An Approach for improving Network Performance using Cross-Domain Cooperative Secrecy-Maintaining Firewall Optimization



Similar documents
Redundancy Removing Protocol to Minimize the Firewall Policies in Cross Domain

ACL Based Dynamic Network Reachability in Cross Domain

How To Write A Privacy Preserving Firewall Optimization Protocol

Firewall Verification and Redundancy Checking are Equivalent

Firewall Policy Anomalies- Detection and Resolution

II. BASICS OF PACKET FILTERING

Efficiently Managing Firewall Conflicting Policies

- Introduction to Firewalls -

Accessing Private Network via Firewall Based On Preset Threshold Value

Analysis of ACL in ASA Firewall

Firewalls. Ahmad Almulhem March 10, 2012

COMPARISON OF ALGORITHMS FOR DETECTING FIREWALL POLICY ANOMALIES

Security threats and network. Software firewall. Hardware firewall. Firewalls

Firewall Compressor: An Algorithm for Minimizing Firewall Policies

Firewall Configuration. Firewall Configuration. Solution Firewall Principles

ΕΠΛ 674: Εργαστήριο 5 Firewalls

A Matrix Model for Designing and Implementing Multi-firewall Environments

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

This Technical Support Note shows the different options available in the Firewall menu of the ADTRAN OS Web GUI.

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

21.4 Network Address Translation (NAT) NAT concept

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

- Introduction to PIX/ASA Firewalls -

Lecture 23: Firewalls

FIRE-ROUTER: A NEW SECURE INTER-NETWORKING DEVICE

SPACK FIREWALL RESTRICTION WITH SECURITY IN CLOUD OVER THE VIRTUAL ENVIRONMENT

MULTI WAN TECHNICAL OVERVIEW

Management of Exceptions on Access Control Policies

Security Technology: Firewalls and VPNs

Firewall Policy Anomaly Management with Optimizing Rule Order

Comparing and debugging firewall rule tables

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Polycom. RealPresence Ready Firewall Traversal Tips

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

CSCE 465 Computer & Network Security

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

SPML: A Visual Approach for Modeling Firewall Configurations

CSCI Firewalls and Packet Filtering

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

How To Set Up An Ip Firewall On Linux With Iptables (For Ubuntu) And Iptable (For Windows)

A Model Design of Network Security for Private and Public Data Transmission

Application Note. Stateful Firewall, IPS or IDS Load- Balancing

Methods for Firewall Policy Detection and Prevention

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

International Journal of Scientific & Engineering Research, Volume 6, Issue 5, May ISSN

How To Load balance traffic of Mail server hosted in the Internal network and redirect traffic over preferred Interface

2. Are explicit proxy connections also affected by the ARM config?

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

The Research and Application of Multi-Firewall Technology in Enterprise Network Security

FIREWALLS & CBAC. philip.heimer@hh.se

Optimization of Firewall Filtering Rules by a Thorough Rewriting

Firewalls P+S Linux Router & Firewall 2013

How To Connect Xbox 360 Game Consoles to the Router by Ethernet cable (RJ45)?

Technical Support Information

BorderWare Firewall Server 7.1. Release Notes

FIREWALL AND NAT Lecture 7a

Cisco PIX vs. Checkpoint Firewall

Guideline for setting up a functional VPN

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

12. Firewalls Content

Overview. Firewall Security. Perimeter Security Devices. Routers

Firewalls. Chapter 3

Virtual Data Centre. User Guide

EFFECTIVE DATA RECOVERY FOR CONSTRUCTIVE CLOUD PLATFORM

Conflict Classification and Analysis of Distributed Firewall Policies

What would you like to protect?

Track 2 Workshop PacNOG 7 American Samoa. Firewalling and NAT

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

(51) Int Cl.: H04L 29/06 ( ) H04L 12/24 ( )

Chapter 3 Restricting Access From Your Network

Use Domain Name System and IP Version 6

Deployment Scenarios

Com.X Router/Firewall Module. Use Cases. White Paper. Version 1.0, 21 May Far South Networks

A typical router setup between WebSAMS and ITEd network is shown below for reference. DSU. Router

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

vcloud Director User's Guide

Firewalls (IPTABLES)

How To Understand A Firewall

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Packet Filtering using the ADTRAN OS firewall has two fundamental parts:

IP Ports and Protocols used by H.323 Devices

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

DMZ Network Visibility with Wireshark June 15, 2010

Transcription:

