Firewalls to Secure Dynamic LLM Agentic Networks

TL;DR

This paper introduces a dual-firewall architecture for secure communication in agentic networks of language models, significantly reducing privacy and security risks while maintaining task performance.

Contribution

It proposes a novel dual-firewall system that projects messages onto task-specific contexts, structurally eliminating manipulation channels in AI agent communication.

Findings

Reduces privacy attack success rates from 84% to 10%.

Decreases security attack success rates from 60% to 3%.

Maintains or improves task completion quality.

Abstract

The emergence of agent-to-agent communication protocols mirrors the early internet: powerful connectivity with minimal security infrastructure. When AI agents communicate on behalf of users, every message crosses a trust boundary where the user's personal data and the external agent's unconstrained language each present distinct risks. We address both through a dual-firewall architecture grounded in a unifying principle: each task defines a context, and both sides of the communication carry information far exceeding what that context requires. Our firewalls act as projections onto the task context, allowing only contextually appropriate content to cross each boundary. The Language Converter Firewall projects incoming messages onto a closed, domain-specific, structured protocol; an external agent's message is converted to validated fields while persuasive framing, urgency tactics, and embedded instructions are structurally eliminated through deterministic verification. This replaces the asymmetric challenge of resisting every possible manipulation with the structural guarantee that manipulation has no channel through which to arrive. The Data Abstraction Firewall projects outgoing information onto the granularity appropriate for the task, rather than applying binary disclose-or-redact filtering, as previous airgapping solutions did. Both firewalls operate in a trusted environment isolated from external input, applying domain-specific rules learned automatically from demonstrations. Across 864 attacks spanning three domains on the recent ConVerse benchmark, our architecture reduces privacy attack success rates (e.g., from 84% to 10% for GPT-5) and security attacks (from 60% to 3%), while maintaining or even improving task completion quality. Code is available at: https://github.com/amrgomaaelhady/Firewall-Agentic-Networks.