Cross-Domain Privacy-Preserving Cooperative Firewall Optimization
ABSTRACT:
Firewalls have been widely deployed on the Internet for
securing private networks. A firewall checks each incoming or outgoing packet
to decide whether to accept or discard the packet based on its policy.
Optimizing firewall policies is crucial for improving network performance.
Prior work on firewall optimization focuses on either intrafirewall or
interfirewall optimization within one administrative domain where the privacy
of firewall policies is not a concern. This paper explores interfirewall
optimization across administrative domains for the first time. The key technical
challenge is that firewall policies cannot be shared across domains because a
firewall policy contains confidential information and even potential security
holes, which can be exploited by attackers. In this paper, we propose the first
cross-domain privacy-preserving cooperative firewall policy optimization
protocol. Specifically, for any two adjacent firewalls belonging to two
different administrative domains, our protocol can identify in each firewall
the rules that can be removed because of the other firewall. The optimization
process involves cooperative computation between the two firewalls without any
party disclosing its policy to the other. We implemented our protocol and
conducted extensive experiments. The results on real firewall policies show
that our protocol can remove as many as 49% of the rules in a firewall, whereas
the average is 19.4%. The communication cost is less than a few hundred
kilobytes. Our protocol incurs no extra online packet processing overhead, and
the offline processing time is less than a few hundred seconds.
ARCHITECTURE:

AIM:
To provide an innovative policy anomaly management framework for firewalls, adopting a rule-based segmentation technique to identify policy anomalies and derive effective anomaly resolutions.
SYNOPSIS:
A novel anomaly management framework for firewalls based on a rule-based segmentation technique to facilitate not only more accurate anomaly detection but also effective anomaly resolution. Based on this technique, the network packet space defined by a firewall policy can be divided into a set of disjoint packet space segments. Each segment is associated with a unique set of firewall rules and accurately indicates an overlap relation among those rules. We also introduce a flexible conflict resolution method to enable fine-grained conflict resolution with the help of several effective resolution strategies with respect to the risk assessment of protected networks and the intention of the policy definition.
EXISTING SYSTEM:
Prior work on firewall optimization focuses on either intrafirewall optimization, or interfirewall optimization within one administrative domain where the privacy of firewall policies is not a concern.
Firewall policy management is a challenging task due to the complexity and interdependency of policy rules. This is further exacerbated by the continuous evolution of network and system environments.
The process of configuring a firewall is tedious and error prone. Therefore, effective mechanisms and tools for policy management are crucial to the success of firewalls.
Existing policy analysis tools, such as Firewall Policy Advisor and FIREMAN, have been introduced with the goal of detecting policy anomalies. Firewall Policy Advisor only has the capability of detecting pairwise anomalies in firewall rules. FIREMAN can detect anomalies among multiple rules by analyzing the relationships between one rule and the collection of packet spaces derived from all preceding rules.
However, FIREMAN also has limitations in detecting anomalies. For each firewall rule, FIREMAN only examines all preceding rules but ignores all subsequent rules when performing anomaly analysis. In addition, each analysis result from FIREMAN can only show that there is a misconfiguration between one rule and its preceding rules, but cannot accurately indicate all rules involved in an anomaly.
DISADVANTAGES OF EXISTING SYSTEM:
PROPOSED SYSTEM:
In this paper, we present a novel anomaly management framework for firewalls based on a rule-based segmentation technique to facilitate not only more accurate anomaly detection but also effective anomaly resolution.
Based on this technique, the network packet space defined by a firewall policy can be divided into a set of disjoint packet space segments. Each segment is associated with a unique set of firewall rules and accurately indicates an overlap relation (either conflicting or redundant) among those rules.
We also introduce a flexible conflict resolution method to enable fine-grained conflict resolution with the help of several effective resolution strategies with respect to the risk assessment of protected networks and the intention of the policy definition.
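The segmentation described above, as an added worked example in Python that is not part of the paper or of this project (which lists Java as its front end): a constructed seven-rule policy over two fields (source address range and destination port) is cut into disjoint segments, each segment is labelled non-overlapping, redundant or conflicting from the actions of the rules matching it, and conflicting segments that share a rule are merged into correlation groups. The rule model, the choice of fields and the sample rules are assumptions made for the illustration.

```python
from dataclasses import dataclass
from itertools import product


# Hypothetical rule model (added example, not the paper's code): each rule
# matches a closed integer range of source addresses and destination ports.
@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple      # (lo, hi) inclusive source address range, as integers
    dport: tuple    # (lo, hi) inclusive destination port range
    action: str     # "accept" or "deny"


def _elementary_intervals(ranges):
    """Split an axis at every range edge so that each elementary interval
    lies entirely inside or entirely outside every rule's range."""
    pts = sorted({p for lo, hi in ranges for p in (lo, hi + 1)})
    return [(a, b - 1) for a, b in zip(pts, pts[1:])]


def _covers(rule, cell):
    (s_lo, s_hi), (p_lo, p_hi) = cell
    return (rule.src[0] <= s_lo and s_hi <= rule.src[1]
            and rule.dport[0] <= p_lo and p_hi <= rule.dport[1])


def segment_policy(rules):
    """Partition the packet space into disjoint segments.
    Returns {frozenset(names of rules matching the segment): [cells]}; the key
    is exactly the set of rules that overlap on that segment."""
    src_axis = _elementary_intervals([r.src for r in rules])
    port_axis = _elementary_intervals([r.dport for r in rules])
    segments = {}
    for cell in product(src_axis, port_axis):
        owners = frozenset(r.name for r in rules if _covers(r, cell))
        if owners:  # cells matched by no rule do not form a segment
            segments.setdefault(owners, []).append(cell)
    return segments


def classify_segments(segments, rules):
    """Label each segment: one rule is non-overlapping; several rules with the
    same action overlap redundantly; differing actions are a conflict."""
    action = {r.name: r.action for r in rules}
    kinds = {}
    for owners in segments:
        if len(owners) == 1:
            kinds[owners] = "non-overlapping"
        elif len({action[n] for n in owners}) == 1:
            kinds[owners] = "redundant"
        else:
            kinds[owners] = "conflicting"
    return kinds


def correlation_groups(conflicting_segments):
    """Group conflicting segments that share at least one rule (union-find on
    rule names); segments in different groups can be resolved independently."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for seg in conflicting_segments:
        names = list(seg)
        for n in names[1:]:
            parent[find(n)] = find(names[0])
    groups = {}
    for seg in conflicting_segments:
        groups.setdefault(find(next(iter(seg))), []).append(seg)
    return list(groups.values())


# Constructed sample policy, listed in policy order.
POLICY = [
    Rule("r1", (10, 20), (80, 80), "deny"),
    Rule("r2", (10, 30), (80, 80), "accept"),     # conflicts with r1 on 10-20
    Rule("r3", (15, 25), (443, 443), "accept"),
    Rule("r4", (15, 25), (443, 443), "accept"),   # identical to r3: redundant
    Rule("r5", (100, 200), (22, 22), "deny"),
    Rule("r6", (18, 22), (80, 80), "deny"),       # conflicts with r2 on 21-22
    Rule("r7", (100, 150), (22, 22), "accept"),   # conflicts with r5 on 100-150
]


def analyze(rules=POLICY):
    segs = segment_policy(rules)
    kinds = classify_segments(segs, rules)
    conflicting = [s for s, k in kinds.items() if k == "conflicting"]
    return segs, kinds, correlation_groups(conflicting)


if __name__ == "__main__":
    segs, kinds, groups = analyze()
    for owners, kind in kinds.items():
        print(sorted(owners), kind, segs[owners])
    print("correlation groups:", [[sorted(s) for s in g] for g in groups])
```

On the sample policy this yields seven segments: four conflicting, one redundant and two non-overlapping. The three conflicts around r1, r2 and r6 all share r2 and fall into one correlation group, while the r5/r7 conflict forms a second group and can be resolved on its own.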
ADVANTAGES OF PROPOSED SYSTEM:
In our framework for conflict detection and resolution, conflicting segments are identified in the first step. Each conflicting segment is associated with a policy conflict and a set of conflicting rules. The correlation relationships among conflicting segments are also identified, and conflict correlation groups are derived. Policy conflicts belonging to different conflict correlation groups can be resolved separately, so the search space for resolving conflicts is reduced by the correlation process.
MODULES:
· Correlation of Packet Space Segment
· Action Constraint Generation
· Rule Reordering
· Data Package
MODULES DESCRIPTION:
Correlation of Packet Space Segment:
The major benefit of generating correlation groups for the anomaly analysis is that anomalies can be examined within each group independently, because all correlation groups are independent of each other. In particular, the search space for reordering conflicting rules during conflict resolution can be significantly reduced, and the efficiency of resolving conflicts can be greatly improved.
Action Constraint Generation:
Once the conflicts in a firewall policy are discovered and the conflict correlation groups are identified, the risk assessment for the conflicts is performed. The risk levels of the conflicts are in turn used for both automated and manual strategy selection. The basic idea of automated strategy selection is that the risk level of a conflicting segment directly determines the expected action for the network packets in that segment. If the risk level is very high, the expected action should be to deny the packets, considering the protection of the network perimeter.
Rule Reordering:
The solution for conflict resolution is that all action constraints for the conflicting segments can be satisfied by reordering the conflicting rules. If the conflicting rules can be placed in an order that satisfies all action constraints, that order is the optimal solution for the conflict resolution.
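Action constraint generation and rule reordering, from the two module descriptions above, as an added Python example that is neither the paper's nor this project's code. The conflicting segments, their risk levels, the rule actions, the current rule order and the threshold are constructed; the choice that a segment at or above the threshold is expected to deny and one below it to accept is an assumption, and the greedy placement used for reordering is one simple way to satisfy the constraints under first-match semantics, not the method the paper describes.

```python
# Constructed inputs: rule actions, the current policy order, and a risk level
# (0-10) for each conflicting segment, keyed by the set of rules it involves.
RULES = {"r1": "deny", "r2": "accept", "r6": "deny"}
POLICY_ORDER = ["r2", "r1", "r6"]
SEGMENT_RISK = {
    frozenset({"r1", "r2"}): 8,
    frozenset({"r1", "r2", "r6"}): 7,
    frozenset({"r2", "r6"}): 2,
}


def action_constraints(segment_risk, threshold=5):
    """Automated strategy selection (assumed policy): a segment whose risk is
    at or above the threshold is expected to deny, a lower-risk one to accept."""
    return {seg: ("deny" if risk >= threshold else "accept")
            for seg, risk in segment_risk.items()}


def first_match_action(order, rules, segment):
    """First-match semantics: the action packets in `segment` receive under
    the given rule order."""
    for name in order:
        if name in segment:
            return rules[name]
    return None


def violated(order, rules, constraints):
    """Segments whose expected action is not what the order currently yields."""
    return [seg for seg, expected in constraints.items()
            if first_match_action(order, rules, seg) != expected]


def reorder(order, rules, constraints):
    """Greedy placement: a rule may be placed next only if, for every segment in
    which its action differs from the expected one, a rule carrying the expected
    action has already been placed ahead of it. Candidates are tried in the
    original order, so the policy is disturbed as little as possible. Returns
    None when no order can satisfy every constraint (manual resolution needed)."""
    placed, remaining = [], list(order)
    while remaining:
        for name in remaining:
            blocked = False
            for seg, expected in constraints.items():
                if name in seg and rules[name] != expected:
                    if not any(p in seg and rules[p] == expected for p in placed):
                        blocked = True
                        break
            if not blocked:
                placed.append(name)
                remaining.remove(name)
                break
        else:
            return None  # every remaining rule is blocked: unsatisfiable
    return placed


def resolve(order=POLICY_ORDER, rules=RULES, segment_risk=SEGMENT_RISK,
            threshold=5):
    """Derive the constraints, then return (new order, segments violated before)."""
    constraints = action_constraints(segment_risk, threshold)
    return reorder(order, rules, constraints), violated(order, rules, constraints)


if __name__ == "__main__":
    new_order, before = resolve()
    print("violated before:", [sorted(s) for s in before])
    print("reordered policy:", new_order)
```

With the constructed inputs the two high-risk segments are violated by the current order (r2 accepts first), and moving r1 ahead of r2 satisfies all three constraints. A set of constraints that demand contradictory orderings, for instance one segment requiring r1 before r2 and another requiring r2 before r1, makes `reorder` return None, which is the case the framework hands over to manual strategy selection.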
Data Package:
When the conflicts in a policy are resolved, the risk value of the resolved policy should be reduced and the availability of the protected network should be improved compared with the situation prior to conflict resolution. Based on the threshold value, data will then be received into the server.
SYSTEM CONFIGURATION:
H/W SYSTEM CONFIGURATION:
· Processor - Pentium III
· Speed - 1.1 GHz
· RAM - 256 MB (min)
· Hard Disk - 20 GB
· Floppy Drive - 1.44 MB
· Keyboard - Standard Windows Keyboard
· Mouse - Two or Three Button Mouse
· Monitor - SVGA
S/W SYSTEM CONFIGURATION:
· Operating System : Windows 95/98/2000/XP
· Front End : Java
REFERENCE:
Fei Chen, Bezawada Bruhadeshwar, and Alex X. Liu, "Cross-Domain Privacy-Preserving Cooperative Firewall Optimization", IEEE/ACM Transactions on Networking, Vol. 21, No. 3, June 2013.