How To Write A Privacy Preserving Firewall Optimization Protocol

Transcription

1 Asia-pacific Journal of Multimedia Services Convergence with Art, Humanities and Sociology Vol.1, No.2 (2011), pp Secure Multi-Party Computation in Networks Over A Cross Domain Privacy Preserving Firewall Optimization Sattarova Feruza 1), Farkhod Alisherov 2) Abstract In any system, the network firewall is the main feature which will be protecting the system from getting attacked from any illegal intruders who will try to hack the system and steel the information from the network. These firewalls have been involving in the optimization that has to be done when any other tries to come through the other firewall and sharing the information will improve the network performance very well. Firewall will be mainly concentrating on intra firewall and also inter firewall optimization that will be helpful to improve the security of the network. Previously, there has been the use of cross-domain privacy preserving cooperative firewall policy optimization protocol. But there is no improvement that made a lot of difference in the native methods used. So we propose secure multi-party computation of union which will be improving the firewall optimization and also improving the security very well when compared to the all the previous methods. Keywords : Firewall optimization, cross-domain privacy preserving cooperative firewall policy optimization protocol, secure multi-party computation of union, intra firewall, inter firewall optimization. 1. Introduction A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. Firewalls can be either hardware or software but the ideal firewall configuration will consist of both. In addition to limiting access to your computer and network, a firewall is also useful for allowing remote access to a private network through secure authentication certificates and logins. Hardware firewalls can be purchased as a stand-alone product but are also typically found in broadband Received(November 02, 2011), Review request(november 03, 2011), Review Result(1st: November 23, 2011) Accepted(December 31, 2011) Dept. of Multimedia, Hannam University, Daejeon, Korea. mymail6585@gmail.com 2 (Corresponding Author) Dept. of Multimedia, Hannam University, Daejeon, Korea. sntdvl@yahoo.com ISSN: AJMSCAHS Copyright c 2011 SERSC 93

2 Secure Multi-Party Computation in Networks Over A Cross Domain Privacy Preserving Firewall Optimization routers, and should be considered an important part of your system and network set-up. Most hardware firewalls will have a minimum of four network ports to connect other computers, but for larger networks, business networking firewall solutions are available. Software firewalls are installed on your computer (like any software) and you can customize it; allowing you some control over its function and protection features. A software firewall will protect your computer from outside attempts to control or gain access your computer. [Fig. 1] Firewall Architecture Common Firewall Techniques: Firewalls are used to protect both home and corporate networks. A typical firewall program or hardware device filters all information coming through the Internet to your network or computer system. There are several types of firewall techniques that will prevent potentially harmful information from getting through: Packet Filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing. Application Gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation. Circuit-level Gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking. 94 Copyright c 2011 SERSC

3 Asia-pacific Journal of Multimedia Services Convergence with Art, Humanities and Sociology Vol.1, No.2 (2011) Proxy Server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses. In practice, many firewalls use two or more of these techniques in concert. A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted. 2. Related Work Rakesh Agrawal and Alexandre Evfimievski Ramakrishnan stated that Literature on information integration across databases tacitly assumes that the data in each database can be revealed to the other databases. However, there is an increasing need for sharing information across autonomous entities in such a way that no information apart from the answer to the query is revealed. We form a lizethe notion of minimal information sharing across private databases, and develop protocols for intersection, equijoin, intersection size, and equijoin size. We also show how new applications can be built using the proposed protocols. Ada Wai-Chee Fu, Raymond Chi-Wing Wong stated that Privacy consideration has much significance in the application of data mining. It is very important that the privacy of individual parties will not be exposed when data mining techniques are applied to a large collection of data about the parties. In many scenarios such as data warehousing or data integration, data from the different parties form a many-to-many schema. This paper addresses the problem of privacy-preserving frequent pattern mining in such a schema across two dimension sites. We assume that sites are not trusted and they are semi-honest. Our method is based on the concept of semi-join and does not involve data encryption which is used in most previous work. Experiments are conducted to study the efficiency of the proposed models. Al-Shaer, E.S stated that Firewalls are core elements in network security. However, managing firewall rules, particularly in multi-firewall enterprise networks, has become a complex and error-prone task. Firewall filtering rules have to be written, ordered and distributed carefully in order to avoid firewall policy anomalies that might cause network vulnerability. Therefore, inserting or modifying filtering rules in any firewall requires thorough intra- and inter-firewall analysis to determine the proper rule placement and ordering in the firewalls. We identify all anomalies that could exist in a single- or multi-firewall environment. We also present a set of techniques and algorithms to automatically discover policy anomalies in centralized and distributed legacy firewalls. These techniques are implemented in a software tool called the "Firewall Policy Advisor" that simplifies the management of filtering rules and maintains the security of next-generation firewalls. Justin Brickell and Vitaly Shmatikov stated that We consider scenarios in which two parties, each in possession of a graph, wish to compute some algorithm on their joint graphin a privacy-preserving manner, that ISSN: AJMSCAHS Copyright c 2011 SERSC 95

4 Secure Multi-Party Computation in Networks Over A Cross Domain Privacy Preserving Firewall Optimization is, without leaking any information about their inputs except that revealed by the algorithm s output. Working in the standard secure multi-party computation paradigm, we present new algorithms for privacy-preserving computation of APSD (all pairs shortest distance) and SSSD (single source shortest distance), as well as two new algorithms for privacy-preserving set union. Our algorithms are significantly more efficient than generic constructions. As in previous work on privacy-preserving data mining, we prove that our algorithms are secure provided the participants are honest, but curious. Cheng, J. stated that security and privacy are two major concerns in supporting roaming users across administrative domains. In current practices, a roaming user often uses encrypted tunnels, e.g., Virtual Private Networks (VPNs), to protect the secrecy and privacy of her communications. However, due to its encrypted nature, the traffic flowing through these tunnels cannot be examined and regulated by the foreign network's firewall, which may lead the foreign network widely open to various attacks from the Internet. This threat can be alleviated if the users reveal their traffic to the foreign network or the foreign network reveals its firewall rules to the tunnel endpoints. However, neither approach is desirable in practice due to privacy concerns. In this paper, we propose a Cross-Domain Cooperative Firewall (CDCF) that allows two collaborative networks to enforce each other's firewall rules in an oblivious manner. In CDCF, when a roaming user establishes an encrypted tunnel between his home network and the foreign network, the tunnel endpoint (e.g., a VPN server) can regulate the traffic and enforce the foreign network's firewall rules, without knowing these rules. The key ingredients in CDCF are the distribution of firewall primitives across network domains, and the enabling technique of efficient oblivious membership verification. We have implemented CDCF and integrated it with the OpenVPN software, and evaluated its performance using extensive experiments. Our results show that CDCF can protect the foreign network from encrypted tunnel traffic with minimal overhead. 3. Existing System Prior work on firewall optimization focuses on either intra firewall optimization, or inter firewall optimization within one administrative domain where the privacy of firewall policies is not a concern. Firewall policy management is a challenging task due to the complexity and interdependency of policy rules. This is further exacerbated by the continuous evolution of network and system environments. The process of configuring a firewall is tedious and error prone. Therefore, effective mechanisms and tools for policy management are crucial to the success of firewalls. In this paper, we represent a novel anomaly management framework for firewalls based on a rule-based segmentation technique to facilitate not only more accurate anomaly detection but also effective anomaly resolution. Based on this technique, a network packet space defined by a firewall policy can be divided into a set of 96 Copyright c 2011 SERSC

5 Asia-pacific Journal of Multimedia Services Convergence with Art, Humanities and Sociology Vol.1, No.2 (2011) disjoint packet space segments. Each segment associated with a unique set of firewall rules accurately indicates an overlap relation (either conflicting or redundant) among those rules. We also introduce a flexible conflict resolution method to enable a fine-grained conflict resolution with the help of several effective resolution strategies with respect to the risk assessment of protected networks and the intention of policy definition. In our framework conflict detection and resolution, conflicting segments are identified in the first step. Each conflicting segment associates with a policy conflict and a set of conflicting rules. Also, the correlation relationships among conflicting segments are identified and conflict correlation groups are derived. Policy conflicts belonging to different conflict correlation groups can be resolved separately, thus the searching space for resolving conflicts is reduced by the correlation process. 3. Proposed System The model that we consider is one where an adversarial entity controls some subset of the parties and wishes to attack the protocol execution. The parties under the control of the adversary are called corrupted, and follow the adversary's instructions. Secure protocols should withstand any adversarial attack (where the exact power of the adversary will be discussed later). In order to formally claim and prove that a protocol is secure, a precise definition of security for multiparty computation is required. A number of different definitions have been proposed and these definitions aim to ensure a number of important security properties that are general enough to capture most (if not all) multiparty computation tasks. We now describe the most central of these properties: Privacy: No party should learn anything more than its prescribed output. In particular, theonly information that should be learned about other parties' inputs is what can be derived from the output itself. For example, in an auction where the only bid revealed is that of the highest bidder, it is clearly possible to derive that all other bids were lower than the winning bid. However, this should be the only information revealed about the losing bids. Correctness: Each party is guaranteed that the output that it receives is correct. To continue with the example of an auction, this implies that the party with the highest bid is guaranteed to win, and no party including the auctioneer can alter this. Independence of Inputs: Corrupted parties must choose their inputs independently of the honest parties' inputs. This property is crucial in a sealed auction, where bids are kept secret and parties must x their bids independently of others. We note that independence of inputs is not implied by privacy. For example, it may be possible to generate a higher bid, without knowing the value of the original one. Such an attack can actually be carried out on some encryption schemes (i.e., given an encryption of $100, it is possible to ISSN: AJMSCAHS Copyright c 2011 SERSC 97

