Network security management is a field of increasing complexity. The use of tunnels to service and transport data packets is common on managed networks. In particular, IP Security Protocol (IPSEC) tunneling is used as a primary component to implement a security policy. For example, IPSEC tunnels are used to build secure virtual private networks (VPNs). IPSEC tunnels are widely deployed in large network environments that employ numerous IPSEC enabled security devices and VPNs.
The number of tunnels that an IPSEC enabled device can support varies. Currently, high-end firewalls support over a thousand IPSEC tunnels, while low-end firewalls support only a few. But in each case, the number of IPSEC tunnels that a particular device can support is finite. Among other limitations, this constraint limits the scalability of VPN deployment. For example, a large enterprise network with a major corporate site might include hundreds of remote sites around the world, as well as hundreds of business partner sites. If the corporate site wants to establish a VPN connection with each of the remote sites or partner sites, its firewall (called the hub) needs to support many (sometimes hundreds of) simultaneous IPSEC tunnels. In addition, as the granularity of VPN configuration becomes finer, more than one tunnel is needed for each site. As a result, the hub may be required to support thousands of tunnels. Because IPSEC tunneling capacity cannot be expanded indefinitely, use of tunneling in this type of corporate network can impose performance problems and limit future network expansion. Additional network expansion can become expensive as the security devices of the network approach their tunneling limits. Even at a remote office, the number of IPSEC tunnels needed to connect to the corporate site may exceed the network's IPSEC capacity if a low-end firewall is used.
There is important practical value in minimizing the number of tunnels used in a security configuration. For example, networks can scale more easily when fewer tunnels are needed to implement a security policy. In general, firewalls and other security devices are easier to deploy and manage on a network that has a smaller number of tunnels. In addition, a smaller number of tunnels also simplifies the filtering of data packets through security measures and tunnels.
Currently, networks layer tunnels and other security measures on top of one another. Removing unnecessary tunnels is usually performed manually by the administrators of a network.
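The capacity problem described above can be made concrete with a small model. The following Python script is an added example, not code from the patent or from any product it describes: it assumes a hub-and-spoke layout in which each (gateway pair, traffic-selector pair) is one IPSEC tunnel, counts the tunnels each gateway must terminate, compares that count with a per-device limit, and flags tunnels whose selectors are already covered by a wider tunnel between the same two gateways (the "unnecessary tunnels" an administrator would otherwise have to find by hand). The gateway addresses, networks and capacities are constructed sample values.

```python
"""Hub-and-spoke IPSEC tunnel capacity check (added example, not from the patent).

Assumptions: one tunnel per (local gateway, remote gateway, local network,
remote network); every tunnel consumes one slot on each of its two gateways;
a tunnel is redundant when another tunnel between the same gateways protects
a superset of its traffic selectors.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Tunnel:
    """One IPSEC tunnel: the two gateways plus the traffic selectors it protects."""
    local_gw: str
    remote_gw: str
    local_net: IPv4Network
    remote_net: IPv4Network


def required_tunnels(tunnels):
    """Number of tunnels terminated on each gateway (hub and spokes alike)."""
    counts = defaultdict(int)
    for t in tunnels:
        counts[t.local_gw] += 1
        counts[t.remote_gw] += 1
    return dict(counts)


def over_capacity(tunnels, capacity):
    """Gateways whose required tunnel count exceeds their limit: {gw: (need, limit)}."""
    need = required_tunnels(tunnels)
    return {gw: (n, capacity.get(gw, 0)) for gw, n in need.items()
            if n > capacity.get(gw, 0)}


def redundant_tunnels(tunnels):
    """Indices of tunnels fully covered by another tunnel between the same gateways.

    Of two identical tunnels only the later one is reported, so that pruning
    keeps exactly one copy.
    """
    redundant = []
    for i, a in enumerate(tunnels):
        for j, b in enumerate(tunnels):
            if i == j or (a.local_gw, a.remote_gw) != (b.local_gw, b.remote_gw):
                continue
            covered = (a.local_net.subnet_of(b.local_net)
                       and a.remote_net.subnet_of(b.remote_net))
            identical = (a.local_net, a.remote_net) == (b.local_net, b.remote_net)
            if covered and not (identical and i < j):
                redundant.append(i)
                break
    return redundant


def prune_redundant(tunnels):
    """Return the tunnel list with redundant tunnels removed."""
    drop = set(redundant_tunnels(tunnels))
    return [t for i, t in enumerate(tunnels) if i not in drop]


# Constructed sample: a hub (documentation address 203.0.113.1) and two spokes.
HUB, SPOKE_A, SPOKE_B = "203.0.113.1", "198.51.100.10", "198.51.100.20"
SAMPLE_TUNNELS = [
    Tunnel(HUB, SPOKE_A, IPv4Network("10.0.0.0/16"), IPv4Network("10.1.0.0/16")),
    # Narrower selectors already covered by the tunnel above: redundant.
    Tunnel(HUB, SPOKE_A, IPv4Network("10.0.5.0/24"), IPv4Network("10.1.7.0/24")),
    Tunnel(HUB, SPOKE_B, IPv4Network("10.0.0.0/16"), IPv4Network("10.2.0.0/16")),
    # Exact duplicate of the previous tunnel: redundant.
    Tunnel(HUB, SPOKE_B, IPv4Network("10.0.0.0/16"), IPv4Network("10.2.0.0/16")),
    Tunnel(HUB, SPOKE_B, IPv4Network("10.0.0.0/16"), IPv4Network("10.3.0.0/16")),
]
# Constructed per-device tunnel limits: the hub is mid-range, the spokes are low-end.
SAMPLE_CAPACITY = {HUB: 4, SPOKE_A: 2, SPOKE_B: 2}


if __name__ == "__main__":
    print("required:", required_tunnels(SAMPLE_TUNNELS))
    print("over capacity before pruning:", over_capacity(SAMPLE_TUNNELS, SAMPLE_CAPACITY))
    pruned = prune_redundant(SAMPLE_TUNNELS)
    print("redundant indices:", redundant_tunnels(SAMPLE_TUNNELS))
    print("over capacity after pruning:", over_capacity(pruned, SAMPLE_CAPACITY))
```

With the sample data the hub needs 5 tunnels against a limit of 4 and spoke B needs 3 against a limit of 2; after the two redundant tunnels are pruned every gateway is within capacity. The subsumption test uses `IPv4Network.subnet_of` from the standard library, so an exact duplicate and a strictly narrower selector pair are both detected.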
The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.