Firewalls have been widely deployed on the Internet for securing private networks. A firewall checks every incoming or outgoing packet and decides whether to accept or discard it based on its policy. Optimizing firewall policies is crucial for improving network performance. Prior work on firewall optimization focuses on either intra-firewall or inter-firewall optimization within a single administrative domain, where the privacy of firewall policies is not a concern. This project explores inter-firewall optimization across administrative domains for the first time. The key technical challenge is that firewall policies cannot be shared across domains, because a policy contains confidential information and may even reveal security holes that attackers could exploit.
In this project, we propose the first cross-domain privacy-preserving cooperative firewall policy optimization protocol. Specifically, for any two adjacent firewalls belonging to two different administrative domains, our protocol can identify in each firewall the rules that can be removed because of the other firewall. The optimization process involves cooperative computation between the two firewalls without either party disclosing its policy to the other. We implemented our protocol and conducted extensive experiments. The results on real firewall policies show that our protocol can remove many of the rules in a firewall. The communication cost is less than a few hundred kilobytes. Our protocol incurs no extra online packet processing overhead, and the offline processing time is less than a few hundred seconds.
In this project, we also propose a novel anomaly management framework for firewalls, based on a rule-based segmentation technique, to facilitate not only more accurate anomaly detection but also effective anomaly resolution.
Based on this technique, the network packet space defined by a firewall policy can be divided into a set of disjoint packet segments. Each segment is associated with a unique set of firewall rules and accurately indicates an overlap relation (either conflicting or redundant) among those rules.
We also introduce a flexible conflict resolution method that enables fine-grained conflict resolution with the help of several effective resolution strategies, taking into account the risk assessment of the protected network and the intention of the policy definition.
• Correlation of Packet Space Segment
• Action Constraint Generation
• Rule Reordering
• Data Package
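The following is an added example, not code from this project, showing the two ideas described above on constructed sample policies: (1) splitting the packet space of one firewall policy into disjoint segments, each labelled with the set of rules that overlap on it, and classifying each segment as non-overlapping, redundant (same action) or conflicting (different actions); and (2) finding the rules of a downstream firewall that can be removed because an upstream firewall in another domain already discards every packet they would handle. Part (2) is deliberately the plaintext baseline: both policies are visible to the code, whereas the project's protocol computes the same set without either side revealing its policy, and that privacy-preserving computation is not reproduced here. Assumptions: a rule is a hyper-rectangle of inclusive integer intervals over two header fields (a source address written as a small integer and a destination port), policies use first-match semantics and end with a catch-all rule, and packets flow from FW1 to FW2; the rule names r1..r4 and s1..s4 are hypothetical.

```python
from collections import defaultdict
from itertools import product

# A rule is (ranges, action, name). `ranges` is a tuple of inclusive integer
# intervals, one per header field. Two fields (source address, destination
# port) keep the sample small; nothing below depends on the field count.
# Policies use first-match semantics and are assumed to end with a catch-all.


def elementary_intervals(rules, dim):
    """Cut one dimension at every rule boundary. Packets that share the same
    elementary interval in every dimension are matched by exactly the same
    rules, so the grid of these intervals is a sufficient packet space."""
    cuts = set()
    for ranges, _, _ in rules:
        lo, hi = ranges[dim]
        cuts.update((lo, hi + 1))
    pts = sorted(cuts)
    return [(pts[i], pts[i + 1] - 1) for i in range(len(pts) - 1)]


def grid_cells(rules):
    ndim = len(rules[0][0])
    return product(*(elementary_intervals(rules, d) for d in range(ndim)))


def covers(ranges, cell):
    """True if the rule's hyper-rectangle contains the whole grid cell."""
    return all(lo <= clo and chi <= hi
               for (lo, hi), (clo, chi) in zip(ranges, cell))


def segment_packet_space(rules):
    """Split one policy's packet space into disjoint segments, keyed by the
    set of rule names that overlap on that segment (cells no rule covers are
    dropped)."""
    segments = defaultdict(list)
    for cell in grid_cells(rules):
        names = frozenset(n for ranges, _, n in rules if covers(ranges, cell))
        if names:
            segments[names].append(cell)
    return dict(segments)


def classify_segments(rules, segments):
    """One rule -> non-overlapping; several rules, one action -> redundant;
    several rules, different actions -> conflicting."""
    action_of = {name: action for _, action, name in rules}
    labels = {}
    for names in segments:
        if len(names) == 1:
            labels[names] = "non-overlapping"
        elif len({action_of[n] for n in names}) == 1:
            labels[names] = "redundant"
        else:
            labels[names] = "conflicting"
    return labels


def first_match(rules, cell):
    for ranges, action, name in rules:
        if covers(ranges, cell):
            return name, action
    return None, None


def removable_downstream_rules(upstream, downstream):
    """Rules of `downstream` that no packet accepted by `upstream` ever
    reaches as its first match; deleting them leaves the combined behaviour
    unchanged. The trailing catch-all is always kept as the default rule,
    even though no accepted packet may reach it either."""
    reached = set()
    for cell in grid_cells(upstream + downstream):
        _, up_action = first_match(upstream, cell)
        if up_action != "accept":
            continue  # already discarded upstream, never arrives at downstream
        name, _ = first_match(downstream, cell)
        if name is not None:
            reached.add(name)
    return [name for _, _, name in downstream[:-1] if name not in reached]


# Constructed sample policies (hypothetical rule names). Packets flow
# FW1 (upstream, one domain) -> FW2 (downstream, another domain).
ANY_SRC, ANY_PORT = (0, 255), (0, 65535)
FW1 = [
    ((ANY_SRC, (22, 22)), "discard", "r1"),
    ((ANY_SRC, (80, 80)), "accept", "r2"),
    (((0, 99), (443, 443)), "accept", "r3"),
    ((ANY_SRC, ANY_PORT), "discard", "r4"),
]
FW2 = [
    (((10, 20), (22, 22)), "discard", "s1"),   # FW1.r1 already drops port 22
    ((ANY_SRC, (80, 80)), "accept", "s2"),
    ((ANY_SRC, (443, 443)), "accept", "s3"),   # reachable from src 0..99
    ((ANY_SRC, ANY_PORT), "discard", "s4"),
]

if __name__ == "__main__":
    segs = segment_packet_space(FW2)
    for names, label in classify_segments(FW2, segs).items():
        print(sorted(names), label, len(segs[names]), "cell(s)")
    print("removable in FW2 given FW1:", removable_downstream_rules(FW1, FW2))
```

On FW2 alone, the segment covered by s1 and s4 is labelled redundant (both discard), while the s2/s4 and s3/s4 segments are conflicting overlaps resolved by rule order. Across the two firewalls, s1 is reported as removable because FW1 discards all port-22 traffic before it can reach FW2, whereas s3 survives because FW1 accepts port 443 from sources 0..99. The catch-all s4 is never reached by accepted traffic either, but the code keeps it on purpose: removing the default rule would silently turn the policy's fail-closed behaviour on FW2 into a dependence on FW1's configuration.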