Conference Paper

Privacy-Preserving Cloud-Based Firewall for IaaS-based Enterprise


... For example, the firewall systems in [4], [16], and [17] defend against verifiability attacks but not against privacy attacks, while the firewall systems in [6]-[8], [11], [13], and [14] defend against privacy attacks but not against verifiability attacks. None of these systems defends against both attacks. ...
... In the outsourced systems in [6]-[8], [11], [13], and [14], the rules of the underlying firewall F are encrypted before they are stored in the cloud. Each incoming packet to the enterprise network is directed to the cloud. ...
... Because the rules of the underlying firewall F stored in the cloud are encrypted, the cloud cannot learn the rules of F and so cannot leak them to potential attackers of the system. Therefore, the firewall systems in [6]-[8], [11], [13], and [14] defend against privacy attacks. ...
... Further research is required to apply the load balancing technique [22] to maximize transfer throughput and avoid overload. Performance tests on additional cloud parameters are also needed, such as firewall management [23], security, which is an important area in the cloud [24], and turnaround time, in order to maximize cloud performance. ...
Article
The resources of information technology and the availability of services on non-cloud network systems are limited. This constitutes problems for companies, especially in the efficient management of information technology. The high investment in infrastructure procurement is an obstacle in building centralized systems, including the adoption of cloud computing through Infrastructure as a Service (IaaS), as an elective solution. This research aims to analyze the performance of cloud servers on IaaS services using the parameters of cloud service availability, resource utilization, and throughput transfer which were implemented in companies engaged in the toll road concession sector. Furthermore, the results are expected to be a reference in supporting company decisions/policies related to cloud system adoption. The methodology involved the Network Development Life Cycle (NDLC), a system constituted by 6 (six) stages of management, namely user, proxy server, database, web service, monitoring service, and Remote Desktop Protocol (RDP). The results of cloud service availability indicate that the cloud system provides service availability (system interface, broad network access, and resource pooling). Furthermore, cloud systems have a significant performance on resource utilization (CPU) and throughput transfer parameters, while non-cloud systems only excel in response time and resource utilization (Memory) parameters. The overall result analysis based on this research scenario showed that the cloud system provides services according to user needs and has a better speed in data transmission, but has shortcomings in response time.
Article
Network function virtualization (NFV) has been promising to improve the availability, programmability, and flexibility of network function deployment and communication facilities. Meanwhile, with the advancements of cloud technologies, there has been a trend to outsource network functions through virtualization to a cloud service provider, so as to alleviate the local burdens of provisioning and managing such hardware resources. Promising as it is, redirecting the communication traffic to a third-party service provider has drawn various security and privacy concerns. Traditional end-to-end encryption can protect the traffic in transit, but it also hinders data usability. This dilemma has raised wide interest from both industry and academia, and great efforts have been made to realize privacy-preserving network function outsourcing that can guarantee the confidentiality of network communications while preserving the ability to inspect the traffic. In this article, we conduct a comprehensive survey of the state-of-the-art literature on network function outsourcing, with a special focus on privacy and security issues. We first give a brief introduction to NFV and pinpoint its challenges and security risks in the cloud context. Then, we present detailed descriptions and comparisons of existing secure network function outsourcing schemes in terms of functionality, efficiency, and security. Finally, we conclude by discussing possible future research directions.
Article
In this paper, we present the design and implementation of SplitBox, a system for privacy-preserving processing of network functions outsourced to cloud middleboxes—i.e., without revealing the policies governing these functions. SplitBox is built to provide privacy for a generic network function that abstracts the functionality of a variety of network functions and associated policies, including firewalls, virtual LANs, network address translators (NATs), deep packet inspection, and load balancers. We present a scalable design aiming to provide high throughput and low latency, by distributing functionalities to a few virtual machines (VMs), while providing provably secure guarantees. We implement SplitBox inside FastClick, an extension of the Click modular router, using Intel’s DPDK to handle packet I/O. We evaluate our prototype experimentally to find its bottlenecks and stress-test its different components, vis-à-vis two widely used network functions, i.e., firewall and VLAN tagging. Our evaluation shows that, on commodity hardware, SplitBox can process packets close to line rate (i.e., 8.9Gbps) with up to 50 traversed policies.
Chapter
With the rapid development of the network in recent years, the Internet has greatly improved people's lives, and the real-time, sharing and distance-removing characteristics of network information transmission have made the operation and management of enterprises more efficient, coordinated and refined. At the same time, various network security incidents have followed, such as hacker attacks on computer network systems, and various types of viruses, Trojans and other active attacks emerge one after another. In this regard, this paper analyzes the enterprise network security system of the firewall from the perspective of enterprise network security, briefly summarizes the background, advantages and disadvantages of firewall technology, and designs and implements client software, according to the actual needs of users, that performs real-time intelligent security monitoring of the network. After the system design is completed, the security is tested by building a simulation platform, including qualitative testing and quantitative testing, which are divided into security and performance to verify whether the system can achieve and guarantee the required performance.
