
Cross-Domain Privacy-Preserving Collaborative Firewall Optimization




Presentation Transcript


  1. Cross-Domain Privacy-Preserving Collaborative Firewall Optimization
  Fei Chen, Computer Science and Engineering, Michigan State University. Joint work with Bruhadeshwar Bezawada and Alex Liu.

  2. Motivation
  (Figure: business networks and home networks connected through the Internet, each behind a firewall)
  • The number of rules in a firewall significantly affects network throughput

  3. Motivation
  • Many solutions have been proposed to eliminate redundant rules from a single firewall
  • Many rules may be common across a series of firewalls, e.g. rules blocking the same malicious website
  (Figure: Net1 behind FW1 and Net2 behind FW2)

  4. Motivation
  • Can we detect redundant rules across firewalls?
  • How do we preserve the privacy of firewalls that belong to different parties?
  (Figure: Net1 behind FW1 and Net2 behind FW2)

  5. Problem statement
  • Detect redundant rules across firewalls
    • Single-rule redundancy detection: one rule in FW2 is covered by one rule in FW1
    • Multi-rule redundancy detection: one rule in FW2 is covered by several rules in FW1
  • Preserve the privacy of both firewalls
    • Neither party can learn the firewall rules of the other
  (Figure: Net1 behind FW1 and Net2 behind FW2)

  6. Related work
  • Firewall optimization
    • Local optimization has received intense study: redundant rule removal, TCAM optimization
    • Global optimization is impractical: no party wants to reveal its internal security requirements, which are sensitive and confidential
    • No prior work investigates cooperative optimization
  • Collaborative firewall enforcement in VPN
    • Enforces a firewall policy over VPN tunnels in a privacy-preserving manner
    • Preserves the privacy of the remote network's firewall and of the packets in the VPN tunnels, whereas this paper preserves the privacy of two different firewalls against each other

  7. Basic building blocks
  • Prefix membership verification: does the value 5 (from FW2) lie in the range [3, 7] (from FW1)?
    • Prefix family of 5: F(5) = {101, 10*, 1**, ***}
    • Prefix format of [3, 7] (its minimal covering prefixes): {011, 1**}
    • Prefix numericalization (append a 1 bit to the fixed bits, then pad with 0s): F(5) → {1011, 1010, 1100, 1000}; [3, 7] → {0111, 1100}
    • If the two numericalized sets share an element (here 1100), 5 is in [3, 7]
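
As an added worked example (not code from the talk or the paper), the following Python carries slide 7's prefix membership verification through end to end: it converts the range [3, 7] into its covering prefixes, expands 5 into its prefix family, numericalizes both sets and tests them for a common element. The numericalization rule (append a 1 to the fixed bits, then pad with 0s to width + 1 bits) is read off the slide's values; `exhaustive_check` goes beyond the slide and confirms the method against plain comparison for every value and range of a 4-bit field.

```python
# Added example (not from the paper): prefix membership verification as on
# slide 7. A range is converted to the fewest prefixes covering it, a value is
# expanded into its prefix family, both are numericalized, and the value lies
# in the range iff the two numeric sets intersect.


def range_to_prefixes(lo, hi, width):
    """Cover [lo, hi] (width-bit integers) with the fewest prefixes, e.g. [3, 7] -> ['011', '1**']."""
    prefixes = []
    while lo <= hi:
        # Grow k while lo is aligned to 2^(k+1) and the block of 2^(k+1) values still fits.
        k = 0
        while k < width and lo % (1 << (k + 1)) == 0 and lo + (1 << (k + 1)) - 1 <= hi:
            k += 1
        fixed = format(lo >> k, "0{}b".format(width - k)) if width > k else ""
        prefixes.append(fixed + "*" * k)
        lo += 1 << k
    return prefixes


def prefix_family(value, width):
    """All prefixes matching value, most specific first, e.g. 5 -> ['101', '10*', '1**', '***']."""
    return [(format(value >> k, "0{}b".format(width - k)) if width > k else "") + "*" * k
            for k in range(width + 1)]


def numericalize(prefix):
    """Slide 7's prefix numericalization: keep the fixed bits, append a 1 bit,
    pad with 0s to width + 1 bits. '10*' -> 1010 (10), '***' -> 1000 (8)."""
    fixed = prefix.rstrip("*")
    return int(fixed + "1" + "0" * (len(prefix) - len(fixed)), 2)


def in_range_via_prefixes(value, lo, hi, width):
    """True iff value is in [lo, hi], decided only by intersecting numericalized prefix sets."""
    range_set = {numericalize(p) for p in range_to_prefixes(lo, hi, width)}
    family_set = {numericalize(p) for p in prefix_family(value, width)}
    return bool(range_set & family_set)


def exhaustive_check(width):
    """Cross-check the prefix method against plain comparison for every value and range."""
    top = 1 << width
    return all(in_range_via_prefixes(v, lo, hi, width) == (lo <= v <= hi)
               for lo in range(top) for hi in range(lo, top) for v in range(top))


if __name__ == "__main__":
    print("prefixes of [3, 7]:", range_to_prefixes(3, 7, 3))        # ['011', '1**']
    print("family of 5:", prefix_family(5, 3))                        # ['101', '10*', '1**', '***']
    print("5 in [3, 7]?", in_range_via_prefixes(5, 3, 7, 3))          # True (common element 1100)
    print("all 4-bit cases agree:", exhaustive_check(4))              # True
```

Why the intersection test is sound: a value matches a prefix exactly when that prefix is in its family, the range prefixes partition the range, and numericalization is injective for prefixes of one width, so a shared number means the value matches one of the range's prefixes. This is also why the two sets can later be compared under encryption: equality of encrypted numbers is all the comparison needs.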

  8. Simple but incorrect solutions (1/2)
  • For preserving privacy: both parties apply a keyed hash function (HMAC) to each numericalized prefix
  • Drawback: hashing is cheap and an IPv4 address is only 32 bits, so each party can compute the hash of every possible number and recover the other party's values by brute force
  • Example: FW1's [3, 7] becomes {hg(0111), hg(1100)}; FW2's 5 becomes {hg(1011), hg(1010), hg(1100), hg(1000)}

  9. Simple but incorrect solutions (2/2)
  • For detecting redundant rules: directly compare the rules of the two firewalls
  • It may report rules of FW2 as redundant when they are not
    • r2 (discard) is covered by r2' (discard), but not by r2' - r1': packets in r2 that also match r1' are accepted by FW1, so FW2 still needs r2
  • It may find only a portion of the redundant rules
    • As long as r2 - r1 is covered by r2' - r1', r2 is redundant in FW2, even if r2 is not contained in r2'
  (Figure: FW1 with r1' accept and r2' discard; FW2 with r1 accept and r2 discard)
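
To make slide 9's two failure modes concrete, here is an added example (not from the paper) with constructed rules over two 4-bit fields F1 and F2, checked by brute force over all 256 packets. A discard rule of FW2 is counted as redundant only if every packet that first-matches it is already discarded by FW1, which is the r2 - r1 versus r2' - r1' condition of the slide; `naively_covered` is the direct comparison the slide warns against. The rule sets, field widths and names are mine.

```python
# Added example (not the paper's code): why "direct comparison" of rules
# misjudges cross-firewall redundancy under first-match semantics (slide 9).
# Packets travel through FW1 first, then FW2. Rules cover two constructed
# 4-bit fields F1 and F2, so the whole packet space has 256 points.

WIDTH = 4

# A rule is (f1_lo, f1_hi, f2_lo, f2_hi, decision), decision 'a' (accept) or
# 'd' (discard). Each firewall ends with a catch-all rule so every packet matches.


def first_match(rules, pkt):
    """Return (rule index, decision) of the first rule matching the packet."""
    f1, f2 = pkt
    for idx, (lo1, hi1, lo2, hi2, dec) in enumerate(rules):
        if lo1 <= f1 <= hi1 and lo2 <= f2 <= hi2:
            return idx, dec
    raise ValueError("no rule matched; every firewall needs a catch-all rule")


def naively_covered(rule, fw1):
    """Slide 9's 'direct comparison': the rule's box lies inside some discard rule of FW1."""
    lo1, hi1, lo2, hi2, _ = rule
    return any(d == "d" and a1 <= lo1 and hi1 <= b1 and a2 <= lo2 and hi2 <= b2
               for a1, b1, a2, b2, d in fw1)


def redundant_discard_rules(fw1, fw2, width=WIDTH):
    """Indices of FW2's discard rules (catch-all excluded) that FW2 can drop:
    every packet that first-matches the rule is already discarded by FW1,
    i.e. the rule minus the earlier FW2 rules is covered by FW1's discards."""
    still_needed = set()
    for f1 in range(1 << width):
        for f2 in range(1 << width):
            idx2, dec2 = first_match(fw2, (f1, f2))
            if dec2 == "d" and first_match(fw1, (f1, f2))[1] == "a":
                still_needed.add(idx2)   # FW1 lets it through, FW2 must still drop it
    return [i for i, r in enumerate(fw2[:-1]) if r[4] == "d" and i not in still_needed]


# Scenario A (false positive of direct comparison): r2 sits inside r2', but
# r2 overlaps r1' (accept), so FW1 passes part of r2 and FW2 still needs it.
FW1_A = [(0, 7, 0, 3, "a"),      # r1'
         (0, 15, 0, 7, "d"),     # r2'
         (0, 15, 0, 15, "a")]    # catch-all
FW2_A = [(0, 3, 0, 1, "a"),      # r1
         (4, 11, 0, 5, "d"),     # r2
         (0, 15, 0, 15, "a")]    # catch-all

# Scenario B (missed redundancy): r2 is not inside r2', but r1 (accept) already
# handles the part of r2 outside r2', and what remains is discarded by FW1.
FW1_B = [(0, 3, 0, 3, "a"),      # r1'
         (8, 15, 0, 11, "d"),    # r2'
         (0, 15, 0, 15, "a")]    # catch-all
FW2_B = [(0, 7, 0, 15, "a"),     # r1
         (0, 15, 0, 9, "d"),     # r2
         (0, 15, 0, 15, "a")]    # catch-all


if __name__ == "__main__":
    print("A: naive says covered:", naively_covered(FW2_A[1], FW1_A),
          "| actually redundant:", redundant_discard_rules(FW1_A, FW2_A))   # True | []
    print("B: naive says covered:", naively_covered(FW2_B[1], FW1_B),
          "| actually redundant:", redundant_discard_rules(FW1_B, FW2_B))   # False | [1]
```

The brute-force sweep is only viable for toy field widths; the FDD construction on the following slides is what makes the same first-match reasoning tractable for 32-bit addresses and 16-bit ports. Note that a FW2 discard rule no packet ever first-matches (a locally redundant rule) is also reported, which is correct since it can be removed as well.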

  10. Preserving privacy
  • To preserve privacy we use commutative encryption: each party holds its own key, and encrypting a value under both keys gives the same result regardless of the order in which the two keys are applied
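
As an added example (not the paper's own code), the block below instantiates the commutative encryption of slide 10 as Pohlig-Hellman exponentiation modulo a prime, E_k(x) = x^k mod p; the slides do not name the cipher, so that choice is an assumption. It then runs the two-party exchange on the numericalized prefixes from slide 7 (Net1 holding {0111, 1100} = {7, 12} for [3, 7], Net2 holding {1011, 1010, 1100, 1000} = {11, 10, 12, 8} for the value 5) and shows that the doubly encrypted sets intersect exactly where the plaintext sets do. The modulus, key sizes and message layout are demo choices of mine.

```python
# Added example (not from the paper): commutative encryption for the
# comparison step of slide 10, instantiated as Pohlig-Hellman exponentiation
# modulo a prime (E_k(x) = x^k mod p). Inputs are the numericalized prefixes
# of slide 7: Net1 holds {7, 12} for [3, 7], Net2 holds {11, 10, 12, 8} for 5.
import math
import random
import secrets

# Demo modulus only (the 61-bit Mersenne prime 2^61 - 1); a real deployment
# uses a prime large enough that discrete logarithms are infeasible.
P = (1 << 61) - 1


def keygen(p=P):
    """Random exponent coprime to p - 1, so x -> x^k mod p is a bijection on Z_p^*."""
    while True:
        k = secrets.randbelow(p - 2) + 2
        if math.gcd(k, p - 1) == 1:
            return k


def encrypt(x, k, p=P):
    """E_k(x) = x^k mod p; needs 1 <= x < p (a numericalized prefix is never 0)."""
    return pow(x, k, p)


def decrypt(y, k, p=P):
    """Invert E_k by raising to k^-1 mod (p - 1)."""
    return pow(y, pow(k, -1, p - 1), p)


def commutes(x, k1, k2, p=P):
    """E_k1(E_k2(x)) == E_k2(E_k1(x)) because both equal x^(k1*k2) mod p."""
    return encrypt(encrypt(x, k1, p), k2, p) == encrypt(encrypt(x, k2, p), k1, p)


def private_intersection(set1, k1, set2, k2, p=P):
    """Two-party exchange: Net1 holds (set1, k1), Net2 holds (set2, k2).
    Returns the elements of set1 that also occur in set2, as Net1 learns them."""
    own = list(set1)                                   # Net1 keeps its own order
    # Round 1, Net1 -> Net2: Net1's values under Net1's key only.
    msg1 = [encrypt(x, k1, p) for x in own]
    # Round 2, Net2 -> Net1: the same list re-encrypted under k2 (order kept so
    # Net1 can map results back) plus Net2's values under k2, shuffled so that
    # their position reveals nothing about Net2's rule order.
    msg2_double = [encrypt(y, k2, p) for y in msg1]
    msg2_single = [encrypt(x, k2, p) for x in set2]
    random.shuffle(msg2_single)
    # Net1 applies k1 to Net2's list; commutativity makes both sides x^(k1*k2).
    theirs = {encrypt(y, k1, p) for y in msg2_single}
    return {x for x, y in zip(own, msg2_double) if y in theirs}


if __name__ == "__main__":
    k1, k2 = keygen(), keygen()
    print("commutes:", commutes(12, k1, k2))                               # True
    print("common:", private_intersection({7, 12}, k1, {11, 10, 12, 8}, k2))  # {12}
```

Contrast with the keyed hash of slide 8: here Net1 only ever sees Net2's values as x^k2 mod p, and without k2 it cannot enumerate candidate values and check them, so the 32-bit brute force no longer applies. What the comparing party does learn is which of its own values match and how many values the other side sent; the slides address who compares and who reconstructs on slides 11 to 13.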

  11. Processing FW1
  • FDD construction
  • Extract the non-overlapping rules with the discard decision
  • Convert ranges to prefixes
  • Extract and permute the prefixes
  • Numericalize the prefixes
  • Encrypt by Net1, then encrypt by Net2
  • Reconstruct the non-overlapping rules by Net1
  (Figure: FDD of FW1; root F1 with edges [0, 4], [5, 7], [8, 15]; F2 nodes with edges [0, 15], [0, 4], [5, 15], [0, 15]; leaf decisions d, d, a, d)

  12. Processing FW2
  • Construct the all-match FDD
  • Extract the non-overlapping rules
  • Convert values to prefix families
  • Extract and permute the prefixes for each field
  • Numericalize and encrypt by Net2
  • Encrypt by Net1
  (Figure: all-match FDD of FW2; root F1 with edges [0, 2], [3, 5], [6, 15]; F2 nodes with edges [0, 6], [7, 15], [6, 15], [7, 15], [0, 6], [0, 5]; each leaf carries the set of rules matching that path, 4; 1, 2, 4; 4; 2, 4; 3, 4; 4, with decisions d, a, d, d, d, a)

  13. Comparing FW1 and FW2
  • Net1 compares the two reconstructed (doubly encrypted) firewalls
  • Net2 finds the corresponding prefix families in FW2
  (Figure: the encrypted representations of FW1 and FW2 side by side)

  14. Identify redundant rules
  • Candidate redundant rule set: {1, 2, 4}
  • However, (1) rule 4 is the first rule on the third and last paths, and (2) rule 2 is the first rule on the fourth path, so neither can be removed
  • The only redundant rule in FW2 is r1
  (Figure: the all-match FDD of FW2 from slide 12, with the same leaf rule sets 4; 1, 2, 4; 4; 2, 4; 3, 4; 4 and decisions d, a, d, d, d, a)

  15. What if Net1 misbehaves?
  • Net1 changes FW1 without notifying Net2
  • Mitigation: check periodically
  (Figure: FW2 rules r2, r3, r4 against the new FW1 rules nr1, nr2)

  16. Experimental results (1/4)
  • We conducted experiments on both real and synthetic firewalls
  • Real firewalls: our approach achieves significant compression on four real firewall groups
  (Figure: redundancy ratios for 5 real firewall groups)

  17. Experimental results (2/4)
  • Real firewalls: our approach is efficient for the conversion and comparison of two real ACLs
  (Figure: processing FW1 on real firewalls)

  18. Experimental results (3/4)
  • Synthetic firewalls with 200 to 2000 rules, conversion of FW1
    • Processing time of Net1 is less than 400 seconds; processing time of Net2 is less than 5 seconds
    • Communication cost is less than 450 KB
  (Figure: processing FW1 on synthetic firewalls)

  19. Experimental results (4/4)
  • Synthetic firewalls with 200 to 2000 rules, conversion of FW2
    • Processing time of Net2 is also less than 400 seconds; processing time of Net1 is less than 20 seconds
    • Communication cost is less than 1600 KB
  (Figure: processing FW2 on synthetic firewalls)

  20. Experimental results
  • Synthetic firewalls with 200 to 2000 rules: comparing the two firewalls takes less than 4 seconds
  (Figure: comparing two synthetic firewalls)

  21. Questions
  Thank you!
