Computing Reviews
Today's Issue Hot Topics Search Browse Recommended My Account Log In
Review Help
Taking back control of privacy: a novel framework for preserving cloud-based firewall policy confidentiality
Kurek T., Niemiec M., Lason A.  International Journal of Information Security 15 (3): 235-250, 2016. Type: Article
Date Reviewed: Sep 12 2016

Would you intentionally make your firewall leak packets that are supposed to be blocked? This paper presents an interesting argument for when this might be desired.

When your firewall is hosted, the cloud service provider (CSP) would know your firewall configuration. Is that a problem? The argument is that you trust the CSP, but individual CSP staff members could have malicious intentions; knowing your firewall configuration would make it easy for them to launch an attack.

Earlier work had already proposed a mechanism to hide the firewall configuration from the CSP by transforming the firewall decision diagrams into a set of hash functions, a Bloom filter firewall decision diagram (BFFDD); this is known as the Ladon framework. However, even though in this case the CSP now only sees the hash functions and not the original firewall configuration, the CSP could still de-anonymize the firewall by watching the traffic entering and leaving the firewall.

This paper proposes to introduce purposeful uncertainty into the BFFDD decisions, to make the task of deducing the original firewall configuration infeasible by intentionally allowing “bad” packets to pass through, and not letting the observer record any positive decision (of a closed firewall) as certain. However, with the bad packets being mixed with the good traffic, the connection from the public cloud has to be filtered by a second, traditional firewall in the private cloud operated by the customer; this firewall and the private cloud would only be receiving a fraction of the traffic entering the public cloud.

The paper shows through a detailed mathematical analysis that the rate of the “bad packets” allowed through can be tuned to a chosen value, allowing the company to reach a desired tradeoff between the extra load (on the network link and the second firewall in the private cloud) and the level of privacy of the firewall configuration in the public cloud.

The paper also provides a good background on the issues surrounding operations of firewalls in public clouds. I recommend it to researchers and practitioners active in this area.

Reviewer:  Vladimir Mencl Review #: CR144755 (1612-0889)
Bookmark and Share
Security and Protection (C.2.0 ... )
Cloud Computing (C.2.4 ... )
Privacy (K.4.1 ... )
Would you recommend this review?
Other reviews under "Security and Protection": Date
Security, privacy and trust in the IoT environment
Mahmood Z.,  Springer International Publishing, New York, NY, 2019. 293 pp. Type: Book (978-3-030180-74-4)
Aug 19 2020
Pro Azure governance and security: a comprehensive guide to Azure Policy, Blueprints, Security Center, and Sentinel
Tender P., Rendon D., Erskine S.,  Apress, New York, NY, 2019. 340 pp. Type: Book (978-1-484249-09-3)
May 26 2020
Quantifying the utility-privacy tradeoff in the Internet of Things
Dong R., Ratliff L., Cárdenas A., Ohlsson H., Sastry S.  ACM Transactions on Cyber-Physical Systems 2(2): 1-28, 2018. Type: Article
Mar 10 2020

E-Mail This Printer-Friendly
Send Your Comments
Contact Us
Reproduction in whole or in part without permission is prohibited.   Copyright © 2000-2020 ThinkLoud, Inc.
Terms of Use
| Privacy Policy