Cross-Domain
Privacy-Preserving Cooperative
Firewall Optimization
ABSTRACT:
Firewalls have been widely
deployed on the Internet for securing private networks. A firewall checks each
incoming or outgoing packet to decide whether to accept or discard the packet based
on its policy. Optimizing firewall policies is crucial for improving network
performance. Prior work on firewall optimization focuses on either
intrafirewall or interfirewall optimization within one administrative domain
where the privacy of firewall policies is not a concern. This paper explores
interfirewall optimization across administrative domains for the first time.
The key technical challenge is that firewall policies cannot be shared across domains
because a firewall policy contains confidential information and even potential
security holes, which can be exploited by attackers. In this paper, we propose
the first cross-domain privacy-preserving cooperative firewall policy
optimization protocol. Specifically, for any two adjacent firewalls belonging
to two different administrative domains, our protocol can identify in each firewall
the rules that can be removed because of the other firewall. The optimization
process involves cooperative computation between the two firewalls without any
party disclosing its policy to the other. We implemented our protocol and
conducted extensive experiments. The results on real firewall policies show
that our protocol can remove as many as 49% of the rules in a firewall, whereas
the average is 19.4%. The communication cost is less than a few hundred
kilobytes. Our protocol incurs no extra online packet processing overhead, and
the offline processing time is less than a few hundred seconds.
ARCHITECTURE:
AIM:
To
provide an innovative policy anomaly management framework for firewalls,
adopting a rule-based segmentation technique to identify policy anomalies and
derive effective anomaly resolutions.
SYNOPSIS:
A
novel anomaly management framework for firewalls based on a rule-based
segmentation technique to facilitate not only more accurate anomaly detection
but also effective anomaly resolution. Based on this technique, a network
packet space defined by a firewall policy can be divided into a set of disjoint
packet space segments. Each segment associated with a unique set of firewall
rules accurately indicates an overlap relation among those rules. We also
introduce a flexible conflict resolution method to enable a fine grained
conflict resolution with the help of several effective resolution strategies
with respect to the risk assessment of protected networks and the intention of
policy definition.
EXISTING
SYSTEM:
Prior work on firewall optimization
focuses on either intrafirewall optimization, or interfirewall optimization
within one administrative domain where the privacy of firewall policies is not
a concern.
Firewall policy management is a
challenging task due to the complexity and interdependency of policy rules.
This is further exacerbated by the continuous evolution of network and system
environments.
The process of configuring a firewall is
tedious and error prone. Therefore, effective mechanisms and tools for policy management
are crucial to the success of firewalls.
Existing policy analysis tools, such as Firewall
Policy Advisor and FIREMAN, with the goal of detecting policy anomalies have
been introduced. Firewall Policy Advisor only has the capability of detecting pair
wise anomalies in firewall rules. FIREMAN can detect anomalies among multiple
rules by analyzing the relationships between one rule and the collections of
packet spaces derived from all preceding rules.
However, FIREMAN also has limitations in
detecting anomalies. For each firewall rule, FIREMAN only examines all
preceding rules but ignores all subsequent rules when performing anomaly analysis.
In addition, each analysis result from FIREMAN can only show that there is a misconfiguration
between one rule and its preceding rules, but cannot accurately indicate all rules
involved in an anomaly.
DISADVANTAGES
OF EXISTING SYSTEM:
The
number of rules in a firewall significantly affects its throughput. Fireman
can detect anomalies among multiple rules by analyzing the relationships
between one rule and the collections of packet spaces derived from all
preceding rules. For each firewall rule, FIREMAN only examines all preceding
rules but ignores all subsequent rules when performing anomaly analysis.
PROPOSED
SYSTEM:
In this paper, we represent a novel
anomaly management framework for firewalls based on a rule-based segmentation technique
to facilitate not only more accurate anomaly detection but also effective
anomaly resolution.
Based on this technique, a network
packet space defined by a firewall policy can be divided into a set of disjoint
packet space segments. Each segment associated with a unique set of firewall
rules accurately indicates an overlap relation (either conflicting or redundant)
among those rules.
We also introduce a flexible conflict
resolution method to enable a fine-grained conflict resolution with the help of
several effective resolution strategies with respect to the risk assessment of
protected networks and the intention of policy definition.
ADVANTAGES OF PROPOSED SYSTEM:
In
our framework conflict detection and resolution, conflicting segments are
identified in the first step. Each conflicting segment associates with a policy
conflict and a set of conflicting rules. Also, the correlation relationships
among conflicting segments are identified and conflict correlation groups are
derived. Policy conflicts belonging to different conflict correlation groups
can be resolved separately, thus the searching space for resolving conflicts is
reduced by the correlation process.
MODULES:
·
Correlation
of Packet Space Segment
·
Action
Constraint Generation
·
Rule
Reordering
·
Data
Package
MODULES DESCRIPTION:
Correlation
of Packet Space Segment:
The
major benefit of generating correlation groups for the anomaly analysis is that
anomalies can be examined within each group independently, because all
correlation groups are independent of each other. Especially, the searching
space for reordering conflicting rules in conflict resolution can be
significantly lessened and the efficiency of resolving conflicts can be greatly
improved.
Action
Constraint Generation:
In
a firewall policy are discovered and conflict correlation groups are
identified, the risk assessment for conflicts is performed. The risk levels of
conflicts are in turn utilized for both automated and manual strategy selections.
A basic idea of automated strategy selection is that a risk level of a
conflicting segment is used to directly determine the expected action taken for
the network packets in the conflicting segment. If the risk level is very high,
the expected action should deny packets considering the protection of network
perimeters
Rule
Reordering:
The
solution for conflict resolution is that all action constraints for conflicting
segments can be satisfied by reordering conflicting rules. In conflicting rules
in order that satisfies all action constraints, this order must be the optimal
solution for the conflict resolution.
Data
Package:
When
conflicts in a policy are resolved, the risk value of the resolved policy
should be reduced and the availability of protected network should be improved
comparing with the situation prior to conflict resolution based on the
threshold value data will be received in to the server.
SYSTEM CONFIGURATION:-
H/W SYSTEM CONFIGURATION:-
ü Processor -Pentium –III
ü Speed - 1.1 Ghz
ü RAM - 256 MB(min)
ü Hard
Disk - 20 GB
ü Floppy
Drive - 1.44 MB
ü Key
Board - Standard Windows Keyboard
ü Mouse - Two or Three Button Mouse
ü Monitor - SVGA
S/W System Configuration:-
v Operating System : Windows95/98/2000/XP
v Front End : Java
REFERENCE:
Fei Chen, Bezawada Bruhadeshwar, and Alex X. Liu, “Cross-Domain
Privacy-Preserving Cooperative Firewall Optimization”, IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 21, NO. 3, JUNE 2013
