives an overall comparison and classification of the
existing approaches.

Keywords—Network Security; Security policy; IPsec;
Firewall; Security policy anomalies; policy analysis; Conflicts
analysis.

I. INTRODUCTION
To enforce network security, several functionalities are

implemented by the security to ensure security within a
computer network. Some of security controls are used to
control traffic like firewalls (Network protection), others
have the capability to control and modify the traffic as IPsec
gateways (VPNs Protection) [1]. Despite that IPsec is newer
than firewall technology, firewall studies are more common
and various. This can be due to the fact that firewalls are
more market-share. So, this gives us a motivation to regroup
both technologies in this survey in order to show up which
one of them is the best choice for the network security
verification. Whereas studies are varied, Firewall and IPsec
share the similar nature, thus security policies are an
essential component for both of them. Basically, security
policies are considered complex in large systems, and it is
hard to find faults. In addition, network administrators
cannot always have a deep insight of the network
configuration; hence, those challenges make the security
policy testing and verification much harder. To solve this
problem, several approaches have been proposed in
literature. The main objective of those studies was to find out
a way to automatize the verification and the management of
security policy by introducing different techniques for

conflicts identification and resolution. So, this survey
highlights different studies for policy analysis context and
especially on conflict management. Regarding studies on
policy analysis topic, we can notice that there is no global or
general solution that can be applied directly to solve the
problem. Most of the studies focus on sub-problems parts
solutions, thus the proposed works does not grant compatible
solutions. Also, as regards to the network topology, dynamic
environment of distributed networks must be taken into
consideration (enterprise networks); because some of the
proposed approaches are inefficient for dynamic conditions.
More details will be given in next sections.

This work highlights the existing researches in the field
of security policy verification and analysis. We highlight the
most important approaches in a chronological order, while
emphasizing the different advantages and disadvantages of
these approaches. We also discuss the differences between
these works, and propose solutions in order to overcome
prior studies drawbacks and also we propose a categorization
schema for the existing approaches in this area.

This paper is organized as follows. Section 2 presents a
global overview on both technologies Firewall and IPsec
hence the basic differences between them. In Section 3 we
present a brief definition of security policy and the notion of
filtering rules, as well as the policy analysis and its different
fields. Section 4 presents the researches carried out on
different types of security policy concerning firewalls and
IPsec. In section 5 we compare the cited works and discuss
the main differences between those approaches in addition to
a proposition of a categorization schema.

II. FIREWALL VS IPSEC
Firewall and IPsec are both complementary components

for network security. We can’t really compare them;
however, there are some differences between IPsec and
firewalls. In this section we try to identify those differences
and understand subtleties of both technologies.

A. Firewalls
Firewalls are network devices which enforce an

organization’s security policy [2]. It can be a router, an
access server, or a several services modules. Firewall
monitors the outgoing and incoming traffic from and to a
network. The monitoring operation is done using packet
filters and aims to allow or deny the traffic. Firewall filters
the packets according to various criteria such as IP addresses,

Ports, network interfaces… etc. All those information are
ordered in a set of rules which constitute security policies of
firewalls. The main objective of a firewall is to determine the
accessibility of a type of traffic in a particular network.
Indeed the principal is simple; a firewall protects the network
by allowing or discarding wanted or unwanted traffic
respectively. However, firewalls do not secure or modify the
actual traffic going back and forth. Beside the fact that not all
attacks types are handled, the emerging technologies like
VPN and P2P present new challenges for firewalls.

B. IPsec
Internet Protocol security (IPsec) is known as a cost-

effective way to establish security in Virtual Private
Networks (VPNs). IPsec is a set of open standard that
provide data authentication, integrity and confidentiality. It
can be used to protect the data flow between a pair of hosts, a
pair of gateways or between a host and a gateway. Regarding
IPsec security architecture, it defines two types of security
policies: the access control list and the crypto map list.
Access control list defines the protected traffic and the
crypto access list defines the protection parameters to be
applied on this traffic. In other words, the distribution of
protection in IPsec depends on the design of the security
policy and its distribution.

C. Firewall and IPsec Comparison
To sum up, Firewall is used to protect a network from

unwanted traffic, however, IPsec is used to protect a server
or a group of servers in a network IPsec protect the wanted
traffic while crossing the network, hence IPsec is not just
controlling traffic but also protecting it. In other words,
firewall security policies are defined to control the traffic
access to the network. It aims to permit legitimate traffic and
blocks unwanted traffic. On the other hand, IPsec’s access
control policy has a similar aim of firewall policy; however
legitimate traffic is either permitted directly or protected
before the transmission. Therefrom, the main distinction
comes between the firewall and IPsec. When the legitimate
traffic is judged to be protected, the IPsec encryption list
takes place, and the traffic is compared to its filtering rules to
find out which IPsec perform (AH, ESP, Tunnel, Transport
mode) must be applied on this traffic.

Despite the differences, both technologies can be used to
ensure the network protection; the firewall is more
convenient in term of the centralized protection. Hence IPsec
is more powerful in the term of flexible protection and
servers/domains isolations.

III. POLICY VERIFICATION BACKGROUND

A. Network Security Policy
A network security policy is a set of requirements and

that control the behavior of an entity in a network. This
behavior is defined by a set of constraints, which are meant
to govern data access, use, and transfer inside the network.
The security policy requirement is defined as a set of
filtering rules; these rules are tried in a particular order that
ensure the correct execution of policy directives. Generally,
security policies are used to ensure three main

functionalities: Confidentiality (data secrecy), Integrity (data
originality) and Availability (data access).

