SlideShare a Scribd company logo

Cross domain privacy-preserving cooperative firewall optimization

Download as DOCX, PDF
JPINFOTECH JAYAPRAKASH
JPINFOTECH JAYAPRAKASH

This document proposes a novel framework for cross-domain firewall policy optimization that preserves privacy. It involves cooperative computation between firewalls from different administrative domains to identify redundant rules without disclosing full policies. Evaluation on real firewall policies found the method could remove up to 49% of rules on average 19.4% with communication costs under a few hundred kilobytes and no online processing overhead.

EducationTechnology
1 of 9
Cross-Domain Privacy-Preserving Cooperative Firewall Optimization ABSTRACT: Firewalls have been widely deployed on the Internet for securing private networks. A firewall checks each incoming or outgoing packet to decide whether to accept or discard the packet based on its policy. Optimizing firewall policies is crucial for improving network performance. Prior work on firewall optimization focuses on either intrafirewall or interfirewall optimization within one administrative domain where the privacy of firewall policies is not a concern. This paper explores interfirewall optimization across administrative domains for the first time. The key technical challenge is that firewall policies cannot be shared across domains because a firewall policy contains confidential information and even potential security holes, which can be exploited by attackers. In this paper, we propose the first cross-domain privacy-preserving cooperative firewall policy optimization protocol. Specifically, for any two adjacent firewalls belonging to two different administrative domains, our protocol can identify in each firewall the rules that can be removed because of the other firewall. The optimization process involves cooperative computation between the two firewalls without any party disclosing its policy to the other. We implemented our protocol and conducted extensive experiments. The results on real firewall policies show that our protocol can remove as many as 49% of the rules in a firewall, whereas the average is 19.4%.
The communication cost is less than a few hundred kilobytes. Our protocol incurs no extra online packet processing overhead, and the offline processing time is less than a few hundred seconds. ARCHITECTURE: AIM: To provide an innovative policy anomaly management framework for firewalls, adopting a rule-based segmentation technique to identify policy anomalies and derive effective anomaly resolutions.
SYNOPSIS: A novel anomaly management framework for firewalls based on a rule-based segmentation technique to facilitate not only more accurate anomaly detection but also effective anomaly resolution. Based on this technique, a network packet space defined by a firewall policy can be divided into a set of disjoint packet space segments. Each segment associated with a unique set of firewall rules accurately indicates an overlap relation among those rules. We also introduce a flexible conflict resolution method to enable a fine grained conflict resolution with the help of several effective resolution strategies with respect to the risk assessment of protected networks and the intention of policy definition. EXISTING SYSTEM: Prior work on firewall optimization focuses on either intrafirewall optimization, or interfirewall optimization within one administrative domain where the privacy of firewall policies is not a concern. Firewall policy management is a challenging task due to the complexity and interdependency of policy rules. This is further exacerbated by the continuous evolution of network and system environments.
The process of configuring a firewall is tedious and error prone. Therefore, effective mechanisms and tools for policy management are crucial to the success of firewalls. Existing policy analysis tools, such as Firewall Policy Advisor and FIREMAN, with the goal of detecting policy anomalies have been introduced. Firewall Policy Advisor only has the capability of detecting pair wise anomalies in firewall rules. FIREMAN can detect anomalies among multiple rules by analyzing the relationships between one rule and the collections of packet spaces derived from all preceding rules. However, FIREMAN also has limitations in detecting anomalies. For each firewall rule, FIREMAN only examines all preceding rules but ignores all subsequent rules when performing anomaly analysis. In addition, each analysis result from FIREMAN can only show that there is a misconfiguration between one rule and its preceding rules, but cannot accurately indicate all rules involved in an anomaly. DISADVANTAGES OF EXISTING SYSTEM: The number of rules in a firewall significantly affects its throughput. Fireman can detect anomalies among multiple rules by analyzing the relationships between one rule and the collections of packet spaces derived
from all preceding rules. For each firewall rule, FIREMAN only examines all preceding rules but ignores all subsequent rules when performing anomaly analysis. PROPOSED SYSTEM: In this paper, we represent a novel anomaly management framework for firewalls based on a rule-based segmentation technique to facilitate not only more accurate anomaly detection but also effective anomaly resolution. Based on this technique, a network packet space defined by a firewall policy can be divided into a set of disjoint packet space segments. Each segment associated with a unique set of firewall rules accurately indicates an overlap relation (either conflicting or redundant) among those rules. We also introduce a flexible conflict resolution method to enable a fine-grained conflict resolution with the help of several effective resolution strategies with respect to the risk assessment of protected networks and the intention of policy definition.
ADVANTAGES OF PROPOSED SYSTEM: In our framework conflict detection and resolution, conflicting segments are identified in the first step. Each conflicting segment associates with a policy conflict and a set of conflicting rules. Also, the correlation relationships among conflicting segments are identified and conflict correlation groups are derived. Policy conflicts belonging to different conflict correlation groups can be resolved separately, thus the searching space for resolving conflicts is reduced by the correlation process. MODULES: Correlation of Packet Space Segment Action Constraint Generation Rule Reordering Data Package
MODULES DESCRIPTION: Correlation of Packet Space Segment: The major benefit of generating correlation groups for the anomaly analysis is that anomalies can be examined within each group independently, because all correlation groups are independent of each other. Especially, the searching space for reordering conflicting rules in conflict resolution can be significantly lessened and the efficiency of resolving conflicts can be greatly improved. Action Constraint Generation: In a firewall policy are discovered and conflict correlation groups are identified, the risk assessment for conflicts is performed. The risk levels of conflicts are in turn utilized for both automated and manual strategy selections. A basic idea of automated strategy selection is that a risk level of a conflicting segment is used to directly determine the expected action taken for the network packets in the conflicting segment. If the risk level is very high, the expected action should deny packets considering the protection of network perimeters Rule Reordering: The solution for conflict resolution is that all action constraints for conflicting segments can be satisfied by reordering conflicting rules. In conflicting rules in
order that satisfies all action constraints, this order must be the optimal solution for the conflict resolution. Data Package: When conflicts in a policy are resolved, the risk value of the resolved policy should be reduced and the availability of protected network should be improved comparing with the situation prior to conflict resolution based on the threshold value data will be received in to the server. SYSTEM CONFIGURATION:- H/W SYSTEM CONFIGURATION:-  Processor -Pentium –III  Speed - 1.1 Ghz  RAM - 256 MB(min)  Hard Disk - 20 GB  Floppy Drive - 1.44 MB  Key Board - Standard Windows Keyboard
 Mouse - Two or Three Button Mouse  Monitor - SVGA S/W System Configuration:-  Operating System : Windows95/98/2000/XP  Front End : Java REFERENCE: Fei Chen, Bezawada Bruhadeshwar, and Alex X. Liu, “Cross-Domain Privacy- Preserving Cooperative Firewall Optimization”, IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 21, NO. 3, JUNE 2013

