Conference paper

Design and Implementation of Cross-Domain Cooperative Firewall

Security and privacy are two major concerns in supporting roaming users across administrative domains. In current practice, a roaming user often uses encrypted tunnels, e.g., Virtual Private Networks (VPNs), to protect the secrecy and privacy of her communications. However, because of its encrypted nature, the traffic flowing through these tunnels cannot be examined and regulated by the foreign network's firewall, which may leave the foreign network wide open to various attacks from the Internet. This threat can be alleviated if the users reveal their traffic to the foreign network, or if the foreign network reveals its firewall rules to the tunnel endpoints. However, neither approach is desirable in practice because of privacy concerns. In this paper, we propose a Cross-Domain Cooperative Firewall (CDCF) that allows two collaborating networks to enforce each other's firewall rules in an oblivious manner. In CDCF, when a roaming user establishes an encrypted tunnel between her home network and the foreign network, the tunnel endpoint (e.g., a VPN server) can regulate the traffic and enforce the foreign network's firewall rules without knowing these rules. The key ingredients of CDCF are the distribution of firewall primitives across network domains and the enabling technique of efficient oblivious membership verification. We have implemented CDCF, integrated it with the OpenVPN software, and evaluated its performance through extensive experiments. Our results show that CDCF can protect the foreign network from encrypted tunnel traffic with minimal overhead.
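The abstract names oblivious membership verification as the enabling technique: the VPN endpoint must decide whether a packet's header fields fall inside the foreign network's rule ranges while the endpoint never sees the ranges and the foreign network never sees the fields. The following block is an added illustration of that idea and is not the CDCF paper's own protocol or code. It assumes a deliberately simple construction: rule ranges are split into aligned binary prefixes, every prefix is hashed into the multiplicative group of a prime field, and both parties blind values by exponentiation with private keys, which commutes, so a double-blinded rule prefix and a double-blinded packet prefix compare equal exactly when the plaintext prefixes are equal. The prime, field widths, rule set and packets are all constructed for the demo.

```python
import hashlib
import math
import secrets

# Illustrative construction, not the CDCF protocol: Pohlig-Hellman-style
# commutative blinding in Z_p^*. The prime and widths are demo assumptions.
P = (1 << 127) - 1                                   # Mersenne prime 2^127 - 1
FIELD_BITS = {"src_port": 16, "dst_port": 16, "proto": 8}


def _gen_key():
    # x -> x^k mod p is a permutation of Z_p^* iff gcd(k, p-1) == 1, so equal
    # blinded values imply equal plaintexts and vice versa (no false matches).
    while True:
        k = secrets.randbelow(P - 2) + 2
        if math.gcd(k, P - 1) == 1:
            return k


def _to_group(field, value, plen):
    # Hash (field, prefix length, prefix value) into Z_p^* minus {1}.
    h = hashlib.sha256(f"{field}:{plen}:{value}".encode()).digest()
    return int.from_bytes(h, "big") % (P - 2) + 2


def range_to_prefixes(lo, hi, bits):
    """Split the inclusive range [lo, hi] into aligned (prefix, length) blocks."""
    out = []
    while lo <= hi:
        plen = bits
        while plen > 0:
            size = 1 << (bits - plen + 1)            # block size at plen - 1
            if lo % size == 0 and lo + size - 1 <= hi:
                plen -= 1
            else:
                break
        out.append((lo >> (bits - plen), plen))
        lo += 1 << (bits - plen)
    return out


def value_prefixes(value, bits):
    """All prefixes (0..bits bits long) of one concrete field value."""
    return [(value >> (bits - plen), plen) for plen in range(bits + 1)]


class RuleOwner:
    """Foreign network: holds the deny rules, never sees plaintext packet fields."""

    def __init__(self, rules):
        self.k = _gen_key()
        self.rules = rules                           # list of {field: (lo, hi)}

    def blinded_rules(self):
        # Rule count, field names and prefixes-per-field stay visible to the
        # endpoint; the range values themselves do not.
        return [{f: [pow(_to_group(f, v, l), self.k, P)
                     for v, l in range_to_prefixes(lo, hi, FIELD_BITS[f])]
                 for f, (lo, hi) in rule.items()}
                for rule in self.rules]

    def double_blind(self, values):
        # Apply the owner's key to values already blinded by the endpoint.
        return [pow(v, self.k, P) for v in values]


class TunnelEndpoint:
    """Home-side VPN server: sees plaintext packets, never learns the rules."""

    def __init__(self, owner):
        self.k = _gen_key()
        self.owner = owner
        # (g^kf)^kv == (g^kv)^kf, so the locally double-blinded rule prefixes
        # are comparable with what the owner returns for packet prefixes.
        self.rules = [{f: frozenset(pow(v, self.k, P) for v in vals)
                       for f, vals in rule.items()}
                      for rule in owner.blinded_rules()]

    def is_denied(self, packet):
        queries, fields = [], []
        for field, value in packet.items():
            for v, l in value_prefixes(value, FIELD_BITS[field]):
                queries.append(pow(_to_group(field, v, l), self.k, P))
                fields.append(field)
        # Only kv-blinded values cross the domain boundary.
        answered = self.owner.double_blind(queries)
        matched = {}
        for field, val in zip(fields, answered):
            matched.setdefault(field, set()).add(val)
        # A rule fires when every field it constrains has a matching prefix.
        return any(all(matched.get(f, set()) & vals for f, vals in rule.items())
                   for rule in self.rules)


# Constructed sample policy: deny TCP (6) to privileged ports, deny UDP (17).
OWNER = RuleOwner([{"proto": (6, 6), "dst_port": (0, 1023)},
                   {"proto": (17, 17)}])
ENDPOINT = TunnelEndpoint(OWNER)


def check(packet):
    """Return True when the endpoint must drop the packet under the owner's rules."""
    return ENDPOINT.is_denied(packet)


if __name__ == "__main__":
    for pkt in ({"proto": 6, "dst_port": 22, "src_port": 40000},
                {"proto": 6, "dst_port": 8080, "src_port": 40000},
                {"proto": 17, "dst_port": 53, "src_port": 5353}):
        print(pkt, "denied" if check(pkt) else "allowed")
```

Two caveats a practitioner would check before using anything like this: the endpoint still learns the shape of the policy (number of rules, which fields each rule constrains, how many prefixes each range produces), and every packet costs one round trip to the rule owner per decision unless results are cached per flow; the paper's claim of minimal overhead should be read against whatever caching and batching its actual design uses, which this sketch does not reproduce.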

Jerry Cheng, Hao Yang, Starsky H. Y. Wong, Petros Zerfos, Songwu Lu

UCLA Computer Science Department, Los Angeles, CA 90095; IBM T. J. Watson Research Center, Hawthorne, NY 10532; Deutsche Telekom Laboratories, Ernst-Reuter-Platz 7, D-10587 Berlin, Germany

International conference

The 15th IEEE International Conference on Network Protocols (ICNP 2007)

Beijing

English

pp. 284-293

2007-10-16 (date the record first went online on the Wanfang platform; not necessarily the paper's publication date)