B. Security Policy Analysis
After the definition of security policy directives, comes

the specification of filtering rules. This phase is called
policy configuration, which is typically complicated and
error-prone. Despite the huge importance of security
policies on the security of communication networks,
conflicts can lead to security breaches and high risk attacks.
Thus, conflicts in network security policy can be a result of
misconfiguration or inconsistency between different rules in
the same policy or in different policies. Therefore, to ensure
the correct functioning of the policy, conflicts should be
avoided or at least identified in order to remove them. This
solution is not as easy as it sounds because of many
difficulties that make the conflict management a very hard
task for network administrator such as; the growing number
of internet applications, the nature of distributed networks,
different types of security controls and the large number of
policies and rules which can cause an extremely high
number of conflicts, hence it become intractable for network
administrator. Therefrom, the need arises to find more
suitable solutions for the verification of security policies.

C. Policy Analysis
As discussed before, Network security cannot be

guaranteed without a well-designed security policy. Hence,
several studies have been carried out to overcome the
problem of conflicts and configuration errors in different
types of security policies such as in social network policies
[3] or cloud computing [4], Policy analysis consists of the
verification of policy configuration in order to monitor the
changes in policies, behavior or security violation caused by
a conflict. To be noted that during the analysis of policy,
devices which are already deployed remains unchangeable
and under the control of a network administrator.

Regarding the proposed works in literature that extend
the concept of policy analysis, we can divide them into three
main categories: reachability, policy comparison and conflict
analysis. (Fig. 1) Essentially, our focus will be on conflicts

Fig. 1. Classification of Policy Analysis Approaches

analysis.

The analysis of conflicts aims to identify potential errors
in single or multiple security policies (intra and inter
domains). Without the loss of generality, the approaches
used for conflict analysis can be also categorized into three
main categories: verification of configurations, conflicts
detection and policy optimization. Thus, the proposed
solutions for the conflicts detection across last years, can be
divided in three sub-categories: the first one is the policy
management sub-category, which is based on data structures
like [5], the second one is the proposition of novel formal
models as in [6] and lastly, the proposition of new tools such
as [7].

IV. STATE OF THE ART
In literature, firewall policy verification is a very

common research field; a lot of approaches were proposed
in order to provide a complete solution of the main problem:
the conflict analysis. In this section, we show some of these
proposed approaches for firewall policy verification.

A. Firewall Approaches
The Proposition of Al in [8] was the first paper that
introduced the concept of conflict analysis of firewall
policy. Authors in this paper define all the existing relations
between policy rules, their classification defines 5 types of
relationships: complete disjoint where rules are independent
and do not have any intersection, exactly matched: two rules
match the same traffic and apply the same action for this
traffic. The other type is: Inclusively matched, this relation
occurs when the rules do not exactly match the same traffic,
in other words, every field in the first rule is a subset or
equal to the corresponding fields in the second rule.
Partially disjoint: is when at least one of the first rule fields
is a subset or equal to the other rule and finally Correlation
is when some fields of the rule are subsets or equals to the
corresponding fields in the second rules, and the rest of
other fields are superset or equals. The authors present
policy using a single rooted tree (policy tree) so every node
in the policy tree represents a field of a filtering rule and
each branch at this node represents a possible value for the
associated field. Then they give a classification of 4 types of
anomalies (shadowing, correlation, generalization and
redundancy). The authors use a tool called policy advisor
that help the administrator to manage a firewall policy
without prior analysis of filtering rules. Thus, it implements
two management tools: policy anomaly detector: identify
anomalies and notify the administrator and policy editor;
which reorder the updated or inserted rules. However policy
advisor is limited in detecting only pairwise anomalies in
firewall rules. This work was extended next to [9]. In this
work, the authors add a new classification which includes
the multi-firewall environment anomalies. So they develop
their technique to detect anomalies in centralized and
distributed legacy firewall. The new defined conflicts are
(shadowing, spuriousness, correlation, redundancy and
irrelevance). Shadowing occurs between two rules in two
different firewalls that match the same packets and the first

rule blocks a packet that is permitted by the second rule.
The case of spuriousness is defined when two rules match
the same packet and the first rule permit this packet which is
blocked by the second rule. According to their definition,
rules in correlation are rules in different firewall. These
rules match some common packets, but apply different
actions. However, if these two rules block the traffic, it’s
then a redundancy conflict. The irrelevances anomaly is
defined by rules which do not have any corresponding
matched traffic. Authors specify that rules insertion phase is
performed in two steps, the first one is the rule placement
which aims to find the corresponded firewall by identifying
all the possible paths, and the next step is to verify the
relation between the new rule and the existing rules in order
to avoid intra-firewall anomalies. Despite this work was
very helpful for next studies, it has the drawback of
detecting anomalies only afterward, and do not provide a
recovery mechanism, also it’s not suitable for all the
security controls. In addition, high performances are
guaranteed only for a limited number of rules. Another
extension of Al-Shaer’s work is [10]. This work proved that
conflicts classified by Al-Shaer cation are the only conflicts
that could exist in firewall policies. The authors present a set
of algorithms to detect rule anomalies within a single
firewall (intra-firewall anomalies), and between
interconnected firewalls (inter-firewall anomalies) in the
network. In addition to their previous works they presented
a user-friendly Java-based implementation of the Firewall
Policy Advisor. This work was also extended by Al-Shaer in
[11]. The Authors in [12] also proposed a novel tool
“FIREMAN” for the analysis of firewall policies. They use
the Binary Decision Diagram (BDD) [13] to represent the
packet filtering policies. This work provides intra-policy
packets analysis and verifies the correct implementation on
end-to-end policy.

