Abstract

The assurance of network security is dependent not only on the protocols but also on configuration polices that determine the functional behavior of network security devices. Network security devices, such as Firewalls, IPSec gateways, Intrusion Detection and Prevention Systems, as well as end-host access control servers, operate based on locally configured policies. Yet these policies are not necessarily independent as they interact with each other to form global end-to-end security. As a result, policy inconsistencies and network vulnerability are created. In addition, security policy might grow in size causing a significant performance overhead in security devices. A major performance gain can be achieved if policies can be dynamic optimized to adapt to traffic properties (traffic-aware policy optimization). This talk will address these challenges and present the recent research results in the area of automated verification, and optimization of network security polices.