embark securely outsourcing middleboxes to the cloud
play

Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, - PowerPoint PPT Presentation

Mar 07, 2023 •161 likes •572 views

Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada Popa, Sylvia Ratnasamy, Zhi Liu UC Berkeley Tsinghua University 1 Background Middleboxes are prevalent and problematic Number of Middleboxes

  1. Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada Popa, Sylvia Ratnasamy, Zhi Liu UC Berkeley Tsinghua University 1

  2. Background Middleboxes are prevalent and problematic ➢ Number of Middleboxes ≈ Number of Routers (APLOMB [SIGCOMM ‘12]) ■ Lots of Problems: ■ MB Manifesto [HotNets ‘11], CoMb [NSDI ‘12], ■ Honda et al. [IMC'11], DOA [OSDI '04], ETTM [NSDI '11], … A Promising Solution: Outsourcing ➢ APLOMB [SIGCOMM ‘12] ■ Aryaka, Zscaler ■ AT&T NFV/CORD ■ 2

  3. New Challenge: Confidentiality and Privacy The middleboxes sees the traffic unencrypted. ➢ Strawman: End-to-end Encryption (e.g. TLS): ➢ Some middleboxes cannot process traffic (e.g. Deep Packet Inspection). ■ Unencrypted packet fields still leak information ■ 3

  4. Src IP: 169.229.123.170 Src Port: 21453 Dst IP: 172.217.1.36 (Google) Dst Port: 80 Src IP: 169.229.123.170 Src Port: 24363 Dst IP: Amazon Dst Port: 80 Cloud Src IP: 169.229.123.170 Even with end-to-end encryption, Cloud can Src Port: 12568 Src IP: 169.229.123.170 Src IP: 169.229.123.170 Src Port: 12568 Dst IP: Twitter Src IP: 169.229.123.170 still infer the user profile. Src Port: 12568 Dst Port: 80 Dst IP: Twitter Src IP: 169.229.123.170 Src Port: 12568 Dst IP: Twitter Dst Port: 80 Src Port: 12568 Dst IP: Twitter Dst Port: 80 Dst IP: Twitter Dst Port: 80 Dst Port: 80 Enterprise 4

  5. Problem Statement Can we outsource middleboxes without compromising privacy? Embark the first system that allows middlebox outsourcing, while keeping traffic confidential. 5

  6. Overview Approach ➢ Middleboxes process encrypted traffic without decrypting it ■ Crypto Primitives ➢ KeywordMatch : For Signature Matching ■ BlindBox [SIGCOMM ‘15]: Prohibitive Setup Time Per Flow ■ Contribution: System Design + Implementation without Per-flow Setup Time PrefixMatch : Prefix/Range Matching ■ Contribution: A fast, secure encryption scheme for prefix matching 6

  7. Overview Approach ➢ Middleboxes process encrypted traffic without decrypting it ■ Crypto Primitives ➢ KeywordMatch : For Signature Matching ■ BlindBox [SIGCOMM ‘15]: Prohibitive Setup Time Per Flow ■ Contribution: System Design + Implementation without Per-flow Setup Time PrefixMatch : Prefix/Range Matching ■ Contribution: A fast, secure encryption scheme for prefix matching 7

  8. Outline 1. Service Model of Embark 2. PrefixMatch: Two Functions EncryptRanges ■ EncryptValue ■ 3. Evaluation 4. Conclusion 8

  9. Service Model Cloud Enterprise 9

  10. Service Model Cloud Gateway Encrypt / Decrypt traffic to/from the cloud Enterprise 10

  11. Service Model Middlebox Rules Cloud IP firewall rules, IDS signatures, etc. Enterprise 11

  12. Initialization Cloud Enterprise encrypt rules using EncryptRanges . Enterprise 12

  13. Initialization Cloud Middleboxes deploy encrypted rules. Enterprise 13

  14. Packet Flow Cloud 1. Outgoing traffic are sent to Gateway. Enterprise 14

  15. Packet Flow 2. Encrypt the traffic Cloud Encrypt packet headers field by field ■ using EncryptValue Encrypt payloads using stream cipher ■ Implication: no change to packet structure Enterprise Internet 15

  16. Packet Flow 3. Forward to Cloud Cloud Enterprise 16

  17. Packet Flow 4. Middleboxes process encrypted traffic. Cloud No change to algorithms: E.g., LPM, multi-dimensional classifiers, etc. Enterprise 17