The FIREMAN detection technique is based on the
analysis of potential relationships between a filtering rule
and a packet space. Hence this packet space is derived from
the set of all the preceding rules. The main limitation of
FIREMAN is that it can only detect the anomaly without
identifying the rules involved. Also, subsequent rules are
ignored during the anomaly analysis. In [14] FIREMAN toll
was extended to deal with NAT and routing tables. Their
tool, Prometheus, unlike Fireman, is able to detect the
misconfiguration beside rules responsible for it. Prometheus
identifies the anomaly when two different paths within the
same firewall execute several decisions for the same packet.
In Addition some corrections are also available with this
tool. In [15], the authors define a methodology to classify
firewall policy rule conflicts, according to their severity
level. Authors present a classification of different intra-
policy conflicts, where severity defines the rank of
correlation between the presences of conflict in policy and
the erroneous behavior of the respective device. Exact
match, shadowing, and post redundancy are severe conflicts
according to authors’ definition. The resolution of conflicts
depends in some cases, on the network manager decision;

that can associate priorities to the conflictual rules. One of
the major limitations of this work is that the approach
concerns only a one firewall policy implementation; it is not
applied on distributed firewall policies. Al-Shaer approach
was very helpful for researches thus, a lot of works has been
proposed based on it. Those novel approaches prove that al-
Shaer classification is general and applicable for multiple
scenarios. Additionally, some researchers introduce
different security component for the security policy analysis
context, for instance in [16], authors add the possibility to
manage security policies over a distributed network security
as network intrusion detection systems (NIDS) for the
detection of conflicts in filtering packet rules, the authors
presented a network model that allows identification of
components which are crossed by a given packet knowing
its source and destination. Based on this model they defined
two new types of conflicts (irrelevance and miss-
connection). In this work, the security policy is rewritten in
a positive and negative format (only allows rule or only
deny rules). The extended work of this approach is [7]
where the MIRAGE tool is proposed. This tool represents a
management tool for analysis and deployment of
configuration policies over network security components,
such as firewalls, intrusion detection systems, and VPN
routers. In the same context, another tool was proposed in
[17]. The authors propose the Margrave; a novel tool for
firewall analysis. Beside the analysis of the policy this tool
is able to define the consequences resulting from
configuration updates. Margrave is also capable to generate
separate policies for other functions other than access
filtering, like routing and switching which ensure the
analysis of the whole firewall behavior. Other studies
present formal models for security policy generation, such
as [18]. In this work, the authors present a new formal
model for the ACL policies, this model called geometric
model is based on a set of rules a default limited number of
actions and use an ad-hoc resolution strategy. For the
resolution of anomalies, the authors present several
techniques such as the First matching Rule (FMR) and the
Last Matching Rule (LMR). In addition, the authors define a
new type of anomalies which result from the union of more
than two rules (general shadowing and general redundancy).
In [19] authors adopt a novel technique of rule segmentation
for the identification and resolution of anomalies in firewall
policies based on Binary Decision Diagram (BDD). For this
purpose, they adopt a grid-based representation technique
which provides an intuitive cognitive sense about anomaly,
in order to identify policy anomalies and resolve them.
Based on this technique the network packet space is divided
into disjoint packet space segments associated with a unique
set of firewall rules. The work in [20] presents a formal
model of firewall rules sequence, the authors focus on rules
reordering problem, their method verifies if a given firewall
rule sequence maintains the correct specification of a
security policy, by checking the relation between rules.
They proposed a verification method divided into two parts.
The first part is decision conflicts rules set generator; where

the set of security policy is translated into rules and ordered
correctly is in the rule base, then identifying rules that
generate conflict with the policy abstraction technique. The
second part is the Policy consistency engine which ensures
that rules reordering maintain the correctness of the security
policy. In case of violation another rule reordering is
needed. In [21], authors present a framework in order to
facilitate the detection of firewall policy conflicts inside
dynamic open flow networks, in addition to the previous
works in this area, this work present a model for the
detection and the resolution of conflicts in a real-time
situations, the proposed tool FLOWGUARD checks
network flow path spaces to detect firewall policy violations
when network states are updated. However, there is no
analysis model in their framework. And it does not cover
stateful firewalls in SDN’s. Basically, most of precedent
cited paper has focus on the detection and resolution of
conflicts with the human intervention, which is in some
cases difficult and error prone. Authors in [22] focus on this
point and propose an alternative solution to make amends of
human intervention, where they use a query engine for
firewall security policy analysis. Their proposition aims to
automate the whole process of anomaly resolution, without
referring to the administrator intervention. In other words,
instead of prompting the administrator for inserting the
proper order of rules, they implemented a tool (FPQE)
which executes a set of queries against a high level firewall
policy.

In [5] Authors propose an analysis method; this method
aims to detect anomalies in a firewall file configuration and
to determine consequences resulting from deleting or
updating filtering rules in the configuration file. The method
key is to represent the set of rules with a data structure
which is the tree. Firewall Anomaly Tree (FAT) can be
dynamically updated by adding or deleting filtering rules
and it gives to administrator an idea about the adequate
position to insert a rule.