Recommended

An Effective Policy Anomaly Management Framework for Firewalls
An Effective Policy Anomaly Management Framework for FirewallsAn Effective Policy Anomaly Management Framework for Firewalls
An Effective Policy Anomaly Management Framework for Firewalls
IJMER
 
Auto Finding and Resolving Distributed Firewall Policy
Auto Finding and Resolving Distributed Firewall PolicyAuto Finding and Resolving Distributed Firewall Policy
Auto Finding and Resolving Distributed Firewall Policy
IOSR Journals
 
A Novel Management Framework for Policy Anomaly in Firewall
A Novel Management Framework for Policy Anomaly in FirewallA Novel Management Framework for Policy Anomaly in Firewall
A Novel Management Framework for Policy Anomaly in Firewall
ijsrd.com
 
Ch10 Firewall it-slideshares.blogspot.com
Ch10 Firewall it-slideshares.blogspot.comCh10 Firewall it-slideshares.blogspot.com
Ch10 Firewall it-slideshares.blogspot.com
phanleson
 
SURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENT
SURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENTSURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENT
SURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENT
ijsrd.com
 
Firewall
FirewallFirewall
Firewall
Nishant Pahad
 
Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...
eSAT Publishing House
 
A secure scheme against power exhausting attacks in hierarchical wireless sen...
A secure scheme against power exhausting attacks in hierarchical wireless sen...A secure scheme against power exhausting attacks in hierarchical wireless sen...
A secure scheme against power exhausting attacks in hierarchical wireless sen...
Nexgen Technology
 

