Cross-domain privacy-preserving cooperative firewall optimization

Authors:
Fei Chen;Bezawada Bruhadeshwar;Alex X. Liu
Affiliations:
VMware, Inc., Palo Alto, CA and Department of Computer Science and Engineering, Michigan State University, East Lansing, MI;Center for Security, Theory, and Algorithmic Research, International Institute of Information Technology, Hyderabad, India;Department of Computer Science and Technology, Nanjing University, Nanjing, China
Venue:
IEEE/ACM Transactions on Networking (TON)
Year:
2013

Citing 21
Cited 0

Service specific anomaly detection for network intrusion detection

Proceedings of the 2002 ACM symposium on Applied computing
Specification-based anomaly detection: a new approach for detecting network intrusions

Proceedings of the 9th ACM conference on Computer and communications security
Packet classification using multidimensional cutting

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Information sharing across private databases

Proceedings of the 2003 ACM SIGMOD international conference on Management of data
Information-Theoretic Measures for Anomaly Detection

SP '01 Proceedings of the 2001 IEEE Symposium on Security and Privacy
Algorithms for routing lookups and packet classification

Algorithms for routing lookups and packet classification
Foundations of Cryptography: Volume 2, Basic Applications

Foundations of Cryptography: Volume 2, Basic Applications
Firewall Design: Consistency, Completeness, and Compactness

ICDCS '04 Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS'04)
A Quantitative Study of Firewall Configuration Errors

Computer
FIREMAN: A Toolkit for FIREwall Modeling and ANalysis

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Packet classifiers in ternary CAMs can be smaller

SIGMETRICS '06/Performance '06 Proceedings of the joint international conference on Measurement and modeling of computer systems
Fast binary and multiway prefix searches for packet forwarding

Computer Networks: The International Journal of Computer and Telecommunications Networking
Structured firewall design

Computer Networks: The International Journal of Computer and Telecommunications Networking
Collaborative enforcement of firewall policies in virtual private networks

Proceedings of the twenty-seventh ACM symposium on Principles of distributed computing
Diverse Firewall Design

IEEE Transactions on Parallel and Distributed Systems
Topological transformation approaches to optimizing TCAM-based packet classification systems

Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems
Complete Redundancy Removal for Packet Classifiers in TCAMs

IEEE Transactions on Parallel and Distributed Systems
TCAM Razor: a systematic approach towards minimizing packet classifiers in TCAMs

IEEE/ACM Transactions on Networking (TON)
Privacy-Preserving graph algorithms in the semi-honest model

ASIACRYPT'05 Proceedings of the 11th international conference on Theory and Application of Cryptology and Information Security
An improved algorithm for computing logarithms over and its cryptographic significance (Corresp.)

IEEE Transactions on Information Theory
Bit weaving: A non-prefix approach to compressing packet classifiers in TCAMs

ICNP '09 Proceedings of the 2009 17th IEEE International Conference on Network Protocols. ICNP 2009

Quantified Score

Hi-index	0.00

Visualization

Abstract

Firewalls have been widely deployed on the Internet for securing private networks. A firewall checks each incoming or outgoing packet to decide whether to accept or discard the packet based on its policy. Optimizing firewall policies is crucial for improving network performance. Prior work on firewall optimization focuses on either intrafirewall or interfirewall optimization within one administrative domain where the privacy of firewall policies is not a concern. This paper explores interfirewall optimization across administrative domains for the first time. The key technical challenge is that firewall policies cannot be shared across domains because a firewall policy contains confidential information and even potential security holes, which can be exploited by attackers. In this paper, we propose the first cross-domain privacy-preserving cooperative firewall policy optimization protocol. Specifically, for any two adjacent firewalls belonging to two different administrative domains, our protocol can identify in each firewall the rules that can be removed because of the other firewall. The optimization process involves cooperative computation between the two firewalls without any party disclosing its policy to the other. We implemented our protocol and conducted extensive experiments. The results on real firewall policies show that our protocol can remove as many as 49% of the rules in a firewall, whereas the average is 19.4%. The communication cost is less than a few hundred kilobytes. Our protocol incurs no extra online packet processing overhead, and the offline processing time is less than a few hundred seconds.