Authors in [23] use a data structure called Firewall
Decision Diagram FDD and an inference system. They
propose a novel approach to automatically remove fix
firewall misconfigurations. In this work, a classification of
different anomalies in the multi firewall environment is
provided, where anomalies are divided into two main parts;
real misconfiguration and intended anomaly Resolution of
configuration errors, according to this work is done by
several techniques such as modifying the rules fields,
reordering and removing some rules. In brief they propose a
method to rules sets optimization by removing unused rules
in the policy. The authors define shadowed and redundant
rules as superfluous rules. Superfluous rules identification is
based on an inference system. Thus, this kind of rules is
removed from the policy. After the removal of superfluous
rules the discovery of misconfiguration phase begins.
Misconfigurations are identified in both simple firewall
(when different actions are applied on the same traffic in the
same firewall configuration) and distributed firewalls

(different firewalls apply different actions on the same
traffic).

B. IPsec Approaches
In literature, IPsec policies verification and management

approaches are not as common as firewall polices, this can
be caused by the similarity between the two technologies,
and the novelty of IPsec comparing to firewalls. The
concept of verification of IPsec security policies was firstly
introduced in [24]; the analysis is performed on several
policy implementations in order to detect conflicts. Authors
define a conflict as the case when policy implementations
do not satisfy the security policy requirements. They define
a requirement as the high level policy objective while policy
implementations are specified to meet that objective. Thus
the policy specification process transforms a requirement to
specific policy implementation. Beside the conflicts
detection, authors propose also a recovery mechanism. The
resolution aims to define new implementation that satisfies
the desired policy while minimizing possible damage causes
by the violation of any security requirement. However, this
method is quite complicated due to the use of non-standard
high level security requirement, which are not always
available in existing standards. Furthermore, updating
requirements cause the re-initialization of algorithm each
time, which is a tedious task. Next the schema proposed in
this work was formalized in [6]. The authors propose a
method for conflict detection by analyzing IPsec policies.
This work can be also considered as the extension of [10].
The proposed model incorporates encryption and packet
filter capabilities of IPsec. Thus, two types of conflicts are
defined for both the intra and inter-policy. the overlapping
session conflicts occurs when multiple IPsec session are
established to delivered a packet to several hosts, and the
packet is delivered to the farther host before the near one.
The second type of conflict is the Multi-Transform conflict.
It is the result of the application of a weaker protection to an
already encapsulated traffic. Authors also use BDD to
compares rules translated into Boolean functions. The main
drawback of this method is that is limited to detection
conflicts only without any recovery process. In addition, the
processing of the policy rules each time is highly time
consuming and inefficient in dynamic environment.

In [25] and [26] authors present a complete taxonomy of
possible existing conflicts in an IPsec security policy,
including both packet-filter and IPsec configuration. Their
proposed classification of intra and inter-policy is quite
similar; however they define conflicts in a simpler way that
makes the implementation much easier. In [27] an
architecture that stores all the IPsec policy in a center is
proposed. Thus, this center is accessible by a manager and
enforced by an access control policy. IPsec implementations
manipulate IPsec databases via a database manager. The
authors define IPsec implementation as programs which can
establish IPsec channels and access to databases (for
instance Strongswan and Openswan). The essential
contribution is that the use of this manager aims to avoid
access to databases by unauthorized implementations. In

another part, this work aims to prevent conflict before it
occurs, which is described as some kind of conflict
recovery. However, recovery is only made for conflict
diffusion, which is the authors’ definition of the inter-policy
conflicts.

The proposed algorithm in [28] can be considered as an
improvement of the solution proposed in [6]. The authors
propose an algorithm for the dynamic verification of an
IPsec policy. The proposed algorithm defines some type of
conflicts (does not support all the defined conflicts in the
previous works). The method uses essentially the BDD to
represent the IPsec policy and manipulate Boolean functions
in order to dynamically detect conflicts. On the whole, the
proposed algorithm generates conflict-free policies from
conflicting policies. Thus, beside the conflicts detection
authors also present some recovery mechanisms in their
approach

Authors in [29] extend the idea of, they improved the
conflicts classification in a way to be easier to implement.
An algorithm is proposed for dynamic detection of both
intra and inter-policy conflicts. The proposed classification
includes all the possible conflicts of an IPsec Access control
list; the proposed algorithm is based on a generic model
where each type of conflict is associated with a Boolean
expression. The use of Boolean expression for the
presentation of IPsec policy is obtained thanks to the Binary
Decision Diagram. Beside the improvement of classification
this method can also detect inter-policy conflicts. However
the method was not evaluated to show up the efficiency of
the algorithm.