Recommended

An Effective Policy Anomaly Management Framework for Firewalls
An Effective Policy Anomaly Management Framework for FirewallsAn Effective Policy Anomaly Management Framework for Firewalls
An Effective Policy Anomaly Management Framework for Firewalls
IJMER
 
Auto Finding and Resolving Distributed Firewall Policy
Auto Finding and Resolving Distributed Firewall PolicyAuto Finding and Resolving Distributed Firewall Policy
Auto Finding and Resolving Distributed Firewall Policy
IOSR Journals
 
A Novel Management Framework for Policy Anomaly in Firewall
A Novel Management Framework for Policy Anomaly in FirewallA Novel Management Framework for Policy Anomaly in Firewall
A Novel Management Framework for Policy Anomaly in Firewall
ijsrd.com
 
Ch10 Firewall it-slideshares.blogspot.com
Ch10 Firewall it-slideshares.blogspot.comCh10 Firewall it-slideshares.blogspot.com
Ch10 Firewall it-slideshares.blogspot.com
phanleson
 
SURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENT
SURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENTSURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENT
SURVEY ON COOPERATIVE FIREWALL ANOMALY DETECTION AND REDUNDANCY MANAGEMENT
ijsrd.com
 
Firewall
FirewallFirewall
Firewall
Nishant Pahad
 
Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...
eSAT Publishing House
 
A secure scheme against power exhausting attacks in hierarchical wireless sen...
A secure scheme against power exhausting attacks in hierarchical wireless sen...A secure scheme against power exhausting attacks in hierarchical wireless sen...
A secure scheme against power exhausting attacks in hierarchical wireless sen...
Nexgen Technology
 
Secure encounter based mobile social networks requirements, designs, and trad...
Secure encounter based mobile social networks requirements, designs, and trad...Secure encounter based mobile social networks requirements, designs, and trad...
Secure encounter based mobile social networks requirements, designs, and trad...
JPINFOTECH JAYAPRAKASH
 
A highly scalable key pre distribution scheme for wireless sensor networks
A highly scalable key pre distribution scheme for wireless sensor networksA highly scalable key pre distribution scheme for wireless sensor networks
A highly scalable key pre distribution scheme for wireless sensor networks
JPINFOTECH JAYAPRAKASH
 
Privacy preserving data sharing with anonymous id assignment
Privacy preserving data sharing with anonymous id assignmentPrivacy preserving data sharing with anonymous id assignment
Privacy preserving data sharing with anonymous id assignment
JPINFOTECH JAYAPRAKASH
 
Scalable and secure sharing of personal health records in cloud computing usi...
Scalable and secure sharing of personal health records in cloud computing usi...Scalable and secure sharing of personal health records in cloud computing usi...
Scalable and secure sharing of personal health records in cloud computing usi...
JPINFOTECH JAYAPRAKASH
 
Beyond text qa multimedia answer generation by harvesting web information
Beyond text qa multimedia answer generation by harvesting web informationBeyond text qa multimedia answer generation by harvesting web information
Beyond text qa multimedia answer generation by harvesting web information
JPINFOTECH JAYAPRAKASH
 
Attribute aware data aggregation using potential-based dynamic routing n wire...
Attribute aware data aggregation using potential-based dynamic routing n wire...Attribute aware data aggregation using potential-based dynamic routing n wire...
Attribute aware data aggregation using potential-based dynamic routing n wire...
JPINFOTECH JAYAPRAKASH
 
Dynamic audit services for outsourced storages in clouds
Dynamic audit services for outsourced storages in cloudsDynamic audit services for outsourced storages in clouds
Dynamic audit services for outsourced storages in clouds
JPINFOTECH JAYAPRAKASH
 
Pmse a personalized mobile search engine
Pmse a personalized mobile search enginePmse a personalized mobile search engine
Pmse a personalized mobile search engine
JPINFOTECH JAYAPRAKASH
 
Cooperative packet delivery in hybrid wireless mobile networks a coalitional ...
Cooperative packet delivery in hybrid wireless mobile networks a coalitional ...Cooperative packet delivery in hybrid wireless mobile networks a coalitional ...
Cooperative packet delivery in hybrid wireless mobile networks a coalitional ...
JPINFOTECH JAYAPRAKASH
 
Anonymization of centralized and distributed social networks by sequential cl...
Anonymization of centralized and distributed social networks by sequential cl...Anonymization of centralized and distributed social networks by sequential cl...
Anonymization of centralized and distributed social networks by sequential cl...
JPINFOTECH JAYAPRAKASH
 
Distributed processing of probabilistic top k queries in wireless sensor netw...
Distributed processing of probabilistic top k queries in wireless sensor netw...Distributed processing of probabilistic top k queries in wireless sensor netw...
Distributed processing of probabilistic top k queries in wireless sensor netw...
JPINFOTECH JAYAPRAKASH
 
Sort a self o rganizing trust model for peer-to-peer systems
Sort a self o rganizing trust model for peer-to-peer systemsSort a self o rganizing trust model for peer-to-peer systems
Sort a self o rganizing trust model for peer-to-peer systems
JPINFOTECH JAYAPRAKASH
 
Efficient rekeying framework for secure multicast with diverse subscription-p...
Efficient rekeying framework for secure multicast with diverse subscription-p...Efficient rekeying framework for secure multicast with diverse subscription-p...
Efficient rekeying framework for secure multicast with diverse subscription-p...
JPINFOTECH JAYAPRAKASH
 
Attribute based encryption with verifiable outsourced decryption
Attribute based encryption with verifiable outsourced decryptionAttribute based encryption with verifiable outsourced decryption
Attribute based encryption with verifiable outsourced decryption
JPINFOTECH JAYAPRAKASH
 
Scalable and secure sharing of personal health records in cloud computing usi...
Scalable and secure sharing of personal health records in cloud computing usi...Scalable and secure sharing of personal health records in cloud computing usi...
Scalable and secure sharing of personal health records in cloud computing usi...
JPINFOTECH JAYAPRAKASH
 
Cost based optimization of service compositions
Cost based optimization of service compositionsCost based optimization of service compositions
Cost based optimization of service compositions
JPINFOTECH JAYAPRAKASH
 
Two tales of privacy in online social networks
Two tales of privacy in online social networksTwo tales of privacy in online social networks
Two tales of privacy in online social networks
JPINFOTECH JAYAPRAKASH
 
Adaptive position update for geographic routing in mobile ad hoc networks
Adaptive position update for geographic routing in mobile ad hoc networksAdaptive position update for geographic routing in mobile ad hoc networks
Adaptive position update for geographic routing in mobile ad hoc networks
JPINFOTECH JAYAPRAKASH
 
Interfirewall optimization across various administrative domain for enabling ...
Interfirewall optimization across various administrative domain for enabling ...Interfirewall optimization across various administrative domain for enabling ...
Interfirewall optimization across various administrative domain for enabling ...
Editor IJMTER
 
Dp4301696701
Dp4301696701Dp4301696701
Dp4301696701
IJERA Editor
 
Traffic aware dynamic
Traffic aware dynamicTraffic aware dynamic
Traffic aware dynamic
Justin Cletus
 
Cross-Domain Privacy-Preserving Cooperative Firewall Optimization
Cross-Domain Privacy-Preserving Cooperative Firewall OptimizationCross-Domain Privacy-Preserving Cooperative Firewall Optimization
Cross-Domain Privacy-Preserving Cooperative Firewall Optimization
Venkatavarma Vegiraju
 

More Related Content

Viewers also liked

Viewers also liked (18)

Secure encounter based mobile social networks requirements, designs, and trad...
Secure encounter based mobile social networks requirements, designs, and trad...Secure encounter based mobile social networks requirements, designs, and trad...
Secure encounter based mobile social networks requirements, designs, and trad...
 
A highly scalable key pre distribution scheme for wireless sensor networks
A highly scalable key pre distribution scheme for wireless sensor networksA highly scalable key pre distribution scheme for wireless sensor networks
A highly scalable key pre distribution scheme for wireless sensor networks
 
Privacy preserving data sharing with anonymous id assignment
Privacy preserving data sharing with anonymous id assignmentPrivacy preserving data sharing with anonymous id assignment
Privacy preserving data sharing with anonymous id assignment
 
Scalable and secure sharing of personal health records in cloud computing usi...
Scalable and secure sharing of personal health records in cloud computing usi...Scalable and secure sharing of personal health records in cloud computing usi...
Scalable and secure sharing of personal health records in cloud computing usi...
 