6 Secure Multi-Party Computation in Networks Over A Cross Domain Privacy Preserving Firewall Optimization generate a valid encryption of $101, without knowing the original encrypted value). Guaranteed Output Delivery: Corrupted parties should not be able to prevent honest parties from receiving their output. In other words, the adversary should not be able to disrupt the computation by carrying out a "denial of service" attack. Fairness: Corrupted parties should receive their outputs if and only if the honest parties also receive their outputs. The scenario where a corrupted party obtains output and an honest party does not should not be allowed to occur. This property can be crucial, for example, in the case of contract signing. Specifically, it would be very problematic if the corrupted party received the signed contract and the honest party did not. More formally, the security of a protocol is established by comparing the outcome of a real protocol execution to the outcome of an ideal computation. That is, for any adversary attacking a real protocol execution, there exists an adversary attacking an ideal execution (with a trusted party) such that the input/output distributions of the adversary and the participating parties in the real and ideal executions are essentially the same. Thus a real protocol execution "emulates" the ideal world. This formulation of security is called the ideal/real simulation paradigm. In order to motivate the usefulness of this definition, we describe why all the properties described above are implied. Privacy follows from the fact that the adversary's output is the same in the real and ideal executions. Since the adversary learns nothing beyond the corrupted party's outputs in an ideal execution, the same must be true for a real execution. Correctness follows from the fact that the honest parties' outputs are the same in the real and ideal executions, and from the fact that in an ideal execution, the honest parties all receive correct outputs as computed by the trusted party. Regarding independence of inputs, notice that in an ideal execution, all inputs are sent to the trusted party before any output is received. Therefore, the corrupted parties know nothing of the honest parties' inputs at the time that they send their inputs. In other words, the corrupted parties' inputs are chosen independently of the honest parties' inputs, as required. Finally, guaranteed output delivery and fairness hold in the ideal world because the trusted party always returns all outputs. The fact that it also holds in the real world again follows from the fact that the honest parties' outputs are the same in the real and ideal executions. 5. Experimental Results Our experimental results shows that, we proposed a security in networks used secure multi-party computation of union over a firewall optimization. Firewall will be mainly concentrating on intra firewall and also inter firewall optimization that will be helpful to improve the security of the network. Previously there has been the use of cross-domain privacy preserving cooperative firewall policy optimization protocol. But there is no improvement that made a lot of difference in the native methods used. So we propose secure multi-party computation of union which will be improving the firewall optimization and also improving the security very 98 Copyright c 2011 SERSC

7 well when compared to the all the previous methods. Asia-pacific Journal of Multimedia Services Convergence with Art, Humanities and Sociology Vol.1, No.2 (2011) [Fig 2] Security in Secure Multi-Party Computation Of Union The above figure explains about the security in the networks using secure multi-party computation of union over a firewall optimization in different stage levels. 5. Conclusion In this paper, we identified an important problem, novel privacy-preserving protocol for detecting such redundancy. We implemented our protocol secure multi-party computation of union. The results on real firewall policies show that our protocol can remove as many as possible. Our protocol is applicable for identifying the inter firewall redundancy of firewalls with a few thousands of rules. Previously there has been the use of cross-domain privacy preserving cooperative firewall policy optimization protocol. But there is no improvement that made a lot of difference in the native methods used. In our work, secure multi-party computation of union which will be improving the firewall optimization and also improving the security very well when compared to the all the previous methods. ISSN: AJMSCAHS Copyright c 2011 SERSC 99

8 Secure Multi-Party Computation in Networks Over A Cross Domain Privacy Preserving Firewall Optimization References [1] What is Firewall?, Webopedia. [2] Information Sharing Across Private Databases by RakeshAgrawalAlexandreEvfimievskiRamakrishnanSrikant. [3] A. Wai-Chee Fu and R. Chi-Wing Wong, Privacy-Preserving Frequent Pattern Mining Across Private Databases, [4] E. S. Al-Shaer, Discovery of policy anomalies in distributed firewalls. [5] J. Brickell and V. Shmatikov, Privacy-Preserving Graph Algorithms in thesemi-honest Model. [6] J. Cheng, Design and Implementation of Cross-Domain Cooperative Firewall. [7] F. Chen, B. Bruhadeshwar and A. X. Liu, Cross-Domain Privacy-Preserving Cooperative Firewall Optimization. 100 Copyright c 2011 SERSC