To Provide An Innovative Policy Anomaly Management Framework For Firewalls

Subha Sree Mallela, M M Bala Krishna, K.T.V Subbarao


- Firewalls have been widely organized on the Internet for securing private networks. A firewall checks each incoming or outgoing packet to choose whether to accept or discard the packet based on its policy. Optimizing firewall policies is vital for improving network performance. In this paper we propose the first cross-domain privacy-preserving cooperative firewall policy optimization protocol. Specifically for any two adjacent firewalls belonging to two different administrative domains our protocol can recognize in each firewall the rules that can be removed because of the other firewall. The optimization process involves cooperative computation between the two firewalls without any party disclosing its policy to the other. Firewalls are significant in securing private networks of businesses, institutions and home networks. A firewall is frequently placed at the entry between a private network and the external network so that it can ensure each incoming or outgoing packet and choose whether to accept or abandon the packet based on its policy. A firewall policy is typically specified as a sequence of rules called Access Control List (ACL) and each rule has a predicate over multiple packet header fields i.e., source IP, destination IP, source port, destination port, and protocol type and a decision i.e., accept and discard for the packets that counterpart the predicate.  In this paper we recommend the first cross-domain privacy- preserving cooperative firewall policy optimization protocol.


Firewall optimization, privacy.


nf-HiPAC, “Firewall throughput test,” 2012 [Online]. Available:http://

R. Agrawal, A. Evfimievski, and R. Srikant, “Information sharing across private databases,” in Proc. ACM SIGMOD, 2003, pp. 86–97.

E. Al-Shaer and H. Hamed, “Discovery of policy anomalies in distributed firewalls,” in Proc. IEEE INFOCOM, 2004, pp. 2605–2616.

J. Brickell and V. Shmatikov, “Privacy-preserving graph algorithms in the semi-honest model,” in Proc. ASIACRYPT, 2010, pp. 236–252.

Y.-K. Chang, “Fast binary and multiway prefix searches for packet forwarding,” Comput. Netw., vol. 51, no. 3, pp. 588–605, 2007.

J. Cheng, H. Yang, S. H.Wong, and S. Lu, “Design and implementation of cross-domain cooperative firewall,” in Proc. IEEE ICNP, 2007, pp. 284–293.

Q. Dong, S. Banerjee, J. Wang, D. Agrawal, and A. Shukla, “Packet classifiers in ternary CAMs can be smaller,” in Proc. ACM SIGMETRICS, 2006, pp. 311–322.

O. Goldreich, “Secure multi-party computations,” Working draft, Ver. 1.4, 2002.

O. Goldreich, Foundations of Cryptography: Volume II (Basic Applications). Cambridge, U.K.: Cambridge Univ. Press, 2004.

M. G. Gouda and A. X. Liu, “Firewall design: Consistency, completeness and compactness,” in Proc. IEEE ICDCS, 2004, pp. 320–327.

M. G. Gouda and A. X. Liu, “Structured firewall design,” Comput. Netw., vol. 51, no. 4, pp. 1106–1120, 2007.

P. Gupta, “Algorithms for routing lookups and packet classification,” Ph.D. dissertation, Stanford Univ., Stanford, CA, 2000.

A. X. Liu and F. Chen, “Collaborative enforcement of firewall policies in virtual private networks,” in Proc. ACM PODC, 2008, pp. 95–104.

A. X. Liu and M. G. Gouda, “Diverse firewall design,” IEEE Trans. Parallel Distrib. Syst., vol. 19, no. 8, pp. 1237–1251, Sep. 2008.

A. X. Liu and M. G. Gouda, “Complete redundancy removal for packet classifiers in TCAMs,” IEEE Trans. Parallel Distrib. Syst., vol. 21, no. 4, pp. 424–437, Apr. 2010.



  • There are currently no refbacks.

Copyright © 2013, All rights reserved.|

Creative Commons License
International Journal of Science Engineering and Advance Technology is licensed under a Creative Commons Attribution 3.0 Unported License.Based on a work at IJSEat , Permissions beyond the scope of this license may be available at