An Approach for improving Network Performance using Cross-Domain Cooperative Secrecy-Maintaining Firewall Optimization Yogita Nikhare 1 andprof. Anil Bende 2 1 M.TechScholar, Department of Computer Science and Engineering, J D College of Engineering & Management, RTM University, Nagpur, India sanyog1988@gmail.com 2 Assistant Professor, Department of Computer Science and Engineering, J D College of Engineering & Management, Nagpur, India anilbende@gmail.com Abstract Firewalls are commonly deployed on the Internet for securing private networks. A firewall checks each incoming or outgoing packet to choose whether to accept or reject the packet based on its policy. Optimizing firewall policies is necessary for improving network performance. The optimization process involves cooperative computation between the two firewalls with no any party disclosing its strategy to the other.in this paper we are going to explain first cross-domain privacy-preserving cooperative firewall strategy optimization protocol. For any two adjoining firewalls belonging to two dissimilar administrative domains, our protocol can recognize in each firewall the rules that can be removed because of the other firewall. Keywords- Cross- Domain, Interfirewall Optimization 1. Introduction A firewall is defined as any device usedto filter or direct the flow of traffic. Firewalls are typicallyimplemented on the network outer limits and function bydefining trusted and untrusted region. Most firewalls will allow traffic from the trusted zone to theuntrusted zone, with no anyexplicit configuration. However, traffic from theuntrusted zone to the trusted zone must be clearly permitted. Thus, any traffic that is not explicitly permittedfrom the untrusted to trusted zone will be absolutely denied (by default on most firewall systems). The vital function of a firewall is to keep unwanted guests from browsing your network [1]. A firewall can be a hardware device or a softwareapplication and usually is placed at the boundary of thenetwork to act as the gatekeeper for all incoming and outgoing traffic. There are essentially four mechanisms used by firewalls to limit traffic. One device or application may use more than one of these in combination with each other to give more indepth protection. The four mechanisms are packet filtering, circuit-level gateway, and proxy server and application gateway. Packet Filtering is one of the core services provided by firewalls. Packets can be filtered (permitted or denied) based on a wide range of criteria: Source address Destination address Protocol Type (IP, TCP, UDP, ICMP, ESP, etc.) Source Port Destination Port Packet filtering is implemented as a rule-list. The order of the rule-list is a significant consideration. The rule-list is at all times parsed from top-to-bottom [2]. Each physical interface of a router/firewall is configured with two ACLs: one for filtering outgoing packets and the other one for filtering incoming packets. The number of rules in a firewall considerably affects its throughput. As the number of rules increases firewall performance decreases. 1423

evolution of network and system environments. The process of configuring a firewall is tedious and error prone. Therefore, efficient mechanisms and tools for policy management are vital to the success of firewalls. 3.1Limitation of Prior work Figure 1. Effect of the number of rules on the throughput 2. Cross-Domain Interfirewall Optimization No earlier work focuses on cross-domain privacypreserving interfirewall optimization.we focus on removing interfirewall policy redundancies in a privacy-preserving way. Consider two adjacent firewalls 1 and 2 belonging to dissimilar administrative domains Net1 and Net2. Let F1 indicate the policy on firewall 1 s outgoing interface to firewall 2 and F2 indicate the policy on firewall 2 s incoming interface from firewall 1. For a rule r in F2, if all the packets that match r but do not match any rule over r in F2 are discarded by F1, rule r can be removed because such packets never come to F2. We call rule r an interfirewall redundant rule with respect to F1 [1]. Figure 2 illustrates interfirewall redundancy, where two adjoining routersbelong to dissimilar administrative domains CSE and EE. Prior work focuses on intrafirewall optimization or interfirewall optimization within one administrative domain, where privacy of firewall policies is not considered. In intrafirewall it contains only the single firewall, where optimization is done and in interfirewall it includes two firewalls but they are in one network and optimization is done without any privacy preserving. But no prior work focuses on interfirewall optimization between more than one administrative domains and major concern is that firewall policies are not known to each other so that privacy is preserved. Also in the previous work numbers of rules in the firewall are not the concern. The number of rules in a firewall significantly affects its throughput. 4. Proposed Plan In this paper, we have proposed four modules: Module 1: Login window for authentication for administrator. Module 2: Setting of rules of firewall and redundancy removal in the intrafirewall. Module 3: Redundancy removal using Pohlig- Hellman commutative encryption algorithm in interfirewall. Module 4: Analysis and Testing. The configuration for proposed system is shown in the figure 3. Figure 2. Example interfirewall redundant rules. 3. Related Work Prior work on firewall optimization did not consider minimizing and maintaining the privacy of firewall policies. Firewall policy management is a difficult chore due to the complexity andinterdependency of policy rules. This is further studied by thecontinuous 1424