TABLE 1 Comparison between different approaches for security policy
analysis

A
p

p
ro

ac
he

s

C
on

fl
ic

t
C

la
ss

if
ic

at
io

n
C
on
fl
ic

t
R

es
o

lu
ti

on

In
te

r-
p

ol
ic

y
co

n
fl

ic
ts

D
at

a

S
tr

u
ct

u
re

P

o
li

cy

re
g

en
er

at
io
n

P
o

li
cy

f
o

rm
al

m

o
de

l
C
on
fl
ic

t
p

re
v

en
ti

on

D
y

na
m

ic
it

y

[8] √ √
[9] √
[10] √
[12] √
[14] √ √
[15] √ √
[16] √ √ √

[7] √ √

[17] √ √ √

[18] √ √ √

[19] √ √ √

[20] √ √ √

[5] √ √ √

[23] √ √ √ √ √ √

[24] √ √

[6] √

[26] √ √ √

[27] √ √

[28] √ √ √

[29] √ √ √ √

V. DISSCUSION AND COMPARISON

In this section, we compare the different works cited in
this paper. Table 1 summarizes the main differences
between all cited works in this article. Each row in the table
stands for a proposed approach identified by its citation
number. The first fourteen rows present approaches for
Firewalls and the last six rows present approaches for IPsec.
Columns present the different considered fields of policy
analysis. Thus the most pertinent fields used for the
comparison are:

� Conflict classification
Some works has proposed novel classification for the
existing conflicts, other introduced novel types of conflicts
and some works uses the already existing classification in
literature.
� Conflict Resolution

Although the majority of approaches and methods can
detect conflicts efficiently, not all those approaches have
guaranteed the resolution of conflicts.
� Data structure

This come to approaches in which authors use a kind of data
structure like trees, grids and binary decision diagram, to
facilitate the representation of policy or the analysis process.
� Dynamicity

Although the effect of dynamicity in networks, it was not
the major concern of authors when analyzing the security
policy, only few papers has taken into consideration the
dynamic conditions.

By comparing the different proposed approaches for the
analysis of security policy, we provided a categorizatiON
schema presented in (fig. 2) which classifies those works
according to their contribution. We divided the approaches
into three main categories:

� Classification and discovery of conflict approaches

The first proposed approaches for firewall policy analysis
[5-13] and IPsec policy management [24-26] focus on the
representation of security policy in order to extract the
possible existing conflicts.

Fig. 2. Categorization of Conflicts Analysis Approches

Several conflicts types where added by novel classification
models, thus based on those classifications, researchers have
builds on several conflicts detection techniques.
Nevertheless, those approaches did not guarantee the
resolution of the detected conflicts, which bring us to the
second categories of policy analysis approaches.
� Approaches for conflict resolution

The resolution of conflict is the ultimate goal of security
policy analysis, hence several techniques have been
proposed in literature. For this purpose, different tool were
created such as Mirage in [7], Prometheus in [14], Margrave
in [17], Flowguard for a real time resolution in [21] and
FPQE for a resolution without the administrator intervention
in [22]. Other resolution techniques were proposed like: Re-
writing security policy introduced in [16], Rule Re-ordering
used in [18] & [20], and Rule segmentation presented in
[19]. Noted that some works have combine different
techniques and some other belongs to different categories at
same time such in [23] where authors present a novel
classification and propose a novel resolution technique
based on an FDD representation.
� Performances optimization approaches

Other solutions were proposed based on previous works, in
order to optimize the analysis process performances, such in
[28] and [29] where authors propose novel algorithms for
the management of IPsec security policy, where the
proposed algorithm aims to optimize the time and
complexity beside the detection and resolution of conflicts.

VI. PERSPECTIVES
Despite that conflict analysis studies are plenty; there are

still a lot of lakes in this context. One of the major
drawbacks of the previous approaches is that they are
limited to a single type of security control, thus such type of
solution is inefficient for complex and distributed networks,
where a network can have a combination of different type of
security controls (NAT, Firewall, IPsec). Another major
limitation concerning conflict analysis is that the majority of
paper focuses only on policy analysis and ignores the aspect
of the performances and network topology. Thus,
performances are quite important when network
administrator is involved in policy verification and
recovery.

The comparison between the different works presented
in this paper, leads us to conclude that a lot of approaches
share the same techniques, however not all of them are
compatible with each other. An alternative solution is to
combine all the advantages of previous works to provide a
unique approach suitable for all security controls. Another
observation is that researches on IPsec are not sufficient
despite the importance of security policy for the correct
IPsec functioning. Consequently, the proposed future
solution must take network topology into consideration and
convenient to dynamic conditions imposed by distributing
networks while regarding other

performance

aspect like
execution time. To accomplish this objective, proposed

Conflict
Analysis

Approaches

Classification
of conflict

Resolution
of conflicts

Re-writing policy

Re-ordering of rules

Segmentation of rules

Tool proposition

Optimization
of

performance

approaches must guarantee well-defined formats of input
data; and use extendible data structure. So the aim is to
provide a model that can perform policy analysis on
different types of security controls while conserving
network security, flexibility and transparency.

VII. CONCLUSION
With the dynamic growth of the internet, network

security has become a focal concern. Firewall and IPsec
gateways are widely used in private networks as an
important part of their security. However, their efficiency
can be affected by the conflict produced in their security
policies. Furthermore, the complexity of security policy
makes their verification and configuration more difficult.
Along this last decade, a lot of researches were carried out
in this field. In this paper we present some of those works
concerning the verification of policies of firewall and IPsec.
We define the outlines of both technologies and compare
different proposed approaches. A comparison between those
works, lead us to propose potential solutions in order to
overcome security policy problem. One of the main
propositions is to find out a way to combine proposed
solutions into one single general and standard approach,
while ensuring the best performances in the network.

REFERENCES
[1] Snader, Jon C. VPNs Illustrated: Tunnels, VPNs, and IPsec. Addison-

Wesley Professional, 2015.

[2] Ingham, Kenneth et Forrest, Stephanie. A history and survey of
network firewalls. University of New Mexico, Tech. Rep, 2002.

[3] Wu, Zhengping et Liu, Yuanyao. Knowledge-based policy conflict
analysis in mobile social networks. Wireless personal communications,
2013, vol. 73, no 1, p. 5-22.

[4] Pisharody, Sandeep, Chowdhary, Ankur, et Huang, Dijiang. Security
policy checking in distributed SDN based clouds. In : Communications
and Network Security (CNS), 2016 IEEE Conference on. IEEE, 2016.
p. 19-27.

[5] ABBES, Tarek, BOUHOULA, Adel, et RUSINOWITCH, Michaël.
Detection of firewall configuration errors with updatable tree.
International Journal of Information Security, 2016, vol. 15, no 3, p.
301-317.

[6] HAMED, Hazem, AL-SHAER, Ehab, et MARRERO, Will. Modeling
and verification of IPSec and VPN security policies. In : Network
Protocols, 2005. ICNP 2005. 13th IEEE International Conference on.
IEEE, 2005. p. 10 pp.-278.

[7] GARCIA-ALFARO, Joaquin, CUPPENS, Frédéric, CUPPENS-
BOULAHIA, Nora, et al. MIRAGE: a management tool for the
analysis and deployment of network security policies. Data Privacy
Management and Autonomous Spontaneous Security, 2011, p. 203-
215.

[8] Al-Shaer, Ehab S. et Hamed, Hazem H. Firewall policy advisor for
anomaly discovery and rule editing. In : Integrated Network
Management, 2003. IFIP/IEEE Eighth International Symposium on.
IEEE, 2003. p. 17-30.

[9] AL-SHAER, Ehab S. Et HAMED, Hazem H. Discovery of Policy
Anomalies In Distributed Firewalls. in : INFOCOM 2004. Twenty-
Third Annualjoint Conference Of The IEEE Computer and
Communications Societies. IEEE, 2004. P. 2605-2616.

[10] AL-SHAER, Ehab, HAMED, Hazem, BOUTABA, Raouf, et al.
Conflict classification and analysis of distributed firewall policies.
IEEE journal on selected areas in communications, 2005, vol. 23, no
10, p. 2069-2084.

[11] Al-Shaer, E. Modeling and verification of firewall and ipsec policies
using binary decision diagrams. 2014 In Automated Firewall Analytics
(pp. 25-48). Springer, Cham.

[12] YUAN, Lihua, CHEN, Hao, MAI, Jianning, et al. Fireman: A toolkit
for firewall modeling and analysis. In : Security and Privacy, 2006
IEEE Symposium on. IEEE, 2006. p. 15 pp.-213.

[13] BRYANT, Randal E. et MEINEL, Christoph. Ordered binary decision
diagrams. In : Logic Synthesis and Verification. Springer US, 2002. p.
285-307.

[14] OLIVEIRA, Ricardo M., LEE, Sihyung, et KIM, Hyong S. Automatic
detection of firewall misconfigurations using firewall and network
routing policies. In : IEEE DSN Workshop on Proactive Failure
Avoidance, Recovery, and Maintenance (PFARM). 2009.

[15] FERRARESI, Simone, PESIC, Stefano, TRAZZA, Livia, et al.
Automatic conflict analysis and resolution of traffic filtering policy for
firewall and security gateway. In : Communications, 2007. ICC’07.
IEEE International Conference on. IEEE, 2007. p. 1304-1310.

[16] ALFARO, Joaquin Garcia, BOULAHIA-CUPPENS, Nora, et
CUPPENS, Frédéric. Complete analysis of configuration rules to
guarantee reliable network security policies. International Journal of
Information Security, 2008, vol. 7, no 2, p. 103-122.

[17] NELSON, Timothy, BARRATT, Christopher, DOUGHERTY, Daniel
J., et al. The Margrave Tool for Firewall Analysis. In : LISA. 2010. p.
1-18.

[18] BASILE, Cataldo, CAPPADONIA, Alberto, et LIOY, Antonio.
Network-level access control policy analysis and transformation.
IEEE/ACM Transactions on Networking (TON), 2012, vol. 20, no 4,
p. 985-998.

[19] HU, Hongxin, AHN, Gail-Joon, et KULKARNI, Ketan. Detecting and
resolving firewall policy anomalies. IEEE Transactions on dependable
and secure computing, 2012, vol. 9, no 3, p. 318-331.

[20] GAWANMEH, Amjad. Automatic verification of security policies in
firewalls with dynamic rule sequence. In : Information Technology:
New Generations (ITNG), 2014 11th International Conference on.
IEEE, 2014. p. 279-284.

[21] Hu, H., Han, W., Ahn, G. J., & Zhao, Z. FLOWGUARD: building
robust firewalls for software-defined networks, 2014 In Proceedings of
the third workshop on Hot topics in software defined networking (pp.
97-102). ACM.

[22] Bouhoula, A., & Yazidi, A. A security policy query engine for fully
automated resolution of anomalies in firewall configurations. In
Network Computing and Applications (NCA), 2016 IEEE 15th
International Symposium on (pp. 76-80). IEEE

[23] SAÂDAOUI, Amina, SOUAYEH, Nihel Ben Youssef Ben, et
BOUHOULA, Adel. FARE: FDD-based firewall anomalies resolution
tool. Journal of Computational Science, 2017, vol. 23, p. 181-191.

