Junjie Shi,Yuan Zhang,Sheng Zhong

DOI: https://doi.org/10.48550/arxiv.1502.00389

2015-01-01

Abstract:Since the advent of software defined networks (SDN), there have been many attempts to outsource the complex and costly local network functionality, i.e. the middlebox, to the cloud in the same way as outsourcing computation and storage. The privacy issues, however, may thwart the enterprises' willingness to adopt this innovation since the underlying configurations of these middleboxes may leak crucial and confidential information which can be utilized by attackers. To address this new problem, we use firewall as an sample functionality and propose the first privacy preserving outsourcing framework and schemes in SDN. The basic technique that we exploit is a ground-breaking tool in cryptography, the cryptographic multilinear map. In contrast to the infeasibility in efficiency if a naive approach is adopted, we devise practical schemes that can outsource the middlebox as a blackbox after obfuscating it such that the cloud provider can efficiently perform the same functionality without knowing its underlying private configurations. Both theoretical analysis and experiments on real-world firewall rules demonstrate that our schemes are secure, accurate, and practical.

Xiaofeng Tao,Yan Han,Xiaodong Xu,Ping Zhang,Victor C. M. Leung

DOI: https://doi.org/10.1007/s11432-017-9045-1

2017-01-01

Science China Information Sciences

Abstract:Recently, network function virtualization(NFV) was proposed as a paradigm shift in the telecommunication industry. Both industry and academia have drawn significant attention in mobile network virtualization.NFV decouples the software implementation of network functions from the underlying hardware, leading to considerable reductions in operating expenses(OPEX) and capital expenses(CAPEX), and facilitating the network deployment. However, as an emerging technology, NFV brings both challenges and opportunities in developing new architectures, applying and deployment. In this paper, we first survey the related work of NFV, and then propose promising research directions in this area.

Qiang Wu,Ran Wang,Xincheng Yan,Chunming Wu,Rongxing Lu

DOI: https://doi.org/10.1109/MWC.001.2100251

IF: 12.777

2022-01-01

IEEE Wireless Communications

Abstract:Opening-up sharing has prompted the multi-tenancy architecture, whereby different vendors (including outsourcees) work together with network operators to form a vibrant service ecosystem, resulting in several advantages as well as risks. In particular, the static nature of existing architectures in network functions virtualization-based (NFV-based) clouds facilitate hacking. Thus, much attention has been focused on determining how to avoid the uncontrollable cloud security induced by complex production relations and non-trustworthy software/hardware sources when the two sets of security risks intersect. In this article, we investigate latent persistent threats against cloud environments and determine a high degree of complementarity and consistency between the NFV-based cloud environment and the dynamic defense concept. More specifically, new NFV-based cloud features provide an effective implementation for dynamic defense, while the generalized robustness of dynamic defense theory allows for high security gains. Intrinsic cloud security (iCS) is then proposed to align NFV-based clouds, mimicking defense and the moving target defense (MTD) paradigm to implement a seamless integration and symbiosis evolution between security and NFV-based clouds. We quantify the impact on system overhead to account for efficiency and cost issues. The simulation analysis demonstrates that the enhanced mode is able to consistently obtain a more beneficial and stable defense compared with the counterparts.

Peipei Jiang,Qian Wang,Muqi Huang,Cong Wang,Qi Li,Chao Shen,Kui Ren

DOI: https://doi.org/10.1109/jproc.2021.3127277

IF: 20.6

2021-12-01

Proceedings of the IEEE

Abstract:Network function virtualization (NFV) has been promising to improve the availability, programmability, and flexibility of network function deployment and communication facilities. Meanwhile, with the advancements of cloud technologies, there has been a trend to outsource network functions through virtualization to a cloud service provider, so as to alleviate the local burdens on provisioning and managing such hardware resources. Promising as it is, redirecting the communication traffic to a third-party service provider has drawn various security and privacy concerns. Traditional end-to-end encryption can protect the traffic in transmit, but it also hinders data usability. This dilemma has raised wide interests from both industry and academia, and great efforts have been made to realize privacy-preserving network function outsourcing that can guarantee the confidentiality of network communications while preserving the ability to inspect the traffic. In this article, we conduct a comprehensive survey of the state-of-the-art literature on network function outsourcing, with a special focus on privacy and security issues. We first give a brief introduction to NFV and pinpoint its challenges and security risks in the cloud context. Then, we present detailed descriptions and comparisons of existing secure network function outsourcing schemes in terms of functionality, efficiency, and security. Finally, we conclude by discussing possible future research directions.

