Cross-domain privacy-preserving cooperative firewall optimization
Technology Used: Java
Firewalls are widely deployed on the Internet to secure private networks. A firewall checks each incoming or outgoing packet and decides whether to accept or discard it based on its policy. Optimizing firewall policies is crucial for improving network performance. Prior work on firewall optimization focuses on either intra-firewall or inter-firewall optimization within a single administrative domain, where the privacy of firewall policies is not a concern. This project is the first to consider inter-firewall optimization across administrative domains. The key technical challenge is that firewall policies cannot be shared across domains: a policy contains confidential information and potentially even security holes that an attacker could exploit. The project implements a cross-domain privacy-preserving cooperative firewall policy optimization protocol. Specifically, for any two adjacent firewalls belonging to two different administrative domains, the protocol identifies in each firewall the rules that can be removed because of the other firewall (for example, a downstream rule that only ever matches packets the upstream firewall has already discarded). The optimization is a cooperative computation between the two firewalls in which neither party discloses its policy to the other. The protocol adds no online packet-processing overhead, and the offline processing time is less than a few hundred seconds.
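As an added illustration, not code from the project above (which is written in Java and whose protocol is not described on this page), the following Python sketch shows the underlying inter-firewall redundancy check and one way to run it across a domain boundary without either side revealing its policy: each firewall encrypts packet identifiers under its own key with a commutative scheme, so equality can be tested on doubly encrypted values. The packet space (16 sources x 16 ports), both policies, the Pohlig-Hellman-style encryption over a Mersenne-prime modulus and the three-message layout are all assumptions made for this example; a deployable protocol would have to work on rule ranges rather than enumerate packets, since a 5-tuple space is 104 bits wide.

```python
"""Toy cross-domain check: which rules of a downstream firewall (FW2, domain B)
are redundant because an upstream firewall (FW1, domain A) already discards
every packet they would match first. Comparison runs on commutatively
encrypted packet identifiers, so neither side sends its policy in the clear.

Constructed example: packet space, both policies and the encryption scheme
are assumptions made for illustration, not the project's own code."""
import hashlib
import math
import secrets

# Toy packet space: (src, dport), 16 values each (assumption). A real
# protocol must work on rule ranges; enumerating 5-tuples is infeasible.
SRC_MAX, PORT_MAX = 16, 16
UNIVERSE = [(s, d) for s in range(SRC_MAX) for d in range(PORT_MAX)]

# Rule: (src_lo, src_hi, port_lo, port_hi, action); first match wins.
FW1_RULES = [  # upstream, domain A (constructed)
    (0, 3, 0, 15, "discard"),
    (0, 15, 0, 1, "discard"),
    (0, 15, 0, 15, "accept"),
]
FW2_RULES = [  # downstream, domain B (constructed)
    (0, 1, 0, 15, "discard"),   # only sees src 0-1: FW1 already drops them
    (4, 7, 0, 1, "accept"),     # only sees dport 0-1: FW1 already drops them
    (2, 5, 2, 9, "accept"),     # src 4-5 still reach it: not redundant
    (0, 15, 8, 15, "discard"),  # e.g. (6, 8) still reaches it: not redundant
    (0, 15, 0, 15, "accept"),   # catch-all
]

def first_match(rules, pkt):
    """Return (rule index, action) of the first rule matching pkt."""
    s, d = pkt
    for idx, (s_lo, s_hi, p_lo, p_hi, action) in enumerate(rules):
        if s_lo <= s <= s_hi and p_lo <= d <= p_hi:
            return idx, action
    raise ValueError("policy needs a catch-all rule")

def discarded_by(rules):
    return {p for p in UNIVERSE if first_match(rules, p)[1] == "discard"}

def first_matched_per_rule(rules):
    """buckets[i] = packets whose first match in `rules` is rule i."""
    buckets = [set() for _ in rules]
    for p in UNIVERSE:
        buckets[first_match(rules, p)[0]].add(p)
    return buckets

# Commutative encryption E_k(x) = x^k mod P (Pohlig-Hellman style), so that
# E_k1(E_k2(x)) == E_k2(E_k1(x)). P = M127 keeps the toy self-contained; a
# deployment should use a standard safe-prime group and a proper hash-to-group.
P = 2**127 - 1

def keygen():
    while True:
        k = secrets.randbelow(P - 1)
        if k > 1 and math.gcd(k, P - 1) == 1:   # keeps x -> x^k injective
            return k

def to_group(pkt):
    """Agreed public mapping from a packet identifier to a nonzero element."""
    h = int.from_bytes(hashlib.sha256(repr(pkt).encode()).digest(), "big") % P
    return h if h > 1 else 2   # avoid the fixed points 0 and 1

def enc(k, x):
    return pow(x, k, P)

def fw1_round1(k1, fw1_rules):
    """FW1 -> FW2: E_k1(h(p)) for each packet FW1 discards, shuffled."""
    msg = [enc(k1, to_group(p)) for p in discarded_by(fw1_rules)]
    secrets.SystemRandom().shuffle(msg)
    return msg

def fw2_round2(k2, fw2_rules, msg1):
    """FW2 -> FW1: E_k2(h(p)) for each packet FW2 handles, shuffled.
    FW2 keeps the double-encrypted FW1 set and its own permutation."""
    double_d1 = {enc(k2, x) for x in msg1}
    order = [(i, p) for i, b in enumerate(first_matched_per_rule(fw2_rules)) for p in b]
    secrets.SystemRandom().shuffle(order)
    msg2 = [enc(k2, to_group(p)) for _, p in order]
    return msg2, (double_d1, order)

def fw1_round3(k1, msg2):
    """FW1 -> FW2: the same list encrypted under k1, order preserved."""
    return [enc(k1, y) for y in msg2]

def fw2_decide(state, msg3, n_rules):
    """Rule i is removable iff every packet that first-matches it is in FW1's
    discard set. Rules no packet ever reaches are intra-firewall redundancies
    and are left to local optimization, so they are not reported here."""
    double_d1, order = state
    reached = [False] * n_rules
    covered = [True] * n_rules
    for (i, _), z in zip(order, msg3):
        reached[i] = True
        if z not in double_d1:
            covered[i] = False
    return [i for i in range(n_rules) if reached[i] and covered[i]]

def find_redundant_rules(fw1_rules, fw2_rules):
    """Run the three messages end to end; returns indices of removable FW2 rules."""
    k1, k2 = keygen(), keygen()
    msg1 = fw1_round1(k1, fw1_rules)
    msg2, state = fw2_round2(k2, fw2_rules, msg1)
    msg3 = fw1_round3(k1, msg2)
    return fw2_decide(state, msg3, len(fw2_rules))

if __name__ == "__main__":
    print("FW2 rules removable because of FW1:", find_redundant_rules(FW1_RULES, FW2_RULES))
```

With the constructed policies the exchange reports FW2 rules 0 and 1 as removable. Two caveats a practitioner should keep in mind: the whole computation happens offline, so, as the page claims for the real protocol, nothing is added to the per-packet path; and this toy leaks more than the per-rule answer, since FW2 learns for each individual packet whether FW1 discards it and also learns the size of FW1's discard set. Rules of FW1 that are redundant because of FW2 are found by running the same exchange with the roles swapped for the opposite traffic direction.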