  18. Packet Flow 5. Back to Gateway Cloud Enterprise 18

  19. Packet Flow 6. Decrypt and Forward Cloud Internet Enterprise 19

  20. Outline 1. Service Model of Embark 2. PrefixMatch: Two Functions EncryptRanges ■ EncryptValue ■ 3. Evaluation 4. Conclusion 20

  21. PrefixMatch Property ➢ Answer if a value V matches a range R i from [R 1 , R 2 , ...] ■ Security ➢ Do not reveal the value of V and R i ■ If both V 1 and V 2 match R i , do not reveal the ordering between V 1 and V 2 ■ 21

  22. PrefixMatch vs. OPE Order-preserving Encryption ➢ Preserve the ordering of values after encryption ■ PrefixMatch is better than OPE in this scenario ➢ More secure (No relative ordering) ■ Faster (10000x) ■ Compare with the state-of-the-art OPE schemes (BCLO and mOPE) ■ Operation BCLO mOPE PrefixMatch Encrypt, 10K rules 9333 us 6640 us 0.53 us Encrypt, 100K rules 9333 us 8300 us 0.77 us Decrypt 169 us 0.128 us 0.128 us 22

  23. EncryptRanges Firewall Rules ➢ block from 192.168.1.0/24 to 205.203.224.0/19 block from 192.168.0.0/16 to 223.254.0.0/16 block from 10.1.0.0/16 to 223.201.0.0/16 23

  24. EncryptRanges 192.168.1.0/24 192.168.0.0/16 10.1.0.0/16 0.0.0.0 255.255.255.255 62.0.0.0/8 3.0.0.0/8 162.0.0.0/8 Assign Random Prefixes 24

  25. EncryptRanges 192.168.1.0/24 -> 3.0.0.0/8 192.168.1.0/24 192.168.0.0/16 -> 3.0.0.0/8 162.0.0.0/8 10.1.0.0/16 -> 62.0.0.0/8 192.168.0.0/16 10.1.0.0/16 0.0.0.0 255.255.255.255 62.0.0.0/8 3.0.0.0/8 162.0.0.0/8 25

  26. EncryptRanges block from 192.168.1.0/24 to 205.203.224.0/19 block from 192.168.0.0/16 to 223.254.0.0/16 block from 10.1.0.0/16 to 223.201.0.0/16 Source IP 192.168.1.0/24 -> 3.0.0.0/8 192.168.0.0/16 -> 3.0.0.0/8 162.0.0.0/8 block from 3.0.0.0/8 to 12.0.0.0/8 10.1.0.0/16 -> 62.0.0.0/8 block from 3.0.0.0/8 to 241.0.0.0/8 block from 162.0.0.0/8 to 241.0.0.0/8 Destination IP block from 62.0.0.0/8 to 163.0.0.0/8 205.203.224.0/19 -> 12.0.0.0/8 223.254.0.0/16 -> 241.0.0.0/8 223.201.0.0/16 -> 163.0.0.0/8 26

  27. EncryptValue Encrypt each field independently ➢ ■ Source IP, Destination IP, Source Port, Destination Port... 27

  28. EncryptValue Encrypt each field independently ➢ 192.168.1.0/24 ■ Source IP, Destination IP, Source Port, Destination Port... 192.168.0.0/16 10.1.0.0/16 0.0.0.0 255.255.255.255 62.0.0.0/8 3.0.0.0/8 162.0.0.0/8 28

  29. EncryptValue 192.168.1.0/24 Src IP = 10.1.1.1 192.168.0.0/16 10.1.0.0/16 0.0.0.0 255.255.255.255 62.0.0.0/8 3.0.0.0/8 162.0.0.0/8 29

  30. EncryptValue Src IP = 10.1.123.123 192.168.1.0/24 Enc (Src IP) = 62.0.0.0 + Rand(0, 2^24) 192.168.0.0/16 10.1.0.0/16 0.0.0.0 255.255.255.255 62.0.0.0/8 3.0.0.0/8 162.0.0.0/8 30

  31. EncryptValue Problem 1: How to support NAT and Load Balancers? ➢ Deterministic : The value from the same flow will be mapped to the same value ■ Injective : Values from different flows will be mapped to different values ■ Sufficient condition ■ Sufficient condition: Src IP = 10.1.123.123 Enc (Src IP) = 62.0.0.0 + Rand(0, 2^24) Let v = (sip, dip, sp, dp, proto) v’ = (sip’, dip’, sp’, dp’, proto’) v = v’ if and only if Enc(v) = Enc(v’) 31

  32. EncryptValue Problem 1: How to support NAT and Load Balancers? ➢ Use pseudorandom function, ■ seeded by 5-tuple Use IPv6 to avoid collisions ■ Src IP = 10.1.123.123 Enc (Src IP) = 62.0.0.0 + Rand(0, 2^24) Src IP = ::FFFF:10.1.123.123 Enc (Src IP) = 3e00::/8 + PRF(Src IP) 32

  33. EncryptValue Problem 1: How to support NAT and Load Balancers? ➢ Problem 2: How to decrypt? ➢ Store AES(Src IP) in IP Options ■ Decrypt AES(Src IP) ■ 33

  34. Outline 1. Service Model of Embark 2. PrefixMatch: Two Functions EncryptRanges ■ EncryptValue ■ 3. Evaluation 4. Conclusion 34

  35. Evaluation What kinds of middleboxes does Embark support? ➢ Performance of each type of middleboxes ■ How much does PrefixMatch increase the number of rules? ➢ Microbenchmarks ➢ How does PrefixMatch compare with OPE? ■ How well does PrefixMatch scale with the number of rules? ■ Performance ➢ How fast is the gateway (with PrefixMatch and with KeywordMatch) ■ How much does the service model increase the page load time? ■ 35

  36. Supported Middleboxes IP Firewall Linux iptables NAT Linux iptables PrefixMatch L3 Load Balancer ECMP L4 Load Balancer HAProxy HTTP Proxy Embark vs Squid Parental Filter Embark vs Squid KeywordMatch Intrusion Detection Embark vs Snort (excluding scripts and other statistical techniques) 36

  37. How much does PrefixMatch increase Firewall rules? Upper bound ➢ O(n d ), d is the number of fields ■ Empirically ➢ Rulesets ■ 3 firewall rulesets from campus network at UC Berkeley ■ 1 firewall ruleset from Emerging Threats ■ Result ■ UCB rulesets: No increase ■ Emerging Threats: from 1363 to 1370 ■ Intuition ■ Most firewall rules don’t overlap ■ 37

  38. How fast is the gateway (without KeywordMatch)? Performance with 1k rules: 7.2 Gbps With KeywordMatch enabled: - 1.2 Gbps (min-size) 240 Mbps per core (Pkt size: 1400 B) - Line rate (other cases) 1.2 Gbps Baseline PrefixMatch 38

  39. See the paper for ... How we design and implement middleboxes ● Formal proof of sufficient conditions for NAT and L3/TCP Load Balancers ● Limitations ● More in-depth evaluation ● ... ● 39

  40. Paper: changlan.org/papers/embark. pdf Conclusion Contact: clan@eecs.berkeley.edu Middleboxes can be outsourced in a way that still keeps the Thanks! traffic confidential with Embark . 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada

Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada

Embark: Securely Outsourcing Middleboxes to the Cloud Chang Lan, Justine Sherry, Raluca Ada Popa, Sylvia Ratnasamy, Zhi Liu UC Berkeley Tsinghua University 1 Background Middleboxes are prevalent and problematic Number of Middleboxes

1.31k views • 44 slides
Middlebox Technologies with Intel SGX A Literature Survey Shiv Kushwah & Sumukh Shivakumar 1

Middlebox Technologies with Intel SGX A Literature Survey Shiv Kushwah & Sumukh Shivakumar 1

Middlebox Technologies with Intel SGX A Literature Survey Shiv Kushwah & Sumukh Shivakumar 1 Whats all the fuss with middleboxes? 2 Background 3 What are middleboxes? 4 Middleboxes in the Cloud Cloud APLOMB gateway Enterprise

668 views • 37 slides
Securely Moving Your Business Into the Cloud Alex Stamos Partner

Securely Moving Your Business Into the Cloud Alex Stamos Partner

Securely Moving Your Business Into the Cloud Alex Stamos Partner Takeaways Current conventional wisdom on cloud computing is missing the point You cannot

793 views • 37 slides
Verifiable Cloud Outsourcing for Network Func9ons (+

Verifiable Cloud Outsourcing for Network Func9ons (+

Verifiable Cloud Outsourcing for Network Func9ons (+ Verifiable Resource Accoun9ng for Cloud Services) Vyas Sekar vNFO joint with Seyed Fayazbakhsh,

434 views • 28 slides
Making Middleboxes Someone Elses Problem: Network Processing as a Cloud Service Justine

Making Middleboxes Someone Elses Problem: Network Processing as a Cloud Service Justine

