Collaborative Enforcement of Firewall Policies in Virtual Private Networks
Transcript of Collaborative Enforcement of Firewall Policies in Virtual Private Networks
Fei Chen, Dept. of Computer Science and Engineering
Michigan State University
Joint work with Prof. Alex X. Liu
Collaborative Enforcement of Firewall Policies in Virtual Private Networks Liu, Chen
2/18
Introduction: Virtual Private Network (VPN)
[Figure: MSU network 1.1.0.0/16, protected by the MSU firewall, hosting an IBM representative at 1.1.0.10; IBM network 2.2.0.0/16 with the VPN server 2.2.0.1 and a confidential database 2.2.0.2; malicious websites outside both. The representative's packet (Src IP: 2.2.0.25, Dst IP: 2.2.0.2, header plus payload) travels inside an outer packet (Src IP: 1.1.0.10, Dst IP: 2.2.0.1) whose payload, including the inner header, is encrypted, so the MSU firewall sees only the tunnel: "a secure hole".]
Motivation
• The problem: the MSU firewall cannot know what traffic is inside the VPN tunnel
– Viruses or worms can enter MSU's network
• Two straightforward ways
[Figure: the two straightforward ways, both crossed out: IBM's VPN server sends the packet to the MSU firewall, or MSU sends its firewall policy to IBM's VPN server.]
• Goal: MSU and IBM collaboratively enforce the firewall policy without MSU knowing IBM's packet and without IBM knowing MSU's firewall
Related Work
• Secure Function Evaluation (SFE) (Yao, 1982)
– Garbled circuits (Yao, 1986)
• Computation cost is O(2^b)
• Oblivious Attribute Certificates (OACerts) (Li et al., 2005)
– Trusted third party
– Expensive PKI operations
• Cross-Domain Cooperative Firewall (CDCF) (Cheng et al., 2007)
– CDCF is insecure
• MSU knows which rule matches which packet
– CDCF is inefficient
• It uses commutative encryption functions
Our Approach: VGuard
[Figure: Bootstrapping protocol: MSU (Firewall) sends f1(Firewall) to IBM's VPN server, which returns f2(f1(Firewall)). Filtering protocol: IBM sends f2(packet); MSU (1) computes f1(f2(packet)) and (2) searches f1(f2(packet)) in f2(f1(Firewall)) to obtain the decision.]
• Key idea I: We propose the Xhash protocol for oblivious comparison
– Three orders of magnitude faster than commutative encryption
• Key idea II: We use Firewall Decision Diagrams (FDDs)
– For security, the FDD helps prevent MSU from knowing which rule matches which packet
– For efficiency, processing packets with an FDD is much more efficient than linear search
Oblivious Comparison
• Oblivious comparison problem: MSU holds c1 and IBM holds c2; is c1 = c2?
– If c1 ≠ c2, no party should learn the value of the other party
• Xhash protocol
[Figure: MSU holds key K1, IBM holds key K2. MSU sends c1⊕K1 to IBM; IBM computes h(c1⊕K1⊕K2) and returns it to MSU. IBM sends c2⊕K2 to MSU; MSU computes h(c2⊕K2⊕K1) and compares it with h(c1⊕K1⊕K2).]
Membership Query
• Membership query problem: MSU holds a range [a, b] and IBM holds a value c; is c in the range [a, b]?
– No party should learn the value of the other party
• Solutions using the Xhash protocol
[Figure: example with [3, 7] on the MSU side and 5 on the IBM side. Prefix format of [3, 7]: {011, 1**}. Prefix family of 5: PF(5) = {101, 10*, 1**, ***}. The shared prefix 1** shows that 5 is in [3, 7].]
How to check the intersection of two sets in a privacy-preserving manner?
[Figure: MSU holds the range [3, 7] with prefix format {011, 1**}; IBM holds the value 5 with prefix family PF(5) = {101, 10*, 1**, ***}. Prefix numericalization gives {01100, 10010} on the MSU side and {10111, 10010, 10001, 00011} on the IBM side. MSU sends {01100⊕K1, 10010⊕K1} to IBM; IBM returns {h(01100⊕K1⊕K2), h(10010⊕K1⊕K2)}, which MSU stores. IBM sends 10111⊕K2, …, 00011⊕K2 to MSU; MSU computes {h(10111⊕K2⊕K1), …, h(00011⊕K2⊕K1)} and checks for a value common to both sets.]
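As an added worked example (not code from the deck), the membership query above in Python: the range is covered by prefixes, the value is expanded into its prefix family, both are numericalized following the scheme on the packet slide (wildcards become 0 and the count of fixed bits is appended), and the Xhash exchange decides membership. SHA-256 standing in for h, 4-bit fields and the key width are assumptions.

```python
import hashlib
import secrets

W = 4                    # field width in bits (constructed example)
KBITS = W.bit_length()   # bits needed to encode 0..W, the number of fixed bits in a prefix

def range_to_prefixes(lo, hi, w=W):
    """Minimal prefix cover of [lo, hi]; '*' marks a wildcard bit ([3, 7] -> 011, 1** for w=3)."""
    out = []
    while lo <= hi:
        size = 1   # grow the aligned block starting at lo while it stays inside [lo, hi]
        while lo % (2 * size) == 0 and lo + 2 * size - 1 <= hi:
            size *= 2
        fixed = w - size.bit_length() + 1
        out.append(format(lo, f"0{w}b")[:fixed] + "*" * (w - fixed))
        lo += size
    return out

def prefix_family(v, w=W):
    """All prefixes of v, from the exact value down to the all-wildcard prefix."""
    bits = format(v, f"0{w}b")
    return [bits[:k] + "*" * (w - k) for k in range(w, -1, -1)]

def numericalize(prefix):
    """Replace '*' with 0 and append the count of fixed bits, as on the packet slide."""
    return prefix.replace("*", "0") + format(len(prefix.rstrip("*")), f"0{KBITS}b")

def mask(bits, key):   # XOR a bit string with an integer key of the same width
    return format(int(bits, 2) ^ key, f"0{len(bits)}b")

def h(bits):           # the deck's h(); SHA-256 stands in here (assumption)
    return hashlib.sha256(bits.encode()).hexdigest()

def xhash_membership(lo, hi, value, w=W):
    """Xhash membership query: MSU holds [lo, hi] and K1, IBM holds value and K2."""
    n = w + KBITS
    k1, k2 = secrets.randbits(n), secrets.randbits(n)   # each party's private key
    # MSU -> IBM: numericalized prefixes of the range, masked with K1
    msu_out = [mask(numericalize(p), k1) for p in range_to_prefixes(lo, hi, w)]
    # IBM -> MSU: h(x ⊕ K1 ⊕ K2) for each, which MSU stores; IBM never learns the range
    stored = {h(mask(x, k2)) for x in msu_out}
    # IBM -> MSU: numericalized prefix family of its value, masked with K2
    ibm_out = [mask(numericalize(p), k2) for p in prefix_family(value, w)]
    # MSU: h(y ⊕ K2 ⊕ K1) per prefix; XOR commutes, so a hit means a shared prefix
    return any(h(mask(y, k1)) in stored for y in ibm_out)
```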
The Bootstrapping Protocol (1/3)
• Why prevent MSU from knowing which rule matches which packet?
[Figure: the protocol diagram (MSU sends f1(Firewall), IBM returns f2(f1(Firewall)); IBM sends f2(packet), MSU computes f1(f2(packet)) and searches it in f2(f1(Firewall))). IBM cannot figure out the firewall from f1(Firewall), but MSU may figure out the packet by knowing the original rule that matches it. Example: f2(packet) matches the rule F1 ∈ [1, 4] ∧ F2 ∈ [5, 8] → accept. MSU changes the rule to F1 ∈ [1, 2] ∧ F2 ∈ [5, 6] → accept and learns that F1(packet) is in [1, 2] and F2(packet) is not in [5, 6]; then to F1 ∈ [1, 2] ∧ F2 ∈ [7, 8] → accept, and so on.]
The Bootstrapping Protocol (2/3)
• Convert overlapping rules to non-overlapping rules
[Figure: overlapping rules F1 ∈ [4, 11] ∧ F2 ∈ [0, 5] → accept; F1 ∈ [0, 3] ∧ F2 ∈ [2, 7] → accept; F1 ∈ [12, 15] ∧ F2 ∈ [2, 7] → accept; F1 ∈ [0, 15] ∧ F2 ∈ [0, 15] → discard. Pipeline: FDD construction → rule generation (non-overlapping rules) → prefix generation → prefix numericalization → XOR by MSU, giving (0100010⊕K1, 0000010⊕K1) → a, (0100010⊕K1, 0100011⊕K1) → a, (1000010⊕K1, 0000010⊕K1) → a, (1000010⊕K1, 0100011⊕K1) → a, (0100010⊕K1, 0110011⊕K1) → d, ……]
• The order of non-overlapping rules does not affect their function
The Bootstrapping Protocol (3/3)
[Figure: MSU sends the XORed rules (0100010⊕K1, 0000010⊕K1) → a, (0100010⊕K1, 0100011⊕K1) → a, (1000010⊕K1, 0000010⊕K1) → a, (1000010⊕K1, 0100011⊕K1) → a, (0100010⊕K1, 0110011⊕K1) → d, …… to IBM. IBM computes (h(0100010⊕K1⊕K2), h(0000010⊕K1⊕K2)) → a, (h(0100010⊕K1⊕K2), h(0100011⊕K1⊕K2)) → a, (h(1000010⊕K1⊕K2), h(0000010⊕K1⊕K2)) → a, (h(1000010⊕K1⊕K2), h(0100011⊕K1⊕K2)) → a, (h(0100010⊕K1⊕K2), h(0110011⊕K1⊕K2)) → d, ……, shuffles the rules, adds dummy rules such as (h(0100010⊕K1⊕K2), h(dummy1⊕K2)) → d, and sends the result back to MSU.]
• IBM shuffles the rules and adds dummy rules against MSU statistically analyzing (1) the frequency of values and (2) the frequency of decisions
The Filtering Protocol (1/2)
[Figure: A packet: (0101, 0011). Prefix family generation: 0101, 010*, 01**, 0***, **** and 0011, 001*, 00**, 0***, ****. Prefix numericalization: 0101100, 0100011, 0100010, 0000001, 0000000 and 0011100, 0010011, 0000010, 0000001, 0000000. XOR by IBM: (0101100⊕K2, 0011100⊕K2), (0100011⊕K2, 0010011⊕K2), (0100010⊕K2, 0000010⊕K2), (0000001⊕K2, 0000001⊕K2), (0000000⊕K2, 0000000⊕K2). XOR and HMAC by MSU: (h(0101100⊕K2⊕K1), h(0011100⊕K2⊕K1)), (h(0100011⊕K2⊕K1), h(0010011⊕K2⊕K1)), (h(0100010⊕K2⊕K1), h(0000010⊕K2⊕K1)), (h(0000001⊕K2⊕K1), h(0000001⊕K2⊕K1)), (h(0000000⊕K2⊕K1), h(0000000⊕K2⊕K1)).]
The Filtering Protocol (2/2)
• To improve search efficiency, MSU can convert the non-overlapping rules to an FDD
[Figure: the rules returned by IBM, (h(0100010⊕K1⊕K2), h(0000010⊕K1⊕K2)) → d, (h(0100010⊕K1⊕K2), h(0100011⊕K1⊕K2)) → d, (h(1000010⊕K1⊕K2), h(0110011⊕K1⊕K2)) → a, (h(1000010⊕K1⊕K2), h(0100011⊕K1⊕K2)) → d, (h(0100010⊕K1⊕K2), h(0110011⊕K1⊕K2)) → a, (h(dummy5⊕K1⊕K2), h(dummy7⊕K1⊕K2)) → d, ……, converted to an FDD.]
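As an added end-to-end example (not the VGuard code), the bootstrapping and filtering protocols in Python over the deck's non-overlapping rules: MSU masks the numericalized rules with K1, IBM hashes them with K2, adds dummy rules and shuffles, and MSU stores the returned rows as a two-level lookup (F1 hash first, then F2 hash, in the spirit of the FDD search) so that filtering hashes only five prefixes per field. SHA-256 for h, 4-bit fields with 7-bit keys and the dummy-rule construction are assumptions.

```python
import hashlib, random, secrets

W, KBITS = 4, 3   # 4-bit fields; 3 bits encode how many bits of a prefix are fixed (constructed)

def numericalize(prefix):
    """Replace '*' with 0 and append the count of fixed bits, as on the packet slide."""
    return prefix.replace("*", "0") + format(len(prefix.rstrip("*")), f"0{KBITS}b")

def prefix_family(v):
    """All prefixes of the W-bit value v, from the exact value down to ****."""
    bits = format(v, f"0{W}b")
    return [bits[:k] + "*" * (W - k) for k in range(W, -1, -1)]

def mask(bits, key):   # XOR a bit string with an integer key of the same width (W + KBITS bits)
    return format(int(bits, 2) ^ key, f"0{len(bits)}b")
def h(bits):           # the deck's h(); SHA-256 stands in here (assumption)
    return hashlib.sha256(bits.encode()).hexdigest()

# Non-overlapping rules from the deck as (F1 prefix, F2 prefix, decision); a = accept, d = discard
RULES = [("01**", "00**", "a"), ("01**", "010*", "a"), ("10**", "00**", "a"),
         ("10**", "010*", "a"), ("01**", "011*", "d")]

def bootstrap(rules, k1, k2, n_dummy=2):
    """MSU masks numericalized rules with K1; IBM hashes with K2, adds dummy rules and shuffles."""
    msu_out = [(mask(numericalize(f1), k1), mask(numericalize(f2), k1), d) for f1, f2, d in rules]
    rows = [(h(mask(x, k2)), h(mask(y, k2)), d) for x, y, d in msu_out]
    for _ in range(n_dummy):   # dummy rule: a real F1 hash paired with a random F2 value (assumed form)
        rows.append((random.choice(rows)[0], h(secrets.token_hex(8)), random.choice("ad")))
    random.shuffle(rows)       # hides the original rule order from MSU
    return rows

def build_fdd(rows):
    """MSU stores the returned rows as a two-level lookup: F1 hash -> F2 hash -> decision."""
    fdd = {}
    for hf1, hf2, d in rows:
        fdd.setdefault(hf1, {})[hf2] = d
    return fdd

def filter_packet(fdd, f1, f2, k1, k2, default="d"):
    """IBM masks the packet's prefix families with K2; MSU hashes with K1 and walks the lookup."""
    ibm_f1 = [mask(numericalize(p), k2) for p in prefix_family(f1)]   # sent by IBM
    ibm_f2 = [mask(numericalize(p), k2) for p in prefix_family(f2)]
    for x in ibm_f1:                              # rules are non-overlapping: at most one full match
        level2 = fdd.get(h(mask(x, k1)))
        if level2 is not None:
            for y in ibm_f2:
                d = level2.get(h(mask(y, k1)))
                if d is not None:
                    return d
    return default                                # no rule covers the packet (assumed default)
```

Keys must be W + KBITS bits wide so that the XOR masks stay inside the numericalized field width.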
Experimental Results (1/3)
• For real-life firewalls in the bootstrapping protocol
– The bootstrapping cost of VGuard is lower than that of CDCF for most firewalls
[Figure: bootstrapping cost, MSU side and IBM side.]
Experimental Results (2/3)
• For real-life firewalls in the filtering protocol
– VGuard is 552 times faster than CDCF on the MSU side
– VGuard is 5035 times faster than CDCF on the IBM side
[Figure: filtering time on the MSU side and on the IBM side (log scale).]
• Two intuitive reasons for the better performance
– Xhash is three orders of magnitude faster than commutative encryption
– An FDD is much more efficient for finding the decision of a given packet
Experimental Results (3/3)
• For synthetic firewall policies in the filtering protocol
– VGuard is 252 times faster than CDCF on the MSU side
– VGuard is 5529 times faster than CDCF on the IBM side
[Figure: filtering time on the MSU side and on the IBM side (log scale).]
Concluding Remarks
• VGuard is secure
– VGuard prevents MSU from identifying which rule matches the given packet
• VGuard is efficient
– Xhash is three orders of magnitude faster than commutative encryption
– VGuard uses firewall decision diagrams for processing packets
• Xhash is very efficient for oblivious comparison and can be used in other applications
Questions?
Thank you!