With the wide deployment of Virtual Private Networks (VPN, for short), researchers proposed a novel firewall architecture called Cross-Domain Cooperative Firewall (CDCF, for short) to address the security and privacy problems in VPNs. The first cross-domain privacy-preserving cooperative firewall policy optimization protocol was proposed at INFOCOM 2011. However, if a firewall is updated frequently, that protocol may not be applicable because of its significant computation and communication cost. To address this issue, this paper proposes a universal and highly efficient method for CDCF optimization (SPRR, for short). It satisfies the need for privacy protection and, at the same time, is able to respond rapidly to CDCF updates. The main work of the thesis is as follows.

1. Research the deployment environment and the working principle of CDCF. Define the inter-firewall redundant rules of one firewall with respect to another firewall. Describe the data structure of firewall rules. Analyze firewall rules with the Firewall Decision Diagram (FDD, for short).

2. Analyze the requirements for detecting inter-firewall redundancy in CDCF. To meet the privacy-preserving requirement of inter-firewall redundancy detection, this paper discusses a method for comparing the rules of two cooperative firewalls in a privacy-preserving manner based on the "prefix membership verification scheme". To meet the requirement of adapting to dynamic CDCF updates, this paper analyzes all possible update cases of CDCF and divides them into three update scenarios. Based on an analysis of the structure of firewall rules, this paper proposes a novel concept called Related Rules and designs a sectioned-lookup algorithm to find the related rules associated with the updated rules in CDCF. Based on FDD theory, this paper proposes a novel method for analyzing the related rules with graph theory.

3. Responding to the defect of CDPP, and based on the idea of sectioned processing, this paper proposes a novel scheme with universality, high efficiency and privacy-preserving features to identify the inter-firewall redundant rules in CDCF, i.e., SPRR. This paper analyzes the detailed methods, designs the corresponding algorithms for SPRR, and describes the implementation process of SPRR in detail with examples.

4. This paper designs the assessment schemes for SPRR in detail and evaluates the accuracy and performance of SPRR on real firewall policies. The results show that SPRR identifies the complete set of inter-firewall redundant rules, as CDPP does. In addition, in terms of performance, the time cost and the communication cost of SPRR are reduced by at least an order of magnitude compared with CDPP.
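The prefix membership verification scheme named in point 2 is the primitive that lets two cooperating firewalls test whether a field value falls inside another firewall's rule range without either side disclosing the raw rule. The following is an added example, not code from the thesis: it converts a range to its minimal prefix set, expands a value into its prefix family, and compares the two sets after blinding every prefix with a keyed hash. The 8-bit field width, the shared HMAC key, and the use of HMAC in place of the commutative encryption used in the literature are all assumptions made for this illustration.

```python
import hmac
import hashlib

def range_to_prefixes(lo, hi, bits=8):
    """Split the integer range [lo, hi] into the minimal set of binary prefixes.
    A prefix is a string of '0'/'1' followed by '*' wildcards, e.g. '0000101*'."""
    prefixes = []
    while lo <= hi:
        # Find the largest aligned block [lo, lo + 2^k - 1] that still fits in [lo, hi].
        k = 0
        while k < bits and lo % (1 << (k + 1)) == 0 and lo + (1 << (k + 1)) - 1 <= hi:
            k += 1
        s = format(lo, f"0{bits}b")
        prefixes.append(s[:bits - k] + "*" * k)
        lo += 1 << k
    return prefixes

def prefix_family(value, bits=8):
    """All prefixes that contain value: the value itself, then with 1..bits low bits masked."""
    s = format(value, f"0{bits}b")
    return [s[:bits - k] + "*" * k for k in range(bits + 1)]

def blind(prefixes, key):
    """Replace each prefix by its HMAC under a key shared by the two domains, so the peer
    only learns which blinded prefixes match, not the underlying field values.
    (Assumption: a keyed hash stands in for commutative encryption here.)"""
    return {hmac.new(key, p.encode(), hashlib.sha256).hexdigest() for p in prefixes}

def value_in_range(value, lo, hi, key, bits=8):
    """value is in [lo, hi] iff the blinded prefix family and blinded prefix set intersect."""
    return bool(blind(prefix_family(value, bits), key) & blind(range_to_prefixes(lo, hi, bits), key))

if __name__ == "__main__":
    # Constructed sample: one firewall's rule covers ports 10..13, the other's rule uses port 11.
    shared_key = b"demo-key"  # constructed for the example only
    print(range_to_prefixes(10, 13))                  # ['0000101*', '0000110*']
    print(value_in_range(11, 10, 13, shared_key))     # True
    print(value_in_range(14, 10, 13, shared_key))     # False
```

Because only blinded prefixes cross the domain boundary, the comparison reveals membership and nothing more; in a real deployment each rule field (source/destination address, port, protocol) is handled the same way at its full bit width.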