Service specific anomaly detection for network intrusion detection
Proceedings of the 2002 ACM symposium on Applied computing
Specification-based anomaly detection: a new approach for detecting network intrusions
Proceedings of the 9th ACM conference on Computer and communications security
Packet classification using multidimensional cutting
Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Information sharing across private databases
Proceedings of the 2003 ACM SIGMOD international conference on Management of data
Information-Theoretic Measures for Anomaly Detection
SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Algorithms for routing lookups and packet classification
Algorithms for routing lookups and packet classification
Foundations of Cryptography: Volume 2, Basic Applications
Foundations of Cryptography: Volume 2, Basic Applications
Firewall Design: Consistency, Completeness, and Compactness
ICDCS '04 Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS'04)
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Packet classifiers in ternary CAMs can be smaller
SIGMETRICS '06/Performance '06 Proceedings of the joint international conference on Measurement and modeling of computer systems
Fast binary and multiway prefix searches for packet forwarding
Computer Networks: The International Journal of Computer and Telecommunications Networking
Computer Networks: The International Journal of Computer and Telecommunications Networking
Collaborative enforcement of firewall policies in virtual private networks
Proceedings of the twenty-seventh ACM symposium on Principles of distributed computing
IEEE Transactions on Parallel and Distributed Systems
Topological transformation approaches to optimizing TCAM-based packet classification systems
Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems
Complete Redundancy Removal for Packet Classifiers in TCAMs
IEEE Transactions on Parallel and Distributed Systems
TCAM Razor: a systematic approach towards minimizing packet classifiers in TCAMs
IEEE/ACM Transactions on Networking (TON)
Privacy-Preserving graph algorithms in the semi-honest model
ASIACRYPT'05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security
An improved algorithm for computing logarithms over and its cryptographic significance (Corresp.)
IEEE Transactions on Information Theory
Bit weaving: A non-prefix approach to compressing packet classifiers in TCAMs
ICNP '09 Proceedings of the 2009 17th IEEE International Conference on Network Protocols. ICNP 2009
Hi-index | 0.00 |
Firewalls have been widely deployed on the Internet for securing private networks. A firewall checks each incoming or outgoing packet to decide whether to accept or discard the packet based on its policy. Optimizing firewall policies is crucial for improving network performance. Prior work on firewall optimization focuses on either intrafirewall or interfirewall optimization within one administrative domain where the privacy of firewall policies is not a concern. This paper explores interfirewall optimization across administrative domains for the first time. The key technical challenge is that firewall policies cannot be shared across domains because a firewall policy contains confidential information and even potential security holes, which can be exploited by attackers. In this paper, we propose the first cross-domain privacy-preserving cooperative firewall policy optimization protocol. Specifically, for any two adjacent firewalls belonging to two different administrative domains, our protocol can identify in each firewall the rules that can be removed because of the other firewall. The optimization process involves cooperative computation between the two firewalls without any party disclosing its policy to the other. We implemented our protocol and conducted extensive experiments. The results on real firewall policies show that our protocol can remove as many as 49% of the rules in a firewall, whereas the average is 19.4%. The communication cost is less than a few hundred kilobytes. Our protocol incurs no extra online packet processing overhead, and the offline processing time is less than a few hundred seconds.