ZERO-Conflict: A Grouping-Based Approach for Automatic Generation of IPSec/VPN Security Policies

摘要

IPSec/VPN management is a complicated challenge, since IPSec functions correctly only if its security policies satisfy all administrated requirements. Computer-generated security policies tend to conflict with each other, which would causes network congestion or creates security vulnerability. Thus conflict resolving has become an issue. In this paper, a method to automatically generate policies is proposed. Instead of performing complicated conflict-checking procedures as most existing works do, the proposed Zero-Conflict algorithm is able to predict and avoid conflict in advance by using requirement groups and cut points techniques. Since policies are established without the need to perform backward conflict check, thus yielding a significantly less time-complexity, which is O(nlogn). Experimental results show that it maintains a satisfactorily minimal numbers of generated tunnels.