DocumentCode :
2504435
Title :
Efficient Algorithms for Dynamic Detection and Resolution of IPSec/VPN Security Policy Conflicts
Author :
Niksefat, Salman ; Sabaei, Masound
Author_Institution :
Comput. Eng. & Inf. Technol. Dept., Amirkabir Univ. of Technol., Tehran, Iran
fYear :
2010
fDate :
20-23 April 2010
Firstpage :
737
Lastpage :
744
Abstract :
Today IPSec virtual private networks are widely used to establish secure network connections between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. The complexity and variety of rules in an IPSec policy may result in a combination of rules which not only fails to provide the required security services, but also compromises the security of communication. Efficiency has not been a major concern for existing IPSec policy conflict detection methods since they process the IPSec rules in an offline way. These methods could be inefficient in dynamic conditions where rules are being updated frequently. The performance of the conflict detection is important in environments where the network administrator needs to frequently add or delete rules in an existing policy and also needs to know of the possible conflicts which may arise due to policy changes. In this paper we extend the formal model proposed by Hamed [6] for IPSec policy analysis and propose novel and efficient algorithms which can dynamically detect and also resolve the policy conflicts. The results of the implementation and evaluation of our proposed algorithms show significantly better performance for detection and resolution of IPSec policy conflicts, compared to current work.
Keywords :
IP networks; computer network security; virtual private networks; IPSec policy conflict detection; IPSec virtual private network; VPN security policy conflict; dynamic conflict detection; Algorithm design and analysis; Boolean functions; Computer security; Data structures; Heuristic algorithms; Information security; Internet; Peer to peer computing; Protocols; Virtual private networks; Dynamic Conflict Detection and Resolution; IPSec; IPSec Policy; Policy Conflicts; Virtual Private Networks;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Advanced Information Networking and Applications (AINA), 2010 24th IEEE International Conference on
Conference_Location :
Perth, WA
ISSN :
1550-445X
Print_ISBN :
978-1-4244-6695-5
Type :
conf
DOI :
10.1109/AINA.2010.99
Filename :
5474798