Novel Design and Implementation of Cross-Domain Privacy-Preserving Firewall Optimization

International Journal of Computer Trends and Technology (IJCTT)
© 2015 by IJCTT Journal
Volume-22 Number-1
Year of Publication : 2015
Authors : D.Uma, Dr.G.Venkata Rami Reddy, K.shirisha
DOI : 10.14445/22312803/IJCTT-V22P101

MLA

D.Uma, Dr.G.Venkata Rami Reddy, K.shirisha. "Novel Design and Implementation of Cross-Domain Privacy-Preserving Firewall Optimization". International Journal of Computer Trends and Technology (IJCTT) V22(1):1-4, April 2015. ISSN:2231-2803. www.ijcttjournal.org. Published by Seventh Sense Research Group.

Abstract -
Firewalls are very important on the Internet for providing security and privacy. A firewall checks each incoming and outgoing packet against the rule set in its policy. As the demand for Internet services grows, the rule sets in firewall policies become large, and an increasing number of rules in a firewall policy reduces its throughput. Optimizing firewalls is therefore very important for improving throughput as well as network performance. In this paper we propose a novel privacy-preserving protocol that removes the redundant rules present in two adjacent firewalls belonging to two different administrative domains, and reorders the remaining rules, without either domain disclosing its policy to the other. We implemented our protocol and conducted experiments. As a result, our protocol effectively removed the redundant rules and enormously improved network performance.
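To make the notion of a rule that is redundant between two adjacent firewalls concrete, the following added example (not part of the paper, and not its protocol) checks, in cleartext, which rules of a downstream firewall FW2 are never first-matched by any packet the upstream firewall FW1 lets through. The toy 4-bit address and port space, the constructed policies and the brute-force enumeration are assumptions made here so every packet can be checked; the paper's contribution is to reach the same conclusion without either administrative domain revealing its rules, which this example does not attempt.

```python
from dataclasses import dataclass
from itertools import product
from typing import List, Optional, Tuple

FIELD_SIZE = 16  # toy 4-bit address and port space so the check can enumerate every packet

@dataclass(frozen=True)
class Rule:
    src: Tuple[int, int]    # inclusive source-address range
    dport: Tuple[int, int]  # inclusive destination-port range
    action: str             # "accept" or "discard"

    def matches(self, src: int, dport: int) -> bool:
        return self.src[0] <= src <= self.src[1] and self.dport[0] <= dport <= self.dport[1]

def first_match(policy: List[Rule], src: int, dport: int) -> Optional[int]:
    """First-match semantics: index of the first rule the packet hits, None if no rule matches."""
    return next((i for i, r in enumerate(policy) if r.matches(src, dport)), None)

def decision(policy: List[Rule], src: int, dport: int) -> str:
    i = first_match(policy, src, dport)
    return policy[i].action if i is not None else "discard"  # implicit default deny

def inter_firewall_redundant(fw1: List[Rule], fw2: List[Rule]) -> List[int]:
    """Indices of FW2 rules that no packet accepted by the upstream FW1 ever first-matches."""
    reached = set()
    for src, dport in product(range(FIELD_SIZE), repeat=2):
        if decision(fw1, src, dport) != "accept":
            continue  # FW1 drops the packet, so FW2 never sees it
        j = first_match(fw2, src, dport)
        if j is not None:
            reached.add(j)
    return [j for j in range(len(fw2)) if j not in reached]

def prune(fw1: List[Rule], fw2: List[Rule]) -> List[Rule]:
    """FW2 with its inter-firewall redundant rules removed (relative order of the rest kept)."""
    redundant = set(inter_firewall_redundant(fw1, fw2))
    return [r for j, r in enumerate(fw2) if j not in redundant]

def end_to_end_unchanged(fw1: List[Rule], fw2: List[Rule], fw2_pruned: List[Rule]) -> bool:
    """Verify that pruning FW2 preserves the combined FW1-then-FW2 decision for every packet."""
    return all(
        (decision(fw1, s, d) == "accept" and decision(fw2, s, d) == "accept")
        == (decision(fw1, s, d) == "accept" and decision(fw2_pruned, s, d) == "accept")
        for s, d in product(range(FIELD_SIZE), repeat=2))

# Constructed sample policies (not from the paper). FW1, upstream in domain A, discards src 0-7;
# the first rule of FW2, downstream in domain B, only covers traffic FW1 has already discarded.
FW1 = [Rule((0, 7), (0, 15), "discard"), Rule((0, 15), (0, 15), "accept")]
FW2 = [Rule((0, 3), (0, 15), "accept"), Rule((0, 15), (8, 15), "discard"), Rule((0, 15), (0, 15), "accept")]
```

Running `inter_firewall_redundant(FW1, FW2)` reports index 0, and `end_to_end_unchanged(FW1, FW2, prune(FW1, FW2))` confirms that dropping that rule changes no end-to-end decision; a real implementation would work on address and port ranges rather than enumerating packets.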


Keywords
Cooperative Firewall, Privacy Preservation, Cross domain, Firewall optimization