[24] FU, Zhi, WU, S. Felix, HUANG, He, et al. IPSec/VPN security policy:
Correctness, conflict detection, and resolution. In : Policies for
Distributed Systems and Networks. Springer, Berlin, Heidelberg, 2001.
p. 39-56.

[25] LI, Zhitang, CUI, Xue, et CHEN, Lin. Analysis and classification of
ipsec security policy conflicts. In : Frontier of Computer Science and
Technology, 2006. FCST’06. Japan-China Joint Workshop on. IEEE,
2006. p. 83-88.

[26] HAMED, Hazem et AL-SHAER, Ehab. Taxonomy of conflicts in
network security policies. IEEE Communications Magazine, 2006, vol.
44, no 3, p. 134-141.

[27] SUN, Hung-Min, CHANG, Shih-Ying, CHEN, Yao-Hsin, et al. The
design and implementation of IPSec conflict avoiding and recovering
system. In : TENCON 2007-2007 IEEE Region 10 Conference. IEEE,
2007. p. 1-4.

[28] NIKSEFAT, Salman et SABAEI, Masoud. Efficient algorithms for
dynamic detection and resolution of IPSec/VPN security policy
conflicts. In : Advanced Information Networking and Applications
(AINA), 2010 24th IEEE International Conference on. IEEE, 2010. p.
737-744.

[29] KHELF, Roumaissa et Ghoualmi, Nassira. Intra and inter policy
Conflicts Dynamic Detection Algorithm. In : Detection Systems
Architectures and Technologies (DAT), Seminar on. IEEE, 2017. p 1-6

Managing and Using Information Systems:
A Strategic Approach – Sixth Edition

Keri Pearlson, Carol Saunders,
and Dennis Galletta

© Copyright 2016
John Wiley & Sons, Inc.

Chapter 7
Security

2

Opening Case
What are some important lessons from the opening case?
How long did the theft take? How did the theft likely occur?
How long did it take Office of Personnel Management (OPM) to detect the theft?
How damaging are the early reports of the data theft for the OPM?

© 2016 John Wiley & Sons, Inc.
3

The hackers did not carry out a dramatic and quick theft; they had a year to steal the records at their leisure.
The theft took place over a year, and the hackers stole a password.
It took many months for OPM to detect the theft.
Early reports say that at least 4 million, and as many as 14 million records were stolen. Each record contained 127-page security clearances that include sensitive medical, personal, and relationship information.
3

How Long Does it Take?
How long do you think it usually takes for someone to discover a security compromise in a system after the evidence shows up?
Several seconds
Several minutes
Several hours
Several days
Several months
A Mandiant study revealed that the median for 2014 was 205 days! That’s almost 7 months!
The record is 2,982 which is 11 years!
© 2016 John Wiley & Sons, Inc.
4

Timeline of a Breach – Fantasy
Hollywood has a fairly consistent script:
0: Crooks get password and locate the file
Minute 1: Crooks start downloading data and destroying the original
Minute 2: Officials sense the breach
Minute 3: Officials try to block the breach
Minute 4: Crooks’ download completes
Minute 5: Officials lose all data
Source: http://
www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg
© 2016 John Wiley & Sons, Inc.
5

Timeline of a Breach – Reality

Source: http://
www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg
© 2016 John Wiley & Sons, Inc.
6

IT Security Decision Framework
Decision Who is Responsible Why? Otherwise?
Information Security Strategy Business Leaders They know business strategies Security is an afterthought and patched on
Information Security Infrastructure IT Leaders Technical knowledge is needed Incorrect infrastructure decisions
Information Security Policy Shared: IT and Business Leaders Trade-offs need to be handled correctly Unenforceable policies that don’t fit the IT and the users
SETA (training) Shared: IT and Business Leaders Business buy-in and technical correctness Insufficient training; errors
Information Security Investments Shared: IT and Business Leaders Evaluation of business goals and technical requirements Over- or under-investment in security

© 2016 John Wiley & Sons, Inc.
7

How Have Big Breaches Occurred?
Date Detected Company What was stolen How
November 2013 Target 40 million credit & debit cards Contractor opened virus-laden email attachment
May 2014 Ebay #1 145 million user names, physical addresses, phones, birthdays, encrypted passwords Employee’s password obtained
September 2014 Ebay #2 Small but unknown Cross-site scripting
September 2014 Home Depot 56 million credit card numbers
53 million email addresses Obtaining a vendor’s password/exploiting OS vulnerability
January 2015 Anthem Blue Cross 80 million names, birthdays, emails, Social security numbers, addresses, and employment data Obtaining passwords from 5 or more high-level employees

© 2016 John Wiley & Sons, Inc.
8

Password Breaches
80% of breaches are caused by stealing a password.
You can steal a password by:
Phishing attack
Key logger (hardware or software)
Guessing weak passwords (123456 is most common)
Evil twin wifi
© 2016 John Wiley & Sons, Inc.
9

Insecurity of WiFi– a Dutch study
“We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.”
Had WiFi transmitter broadcasting “Starbucks” as ID
Because they were connected to him, he scanned for unpatched or vulnerable mobile devices or laptops
He also saw passwords and could lock them out of their own accounts.
The correspondent: “I will never again be connecting to an insecure public WiFi network without taking security measures.”
© 2016 John Wiley & Sons, Inc.
Slide 5-10

