CN110099056B - Policy conflict dynamic detection method for IPSec security gateway - Google Patents

Policy conflict dynamic detection method for IPSec security gateway Download PDF

Info

Publication number
CN110099056B
Authority
CN
China
Prior art keywords
rule
protect
conflict
policy
esp
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910364168.3A
Other languages
Chinese (zh)
Other versions
CN110099056A (en)
Inventor
杨武
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Harbin Insec Information Technology Co ltd
Original Assignee
Harbin Insec Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H04L63/0227 Filtering policies (H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls)
    • H04L63/0263 Rule management
    • H04L63/0272 Virtual private networks


Abstract

The invention discloses a dynamic detection method for policy conflicts of an IPSec security gateway, comprising the following steps: step one, describing the policy of the IPSec gateway in a regularized way; step two, judging whether the newly added rule may have a rule conflict; step three, checking whether the newly added rule may be an approved redundancy or a conflicting redundancy; step four, checking whether the newly added rule may have a rule correlation conflict; step five, checking whether the newly added protection policy rule may have a tunnel overlap conflict; step six, checking whether the newly added protection policy rule may have a non-standard encapsulation conflict; and step seven, after the four conflict types have been detected, resolving the existing conflicts and generating a new rule list with the conflicts removed. The invention improves the IPCDR algorithm; the improved algorithm has an obvious processing effect on mixed policy lists, while its time complexity and memory use remain basically equal to those of the IPCDR algorithm.

Description

Policy conflict dynamic detection method for IPSec security gateway
Technical Field
The invention relates to a network convergence optimization method, in particular to a dynamic policy conflict detection method for an IPSec security gateway.
Background
Because of its flexibility and application transparency, IPSec is widely used as a cost-effective way to establish Virtual Private Networks (VPNs) or secure tunnels between enterprise networks over the Internet. A user or network administrator has to write, at each device's management interface, a security policy that specifies how IPSec protection is to be applied to each particular kind of traffic. An IPSec policy consists of a list of rules over source and destination IP addresses that specify the traffic to be protected, the type of protection (authentication or confidentiality) and the required protection parameters (encryption algorithms). The IPSec policy is matched in rule order until a rule that can be triggered is found.
The rules in an IPSec policy are complex and diverse, and they affect one another, which may cause conflicts and disturb normal network communication. Since IPSec policies resemble firewall rules, the initial research into IPSec policy conflict detection started from firewall rule conflict detection. For general firewall rules consisting of source IP, destination IP, source port, destination port and action, these abstract security policies have to be described in a formal language that a computer can process, so earlier research mainly expressed the firewall rules as Boolean formulas, and subsequent work built on that basis.
IPSec policy conflict detection technology developed later than firewall conflict detection technology, but research on it has not stopped since IPSec was published as an IETF draft in the late nineties. Like firewall policy detection, IPSec policy conflict detection is studied from two sides: the modelling of packet filters on one hand, and the discovery and analysis of conflicting policies on the other. Fu et al. made the earliest attempt, tracing the IPSec policies applied to each IPSec device's traffic to simulate IPSec processing, and focused on the impact that conflicting IPSec policies have on network traffic. However, that method only finds that incorrect overlapping may create potential security hazards; it does not provide a specific search method. Shaer et al. then took a critical step in the study of IPSec policy conflicts, proposing a method to analyse standard IPSec policies and detect conflicts.
Disclosure of Invention
The invention aims to provide a more comprehensive method for dynamically detecting the policy conflict of an IPSec security gateway.
The purpose of the invention is realized by the following technical scheme:
a method for dynamically detecting policy conflict of IPSec security gateway includes the following steps:
step one, the policy of the IPSec gateway is described in a regularization way, and the specific steps are as follows:
(1) keeping the policy list L and the rule R of the IPSec policy, and the processing of the condition part and operation action contained in R, unchanged;
(2) changing the protect action in the operation action set into AH-protect and ESP-protect, so that the corrected operation action set is:
$A_i \in \{\text{bypass}, \text{discard}, \text{AH-protect}, \text{ESP-protect} \mid \text{parameters}\}$;
(3) splitting the rule-type set $SC_{\text{protect}}$ into the two sets $SC_{\text{AH-protect}}$ and $SC_{\text{ESP-protect}}$, and adding the corresponding protection-policy destination gateway sets $SW_{\text{AH-protect}}$ and $SW_{\text{ESP-protect}}$; the corrected and newly added classification sets are:
$SC_{\text{AH-protect}} = f_3(C_1, C_2, C_3, \ldots, C_n)$;
$SC_{\text{ESP-protect}} = f_4(C_1, C_2, C_3, \ldots, C_n)$;
$SW_{\text{AH-protect}} = f_5(G_1, G_2, G_3, \ldots, G_n)$;
$SW_{\text{ESP-protect}} = f_6(G_1, G_2, G_3, \ldots, G_n)$;
where $f_3 \sim f_6$ are Boolean functions, each representing the corresponding rule set;
(4) introducing a new variable $S_{\text{all}}$ that aggregates all the sets:
$S_{\text{all}} = SC_{\text{bypass}} \vee SC_{\text{discard}} \vee SC_{\text{AH-protect}} \vee SC_{\text{ESP-protect}} \vee SW_{\text{AH-protect}} \vee SW_{\text{ESP-protect}}$;
Step two, judging whether the newly added rule may have a rule conflict: the algorithm generates the corresponding $S_{\text{all}}$ for the old policy; when policy rules are newly added, each policy set is dynamically updated to generate a new $S'_{\text{all}}$; the two sets $S_{\text{all}}$ and $S'_{\text{all}}$ are compared, and if the characteristics of the Boolean function of a certain conflict type are met, a policy conflict is determined to exist and the corresponding resolution measure is taken.
Step three, checking whether the newly added rule may be an approved redundancy or a conflicting redundancy: under this conflict type, the $S'_{\text{all}}$ generated after the new rule joins is the same as the $S_{\text{all}}$ generated by all the old policies, that is, the condition part $C_{\text{new}}$ of the new rule is a subset of all the old policies before it, as given by the following formula:
Figure GDA0003010584750000031
if rule redundancy holds, it is an approved redundancy when the following formula is also met, and a conflicting redundancy otherwise:
Figure GDA0003010584750000032
Step four, checking whether the newly added rule may have a rule correlation conflict: under rule correlation, the old rule condition part $C_{\text{old}}$ may contain a subset of the new rule condition $C_{\text{new}}$, or the old and new rules partially overlap; the judgment method is:
$(C_{\text{old}} \wedge C_{\text{new}}) == \text{true}$;
Step five, checking whether the newly added protection policy rule may have a tunnel overlap conflict: under this conflict type, it is first confirmed that the new rule has neither of the two conflict types rule redundancy and rule correlation, and that the newly added rule is a protection policy rule; then the new rule's protection policy set and the old rule's protection policy set partially overlap, and the judgment method is:
$((SC'_{\text{AH-protect}} \vee SC'_{\text{ESP-protect}}) \vee (SC_{\text{AH-protect}} \vee SC_{\text{ESP-protect}})) == \text{true}$;
Step six, checking whether the newly added protection policy rule may have a non-standard encapsulation conflict: under this conflict type, it is first confirmed that the new rule has none of the three conflict types rule redundancy, rule correlation and tunnel overlap, and that the newly added rule is an ESP-type protection policy rule; the new rule is then compared with the AH-type rule set of the old rules, and if an overlapping part exists, a non-standard security protocol encapsulation order conflict is inevitable; the judgment method is:
$(C_{\text{new}} \in SC'_{\text{ESP-protect}})\ \text{and}\ (C_{\text{new}} \wedge SC_{\text{AH-protect}}) == \text{true}$;
and step seven, after the four conflict types rule redundancy, rule correlation, tunnel overlap and non-standard security protocol encapsulation order have been detected, resolving the existing conflicts and generating a new rule list with the conflicts removed.
Compared with the prior art, the invention has the following advantages:
the method improves the IPCDR algorithm and increases the detection and recovery of the protection strategy conflict. Through experimental result analysis, the method proves that the IPCDR algorithm is improved to process the conflict types more comprehensively, and the time and space complexity is in the range acceptable for dynamic detection. And further processing and analyzing different strategy lists to obtain an improved IPCDR algorithm which has obvious processing effect on the mixed strategy list and basically keeps the time complexity and the memory use size equal to that of the IPCDR algorithm.
Drawings
Fig. 1 is an example gateway network topology diagram.
FIG. 2 is a diagram of an example gateway tunnel overlap conflict.
FIG. 3 is a diagram of a tunnel overlap conflict detection and resolution algorithm.
FIG. 4 is a diagram of a Security protocol nonstandard encapsulation order conflict detection and resolution algorithm.
Fig. 5 is a diagram of an IPSec policy conflict dynamic detection algorithm based on IPCDR extension.
Fig. 6 is a schematic diagram of a hybrid networking mode.
Fig. 7 is a schematic diagram of a packet filtering network.
Detailed Description
The technical solution of the present invention is further described below with reference to the accompanying drawings, but not limited thereto, and any modification or equivalent replacement of the technical solution of the present invention without departing from the spirit and scope of the technical solution of the present invention shall be covered by the protection scope of the present invention.
The invention provides a dynamic detection method for policy conflict of an IPSec security gateway, as shown in FIG. 5, the method comprises the following steps:
step one, describing the policy of the IPSec gateway in a regularized way;
step two, judging whether the newly added rule may have a rule conflict;
step three, checking whether the newly added rule may be an approved redundancy or a conflicting redundancy;
step four, checking whether the newly added rule may have a rule correlation conflict;
step five, checking whether the newly added protection policy rule may have a tunnel overlap conflict;
step six, checking whether the newly added protection policy rule may have a non-standard encapsulation conflict;
step seven, after the four conflict types (rule redundancy, rule correlation, tunnel overlap and non-standard security protocol encapsulation order) have been detected, resolving the existing conflicts and generating a new rule list with the conflicts removed.
The IPSec policy is an ordered list of IPSec rules, which can be expressed as formula (1), where L represents the IPSec policy list and R an IPSec rule:
$L = R_1, R_2, \ldots, R_n$ (1);
where n is the number of rules in the list. Each filter rule R can in turn be divided into two parts, a condition part and an operation action. When a data packet falls within the range of the condition part, it is processed by the operation action. This can be expressed as formulas (2) to (4), where $R_i$ represents a certain rule, $C_i$ the set of conditions of the rule, and $A_i$ the operation action of the rule on the packet; fv is usually represented in binary and is compared directly with the corresponding field in the packet:
$R_i := C_i \to A_i$ (2);
Figure GDA0003010584750000061
$A_i \in \{\text{bypass}, \text{discard}, \text{protect} \mid \text{parameters}\}$ (4);
where k is used to distinguish the various v.
In formula (3), the condition part of each rule may be a single IP address (192.168.100.1) or port number (80), or a set of IP addresses (192.168.100.) or a set of port numbers (netbios is 137-). So $C_i$ is the union of several conditions, where fv is usually represented in binary and is compared directly with the corresponding field in the packet. The operation action $A_i$ belongs to the action set, which contains the three operations the IPSec protocol performs on a packet: bypass, discard and protect. bypass means bypassing IPSec encapsulation and letting the packet pass directly; discard means the packet is dropped and not transmitted on the network; protect denotes performing IPSec encapsulation on the packet.
All the rules are then classified and summarized according to their operation actions, giving three Boolean-type sets, $SC_{\text{bypass}}$, $SC_{\text{discard}}$ and $SC_{\text{protect}}$. The elements of the three sets are the collections of all the condition parts that trigger the respective operation, corresponding to formulas (5) to (7):
$SC_{\text{bypass}} = f_1(C_1, C_2, C_3, \ldots, C_n)$ (5);
$SC_{\text{discard}} = f_2(C_1, C_2, C_3, \ldots, C_n)$ (6);
$SC_{\text{protect}} = f_3(C_1, C_2, C_3, \ldots, C_n)$ (7);
where $SC_{\text{bypass}}$, $SC_{\text{discard}}$ and $SC_{\text{protect}}$ are the Boolean-type rule sets classified by action, $C_i$ represents the condition set of a rule, the elements of the three sets are the union of all the condition parts that trigger the operation, and $f_1$, $f_2$, $f_3$ are the Boolean functions representing the rule sets whose actions are bypass, discard and protect, respectively.
Policy triggering has two modes. One is single-policy triggering: when rules are matched, the first matching rule is returned directly, so only one rule is set to true. The other is multi-policy triggering: when rules are matched, the conditions of several rules are set to true. Formulas (8) and (9) represent single-trigger and multi-trigger policies, respectively.
Figure GDA0003010584750000071
Figure GDA0003010584750000081
As formula (8) shows, single-policy triggering has only one rule set to true at a time, whereas a multi-trigger policy may have several set to true. The two triggering modes are embodied in the IPSec protocol as follows: when a data packet is received, single-policy triggering is used, and the flow operation is performed directly if a match exists; when a data packet is sent, multi-policy triggering is used, the encryption mapping must be applied, all triggered conditions are found, and they are executed one by one.
Extension of the basic definitions:
To fit the subsequent algorithm, the definitions need to be extended. First, the policy list L and the rule R are not changed, nor are the condition part and the processing of the operation action contained in R. The protect action in the operation action set is split into AH-protect and ESP-protect. The protection policy rules are analysed further: the operation action in a protection policy includes the encapsulation protocol, the destination gateway, the encryption algorithm and so on, and AH-protect and ESP-protect are distinct protection policies that distinguish the two encapsulation protocols. The corrected operation action set is shown in formula (10).
$A_i \in \{\text{bypass}, \text{discard}, \text{AH-protect}, \text{ESP-protect} \mid \text{parameters}\}$ (10).
The classification sets for the rule types also need to be changed: $SC_{\text{protect}}$ is divided into the two sets $SC_{\text{AH-protect}}$ and $SC_{\text{ESP-protect}}$, with the corresponding protection-policy destination gateway sets $SW_{\text{AH-protect}}$ and $SW_{\text{ESP-protect}}$. When $SC_{\text{AH-protect}}$ and $SC_{\text{ESP-protect}}$ are generated, the destination gateway sets $SW_{\text{AH-protect}}$ and $SW_{\text{ESP-protect}}$ are generated together with them, in one-to-one correspondence with the rule-type sets. The corrected and newly added classification sets are shown in formulas (11) to (14).
$SC_{\text{AH-protect}} = f_3(C_1, C_2, C_3, \ldots, C_n)$ (11);
$SC_{\text{ESP-protect}} = f_4(C_1, C_2, C_3, \ldots, C_n)$ (12);
$SW_{\text{AH-protect}} = f_5(G_1, G_2, G_3, \ldots, G_n)$ (13);
$SW_{\text{ESP-protect}} = f_6(G_1, G_2, G_3, \ldots, G_n)$ (14).
In the formulas, $SC_{\text{AH-protect}}$ is the set of AH rule types and $SC_{\text{ESP-protect}}$ the set of ESP rule types; $SW_{\text{AH-protect}}$ and $SW_{\text{ESP-protect}}$ are the corresponding sets of protection-policy destination gateways.
A new variable $S_{\text{all}}$ is then introduced to aggregate all the sets, so that the sets can be operated on as a whole, as shown in formula (15).
$S_{\text{all}} = SC_{\text{bypass}} \vee SC_{\text{discard}} \vee SC_{\text{AH-protect}} \vee SC_{\text{ESP-protect}} \vee SW_{\text{AH-protect}} \vee SW_{\text{ESP-protect}}$ (15).
In the formula, $S_{\text{all}}$ aggregates all the sets; $SC_{\text{bypass}}$, $SC_{\text{discard}}$ and $SC_{\text{protect}}$ represent the collections of all the conditions that trigger the bypass, discard and protect actions; $SC_{\text{AH-protect}}$ represents the set of conditions that trigger an AH-type protection policy, and $SC_{\text{ESP-protect}}$ the set of conditions that trigger an ESP-type protection policy.
According to the extended definitions, the changes are mainly embodied in the grouping of protect operations and the added gateway sets. The method mainly classifies and analyses the encapsulation protocol and the destination gateway in the protection policy, and an efficient model can then be built from the Boolean expressions to complete dynamic detection of IPSec policy conflicts.
(1) Tunnel overlap
Under this conflict type, it is first confirmed that the new rule has neither the rule redundancy nor the rule correlation conflict type, and that the newly added rule is a protection policy rule. Then the new rule's protection policy set and the old rule's protection policy set partially overlap, and the judgment method is as shown in formula (21):
$((SC'_{\text{AH-protect}} \vee SC'_{\text{ESP-protect}}) \vee (SC_{\text{AH-protect}} \vee SC_{\text{ESP-protect}})) == \text{true}$ (21);
In the formula, $SC'_{\text{AH-protect}}$ represents the set of AH-protocol protection policy rule types after the new rule is added, and $SC'_{\text{ESP-protect}}$ the set of ESP-protocol protection policy rule types after the new rule is added.
As shown in FIG. 3, the resolution of tunnel overlap: tunnel overlap requires confirming the near-far relationship of each destination gateway relative to the IPSec gateway, so a topological-ordering Boolean function $SW_{\text{sort}}$ of the neighbouring gateways, centred on the IPSec gateway, is introduced. First the conditions in the old rules that overlap the new rule are found; then, according to $SW_{\text{AH-protect}}$, $SW_{\text{ESP-protect}}$ and $SW_{\text{sort}}$, it is confirmed how the rules are to be handled: if there is a conflict, the conflicting rules are deleted and reinserted into the policy list in the correct order. The corresponding operations are shown in formulas (22) to (24):
Figure GDA0003010584750000101
$(SW_{\text{AH-protect}} \vee SW_{\text{ESP-protect}}) \therefore SW_{\text{sort}}$ (23);
Figure GDA0003010584750000102
In the formulas, $SW_{\text{AH-protect}}$ represents the set of gateways corresponding to the AH-protocol protection policy, $SW_{\text{ESP-protect}}$ the set of gateways corresponding to the ESP-protocol protection policy, and $S_{\text{all}}$ is the aggregate of all the sets generated after the new rule is added.
Corresponding to formula (23), the newly defined symbols represent the set elements arranged in order and arranged in reverse order, respectively.
(2) Security protocol non-standard encapsulation order
Under this conflict type, it is first confirmed that the new rule has none of the conflict types rule redundancy, rule correlation and tunnel overlap, and that the newly added rule is an ESP-type protection policy rule. The new rule is compared with the AH-type rule set of the old rules; if an overlapping part exists, a non-standard security protocol encapsulation order conflict is inevitable, and the judgment method is shown in formula (25):
$(C_{\text{new}} \in SC'_{\text{ESP-protect}})\ \text{and}\ (C_{\text{new}} \wedge SC_{\text{AH-protect}}) == \text{true}$ (25).
In the formula, $C_{\text{new}}$ represents the newly added rule, $SC'_{\text{AH-protect}}$ the set of AH-protocol protection policy rule types after the new rule is added, and $SC'_{\text{ESP-protect}}$ the set of ESP-protocol protection policy rule types after the new rule is added.
As shown in FIG. 4, the resolution of the non-standard security protocol encapsulation order: once the Boolean function has confirmed that the new rule is in the conflict situation, the conflict is resolved by first finding the corresponding conflicting condition in the AH-type rule set of the old rules, deleting it, and reinserting it into the policy list; the corresponding operations are shown in formulas (26) to (27):
Figure GDA0003010584750000111
Figure GDA0003010584750000112
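To make the rule representation of formulas (1) to (15) and the checks of steps three to six concrete, the following Python model is an added example and not part of the patent: it represents a rule condition as (source network, destination network, destination port range), tests a candidate rule against an existing ordered policy list for the four conflict types, and applies the FIG. 3 / FIG. 4 delete-and-reinsert step for the two protection-policy conflicts. It assumes that rule redundancy is tested against a single covering old rule rather than the union of all old conditions, that rule correlation means partial overlap between rules of different action classes, that $SW_{\text{sort}}$ is a map from gateway name to its distance from the IPSec gateway, and that the standard encapsulation order places the ESP rule before the AH rule.

```python
# Added example, not the patent's own code: a compact model of the policy
# representation and the conflict checks of steps three to six. Assumptions: a
# condition is (src net, dst net, dst port range); redundancy is tested against
# one covering old rule, not the union of all old conditions; SW_sort is a
# gateway -> distance map.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Tuple

PROTECT = ("AH-protect", "ESP-protect")   # corrected action set, formula (10)

@dataclass(frozen=True)
class Cond:
    """Condition part C_i of a rule; each field is compared with the packet."""
    src: IPv4Network
    dst: IPv4Network
    ports: Tuple[int, int]            # inclusive destination port range

    def overlaps(self, other: "Cond") -> bool:
        """(C_old AND C_new) == true: some packet matches both conditions."""
        return (self.src.overlaps(other.src) and self.dst.overlaps(other.dst)
                and self.ports[0] <= other.ports[1] and other.ports[0] <= self.ports[1])

    def subset_of(self, other: "Cond") -> bool:
        """Every packet matched by self is also matched by other."""
        return (self.src.subnet_of(other.src) and self.dst.subnet_of(other.dst)
                and other.ports[0] <= self.ports[0] and self.ports[1] <= other.ports[1])

@dataclass(frozen=True)
class Rule:
    """R_i := C_i -> A_i, plus the destination gateway for protect actions."""
    cond: Cond
    action: str                       # bypass | discard | AH-protect | ESP-protect
    gateway: Optional[str] = None

def cond(src: str, dst: str, lo: int = 1, hi: int = 65535) -> Cond:
    return Cond(ip_network(src), ip_network(dst), (lo, hi))

def build_sets(rules: List[Rule]) -> Dict[str, frozenset]:
    """Step one: SC_bypass, SC_discard, SC_AH-protect, SC_ESP-protect and the
    gateway sets SW_AH-protect, SW_ESP-protect (formulas (5)-(7), (11)-(14))."""
    sets = {"SC_bypass": set(), "SC_discard": set(), "SC_AH-protect": set(),
            "SC_ESP-protect": set(), "SW_AH-protect": set(), "SW_ESP-protect": set()}
    for r in rules:
        sets["SC_" + r.action].add(r.cond)
        if r.action in PROTECT:
            sets["SW_" + r.action].add(r.gateway)
    return {k: frozenset(v) for k, v in sets.items()}

def action_class(action: str) -> str:
    return "protect" if action in PROTECT else action

def detect_conflict(old: List[Rule], new: Rule) -> str:
    """Steps three to six, checked in the order the method prescribes."""
    # Step three: rule redundancy. The new condition is already covered, so
    # S'_all equals S_all; approved only if the covering rule acts the same way.
    for r in old:
        if new.cond.subset_of(r.cond):
            same = r.action == new.action and r.gateway == new.gateway
            return "approved-redundancy" if same else "conflicting-redundancy"
    # Step four: rule correlation, partial overlap between different action classes.
    for r in old:
        if new.cond.overlaps(r.cond) and action_class(r.action) != action_class(new.action):
            return "rule-correlation"
    if new.action not in PROTECT:
        return "none"
    # Step five: tunnel overlap, overlapping protection rules with different gateways.
    for r in old:
        if r.action in PROTECT and new.cond.overlaps(r.cond) and r.gateway != new.gateway:
            return "tunnel-overlap"
    # Step six: non-standard encapsulation order, a new ESP rule overlapping
    # the AH rule set of the old policy (formula (25)).
    if new.action == "ESP-protect":
        for r in old:
            if r.action == "AH-protect" and new.cond.overlaps(r.cond):
                return "nonstandard-encapsulation"
    return "none"

def resolve(old: List[Rule], new: Rule, gw_distance: Dict[str, int]) -> Tuple[str, List[Rule]]:
    """Step seven for the protection-policy conflicts (FIG. 3 and FIG. 4): delete
    the overlapping protection rules and reinsert them with the new rule in the
    required order. Redundant or correlated rules are reported, not inserted."""
    kind = detect_conflict(old, new)
    if kind == "none":
        return kind, old + [new]
    if kind not in ("tunnel-overlap", "nonstandard-encapsulation"):
        return kind, list(old)
    overlapping = [r for r in old if r.action in PROTECT and new.cond.overlaps(r.cond)]
    rest = [r for r in old if r not in overlapping]
    group = overlapping + [new]
    if kind == "tunnel-overlap":      # SW_sort: rule for the nearer gateway first
        group.sort(key=lambda r: gw_distance[r.gateway])
    else:                             # ESP (inner) rule before the AH (outer) rule
        group.sort(key=lambda r: 0 if r.action == "ESP-protect" else 1)
    idx = old.index(overlapping[0])   # reinsert where the first overlap was
    return kind, rest[:idx] + group + rest[idx:]
```

The returned conflict name is what an administrator would log before the policy list is committed; rules reported as redundant or correlated are left for manual revision rather than silently reordered.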
the IPSec security gateway is generally applied to the IPSec VPN network, and mainly establishes secure connections between a plurality of virtual subnets in an insecure network. The establishment of multiple network modes can be realized by using the strategy of the security gateway, and the network modes mainly comprise two modes, namely a hybrid networking mode and a packet filtering network mode. A schematic diagram of a hybrid networking scheme is shown in fig. 6.
The IPSec security gateway is erected between the IP network and the security subnet, and can protect servers in the subnet. As can be seen from the schematic diagram of fig. 7, IPSec security gateway protects secure subnet one, and subnets two and three are insecure subnets in the IP network. Through the policy setting of the IPSec security gateway, normal access of the subnet two to the security subnet one can be realized, but the subnet three cannot access the security subnet one, and the function similar to a packet filtering firewall is achieved.
For two application scenes of the IPSec security gateway, at present, a lot of applications exist, and the construction of an enterprise multi-center intranet and the construction of isolation of a campus network and an extranet can adopt the mode of the IPSec security gateway. Since IPSec encrypts data at the network layer, it has versatility. IPSec can use a combination of various encryption algorithms to increase the security level, and is particularly important for protecting security subnets from unauthorized attacks from external networks. Through the analysis of the two scenes, the establishment of the IPSec security policy has important influence on the security, and the establishment of the correct security policy according to the requirements is very important on the security of the subnet, which is also the necessity of solving the security policy conflict.

Claims (1)

1. A method for dynamically detecting policy conflicts of an IPSec security gateway, characterized in that the method comprises the following steps:
step one, the policy of the IPSec gateway is described in a regularized way, with the following specific steps:
(1) keeping the policy list L and the rule R of the IPSec policy, and the processing of the condition part and operation action contained in R, unchanged;
(2) changing the protect action in the operation action set into AH-protect and ESP-protect, so that the corrected operation action set is:
$A_i \in \{\text{bypass}, \text{discard}, \text{AH-protect}, \text{ESP-protect} \mid \text{parameters}\}$;
(3) splitting the rule-type set $SC_{\text{protect}}$ into the two sets $SC_{\text{AH-protect}}$ and $SC_{\text{ESP-protect}}$, and adding the corresponding protection-policy destination gateway sets $SW_{\text{AH-protect}}$ and $SW_{\text{ESP-protect}}$; the corrected and newly added classification sets are:
$SC_{\text{AH-protect}} = f_3(C_1, C_2, C_3, \ldots, C_n)$;
$SC_{\text{ESP-protect}} = f_4(C_1, C_2, C_3, \ldots, C_n)$;
$SW_{\text{AH-protect}} = f_5(G_1, G_2, G_3, \ldots, G_n)$;
$SW_{\text{ESP-protect}} = f_6(G_1, G_2, G_3, \ldots, G_n)$;
(4) introducing a new variable $S_{\text{all}}$ that aggregates all the sets:
$S_{\text{all}} = SC_{\text{bypass}} \vee SC_{\text{discard}} \vee SC_{\text{AH-protect}} \vee SC_{\text{ESP-protect}} \vee SW_{\text{AH-protect}} \vee SW_{\text{ESP-protect}}$;
where $S_{\text{all}}$ aggregates all the sets; $SC_{\text{bypass}}$, $SC_{\text{discard}}$ and $SC_{\text{protect}}$ represent the collections of all the conditions that trigger the bypass, discard and protect actions; $SC_{\text{AH-protect}}$ represents the set of conditions that trigger an AH-type protection policy, and $SC_{\text{ESP-protect}}$ the set of conditions that trigger an ESP-type protection policy;
step two, judging whether the newly added rule has a rule conflict, with the following specific steps:
when policy rules are newly added, each policy set is dynamically updated to generate a new $S'_{\text{all}}$; the $S_{\text{all}}$ generated for the old policy is compared with $S'_{\text{all}}$, and if the characteristics of the Boolean function of a certain conflict type are met, a policy conflict is determined to exist;
step three, checking whether the newly added rule may be an approved redundancy or a conflicting redundancy, with the following specific steps:
the $S'_{\text{all}}$ generated after the new rule is added is the same as the $S_{\text{all}}$ generated by all the old policies, and the condition part $C_{\text{new}}$ of the new rule is a subset of all the old policies before it, as given by the following formula:
Figure FDA0003010584740000021
if rule redundancy holds, it is an approved redundancy when the following formula is also met, and a conflicting redundancy otherwise:
Figure FDA0003010584740000022
step four, checking whether the newly added rule may have a rule correlation conflict, with the following specific steps:
under rule correlation, the old rule condition part $C_{\text{old}}$ may contain a subset of the new rule condition $C_{\text{new}}$, or the old and new rules partially overlap; the judgment method is:
$(C_{\text{old}} \wedge C_{\text{new}}) == \text{true}$;
step five, checking whether the newly added protection policy rule may have a tunnel overlap conflict, with the following specific steps:
it is first confirmed that the new rule has neither the rule redundancy nor the rule correlation conflict type and that the newly added rule is a protection policy rule; then the new rule's protection policy set and the old rule's protection policy set partially overlap, and the judgment method is:
$((SC'_{\text{AH-protect}} \vee SC'_{\text{ESP-protect}}) \vee (SC_{\text{AH-protect}} \vee SC_{\text{ESP-protect}})) == \text{true}$;
where $SC'_{\text{AH-protect}}$ represents the set of AH-protocol protection policy rule types after the new rule is added; $SC'_{\text{ESP-protect}}$ represents the set of ESP-protocol protection policy rule types after the new rule is added; $SW_{\text{AH-protect}}$ represents the gateway set corresponding to the AH-protocol protection policy; $SW_{\text{ESP-protect}}$ represents the gateway set corresponding to the ESP-protocol protection policy;
step six, checking whether the newly added protection policy rule may have a non-standard encapsulation conflict, with the following specific steps:
it is first confirmed that the new rule has none of the three conflict types rule redundancy, rule correlation and tunnel overlap and that the newly added rule is an ESP-type protection policy rule; the new rule is compared with the AH-type rule set of the old rules, and if an overlapping part exists, a non-standard security protocol encapsulation order conflict is inevitable; the judgment method is:
$(C_{\text{new}} \in SC'_{\text{ESP-protect}})\ \text{and}\ (C_{\text{new}} \wedge SC_{\text{AH-protect}}) == \text{true}$;
where $C_{\text{new}}$ represents the newly added rule, $SC'_{\text{AH-protect}}$ the set of AH-protocol protection policy rule types after the new rule is added, and $SC'_{\text{ESP-protect}}$ the set of ESP-protocol protection policy rule types after the new rule is added;
and step seven, after the four conflict types rule redundancy, rule correlation, tunnel overlap and non-standard security protocol encapsulation order have been detected, resolving the existing conflicts and generating a new rule list with the conflicts removed.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910364168.3A CN110099056B (en) 2019-04-30 2019-04-30 Policy conflict dynamic detection method for IPSec security gateway


Publications (2)

Publication Number Publication Date
CN110099056A CN110099056A (en) 2019-08-06
CN110099056B true CN110099056B (en) 2021-09-03

Family

ID=67446716

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910364168.3A Active CN110099056B (en) 2019-04-30 2019-04-30 Policy conflict dynamic detection method for IPSec security gateway

Country Status (1)

Country Link
CN (1) CN110099056B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112988417B (en) * 2021-03-04 2024-07-26 Changsha Daojia Youxiang Network Technology Co., Ltd. Message processing method, device, electronic equipment and computer readable medium
CN114900367B (en) * 2022-05-25 2024-05-03 Southeast University Sharing policy verification and conflict detection method based on priority dynamic adjustment
CN114884821B (en) 2022-06-17 2023-07-18 Beijing University of Posts and Telecommunications Multi-strategy conflict avoiding method in self-intelligent network

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1874342A (en) * 2005-06-03 2006-12-06 Huawei Technologies Co., Ltd. Refreshing method for preventing rollback conflict after a change of IPSec security association
CN101286896A (en) * 2008-06-05 2008-10-15 Shanghai Jiao Tong University IPSec VPN protocol deep detection method based on flows
CN101296227A (en) * 2008-06-19 2008-10-29 Shanghai Jiao Tong University IPSec VPN protocol depth detection method based on packet offset matching
CN107547343A (en) * 2017-06-28 2018-01-05 New H3C Technologies Co., Ltd. Message operation control method and device
CN108471412A (en) * 2018-03-19 2018-08-31 Wuhan Huada National Digital Learning Engineering Technology Co., Ltd. Firewall rule conflict detection method

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10454890B2 (en) * 2005-01-31 2019-10-22 Unisys Corporation Negotiation of security protocols and protocol attributes in secure communications environment

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
Efficient Algorithms for Dynamic Detection and Resolution of IPSec/VPN Security Policy Conflicts; Niksefat S. et al.; IEEE International Conference on Advanced ...; 2010-01-31; pp. 13-14 *
Research on IPSec Security Policy Conflict Detection Algorithms; Cui Xue; China Master's Theses Full-text Database, Information Science and Technology (monthly); 2009-05-15; pp. I139-163 *
Research on Security Policy Based on IPSec VPN; Pan Qian; China Master's Theses Full-text Database, Information Science and Technology (monthly); 2007-06-15; pp. I139-239 *
Improved Research on Security Policy Conflict Detection Methods for Mobile Networks; Zhou Jian et al.; Modern Electronics Technique; 2017-03-31; pp. 75-78 *

Also Published As

Publication number Publication date
CN110099056A (en) 2019-08-06

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant