ABSTRACT
Outsourced middlebox services have become a natural trend in modern enterprise networks for handling advanced traffic processing such as deep packet inspection, traffic classification, and load balancing. However, redirecting traffic to outsourced middleboxes raises new security and privacy concerns, as this service model gives cloud providers full access to all of the enterprise's traffic flows and proprietary middlebox rules. To ease these concerns, recent efforts have been made to design secure middlebox services that operate directly over encrypted traffic and encrypted middlebox rules. But the security concerns raised by dynamic network functions, such as stateful deep packet inspection and firewall rule updates, are still not fully addressed. In this paper, we first propose a practical system architecture that lets outsourced middleboxes perform dynamic deep packet inspection with forward and backward privacy: newly added rules cannot be linked to previous inspection results, and deleted rules remain inaccessible to the server. Several recent papers have shown that this is a strong property that makes adaptive attacks less effective. Furthermore, we provide a generic solution that handles stateful inspection while still protecting the privacy of the inspection state. Rigorous analysis and prototype evaluations demonstrate the security, efficiency, and effectiveness of the design.
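The two properties named in the abstract are easiest to see on a minimal encrypted rule index. The following is an added illustration, not the paper's construction: a counter-based dynamic searchable index in which the rule owner derives one fresh token per (keyword, insertion slot) with a keyed PRF, and deletion is recorded only on the owner's side. The keyword "dport:443", the rule ids and the `MiddleboxServer`/`RuleOwner` names are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Set, Tuple


def prf(key: bytes, msg: bytes) -> bytes:
    """Pseudorandom function: HMAC-SHA256 under the rule owner's secret key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class MiddleboxServer:
    """Untrusted cloud side. It stores opaque token -> ciphertext pairs and,
    acting as an adaptive adversary, remembers every search token it has seen."""

    def __init__(self) -> None:
        self.edb: Dict[bytes, bytes] = {}
        self.seen_tokens: Set[bytes] = set()

    def insert(self, token: bytes, ct: bytes) -> None:
        self.edb[token] = ct

    def lookup(self, tokens: List[bytes]) -> Dict[bytes, bytes]:
        self.seen_tokens.update(tokens)
        return {t: self.edb[t] for t in tokens if t in self.edb}

    def can_link(self, token: bytes) -> bool:
        """Can the server tie this index entry to any search it has served?"""
        return token in self.seen_tokens


class RuleOwner:
    """Trusted enterprise side: holds the key plus a small per-keyword state."""

    def __init__(self, server: MiddleboxServer) -> None:
        self.key = os.urandom(32)
        self.server = server
        self.counter: Dict[str, int] = {}              # next free slot per keyword
        self.revoked: Dict[str, Set[int]] = {}         # slots whose rule was deleted
        self.slot_of: Dict[Tuple[str, int], int] = {}  # (keyword, rule id) -> slot

    def token(self, w: str, i: int) -> bytes:
        """Per-slot token; unpredictable without the key, so the server cannot
        derive the token of a future insertion from past search tokens."""
        return prf(self.key, b"tok|" + w.encode() + b"|" + i.to_bytes(4, "big"))

    def _pad(self, w: str, i: int) -> bytes:
        # Each (w, i) pad is used exactly once, so the XOR below is a one-time pad.
        return prf(self.key, b"pad|" + w.encode() + b"|" + i.to_bytes(4, "big"))[:4]

    def add_rule(self, w: str, rule_id: int) -> bytes:
        """Insert rule_id under keyword w and return the fresh update token."""
        i = self.counter.get(w, 0)
        self.counter[w] = i + 1
        self.slot_of[(w, rule_id)] = i
        tok = self.token(w, i)
        self.server.insert(tok, xor(rule_id.to_bytes(4, "big"), self._pad(w, i)))
        return tok

    def delete_rule(self, w: str, rule_id: int) -> None:
        """Deletion is purely local: the revoked slot's token is never issued
        again, so the server cannot open the ciphertext it still stores."""
        self.revoked.setdefault(w, set()).add(self.slot_of.pop((w, rule_id)))

    def search(self, w: str) -> List[int]:
        """Send one token per live slot; cost grows with the keyword's history."""
        live = [i for i in range(self.counter.get(w, 0))
                if i not in self.revoked.get(w, set())]
        toks = [self.token(w, i) for i in live]
        found = self.server.lookup(toks)
        return [int.from_bytes(xor(found[t], self._pad(w, i)), "big")
                for i, t in zip(live, toks) if t in found]


def run_demo() -> Dict[str, object]:
    """Constructed scenario: one hypothetical header-match keyword, three rule
    ids; returns what the owner retrieves and what the server could link."""
    server, kw = MiddleboxServer(), "dport:443"
    owner = RuleOwner(server)
    owner.add_rule(kw, 1001)
    first = owner.search(kw)                       # server now holds the slot-0 token
    new_tok = owner.add_rule(kw, 1002)             # inserted after that search
    forward_linkable = server.can_link(new_tok)    # forward privacy: False
    owner.add_rule(kw, 1003)
    owner.delete_rule(kw, 1003)                    # deleted before any search
    second = owner.search(kw)
    backward_leaked = server.can_link(owner.token(kw, 2))  # backward privacy: False
    return {
        "first": first,
        "second": sorted(second),
        "forward_linkable": forward_linkable,
        "backward_leaked": backward_leaked,
        "stored": len(server.edb),                 # the deleted ciphertext stays stored
    }


if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner should keep in mind. Backward privacy here covers rules deleted before they were ever searched: a token the server has already received can be replayed against its own store at any time, which is exactly why the abstract ties the property to adaptive attacks. And the server still learns the access pattern and the number of live slots per keyword, while search cost grows with the keyword's insertion history; the paper's design addresses these trade-offs differently, and this block only shows the mechanism behind the two definitions.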