Collaborative enforcement of firewall policies in virtual private networks

Authors
Alex X. Liu, Michigan State University, East Lansing, MI, USA
Fei Chen, Michigan State University, East Lansing, MI, USA

Source
Annual ACM Symposium on Principles of Distributed Computing
Proceedings of the twenty-seventh ACM symposium on Principles of distributed computing
Toronto, Canada
Pages 95-104
Year of Publication: 2008
ISBN: 978-1-59593-989-0

ABSTRACT
The widely deployed Virtual Private Network (VPN) technology allows roaming users to build an encrypted tunnel to a VPN server, which then lets them access resources as if their computer were residing on their home organization's network. Although VPN technology is very useful, it poses security threats to the remote network, because that network's firewall does not know what traffic is flowing inside the VPN tunnel. To address this issue, we propose VGuard, a framework that allows a policy owner and a request owner to collaboratively determine whether the request satisfies the policy, without the policy owner learning the request and without the request owner learning the policy. We first present an efficient protocol, called Xhash, for oblivious comparison: it allows two parties, each holding a number, to determine whether they hold the same number without disclosing their numbers to each other. Then we present the VGuard framework, which uses Xhash as its basic building block. The basic idea of VGuard is to first convert a firewall policy into non-overlapping numerical rules and then use Xhash to check whether a request matches a rule. Compared with the Cross-Domain Cooperative Firewall (CDCF) framework, which represents the state of the art, VGuard is not only more secure but also orders of magnitude more efficient. On real-life firewall policies, our experimental results show that for processing packets VGuard is 552 times faster than CDCF on one party and 5035 times faster than CDCF on the other party.
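The abstract's first step, turning an ordered first-match firewall policy into non-overlapping numerical rules, is illustrated below with an added example. It is not code from the paper and does not reproduce the paper's own conversion procedure or the Xhash protocol; the two-field rule format, the field names and the sample policy are constructed for this illustration. The conversion splits each field's domain at every rule boundary and assigns each resulting cell the decision the original policy gives it, so that every request matches exactly one rule, which is the property that lets a per-rule equality test stand in for an ordered search.

```python
"""Convert an ordered first-match firewall policy into non-overlapping numerical rules.

Added illustration only: the paper's own conversion procedure and the Xhash protocol
are not reproduced here. Field names, domains and the sample policy are constructed.
"""
from itertools import product

# A rule is (ranges, decision): one inclusive (lo, hi) range per field, in field order.
FIELDS = ("src_port", "dst_port")          # constructed field set
DOMAIN = ((0, 65535), (0, 65535))          # inclusive domain of each field

# Constructed sample policy with first-match semantics; the last rule is the catch-all.
POLICY = [
    (((1024, 65535), (22, 22)), "accept"),
    (((0, 65535), (0, 1023)), "discard"),
    (((1024, 65535), (1024, 65535)), "accept"),
    (((0, 65535), (0, 65535)), "discard"),
]


def first_match(policy, packet):
    """Decision of the first rule whose every range contains the packet's field value."""
    for ranges, decision in policy:
        if all(lo <= v <= hi for (lo, hi), v in zip(ranges, packet)):
            return decision
    raise ValueError("no rule matches; policy lacks a catch-all")


def elementary_intervals(policy, field_index, domain):
    """Split one field's domain at every rule boundary into maximal intervals
    on which the set of covering rules does not change."""
    lo, hi = domain
    cuts = {lo, hi + 1}
    for ranges, _ in policy:
        r_lo, r_hi = ranges[field_index]
        cuts.add(r_lo)
        cuts.add(r_hi + 1)
    pts = sorted(c for c in cuts if lo <= c <= hi + 1)
    return [(pts[i], pts[i + 1] - 1) for i in range(len(pts) - 1)]


def to_non_overlapping(policy, domain=DOMAIN):
    """Return (ranges, decision) rules that are pairwise disjoint and cover the domain."""
    per_field = [elementary_intervals(policy, i, domain[i]) for i in range(len(domain))]
    out = []
    for cell in product(*per_field):
        # Every point of a cell receives the same first-match decision, because no
        # rule boundary falls inside the cell, so probing one corner is enough.
        corner = tuple(lo for lo, _ in cell)
        out.append((cell, first_match(policy, corner)))
    return out


def overlaps(a, b):
    """True when two rules' range boxes share at least one point."""
    return all(a_lo <= b_hi and b_lo <= a_hi
               for (a_lo, a_hi), (b_lo, b_hi) in zip(a, b))


def pairwise_disjoint(rules):
    """True when no two rules in the list overlap."""
    return not any(overlaps(a, b)
                   for i, (a, _) in enumerate(rules) for b, _ in rules[i + 1:])


def lookup(rules, packet):
    """Match against non-overlapping rules; exactly one rule must match."""
    hits = [d for ranges, d in rules
            if all(lo <= v <= hi for (lo, hi), v in zip(ranges, packet))]
    if len(hits) != 1:
        raise AssertionError(f"expected exactly one match, got {len(hits)}")
    return hits[0]


def check_equivalent(policy, rules, samples):
    """True when every sample packet gets the same decision under both representations."""
    return all(first_match(policy, p) == lookup(rules, p) for p in samples)


if __name__ == "__main__":
    rules = to_non_overlapping(POLICY)
    print(f"{len(POLICY)} ordered rules -> {len(rules)} non-overlapping rules")
    for ranges, decision in rules:
        print(dict(zip(FIELDS, ranges)), decision)
```

The cell enumeration is deliberately the simplest correct construction: it can produce more rules than necessary (adjacent cells with the same decision are not merged), but it makes the disjointness argument obvious. With the constructed policy the two fields split into 2 and 4 intervals, giving 8 non-overlapping rules.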