CISSP
Certified Information Systems
Security Professional
Copyright © 2018 by John Wiley & Sons, Inc., Indianapolis,
Indiana.
Used with permission.
CISSP Focus
CISSP focuses on security:
Design
Architecture
Theory
Concept
Planning
Managing
Topical Domains
Security and Risk Management
Asset Security
Security Architecture and Engineering
Communication and Network Security
Identity and Access Management (IAM)
Security Assessment and Testing
Security Operations
Software Development Security
Exam Topic Outline
www.isc2.org/Certifications/CISSP
Download the CISSP Exam Outline
Previously known as the Candidate Information Bulletin
Prequalifications
For taking the CISSP exam:
5 years full-time paid work experience
Or, 4 years experience with a recent college degree
Or, 4 years experience with an approved security certification,
such as CAP, CISM, CISA, Security+, CCNA Security, MCSA,
MCSE, and GIAC
Or, Associate of (ISC)² if you don’t yet have experience
Agree to (ISC)² Code of Ethics
CISSP Exam Overview
CISSP-CAT (Computerized Adaptive Testing)
Minimum 100 questions
Maximum 150 questions
25 unscored items mixed in
3 hours to take the exam
No score issued, just pass or fail
Must achieve “passing standard” for each domain within the last
75 questions seen
Exam Retakes
Take the exam a maximum of 3 times per 12-month period
Wait 30 days after your first attempt
Wait an additional 90 days after your second attempt
Wait an additional 180 days after your third attempt
You will need to pay full price for each additional exam
attempt.
Question Types
Most questions are standard multiple choice with four answer
options with a single correct answer
Some questions require you to select two, select three, or select all
that apply
Some questions may be based on a provided scenario or
situation
Advanced innovative questions may require drag-and-drop,
hot-spot, or re-order tasks
Exam Advice
Work promptly, don’t waste time, keep an eye on your
remaining time
It is not possible to return to a question.
Try to reduce/eliminate answer options before guessing
Pay attention to question format and how many answers are
needed
Use the provided dry-erase board for notes
Updates and Changes
As updates, changes, and errata are needed for the book, they are
posted online at:
www.wiley.com/go/cissp8e
Visit and write in the corrections to your book!
Exam Prep Recommendations
Read each chapter thoroughly
Research each practice question you get wrong
Complete the written labs
View the online flashcards
Use the 6 online bonus exams to test your knowledge across all
of the domains
Consider using: (ISC)² CISSP Official Practice Tests, 2nd
Edition (ISBN:978-1-119-47592-7)
Completing Certification
Endorsement
A CISSP certified individual in good standing
Within 90 days of passing the exam
After CISSP, consider the post-CISSP Concentrations:
Information Systems Security Architecture Professional
(ISSAP)
Information Systems Security Management Professional
(ISSMP)
Information Systems Security Engineering Professional (ISSEP)
Book Organization 1/2
Security and Risk Management
Chapters 1-4
Asset Security
Chapter 5
Security Architecture and Engineering
Chapters 6-10
Communication and Network Security
Chapters 11-12
Book Organization 2/2
Identity and Access Management (IAM)
Chapters 13-14
Security Assessment and Testing
Chapter 15
Security Operations
Chapters 16-19
Software Development Security
Chapters 20-21
Study Guide Elements
Exam Essentials
Chapter Review Questions
Written Labs
Real-World Scenarios
Summaries
Additional Study Tools
www.wiley.com/go/cissptestprep
Electronic flashcards
Glossary in PDF
Bonus Practice Exams:
6x 150 question practice exams covering the full range of
domain topics
National infrastructure provides a platform for the support systems
that enable the delivery of a wide range of services considered
important for running the nation. The government is obligated
to provide some of the key services, while others are
provided by private-sector groups such as banks, shipping
lines, airlines, and internet service providers.
In some cases, essential services required in one nation are
sourced from another, creating global interdependency. This
interdependence trend is referred to as a “flat world.” The national
infrastructure relies mainly on computer networks and systems that
allow remote access over the internet. This makes it
vulnerable to cyber-attacks through worms, computer viruses,
fiber cuts, and data leaks (Amoroso, 2011). The conventional
approaches to data security adopted for the national
infrastructure have not been sufficient.
One of the major challenges to fully securing the
national infrastructure is the high cost of implementing security
tools. The government and commercial enterprises rely on
off-the-shelf data security products to reduce cost rather than
acquiring recent enterprise system security tools. Further,
manual intercession by local experts who collaborate in the
event of a serious security breach on the national infrastructure
is highly controlled to avoid legal repercussions for sharing
private data. This limits the effectiveness of adopting a unified
approach to data security (Benson, McAlaney & Frumkin,
2019). The book provides an overview of national infrastructure
system protection methodologies based on recent data security
trends. The government and the private sector must identify
solutions to all potential security threats to avoid
infrastructure breach disasters. The government and
commercial enterprises should provide a comprehensive review
of all vulnerabilities of the national infrastructure. What types
of plans or security devices can the government implement
to ensure that our national infrastructure is safe?
References
Amoroso, E. G. (2011). Emerging Threats & Countermeasures
(ITS834). Elsevier.
Benson, V., McAlaney, J., & Frumkin, L. A. (2019). Emerging
threats for the human element and countermeasures in current
cyber security landscape. In Cyber Law, Privacy, and Security:
Concepts, Methodologies, Tools, and Applications (pp. 1264-1269).
IGI Global.
Managing and Using Information Systems:
A Strategic Approach – Sixth Edition
Keri Pearlson, Carol Saunders,
and Dennis Galletta
© Copyright 2016
John Wiley & Sons, Inc.
Chapter 7
Security
Opening Case
What are some important lessons from the opening case?
How long did the theft take? How did the theft likely occur?
How long did it take Office of Personnel Management (OPM) to
detect the theft?
How damaging are the early reports of the data theft for the
OPM?
© 2016 John Wiley & Sons, Inc.
The hackers did not carry out a dramatic and quick theft; they
had a year to steal the records at their leisure.
The theft took place over a year, and the hackers stole a
password.
It took many months for OPM to detect the theft.
Early reports say that at least 4 million, and as many as 14
million records were stolen. Each record contained 127-page
security clearances that include sensitive medical, personal, and
relationship information.
How Long Does it Take?
How long do you think it usually takes for someone to discover
a security compromise in a system after the evidence shows up?
Several seconds
Several minutes
Several hours
Several days
Several months
A Mandiant study revealed that the median for 2014 was 205
days! That’s almost 7 months!
The record is 2,982 which is 11 years!
Timeline of a Breach - Fantasy
Hollywood has a fairly consistent script:
0: Crooks get password and locate the file
Minute 1: Crooks start downloading data and destroying the
original
Minute 2: Officials sense the breach
Minute 3: Officials try to block the breach
Minute 4: Crooks’ download completes
Minute 5: Officials lose all data
Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf
Timeline of a Breach - Reality
Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf
IT Security Decision Framework
| Decision | Who is Responsible | Why? | Otherwise? |
| --- | --- | --- | --- |
| Information Security Strategy | Business Leaders | They know business strategies | Security is an afterthought and patched on |
| Information Security Infrastructure | IT Leaders | Technical knowledge is needed | Incorrect infrastructure decisions |
| Information Security Policy | Shared: IT and Business Leaders | Trade-offs need to be handled correctly | Unenforceable policies that don’t fit the IT and the users |
| SETA (training) | Shared: IT and Business Leaders | Business buy-in and technical correctness | Insufficient training; errors |
| Information Security Investments | Shared: IT and Business Leaders | Evaluation of business goals and technical requirements | Over- or under-investment in security |
How Have Big Breaches Occurred?
| Date Detected | Company | What was stolen | How |
| --- | --- | --- | --- |
| November 2013 | Target | 40 million credit & debit cards | Contractor opened virus-laden email attachment |
| May 2014 | Ebay #1 | 145 million user names, physical addresses, phones, birthdays, encrypted passwords | Employee’s password obtained |
| September 2014 | Ebay #2 | Small but unknown | Cross-site scripting |
| September 2014 | Home Depot | 56 million credit card numbers; 53 million email addresses | Obtaining a vendor’s password/exploiting OS vulnerability |
| January 2015 | Anthem Blue Cross | 80 million names, birthdays, emails, Social security numbers, addresses, and employment data | Obtaining passwords from 5 or more high-level employees |
Password Breaches
80% of breaches are caused by stealing a password.
You can steal a password by:
Phishing attack
Key logger (hardware or software)
Guessing weak passwords (123456 is most common)
Evil twin wifi
Insecurity of WiFi – a Dutch study
“We took a hacker to a café and, in 20 minutes, he knew where
everyone else was born, what schools they attended, and the last
five things they googled.”
Had WiFi transmitter broadcasting “Starbucks” as ID
Because they were connected to him, he scanned for unpatched
or vulnerable mobile devices or laptops
He also saw passwords and could lock them out of their own
accounts.
The correspondent: “I will never again be connecting to an
insecure public WiFi network without taking security
measures.”
Other Approaches
Cross-site scripting (malicious code pointing to a link requiring
log-in at an imposter site)
Third parties
Target’s HVAC system was connected to main systems
Contractors had access
Hackers gained contractors’ password
Malware captured customer credit card info before it could be
encrypted
Cost of Breaches
Estimated at $145 to $154 per stolen record
Revenue lost when sales decline
Some costs can be recouped by insurance
Can You be Safe?
No, unless the information is permanently inaccessible
“You cannot make a computer secure” – from Dain Gary, former
CERT chief
97% of all firms have been breached
Sometimes security makes systems less usable
What Motivates the Hackers?
Sell stolen credit card numbers for up to $50 each
2 million Target card numbers were sold for $20 each on
average
Street gang members can usually get $400 out of a card
Some “kits” (card number plus SSN plus medical information)
sell for up to $1,000
They allow opening new account cards
Stolen cards can be sold for bitcoin on the Deep Web
What Should Management Do?
Security strategy
Infrastructure
Access tools *
Storage and transmission tools *
Security policies *
Training *
Investments
* Described next
Access Tools
| Access Tool | Ubiquity | Advantages | Disadvantages |
| --- | --- | --- | --- |
| Physical locks | Very high | Excellent if guarded | Locks can be picked; Physical access is often not needed; Keys can be lost |
| Passwords | Very high | User acceptance and familiarity; Ease of use; Mature practices | Poor by themselves; Sometimes forgotten; Sometimes stolen from users using deception or key loggers |
| Biometrics | Medium | Can be reliable; Never forgotten; Cannot be stolen; Can be inexpensive | False positives/negatives; Some are expensive; Some might change (e.g., voice); Lost limbs; Loopholes (e.g., photo) |
Access Tools (continued)
| Access Tool | Ubiquity | Advantages | Disadvantages |
| --- | --- | --- | --- |
| Challenge questions | Medium (high in banking) | Not forgotten; Multitude of questions can be used | Social networking might reveal some answers; Personal knowledge of an individual might reveal the answers; Spelling might not be consistent |
| Token | Low | Stolen passkey is useless quickly | Requires carrying a device |
| Text message | Medium | Stolen passkey is useless; Mobile phone already owned by users; Useful as a secondary mechanism too | Requires mobile phone ownership by all users; Home phone option requires speech synthesis; Requires alternative access control if mobile phone lost |
| Multi-factor authentication | Medium | Stolen password is useless; Enhanced security | Requires an additional technique if one of the two fails; Temptation for easy password |
Storage and Transmission Tools
| Tool | Ubiquity | Advantages | Disadvantages |
| --- | --- | --- | --- |
| Antivirus/antispyware | Very high | Blocks many known threats; Blocks some “zero-day” threats | Slow down operating system; “Zero day” threats can be missed |
| Firewall | High | Can prevent some targeted traffic | Can only filter known threats; Can have well-known “holes” |
| System logs | Very high | Can reveal IP address of attacker; Can estimate the extent of the breach | Hackers can conceal their IP address; Hackers can delete logs; Logs can be huge; Irregular inspections |
| System alerts | High | Can help point to logs; Can detect an attack in process; High sensitivity | Low selectivity |
Storage and Transmission Tools (continued)
| Tool | Ubiquity | Advantages | Disadvantages |
| --- | --- | --- | --- |
| Encryption | Very high | Difficult to access a file without the key; Long keys could take years to break | Keys are unnecessary if password is known; If the key is not strong, hackers could uncover it by trial and error |
| WEP/WPA | Very high | Same as encryption; Most devices have the capability; Provides secure wifi connection | Same as encryption; Some older devices have limited protections; WEP is not secure, yet it is still provided |
| VPN | Medium | Trusted connection is as if you were connected on site; Hard to decrypt | Device could be stolen while connected; Sometimes slows the connection |
Security Policies
Perform security updates promptly
Separate unrelated networks
Keep passwords secret
Manage mobile devices (BYOD)
Formulate data policies (retention and disposal)
Manage social media (rules as to what can be shared, how to
identify yourself)
Use consultants (Managed Security Services Providers)
SETA (Security Education, Training, and Awareness)
Training on access tools
Limitations of passwords
Formulating a password
Changing passwords periodically
Using multi-factor authentication
Using password managers
SETA (Security Education, Training, and Awareness)
BYOD
Rules
How to follow them
Social Media
Rules
How to follow them
Cases from the past that created problems
SETA (Security Education, Training, and Awareness)
Vigilance: Recognizing:
Bogus warning messages
Phishing emails
Physical intrusions
Ports and access channels to examine
Classic Signs of Phishing
Account is being closed
Email in-box is full
Winning a contest or lottery
Inheritance or commission to handle funds
Product delivery failed
Odd URL when hovering
Familiar name but strange email address
Poor grammar/spelling
Impossibly low prices
Attachment with EXE, ZIP, or BAT (etc.)
IPsec/Firewall Security Policy Analysis : A Survey
Roumaissa Khelf
Networks and System Laboratory
Computer Science Department
Badji Mokhtar-Annaba University
Annaba, Algeria
Nacira Ghoualmi-Zine
Networks and System Laboratory
Computer Science Department
Badji Mokhtar-Annaba University
Annaba, Algeria
Abstract—As reliance on technology increases, computer
networks are growing larger, and so are threats and
attacks. Network security has therefore become a major concern
during the last decade. Network security requires a
combination of hardware devices and software applications.
Firewalls and IPsec gateways are two technologies
that provide network security protection and rely on
security policies, which are maintained to ensure traffic control
and network safety. Nevertheless, security policy
misconfigurations and inconsistencies between a policy’s rules
produce errors and conflicts, which are often very hard to
detect and consequently cause security holes and compromise
the entire system’s functionality. In this paper, we review the
related approaches that have been proposed for security
policy management and survey the literature on
conflict detection and resolution techniques. This work
highlights the advantages and limitations of the proposed
solutions for security policy verification in IPsec and firewalls
and gives an overall comparison and classification of the
existing approaches.
Keywords—Network Security; Security policy; IPsec;
Firewall; Security policy anomalies; policy analysis; Conflicts
analysis.
I. INTRODUCTION
To enforce network security, several functionalities are
implemented to ensure security within a
computer network. Some security controls, such as firewalls,
are used to control traffic (network protection); others, such
as IPsec gateways, can both control and modify the traffic
(VPN protection) [1]. Although IPsec is newer
than firewall technology, firewall studies are more common
and more varied. This may be because firewalls have a larger
market share. This motivates us to bring both technologies
together in this survey in order to show which
of them is the better choice for network security
verification. Although the studies vary, firewalls and IPsec
share a similar nature, and security policies are an
essential component of both. Security
policies are complex in large systems, and faults in them
are hard to find. In addition, network administrators
do not always have deep insight into the network
configuration; these challenges make security
policy testing and verification much harder. To solve this
problem, several approaches have been proposed in the
literature. The main objective of those studies was to find
a way to automate the verification and management of
security policies by introducing different techniques for
conflict identification and resolution. This survey therefore
highlights different studies in the policy analysis context,
especially on conflict management. Across the studies on
policy analysis, we note that there is no global or
general solution that can be applied directly to solve the
problem. Most studies focus on solutions to sub-problems,
so the proposed works do not yield compatible
solutions. Also, with regard to network topology, the dynamic
environment of distributed networks (enterprise networks)
must be taken into consideration, because some of the
proposed approaches are inefficient under dynamic conditions.
More details are given in the next sections.
This work highlights the existing research in the field
of security policy verification and analysis. We present the
most important approaches in chronological order,
emphasizing their advantages and disadvantages.
We also discuss the differences between
these works, propose solutions to overcome the drawbacks
of prior studies, and propose a categorization
schema for the existing approaches in this area.
This paper is organized as follows. Section 2 presents a
global overview of the firewall and IPsec technologies
and the basic differences between them. In Section 3 we
give a brief definition of security policy and the notion of
filtering rules, as well as policy analysis and its different
fields. Section 4 presents the research carried out on
different types of security policy for firewalls and
IPsec. In Section 5 we compare the cited works, discuss
the main differences between those approaches, and
propose a categorization schema.
II. FIREWALL VS IPSEC
Firewalls and IPsec are complementary components
of network security. They cannot really be compared directly;
however, there are some differences between them.
In this section we identify those differences
and the subtleties of both technologies.
A. Firewalls
Firewalls are network devices that enforce an
organization’s security policy [2]. A firewall can be a router, an
access server, or several service modules. A firewall
monitors the outgoing and incoming traffic from and to a
network. The monitoring is done using packet
filters and aims to allow or deny the traffic. A firewall filters
packets according to various criteria such as IP addresses,
ports and network interfaces. This information is
ordered in a set of rules that constitute the firewall's
security policy. The main objective of a firewall is to determine the
accessibility of a type of traffic in a particular network.
The principle is simple: a firewall protects the network
by allowing wanted traffic and discarding unwanted traffic.
However, firewalls do not secure or modify the
actual traffic going back and forth. Besides the fact that not all
attack types are handled, emerging technologies like
VPN and P2P present new challenges for firewalls.
B. IPsec
Internet Protocol security (IPsec) is known as a
cost-effective way to establish security in Virtual Private
Networks (VPNs). IPsec is a set of open standards that
provide data authentication, integrity and confidentiality. It
can be used to protect the data flow between a pair of hosts, a
pair of gateways, or a host and a gateway. The
IPsec security architecture defines two types of security
policies: the access control list and the crypto map list.
The access control list defines the protected traffic, and the
crypto access list defines the protection parameters to be
applied to this traffic. In other words, the distribution of
protection in IPsec depends on the design of the security
policy and its distribution.
C. Firewall and IPsec Comparison
To sum up, a firewall is used to protect a network from
unwanted traffic, whereas IPsec is used to protect a server
or a group of servers in a network. IPsec protects the wanted
traffic while it crosses the network, so IPsec not only
controls traffic but also protects it. In other words,
firewall security policies are defined to control traffic
access to the network: they permit legitimate traffic and
block unwanted traffic. IPsec’s access
control policy has a similar aim to the firewall policy; however,
legitimate traffic is either permitted directly or protected
before transmission. This is the main distinction
between the firewall and IPsec. When legitimate
traffic is judged to need protection, the IPsec encryption list
comes into play, and the traffic is compared against its filtering
rules to find out which IPsec protection (AH, ESP, tunnel or
transport mode) must be applied to this traffic.
Despite the differences, both technologies can be used to
ensure network protection; the firewall is more
convenient in terms of centralized protection, while IPsec
is more powerful in terms of flexible protection and
server/domain isolation.
III. POLICY VERIFICATION BACKGROUND
A. Network Security Policy
A network security policy is a set of requirements
that control the behavior of an entity in a network. This
behavior is defined by a set of constraints, which
govern data access, use, and transfer inside the network.
The security policy requirement is defined as a set of
filtering rules; these rules are tried in a particular order that
ensures the correct execution of the policy directives. Generally,
security policies are used to ensure three main
functionalities: confidentiality (data secrecy), integrity (data
originality) and availability (data access).
B. Security Policy Analysis
After the security policy directives are defined comes
the specification of filtering rules. This phase is called
policy configuration, and it is typically complicated and
error-prone. Given the importance of security
policies to the security of communication networks,
conflicts can lead to security breaches and high-risk attacks.
Conflicts in a network security policy can result from
misconfiguration or from inconsistency between different rules in
the same policy or in different policies. Therefore, to ensure
the correct functioning of the policy, conflicts should be
avoided or at least identified in order to remove them. This
is not as easy as it sounds, because many
difficulties make conflict management a very hard
task for the network administrator: the growing number
of internet applications, the nature of distributed networks,
the different types of security controls, and the large number of
policies and rules, which can cause an extremely high
number of conflicts that become intractable for the network
administrator. Hence the need to find more
suitable solutions for the verification of security policies.
C. Policy Analysis
As discussed before, network security cannot be
guaranteed without a well-designed security policy. Hence,
several studies have been carried out to overcome the
problem of conflicts and configuration errors in different
types of security policies, such as social network policies
[3] or cloud computing [4]. Policy analysis consists of
verifying the policy configuration in order to monitor
changes in policies or behavior, or security violations caused by
a conflict. Note that during policy analysis,
devices that are already deployed remain unchanged
and under the control of a network administrator.
The works in the literature that extend
the concept of policy analysis can be divided into three
main categories: reachability, policy comparison and conflict
analysis (Fig. 1). Our focus will be on conflict analysis.
Fig. 1. Classification of Policy Analysis Approaches
The analysis of conflicts aims to identify potential errors
in single or multiple security policies (intra- and inter-domain).
Without loss of generality, the approaches
used for conflict analysis can also be grouped into three
main categories: verification of configurations, conflict
detection and policy optimization. The solutions proposed
for conflict detection in recent years can in turn be
divided into three sub-categories: the first is policy
management based on data structures, as in [5]; the second
is the proposal of novel formal
models, as in [6]; and the last is the proposal of new tools, such
as [7].
IV. STATE OF THE ART
In the literature, firewall policy verification is a very
common research field; many approaches have been proposed
to provide a complete solution to the main problem,
conflict analysis. In this section, we present some of the
approaches proposed for firewall policy verification.
A. Firewall Approaches
The proposal of Al-Shaer in [8] was the first paper to
introduce the concept of conflict analysis of firewall
policy. The authors define all the possible relations
between policy rules; their classification has five types of
relationship. Completely disjoint: the rules are independent
and do not have any intersection. Exactly matched: two rules
match the same traffic and apply the same action to this
traffic. Inclusively matched: the rules do not match exactly
the same traffic; every field in the first rule is a subset of or
equal to the corresponding field in the second rule.
Partially disjoint: at least one field of the first rule
is a subset of or equal to that of the other rule. Correlated:
some fields of the first rule are subsets of or equal to the
corresponding fields in the second rule, and the remaining
fields are supersets or equal. The authors represent a
policy as a single-rooted tree (policy tree) in which every node
represents a field of a filtering rule and
each branch at that node represents a possible value of the
associated field. They then classify anomalies into four types
(shadowing, correlation, generalization and
redundancy). The authors use a tool called Policy Advisor
that helps the administrator manage a firewall policy
without prior analysis of the filtering rules. It implements
two management tools: the policy anomaly detector, which
identifies anomalies and notifies the administrator, and the
policy editor, which reorders updated or inserted rules.
However, Policy Advisor is limited to detecting pairwise
anomalies in firewall rules.
This work was later extended in [9]. In this
work, the authors add a new classification that includes
anomalies in multi-firewall environments, and they develop
their technique to detect anomalies in centralized and
distributed legacy firewalls. The newly defined conflicts are
shadowing, spuriousness, correlation, redundancy and
irrelevance. Shadowing occurs between two rules in two
different firewalls that match the same packets, where the first
rule blocks a packet that is permitted by the second rule.
Spuriousness occurs when two rules match
the same packet and the first rule permits a packet that is
blocked by the second rule. According to their definition,
correlated rules are rules in different firewalls that
match some common packets but apply different
actions. However, if these two rules block the traffic, it is
a redundancy conflict. The irrelevance anomaly is
defined by rules that do not have any corresponding
matched traffic. The authors specify that rule insertion is
performed in two steps: the first is rule placement,
which finds the corresponding firewall by identifying
all the possible paths, and the second verifies the
relation between the new rule and the existing rules in order
to avoid intra-firewall anomalies. Although this work was
very helpful for later studies, it has the drawback of
detecting anomalies only afterward, it does not provide a
recovery mechanism, and it is not suitable for all
security controls. In addition, high performance is
guaranteed only for a limited number of rules.
Another extension of Al-Shaer’s work is [10]. This work proved that
the conflicts in Al-Shaer’s classification are the only conflicts
that can exist in firewall policies. The authors present a set
of algorithms to detect rule anomalies within a single
firewall (intra-firewall anomalies) and between
interconnected firewalls (inter-firewall anomalies) in the
network. In addition to their previous works, they presented
a user-friendly Java-based implementation of the Firewall
Policy Advisor. This work was also extended by Al-Shaer in
[11]. The authors of [12] also proposed a novel tool,
“FIREMAN”, for the analysis of firewall policies. They use
Binary Decision Diagrams (BDDs) [13] to represent the
packet filtering policies. This work provides intra-policy
packet analysis and verifies the correct implementation of
the end-to-end policy.
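The four pairwise intra-firewall anomalies named above for [8] (shadowing, correlation, generalization, redundancy) can be checked mechanically on an ordered, first-match rule list. The following Python example is added here and is not code from the surveyed papers or from Policy Advisor; it assumes the commonly stated definitions of those anomalies, and the five-field rule format, the function names and the sample policy are constructed for illustration.

```python
import ipaddress
from itertools import combinations

FIELDS = ("proto", "src", "sport", "dst", "dport")

def parse_rule(order, proto, src, sport, dst, dport, action):
    """Build a rule dict; proto and ports are a concrete value or 'any' (assumed format)."""
    return {"order": order, "proto": proto, "sport": sport, "dport": dport,
            "src": ipaddress.IPv4Network(src), "dst": ipaddress.IPv4Network(dst),
            "action": action}

def field_relation(a, b):
    """Relation of field a to field b: 'eq', 'sub', 'sup' or 'disjoint'."""
    if a == b:
        return "eq"
    if isinstance(a, ipaddress.IPv4Network):
        # Two CIDR blocks are either nested or disjoint, never partly overlapping.
        if a.subnet_of(b):
            return "sub"
        return "sup" if b.subnet_of(a) else "disjoint"
    if b == "any":
        return "sub"
    return "sup" if a == "any" else "disjoint"

def rule_relation(rx, ry):
    """Relation of rule rx to rule ry over all filtering fields."""
    rels = {field_relation(rx[f], ry[f]) for f in FIELDS}
    if "disjoint" in rels:
        return "disjoint"        # no packet can match both rules
    if rels == {"eq"}:
        return "exact"
    if rels <= {"eq", "sub"}:
        return "subset"          # rx matches a subset of ry's packets
    if rels <= {"eq", "sup"}:
        return "superset"        # rx matches a superset of ry's packets
    return "correlated"          # some fields narrower, others wider

def find_anomalies(rules):
    """Return (anomaly, affected_rule, other_rule) tuples for an ordered,
    first-match rule list. Only pairs of rules are compared."""
    found = []
    for i, j in combinations(range(len(rules)), 2):
        rx, ry = rules[i], rules[j]          # rx is evaluated before ry
        rel = rule_relation(rx, ry)
        same = rx["action"] == ry["action"]
        if rel in ("exact", "superset"):
            # ry can never be the first match for any packet.
            kind = "redundancy" if same else "shadowing"
            found.append((kind, ry["order"], rx["order"]))
        elif rel == "subset" and not same:
            # ry is the broader rule with the opposite action; rx is its exception.
            found.append(("generalization", ry["order"], rx["order"]))
        elif rel == "subset":
            # rx is redundant only if removing it would not hand its packets
            # to an intermediate rule that applies a different action.
            overridden = any(
                rule_relation(rx, rz) in ("subset", "correlated")
                and rz["action"] != rx["action"] for rz in rules[i + 1:j])
            if not overridden:
                found.append(("redundancy", rx["order"], ry["order"]))
        elif rel == "correlated" and not same:
            found.append(("correlation", ry["order"], rx["order"]))
    return found

# Constructed sample policy (private and documentation address ranges).
SAMPLE_POLICY = [
    parse_rule(1, "tcp", "10.1.1.0/24", "any", "192.0.2.10/32", 80, "deny"),
    parse_rule(2, "tcp", "10.1.0.0/16", "any", "192.0.2.10/32", 80, "accept"),
    parse_rule(3, "tcp", "10.1.1.5/32", "any", "192.0.2.10/32", 80, "accept"),
    parse_rule(4, "tcp", "10.1.0.0/16", "any", "192.0.2.0/24", 22, "accept"),
    parse_rule(5, "tcp", "10.0.0.0/8", "any", "192.0.2.20/32", 22, "deny"),
    parse_rule(6, "udp", "0.0.0.0/0", "any", "192.0.2.53/32", 53, "accept"),
    parse_rule(7, "udp", "10.1.0.0/16", "any", "192.0.2.53/32", 53, "accept"),
]

if __name__ == "__main__":
    for anomaly in find_anomalies(SAMPLE_POLICY):
        print(anomaly)
```

Like the pairwise detection the survey describes, this check does not catch a rule that is covered only by the union of several earlier rules.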
The FIREMAN detection technique is based on the
analysis of potential relationships between a filtering rule
and a packet space, where this packet space is derived from
the set of all the preceding rules. The main limitation of
FIREMAN is that it can only detect the anomaly without
identifying the rules involved. Also, subsequent rules are
ignored during the anomaly analysis. In [14] the FIREMAN
tool was extended to deal with NAT and routing tables. Their
tool, Prometheus, unlike FIREMAN, is able to detect the
misconfiguration along with the rules responsible for it.
Prometheus identifies the anomaly when two different paths
within the same firewall execute several decisions for the
same packet. In addition, some corrections are also available
with this tool. In [15], the authors define a methodology to
classify firewall policy rule conflicts according to their
severity level. The authors present a classification of
different intra-policy conflicts, where severity defines the
rank of correlation between the presence of a conflict in the
policy and the erroneous behavior of the respective device.
Exact match, shadowing, and post redundancy are severe
conflicts according to the authors’ definition. The
resolution of conflicts depends in some cases on the decision
of the network manager, who can associate priorities with the
conflicting rules. One of the major limitations of this work
is that the approach concerns only a single firewall policy
implementation; it is not applied to distributed firewall
policies. Al-Shaer’s approach was very helpful for
researchers; thus, many works based on it have been
proposed. Those novel approaches prove that Al-Shaer’s
classification is general and applicable to multiple
scenarios. Additionally, some researchers introduce
different security components into the security policy
analysis context. For instance, in [16] the authors add the
possibility of managing security policies over distributed
network security components such as network intrusion
detection systems (NIDS). For the detection of conflicts in
packet filtering rules, the authors presented a network model
that allows identification of the components which are
crossed by a given packet, knowing its source and
destination. Based on this model they defined two new types
of conflicts (irrelevance and miss-connection). In this work,
the security policy is rewritten in a positive or negative
format (only allow rules or only deny rules). The extended
work of this approach is [7], where the MIRAGE tool is
proposed. This tool is a management tool for the analysis
and deployment of configuration policies over network
security components, such as firewalls, intrusion detection
systems, and VPN routers. In the same context, another tool
was proposed in [17]. The authors propose Margrave, a novel
tool for firewall analysis. Besides the analysis of the
policy, this tool is able to determine the consequences
resulting from configuration updates. Margrave is also
capable of generating separate policies for functions other
than access filtering, like routing and switching, which
ensures the analysis of the whole firewall behavior. Other
studies present formal models for security policy generation,
such as [18]. In this work, the authors present a new formal
model for ACL policies. This model, called the geometric
model, is based on a set of rules, a default limited number
of actions, and uses an ad-hoc resolution strategy. For the
resolution of anomalies, the authors present several
techniques such as the First Matching Rule (FMR) and the
Last Matching Rule (LMR). In addition, the authors define a
new type of anomaly which results from the union of more
than two rules (general shadowing and general redundancy).
In [19] the authors adopt a novel technique of rule
segmentation for the identification and resolution of
anomalies in firewall policies based on Binary Decision
Diagrams (BDD). For this purpose, they adopt a grid-based
representation technique which provides an intuitive
cognitive sense of the anomaly, in order to identify policy
anomalies and resolve them. Based on this technique, the
network packet space is divided into disjoint packet space
segments, each associated with a unique set of firewall
rules. The work in [20] presents a formal model of firewall
rule sequences. The authors focus on the rule reordering
problem: their method verifies whether a given firewall
rule sequence maintains the correct specification of a
security policy by checking the relation between rules.
They proposed a verification method divided into two parts.
The first part is the decision-conflict rule set generator,
where the security policy is translated into rules that are
ordered correctly in the rule base, and rules that generate
conflicts are then identified with the policy abstraction
technique. The second part is the policy consistency engine,
which ensures that rule reordering maintains the correctness
of the security policy. In case of violation, another rule
reordering is needed. In [21], the authors present a
framework to facilitate the detection of firewall policy
conflicts inside dynamic OpenFlow networks. In addition to
the previous works in this area, this work presents a model
for the detection and resolution of conflicts in real-time
situations. The proposed tool, FLOWGUARD, checks
network flow path spaces to detect firewall policy violations
when network states are updated. However, there is no
analysis model in their framework, and it does not cover
stateful firewalls in SDNs. Most of the papers cited above
focus on the detection and resolution of conflicts with
human intervention, which is in some cases difficult and
error prone. The authors in [22] focus on this point and
propose an alternative solution that avoids human
intervention, where they use a query engine for
firewall security policy analysis. Their proposition aims to
automate the whole process of anomaly resolution, without
referring to the administrator. In other words, instead of
prompting the administrator to insert the proper order of
rules, they implemented a tool (FPQE) which executes a set
of queries against a high-level firewall policy.
In [5] the authors propose an analysis method that
aims to detect anomalies in a firewall configuration file and
to determine the consequences of deleting or
updating filtering rules in the configuration file. The key
to the method is to represent the set of rules with a tree
data structure. The Firewall Anomaly Tree (FAT) can be
dynamically updated by adding or deleting filtering rules,
and it gives the administrator an idea of the adequate
position at which to insert a rule.
The authors in [23] use a data structure called the Firewall
Decision Diagram (FDD) and an inference system. They
propose a novel approach to automatically fix
firewall misconfigurations. In this work, a classification of
different anomalies in the multi-firewall environment is
provided, where anomalies are divided into two main parts:
real misconfiguration and intended anomaly. Resolution of
configuration errors, according to this work, is done by
several techniques such as modifying the rule fields,
reordering, and removing some rules. In brief, they propose a
method for rule set optimization by removing unused rules
from the policy. The authors define shadowed and redundant
rules as superfluous rules. Superfluous rule identification
is based on an inference system, and this kind of rule is
removed from the policy. After the removal of superfluous
rules, the misconfiguration discovery phase begins.
Misconfigurations are identified in both a single firewall
(when different actions are applied to the same traffic in
the same firewall configuration) and distributed firewalls
(different firewalls apply different actions to the same
traffic).
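The packet-space analysis, rule segmentation and general shadowing described above can be shown on a small first-match policy. This is an added example, not code from any of the surveyed tools: it splits the packet space into interval cells instead of using a BDD, and the sample policy, the rule names and the labels "partial-conflict" and "masked-mixed" are constructed for illustration.

```python
from itertools import product

# Constructed sample policy. Fields: name, source-host range, destination-port
# range (both inclusive, lo <= hi), action. The first matching rule wins.
RULES = [
    ("r1", (0, 127),   (80, 80),  "allow"),
    ("r2", (128, 255), (80, 80),  "allow"),
    ("r3", (0, 255),   (80, 80),  "deny"),   # covered only by r1 and r2 together
    ("r4", (10, 20),   (80, 80),  "allow"),  # inside r1, same action
    ("r5", (0, 255),   (22, 443), "deny"),   # port 80 is already taken by r1/r2
]


def covers(rule, src, port):
    """True if the rule's ranges contain the inclusive ranges src and port."""
    return (rule[1][0] <= src[0] and src[1] <= rule[1][1]
            and rule[2][0] <= port[0] and port[1] <= rule[2][1])


def segments(rules):
    """Yield (cell, indexes of covering rules) for disjoint cells of the packet space."""
    axes = []
    for dim in (1, 2):
        # Every range boundary is a cut, so each cell lies fully inside or
        # fully outside every rule.
        cuts = sorted({r[dim][0] for r in rules} | {r[dim][1] + 1 for r in rules})
        axes.append([(lo, hi - 1) for lo, hi in zip(cuts, cuts[1:])])
    for src, port in product(*axes):
        cover = [i for i, r in enumerate(rules) if covers(r, src, port)]
        if cover:
            yield (src, port), cover


def analyze(rules):
    """Classify each rule against the packet space decided by the rules before it."""
    effective = [False] * len(rules)
    same = [set() for _ in rules]      # earlier first-matchers with the same action
    opposite = [set() for _ in rules]  # earlier first-matchers with the other action
    for _cell, cover in segments(rules):
        first = cover[0]               # the rule that actually decides this cell
        effective[first] = True
        for i in cover[1:]:
            bucket = same if rules[i][3] == rules[first][3] else opposite
            bucket[i].add(rules[first][0])
    report = {}
    for i, rule in enumerate(rules):
        if effective[i]:
            label = "partial-conflict" if opposite[i] else "ok"
        elif opposite[i] and same[i]:
            label = "masked-mixed"
        elif opposite[i]:
            label = "shadowed"
        elif same[i]:
            label = "redundant"
        else:
            label = "empty"
        # Unlike a detection-only result, the responsible rules are reported too.
        report[rule[0]] = (label, sorted(same[i] | opposite[i]))
    return report


def single_rule_covers(rules):
    """Pairwise view: for each rule, the earlier rules that contain it on their own."""
    return {r[0]: [e[0] for e in rules[:i] if covers(e, r[1], r[2])]
            for i, r in enumerate(rules)}


if __name__ == "__main__":
    for name, (label, by) in analyze(RULES).items():
        print(f"{name}: {label:16} decided first by {by or '-'}")
    print("earlier rules containing r3 alone:", single_rule_covers(RULES)["r3"])
```

Rule r3 is contained in no single earlier rule, so a pairwise containment check passes it, while the cell-based analysis reports it as shadowed by r1 and r2 together.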
B. IPsec Approaches
In the literature, IPsec policy verification and management
approaches are not as common as those for firewall policies;
this can be caused by the similarity between the two
technologies and the novelty of IPsec compared to firewalls.
The concept of verification of IPsec security policies was
first introduced in [24]; the analysis is performed on
several policy implementations in order to detect conflicts.
The authors define a conflict as the case when policy
implementations do not satisfy the security policy
requirements. They define a requirement as the high-level
policy objective, while policy implementations are specified
to meet that objective. Thus the policy specification process
transforms a requirement into a specific policy
implementation. Besides conflict detection, the authors also
propose a recovery mechanism. The resolution aims to define
a new implementation that satisfies the desired policy while
minimizing possible damage caused by the violation of any
security requirement. However, this method is quite
complicated due to the use of non-standard high-level
security requirements, which are not always available in
existing standards. Furthermore, updating requirements
causes the re-initialization of the algorithm each time,
which is a tedious task. Next, the schema proposed in
this work was formalized in [6]. The authors propose a
method for conflict detection by analyzing IPsec policies.
This work can also be considered as the extension of [10].
The proposed model incorporates the encryption and packet
filter capabilities of IPsec. Thus, two types of conflicts
are defined for both intra- and inter-policy. The overlapping
session conflict occurs when multiple IPsec sessions are
established to deliver a packet to several hosts, and the
packet is delivered to the farther host before the near one.
The second type of conflict is the Multi-Transform conflict.
It is the result of the application of a weaker protection to
already encapsulated traffic. The authors also use BDD to
compare rules translated into Boolean functions. The main
drawback of this method is that it is limited to detecting
conflicts only, without any recovery process. In addition,
the processing of the policy rules each time is highly time
consuming and inefficient in a dynamic environment.
In [25] and [26] the authors present a complete taxonomy of
possible existing conflicts in an IPsec security policy,
including both packet-filter and IPsec configuration. Their
proposed classification of intra- and inter-policy conflicts
is quite similar; however, they define conflicts in a simpler
way that makes the implementation much easier. In [27] an
architecture that stores all the IPsec policy in a center is
proposed. This center is accessible by a manager and
enforced by an access control policy. IPsec implementations
manipulate IPsec databases via a database manager. The
authors define IPsec implementations as programs which can
establish IPsec channels and access databases (for
instance Strongswan and Openswan). The essential
contribution is that the use of this manager aims to avoid
access to databases by unauthorized implementations. In
another part, this work aims to prevent conflict before it
occurs, which is described as some kind of conflict
recovery. However, recovery is only made for conflict
diffusion, which is the authors’ definition of inter-policy
conflicts.
The algorithm proposed in [28] can be considered as an
improvement of the solution proposed in [6]. The authors
propose an algorithm for the dynamic verification of an
IPsec policy. The proposed algorithm defines some types of
conflicts (it does not support all the conflicts defined in
the previous works). The method essentially uses the BDD to
represent the IPsec policy and manipulate Boolean functions
in order to dynamically detect conflicts. On the whole, the
proposed algorithm generates conflict-free policies from
conflicting policies. Thus, besides conflict detection, the
authors also present some recovery mechanisms in their
approach.
Authors in [29] extend the idea of, they improved the
conflict classification so that it is easier to implement.
An algorithm is proposed for dynamic detection of both
intra- and inter-policy conflicts. The proposed classification
includes all the possible conflicts of an IPsec access control
list; the proposed algorithm is based on a generic model
where each type of conflict is associated with a Boolean
expression. The use of Boolean expressions for the
representation of the IPsec policy is obtained thanks to the
Binary Decision Diagram. Besides the improvement of
classification, this method can also detect inter-policy
conflicts. However, the method was not evaluated to show the
efficiency of the algorithm.
TABLE 1 Comparison between different approaches for security policy analysis
Approaches | Conflict Classification | Conflict Resolution | Inter-policy conflicts | Data Structure | Policy regeneration | Policy formal model | Conflict prevention | Dynamicity
[8] √ √
[9] √
[10] √
[12] √
[14] √ √
[15] √ √
[16] √ √ √
[7] √ √
[17] √ √ √
[18] √ √ √
[19] √ √ √
[20] √ √ √
[5] √ √ √
[23] √ √ √ …
Discuss an organization’s need for physical security. What
methods, approaches, and models can be used by organizations
when designing physical security needs? Lastly, explain how
these security measures will safeguard the organization.
Please make your initial post and two response posts
substantive. A substantive post will do at least TWO of the
following:
· Ask an interesting, thoughtful question pertaining to the topic
· Answer a question (in detail) posted by another student or the
instructor
· Provide extensive additional information on the topic
· Explain, define, or analyze the topic in detail
· Share an applicable personal experience
· Provide an outside source (for example, an article from the UC
Library) that applies to the topic, along with additional
information about the topic or the source (please cite properly
in APA)
· Make an argument concerning the topic.
At least one scholarly source should be used in the initial
discussion thread. Be sure to use information from your
readings and other sources from the UC Library. Use proper
citations and references in your post.

ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...M56BOOKSTORE PRODUCT/SERVICE
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfadityarao40181
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdfssuser54595a
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxRaymartEstabillo3
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentInMediaRes1
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 

Recently uploaded (20)

TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
“Oh GOSH! Reflecting on Hackteria's Collaborative Practices in a Global Do-It...
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of India
 
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
KSHARA STURA .pptx---KSHARA KARMA THERAPY (CAUSTIC THERAPY)————IMP.OF KSHARA ...
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
Biting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdfBiting mechanism of poisonous snakes.pdf
Biting mechanism of poisonous snakes.pdf
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
 
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptxEPANDING THE CONTENT OF AN OUTLINE using notes.pptx
EPANDING THE CONTENT OF AN OUTLINE using notes.pptx
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media Component
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 

CISSPCertified Information SystemsSecurity ProfessionalCop.docx

Exam Advice (continued)
It is not possible to return to a question.
Try to reduce/eliminate answer options before guessing
Pay attention to question format and how many answers are needed
Use the provided dry-erase board for notes
9
Updates and Changes
As updates, changes, and errata are needed for the book, they are posted online at:
www.wiley.com/go/cissp8e
Visit and write in the corrections to your book!
10
Exam Prep Recommendations
Read each chapter thoroughly
Research each practice question you get wrong
Complete the written labs
View the online flashcards
Use the 6 online bonus exams to test your knowledge across all of the domains
Consider using: (ISC)² CISSP Official Practice Tests, 2nd Edition (ISBN: 978-1-119-47592-7)
11
Completing Certification
Endorsement
A CISSP certified individual in good standing
Within 90 days of passing the exam
After CISSP, consider the post-CISSP Concentrations:
Information Systems Security Architecture Professional (ISSAP)
Information Systems Security Management Professional (ISSMP)
Information Systems Security Engineering Professional (ISSEP)
12
Book Organization 1/2
Security and Risk Management
Chapters 1-4
Asset Security
Chapter 5
Security Architecture and Engineering
Chapters 6-10
Communication and Network Security
Chapters 11-12
13
Book Organization 2/2
Identity and Access Management (IAM)
Chapters 13-14
Security Assessment and Testing
Chapter 15
Security Operations
Chapters 16-19
Software Development Security
Chapters 20-21
14
Study Guide Elements
Exam Essentials
Chapter Review Questions
Written Labs
Real-World Scenarios
Summaries
15
Additional Study Tools
www.wiley.com/go/cissptestprep
Electronic flashcards
Glossary in PDF
Bonus Practice Exams: 6x 150 question practice exams covering the full range of domain topics
16

National infrastructure provides a platform for support systems that enable the delivery of extensive services considered important for running the nation. The government is obligated to provide some of the key services, while others are provided by private sector groups such as banks, shipping lines, airlines, and internet service providers, among others. There also exists a scenario where some of the essential services required in a specific nation are sourced from another, creating global interdependency. The interdependence trend is referred to as a “flat world.” The national infrastructure is mainly reliant on computer networks and systems which facilitate remote access over the internet. This makes it vulnerable to cyber-attacks through worms, computer viruses, fiber cuts, and data leaks (Amoroso, 2011).

The conventional approaches to data security adopted for the national infrastructure have not been sufficient. One of the major challenges to fully securing the national infrastructure is the high cost of implementing security tools. The government and commercial enterprises rely on off-the-shelf data security products to reduce cost rather than acquiring recent enterprise system security tools. Further, manual intercession by local experts who collaborate in the event of a serious security breach on the national infrastructure is highly controlled to avoid legal repercussions for sharing private data. This limits the effectiveness of adopting a unified approach towards data security (Benson, McAlaney & Frumkin, 2019).

The book provides an overview of national infrastructure system protection methodologies based on recent data security trends. The government and the private sector must identify potential solutions to all potential security threats to avoid infrastructural breach disasters. The government and commercial enterprises should provide a comprehensive review of all vulnerabilities of the national infrastructure. What types of plan or security devices can be implemented by the government to ensure that our national infrastructure is safe?
References
Amoroso, E. G. (2011). Emerging Threats & Countermeasures (ITS834). Elsevier.
Benson, V., McAlaney, J., & Frumkin, L. A. (2019). Emerging threats for the human element and countermeasures in current cyber security landscape. In Cyber Law, Privacy, and Security: Concepts, Methodologies, Tools, and Applications (pp. 1264-1269). IGI Global.

Managing and Using Information Systems: A Strategic Approach – Sixth Edition
Keri Pearlson, Carol Saunders, and Dennis Galletta
© Copyright 2016 John Wiley & Sons, Inc.
Chapter 7
Security
2
Opening Case
What are some important lessons from the opening case?
How long did the theft take?
How did the theft likely occur?
How long did it take Office of Personnel Management (OPM) to detect the theft?
How damaging are the early reports of the data theft for the OPM?
© 2016 John Wiley & Sons, Inc.
3
The hackers did not carry out a dramatic and quick theft; they had a year to steal the records at their leisure.
The theft took place over a year, and the hackers stole a password.
It took many months for OPM to detect the theft.
Early reports say that at least 4 million, and as many as 14 million records were stolen. Each record contained 127-page security clearances that include sensitive medical, personal, and relationship information.
3
How Long Does it Take?
How long do you think it usually takes for someone to discover a security compromise in a system after the evidence shows up?
Several seconds
Several minutes
Several hours
Several days
Several months
A Mandiant study revealed that the median for 2014 was 205 days!
That’s almost 7 months!
The record is 2,982 which is 11 years!
4
Timeline of a Breach - Fantasy
Hollywood has a fairly consistent script:
0: Crooks get password and locate the file
Minute 1: Crooks start downloading data and destroying the original
Minute 2: Officials sense the breach
Minute 3: Officials try to block the breach
Minute 4: Crooks’ download completes
Minute 5: Officials lose all data
Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf
5
Timeline of a Breach - Reality
Source: http://www.verizonbusiness.com/resources/reports/rp_2010-DBIR-combined-reports_en_xg.pdf
6
IT Security Decision Framework
| Decision | Who is Responsible | Why? | Otherwise? |
|---|---|---|---|
| Information Security Strategy | Business Leaders | They know business strategies | Security is an afterthought and patched on |
| Information Security Infrastructure | IT Leaders | Technical knowledge is needed | Incorrect infrastructure decisions |
| Information Security Policy | Shared: IT and Business Leaders | Trade-offs need to be handled correctly | Unenforceable policies that don’t fit the IT and the users |
| SETA (training) | Shared: IT and Business Leaders | Business buy-in and technical correctness | Insufficient training; errors |
| Information Security Investments | Shared: IT and Business Leaders | Evaluation of business goals and technical requirements | Over- or under-investment in security |
7
How Have Big Breaches Occurred?
| Date Detected | Company | What was stolen | How |
|---|---|---|---|
| November 2013 | Target | 40 million credit & debit cards | Contractor opened virus-laden email attachment |
| May 2014 | Ebay #1 | 145 million user names, physical addresses, phones, birthdays, encrypted passwords | Employee’s password obtained |
| September 2014 | Ebay #2 | Small but unknown | Cross-site scripting |
| September 2014 | Home Depot | 56 million credit card numbers; 53 million email addresses | Obtaining a vendor’s password/exploiting OS vulnerability |
| January 2015 | Anthem Blue Cross | 80 million names, birthdays, emails, Social security numbers, addresses, and employment data | Obtaining passwords from 5 or more high-level employees |
8
Password Breaches
80% of breaches are caused by stealing a password.
You can steal a password by:
Phishing attack
Key logger (hardware or software)
Guessing weak passwords (123456 is most common)
Evil twin wifi
9
Insecurity of WiFi – a Dutch study
“We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.”
Had WiFi transmitter broadcasting “Starbucks” as ID
Because they were connected to him, he scanned for unpatched or vulnerable mobile devices or laptops
He also saw passwords and could lock them out of their own accounts.
The correspondent: “I will never again be connecting to an insecure public WiFi network without taking security measures.”
10
Other Approaches
Cross-site scripting (malicious code pointing to a link requiring log-in at an imposter site)
Third parties
Target’s HVAC system was connected to main systems
Contractors had access
Hackers gained contractors’ password
Malware captured customer credit card info before it could be encrypted
11
Cost of Breaches
Estimated at $145 to $154 per stolen record
Revenue lost when sales decline
Some costs can be recouped by insurance
12
Can You be Safe?
No, unless the information is permanently inaccessible
“You cannot make a computer secure” – from Dain Gary, former CERT chief
97% of all firms have been breached
Sometimes security makes systems less usable
13
What Motivates the Hackers?
Sell stolen credit card numbers for up to $50 each
2 million Target card numbers were sold for $20 each on average
Street gang members can usually get $400 out of a card
Some “kits” (card number plus SSN plus medical information) sell for up to $1,000
They allow opening new account cards
Stolen cards can be sold for bitcoin on the Deep Web
14
What Should Management Do?
Security strategy
Infrastructure
Access tools *
Storage and transmission tools *
Security policies *
Training *
Investments
* Described next
15
Access Tools
| Access Tool | Ubiquity | Advantages | Disadvantages |
|---|---|---|---|
| Physical locks | Very high | Excellent if guarded | Locks can be picked; Physical Access is often not needed; Keys can be lost |
| Passwords | Very high | User acceptance and familiarity; Ease of use; Mature practices | Poor by themselves; Sometimes forgotten; Sometimes stolen from users using deception or key loggers |
| Biometrics | Medium | Can be reliable; Never forgotten; Cannot be stolen; Can be inexpensive | False positives/negatives; Some are expensive; Some might change (e.g., voice); Lost limbs; Loopholes (e.g., photo) |
16
Access Tools (continued)
| Access Tool | Ubiquity | Advantages | Disadvantages |
|---|---|---|---|
| Challenge questions | Medium (high in banking) | Not forgotten; Multitude of questions can be used | Social networking might reveal some answers; Personal knowledge of an individual might reveal the answers; Spelling might not be consistent |
| Token | Low | Stolen passkey is useless quickly | Requires carrying a device |
| Text message | Medium | Stolen passkey is useless; Mobile phone already owned by users; Useful as a secondary mechanism too | Requires mobile phone ownership by all users; Home phone option requires speech synthesis; Requires alternative access control if mobile phone lost |
| Multi-factor authentication | Medium | Stolen password is useless; Enhanced security | Requires an additional technique if one of the two fails; Temptation for easy password |
17
Storage and Transmission Tools
| Tool | Ubiquity | Advantages | Disadvantages |
|---|---|---|---|
| Antivirus/antispyware | Very high | Blocks many known threats; Blocks some “zero-day” threats | Slow down operating system; “Zero day” threats can be missed |
| Firewall | High | Can prevent some targeted traffic | Can only filter known threats; Can have well-known “holes” |
| System logs | Very high | Can reveal IP address of attacker; Can estimate the extent of the breach | Hackers can conceal their IP address; Hackers can delete logs; Logs can be huge; Irregular inspections |
| System alerts | High | Can help point to logs; Can detect an attack in process; High sensitivity | Low selectivity |
18
Storage and Transmission Tools (continued)
| Tool | Ubiquity | Advantages | Disadvantages |
|---|---|---|---|
| Encryption | Very high | Difficult to access a file without the key; Long keys could take years to break | Keys are unnecessary if password is known; If the key is not strong, hackers could uncover it by trial and error |
| WEP/WPA | Very high | Same as encryption; Most devices have the capability; Provides secure wifi connection | Same as encryption; Some older devices have limited protections; WEP is not secure, yet it is still provided |
| VPN | Medium | Trusted connection is as if you were connected on site; Hard to decrypt | Device could be stolen while connected; Sometimes slows the connection |
19
Security Policies
Perform security updates promptly
Separate unrelated networks
Keep passwords secret
Manage mobile devices (BYOD)
Formulate data policies (retention and disposal)
Manage social media (rules as to what can be shared, how to identify yourself)
Use consultants (Managed Security Services Providers)
20
SETA (Security Education, Training, and Awareness)
Training on access tools
Limitations of passwords
Formulating a password
Changing passwords periodically
Using multi-factor authentication
Using password managers
21
SETA (Security Education, Training, and Awareness)
BYOD
Rules
How to follow them
Social Media
Rules
How to follow them
Cases from the past that created problems
22
SETA (Security Education, Training, and Awareness)
Vigilance: Recognizing:
Bogus warning messages
Phishing emails
Physical intrusions
Ports and access channels to examine
23
Classic Signs of Phishing
Account is being closed
Email in-box is full
Winning a contest or lottery
Inheritance or commission to handle funds
Product delivery failed
Odd URL when hovering
Familiar name but strange email address
Poor grammar/spelling
Impossibly low prices
Attachment with EXE, ZIP, or BAT (etc.)
24
Managing and Using Information Systems: A Strategic Approach – Sixth Edition
Keri Pearlson, Carol Saunders, and Dennis Galletta
© Copyright 2016 John Wiley & Sons, Inc.
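Three of the signs on the "Classic Signs of Phishing" slide can be checked mechanically: a familiar name with a strange email address, a link whose visible text names a different site than its real target, and an attachment ending in EXE, ZIP, or BAT. The Python below is an added example, not part of the original slides; the sample message, the KNOWN_SENDERS table and every .example domain are constructed assumptions.

```python
"""Added example: check a raw e-mail for three of the listed phishing signs."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

RISKY_EXT = (".exe", ".zip", ".bat")  # the slide's "EXE, ZIP, or BAT (etc.)"
# Assumption for the demo: brand name -> domains that brand really sends from.
KNOWN_SENDERS = {"example bank": {"examplebank.example"}}
# Link text that itself looks like a URL or host name, e.g. "www.site.example".
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; scheme-less 'www.site.example/x' also works."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def same_site(host, expected):
    """True if host is the expected domain or one of its subdomains."""
    return host == expected or host.endswith("." + expected)


def phishing_signs(raw):
    """Return a list of (sign, detail) findings for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Sign: familiar name but strange e-mail address.
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    for brand, domains in KNOWN_SENDERS.items():
        known = any(same_site(sender_domain, d) for d in domains)
        if brand in name.lower() and not known:
            findings.append(("sender-mismatch", addr))

    # Sign: odd URL when hovering (visible link text names a different site).
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if not URL_LIKE.match(text):
                continue  # "Click here" style text promises no destination
            shown = host_of(text)
            if shown.startswith("www."):
                shown = shown[4:]
            if not same_site(host_of(href), shown):
                findings.append(("link-mismatch", f"{text} -> {href}"))

    # Sign: risky attachment; endswith() also catches "statement.pdf.exe".
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXT):
            findings.append(("risky-attachment", filename))
    return findings


def build_sample(sender, href, attachment):
    """Construct a sample message (constructed test data, not a real e-mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "Your account is being closed"
    msg.set_content("Please log in to keep your account open.")
    html = f'<p>Log in at <a href="{href}">www.examplebank.example</a></p>'
    msg.add_alternative(html, subtype="html")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename=attachment)
    return msg.as_string()


if __name__ == "__main__":
    demo = build_sample('"Example Bank" <support@examp1e-bank.example>',
                        "http://login.unrelated.example/session",
                        "statement.pdf.exe")
    print(phishing_signs(demo))
```

In practice the KNOWN_SENDERS table would come from the organisation's own list of trusted sender domains; the remaining signs on the slide (lure themes, grammar, prices) need human judgement or content analysis and are not covered here.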
  • 21. IPsec/Firewall Security Policy Analysis : A Survey Roumaissa Khelf Networks and System Laboratory Computer Science Department Badji Mokhtar-Annaba University Annaba, Algeria [email protected] Nacira Ghoualmi-Zine Networks and System Laboratory Computer Science Department Badji Mokhtar-Annaba University Annaba, Algeria [email protected] Abstract—As the technology reliance increases, computer networks are getting bigger and larger and so are threats and attacks. Therefore Network security becomes a major concern during this last decade. Network Security requires a combination of hardware devices and software applications. Namely, Firewalls and IPsec gateways are two technologies that provide network security protection and repose on security policies which are maintained to ensure traffic control and network safety. Nevertheless, security policy
  • 22. misconfigurations and inconsistency between the policy’s rules produce errors and conflicts, which are often very hard to detect and consequently cause security holes and compromise the entire system functionality. In This paper, we review the related approaches which have been proposed for security policy management along with surveying the literature for conflicts detection and resolution techniques. This work highlights the advantages and limitations of the proposed solutions for security policy verification in IPsec and Firewalls and gives an overall comparison and classification of the existing approaches. Keywords—Network Security; Security policy; IPsec; Firewall; Security policy anomalies; policy analysis; Conflicts analysis. I. INTRODUCTION To enforce network security, several functionalities are implemented by the security to ensure security within a computer network. Some of security controls are used to control traffic like firewalls (Network protection), others have the capability to control and modify the traffic as IPsec gateways (VPNs Protection) [1]. Despite that IPsec is newer than firewall technology, firewall studies are more common and various. This can be due to the fact that firewalls are more market-share. So, this gives us a motivation to regroup both technologies in this survey in order to show up which one of them is the best choice for the network security verification. Whereas studies are varied, Firewall and IPsec share the similar nature, thus security policies are an essential component for both of them. Basically, security policies are considered complex in large systems, and it is hard to find faults. In addition, network administrators cannot always have a deep insight of the network configuration; hence, those challenges make the security
  • 23. policy testing and verification much harder. To solve this problem, several approaches have been proposed in literature. The main objective of those studies was to find out a way to automatize the verification and the management of security policy by introducing different techniques for conflicts identification and resolution. So, this survey highlights different studies for policy analysis context and especially on conflict management. Regarding studies on policy analysis topic, we can notice that there is no global or general solution that can be applied directly to solve the problem. Most of the studies focus on sub-problems parts solutions, thus the proposed works does not grant compatible solutions. Also, as regards to the network topology, dynamic environment of distributed networks must be taken into consideration (enterprise networks); because some of the proposed approaches are inefficient for dynamic conditions. More details will be given in next sections. This work highlights the existing researches in the field of security policy verification and analysis. We highlight the most important approaches in a chronological order, while emphasizing the different advantages and disadvantages of these approaches. We also discuss the differences between these works, and propose solutions in order to overcome prior studies drawbacks and also we propose a categorization schema for the existing approaches in this area. This paper is organized as follows. Section 2 presents a global overview on both technologies Firewall and IPsec hence the basic differences between them. In Section 3 we present a brief definition of security policy and the notion of filtering rules, as well as the policy analysis and its different fields. Section 4 presents the researches carried out on different types of security policy concerning firewalls and IPsec. In section 5 we compare the cited works and discuss
  • 24. the main differences between those approaches in addition to a proposition of a categorization schema. II. FIREWALL VS IPSEC Firewall and IPsec are both complementary components for network security. We can't really compare them; however, there are some differences between IPsec and firewalls. In this section we try to identify those differences and understand subtleties of both technologies. A. Firewalls Firewalls are network devices which enforce an organization’s security policy [2]. It can be a router, an access server, or a several services modules. Firewall monitors the outgoing and incoming traffic from and to a network. The monitoring operation is done using packet filters and aims to allow or deny the traffic. Firewall filters the packets according to various criteria such as IP addresses, Ports, network interfaces… etc. All those information are ordered in a set of rules which constitute security policies of firewalls. The main objective of a firewall is to determine the accessibility of a type of traffic in a particular network. Indeed the principal is simple; a firewall protects the network by allowing or discarding wanted or unwanted traffic respectively. However, firewalls do not secure or modify the actual traffic going back and forth. Beside the fact that not all attacks types are handled, the emerging technologies like VPN and P2P present new challenges for firewalls. B. IPsec Internet Protocol security (IPsec) is known as a cost-
  • 25. effective way to establish security in Virtual Private Networks (VPNs). IPsec is a set of open standard that provide data authentication, integrity and confidentiality. It can be used to protect the data flow between a pair of hosts, a pair of gateways or between a host and a gateway. Regarding IPsec security architecture, it defines two types of security policies: the access control list and the crypto map list. Access control list defines the protected traffic and the crypto access list defines the protection parameters to be applied on this traffic. In other words, the distribution of protection in IPsec depends on the design of the security policy and its distribution. C. Firewall and IPsec Comparison To sum up, Firewall is used to protect a network from unwanted traffic, however, IPsec is used to protect a server or a group of servers in a network IPsec protect the wanted traffic while crossing the network, hence IPsec is not just controlling traffic but also protecting it. In other words, firewall security policies are defined to control the traffic access to the network. It aims to permit legitimate traffic and blocks unwanted traffic. On the other hand, IPsec’s access control policy has a similar aim of firewall policy; however legitimate traffic is either permitted directly or protected before the transmission. Therefrom, the main distinction comes between the firewall and IPsec. When the legitimate traffic is judged to be protected, the IPsec encryption list takes place, and the traffic is compared to its filtering rules to find out which IPsec perform (AH, ESP, Tunnel, Transport mode) must be applied on this traffic. Despite the differences, both technologies can be used to ensure the network protection; the firewall is more convenient in term of the centralized protection. Hence IPsec
  • 26. is more powerful in terms of flexible protection and server/domain isolation. III. POLICY VERIFICATION BACKGROUND A. Network Security Policy A network security policy is a set of requirements that control the behavior of an entity in a network. This behavior is defined by a set of constraints, which are meant to govern data access, use, and transfer inside the network. The security policy requirement is defined as a set of filtering rules; these rules are tried in a particular order that ensures the correct execution of policy directives. Generally, security policies are used to ensure three main functionalities: Confidentiality (data secrecy), Integrity (data originality) and Availability (data access). B. Security Policy Analysis After the definition of security policy directives comes the specification of filtering rules. This phase is called policy configuration, and it is typically complicated and error-prone. Despite the huge importance of security policies for the security of communication networks, conflicts can lead to security breaches and high-risk attacks. Conflicts in a network security policy can be the result of misconfiguration or of inconsistency between different rules in the same policy or in different policies. Therefore, to ensure the correct functioning of the policy, conflicts should be avoided or at least identified in order to remove them. This is not as easy as it sounds, because many difficulties make conflict management a very hard task for the network administrator, such as the growing number of internet applications, the nature of distributed networks,
  • 27. different types of security controls and the large number of policies and rules, which can cause an extremely high number of conflicts; hence it becomes intractable for the network administrator. The need therefore arises to find more suitable solutions for the verification of security policies. C. Policy Analysis As discussed before, network security cannot be guaranteed without a well-designed security policy. Hence, several studies have been carried out to overcome the problem of conflicts and configuration errors in different types of security policies, such as social network policies [3] or cloud computing [4]. Policy analysis consists of the verification of policy configuration in order to monitor changes in policies, behavior, or security violations caused by a conflict. Note that during the analysis of a policy, devices which are already deployed remain unchanged and under the control of a network administrator. The works in the literature that extend the concept of policy analysis can be divided into three main categories: reachability, policy comparison and conflict analysis (Fig. 1). Essentially, our focus will be on conflict analysis. Fig. 1. Classification of Policy Analysis Approaches. The analysis of conflicts aims to identify potential errors in single or multiple security policies (intra- and inter-domain). Without loss of generality, the approaches used for conflict analysis can also be categorized into three main categories: verification of configurations, conflicts
  • 28. detection and policy optimization. The solutions proposed for conflict detection in recent years can be divided into three sub-categories: the first is policy management, which is based on data structures as in [5]; the second is the proposition of novel formal models as in [6]; and the last is the proposition of new tools such as [7]. IV. STATE OF THE ART In the literature, firewall policy verification is a very common research field; many approaches have been proposed in order to provide a complete solution to the main problem: conflict analysis. In this section, we present some of the approaches proposed for firewall policy verification. A. Firewall Approaches The proposal of Al-Shaer in [8] was the first paper that introduced the concept of conflict analysis of firewall policy. The authors of this paper define all the existing relations between policy rules; their classification defines 5 types of relationships. Completely disjoint: the rules are independent and do not have any intersection. Exactly matched: two rules match the same traffic and apply the same action to this traffic. Inclusively matched: this relation occurs when the rules do not exactly match the same traffic; in other words, every field in the first rule is a subset of or equal to the corresponding field in the second rule. Partially disjoint: at least one of the first rule's fields is a subset of or equal to that of the other rule. Finally, correlation: some fields of the first rule are subsets of or equal to the corresponding fields in the second rule, and the remaining fields are supersets or equal. The authors represent the policy using a single-rooted tree (policy tree), so every node in the policy tree represents a field of a filtering rule and each branch at this node represents a possible value for the
  • 29. associated field. Then they give a classification of 4 types of anomalies (shadowing, correlation, generalization and redundancy). The authors use a tool called Policy Advisor that helps the administrator manage a firewall policy without prior analysis of filtering rules. It implements two management tools: the policy anomaly detector, which identifies anomalies and notifies the administrator, and the policy editor, which reorders the updated or inserted rules. However, Policy Advisor is limited to detecting only pairwise anomalies in firewall rules. This work was next extended in [9]. In this work, the authors add a new classification which includes multi-firewall environment anomalies. They thus extend their technique to detect anomalies in centralized and distributed legacy firewalls. The newly defined conflicts are shadowing, spuriousness, correlation, redundancy and irrelevance. Shadowing occurs between two rules in two different firewalls that match the same packets, where the first rule blocks a packet that is permitted by the second rule. Spuriousness is defined as the case when two rules match the same packet and the first rule permits this packet, which is blocked by the second rule. According to their definition, rules in correlation are rules in different firewalls. These rules match some common packets but apply different actions. However, if these two rules block the traffic, it is then a redundancy conflict. The irrelevance anomaly is defined by rules which do not have any corresponding matched traffic. The authors specify that the rule insertion phase is performed in two steps: the first is rule placement, which aims to find the corresponding firewall by identifying all the possible paths, and the next step is to verify the relation between the new rule and the existing rules in order to avoid intra-firewall anomalies.
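The pairwise intra-firewall check described above for [8], as an added example that is not the Policy Advisor's own code: it compares rule fields as intervals, derives the rule relation, and labels the four anomaly types using the usual Al-Shaer definitions, which the text only names. The rule format, helper names and sample policy are assumptions constructed for illustration.

```python
import ipaddress
from itertools import combinations

ANY_NET, ANY_PORT = "0.0.0.0/0", (0, 65535)
PROTO = {"any": (0, 255), "tcp": (6, 6), "udp": (17, 17)}

def rule(action, proto, src, dst, dports):
    """Store every matching field as an inclusive integer interval."""
    def net(cidr):
        n = ipaddress.ip_network(cidr)
        return (int(n.network_address), int(n.broadcast_address))
    return {"action": action, "fields": (PROTO[proto], net(src), net(dst), dports)}

def field_rel(a, b):
    """Relation of interval a to interval b."""
    if a == b:
        return "eq"
    if a[1] < b[0] or b[1] < a[0]:
        return "disjoint"
    if b[0] <= a[0] and a[1] <= b[1]:
        return "sub"
    if a[0] <= b[0] and b[1] <= a[1]:
        return "sup"
    return "overlap"

def rule_rel(rx, ry):
    """Relation of rule rx to rule ry, built from the per-field relations."""
    rels = {field_rel(a, b) for a, b in zip(rx["fields"], ry["fields"])}
    if "disjoint" in rels:
        return "disjoint"      # completely or partially disjoint: no shared packet
    if rels == {"eq"}:
        return "exact"
    if rels <= {"eq", "sub"}:
        return "subset"        # rx is inclusively matched by ry
    if rels <= {"eq", "sup"}:
        return "superset"      # ry is inclusively matched by rx
    return "correlated"

def find_anomalies(policy):
    """Return (kind, flagged_rule, related_rule) tuples, rules numbered from 1."""
    found = []
    for (i, rx), (j, ry) in combinations(enumerate(policy, 1), 2):  # rx precedes ry
        rel, same = rule_rel(rx, ry), rx["action"] == ry["action"]
        if rel in ("exact", "superset"):
            # ry never decides a packet: rx already matched all of its traffic
            found.append(("redundancy" if same else "shadowing", j, i))
        elif rel == "subset" and not same:
            found.append(("generalization", j, i))   # ry is the more general rule
        elif rel == "subset":
            # rx is redundant only if no rule between the two overlaps rx with
            # the opposite action (a conservative form of the condition)
            between = policy[i:j - 1]
            if not any(rz["action"] != rx["action"] and
                       rule_rel(rx, rz) != "disjoint" for rz in between):
                found.append(("redundancy", i, j))
        elif rel == "correlated" and not same:
            found.append(("correlation", j, i))
    return found

# Constructed sample policy (first match wins); addresses are illustrative.
POLICY = [
    rule("deny",   "tcp", "10.1.1.0/24", ANY_NET, (80, 80)),      # 1
    rule("accept", "tcp", "10.1.0.0/16", ANY_NET, (80, 80)),      # 2
    rule("accept", "tcp", "10.1.1.5/32", ANY_NET, (80, 80)),      # 3
    rule("deny",   "tcp", ANY_NET, "192.0.2.0/24", (1, 1023)),    # 4
    rule("deny",   "any", ANY_NET, ANY_NET, ANY_PORT),            # 5
]

if __name__ == "__main__":
    for kind, flagged, related in find_anomalies(POLICY):
        print(f"rule {flagged}: {kind} with respect to rule {related}")
```

Rule 1 is not reported as redundant to the default deny in rule 5, because rule 2 sits between them and would accept the same traffic if rule 1 were removed.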
Although this work was very helpful for later studies, it has the drawback of detecting anomalies only afterward and does not provide a recovery mechanism; it is also not suitable for all the
  • 30. security controls. In addition, high performance is guaranteed only for a limited number of rules. Another extension of Al-Shaer’s work is [10]. This work proved that the conflicts in Al-Shaer's classification are the only conflicts that could exist in firewall policies. The authors present a set of algorithms to detect rule anomalies within a single firewall (intra-firewall anomalies) and between interconnected firewalls (inter-firewall anomalies) in the network. In addition to their previous work, they presented a user-friendly Java-based implementation of the Firewall Policy Advisor. This work was also extended by Al-Shaer in [11]. The authors in [12] also proposed a novel tool, “FIREMAN”, for the analysis of firewall policies. They use the Binary Decision Diagram (BDD) [13] to represent the packet filtering policies. This work provides intra-policy packet analysis and verifies the correct implementation of the end-to-end policy. The FIREMAN detection technique is based on the analysis of potential relationships between a filtering rule and a packet space, where this packet space is derived from the set of all the preceding rules. The main limitation of FIREMAN is that it can only detect the anomaly without identifying the rules involved. Also, subsequent rules are ignored during the anomaly analysis. In [14] the FIREMAN tool was extended to deal with NAT and routing tables. Their tool, Prometheus, unlike FIREMAN, is able to detect the misconfiguration as well as the rules responsible for it. Prometheus identifies the anomaly when two different paths within the same firewall execute several decisions for the same packet. In addition, some corrections are also available with this tool. In [15], the authors define a methodology to classify firewall policy rule conflicts according to their severity level. The authors present a classification of different intra-policy conflicts, where severity defines the rank of correlation between the presence of a conflict in the policy and
  • 31. the erroneous behavior of the respective device. Exact match, shadowing, and post redundancy are severe conflicts according to the authors’ definition. The resolution of conflicts depends in some cases on the decision of the network manager, who can associate priorities with the conflicting rules. One of the major limitations of this work is that the approach concerns only a single firewall policy implementation; it is not applied to distributed firewall policies. Al-Shaer's approach was very helpful for researchers, and many works have been proposed based on it. Those novel approaches prove that Al-Shaer's classification is general and applicable to multiple scenarios. Additionally, some researchers introduce different security components into the security policy analysis context. For instance, in [16], the authors add the possibility to manage security policies over distributed network security components such as network intrusion detection systems (NIDS). For the detection of conflicts in packet filtering rules, the authors presented a network model that allows identification of the components which are crossed by a given packet, knowing its source and destination. Based on this model they defined two new types of conflicts (irrelevance and misconnection). In this work, the security policy is rewritten in a positive or negative format (only allow rules or only deny rules). The extended work of this approach is [7], where the MIRAGE tool is proposed. This tool is a management tool for the analysis and deployment of configuration policies over network security components, such as firewalls, intrusion detection systems, and VPN routers. In the same context, another tool was proposed in [17]. The authors propose Margrave, a novel tool for firewall analysis. Besides the analysis of the policy, this tool is able to determine the consequences resulting from configuration updates. Margrave is also able to generate
  • 32. separate policies for functions other than access filtering, like routing and switching, which ensures the analysis of the whole firewall behavior. Other studies present formal models for security policy generation, such as [18]. In this work, the authors present a new formal model for ACL policies; this model, called the geometric model, is based on a set of rules, a default limited number of actions, and uses an ad-hoc resolution strategy. For the resolution of anomalies, the authors present several techniques such as the First Matching Rule (FMR) and the Last Matching Rule (LMR). In addition, the authors define a new type of anomaly which results from the union of more than two rules (general shadowing and general redundancy). In [19] the authors adopt a novel technique of rule segmentation for the identification and resolution of anomalies in firewall policies based on the Binary Decision Diagram (BDD). For this purpose, they adopt a grid-based representation technique which provides an intuitive cognitive sense of the anomaly, in order to identify policy anomalies and resolve them. Based on this technique, the network packet space is divided into disjoint packet space segments, each associated with a unique set of firewall rules. The work in [20] presents a formal model of firewall rule sequences. The authors focus on the rule reordering problem; their method verifies whether a given firewall rule sequence maintains the correct specification of a security policy by checking the relation between rules. They proposed a verification method divided into two parts. The first part is the decision conflict rule set generator, where the security policy is translated into rules that are ordered correctly in the rule base, and rules that generate conflicts are then identified with the policy abstraction technique. The second part is the policy consistency engine, which ensures that rule reordering maintains the correctness of the security policy.
In case of a violation, another rule reordering is needed. In [21], the authors present a framework in order to
  • 33. facilitate the detection of firewall policy conflicts inside dynamic OpenFlow networks. In addition to the previous works in this area, this work presents a model for the detection and resolution of conflicts in real-time situations; the proposed tool, FLOWGUARD, checks network flow path spaces to detect firewall policy violations when network states are updated. However, there is no analysis model in their framework, and it does not cover stateful firewalls in SDNs. Basically, most of the previously cited papers focus on the detection and resolution of conflicts with human intervention, which is in some cases difficult and error-prone. The authors in [22] focus on this point and propose an alternative solution that avoids human intervention, in which they use a query engine for firewall security policy analysis. Their proposal aims to automate the whole process of anomaly resolution without relying on the administrator's intervention. In other words, instead of prompting the administrator to insert the proper order of rules, they implemented a tool (FPQE) which executes a set of queries against a high-level firewall policy. In [5] the authors propose an analysis method that aims to detect anomalies in a firewall configuration file and to determine the consequences resulting from deleting or updating filtering rules in the configuration file. The key to the method is to represent the set of rules with a tree data structure. The Firewall Anomaly Tree (FAT) can be dynamically updated by adding or deleting filtering rules, and it gives the administrator an idea of the adequate position at which to insert a rule. The authors in [23] use a data structure called the Firewall Decision Diagram (FDD) and an inference system. They propose a novel approach to automatically fix firewall misconfigurations. In this work, a classification of
  • 34. different anomalies in the multi-firewall environment is provided, where anomalies are divided into two main parts: real misconfiguration and intended anomaly. Resolution of configuration errors, according to this work, is done by several techniques such as modifying the rule fields, reordering, and removing some rules. In brief, they propose a method for rule set optimization by removing unused rules from the policy. The authors define shadowed and redundant rules as superfluous rules. Superfluous rule identification is based on an inference system, and this kind of rule is removed from the policy. After the removal of superfluous rules, the misconfiguration discovery phase begins. Misconfigurations are identified in both a simple firewall (when different actions are applied to the same traffic in the same firewall configuration) and distributed firewalls (different firewalls apply different actions to the same traffic). B. IPsec Approaches In the literature, IPsec policy verification and management approaches are not as common as those for firewall policies; this may be due to the similarity between the two technologies and the novelty of IPsec compared to firewalls. The concept of verification of IPsec security policies was first introduced in [24]; the analysis is performed on several policy implementations in order to detect conflicts. The authors define a conflict as the case when policy implementations do not satisfy the security policy requirements. They define a requirement as the high-level policy objective, while policy implementations are specified to meet that objective. Thus the policy specification process transforms a requirement into a specific policy implementation. Besides the conflicts
  • 35. detection, the authors also propose a recovery mechanism. The resolution aims to define a new implementation that satisfies the desired policy while minimizing possible damage caused by the violation of any security requirement. However, this method is quite complicated due to the use of non-standard high-level security requirements, which are not always available in existing standards. Furthermore, updating requirements causes the re-initialization of the algorithm each time, which is a tedious task. The schema proposed in this work was next formalized in [6]. The authors propose a method for conflict detection by analyzing IPsec policies. This work can also be considered an extension of [10]. The proposed model incorporates the encryption and packet filter capabilities of IPsec. Two types of conflicts are defined for both the intra- and inter-policy cases. The overlapping session conflict occurs when multiple IPsec sessions are established to deliver a packet to several hosts, and the packet is delivered to the farther host before the nearer one. The second type of conflict is the multi-transform conflict. It is the result of the application of a weaker protection to already encapsulated traffic. The authors also use BDDs to compare rules translated into Boolean functions. The main drawback of this method is that it is limited to conflict detection only, without any recovery process. In addition, processing the policy rules each time is highly time-consuming and inefficient in a dynamic environment. In [25] and [26] the authors present a complete taxonomy of possible conflicts in an IPsec security policy, including both packet-filter and IPsec configuration. Their proposed classification of intra- and inter-policy conflicts is quite similar; however, they define conflicts in a simpler way that makes the implementation much easier. In [27] an architecture that stores all the IPsec policy in a center is proposed.
Thus, this center is accessible by a manager and enforced by an access control policy. IPsec implementations
  • 36. manipulate IPsec databases via a database manager. The authors define IPsec implementations as programs which can establish IPsec channels and access databases (for instance strongSwan and Openswan). The essential contribution is that the use of this manager aims to prevent access to the databases by unauthorized implementations. In addition, this work aims to prevent a conflict before it occurs, which is described as a kind of conflict recovery. However, recovery is only performed for conflict diffusion, which is the authors’ definition of inter-policy conflicts. The algorithm proposed in [28] can be considered an improvement of the solution proposed in [6]. The authors propose an algorithm for the dynamic verification of an IPsec policy. The proposed algorithm defines some types of conflicts (it does not support all the conflicts defined in the previous works). The method essentially uses the BDD to represent the IPsec policy and manipulate Boolean functions in order to dynamically detect conflicts. On the whole, the proposed algorithm generates conflict-free policies from conflicting policies. Thus, besides conflict detection, the authors also present some recovery mechanisms in their approach. Authors in [29] extend the idea of, they improved the conflict classification so that it is easier to implement. An algorithm is proposed for the dynamic detection of both intra- and inter-policy conflicts. The proposed classification includes all the possible conflicts of an IPsec access control list; the proposed algorithm is based on a generic model where each type of conflict is associated with a Boolean expression. The use of Boolean expressions for the representation of the IPsec policy is obtained thanks to the Binary Decision Diagram. Beside the improvement of classification
  • 37. this method can also detect inter-policy conflicts. However, the method was not evaluated to demonstrate the efficiency of the algorithm. TABLE 1. Comparison between different approaches for security policy analysis. Column headings that survive: Approaches, Conflict Classification, …
  • 41. …ention, Dynamicity. Rows (approach and its check marks; column positions not preserved): [8] √ √; [9] √; [10] √; [12] √; [14] √ √; [15] √ √; [16] √ √ √; [7] √ √; [17] √ √ √; [18] √ √ √; [19] √ √ √; [20] √ √ √; [5] √ √ √;
  • 42. [23] √ √ √ …
Discuss an organization’s need for physical security. What methods, approaches, and models can be used by organizations when designing physical security needs? Lastly, explain how these security measures will safeguard the organization. Please make your initial post and two response posts substantive. A substantive post will do at least TWO of the following:
· Ask an interesting, thoughtful question pertaining to the topic
· Answer a question (in detail) posted by another student or the instructor
· Provide extensive additional information on the topic
· Explain, define, or analyze the topic in detail
· Share an applicable personal experience
· Provide an outside source (for example, an article from the UC Library) that applies to the topic, along with additional information about the topic or the source (please cite properly in APA)
· Make an argument concerning the topic.
At least one scholarly source should be used in the initial discussion thread. Be sure to use information from your readings and other sources from the UC Library. Use proper citations and references in your post.