🤖 AI Summary
Existing research lacks a systematic investigation of mechanisms to ensure communication privacy, integrity, and utility among multi-LLM-agent systems executing long-horizon, goal-coupled tasks. Method: We propose the first dynamic firewall framework for LLM agent networks, featuring three synergistic layers: task-driven protocol generation, adaptive data abstraction, and reflective trajectory correction—enabling proactive defense at the communication level. Contribution/Results: Evaluated on a travel planning use case, the framework effectively mitigates information over-exposure and adversarial interference, significantly improving cross-agent collaboration security and task success rate. It provides a scalable, principled methodology for building trustworthy and robust LLM agent networks, advancing foundational infrastructure for secure multi-agent LLM orchestration.
📝 Abstract
Future LLM agents are likely to communicate on behalf of users with other entity-representing agents on tasks that entail long-horizon plans with interdependent goals. Current work does not focus on such agentic networks, nor does it address their challenges. Thus, we first identify the required properties of agents' communication, which should be proactive and adaptable and must satisfy 1) privacy: agents should not share more than the task needs, and 2) security: the communication must preserve integrity and retain its utility against selfish entities. We design a use case (travel planning) as a testbed that exemplifies these requirements, and we show examples of how this can go wrong. Next, we propose a practical design, inspired by established network security principles, for constrained LLM agentic networks that balance adaptability, security, and privacy. Our framework automatically constructs and updates task-specific rules from prior simulations to build firewalls. We offer layers of defense to 1) convert free-form input into a task-specific protocol, 2) dynamically abstract users' data to a task-specific degree of permissiveness, and 3) self-correct the agents' trajectory.
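The following sketch is an added illustration of the three defense layers in the travel-planning setting; it is not code from the paper, whose implementation is not on this page. The protocol fields, the three permissiveness levels (0 = withhold, 1 = coarsened, 2 = exact), the "tighten after two probes" rule, and the sample exchange between a user-side agent and a hotel-side agent are all constructed assumptions. The agent's free-form draft is represented as a dict standing in for LLM output, so the example runs offline.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical task protocol for the travel-planning testbed: the only fields the
# user-side agent may send to a hotel-side agent, and the maximum permissiveness
# (0 = withhold, 1 = coarsened, 2 = exact) at which each may be disclosed.
# The paper derives such rules from prior simulations; these values are assumed.
PROTOCOL = {
    "destination": 2,
    "check_in": 1,
    "check_out": 1,
    "guests": 2,
    "budget_per_night": 1,
}


def coarsen(name, value):
    """Level-1 abstraction: a +/-3 day window for dates, a 50-unit band for budgets."""
    if name in ("check_in", "check_out"):
        lo, hi = value - timedelta(days=3), value + timedelta(days=3)
        return f"{lo.isoformat()}..{hi.isoformat()}"
    if name == "budget_per_night":
        lo = (value // 50) * 50
        return f"{lo}-{lo + 50}"
    return value  # fields with no coarser form are passed through unchanged


@dataclass
class Firewall:
    policy: dict = field(default_factory=lambda: dict(PROTOCOL))
    log: list = field(default_factory=list)     # audit trail used for reflection
    probes: dict = field(default_factory=dict)  # field -> times asked for beyond policy

    def outbound(self, proposed):
        """Layers 1 and 2: turn the agent's free-form draft into a protocol message.
        Fields outside the protocol are dropped; the rest are abstracted to the
        permissiveness level the current policy allows (level 0 is withheld)."""
        msg = {}
        for name, value in proposed.items():
            if name not in self.policy:
                self.log.append(("dropped", name))
                continue
            level = self.policy[name]
            if level == 1:
                msg[name] = coarsen(name, value)
            elif level == 2:
                msg[name] = value
        return msg

    def inbound(self, request):
        """Layer 3, inspection and self-correction: the counterpart's requests arrive
        as (field, level) pairs. A request outside the protocol or above the allowed
        level is refused and counted as a probe; a protocol field probed twice is
        withheld for the rest of the task (assumed tightening heuristic)."""
        refused = []
        for name, level in request.get("requests", []):
            if level > self.policy.get(name, 0):
                refused.append(name)
                self.probes[name] = self.probes.get(name, 0) + 1
                if name in self.policy and self.probes[name] >= 2:
                    self.policy[name] = 0
                    self.log.append(("tightened", name))
        return refused


def run_example():
    """Constructed exchange: the user agent drafts a booking enquiry, the hotel
    agent twice pushes for the exact budget and once for a passport number."""
    fw = Firewall()
    draft = {
        "destination": "Lisbon",
        "check_in": date(2025, 6, 10),
        "check_out": date(2025, 6, 14),
        "guests": 2,
        "budget_per_night": 180,
        "home_address": "12 Example Street",  # not needed for the task
        "passport_number": "X1234567",        # not needed for the task
    }
    first = fw.outbound(draft)
    refused1 = fw.inbound({"requests": [("budget_per_night", 2), ("passport_number", 2)]})
    refused2 = fw.inbound({"requests": [("budget_per_night", 2)]})
    second = fw.outbound(draft)  # redrafted reply after the repeated pressure
    return first, refused1, refused2, second, fw.log


if __name__ == "__main__":
    for item in run_example():
        print(item)
```

The first outbound message carries a three-day date window and a "150-200" budget band rather than the exact values, and never contains the address or passport number; after the counterpart asks for the exact budget a second time, the policy drops that field to level 0 and the redrafted reply omits it entirely.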