Making Middleboxes Someone Elses Problem: Network Processing as a Cloud Service Justine Sherry*, Shaddi Hasan*, Colin Scott*, Arvind Krishnamurthy , Sylvia Ratnasamy*, and Vyas Sekar * Typical Enterprise Networks Internet

904 views • 52 slides
Connecting IoT appliances securely to the cloud (eap-noob) Tuomas Aura, Aalto University,

Connecting IoT appliances securely to the cloud (eap-noob) Tuomas Aura, Aalto University,

Connecting IoT appliances securely to the cloud (eap-noob) Tuomas Aura, Aalto University, Finland joint work with Mohit Sethi, Ericsson, and others Connecting devices to cloud Cloud IoT appliances Internet User Authenticated key

528 views • 17 slides
A Survey of Oblivious RAMs David Cash IBM Securely Outsourcing Memory Server Goal : Store,

A Survey of Oblivious RAMs David Cash IBM Securely Outsourcing Memory Server Goal : Store,

A Survey of Oblivious RAMs David Cash IBM Securely Outsourcing Memory Server Goal : Store, access, and update data on an untrusted server. Mem[0] a Mem[1] b Mem[2] c Write(i,x) Read(j) Mem[i] d Client Mem[j] e Untrusted

908 views • 70 slides
Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing Storage Computation High availability No maintenance Decreased Costs Elasticity & Flexibility Security and Privacy for Cloud

529 views • 36 slides
Secure Outsourcing Computation Li Xiong Outline Cloud computing Computing on encrypted

Secure Outsourcing Computation Li Xiong Outline Cloud computing Computing on encrypted

CS573 Data Privacy and Security Secure Outsourcing Computation Li Xiong Outline Cloud computing Computing on encrypted data Homomorphic encryption What is Cloud Computing ? Cloud computing Type of computing that relies on sharing

1.29k views • 62 slides
Total Workforce Shared Services & Outsourcing Solution Integrated Enterprise Cloud Solutions

Total Workforce Shared Services & Outsourcing Solution Integrated Enterprise Cloud Solutions

Total Workforce Shared Services & Outsourcing Solution Integrated Enterprise Cloud Solutions Powered by NetAIMS@Cloud Presented by: Dr. Saw Lean Joo LJS Technology Sdn Bhd. Access Any Time Any Where.. In the World Introduction To

558 views • 33 slides
Whats The Next Big Thing in Telecom & IT? Cloud DaaS Desktop as a Service

Whats The Next Big Thing in Telecom & IT? Cloud DaaS Desktop as a Service

Whats The Next Big Thing in Telecom & IT? Cloud DaaS Desktop as a Service Supercharge Your Desktop! Cloud IaaS Infrastructure as a Service Cloud Computing Work Smarter in the Cloud Cloud Single Sign-On Securely Access Many

627 views • 19 slides
Dont Call Them Middleboxes, Call Them Middlepipes Hani Jamjoom Dan Williams Upendra

Dont Call Them Middleboxes, Call Them Middlepipes Hani Jamjoom Dan Williams Upendra

Dont Call Them Middleboxes, Call Them Middlepipes Hani Jamjoom Dan Williams Upendra Sharma IBM T. J. Watson Research Center PaaS Makes Things Easy Abstract out infrastructure resource management e.g., BlueMix, Cloud Foundry,

632 views • 15 slides
Doubly Efficient Interactive Proofs Ron Rothblum Outsourcing Computation Weak client outsources

Doubly Efficient Interactive Proofs Ron Rothblum Outsourcing Computation Weak client outsources

Doubly Efficient Interactive Proofs Ron Rothblum Outsourcing Computation Weak client outsources computation to the cloud. = () Outsourcing Computation We do not want to blindly trust the cloud. = () Key

462 views • 21 slides
Efficient Outsourcing GWAS using FHE Wenjie Lu*, Jun Sakuma * * Dept. of CS, University of

Efficient Outsourcing GWAS using FHE Wenjie Lu*, Jun Sakuma * * Dept. of CS, University of

Efficient Outsourcing GWAS using FHE Wenjie Lu*, Jun Sakuma * * Dept. of CS, University of Tsukuba, Japan JST CREST Secure Outsourcing GWAS Secure computation [Cloud] Outline of our solution [data holder] Secure

381 views • 19 slides
OVERSEE: Outsourcing Verification to Enable Resource Sharing in Edge Environment Reporter:

OVERSEE: Outsourcing Verification to Enable Resource Sharing in Edge Environment Reporter:

OVERSEE: Outsourcing Verification to Enable Resource Sharing in Edge Environment Reporter: Xiaoqing Cai August 2020 From Cloud to Edge Cloud Computing Edge Computing Low Latency Lack of Resources Cloud Computing Edge Computing No More

582 views • 17 slides
Outsourcing Overview Value Driven Engineering Value Driven Engineering Outsourcing is one

Outsourcing Overview Value Driven Engineering Value Driven Engineering Outsourcing is one

Outsourcing Overview Value Driven Engineering Value Driven Engineering Outsourcing is one available tool in Mustangs diversified toolkit, but not an all encompassing primary strategy Outsourcing will be used when it makes sense

439 views • 8 slides
Presentation: MSA Fehmidah Koor 15 March 2019 RFP - MSA Mandatory requirement- it must be

Presentation: MSA Fehmidah Koor 15 March 2019 RFP - MSA Mandatory requirement- it must be

Hybrid Information Technology Outsourcing RFP Clarification Presentation: MSA Fehmidah Koor 15 March 2019 RFP - MSA Mandatory requirement- it must be submitted on or before close of tender The MSA must be duly accepted by the

352 views • 17 slides
Originally Published in Outsourcing Leadership News - October 2006 P ROVIDER U SE OF C USTOMER L

Originally Published in Outsourcing Leadership News - October 2006 P ROVIDER U SE OF C USTOMER L

Originally Published in Outsourcing Leadership News - October 2006 P ROVIDER U SE OF C USTOMER L ICENSED S OFTWARE IN O UTSOURCING A RRANGEMENTS By: Shawn C. Helms Companies considering whether or not to outsource critical business functions must

41 views • 3 slides
Rexel Worldwide expert in the professional multichannel distribution of electrical products and

Rexel Worldwide expert in the professional multichannel distribution of electrical products and

Rexel Worldwide expert in the professional multichannel distribution of electrical products and services for the energy world 30/04/2019 C O N T E N T S Rexel Our commitments A world of energy Our business For a better energy future A

283 views • 24 slides
I mplementing California s Small Business Health Exchange John Arensmeyer Small Business

I mplementing California s Small Business Health Exchange John Arensmeyer Small Business

I mplementing California s Small Business Health Exchange John Arensmeyer Small Business Majority April 26, 2012 About Small Business Majority Small business advocacy organization founded and run by small business owners

121 views • 10 slides
Outsourcing Service Delivery in a Fragile State: Experimental Evidence from Liberia Mauricio

Outsourcing Service Delivery in a Fragile State: Experimental Evidence from Liberia Mauricio

Outsourcing Service Delivery in a Fragile State: Experimental Evidence from Liberia Mauricio Romero (ITAM) Justin Sandefur (CGD) Wayne Sandholtz (UCSD) 6 August 2018 Schooling = learning Burundi Rwanda Peru Dom. Rep. 80 Indonesia

687 views • 37 slides
CBRE GROUP, INC. THE GLOBAL MARKET LEADER IN COMMERCIAL REAL ESTATE SERVICES June 2018

CBRE GROUP, INC. THE GLOBAL MARKET LEADER IN COMMERCIAL REAL ESTATE SERVICES June 2018

CBRE GROUP, INC. THE GLOBAL MARKET LEADER IN COMMERCIAL REAL ESTATE SERVICES June 2018 Forward-Looking Statements This presentation contains statements that are forward looking within the meaning of the Private Securities Litigation Reform Act

1.06k views • 51 slides
Outsourcing Pharma OUTSOURCING ON THAT SIDE OF THE PACIFIC. ABHAY DESHPANDE, CEO, JRF-GLOBAL

Outsourcing Pharma OUTSOURCING ON THAT SIDE OF THE PACIFIC. ABHAY DESHPANDE, CEO, JRF-GLOBAL

Outsourcing Pharma OUTSOURCING ON THAT SIDE OF THE PACIFIC. ABHAY DESHPANDE, CEO, JRF-GLOBAL PRESENTED AT OUTSOURCED PHARMA EVENT, SAN FRANCISCO, OCTOBER 29, 2018 JRF Global.Lead your LEAD with us! 1 Working Tariffs and Trade with

330 views • 32 slides
2017 in Review Regulatory activity Engagement Model Pro-active engagement Increased

2017 in Review Regulatory activity Engagement Model Pro-active engagement Increased

2017 in Review Regulatory activity Engagement Model Pro-active engagement Increased activity Address IMF recommendations on Observance of Standards and Codes Annual on-site inspections of 10% of medium-low impact firms For an

497 views • 13 slides

More recommend