Conference Paper
We describe a polynomial-time cryptanalysis of the (approximate) multilinear map of Coron, Lepoint and Tibouchi (CLT). The attack relies on an adaptation of the so-called zeroizing attack against the Garg, Gentry and Halevi (GGH) candidate multilinear map. Zeroizing is much more devastating for CLT than for GGH. In the case of GGH, it allows breaking generalizations of the Decision Linear and Subgroup Membership problems from pairing-based cryptography. For CLT, this leads to a total break: all quantities meant to be kept secret can be efficiently and publicly recovered.
Article
Since the advent of software defined networks (SDN), there have been many attempts to outsource the complex and costly local network functionality, i.e. the middlebox, to the cloud in the same way as outsourcing computation and storage. The privacy issues, however, may thwart enterprises' willingness to adopt this innovation, since the underlying configurations of these middleboxes may leak crucial and confidential information which can be utilized by attackers. To address this new problem, we use the firewall as a sample functionality and propose the first privacy-preserving outsourcing framework and schemes in SDN. The basic technique that we exploit is a ground-breaking tool in cryptography, the cryptographic multilinear map. In contrast to the infeasible efficiency of a naive approach, we devise practical schemes that can outsource the middlebox as a black box after obfuscating it, such that the cloud provider can efficiently perform the same functionality without knowing its underlying private configurations. Both theoretical analysis and experiments on real-world firewall rules demonstrate that our schemes are secure, accurate, and practical.
Conference Paper
This paper investigates a novel computational problem, namely the Composite Residuosity Class Problem, and its applications to public-key cryptography. We propose a new trapdoor mechanism and derive from this technique three encryption schemes: a trapdoor permutation and two homomorphic probabilistic encryption schemes computationally comparable to RSA. Our cryptosystems, based on usual modular arithmetics, are provably secure under appropriate assumptions in the standard model.
Article
Aiming to reduce the cost and complexity of maintaining networking infrastructures, organizations are increasingly outsourcing their network functions (e.g., firewalls, traffic shapers and intrusion detection systems) to the cloud, and a number of industrial players have started to offer network function virtualization (NFV)-based solutions. Alas, outsourcing network functions in its current setting implies that sensitive network policies, such as firewall rules, are revealed to the cloud provider. In this paper, we investigate the use of cryptographic primitives for processing outsourced network functions, so that the provider does not learn any sensitive information. More specifically, we present a cryptographic treatment of privacy-preserving outsourcing of network functions, introducing security definitions as well as an abstract model of generic network functions, and then propose a few instantiations using partial homomorphic encryption and public-key encryption with keyword search. We include a proof-of-concept implementation of our constructions and show that network functions can be privately processed by an untrusted cloud provider in a few milliseconds.
Article
We show how to securely obfuscate the class of conjunction functions (functions like $f(x_1, \ldots, x_n) = x_1 \land \lnot x_4 \land \lnot x_6 \land \cdots \land x_{n-2}$). Given any function in the class, we produce an obfuscated program which preserves the input-output functionality of the given function, but reveals nothing else. Our construction is based on multilinear maps, and can be instantiated using the recent candidates proposed by Garg, Gentry and Halevi (EUROCRYPT 2013) and by Coron, Lepoint and Tibouchi (CRYPTO 2013). We show that the construction is secure when the conjunction is drawn from a distribution, under mild assumptions on the distribution. Security follows from multilinear entropic variants of the Diffie-Hellman assumption. We conjecture that our construction is secure for any conjunction, regardless of the distribution from which it is drawn. We offer supporting evidence for this conjecture, proving that our obfuscator is secure for any conjunction against generic adversaries.
Article
In the last few years, cryptographic multilinear maps have proved their tremendous potential as building blocks for new constructions, in particular the first viable approach to general program obfuscation. After the first candidate construction by Garg, Gentry and Halevi (GGH) based on ideal lattices, a second construction over the integers was described by Coron, Lepoint and Tibouchi (CLT). However, the CLT scheme was recently broken by Cheon et al.; the attack works by computing the eigenvalues of a diagonalizable matrix over $\mathbb{Q}$ derived from the multilinear map. In this paper we describe a new candidate multilinear map over the integers. Our construction is based on CLT but with a new arithmetic technique that makes the zero-testing element non-linear in the encoding, which prevents the Cheon et al. attack. Our new construction is relatively practical as its efficiency is comparable to the original CLT scheme. Moreover, the subgroup membership and decisional linear assumptions appear to hold in the new setting.
