Published by Maurice Grant, modified over 9 years ago
Slide 1: Cross-Domain Privacy-Preserving Collaborative Firewall Optimization
Fei Chen, Computer Science and Engineering, Michigan State University
Joint work with Bruhadeshwar Bezawada and Alex Liu
Slide 2: Motivation
(figure: business networks and home networks connected through the Internet)
The number of rules in a firewall significantly affects network throughput.
Slide 3: Motivation
Many solutions have been proposed to eliminate redundant rules from a single firewall. There could, however, be a lot of rules that are common across a series of firewalls, for example rules that block a common malicious website (figure: FW 1 in front of Net 1, FW 2 in front of Net 2).

FW 1 (Net 1):
  Rule  SIP        DIP          SP  DP  PR   Dec
  r1'   1.2.*.*    192.168.*.*  *   *   TCP  discard
  r2'   2.3.*.*    192.168.*.*  *   *   TCP  accept
  r3'   *          *            *   *   *    discard

FW 2 (Net 2):
  Rule  SIP        DIP          SP  DP  PR   Dec
  r1    1.2.1.*    192.168.1.*  *   25  TCP  accept
  r2    1.2.1.*    192.168.*.*  80  *   TCP  discard
  r3    *          *            *   *   *    accept
Slide 4: Motivation
Can we detect redundant rules across firewalls?
How do we preserve the privacy of firewalls that belong to different parties?
(same FW 1 and FW 2 rule tables as slide 3)
Slide 5: Problem Statement
Detect redundant rules across firewalls:
- Single-rule redundancy detection: one rule in FW 2 is covered by another rule in FW 1
- Multi-rule redundancy detection: one rule in FW 2 is covered by multiple rules in FW 1
Preserve the privacy of the two firewalls:
- One party cannot figure out the firewall rules of the other party
(same FW 1 and FW 2 rule tables as slide 3)
Slide 6: Related work
Firewall optimization:
- Local optimization has received intense study: redundant rule removal, TCAM optimization
- Global optimization is impractical: no party likes to reveal its internal security requirements, as this information is sensitive and confidential
- No prior work investigates cooperative optimization
Collaborative firewall enforcement in VPN:
- It focuses on enforcing a firewall policy over VPN tunnels in a privacy-preserving manner
- It preserves the privacy of the remote network's firewall and of the packets in VPN tunnels, whereas this paper preserves the privacy of different firewalls
Slide 7: Basic building blocks
Prefix membership verification: is 5 in [3, 7]?
- Prefix format: the range [3, 7] (FW 1 side) is converted to the prefix set {011, 1**}
- Prefix family: the value 5 (FW 2 side) is expanded to F(5) = {101, 10*, 1**, ***}
- Prefix numericalization: {011, 1**} becomes {0111, 1100} and F(5) becomes {1011, 1010, 1100, 1000}
- If these two sets have a common element (here 1100), 5 is in [3, 7]
Slide 8: Simple but incorrect solutions (1/2)
For preserving privacy: the two parties apply a keyed hash function (HMAC with key g) to each numericalized prefix, so FW 1 sends {h_g(0111), h_g(1100)} and FW 2 sends {h_g(1011), h_g(1010), h_g(1100), h_g(1000)} for the example [3, 7] and 5.
Drawbacks: the hash function is efficient to compute and the length of an IPv4 address is only 32 bits, so each party can brute-force compute the hash value of every number.
Slide 9: Simple but incorrect solutions (2/2)
For detecting redundant rules: directly comparing the rules of the two firewalls is incorrect.
- It may report wrong rules as redundant in FW 2: r2 is covered by r2', but it is not covered by r2' minus r1' (figure: overlapping regions of r1, r2 in FW 2 and r1', r2' in FW 1 with accept and discard decisions)
- It may find only a portion of the redundant rules: as long as r2 minus r1 is covered by r2' minus r1', r2 is a redundant rule in FW 2
Slide 10: Preserving privacy
For preserving privacy, we use commutative encryption.
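Added example (not from the slides): the prefix membership check of slide 7 carried out under the commutative encryption of slide 10, so that Net 1 learns whether Net 2's value falls in its range without either side seeing the other's plaintext prefixes. It assumes a Pohlig-Hellman style cipher x^k mod p with a 127-bit prime and 3-bit fields; the slides name neither the scheme nor its parameters, and the prime is for illustration rather than a production choice.

```python
import math
import secrets

P = 2**127 - 1      # toy prime modulus for the commutative cipher (assumption)
WIDTH = 3           # slide 7 uses 3-bit numbers: range [3, 7] and value 5

def range_to_prefixes(lo, hi, width=WIDTH):
    """[3, 7] -> ['011', '1**']: split a range into aligned prefixes."""
    out = []
    while lo <= hi:
        size = 1                      # grow the largest aligned block at lo
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        stars = size.bit_length() - 1
        out.append(format(lo, f"0{width}b")[:width - stars] + "*" * stars)
        lo += size
    return out

def prefix_family(value, width=WIDTH):
    """F(5) = ['101', '10*', '1**', '***']: every prefix containing value."""
    bits = format(value, f"0{width}b")
    return [bits[:k] + "*" * (width - k) for k in range(width, -1, -1)]

def numericalize(prefix):
    """'1**' -> 0b1100: a 1 marks where the stars begin, then zero padding."""
    i = prefix.find("*")
    body = prefix + "1" if i < 0 else prefix[:i] + "1" + "0" * (len(prefix) - i)
    return int(body, 2)

def keygen():
    while True:                       # exponent must be invertible mod P-1
        k = secrets.randbelow(P - 2) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def encrypt(values, key):
    """Pohlig-Hellman style: x -> x^key mod P, commutative across keys."""
    out = [pow(v, key, P) for v in values]
    secrets.SystemRandom().shuffle(out)   # slides: permute prefixes before sending
    return out

def value_in_range(lo, hi, value):
    """Two-party exchange: Net 1 holds [lo, hi], Net 2 holds value."""
    k1, k2 = keygen(), keygen()       # each party keeps its own key
    # Net 1 -> Net 2: range prefixes under k1; Net 2 adds k2 and returns them.
    rng = encrypt(encrypt(map(numericalize, range_to_prefixes(lo, hi)), k1), k2)
    # Net 2 -> Net 1: prefix family under k2; Net 1 adds k1.
    fam = encrypt(encrypt(map(numericalize, prefix_family(value)), k2), k1)
    return bool(set(rng) & set(fam))  # a common element means value is in range
```

Because the cipher is deterministic, Net 1 still learns how many doubly encrypted elements match, which is exactly the equality information the protocol is designed to reveal and nothing more.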
Slide 11: Processing FW 1
(figure: FDD with root F1 split into [0,4], [5,7] and [8,15]; the F2 nodes below split into [0,15], into [0,4] and [5,15], and into [0,15]; leaf decisions a, d, d, d)
1. FDD construction
2. Extract non-overlapping rules with the discard decision
3. Convert ranges to prefixes
4. Extract and permute the prefixes
5. Numericalize the prefixes
6. Encrypt by Net 1
7. Encrypt by Net 2
8. Reconstruct the non-overlapping rules by Net 1
Slide 12: Processing FW 2
(figure: all-match FDD with root F1 split into [0,2], [3,5] and [6,15]; the F2 nodes below split into [0,6] and [7,15], and into [0,5] and [6,15]; each path is labelled with the sequence of rules it matches, such as 4; 1,2,4; 2,4; 3,4; with decisions d, a, d, d, d, a)
1. Construct the all-match FDD
2. Extract non-overlapping rules
3. Convert values to prefix families
4. Extract and permute the prefixes for each field
5. Numericalize and encrypt by Net 2
6. Encrypt by Net 1
Slide 13: Comparing FW 1 and FW 2
- Net 1 compares the two reconstructed firewalls
- Net 2 finds the corresponding prefix families in FW 2
(figure: reconstructed FW 1 and FW 2)
Slide 14: Remove redundant rules
Identify redundant rules (figure: the all-match FDD of slide 12, with paths labelled 4; 1,2,4; 4; 2,4; 3,4; 4 and decisions d, a, d, d, d, a).
The candidate redundant rule set is {1, 2, 4}. However, because (1) rule 4 is the first rule in the third and the last paths and (2) rule 2 is the first rule in the fourth path, the redundant rule in FW 2 is r1.
Slide 15: What if Net 1 misbehaves?
Net 1 changes its FW 1 without notifying Net 2 (figure: FW 2 keeps r2, r3, r4 while FW 1 now holds new rules nr1, nr2).
Countermeasure: periodically re-run the check.
Slide 16: Experimental Results (1/4)
We conducted experiments on both real and synthetic firewalls.
For real firewalls: our approach achieves significant compression on four real firewall groups.
(chart: redundancy ratios for 5 real firewall groups)
Slide 17: Experimental Results (2/4)
For real firewalls: our approach is efficient for the conversion and comparison of two real ACLs.
(chart: processing FW 1 on real firewalls)
Slide 18: Experimental Results (3/4)
For synthetic firewalls with 200 to 2000 rules, for the conversion of FW 1:
- The processing time of Net 1 is less than 400 seconds and the processing time of Net 2 is less than 5 seconds
- The communication costs are less than 450 KB
(chart: processing FW 1 on synthetic firewalls)
Slide 19: Experimental Results (4/4)
For synthetic firewalls with 200 to 2000 rules, for the conversion of FW 2:
- The processing time of Net 2 is also less than 400 seconds and the processing time of Net 1 is less than 20 seconds
- The communication cost is less than 1600 KB
(chart: processing FW 2 on synthetic firewalls)
Slide 20: Experimental Results
For synthetic firewalls with 200 to 2000 rules, the comparison time of the two synthetic firewalls is less than 4 seconds.
(chart: comparing two synthetic firewalls)
Slide 21: Questions
Thank you!