engineering, electrical & electronic

Qiumei Cheng,Chunming Wu,Haifeng Zhou,Yuhang Zhang,Rui Wang,Wei Ruan

DOI: https://doi.org/10.1109/hpcc/smartcity/dss.2018.00149

2018-01-01

Abstract:Guarding the perimeter of cloud-based enterprise networks is a challenge due to massive traffic with dynamic nature. Current firewalls of enterprise networks in cloud are largely based on static security rule configuration or simple rule matching, which makes them inflexible, error-prone and poorly effective, bringing about severe security risks. In this paper, we propose an artificial intelligence-based software-defined networks firewall (AI-SDNF) for solving the above problems. Compared with existing SDN firewalls, AI-SDNF is able to extract and analyze the payload of data packets based on machine learning technologies rather than simply match with flow tables according to several header fields (e.g., source and destination IP/MAC addresses). Considering deciding whether a packet is benign or malicious is able to be formulated as a typical binary classification problem, we employ logistic regression for training an intelligent SDN firewall under supervised machine learning. We implement a prototype of AI-SDNF on the OpenDaylight controller and the OpenStack platform. Based on the prototype, we evaluate its performance and overheads with real dataset. The experimental results indicate that AI-SDNF achieves a relatively high detection accuracy of 96.79% with an average of 0.2ms latency.

Cong Liu,Yong Cui,Kun Tan,Quan Fan,Kui Ren,Jianping Wu

DOI: https://doi.org/10.1109/INFOCOM.2018.8485861

2018-01-01

Abstract:The trends of the increasing middleboxes make the middle network more and more complex. Today, many middlehoxes work on application layer and offer significant network services by the plain-text traffic, such as firewalling, intrusion detecting and application layer gateways. At the same time, more and more network applications arc encrypting their data transmission to protect security and privacy. It is becoming a critical task and hot topic to continue providing application-layer middlehox services in the encrypted Internet, however, the state of the art is far from being able to be deployed in the real network. In this paper, we propose a practical architecture, named PlainBox, to enable session key sharing between the communication client and the middleboxes in the network path. It employs Attribute-Based Encryption (ABE) in the key sharing protocol to support multiple chaining middleboxes efficiently and securely. We develop a prototype system and apply it to popular security protocols such as TLS and SSH. We have tested our prototype system in a lab testhed as well as real-world websites. Our result shows PlainBox introduces very little overhead and the performance is practically deployable.

Qiang Wu,Chun-Ming Wu,Hai-feng Zhou,Yan-song Wang

DOI: https://doi.org/10.1109/compcomm.2016.7925190

2016-01-01

Abstract:The core-network suffers from inflexible and expensive equipment. Service chaining is a common but important problem of network management in Gi-LAN. The requirements of business agility drive the service architecture to services flexibility and scalability. To address these challenges, SDN centralized control and the NFV concept of CT reconstruction with IT virtualization technology are used to enable a reform in the mobile core network and the Gi-LAN service field. In this paper, following the technical trend of 5G, we propose the Cloud-ICT Convergence Service Architecture to construct an open and elastic digital information ecosystem. This architecture is a solution that provides flexibility in managing infrastructure and uses virtualization to dynamically orchestrate service chains on demand. The information ecosystem constructed in this architecture can provide the functional convergence of IT&CT services in addition to the traditional cellular network functions.

