By Topic

Design and Implementation of Cross-Domain Cooperative Firewall

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$31 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

5 Author(s)
Cheng, J. ; UCLA Comput., Los Angeles ; Hao Yang ; Wong, S.H.Y. ; Zerfos, P.
more authors

Security and privacy are two major concerns in supporting roaming users across administrative domains. In current practices, a roaming user often uses encrypted tunnels, e.g., Virtual Private Networks (VPNs), to protect the secrecy and privacy of her communications. However, due to its encrypted nature, the traffic flowing through these tunnels cannot be examined and regulated by the foreign network's firewall, which may lead the foreign network widely open to various attacks from the Internet. This threat can be alleviated if the users reveal their traffic to the foreign network or the foreign network reveals its firewall rules to the tunnel endpoints. However, neither approach is desirable in practice due to privacy concerns. In this paper, we propose a Cross-Domain Cooperative Firewall (CDCF) that allows two collaborative networks to enforce each other's firewall rules in an oblivious manner. In CDCF, when a roaming user establishes an encrypted tunnel between his home network and the foreign network, the tunnel endpoint (e.g., a VPN server) can regulate the traffic and enforce the foreign network's firewall rules, without knowing these rules. The key ingredients in CDCF are the distribution of firewall primitives across network domains, and the enabling technique of efficient oblivious membership verification. We have implemented CDCF and integrated it with the OpenVPN software, and evaluated its performance using extensive experiments. Our results show that CDCF can protect the foreign network from encrypted tunnel traffic with minimal overhead.

Published in:

Network Protocols, 2007. ICNP 2007. IEEE International Conference on

Date of Conference:

16-19 Oct. 2007