Design and implementation of Cross domain cooperative firewall Jerry Cheng, Hao Yang, Starsky H.Y. Wong, Petros Zerfos, Songwu Lu UCLA Computer Science.

Design and implementation of Cross domain cooperative firewall Jerry Cheng, Hao Yang, Starsky H.Y. Wong, Petros Zerfos, Songwu Lu UCLA Computer Science Department, Los Angeles, CA 90095 Presented by David Rodriguez 10/27/2016

What are they? Cross-domain cooperative firewalls (CDCF) sit at the entrance of an administrative network domain and cooperate with the firewall of another domain, so that a user whose traffic crosses both domains keeps the confidentiality of that traffic while it is still allowed or denied according to each domain's policy. The cooperation is oblivious: each domain applies the other's policy without learning the rules themselves, which protects both the home network and the foreign network the user is visiting. In the spirit of security, we must attempt to protect ourselves and the foreign network.

What's wrong with using a normal firewall? Normally, when users are on a foreign network, they open an encrypted tunnel (a Virtual Private Network) back to their home network. This protects their traffic from man-in-the-middle attacks on the foreign network. However, it also bypasses the foreign network's firewall: the firewall cannot see inside the encrypted tunnel, so it cannot enforce its policies on that traffic.

Alternatives and privacy issues * We could ask users not to encrypt their communication, but that defeats the whole purpose of a VPN. * We could share our firewall policies with the foreign network so that it could enforce them independently. However, firewall policies can be used to infer the internal network structure, so sharing them could jeopardize our security and put us at further risk.

Keys to implementation The most important aspect of CDCF is that the two domains can enforce each other's firewall policies without learning the specifics of those policies. * We must be able to securely send firewall primitives (encrypted rules and connection descriptors) across the network domains. * We must also perform oblivious membership verification: check whether a connection descriptor falls within a rule set without revealing either one to the other party.

How it works A computer in the foreign network starts a VPN connection. The VPN server in the home network authenticates the user using its normal procedure.

How it works Now CDCF takes over. The VPN client and VPN server are modified so that the foreign network knows to send a representative value for each of its firewall rules. It encrypts these values with its key and sends them to the home network.

How it works The home network encrypts the values a second time with its own key and sends them back to the foreign network.

How it works The foreign network now holds a doubly encrypted copy of its own rule set.

How it works Now the client sends its connection descriptor to the home network, encrypted inside the VPN tunnel so that the foreign network cannot read it.

How it works The home network encrypts the descriptor's representative value with its key and sends it to the foreign network.

How it works The foreign network adds its own layer of encryption to that value. Now it holds a doubly encrypted rule set and a doubly encrypted connection descriptor, each carrying one layer from each domain.

How it works The values are double-encrypted to take advantage of the commutative property of the cipher: when two parties each encrypt a message with their own key, the resulting ciphertext is the same whichever party encrypted first. The cipher is also deterministic, so equal plaintexts give equal double ciphertexts, and that is exactly what lets one side compare values without ever seeing the other side's plaintext. It is not a heavyweight cipher, but it is quick enough and secure enough for this purpose: exchanging firewall rule sets and connection descriptors. The cipher used in this paper is Pohlig-Hellman.

Commutative cipher "That is, when one uses the commutative cipher to apply two encryption operations on a message using two different keys, the order of these encryptions does not change the resulting cipher-text. Additionally, the order of the decryption does not affect the resulting plain text."

How it works Now the foreign network runs the oblivious comparison of single values and the oblivious membership verification algorithm to match the doubly encrypted connection descriptor against the doubly encrypted rule set. Rule matching is done on the foreign network.

How it works It compares the two and sends the verdict (allow or deny) to the home network.

How it works The home network takes the verdict from the foreign network and enforces it in its own firewall.

Note Verification takes place on the foreign network. Enforcement takes place on the home network.

Note * The verification must be performed obliviously, so that the comparison is blind: neither side learns the other's private values, the foreign network does not see the connection descriptors and the home network does not see the rules, and the comparing side learns only whether there was a match. * Also, the verification/enforcement exchange happens only once per connection, at setup, so it does not interfere with or slow down the traffic exchange itself.
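To make the exchange in the slides above concrete, here is an added example (my own code, not the paper's or the presenter's) that walks through the bootstrap and one connection check with a Pohlig-Hellman commutative cipher. Several details are assumptions not stated in the slides: each firewall range is converted into the minimal set of binary prefixes covering it and each descriptor field into all of its prefixes, so that "does the descriptor fall in the rule" becomes an equality test on tokens; the "representative value" of a token is a SHA-256 hash mapped into the group; rule order, field names and actions stay in the clear; and the modulus is the Mersenne prime 2^521-1 rather than the large safe prime a deployment would use. The parties and the direction of each message follow the slides: the foreign network encrypts its rules, the home network adds a layer and returns them, the home network encrypts the descriptor, the foreign network adds its layer, matches, and returns the verdict.

```python
import hashlib
import math
import secrets
from typing import Dict, List, Tuple

# Pohlig-Hellman exponentiation cipher over Z_p^*: E_k(m) = m^k mod p.  It is
# commutative because (m^a)^b = (m^b)^a = m^(ab) mod p.  p = 2^521 - 1 (a Mersenne
# prime) is used only for compactness; it is NOT a safe prime, and a deployment
# should use a large safe prime p = 2q + 1 to avoid small subgroups.
P = 2**521 - 1

def keygen() -> int:
    """Exponent k with gcd(k, p-1) == 1, so m -> m^k permutes Z_p^* and inverts."""
    while True:
        k = secrets.randbelow(P - 2) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def encrypt(k: int, m: int) -> int:
    return pow(m, k, P)

def decrypt(k: int, c: int) -> int:
    return pow(c, pow(k, -1, P - 1), P)  # k^-1 mod (p-1) undoes the exponent

K_FN, K_HN = keygen(), keygen()  # one long-term key per domain (foreign, home)
FIELDS: Dict[str, int] = {"dst_ip": 32, "dst_port": 16, "proto": 8}  # bit widths

def encode(field: str, prefix: str) -> int:
    """Representative value of a (field, binary prefix) token in Z_p^*; assumed here
    to be a hash, the slides do not say how the value is derived."""
    digest = hashlib.sha256(f"{field}|{prefix}".encode()).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1

def range_to_prefixes(lo: int, hi: int, width: int) -> List[str]:
    """Minimal set of binary prefixes covering [lo, hi]; '*' is the empty prefix."""
    out: List[str] = []
    def walk(base: int, depth: int) -> None:
        size = 1 << (width - depth)
        end = base + size - 1
        if hi < base or lo > end:        # block is disjoint from the range
            return
        if lo <= base and end <= hi:     # block lies entirely inside the range
            out.append(format(base >> (width - depth), f"0{depth}b") if depth else "*")
            return
        walk(base, depth + 1)
        walk(base + size // 2, depth + 1)
    walk(0, 0)
    return out

def value_to_prefixes(value: int, width: int) -> List[str]:
    """Every prefix of a value; exactly one equals a covering prefix if in range."""
    bits = format(value, f"0{width}b")
    return ["*"] + [bits[:n] for n in range(1, width + 1)]

Rule = Tuple[Dict[str, Tuple[int, int]], str]   # ({field: (lo, hi)}, action)
EncRule = Tuple[Dict[str, frozenset], str]      # ({field: ciphertexts}, action)

def encrypt_rules(k: int, rules: List[Rule]) -> List[EncRule]:
    """Foreign network: encrypt every range prefix under k_fn (structure in clear)."""
    return [({f: frozenset(encrypt(k, encode(f, p))
                           for p in range_to_prefixes(lo, hi, FIELDS[f]))
              for f, (lo, hi) in ranges.items()}, action)
            for ranges, action in rules]

def reencrypt_rules(k: int, enc: List[EncRule]) -> List[EncRule]:
    """Home network: add its layer, giving E_hn(E_fn(token)) for every token."""
    return [({f: frozenset(encrypt(k, c) for c in cs) for f, cs in fields.items()}, a)
            for fields, a in enc]

def encrypt_descriptor(k: int, desc: Dict[str, int]) -> Dict[str, List[int]]:
    """Home network: all prefixes of each descriptor field, encrypted under k_hn."""
    return {f: [encrypt(k, encode(f, p)) for p in value_to_prefixes(v, FIELDS[f])]
            for f, v in desc.items()}

def reencrypt_descriptor(k: int, enc: Dict[str, List[int]]) -> Dict[str, List[int]]:
    """Foreign network: add its layer, giving E_fn(E_hn(token)) for every token."""
    return {f: [encrypt(k, c) for c in cs] for f, cs in enc.items()}

def oblivious_match(rules: List[EncRule], desc: Dict[str, List[int]],
                    default: str = "allow") -> str:
    """First match on doubly encrypted values: a field matches when one descriptor
    prefix ciphertext equals one of the rule's range ciphertexts."""
    for fields, action in rules:
        if all(any(c in fields[f] for c in desc[f]) for f in fields):
            return action
    return default

def run_cdcf(policy: List[Rule], desc: Dict[str, int]) -> str:
    """Bootstrap (FN -> HN -> FN), then one connection check (HN -> FN -> verdict)."""
    rules_at_fn = reencrypt_rules(K_HN, encrypt_rules(K_FN, policy))
    desc_at_fn = reencrypt_descriptor(K_FN, encrypt_descriptor(K_HN, desc))
    return oblivious_match(rules_at_fn, desc_at_fn)  # verdict is sent back to HN

def ip(dotted: str) -> int:
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")

# Constructed sample policy for the foreign network (not taken from the paper).
FOREIGN_POLICY: List[Rule] = [
    ({"dst_ip": (0, 2**32 - 1), "dst_port": (135, 139), "proto": (6, 6)}, "deny"),
    ({"dst_ip": (ip("10.0.0.0"), ip("10.255.255.255")),
      "dst_port": (0, 65535), "proto": (0, 255)}, "deny"),
]
```

Run `run_cdcf(FOREIGN_POLICY, {"dst_ip": ip("192.0.2.10"), "dst_port": 139, "proto": 6})` and the verdict is "deny"; change the protocol to 17 (UDP) and it becomes "allow". Note what the matching side sees: only which doubly encrypted tokens coincide, never the addresses or ports, but it does see how many tokens each rule and descriptor has and which rule fired, which is the kind of structural leakage the dummy rules and dummy connections discussed below are meant to blur.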

Issues * User connection privacy: the foreign network performs the rule matching. The values themselves are oblivious to it, but it can still draw inferences from the connections that are made: behavioral and temporal analysis of which encrypted descriptors match which encrypted rules can leak information about the rule set and about the user's connections.

Privacy enhancements Obfuscation: to increase privacy and make analysis harder, dummy fields/rules and dummy connections are introduced. These make behavioral/temporal analysis more difficult, because the observer sees more data and cannot tell which of it is valid.

Issues * Foreign network privacy: the foreign network's rule set is sent to the home network in encrypted form. However, a match must occur for the foreign network to return its verdict, so the home network could probe the foreign network with chosen connection descriptors to reveal information about its rules. The authors show that this is no more effective than an ordinary brute-force probe of the firewall and does not decrease the security of the foreign network.

Implementation analysis The authors' performance graphs show that only the bootstrap phase of CDCF incurs significant overhead, because of the cross-domain communication it requires. It occurs only once per communication session.

Conclusion The authors have proposed a novel process for mitigating the risks a foreign network takes on when a visiting user opens a VPN tunnel. Their proposal increases privacy, lets the foreign network's policy be applied to traffic that an encrypted tunnel would otherwise hide from it, and does not substantially increase the overhead or cost of the implementation.

Questions?