Other Approaches
Cross-site scripting (malicious code pointing to a link requiring log-in at an imposter site)
Third parties
Target’s HVAC system was connected to main systems
Contractors had access
Hackers gained contractors’ password
Malware captured customer credit card info before it could be encrypted
© 2016 John Wiley & Sons, Inc.
11

Cost of Breaches
Estimated at $145 to $154 per stolen record
Revenue lost when sales decline
Some costs can be recouped by insurance

© 2016 John Wiley & Sons, Inc.
12

Can You be Safe?
No, unless the information is permanently inaccessible
“You cannot make a computer secure” – from Dain Gary, former CERT chief
97% of all firms have been breached
Sometimes security makes systems less usable
© 2016 John Wiley & Sons, Inc.
13

What Motivates the Hackers?
Sell stolen credit card numbers for up to $50 each
2 million Target card numbers were sold for $20 each on average
Street gang members can usually get $400 out of a card
Some “kits” (card number plus SSN plus medical information) sell for up to $1,000
They allow opening new account cards
Stolen cards can be sold for bitcoin on the Deep Web
© 2016 John Wiley & Sons, Inc.
14

What Should Management Do?
Security strategy
Infrastructure
Access tools *
Storage and transmission tools *
Security policies *
Training *
Investments
* Described next
© 2016 John Wiley & Sons, Inc.
15

Access Tools
Access Tool Ubiquity Advantages Disadvantages
Physical locks Very high Excellent if guarded Locks can be picked
Physical Access is often not needed
Keys can be lost
Passwords Very high User acceptance and familiarity
Ease of use
Mature practices Poor by themselves
Sometimes forgotten
Sometimes stolen from users using deception or key loggers
Biometrics Medium Can be reliable
Never forgotten
Cannot be stolen
Can be inexpensive False positives/negatives
Some are expensive
Some might change (e.g., voice)
Lost limbs
Loopholes (e.g., photo)

© 2016 John Wiley & Sons, Inc.
16

Access Tools (continued)
Access Tool Ubiquity Advantages Disadvantages
Challenge questions Medium (high in banking) Not forgotten
Multitude of questions can be used Social networking might reveal some answers
Personal knowledge of an individual might reveal the answers
Spelling might not be consistent
Token Low Stolen passkey is useless quickly Requires carrying a device
Text message Medium Stolen passkey is useless
Mobile phone already owned by users
Useful as a secondary mechanism too Requires mobile phone ownership by all users
Home phone option requires speech synthesis
Requires alternative access control if mobile phone lost
Multi-factor authentication Medium Stolen password is useless
Enhanced security Requires an additional technique if one of the two fails
Temptation for easy password

© 2016 John Wiley & Sons, Inc.
17

Storage and Transmission Tools
Tool Ubiquity Advantages Disadvantages
Antivirus/ antispyware Very high Blocks many known threats
Blocks some “zero-day” threats Slow down operating system
“Zero day” threats can be missed
Firewall High Can prevent some targeted traffic Can only filter known threats
Can have well-known “holes”
System logs Very high Can reveal IP address of attacker
Can estimate the extent of the breach Hackers can conceal their IP address
Hackers can delete logs
Logs can be huge
Irregular inspections
System alerts High Can help point to logs
Can detect an attack in process
High sensitivity Low selectivity

© 2016 John Wiley & Sons, Inc.
18

Storage and Transmission Tools (continued)
Tool Ubiquity Advantages Disadvantages
Encryption Very high Difficult to access a file without the key
Long keys could take years to break Keys are unnecessary if password is known
If the key is not strong, hackers could uncover it by trial and error
WEP/WPA Very high Same as encryption
Most devices have the capability
Provides secure wifi connection Same as encryption
Some older devices have limited protections
WEP is not secure, yet it is still provided
VPN Medium Trusted connection is as if you were connected on site
Hard to decrypt Device could be stolen while connected
Sometimes slows the connection

© 2016 John Wiley & Sons, Inc.
19

Security Policies
Perform security updates promptly
Separate unrelated networks
Keep passwords secret
Manage mobile devices (BYOD)
Formulate data policies (retention and disposal)
Manage social media (rules as to what can be shared, how to identify yourself)
Use consultants (Managed Security Services Providers)
© 2016 John Wiley & Sons, Inc.
20

SETA (Security Education, Training, and Awareness)
Training on access tools
Limitations of passwords
Formulating a password
Changing passwords periodically
Using multi-factor authentication
Using password managers
© 2016 John Wiley & Sons, Inc.
21

SETA (Security Education, Training, and Awareness)
BYOD
Rules
How to follow them
Social Media
Rules
How to follow them
Cases from the past that created problems
© 2016 John Wiley & Sons, Inc.
22

SETA (Security Education, Training, and Awareness)
Vigilance: Recognizing:
Bogus warning messages
Phishing emails
Physical intrusions
Ports and access channels to examine
© 2016 John Wiley & Sons, Inc.
23

Classic Signs of Phishing
Account is being closed
Email in-box is full
Winning a contest or lottery
Inheritance or commission to handle funds
Product delivery failed
Odd URL when hovering
Familiar name but strange email address
Poor grammar/spelling
Impossibly low prices
Attachment with EXE, ZIP, or BAT (etc.)
© 2016 John Wiley & Sons, Inc.
24

Managing and Using Information Systems:
A Strategic Approach – Sixth Edition
Keri Pearlson, Carol Saunders,
and Dennis Galletta

© Copyright 2016
John Wiley & Sons, Inc.