
Privacy Preserving Collaborative Enforcement of Firewall Policies in Virtual Private Networks
Abstract
The widely deployed Virtual Private Network (VPN) technology allows roaming users to build an encrypted tunnel to a VPN
server, which henceforth allows roaming users to access some resources as if that computer were residing on their home organization’s
network. Although VPN technology is very useful, it imposes security threats on the remote network because its firewall does not know
what traffic is flowing inside the VPN tunnel. To address this issue, we propose VGuard, a framework that allows a policy owner and a
request owner to collaboratively determine whether the request satisfies the policy without the policy owner knowing the request and
the request owner knowing the policy. We first present an efficient protocol, called Xhash, for oblivious comparison, which allows two
parties, where each party has a number, to compare whether they have the same number, without disclosing their numbers to each
other. Then, we present the VGuard framework that uses Xhash as the basic building block. The basic idea of VGuard is to first convert
a firewall policy to non-overlapping numerical rules and then use Xhash to check whether a request matches a rule. Compared with
the Cross-Domain Cooperative Firewall (CDCF) framework, which represents the state-of-the-art, VGuard is not only more secure but
also orders of magnitude more efficient. On real-life firewall policies, for processing packets, our experimental results show that VGuard
is three to four orders of magnitude faster than CDCF.
Index Terms—Virtual Private Networks, Privacy, Network Security.
1 INTRODUCTION
1.1 Background and Motivation

Virtual Private Network (VPN) is a widely deployed technology that allows roaming users to securely use a remote computer on the public Internet as if that computer were residing on their organization’s network, which henceforth allows roaming users to access some resources that are only accessible from their organization’s network. VPN works in the following manner. Suppose IBM sends a field representative to one of its customers, say Michigan State University (MSU). Assume that MSU’s IP addresses are in the range 1.1.0.0 ∼ 1.1.255.255 and IBM’s IP addresses are in the range 2.2.0.0 ∼ 2.2.255.255. To access resources (say a confidential customer database server with IP address 2.2.0.2) that are only accessible within IBM’s network, the IBM representative uses an MSU computer (or his laptop) with an MSU IP address (say 1.1.0.10) to establish a secure VPN tunnel to the VPN server (with IP address 2.2.0.1) in IBM’s network. Upon establishing the VPN tunnel, the IBM representative’s computer is temporarily assigned a virtual IBM IP address (say 2.2.0.25). Using the VPN tunnel, the IBM representative can access any computer on the Internet as if his computer were residing on IBM’s network with IP address 2.2.0.25. The payload of each packet inside the VPN tunnel is another packet (to or from the newly assigned IBM IP address 2.2.0.25), which is typically encrypted. Fig. 1 illustrates an example packet that traverses from the IBM representative’s computer on MSU’s network to the customer database server in IBM’s network.

• Alex X. Liu and Fei Chen are with the Department of Computer Science and Engineering, Michigan State University, East Lansing, MI, 48824. E-mail: {alexliu, feichen}[at]cse.msu.edu

1. The preliminary version of this paper titled “Collaborative Enforcement of Firewall Policies in Virtual Private Networks” was published in proceedings of the Annual ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing (PODC), pages 95-104, Canada, August 2008.
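
The abstract's first step, converting a first-match firewall policy to non-overlapping numerical rules, sketched as an added example that is not code from the paper or from the original post. It sweeps rule boundaries on a single field only; the paper's own multi-field construction is not given on this page. The rule decisions and all function names are constructed assumptions, while the address ranges are the ones used in the introduction.

```python
import ipaddress
from bisect import bisect_right

def ip(text):
    """Dotted-quad IPv4 address -> integer, so rules become numeric ranges."""
    return int(ipaddress.IPv4Address(text))

# Constructed first-match policy on the source-address field only.
# Earlier rules win, so the ranges below deliberately overlap.
POLICY = [
    (ip("2.2.0.2"), ip("2.2.0.2"), "discard"),     # single host inside IBM's range
    (ip("2.2.0.0"), ip("2.2.255.255"), "accept"),  # IBM's range
    (ip("1.1.0.0"), ip("1.1.255.255"), "accept"),  # MSU's range
    (0, 2**32 - 1, "discard"),                     # default rule
]

def first_match(policy, value):
    """Reference semantics: decision of the first rule that covers value."""
    for lo, hi, decision in policy:
        if lo <= value <= hi:
            return decision
    return None

def to_non_overlapping(policy):
    """Return sorted, disjoint (lo, hi, decision) rules equivalent to policy."""
    # A decision can only change where some rule starts or just after it ends.
    cuts = sorted({lo for lo, _, _ in policy} | {hi + 1 for _, hi, _ in policy})
    rules = []
    for start, nxt in zip(cuts, cuts[1:]):
        # No boundary lies strictly inside [start, nxt - 1], so every rule
        # covers all of it or none of it: one probe decides the whole segment.
        decision = first_match(policy, start)
        if decision is None:
            continue  # gap not covered by any rule
        if rules and rules[-1][2] == decision and rules[-1][1] == start - 1:
            rules[-1] = (rules[-1][0], nxt - 1, decision)  # merge neighbours
        else:
            rules.append((start, nxt - 1, decision))
    return rules

def lookup(rules, value):
    """Order-independent match: at most one disjoint rule contains value."""
    i = bisect_right([lo for lo, _, _ in rules], value) - 1
    if i >= 0 and rules[i][0] <= value <= rules[i][1]:
        return rules[i][2]
    return None

NON_OVERLAPPING = to_non_overlapping(POLICY)
```

Because the resulting rules are disjoint, a request matches exactly one of them and rule order no longer matters, which is what lets the match be phrased as a comparison against individual rules.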

