
Slide 1: Cross-Domain Privacy-Preserving Collaborative Firewall Optimization
Fei Chen, Computer Science and Engineering, Michigan State University
Joint work with Bruhadeshwar Bezawada and Alex Liu

Slide 2: Motivation
The number of rules in a firewall significantly affects network throughput.
(Figure: home networks and business networks connected through the Internet, each behind its own firewall.)

Slide 3: Motivation
- Many solutions have been proposed to eliminate redundant rules from a firewall.
- There could be a lot of rules that are common across a series of firewalls (for example, rules for a common malicious website).

FW 1 (Net 1):
  Rule   SIP       DIP           SP   DP   PR    Dec
  r1'    1.2.*.*   192.168.*.*   *    *    TCP   discard
  r2'    2.3.*.*   192.168.*.*   *    *    TCP   accept
  r3'    *         *             *    *    *     discard

FW 2 (Net 2):
  Rule   SIP       DIP           SP   DP   PR    Dec
  r1     1.2.1.*   192.168.1.*   *    25   TCP   accept
  r2     1.2.1.*   192.168.*.*   80   *    TCP   discard
  r3     *         *             *    *    *     accept

Slide 4: Motivation
- Can we detect redundant rules across firewalls?
- How do we preserve the privacy of firewalls that belong to different parties?
(Same FW 1 / FW 2 rule tables as slide 3.)

Slide 5: Problem Statement
- Detect redundant rules across firewalls
  - Single-rule redundancy detection: one rule in FW 2 is covered by another rule in FW 1
  - Multi-rule redundancy detection: one rule in FW 2 is covered by multiple rules in FW 1
- Preserve the privacy of the two firewalls
  - One party cannot figure out the firewall rules of the other party
(Same FW 1 / FW 2 rule tables as slide 3.)

Slide 6: Related work
- Firewall optimization
  - Local optimization has received intense study: redundant rule removal, TCAM optimization
  - Global optimization is impractical: no party likes to reveal its internal security requirements, as this information is sensitive and confidential
  - No prior work investigates cooperative optimization
- Collaborative firewall enforcement in VPN
  - It focuses on enforcing a firewall policy over VPN tunnels in a privacy-preserving manner
  - It preserves the privacy of the remote network's firewall and of the packets in VPN tunnels, while this paper preserves the privacy of different firewalls

Slide 7: Basic building blocks
- Prefix membership verification (FW 1 holds the range, FW 2 holds the value)
  - Range [3, 7] in prefix format: {011, 1**}; after prefix numericalization: {0111, 1100}
  - Value 5 as a prefix family: F(5) = {101, 10*, 1**, ***}; after prefix numericalization: {1011, 1010, 1100, 1000}
  - If these two sets have common elements (here 1100), 5 is in [3, 7]

Slide 8: Simple but incorrect solutions (1/2)
- For preserving privacy: the two parties apply a keyed hash function to each number
  - [3, 7] -> {0111, 1100} -> {h_g(0111), h_g(1100)} on the FW 1 side
  - 5 -> {1011, 1010, 1100, 1000} -> {h_g(1011), h_g(1010), h_g(1100), h_g(1000)} on the FW 2 side
- Drawbacks
  - A hash function is cheap to compute, and an IPv4 address is only 32 bits long
  - So each party can brute-force the hash value of every possible number and recover the other party's values

Slide 9: Simple but incorrect solutions (2/2)
- For detecting redundant rules: directly compare the rules of the two firewalls
  - It may report wrong rules as redundant rules in FW 2: r2 is covered by r2', but it is not covered by r2' - r1'
  - It may find only a portion of the redundant rules: as long as r2 - r1 is covered by r2' - r1', r2 is a redundant rule in FW 2
(Figure: accept and discard regions of r1, r2 in FW 2 overlaid on r1', r2' in FW 1.)

Slide 10: Preserving privacy
- For preserving privacy, we use commutative encryption.

Slide 11: Processing FW 1
- FDD construction
- Extract non-overlapping rules with the discard decision
- Convert ranges to prefixes
- Extract and permute the prefixes
- Numericalize the prefixes
- Encrypt by Net 1
- Encrypt by Net 2
- Reconstruct non-overlapping rules by Net 1
(Figure: FDD of FW 1 over fields F1 and F2 with intervals [0,4], [5,7], [8,15], [5,15] and [0,15], leaves labelled a (accept) or d (discard).)

Slide 12: Processing FW 2
- Construct the all-match FDD
- Extract non-overlapping rules
- Convert values to prefix families
- Extract and permute prefixes for each field
- Numericalize and encrypt by Net 2
- Encrypt by Net 1
(Figure: all-match FDD of FW 2 over fields F1 and F2 with intervals [0,2], [3,5], [6,15], [0,6], [7,15], [0,5]; each path is labelled with the set of rules it matches, e.g. {1,2,4}, {2,4}, {3,4}, {4}, and a decision a or d.)

Slide 13: Comparing FW 1 and FW 2
- Compare the two reconstructed firewalls by Net 1
- Find the corresponding prefix families in FW 2 by Net 2
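Added example, not from the slides or the authors' code: the prefix membership verification of slide 7 carried through the encrypt-by-Net 1, encrypt-by-Net 2 exchange of slides 10 to 13, on 3-bit toy fields. The cipher is an assumption chosen for the demo: Pohlig-Hellman exponentiation modulo the prime 2^61 - 1, which commutes across keys; unordered sets stand in for the permutation step.

```python
import math
import secrets

W = 3              # toy field width in bits, as on slide 7
P = 2**61 - 1      # prime modulus for the toy commutative cipher (assumption)

def range_to_prefixes(lo, hi, w=W):
    """Split [lo, hi] into the minimal aligned prefixes: [3, 7] -> ['011', '1**']."""
    prefixes, cur = [], lo
    while cur <= hi:
        k = 0   # grow the block while it stays aligned and inside [lo, hi]
        while k < w and cur % (1 << (k + 1)) == 0 and cur + (1 << (k + 1)) - 1 <= hi:
            k += 1
        bits = format(cur >> k, f"0{w - k}b") if k < w else ""
        prefixes.append(bits + "*" * k)
        cur += 1 << k
    return prefixes

def prefix_family(value, w=W):
    """Every prefix that matches value: F(5) = ['101', '10*', '1**', '***']."""
    bits = format(value, f"0{w}b")
    return [bits[:w - i] + "*" * i for i in range(w + 1)]

def numericalize(prefix):
    """Slide 7 rule: append a 1, then zero-pad: '1**' -> 1100, '011' -> 0111."""
    bits = prefix.rstrip("*")
    return int(bits + "1" + "0" * (len(prefix) - len(bits)), 2)

def keygen():
    """Pohlig-Hellman exponent; coprime to P-1 so encryption is a bijection."""
    while True:
        k = secrets.randbelow(P - 2) + 2
        if math.gcd(k, P - 1) == 1:
            return k

def encrypt(x, k):
    """E_k(x) = x^k mod P; E_k1(E_k2(x)) == E_k2(E_k1(x)) for every x."""
    return pow(x, k, P)

def private_membership(lo, hi, value, k_net1, k_net2):
    """True iff value in [lo, hi], decided on doubly-encrypted numbers only.
    Net 1 holds the range (an FW 1 field), Net 2 holds the value (an FW 2 field)."""
    # Net 1 encrypts its numericalized prefixes, then Net 2 re-encrypts them.
    range_set = {encrypt(encrypt(numericalize(p), k_net1), k_net2)
                 for p in range_to_prefixes(lo, hi)}
    # Net 2 encrypts its prefix family, then Net 1 re-encrypts it; commutativity
    # makes the two double encryptions comparable without exposing plaintexts.
    family_set = {encrypt(encrypt(numericalize(p), k_net2), k_net1)
                  for p in prefix_family(value)}
    return not range_set.isdisjoint(family_set)
```

Because neither party ever sees the other's numbers encrypted under only its own key, the 32-bit brute-force attack against the keyed-hash variant of slide 8 does not apply here.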

Slide 14: Identify redundant rules
- Remove redundant rules
  - Candidate redundant rule set: {1, 2, 4}
  - However, (1) rule 4 is the first rule in the third and last paths, and (2) rule 2 is the first rule in the fourth path
  - So the only redundant rule in FW 2 is r1
(Figure: all-match FDD of FW 2 from slide 12, each path labelled with the rules it matches.)

Slide 15: What if Net 1 misbehaves?
- Net 1 changes its FW 1 without notifying Net 2
- Periodically check
(Figure: FW 2 rules r2, r3, r4 against FW 1, which now contains rules nr1 and nr2.)

Slide 16: Experimental Results (1/4)
- We conducted experiments on both real and synthetic firewalls
- For real firewalls
  - Our approach achieves significant compression on four real firewall groups
(Figure: redundancy ratios for 5 real firewall groups.)

Slide 17: Experimental Results (2/4)
- For real firewalls
  - Our approach is efficient for the conversion and comparison of two real ACLs
(Figure: processing FW 1 on real firewalls.)

Slide 18: Experimental Results (3/4)
- For synthetic firewalls with the number of rules from 200 to 2000
- For the conversion of FW 1
  - The processing time of Net 1 is less than 400 seconds and the processing time of Net 2 is less than 5 seconds
  - The communication costs are less than 450 KB
(Figure: processing FW 1 on synthetic firewalls.)

Slide 19: Experimental Results (4/4)
- For synthetic firewalls with the number of rules from 200 to 2000
- For the conversion of FW 2
  - The processing time of Net 2 is also less than 400 seconds and the processing time of Net 1 is less than 20 seconds
  - The communication cost is less than 1600 KB
(Figure: processing FW 2 on synthetic firewalls.)

Slide 20: Experimental Results
- For synthetic firewalls with the number of rules from 200 to 2000
  - The comparison time of two synthetic firewalls is less than 4 seconds
(Figure: comparing two synthetic firewalls.)

Slide 21: Questions
Thank you!