Reject No START LOGIN N1 send packet Yes F1 Outgoing Rule Accept Input: Sets of rules Output: Few rules which are redundant with respect to FW1 4. In the analysis part we have done the evaluation of proposed system and our approach i.e. the algorithm which we have proposed in this paper which is different than the existing system as it requires minimum processing time than the existing system as the number of rules decreases. We have tested this result on the two synthetic firewalls i.e. firewall1 of one administrative domain and firewall2 of second administrative domain. 5. Implementation Details Reject F2 Incoming Rule N2 receive packet Accept Figure 3. Data Flow chart of two administrative domains Terminologies used in the above figure are: N1- Network 1(Administrative domain 1) N2- Network 2(Administrative domain 2) F1- Firewall 1 F2- Firewall 2 1. In the login window for authentication, we have created GUI for authentication of administrator. Also we have created firewall model in which we have made application and added the different parameters for the rules of the firewall i.e. Incoming and outgoing rules. 2. Then we will set the incoming and outgoing rules of firewalls using parameters like source IP, destination IP, source port, destination port, protocol type and action.and then we will remove intrafirewall redundant rules i.e. overlapping rules in individual firewall. 3. In the third module, we have usedpohlig-hellman Commutative encryption algorithm to remove redundant rules ininterfirewall i.e. the rules of firewall 2 with respect to firewall 1. The algorithm works as follows: In Firewall policy, packet may match many rules havingdissimilar decisions. To resolve these conflicts, firewalls employ first match semantics where the decision of the packet is the decision of the first rule that packet matches. The project is different from the existing system in such a way that, in existing system the algorithm used for removing the rules consists of four steps i.e. prefix conversion, prefix family construction, prefix numericalization and comparison. So, it requires more time to remove rules. So for reducing this processing time we proposed the same algorithm and make changes in that algorithm in such a way that without using the above four steps the privacy is preserved and no firewall can access the rules of other firewall. In this algorithm, we use private keysfor encryption in each administrative domains and works like diffiehellman key exchange algorithm. The snapshots of the implementation of the algorithm are as follows: Figure 4. Outgoing rules of firewall1 1425

In the first evaluation as the number of rules more the processing time is also more in both proposed and our approach. But as the number of rules is minimized the processing time is also minimized in both the cases. And our approach requires less processing time as number of rules is removed without disclosing policies to each other, hence this is the best approach for maintaining privacy as well as removing the redundant rules. The graphs are as follows: Figure5. Incoming rules of firewall2 Figure 6.Intrafirewall redundant rule is removed in firewall1 Figure 8. Evaluation 1 when number rules are more Figure 9. Evaluation 2 when number of rules is less Figure 7. Final output showing removal of redundant rules using PHA algorithm 6. Analysis Of System Now, the analysis is done by showing the graphs, two graphs are shown which shows the processing time of algorithm. 7. Conclusion And Future Work Hence by using cross-domain cooperative privacy preserving protocol we have identified and remove the redundant rules in firewall 1 with respect to firewall 2 without disclosing policies to each other. But again we have identified and remove the redundant rules in the same way in firewall 2 with respect to firewall 1426

1.As redundant rules are removed the network performance is improved. The response time is also improved and the communication cost and processing time is reduced. As our current protocol i.e. privacy preserving cooperative firewall optimization protocol cannot operate on Network Address Translation (NAT) devices between the two adjacent firewalls. If we relate our protocol to such cases then it will furnish some remarkable results. 8. References [1] Fei Chen, BezawadaBruhadeshwar, and Alex X. Liu, Cross-Domain Privacy-Preserving CooperativeFirewall Optimization, IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 21, NO. 3, JUNE 2013. [2] ArunaDevi.R, PON Arivanandham, Interfirewall Optimization across AdministrativeDomains for Enabling Privacy Preserving andsecurity, (IJCSIT) International Journal of Computer Science and Information Technologies, Vol. 4 (6), 2013, 808-812 [3] E. Al-Shaer and H. Hamed, Discovery of policy anomalies in distributed firewalls, in Proc. IEEE INFOCOM, 2004, pp. 2605 2616. [4] J. Cheng, H. Yang, S. H.Wong, and S. Lu, Design and implementation of cross-domain cooperative firewall,in Proc. IEEE ICNP, 2007, pp. 284 293. [5] M. G. Gouda and A. X. Liu, Structured firewall design,comput.netw., vol. 51, no. 4, pp. 1106 1120, 2007. [6] A. X. Liu and F. Chen, Collaborative enforcement of firewall policies in virtual private networks, in Proc. ACM PODC, 2008, pp. 95 104. [7] A. X. Liu and M. G. Gouda, Complete redundancy removal for packet classifiers in TCAMs, IEEE Trans. Parallel Distrib. Syst., vol. 21, no. 4, pp. 424 437, Apr. 2010. [8] A. X. Liu, C. R. Meiners, and Y. Zhou, All-match based complete redundancy removal for packet classifiers in TCAMs, in Proc. IEEEINFOCOM, 2008, pp. 574 582. [9] A. X. Liu, E. Torng, and C. Meiners, Firewall compressor: An algorithm for minimizing firewall policies, in Proc. IEEE INFOCOM, 2008. [10] S. C. Pohlig and M. E. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance,ieeetrans. Inf. Theory, vol. IT-24, no. 1, pp. 106 110, Jan. 1978. [11] L. Yuan, H. Chen, J. Mai, C.-N.Chuah, Z. Su, and P. Mohapatra, Fireman: A toolkit for firewall modeling and analysis, in Proc. IEEES&P, 2006, pp. 199 213. 1427

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information