
Cross-Domain Privacy-Preserving Cooperative Firewall Optimization.


1 Cross-Domain Privacy-Preserving Cooperative Firewall Optimization

2 Abstract Firewalls have been widely deployed on the Internet for securing private networks. A firewall checks each incoming or outgoing packet to decide whether to accept or discard the packet based on its policy. Optimizing firewall policies is crucial for improving network performance. Prior work on firewall optimization focuses on either intrafirewall or interfirewall optimization within one administrative domain where the privacy of firewall policies is not a concern. This paper explores interfirewall optimization across administrative domains for the first time. The key technical challenge is that firewall policies cannot be shared across domains because a firewall policy contains confidential information and even potential security holes, which can be exploited by attackers. In this paper, we propose the first cross-domain privacy-preserving cooperative firewall policy optimization protocol.

3 Abstract (cont.) Specifically, for any two adjacent firewalls belonging to two different administrative domains, our protocol can identify in each firewall the rules that can be removed because of the other firewall. The optimization process involves cooperative computation between the two firewalls without any party disclosing its policy to the other. We implemented our protocol and conducted extensive experiments. The results on real firewall policies show that our protocol can remove as many as 49% of the rules in a firewall, whereas the average is 19.4%. The communication cost is less than a few hundred kilobytes. Our protocol incurs no extra online packet processing overhead, and the offline processing time is less than a few hundred seconds.

4 Existing system Firewalls are critical in securing the private networks of businesses, institutions, and homes. A firewall is often placed at the entrance between a private network and the external network so that it can check each incoming or outgoing packet and decide whether to accept or discard the packet based on its policy. A firewall policy is usually specified as a sequence of rules, called an Access Control List (ACL); each rule has a predicate over multiple packet header fields (i.e., source IP, destination IP, source port, destination port, and protocol type) and a decision (i.e., accept or discard) for the packets that match the predicate. The rules in a firewall policy typically follow first-match semantics, where the decision for a packet is the decision of the first rule that the packet matches in the policy. Each physical interface of a router/firewall is configured with two ACLs: one for filtering outgoing packets and the other for filtering incoming packets. In this paper, we use the terms firewalls, firewall policies, and ACLs interchangeably.
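To make the two ideas on these slides concrete, first-match ACL evaluation and "rules in one firewall that can be removed because of the adjacent firewall", here is an added example that is not part of the presentation or the paper's code. It performs the plaintext (non-privacy-preserving) version of the check by brute force over a constructed toy header space: a rule in the downstream firewall's incoming ACL is removable when every packet it would decide on has already been discarded by the upstream firewall's outgoing ACL. The policies, the 0..3 field universe and the upstream/downstream arrangement are all assumptions made for the example.

```python
from itertools import product

# Each rule is (ranges, decision): one inclusive (lo, hi) range per header field
# in the order src_ip, dst_ip, src_port, dst_port, proto. Field values are small
# integers (constructed toy universe) so every possible header can be enumerated.
FIELDS = 5
UNIVERSE = range(4)  # constructed: each field takes values 0..3

def matches(rule, pkt):
    ranges, _ = rule
    return all(lo <= v <= hi for (lo, hi), v in zip(ranges, pkt))

def first_match(acl, pkt):
    """First-match semantics: the decision of the first rule the packet matches.
    Returns (rule index, decision); (None, "discard") if nothing matches."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return i, rule[1]
    return None, "discard"

def interfirewall_redundant(fw1_out, fw2_in):
    """Indices of rules in fw2_in (downstream, incoming ACL) that can be removed
    because fw1_out (upstream, outgoing ACL) discards every packet that would
    otherwise be decided by them. Plaintext check, not the paper's protocol."""
    reachable = [False] * len(fw2_in)  # rule i is first match for some surviving packet
    for pkt in product(UNIVERSE, repeat=FIELDS):
        if first_match(fw1_out, pkt)[1] != "accept":
            continue  # FW1 drops it, so it never reaches FW2
        i, _ = first_match(fw2_in, pkt)
        if i is not None:
            reachable[i] = True
    return [i for i, seen in enumerate(reachable) if not seen]

# Constructed policies: FW1 already discards all traffic from source IP 3 and all
# protocol-2 traffic, yet FW2 still carries rules dedicated to exactly that traffic.
ANY = (0, 3)
FW1_OUT = [
    (((3, 3), ANY, ANY, ANY, ANY), "discard"),  # r1: block src_ip 3
    ((ANY, ANY, ANY, ANY, (2, 2)), "discard"),  # r2: block protocol 2
    ((ANY, ANY, ANY, ANY, ANY), "accept"),      # r3: default accept
]
FW2_IN = [
    (((3, 3), ANY, ANY, (1, 1), ANY), "discard"),  # s1: src_ip 3 to dst_port 1 -> removable
    ((ANY, (0, 1), ANY, ANY, ANY), "accept"),      # s2: to dst_ip 0-1 -> still needed
    ((ANY, ANY, ANY, ANY, (2, 2)), "accept"),      # s3: protocol 2 -> removable
    ((ANY, ANY, ANY, ANY, ANY), "discard"),        # s4: default discard -> still needed
]

if __name__ == "__main__":
    print("removable rules in FW2:", interfirewall_redundant(FW1_OUT, FW2_IN))  # [0, 2]
```

The paper's contribution is computing this same answer without either domain revealing its ACL; the enumeration above is only a reference for what "interfirewall redundant" means.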

5 Architecture diagram

6 System specification
HARDWARE REQUIREMENTS
Processor : Intel Pentium IV
RAM : 512 MB
Hard Disk : 80 GB HDD
SOFTWARE REQUIREMENTS
Operating System : Windows XP / Windows 7
Front End : Java
Back End : MySQL 5

7 CONCLUSION In this paper, we identified an important problem, cross-domain privacy-preserving interfirewall redundancy detection. We propose a novel privacy-preserving protocol for detecting such redundancy. We implemented our protocol in Java and conducted extensive evaluation. The results on real firewall policies show that our protocol can remove as many as 49% of the rules in a firewall whereas the average is 19.4%.

8 THANK YOU