Beyond text qa multimedia answer generation by harvesting web information
Beyond text qa multimedia answer generation by harvesting web informationBeyond text qa multimedia answer generation by harvesting web information
Beyond text qa multimedia answer generation by harvesting web information
 
Attribute aware data aggregation using potential-based dynamic routing n wire...
Attribute aware data aggregation using potential-based dynamic routing n wire...Attribute aware data aggregation using potential-based dynamic routing n wire...
Attribute aware data aggregation using potential-based dynamic routing n wire...
 
Dynamic audit services for outsourced storages in clouds
Dynamic audit services for outsourced storages in cloudsDynamic audit services for outsourced storages in clouds
Dynamic audit services for outsourced storages in clouds
 
Pmse a personalized mobile search engine
Pmse a personalized mobile search enginePmse a personalized mobile search engine
Pmse a personalized mobile search engine
 
Cooperative packet delivery in hybrid wireless mobile networks a coalitional ...
Cooperative packet delivery in hybrid wireless mobile networks a coalitional ...Cooperative packet delivery in hybrid wireless mobile networks a coalitional ...
Cooperative packet delivery in hybrid wireless mobile networks a coalitional ...
 
Anonymization of centralized and distributed social networks by sequential cl...
Anonymization of centralized and distributed social networks by sequential cl...Anonymization of centralized and distributed social networks by sequential cl...
Anonymization of centralized and distributed social networks by sequential cl...
 
Distributed processing of probabilistic top k queries in wireless sensor netw...
Distributed processing of probabilistic top k queries in wireless sensor netw...Distributed processing of probabilistic top k queries in wireless sensor netw...
Distributed processing of probabilistic top k queries in wireless sensor netw...
 
Sort a self o rganizing trust model for peer-to-peer systems
Sort a self o rganizing trust model for peer-to-peer systemsSort a self o rganizing trust model for peer-to-peer systems
Sort a self o rganizing trust model for peer-to-peer systems
 
Efficient rekeying framework for secure multicast with diverse subscription-p...
Efficient rekeying framework for secure multicast with diverse subscription-p...Efficient rekeying framework for secure multicast with diverse subscription-p...
Efficient rekeying framework for secure multicast with diverse subscription-p...
 
Attribute based encryption with verifiable outsourced decryption
Attribute based encryption with verifiable outsourced decryptionAttribute based encryption with verifiable outsourced decryption
Attribute based encryption with verifiable outsourced decryption
 
Scalable and secure sharing of personal health records in cloud computing usi...
Scalable and secure sharing of personal health records in cloud computing usi...Scalable and secure sharing of personal health records in cloud computing usi...
Scalable and secure sharing of personal health records in cloud computing usi...
 
Cost based optimization of service compositions
Cost based optimization of service compositionsCost based optimization of service compositions
Cost based optimization of service compositions
 
Two tales of privacy in online social networks
Two tales of privacy in online social networksTwo tales of privacy in online social networks
Two tales of privacy in online social networks
 
Adaptive position update for geographic routing in mobile ad hoc networks
Adaptive position update for geographic routing in mobile ad hoc networksAdaptive position update for geographic routing in mobile ad hoc networks
Adaptive position update for geographic routing in mobile ad hoc networks
 

Similar to Cross domain privacy-preserving cooperative firewall optimization

Interfirewall optimization across various administrative domain for enabling ...
Interfirewall optimization across various administrative domain for enabling ...Interfirewall optimization across various administrative domain for enabling ...
Interfirewall optimization across various administrative domain for enabling ...
Editor IJMTER
 
Cross-Domain Privacy-Preserving Cooperative Firewall Optimization
Cross-Domain Privacy-Preserving Cooperative Firewall OptimizationCross-Domain Privacy-Preserving Cooperative Firewall Optimization
Cross-Domain Privacy-Preserving Cooperative Firewall Optimization
Venkatavarma Vegiraju
 
Review on redundancy removal of rules for optimizing firewall
Review on redundancy removal of rules for optimizing firewallReview on redundancy removal of rules for optimizing firewall
Review on redundancy removal of rules for optimizing firewall
eSAT Publishing House
 
Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...
eSAT Journals
 
Untitled document(2).pdf
Untitled document(2).pdfUntitled document(2).pdf
Untitled document(2).pdf
hadaf44
 
Ijirsm bhargavi-ka-robust-distributed-security-using-stateful-csg-based-distr...
Ijirsm bhargavi-ka-robust-distributed-security-using-stateful-csg-based-distr...Ijirsm bhargavi-ka-robust-distributed-security-using-stateful-csg-based-distr...
Ijirsm bhargavi-ka-robust-distributed-security-using-stateful-csg-based-distr...
IJIR JOURNALS IJIRUSA
 

Similar to Cross domain privacy-preserving cooperative firewall optimization (20)

Interfirewall optimization across various administrative domain for enabling ...
Interfirewall optimization across various administrative domain for enabling ...Interfirewall optimization across various administrative domain for enabling ...
Interfirewall optimization across various administrative domain for enabling ...
 
Dp4301696701
Dp4301696701Dp4301696701
Dp4301696701
 
Traffic aware dynamic
Traffic aware dynamicTraffic aware dynamic
Traffic aware dynamic
 
Cross-Domain Privacy-Preserving Cooperative Firewall Optimization
Cross-Domain Privacy-Preserving Cooperative Firewall OptimizationCross-Domain Privacy-Preserving Cooperative Firewall Optimization
Cross-Domain Privacy-Preserving Cooperative Firewall Optimization
 
Review on redundancy removal of rules for optimizing firewall
Review on redundancy removal of rules for optimizing firewallReview on redundancy removal of rules for optimizing firewall
Review on redundancy removal of rules for optimizing firewall
 
Using Data Mining for Discovering Anomalies from Firewall Logs: a Comprehensi...
Using Data Mining for Discovering Anomalies from Firewall Logs: a Comprehensi...Using Data Mining for Discovering Anomalies from Firewall Logs: a Comprehensi...
Using Data Mining for Discovering Anomalies from Firewall Logs: a Comprehensi...
 
Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...Redundancy removal of rules with reordering them to increase the firewall opt...
Redundancy removal of rules with reordering them to increase the firewall opt...
 
Untitled document(2).pdf
Untitled document(2).pdfUntitled document(2).pdf
Untitled document(2).pdf
 
IRJET- Data Security in Local Network through Distributed Firewalls: A Review
IRJET- Data Security in Local Network through Distributed Firewalls: A ReviewIRJET- Data Security in Local Network through Distributed Firewalls: A Review
IRJET- Data Security in Local Network through Distributed Firewalls: A Review
 
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...
 
A Combination of the Intrusion Detection System and the Open-source Firewall ...
A Combination of the Intrusion Detection System and the Open-source Firewall ...A Combination of the Intrusion Detection System and the Open-source Firewall ...
A Combination of the Intrusion Detection System and the Open-source Firewall ...
 
Firewall
FirewallFirewall
Firewall
 
FIREWALLS BY SAIKIRAN PANJALA
FIREWALLS BY SAIKIRAN PANJALAFIREWALLS BY SAIKIRAN PANJALA
FIREWALLS BY SAIKIRAN PANJALA
 
A Complete Guide To Firewall How To Build A Secure Networking System.pptx
A Complete Guide To Firewall How To Build A Secure Networking System.pptxA Complete Guide To Firewall How To Build A Secure Networking System.pptx
A Complete Guide To Firewall How To Build A Secure Networking System.pptx
 
Firewall
FirewallFirewall
Firewall
 
IRJET- SDN Simulation in Mininet to Provide Security Via Firewall
IRJET- SDN Simulation in Mininet to Provide Security Via FirewallIRJET- SDN Simulation in Mininet to Provide Security Via Firewall
IRJET- SDN Simulation in Mininet to Provide Security Via Firewall
 
Ijirsm bhargavi-ka-robust-distributed-security-using-stateful-csg-based-distr...
Ijirsm bhargavi-ka-robust-distributed-security-using-stateful-csg-based-distr...Ijirsm bhargavi-ka-robust-distributed-security-using-stateful-csg-based-distr...
Ijirsm bhargavi-ka-robust-distributed-security-using-stateful-csg-based-distr...
 
secure mining of association rules in horizontally distributed databases
secure mining of association rules in horizontally distributed databasessecure mining of association rules in horizontally distributed databases
secure mining of association rules in horizontally distributed databases
 
Networking for java and dotnet 2016 - 17
Networking for java and dotnet 2016 - 17Networking for java and dotnet 2016 - 17
Networking for java and dotnet 2016 - 17
 
42
4242
42
 

Recently uploaded

Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
EADTU
 

Recently uploaded (20)

Our Environment Class 10 Science Notes pdf
Our Environment Class 10 Science Notes pdfOur Environment Class 10 Science Notes pdf
Our Environment Class 10 Science Notes pdf
 
FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
What is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptxWhat is 3 Way Matching Process in Odoo 17.pptx
What is 3 Way Matching Process in Odoo 17.pptx
 
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
80 ĐỀ THI THỬ TUYỂN SINH TIẾNG ANH VÀO 10 SỞ GD – ĐT THÀNH PHỐ HỒ CHÍ MINH NĂ...
 
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdfUGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
UGC NET Paper 1 Unit 7 DATA INTERPRETATION.pdf
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17How to Add New Custom Addons Path in Odoo 17
How to Add New Custom Addons Path in Odoo 17
 
Play hard learn harder: The Serious Business of Play
Play hard learn harder: The Serious Business of PlayPlay hard learn harder: The Serious Business of Play
Play hard learn harder: The Serious Business of Play
 
Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111Details on CBSE Compartment Exam.pptx1111
Details on CBSE Compartment Exam.pptx1111
 
How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17How to Add a Tool Tip to a Field in Odoo 17
How to Add a Tool Tip to a Field in Odoo 17
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Simple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdfSimple, Complex, and Compound Sentences Exercises.pdf
Simple, Complex, and Compound Sentences Exercises.pdf
 
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
Transparency, Recognition and the role of eSealing - Ildiko Mazar and Koen No...
 
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
Sensory_Experience_and_Emotional_Resonance_in_Gabriel_Okaras_The_Piano_and_Th...
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17How to Manage Call for Tendor in Odoo 17
How to Manage Call for Tendor in Odoo 17
 
AIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.pptAIM of Education-Teachers Training-2024.ppt
AIM of Education-Teachers Training-2024.ppt
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 

