Design and implementation of Cross domain cooperative firewall Jerry Cheng, Hao Yang, Starsky H.Y. Wong, Petros Zerfos, Songwu Lu UCLA Computer Science.


1 Design and implementation of Cross domain cooperative firewall Jerry Cheng, Hao Yang, Starsky H.Y. Wong, Petros Zerfos, Songwu Lu UCLA Computer Science Department, Los Angeles, CA Presented by David Rodriguez 10/27/2016 What are they? They are firewalls at the entrance of an administrative network domain that work together to enable confidentiality and privacy for users who cross domains, by allowing or denying network traffic based on its policy. They work in a cooperative, oblivious manner: they share these policies with the external network's firewall in order to protect themselves and the foreign network that the user is accessing. In the spirit of security, we must attempt to protect both ourselves and the foreign network.

2 What’s wrong with using a normal firewall?
Normally, when users are on foreign networks, they use an encrypted tunnel (Virtual Private Network) in order to communicate with their home network. This protects the information from Man in the Middle attacks. However, the encryption also bypasses the foreign network's firewall: the firewall can't see into the encrypted tunnel, so it can't enforce its policies.

3 Alternatives and Privacy issues
* We could ask users not to encrypt their communication, but that defeats the whole purpose of a VPN. * We could also share our firewall policies with the foreign network so that they could enforce them independently. However, firewall policies can be used to infer the internal network structure. Sharing could jeopardize our security and put us at further risk.

4 Keys to implementation
The most important aspect of using a CDCF is that the two domains can enforce each other's firewall policies without knowing the specifics of those policies. * We must be able to securely send firewall primitives across the network domains. * We must also perform oblivious membership verification.

5 How it works FOREIGN HOME
Computer in foreign network starts a VPN connection. The VPN server authenticates the user using normal procedures.

6 How it works FOREIGN HOME
Now CDCF takes over. By making changes to the VPN client and VPN server, the foreign network now knows to send a representative value for its firewall policies. It encrypts them with its key and sends them to the home network.

7 How it works FOREIGN HOME
The home network double-encrypts using its key and then sends it back to the foreign network.

8 How it works FOREIGN HOME
The foreign network now has a doubly encrypted firewall rule set.

9 How it works FOREIGN HOME
Now the client sends to the home network its connection descriptor, which it encrypts with its key.

10 How it works FOREIGN HOME
The home network encrypts it again using its key and sends the representative value back to the foreign network.

11 How it works FOREIGN HOME
Now, the foreign network has a double-encrypted rule set value and a doubly encrypted connection descriptor value.

12 How it works FOREIGN HOME
These are double-encrypted to take advantage of the commutative property of the cipher: two parties can encrypt with two different keys, and the order in which they apply their encryptions does not change the resulting cipher-text. This is not extremely secure, but it is quick enough and secure enough to transmit firewall rule sets. The cipher used in this paper was Pohlig-Hellman.

13 Commutative cipher “That is, when one uses the commutative cipher to apply two encryption operations on a message using two different keys, the order of these encryptions does not change the resulting cipher-text. Additionally, the order of the decryption does not affect the resulting plain text.” The cipher used in this paper was Pohlig-Hellman.

14 How it works FOREIGN HOME
Now, the foreign network uses the oblivious comparison of singular values and the oblivious membership verification algorithms to match the doubly-encrypted connection descriptor with the doubly-encrypted rule set. Rule matching is done on the foreign network.

15 How it works FOREIGN HOME
It compares and then sends the verdict to the home network.

16 How it works FOREIGN HOME
The home network uses the verdict from the foreign network and enforces it via its firewall.
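The following Python example is an added illustration of slides 5 through 16 and of the commutative cipher from slide 13; it is not code from the paper or from the presenter. It implements Pohlig-Hellman exponentiation over a prime field (a constructed toy prime, not a parameter from the paper), shows that two encryptions commute, and then runs the double-encryption exchange: the foreign side blinds its rule representatives, the home side blinds them again, and the connection descriptor is blinded by both sides in the opposite order, so that the foreign side can compare doubly-encrypted values without ever seeing the plaintext descriptor and the home side never sees the plaintext rules. Rules are modelled as exact-match representative strings (an assumption; the paper's rules also cover ranges, which the slides do not detail), and the descriptor is assumed to be blinded by the home side first, which is the order in which the commutative property is actually needed.

```python
import hashlib
import secrets
from math import gcd

# Constructed parameter for the example: the Mersenne prime 2^127 - 1.
# A deployment would choose a much larger safe prime; this is just a field
# big enough to make the commutative-cipher arithmetic visible.
P = 2**127 - 1


def keygen(p: int = P) -> int:
    """Pohlig-Hellman key: an exponent coprime to p-1 so that decryption exists."""
    while True:
        k = secrets.randbelow(p - 3) + 2
        if gcd(k, p - 1) == 1:
            return k


def encrypt(m: int, k: int, p: int = P) -> int:
    """E_k(m) = m^k mod p. Exponentiations with two keys commute."""
    return pow(m, k, p)


def decrypt(c: int, k: int, p: int = P) -> int:
    """D_k(c) = c^(k^-1 mod p-1) mod p."""
    return pow(c, pow(k, -1, p - 1), p)


def representative(value: str, p: int = P) -> int:
    """Map a rule or connection descriptor string to a group element.

    Values 0 and 1 are fixed points of exponentiation and would leak, so the
    hash is shifted into [2, p-1]. Representative encoding is an assumption of
    this example; the slides only say a 'representative value' is sent.
    """
    h = int.from_bytes(hashlib.sha256(value.encode()).digest(), "big")
    return h % (p - 2) + 2


def commutes(m: int, k1: int, k2: int) -> bool:
    """Slide 13: E_k1(E_k2(m)) == E_k2(E_k1(m)), and decryption order is free too."""
    c12 = encrypt(encrypt(m, k1), k2)
    c21 = encrypt(encrypt(m, k2), k1)
    back = decrypt(decrypt(c12, k1), k2)
    return c12 == c21 and back == m


def cdcf_match(rules: list[str], descriptor: str, k_foreign: int, k_home: int) -> bool:
    """Run the double-encryption exchange and return the foreign side's verdict.

    Returns True when the doubly-blinded descriptor matches one of the
    doubly-blinded rule representatives (i.e. the rule set covers it).
    """
    # Slide 6: foreign firewall blinds its rule representatives with its key.
    rules_f = [encrypt(representative(r), k_foreign) for r in rules]
    # Slides 7-8: home firewall blinds them again and returns the set.
    rules_fh = [encrypt(c, k_home) for c in rules_f]

    # Slides 9-10: the descriptor is blinded by the home side, then the
    # foreign side applies its own key. The foreign side only ever sees
    # E_home(descriptor), never the plaintext connection details.
    desc_h = encrypt(representative(descriptor), k_home)
    desc_hf = encrypt(desc_h, k_foreign)

    # Slides 14-15: oblivious membership check on the foreign side. Because
    # the cipher commutes, E_f(E_h(d)) equals E_h(E_f(r)) exactly when d == r.
    verdict = desc_hf in rules_fh
    return verdict


if __name__ == "__main__":
    # Constructed sample rule set and connection descriptors.
    sample_rules = ["tcp:10.0.0.5:443", "tcp:10.0.0.7:22", "udp:10.0.0.9:53"]
    kf, kh = keygen(), keygen()
    print("commutes:", commutes(representative("demo"), kf, kh))
    print("allowed:", cdcf_match(sample_rules, "tcp:10.0.0.5:443", kf, kh))
    print("blocked:", cdcf_match(sample_rules, "tcp:10.0.0.5:8080", kf, kh))
```

Nothing in this exchange lets the foreign side decrypt the rule or descriptor values (it lacks the home key, and discrete-log hardness in the field is what the cipher rests on), but as slides 19 and 21 note, equality of blinded values is itself observable, which is why matching results leak some information over time.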

17 Note FOREIGN HOME Verification takes place on the foreign network.
Enforcement takes place on the home network.

18 Note FOREIGN HOME * The verification comparison needs to take place in an oblivious manner so that the comparison is blind. The foreign network doesn’t know the firewall rules or connection descriptions. * Also, the verification/enforcement process only occurs once during the communication so that it does not interfere or slowdown traffic exchange.

19 ISSUES FOREIGN HOME * User connection privacy issues: the foreign network performs the rule-matching. The matching is oblivious to the foreign network, but inferences can still be made from which connections are made. It can draw inferences about the firewall rule set and the user's connection descriptions through behavioral/temporal analysis.

20 Privacy enhancements FOREIGN HOME
Obfuscation: In order to increase privacy and make analysis harder, dummy fields/rules and dummy connections are introduced. These make behavioral/temporal analysis more difficult, increase the volume of data an observer must handle, and make it harder to determine which data is valid.

21 ISSUES FOREIGN HOME * Foreign Network Privacy: The foreign network's rule set is sent in encrypted form to the home network. However, a match must be made in order for the foreign network to send its validity check, so the home network could probe the foreign network in order to reveal information about its rules. The authors show that this is no more effective than a normal brute-force probe and does not decrease the security of the foreign network.

22 Implementation Analysis
As you can see in the graphs above, only the bootstrap phase of CDCF requires a significant amount of overhead. This is due to the cross-domain communication, and it occurs only once per communication.

23 Conclusion The authors have proposed a novel process for mitigating the foreign-network risks associated with VPN interaction. Their proposal increases privacy, reduces the issues created by encrypted channels bypassing the foreign firewall, and does not substantially increase the overhead or cost of their implementation.

24 Questions?