Conference Paper
With the explosive growth of network-based services and attacks, the complexity and cost of firewall deployment and management have been increasing rapidly. Yet, each private network, no matter how big or small, has to deploy and manage its own firewall, which is the critical first line of defense. To reduce the complexity and cost of deploying and managing firewalls, businesses have started to outsource the firewall service to their Internet Service Providers (ISPs), such as AT&T, which provide a cloud-based firewall service. Such a firewalling model saves businesses the effort of managing, deploying, and upgrading firewalls. The current firewall service outsourcing model requires businesses to fully trust their ISPs and give the ISPs their firewall policies. However, businesses typically need to keep their firewall policies confidential. In this paper, we propose the first privacy-preserving firewall outsourcing approach, in which businesses outsource their firewall services to ISPs without revealing their firewall policies to the ISPs. The basic idea is that businesses first anonymize their firewall policies and send the anonymized policies to their ISP; the ISP then performs packet filtering based on the anonymized firewall policies. For anonymizing firewall policies, we use Firewall Decision Diagrams to cope with the multi-dimensionality of policies and Bloom Filters for the anonymization itself. This paper deals with a hard problem. By no means do we claim our scheme is perfect; however, this effort represents the first step towards privacy-preserving outsourcing of firewall services. We implemented our scheme and conducted extensive experiments. Our experimental results show that our scheme is efficient in terms of both memory usage and packet lookup time. The firewall throughput of our scheme running at ISPs is comparable to that of software firewalls running at the businesses themselves.
Article
Modern enterprises almost ubiquitously deploy middlebox processing services to improve security and performance in their networks. Despite this, we find that today's middlebox infrastructure is expensive, complex to manage, and creates new failure modes for the networks that use it. Given the promise of cloud computing to decrease costs, ease management, and provide elasticity and fault-tolerance, we argue that middlebox processing can benefit from outsourcing to the cloud. Arriving at a feasible implementation, however, is challenging due to the need to achieve functional equivalence with traditional middlebox deployments without sacrificing performance or increasing network complexity. In this paper, we motivate, design, and implement APLOMB, a practical service for outsourcing enterprise middlebox processing to the cloud. Our discussion of APLOMB is data-driven, guided by a survey of 57 enterprise networks, the first large-scale academic study of middlebox deployment. We show that APLOMB solves real problems faced by network administrators, can outsource over 90% of middlebox hardware in a typical large enterprise network, and, in a case study of a real enterprise, imposes an average latency penalty of 1.1ms and median bandwidth inflation of 3.8%.
Article
This paper presents an architecture for adding functionality to networks via outsourcing. In this model, the enterprise network only forwards data; any additional processing is performed by external Feature Providers (FPs). FPs provide and manage features, scaling and moving them in response to customer demand, and providing automated recovery in case of failure. Benefits to the enterprise include reduced cost and management complexity, improved features through FP specialization, and increased choice in services. Central to the model are a policy component and a Feature API (FAPI). Policy is specified with features not locations, enabling features to be located anywhere. FAPI enables communication between enterprise and FP control planes to share policy and configure features. We have built a prototype implementation of this architecture called Jingling. Our prototype system incorporates a nation-wide backbone network and FPs located in six sites around the United States.
Article
A firewall is a security guard placed at the point of entry between a private network and the outside Internet such that all incoming and outgoing packets have to pass through it. The function of a firewall is to examine every incoming or outgoing packet and decide whether to accept or discard it. This function is conventionally specified by a sequence of rules, where rules often conflict. To resolve conflicts, the decision for each packet is the decision of the first rule that the packet matches. The current practice of designing a firewall directly as a sequence of rules suffers from three types of major problems: (1) the consistency problem, which means that it is difficult to order the rules correctly; (2) the completeness problem, which means that it is difficult to ensure thorough consideration for all types of traffic; (3) the compactness problem, which means that it is difficult to keep the number of rules small (because some rules may be redundant and some rules may be combined into one rule).
Article
In this paper trade-offs among certain computational factors in hash coding are analyzed. The paradigm problem considered is that of testing a series of messages one-by-one for membership in a given set of messages. Two new hash-coding methods are examined and compared with a particular conventional hash-coding method. The computational factors considered are the size of the hash area (space), the time required to identify a message as a nonmember of the given set (reject time), and an allowable error frequency. The new methods are intended to reduce the amount of space required to contain the hash-coded information from that associated with conventional methods. The reduction in space is accomplished by exploiting the possibility that a small fraction of errors of commission may be tolerable in some applications, in particular, applications in which a large amount of data is involved and a core resident hash area is consequently not feasible using conventional methods. In such applications, it is envisaged that overall performance could be improved by using a smaller core resident hash area in conjunction with the new methods and, when necessary, by using some secondary and perhaps time-consuming test to “catch” the small fraction of errors associated with the new methods. An example is discussed which illustrates possible areas of application for the new methods. Analysis of the paradigm problem demonstrates that allowing a small number of test messages to be falsely identified as members of the given set will permit a much smaller hash area to be used without increasing reject time.
Cloud based firewalls: Overview and considerations
  • R. Daley
Network-based firewall: Extending the firewall into the cloud
  • T. Ritter