Research On Technology Of Policy Conflict Detection And Resolution Of Network Security Device | Posted on:2009-05-17 | Degree:Master | Type:Thesis | Country:China | Candidate:Y L Wang | Full Text:PDF | GTID:2178360278480746 | Subject:Computer application technology | PDF Full Text Request

Abstract/Summary:

Firewalls, intrusion detection systems (IDSs) and other network security devices are the dominant means of monitoring and enforcing the security policy of a distributed network. Each device monitors and protects the network according to the set of rules configured on it. Conflicts within these rule sets, however, are very likely to degrade network security. This thesis studies policy conflict detection and resolution for network security devices in order to eliminate such conflicts. Its main contributions are:

1. A distributed security policy model, proposed and built here for the first time, which establishes the basis for distributed policy conflict detection and resolution.
(1) A policy specification based on sectional real number intervals. The specification maps every condition field of a rule onto one or more real number intervals, so that all condition fields are represented uniformly as a multidimensional sectional real number interval; this uniform representation is what gives the detection and resolution algorithms their flexibility and extensibility.
(2) A distributed security policy conflict model based on an undirected graph of the network topology. The topology is modelled as an undirected graph, the policy conflicts that arise in a distributed network are classified, and a multilevel algorithm is given for searching all simple paths between any two vertices of the graph.

2. An extensible intra-node policy conflict detection and resolution algorithm. It operates on the multidimensional sectional real number interval specification and resolves the conflicts within a single device's rule set; this is the foundation for conflict detection and resolution across the distributed network.

3. An inter-node security policy conflict detection algorithm based on simple paths. Many researchers have studied policy conflict detection in distributed networks, but the existing algorithms share one limitation: they detect only part of the conflicts in the network, not all of them. The simple-path based algorithm proposed here examines the simple paths between the endpoints of a traffic stream and therefore detects the conflicts in the network completely.

4. An inter-node security policy conflict resolution algorithm based on simple paths. Two resolution ideas, prioritizing rules and adding resolve rules, are carried over to the distributed setting: for any traffic stream, the security devices on all of its simple paths resolve the conflict using a combination of prioritizing and adding resolve rules.

Most research on policy conflicts to date is theoretical, and implementations are rare. On the basis of the above algorithms, a security policy conflict detection and resolution tool, SPCDRT, was designed and implemented, providing theoretical and technical support for constructing a secure network environment.

Keywords/Search Tags: Policy Conflict, Conflict Detection, Conflict Resolution, Multidimensional Sectional Real Number Interval, Undirected Graph, Simple Path, Distributed, Network Security Device
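The abstract describes four pieces that fit together: rules as multidimensional intervals, pairwise intra-node conflict detection and resolution on one device, simple-path enumeration over an undirected topology graph, and inter-node detection and resolution along every simple path a stream can take. The Python below is an added illustration of that pipeline, not the thesis's SPCDRT code. It assumes the conventional intra-firewall anomaly classes (shadowing, redundancy, generalization, correlation) rather than the thesis's own classification, uses a plain DFS instead of the thesis's multilevel path algorithm, treats an inter-node conflict simply as two devices on one path deciding the same stream differently, and uses integer intervals and a constructed sample topology (TOPOLOGY, POLICIES, FLOW) that are the example's own assumptions.

```python
# A rule condition is a box: one closed integer interval per dimension
# (src_ip, dst_ip, dst_port, proto). Integers stand in for the thesis's real
# number intervals since addresses, ports and protocol numbers are discrete.
def cidr(s):
    base, bits = s.split("/")
    lo = sum(int(o) << sh for o, sh in zip(base.split("."), (24, 16, 8, 0)))
    size = 1 << (32 - int(bits))
    lo &= ~(size - 1) & 0xFFFFFFFF
    return (lo, lo + size - 1)

def rule(src, dst, ports, proto, action):
    return {"cond": (cidr(src), cidr(dst), ports, proto), "action": action}

def intersects(a, b):
    return all(max(x[0], y[0]) <= min(x[1], y[1]) for x, y in zip(a, b))

def subset(a, b):  # box a lies entirely inside box b
    return all(y[0] <= x[0] and x[1] <= y[1] for x, y in zip(a, b))

def intra_node_conflicts(rules):
    """Pairwise anomalies in one device's first-match rule list, using the usual
    shadowing / redundancy / generalization / correlation classes."""
    found = []
    for i, ri in enumerate(rules):
        for j in range(i + 1, len(rules)):
            rj = rules[j]
            if not intersects(ri["cond"], rj["cond"]):
                continue
            same = ri["action"] == rj["action"]
            if subset(rj["cond"], ri["cond"]):      # later rule can never fire
                kind = "redundancy" if same else "shadowing"
            elif subset(ri["cond"], rj["cond"]):    # earlier rule is an exception
                kind = "redundancy" if same else "generalization"
            else:                                   # partial overlap
                kind = None if same else "correlation"
            if kind:
                found.append((i, j, kind))
    return found

def resolve_intra_node(rules):
    """Prioritizing: move each shadowed rule ahead of the rule hiding it,
    assuming the later, more specific rule is the intended exception."""
    rules = list(rules)
    for _ in range(len(rules) ** 2):                # bounded; one move per pass
        shadows = [(i, j) for i, j, k in intra_node_conflicts(rules) if k == "shadowing"]
        if not shadows:
            return rules
        i, j = shadows[0]
        rules.insert(i, rules.pop(j))
    return rules

def simple_paths(graph, src, dst, path=()):
    """All simple paths (no repeated vertex) from src to dst, by plain DFS."""
    path = path + (src,)
    if src == dst:
        return [path]
    return [p for nxt in graph[src] if nxt not in path
            for p in simple_paths(graph, nxt, dst, path)]

def decide(rules, flow, default="deny"):
    """First-match decision for a stream given as a box; 'mixed' when the first
    matching rule covers only part of it."""
    for r in rules:
        if intersects(r["cond"], flow):
            return r["action"] if subset(flow, r["cond"]) else "mixed"
    return default

def inter_node_conflicts(graph, policies, src, dst, flow):
    """Simple paths on which the devices decide the same stream differently."""
    out = []
    for path in simple_paths(graph, src, dst):
        decisions = [(v, decide(policies[v], flow)) for v in path if v in policies]
        if len({d for _, d in decisions}) > 1:
            out.append((path, decisions))
    return out

def resolve_inter_node(graph, policies, src, dst, flow, intended):
    """Adding resolve rules: a rule for the stream with the intended action goes
    at the head of every device on a conflicting path that decides otherwise."""
    policies = {k: list(v) for k, v in policies.items()}   # leave input intact
    for _path, decisions in inter_node_conflicts(graph, policies, src, dst, flow):
        for v, _action in decisions:
            if decide(policies[v], flow) != intended:
                policies[v].insert(0, {"cond": flow, "action": intended})
    return policies

# Constructed sample topology and rule sets (hypothetical, for the demo only).
TOPOLOGY = {"A": ["fw1"], "fw1": ["A", "r1"], "r1": ["fw1", "fw2", "fw3"],
            "fw2": ["r1", "B"], "fw3": ["r1", "B"], "B": ["fw2", "fw3"]}
WEB, ANY = ((80, 80), (6, 6)), ((0, 65535), (0, 255))   # (dst_port, proto)
POLICIES = {
    "fw1": [rule("10.0.0.0/8", "192.168.1.0/24", *WEB, "allow"),
            rule("10.0.1.0/24", "192.168.1.0/24", *WEB, "deny"),    # shadowed
            rule("0.0.0.0/0", "0.0.0.0/0", *ANY, "deny")],
    "fw2": [rule("10.0.0.0/8", "192.168.1.0/24", *WEB, "deny")],
    "fw3": [rule("10.0.0.0/8", "192.168.1.0/24", *WEB, "allow")],
}
FLOW = (cidr("10.0.1.5/32"), cidr("192.168.1.10/32"), (80, 80), (6, 6))
```

On the sample, fw1's second rule is shadowed by its first, and the two simple paths from A to B disagree on FLOW: fw1 allows it and fw2 denies it on the path through fw2, while the path through fw3 is consistent. `resolve_intra_node` reorders fw1 so the specific deny takes priority, and `resolve_inter_node(..., intended="allow")` adds a resolve rule at fw2 so that every simple path reaches the same decision. Note the asymmetry the abstract points at: checking fw1 and fw2 as neighbours would miss nothing here, but with more branches a pairwise check can report no conflict on paths that never carry the stream and miss the one that does, which is why the detection walks the simple paths.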