Cross domain privacy-preserving cooperative firewall optimization

  • 1. Cross-Domain Privacy-Preserving Cooperative Firewall Optimization ABSTRACT: Firewalls have been widely deployed on the Internet for securing private networks. A firewall checks each incoming or outgoing packet to decide whether to accept or discard the packet based on its policy. Optimizing firewall policies is crucial for improving network performance. Prior work on firewall optimization focuses on either intrafirewall or interfirewall optimization within one administrative domain where the privacy of firewall policies is not a concern. This paper explores interfirewall optimization across administrative domains for the first time. The key technical challenge is that firewall policies cannot be shared across domains because a firewall policy contains confidential information and even potential security holes, which can be exploited by attackers. In this paper, we propose the first cross-domain privacy-preserving cooperative firewall policy optimization protocol. Specifically, for any two adjacent firewalls belonging to two different administrative domains, our protocol can identify in each firewall the rules that can be removed because of the other firewall. The optimization process involves cooperative computation between the two firewalls without any party disclosing its policy to the other. We implemented our protocol and conducted extensive experiments. The results on real firewall policies show that our protocol can remove as many as 49% of the rules in a firewall, whereas the average is 19.4%.
  • 2. The communication cost is less than a few hundred kilobytes. Our protocol incurs no extra online packet processing overhead, and the offline processing time is less than a few hundred seconds. ARCHITECTURE: AIM: To provide an innovative policy anomaly management framework for firewalls, adopting a rule-based segmentation technique to identify policy anomalies and derive effective anomaly resolutions.
  • 3. SYNOPSIS: A novel anomaly management framework for firewalls based on a rule-based segmentation technique to facilitate not only more accurate anomaly detection but also effective anomaly resolution. Based on this technique, a network packet space defined by a firewall policy can be divided into a set of disjoint packet space segments. Each segment associated with a unique set of firewall rules accurately indicates an overlap relation among those rules. We also introduce a flexible conflict resolution method to enable a fine grained conflict resolution with the help of several effective resolution strategies with respect to the risk assessment of protected networks and the intention of policy definition. EXISTING SYSTEM: Prior work on firewall optimization focuses on either intrafirewall optimization, or interfirewall optimization within one administrative domain where the privacy of firewall policies is not a concern. Firewall policy management is a challenging task due to the complexity and interdependency of policy rules. This is further exacerbated by the continuous evolution of network and system environments.
  • 4. The process of configuring a firewall is tedious and error prone. Therefore, effective mechanisms and tools for policy management are crucial to the success of firewalls. Existing policy analysis tools, such as Firewall Policy Advisor and FIREMAN, with the goal of detecting policy anomalies have been introduced. Firewall Policy Advisor only has the capability of detecting pair wise anomalies in firewall rules. FIREMAN can detect anomalies among multiple rules by analyzing the relationships between one rule and the collections of packet spaces derived from all preceding rules. However, FIREMAN also has limitations in detecting anomalies. For each firewall rule, FIREMAN only examines all preceding rules but ignores all subsequent rules when performing anomaly analysis. In addition, each analysis result from FIREMAN can only show that there is a misconfiguration between one rule and its preceding rules, but cannot accurately indicate all rules involved in an anomaly. DISADVANTAGES OF EXISTING SYSTEM: The number of rules in a firewall significantly affects its throughput. Fireman can detect anomalies among multiple rules by analyzing the relationships between one rule and the collections of packet spaces derived
  • 5. from all preceding rules. For each firewall rule, FIREMAN only examines all preceding rules but ignores all subsequent rules when performing anomaly analysis. PROPOSED SYSTEM: In this paper, we represent a novel anomaly management framework for firewalls based on a rule-based segmentation technique to facilitate not only more accurate anomaly detection but also effective anomaly resolution. Based on this technique, a network packet space defined by a firewall policy can be divided into a set of disjoint packet space segments. Each segment associated with a unique set of firewall rules accurately indicates an overlap relation (either conflicting or redundant) among those rules. We also introduce a flexible conflict resolution method to enable a fine-grained conflict resolution with the help of several effective resolution strategies with respect to the risk assessment of protected networks and the intention of policy definition.
  • 6. ADVANTAGES OF PROPOSED SYSTEM: In our framework conflict detection and resolution, conflicting segments are identified in the first step. Each conflicting segment associates with a policy conflict and a set of conflicting rules. Also, the correlation relationships among conflicting segments are identified and conflict correlation groups are derived. Policy conflicts belonging to different conflict correlation groups can be resolved separately, thus the searching space for resolving conflicts is reduced by the correlation process. MODULES: Correlation of Packet Space Segment Action Constraint Generation Rule Reordering Data Package
  • 7. MODULES DESCRIPTION: Correlation of Packet Space Segment: The major benefit of generating correlation groups for the anomaly analysis is that anomalies can be examined within each group independently, because all correlation groups are independent of each other. Especially, the searching space for reordering conflicting rules in conflict resolution can be significantly lessened and the efficiency of resolving conflicts can be greatly improved. Action Constraint Generation: In a firewall policy are discovered and conflict correlation groups are identified, the risk assessment for conflicts is performed. The risk levels of conflicts are in turn utilized for both automated and manual strategy selections. A basic idea of automated strategy selection is that a risk level of a conflicting segment is used to directly determine the expected action taken for the network packets in the conflicting segment. If the risk level is very high, the expected action should deny packets considering the protection of network perimeters Rule Reordering: The solution for conflict resolution is that all action constraints for conflicting segments can be satisfied by reordering conflicting rules. In conflicting rules in
  • 8. order that satisfies all action constraints, this order must be the optimal solution for the conflict resolution. Data Package: When conflicts in a policy are resolved, the risk value of the resolved policy should be reduced and the availability of protected network should be improved comparing with the situation prior to conflict resolution based on the threshold value data will be received in to the server. SYSTEM CONFIGURATION:- H/W SYSTEM CONFIGURATION:-  Processor -Pentium –III  Speed - 1.1 Ghz  RAM - 256 MB(min)  Hard Disk - 20 GB  Floppy Drive - 1.44 MB  Key Board - Standard Windows Keyboard
  • 9.  Mouse - Two or Three Button Mouse  Monitor - SVGA S/W System Configuration:-  Operating System : Windows95/98/2000/XP  Front End : Java REFERENCE: Fei Chen, Bezawada Bruhadeshwar, and Alex X. Liu, “Cross-Domain Privacy- Preserving Cooperative Firewall Optimization”, IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 21, NO. 3, JUNE 2013