
    Improving Performance of Cross-Domain Firewalls in Multi-Firewall System

    A firewall protects a local network from an untrusted public network such as the Internet. Every packet entering or leaving the network is inspected at the firewall. Local network policies are converted into rules and stored in the firewall, which uses them to restrict access from the external network into the local network and vice versa. Packets are checked against the rules sequentially, so an increase in the number of rules decreases firewall performance. The key to improving performance is therefore to reduce the number of rules. Optimization reduces the rule count by removing anomalies and redundancies from the rule list. It has been observed, however, that reducing the number of rules alone is not sufficient, since most of the time is spent in rule verification; a fast verification method is therefore needed to reduce rule-checking time. Prior work focuses on either intra-firewall or inter-firewall optimization within a single administrative domain. In cross-domain firewall optimization, the key requirement is to keep each domain's rules secret from the others, because they contain confidential information that attackers could exploit. The proposed system implements cross-domain firewall rule optimization in a multi-firewall environment. The optimized rule set is then converted into a Binary Tree Firewall (BTF) to reduce packet-checking time and further improve firewall performance. DOI: 10.17762/ijritcc2321-8169.16047

    Applying Formal Methods to Networking: Theory, Techniques and Applications

    Despite its great importance, modern network infrastructure is remarkable for the lack of rigor in its engineering. The Internet, which began as a research experiment, was never designed to handle the users and applications it hosts today. The lack of formalization of the Internet architecture meant limited abstractions and modularity, especially for the control and management planes, so that every new need required a new protocol built from scratch. This led to an unwieldy, ossified Internet architecture resistant to any attempt at formal verification, and an Internet culture in which expediency and pragmatism are favored over formal correctness. Fortunately, recent work on clean-slate Internet design, especially the software-defined networking (SDN) paradigm, offers the Internet community another chance to develop the right kind of architecture and abstractions. This has also led to a great resurgence of interest in applying formal methods to the specification, verification, and synthesis of networking protocols and applications. In this paper, we present a self-contained tutorial of the formidable amount of work that has been done in formal methods, and a survey of its applications to networking. Comment: 30 pages, submitted to IEEE Communications Surveys and Tutorials

    A Novel Hybrid Security Framework (HSF) with Vshield Based Firewall to Secure Cloud Computing Environment

    Cloud computing is an emerging technology that provides an enormous amount of computing resources, including networks, servers and storage, accessed through the Internet. It also allows provisioning of those resources on demand. A crucial aspect of cloud computing infrastructure is providing secure and reliable services, and the main security challenge is to reduce the impact of third-party attacks in the cloud environment. Hence a novel Hybrid Security Framework (HSF), based on a Reinforcement Learning (RL) methodology combined with a Vshield firewall, is proposed for securing the cloud environment. The RL method is used for deep packet inspection, and the Vshield-based firewall is configured to deny malicious traffic when authenticating the signatures of incoming packets. A bipartite pattern-matching approach is integrated with the RL method to verify signatures so that decisions are reached quickly. Simulation results show that the hybrid security framework is effective compared with existing methods in terms of response time, resource utilization and denial of malicious attacks. This indicates that the proposed framework achieves not only better security but also better efficiency in the cloud computing environment.

    Inconsistency Detection Method for Access Control Policies

    In enterprise environments, assigning access control rights to subjects for resources is not a trivial task. Because of their complexity, distribution and size, access control policies can contain anomalies such as inconsistencies, which can result in security vulnerabilities. A set of access control policies is inconsistent when, in specific situations, different and incompatible policies can apply. Many researchers have tried to address the inconsistency problem using methods based on formal logic; however, that approach is difficult to implement and inefficient for large policy sets. In this paper we therefore propose a simple, efficient and practical solution for detecting inconsistencies in access control policies with the help of a modified C4.5 data classification algorithm.

    To Provide An Innovative Policy Anomaly Management Framework For Firewalls

    Firewalls have been widely deployed on the Internet for securing private networks. A firewall checks each incoming or outgoing packet and decides whether to accept or discard it based on its policy. Optimizing firewall policies is vital for improving network performance. In this paper we propose the first cross-domain privacy-preserving cooperative firewall policy optimization protocol. Specifically, for any two adjacent firewalls belonging to two different administrative domains, our protocol can identify in each firewall the rules that can be removed because of the other firewall. The optimization involves cooperative computation between the two firewalls without either party disclosing its policy to the other. Firewalls are significant in securing the private networks of businesses, institutions and homes. A firewall is typically placed at the entry point between a private network and the external network so that it can inspect each incoming or outgoing packet and decide whether to accept or discard it based on its policy. A firewall policy is typically specified as a sequence of rules called an Access Control List (ACL); each rule has a predicate over multiple packet header fields (source IP, destination IP, source port, destination port and protocol type) and a decision (accept or discard) for the packets that match the predicate.
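    The rule-removal step that the two firewall-optimization abstracts above rely on, and the "incompatible policies applying to the same situation" that the access-control abstract calls an inconsistency, both reduce to a pairwise covering/overlap test on rule predicates. The following is an added example written for this page, not code from any of the papers: it detects the classic anomaly classes (shadowing, redundancy, generalization, correlation) in a first-match ACL of 5-tuple range predicates and lists the rules that can be deleted without changing any decision. It is the single-firewall version only; the cross-domain protocol in the paper above applies the same covering test against the adjacent firewall's rules without revealing them, which this example does not attempt. The sample policy is constructed for illustration.

```python
"""Pairwise anomaly detection over a first-match firewall rule list.

Added example (not code from either paper above). A rule is a 5-tuple
predicate of inclusive integer ranges plus an action; the list is evaluated
top-down and the first matching rule decides. Classic anomaly classes:
  shadowing      - an earlier rule covers all of rule j's packets and disagrees
                   on the action, so j can never fire;
  redundancy     - an earlier rule covers all of j's packets and agrees, so j
                   never fires either and can be dropped;
  generalization - j is a superset of an earlier rule with a different action
                   (usually an intended exception; reported for review only);
  correlation    - partial overlap with different actions (order-sensitive).
The sample policy below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Iterator, List, Tuple

Range = Tuple[int, int]            # inclusive [lo, hi]
PROTO_NUM = {"tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Rule:
    name: str
    src: Range
    dst: Range
    sport: Range
    dport: Range
    proto: Range                   # (0, 255) means "any"
    action: str                    # "accept" | "discard"

    def fields(self) -> Tuple[Range, ...]:
        return (self.src, self.dst, self.sport, self.dport, self.proto)


def cidr(text: str) -> Range:
    net = ip_network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def port(text: str) -> Range:
    if text == "any":
        return 0, 65535
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def proto(text: str) -> Range:
    return (0, 255) if text == "any" else (PROTO_NUM[text], PROTO_NUM[text])


def within(a: Range, b: Range) -> bool:
    """a is a subset of b."""
    return b[0] <= a[0] and a[1] <= b[1]


def overlaps(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def covers(outer: Rule, inner: Rule) -> bool:
    """Every packet matched by inner is also matched by outer."""
    return all(within(fi, fo) for fi, fo in zip(inner.fields(), outer.fields()))


def intersects(a: Rule, b: Rule) -> bool:
    return all(overlaps(fa, fb) for fa, fb in zip(a.fields(), b.fields()))


def anomalies(rules: List[Rule]) -> Iterator[Tuple[str, str, str]]:
    """Yield (kind, later_rule, earlier_rule) for each anomalous pair."""
    for j, rj in enumerate(rules):
        for ri in rules[:j]:                     # ri precedes rj
            if not intersects(ri, rj):
                continue
            same = ri.action == rj.action
            if covers(ri, rj):
                yield ("redundancy" if same else "shadowing", rj.name, ri.name)
            elif covers(rj, ri):
                if not same:
                    yield ("generalization", rj.name, ri.name)
            elif not same:
                yield ("correlation", rj.name, ri.name)


def removable(rules: List[Rule]) -> List[str]:
    """Rules that can be deleted without changing any decision: a rule fully
    covered by an earlier rule is never reached under first-match semantics,
    whether the earlier rule agrees (redundancy) or not (shadowing)."""
    return sorted({later for kind, later, _ in anomalies(rules)
                   if kind in ("shadowing", "redundancy")})


SAMPLE = [  # constructed policy, first match wins
    Rule("r1", cidr("10.0.0.0/8"),    cidr("192.168.1.0/24"),  port("any"),        port("80"),      proto("tcp"), "accept"),
    Rule("r2", cidr("10.1.0.0/16"),   cidr("192.168.1.0/24"),  port("any"),        port("80"),      proto("tcp"), "discard"),
    Rule("r3", cidr("10.1.2.0/24"),   cidr("192.168.1.10/32"), port("any"),        port("80"),      proto("tcp"), "accept"),
    Rule("r4", cidr("0.0.0.0/0"),     cidr("192.168.1.0/24"),  port("any"),        port("443"),     proto("tcp"), "discard"),
    Rule("r5", cidr("172.16.0.0/12"), cidr("192.168.1.0/24"),  port("any"),        port("443"),     proto("tcp"), "accept"),
    Rule("r6", cidr("10.0.0.0/8"),    cidr("192.168.0.0/16"),  port("any"),        port("22"),      proto("tcp"), "discard"),
    Rule("r7", cidr("10.0.0.0/8"),    cidr("0.0.0.0/0"),       port("any"),        port("22-25"),   proto("any"), "accept"),
    Rule("r8", cidr("10.2.0.0/16"),   cidr("192.168.1.0/24"),  port("1024-65535"), port("80-8080"), proto("tcp"), "discard"),
]

if __name__ == "__main__":
    for kind, later, earlier in anomalies(SAMPLE):
        print(f"{kind:14s} {later} vs earlier {earlier}")
    print("removable:", removable(SAMPLE))
```

    Only shadowed and redundant rules are safe to drop automatically; a generalization (r7 over r6) is usually a deliberate exception and a correlation (r8 with r1) means the decision depends on rule order, so both are reported for a human to resolve rather than removed.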

    Collaborative enforcement of firewall policies in virtual private networks

    The widely deployed Virtual Private Network (VPN) technology allows roaming users to build an encrypted tunnel to a VPN server, which then lets them access resources as if their computer were residing on their home organization's network. Although VPN technology is very useful, it poses security threats to the remote network, because its firewall does not know what traffic is flowing inside the VPN tunnel. To address this issue, we propose VGuard, a framework that allows a policy owner and a request owner to collaboratively determine whether the request satisfies the policy, without the policy owner learning the request and without the request owner learning the policy. We first present an efficient protocol, called Xhash, for oblivious comparison, which allows two parties that each hold a number to check whether they have the same number without disclosing their numbers to each other. Then we present the VGuard framework, which uses Xhash as its basic building block. The basic idea of VGuard is to first convert a firewall policy into non-overlapping numerical rules and then use Xhash to check whether a request matches a rule. Compared with the Cross-Domain Cooperative Firewall (CDCF) framework, which represents the state of the art, VGuard is not only more secure but also orders of magnitude more efficient. On real-life firewall policies, our experimental results show that for processing packets VGuard is 552 times faster than CDCF on one party and 5035 times faster than CDCF on the other party.
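    The page does not give the Xhash construction itself, so the following added example (written for this page, not taken from the VGuard or CDCF papers) shows the textbook building block such oblivious-comparison protocols are built on: a commutative cipher E_k(x) = x^k mod p, so that E_a(E_b(x)) = E_b(E_a(x)) and two parties can test x = y by comparing doubly-encrypted values. It then extends the equality test to the "does the request match one of the policy's numerical rules" step, where the request owner learns only the index of the matching rule. The prime p and the SHA-256 mapping into the group are choices made here, not from the paper; security rests on the discrete-logarithm assumption and on both parties following the protocol (honest-but-curious).

```python
"""Oblivious equality / membership test with a commutative cipher.

Added example; not the Xhash protocol from the VGuard paper (the page does not
give it). E_k(x) = x^k mod p with gcd(k, p-1) = 1 is a bijection on Z_p^* and
commutes: E_a(E_b(x)) == E_b(E_a(x)). Comparing E_ab(x) with E_ab(y) reveals
only whether x == y. Messages are listed explicitly so the exchange can be
followed. Inputs are constructed here for illustration.
"""
import hashlib
import math
import secrets
from typing import List, Optional, Tuple

# Assumption: a large prime with a hard discrete log; 2^127 - 1 is convenient.
P = (1 << 127) - 1


def to_group(value: bytes) -> int:
    """Map an arbitrary value into Z_p^*; 0 is excluded because 0^k == 0."""
    x = int.from_bytes(hashlib.sha256(value).digest(), "big") % P
    return x or 1


def keygen() -> int:
    """Secret exponent coprime to p-1 so that x -> x^k is a bijection."""
    while True:
        k = secrets.randbelow(P - 2) + 2
        if math.gcd(k, P - 1) == 1:
            return k


def encrypt(x: int, k: int) -> int:
    return pow(x, k, P)


class Party:
    def __init__(self, name: str, value: bytes) -> None:
        self.name = name
        self.key = keygen()
        self.own_enc = encrypt(to_group(value), self.key)   # E_k(own value)

    def blind(self, ciphertext: int) -> int:
        """Apply this party's key on top of the peer's single-encrypted value."""
        return encrypt(ciphertext, self.key)


def oblivious_equal(alice: Party, bob: Party) -> Tuple[bool, List[str]]:
    """Two-round exchange; returns (equal?, transcript)."""
    log: List[str] = []
    # round 1: each side sends its value under its own key only
    ea_x = alice.own_enc
    log.append(f"{alice.name}->{bob.name}: E_a(x)={ea_x:x}")
    eb_y = bob.own_enc
    log.append(f"{bob.name}->{alice.name}: E_b(y)={eb_y:x}")
    # round 2: each side re-encrypts what it received with its own key
    eba_x = bob.blind(ea_x)
    log.append(f"{bob.name}->{alice.name}: E_b(E_a(x))={eba_x:x}")
    eab_y = alice.blind(eb_y)
    log.append(f"{alice.name}->{bob.name}: E_a(E_b(y))={eab_y:x}")
    # both now hold E_ab(x) and E_ab(y); they are equal iff x == y
    return eba_x == eab_y, log


def private_membership(request: bytes, policy: List[bytes]) -> Tuple[Optional[int], List[str]]:
    """Request owner learns which policy entry (if any) equals its request and
    nothing else; the policy owner sees only E_a(q). One rule per numeric
    value, as in a policy converted to non-overlapping numerical rules."""
    a, b = keygen(), keygen()          # a: request owner, b: policy owner
    log: List[str] = []
    ea_q = encrypt(to_group(request), a)                    # request owner
    log.append(f"request->policy: E_a(q)={ea_q:x}")
    eba_q = encrypt(ea_q, b)                                # policy owner
    eb_rules = [encrypt(to_group(r), b) for r in policy]    # policy owner
    log.append(f"policy->request: E_b(E_a(q)) and {len(eb_rules)} values E_b(r_i)")
    eab_rules = [encrypt(c, a) for c in eb_rules]           # request owner
    match = next((i for i, v in enumerate(eab_rules) if v == eba_q), None)
    return match, log


if __name__ == "__main__":
    same, transcript = oblivious_equal(Party("A", b"42"), Party("B", b"42"))
    print("\n".join(transcript), "\nequal:", same)
    idx, _ = private_membership(b"tcp 10.1.2.3:4444 -> 192.168.1.10:80",
                                [b"rule-0", b"tcp 10.1.2.3:4444 -> 192.168.1.10:80"])
    print("matching rule index:", idx)
```

    The policy owner should send E_b(r_i) in a fixed rule order so the index maps back to a decision; if the request owner must not learn the index either, the policy side shuffles the list and returns the decision for the doubly-encrypted value instead.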

    The Policy Mapping Algorithm for High-speed Firewall Policy Verifying

    In this paper, we propose a novel algorithm and data structures to improve the speed of firewall policy verification, called policy mapping (PMAP). The time complexity of the proposed technique is O(1) for verifying incoming and outgoing packets against the firewall policy. In addition, the algorithm is not limited to handling IP network classes, unlike IPSET, which is the leading high-speed open-source firewall tool today. PMAP can also optimize firewall rule decisions by employing the firewall decision state diagram (FDSD) to clarify the ordering of policy verification. The memory consumed by PMAP is reasonable: it uses around 3.27 GB to maintain the rule data structures for a policy of 5,000 rules.
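    The page does not describe PMAP's data structures, so the following added example (written for this page, not the paper's code) shows the classic way to get per-packet verification whose cost does not grow with the rule count: each header field is mapped through a directly indexed table to a bitmask of the rules that accept that value, the five masks are ANDed, and the lowest set bit is the first matching rule. Ports and protocol use flat tables; IPv4 addresses use a two-level table so that only /16 blocks containing a rule boundary are expanded, which is exactly the memory-for-time trade that makes such structures large. The rules and packets are constructed for illustration.

```python
"""Constant-time (in rule count) first-match lookup via direct-indexed tables.

Added example, not PMAP itself. Every field value indexes a table holding a
bitmask of the rules whose range contains that value; AND the masks, take the
lowest set bit. Lookup does five table reads and a few ANDs regardless of how
many rules exist (the AND over an n-bit mask is O(n/wordsize), constant for
practical policies); memory is paid up front at build time.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union

Range = Tuple[int, int]                 # inclusive [lo, hi]
Entry = Union[int, List[int]]           # flat mask for a /16, or a 65536-entry leaf


def net(text: str) -> Range:
    n = ip_network(text, strict=False)
    return int(n.network_address), int(n.broadcast_address)


def addr(text: str) -> int:
    return int(ip_address(text))


def build_flat_table(ranges: List[Range], size: int) -> List[int]:
    """table[v] = bitmask of rules whose range contains v (ports, protocol)."""
    table = [0] * size
    for rid, (lo, hi) in enumerate(ranges):
        bit = 1 << rid
        for v in range(lo, hi + 1):
            table[v] |= bit
    return table


def build_ip_table(ranges: List[Range]) -> List[Entry]:
    """Two-level table over IPv4: top[hi16] is either a mask valid for the whole
    /16 block, or a 65536-entry leaf indexed by the low 16 bits."""
    top: List[Entry] = [0] * (1 << 16)
    for rid, (lo, hi) in enumerate(ranges):
        bit = 1 << rid
        for blk in range(lo >> 16, (hi >> 16) + 1):
            start = max(lo, blk << 16) & 0xFFFF
            end = min(hi, (blk << 16) | 0xFFFF) & 0xFFFF
            entry = top[blk]
            if start == 0 and end == 0xFFFF and isinstance(entry, int):
                top[blk] = entry | bit           # whole block covered: stay flat
                continue
            if isinstance(entry, int):           # first boundary inside this /16
                entry = [entry] * (1 << 16)      # every host inherits the flat mask
                top[blk] = entry
            for v in range(start, end + 1):
                entry[v] |= bit
    return top


def lookup_ip(top: List[Entry], address: int) -> int:
    entry = top[address >> 16]
    return entry if isinstance(entry, int) else entry[address & 0xFFFF]


class PacketMap:
    def __init__(self, rules: List[Tuple[Range, Range, Range, Range, Range, str]],
                 default: str = "discard") -> None:
        self.actions = [r[5] for r in rules]
        self.default = default
        self.src = build_ip_table([r[0] for r in rules])
        self.dst = build_ip_table([r[1] for r in rules])
        self.sport = build_flat_table([r[2] for r in rules], 1 << 16)
        self.dport = build_flat_table([r[3] for r in rules], 1 << 16)
        self.proto = build_flat_table([r[4] for r in rules], 256)

    def verify(self, src: int, dst: int, sport: int, dport: int,
               proto: int) -> Tuple[str, Optional[int]]:
        """First-match decision: (action, rule index) or (default, None)."""
        mask = (lookup_ip(self.src, src) & lookup_ip(self.dst, dst)
                & self.sport[sport] & self.dport[dport] & self.proto[proto])
        if mask == 0:
            return self.default, None
        rid = (mask & -mask).bit_length() - 1   # lowest set bit = earliest rule
        return self.actions[rid], rid


RULES = [  # constructed policy: (src, dst, sport, dport, proto, action)
    (net("10.0.0.0/8"),     net("192.168.1.0/24"),  (0, 65535),    (80, 80),   (6, 6),   "accept"),
    (net("10.1.0.0/16"),    net("192.168.0.0/16"),  (0, 65535),    (22, 22),   (6, 6),   "discard"),
    (net("0.0.0.0/0"),      net("192.168.1.10/32"), (0, 65535),    (443, 443), (6, 6),   "accept"),
    (net("172.16.0.0/12"),  net("0.0.0.0/0"),       (1024, 65535), (53, 53),   (17, 17), "accept"),
]
PM = PacketMap(RULES)

if __name__ == "__main__":
    print(PM.verify(addr("10.1.2.3"), addr("192.168.1.10"), 4444, 80, 6))
    print(PM.verify(addr("172.20.1.1"), addr("8.8.8.8"), 53, 53, 17))
```

    The /32 and /24 destination rules force the 192.168.0.0/16 block into a 65536-entry leaf while every other block stays a single integer; with thousands of rules spread across many /16s the leaves dominate, which is the kind of footprint a structure like this pays for its constant lookup time.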