The Community for Technology Leaders
RSS Icon
Issue No.05 - May (2011 vol.22)
pp: 887-895
Alex X. Liu , Michigan State University, East Lansing
Fei Chen , Michigan State University, East Lansing
The widely deployed Virtual Private Network (VPN) technology allows roaming users to build an encrypted tunnel to a VPN server, which, henceforth, allows roaming users to access some resources as if that computer were residing on their home organization's network. Although VPN technology is very useful, it imposes security threats on the remote network because its firewall does not know what traffic is flowing inside the VPN tunnel. To address this issue, we propose VGuard, a framework that allows a policy owner and a request owner to collaboratively determine whether the request satisfies the policy without the policy owner knowing the request and the request owner knowing the policy. We first present an efficient protocol, called Xhash, for oblivious comparison, which allows two parties, where each party has a number, to compare whether they have the same number, without disclosing their numbers to each other. Then, we present the VGuard framework that uses Xhash as the basic building block. The basic idea of VGuard is to first convert a firewall policy to nonoverlapping numerical rules and then use Xhash to check whether a request matches a rule. Comparing with the Cross-Domain Cooperative Firewall (CDCF) framework, which represents the state-of-the-art, VGuard is not only more secure but also orders of magnitude more efficient. On real-life firewall policies, for processing packets, our experimental results show that VGuard is three to four orders of magnitude faster than CDCF.
Virtual private networks, privacy, network security.
Alex X. Liu, Fei Chen, "Privacy Preserving Collaborative Enforcement of Firewall Policies in Virtual Private Networks", IEEE Transactions on Parallel & Distributed Systems, vol.22, no. 5, pp. 887-895, May 2011, doi:10.1109/TPDS.2010.155
[1] "Cisco IOS IPS Deployment Guide,", 2010.
[2] "TippingPoint X505," www.tippingpoint.comproducts_ips.html, 2009
[3] A.V. Aho and M.J. Corasick, "Efficient String Matching: An Aid to Bibliographic Search," Comm. ACM, vol. 18, no. 6, pp. 333-334, June 1975.
[4] Y.-K. Chang, "Fast Binary and Multiway Prefix Searches for Packet Forwarding," Computer Networks, vol. 51, no. 3, pp. 588-605, 2007.
[5] J. Cheng, H. Yang, H.Y. Starsky Wong, and S. Lu, "Design and Implementation of Cross-Domain Cooperative Firewall," Proc. IEEE Int'l Conf. Network Protocols (ICNP), 2007.
[6] C.-W. Beate, "A String Matching Algorithm Fast on the Average," Proc. Sixth Colloquium Automata, Languages and Programming, pp. 118-132, 1979.
[7] D. Eastlake and P. Jones, "US Secure Hash Algorithm 1 (SHA1)," RFC 3174, 2001.
[8] M.G. Gouda and A.X. Liu, "Structured Firewall Design," Computer Networks J., vol. 51, no. 4, pp. 1106-1120, 2007.
[9] P. Gupta and N. McKeown, "Algorithms for Packet Classification," IEEE Network, vol. 15, no. 2, pp. 24-32, Mar./Apr. 2001.
[10] H. Krawczyk, M. Bellare, and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication," RFC 2104, 1997.
[11] A.X. Liu and M.G. Gouda, "Diverse Firewall Design," Proc. Int'l Conf. Dependable Systems and Networks (DSN), pp. 595-604, June 2004.
[12] V. Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Computer Networks, vol. 31, nos. 23/24, pp. 2435-2463, 1999.
[13] S.C. Pohlig and M.E. Hellman, "An Improved Algorithm for Computing Logarithms over GF(p) and Its Cryptographic Significance," IEEE Trans. Information and System Security, vol. IT-24, no. 1 pp. 106-110, Jan. 1978.
[14] R. Rivest, "The MD5 Message-Digest Algorithm," RFC 1321, 1992.
[15] M. Roesch, "Snort: Lightweight Intrusion Detection for Networks," Proc. USENIX Conf. Systems Administration, pp. 229-238, 1999.
[16] D.K. Hess, D.R. Safford, and D.L. Schales, "Secure RPC Authentication (SRA) for TELNET and FTP," Proc. Fourth USENIX Security Conf., 1993.
20 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool