Distributing and Obfuscating Firewalls via Oblivious Bloom Filter Evaluation

Firewalls have long been in use to protect local networks from threats of the larger Internet. Although firewalls are effective in preventing attacks initiated from outside, they are vulnerable to insider threats, e.g., malicious insiders may access and alter firewall configurations and disable firewall services. In this paper, we develop an innovative distributed architecture to obliviously manage and evaluate firewalls, to prevent both insider and external attacks targeting the firewalls themselves. Our proposed structure alleviates these issues by obfuscating the firewall rules or policies, then distributing the function of evaluating these rules across multiple servers. Thus, both accessing and altering the rules become considerably more difficult, thereby providing better protection to the local network as well as greater security for the firewall itself. We achieve this by integrating multiple areas of research such as secret sharing schemes and multi-party computation, as well as Bloom filters and Byzantine agreement protocols. Our resulting solution is an efficient and secure means by which a firewall may be distributed and obfuscated while maintaining the ability for multiple servers to obliviously evaluate its functionality.
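As an added illustration (not the paper's own construction or code), the following Python sketches the idea in the abstract: deny rules are encoded in a Bloom filter, the filter's bits are XOR-secret-shared across several servers so that no single server holds the rule set, and a flow is checked by combining each server's share bits at the probed positions. The hash construction, the parameters, the use of plain XOR sharing in place of the paper's secret-sharing and multi-party protocol, and the rule strings are all assumptions made here; the servers still learn which positions are probed, so this shows the distribution and evaluation steps rather than a fully oblivious protocol.

```python
import hashlib
import secrets
from functools import reduce
from typing import List

# Constructed parameters, kept small for illustration: filter size in bits,
# number of hash functions, number of evaluation servers holding shares.
M_BITS = 256
K_HASHES = 4
N_SERVERS = 3


def positions(key: str) -> List[int]:
    """The k bit positions for a key, each from SHA-256 over a distinct per-hash prefix."""
    return [int.from_bytes(hashlib.sha256(f"{i}:{key}".encode()).digest()[:4], "big") % M_BITS
            for i in range(K_HASHES)]


def build_filter(deny_rules: List[str]) -> List[int]:
    """Encode the deny rules (constructed 'src->dst:port' strings) as one Bloom filter."""
    bits = [0] * M_BITS
    for rule in deny_rules:
        for p in positions(rule):
            bits[p] = 1
    return bits


def share_filter(bits: List[int], n: int = N_SERVERS) -> List[List[int]]:
    """XOR-secret-share every bit across n servers; any n-1 shares are uniformly random."""
    shares = [[secrets.randbelow(2) for _ in range(M_BITS)] for _ in range(n - 1)]
    last = [bits[i] ^ reduce(lambda a, s: a ^ s[i], shares, 0) for i in range(M_BITS)]
    return shares + [last]


def reconstruct(shares: List[List[int]]) -> List[int]:
    """XOR all shares back together (only for checking; no single server ever does this)."""
    return [reduce(lambda a, s: a ^ s[i], shares, 0) for i in range(M_BITS)]


def server_answer(share: List[int], pos: List[int]) -> List[int]:
    """One server's reply: its share bits at the requested positions, nothing else."""
    return [share[p] for p in pos]


def evaluate(shares: List[List[int]], flow: str) -> bool:
    """Combine all servers' replies. True: the flow matches a deny rule (or is a
    Bloom false positive). False: it is definitely not covered by any deny rule."""
    pos = positions(flow)
    replies = [server_answer(s, pos) for s in shares]
    for j in range(K_HASHES):
        if reduce(lambda a, r: a ^ r[j], replies, 0) == 0:
            return False  # a probed bit is clear: no inserted rule could have set it
    return True
```

A clear reconstructed bit is a definite miss, so a rule the filter encodes is never silently allowed; the cost of the compact encoding is that an unrelated flow can occasionally be denied as a false positive, which sizing M_BITS and K_HASHES for the rule count keeps rare.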
