Privacy Preserving Collaborative Enforcement of Firewall Policies in Virtual Private Networks

Alex X. Liu; Fei Chen

doi:10.1109/TPDS.2010.155

Publication
2011
Issue No. 5 - May
Abstract - Privacy Preserving Collaborative Enforcement of Firewall Policies in Virtual Private Networks

	This Article
	Subscribers, please Login Purchase article: $19 PDF HTML RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/EndNote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Alex X. Liu Articles by Fei Chen

Privacy Preserving Collaborative Enforcement of Firewall Policies in Virtual Private Networks

May 2011 (vol. 22 no. 5)

pp. 887-895

	ASCII Text	x
	Alex X. Liu, Fei Chen, "Privacy Preserving Collaborative Enforcement of Firewall Policies in Virtual Private Networks," IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 5, pp. 887-895, May, 2011.

	BibTex	x
	@article{ 10.1109/TPDS.2010.155, author = {Alex X. Liu and Fei Chen}, title = {Privacy Preserving Collaborative Enforcement of Firewall Policies in Virtual Private Networks}, journal ={IEEE Transactions on Parallel and Distributed Systems}, volume = {22}, number = {5}, issn = {1045-9219}, year = {2011}, pages = {887-895}, doi = {http://doi.ieeecomputersociety.org/10.1109/TPDS.2010.155}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - JOUR JO - IEEE Transactions on Parallel and Distributed Systems TI - Privacy Preserving Collaborative Enforcement of Firewall Policies in Virtual Private Networks IS - 5 SN - 1045-9219 SP887 EP895 EPD - 887-895 A1 - Alex X. Liu, A1 - Fei Chen, PY - 2011 KW - Virtual private networks KW - privacy KW - network security. VL - 22 JA - IEEE Transactions on Parallel and Distributed Systems ER -

Alex X. Liu, Michigan State University, East Lansing

Fei Chen, Michigan State University, East Lansing

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TPDS.2010.155

The widely deployed Virtual Private Network (VPN) technology allows roaming users to build an encrypted tunnel to a VPN server, which, henceforth, allows roaming users to access some resources as if that computer were residing on their home organization's network. Although VPN technology is very useful, it imposes security threats on the remote network because its firewall does not know what traffic is flowing inside the VPN tunnel. To address this issue, we propose VGuard, a framework that allows a policy owner and a request owner to collaboratively determine whether the request satisfies the policy without the policy owner knowing the request and the request owner knowing the policy. We first present an efficient protocol, called Xhash, for oblivious comparison, which allows two parties, where each party has a number, to compare whether they have the same number, without disclosing their numbers to each other. Then, we present the VGuard framework that uses Xhash as the basic building block. The basic idea of VGuard is to first convert a firewall policy to nonoverlapping numerical rules and then use Xhash to check whether a request matches a rule. Comparing with the Cross-Domain Cooperative Firewall (CDCF) framework, which represents the state-of-the-art, VGuard is not only more secure but also orders of magnitude more efficient. On real-life firewall policies, for processing packets, our experimental results show that VGuard is three to four orders of magnitude faster than CDCF.

[1] "Cisco IOS IPS Deployment Guide," www.cisco.com, 2010.
[2] "TippingPoint X505," www.tippingpoint.comproducts_ips.html, 2009
[3] A.V. Aho and M.J. Corasick, "Efficient String Matching: An Aid to Bibliographic Search," Comm. ACM, vol. 18, no. 6, pp. 333-334, June 1975.
[4] Y.-K. Chang, "Fast Binary and Multiway Prefix Searches for Packet Forwarding," Computer Networks, vol. 51, no. 3, pp. 588-605, 2007.
[5] J. Cheng, H. Yang, H.Y. Starsky Wong, and S. Lu, "Design and Implementation of Cross-Domain Cooperative Firewall," Proc. IEEE Int'l Conf. Network Protocols (ICNP), 2007.
[6] C.-W. Beate, "A String Matching Algorithm Fast on the Average," Proc. Sixth Colloquium Automata, Languages and Programming, pp. 118-132, 1979.
[7] D. Eastlake and P. Jones, "US Secure Hash Algorithm 1 (SHA1)," RFC 3174, 2001.
[8] M.G. Gouda and A.X. Liu, "Structured Firewall Design," Computer Networks J., vol. 51, no. 4, pp. 1106-1120, 2007.
[9] P. Gupta and N. McKeown, "Algorithms for Packet Classification," IEEE Network, vol. 15, no. 2, pp. 24-32, Mar./Apr. 2001.
[10] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication," RFC 2104, 1997.
[11] A.X. Liu and M.G. Gouda, "Diverse Firewall Design," Proc. Int'l Conf. Dependable Systems and Networks (DSN), pp. 595-604, June 2004.
[12] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Computer Networks, vol. 31, nos. 23/24, pp. 2435-2463, 1999.
[13] S.C. Pohlig and M.E. Hellman, "An Improved Algorithm for Computing Logarithms over GF(p) and Its Cryptographic Significance," IEEE Trans. Information and System Security, vol. IT-24, no. 1 pp. 106-110, Jan. 1978.
[14] R. Rivest, "The MD5 Message-Digest Algorithm," RFC 1321, 1992.
[15] M. Roesch, "Snort: Lightweight Intrusion Detection for Networks," Proc. USENIX Conf. Systems Administration, pp. 229-238, 1999.
[16] D.K. Hess, D.R. Safford, and D.L. Schales, "Secure RPC Authentication (SRA) for TELNET and FTP," Proc. Fourth USENIX Security Conf., 1993.

Index Terms:

Virtual private networks, privacy, network security.

Citation:

Alex X. Liu, Fei Chen, "Privacy Preserving Collaborative Enforcement of Firewall Policies in Virtual Private Networks," IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 5, pp. 887-895, May 2011, doi:10.1109/TPDS.2010.155

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.