WEI Lingbo,FENG Xiaobing,ZHANG Chi,SHENG Hualong,YU Nenghai

DOI: https://doi.org/10.11959/j.issn.1000-436x.2018057

2018-01-01

Abstract:Due to the problem of high cost and limited scalability of dedicated hardware middleboxes, it is popular for enterprises to outsource middleboxes as software processes to the cloud service provider. In the current network function outsourcing schemes, the cloud service provider requires the enterprise's communication traffic and network strategy which poses a serious threat to the enterprise's piracy. Based on prefix-preserving encryption, a privacy preserving net-work function outsourcing system was proposed. Compared with other similar schemes, the system not only realizes the privacy protection of communication traffic, but also has higher throughput and lower delay.

Xiaochun Wu,Kaiyu Hou,Xue Leng,Xing Li,Yinbo Yu,Bo Wu,Yan Chen

DOI: https://doi.org/10.1109/mic.2019.2956712

IF: 2.68

2019-01-01

IEEE Internet Computing

Abstract:In recent years, network function virtualization (NFV) has drawn considerable attention due to its potential for service agility and low total cost of ownership. As the core of an NFV implementation, security issues in the management and control platform must be comprehensively addressed-from architectural concept to deployment. In this article, we first analyze the state of the security architecture based on ETSI-NFV, and then propose useful security practices for an NFV-based management and control ecosystem. To encourage future research, we also identify the ongoing research challenges and open security issues relevant to the NFV.

Luca Melis,Hassan Jameel Asghar,Emiliano De Cristofaro,Mohamed Ali Kaafar

DOI: https://doi.org/10.1145/2876019.2876021

2016-01-25

Abstract:Aiming to reduce the cost and complexity of maintaining networking infrastructures, organizations are increasingly outsourcing their network functions (e.g., firewalls, traffic shapers and intrusion detection systems) to the cloud, and a number of industrial players have started to offer network function virtualization (NFV)-based solutions. Alas, outsourcing network functions in its current setting implies that sensitive network policies, such as firewall rules, are revealed to the cloud provider. In this paper, we investigate the use of cryptographic primitives for processing outsourced network functions, so that the provider does not learn any sensitive information. More specifically, we present a cryptographic treatment of privacy-preserving outsourcing of network functions, introducing security definitions as well as an abstract model of generic network functions, and then propose a few instantiations using partial homomorphic encryption and public-key encryption with keyword search. We include a proof-of-concept implementation of our constructions and show that network functions can be privately processed by an untrusted cloud provider in a few milliseconds.

Cryptography and Security

Zhifeng Zhao,Feng Hong,Rongpeng Li

DOI: https://doi.org/10.1109/ACCESS.2017.2762362

IF: 3.9

2017-01-01

IEEE Access

Abstract:Nowadays, cloud computing networks significantly benefit the deployment of new services and have become one infrastructure provider in the digital society. The virtual extensible local area network (VxLAN), which belongs to the network schemes to overlay Layer 2 over Layer 3, is one of the most popular methods to realize cloud computing networks. Though VxLAN partially overcomes the capacity limitation of its predecessor virtual local area network, it still faces several challenges like annoying signaling overhead during the multicast period and interrupted communication with a migrating virtual machine (VM). In this paper, we propose a new software defined network (SDN) based VxLAN network architecture. Based on this architecture, we address how we can deploy an intelligent center to enhance the multicast capability and facilitate the VM migration. Besides, we discuss the means to update the global information and guarantee the communication continuum. Finally, we use Mininet to emulate this SDN based VxLAN architecture and demonstrate effective load balancing results. In a word, this proposed architecture could provide a blueprint for future cloud computing networks.

Kai Bu,Yutian Yang,Zixuan Guo,Yuanyuan Yang,Xing Li,Shigeng Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108099

IF: 5.493

2021-01-01

Computer Networks

Abstract:Software-Defined Networking (SDN) greatly simplifies middlebox policy enforcement. Middleboxes need tag packet headers to avoid forwarding ambiguity on SDN switches. In this paper, we present a new attack, called middlebox-bypass attack, to breach SDN-based middlebox policy enforcement. Such an attack manipulates a compromised switch to locally tag attacking packets without handing them over to the attached middlebox for inspection. Existing SDN security solutions, however, cannot detect the middlebox-bypass attack under practical constraints of efficiency, robustness, and applicability. We design and implement FlowCloak, the first protocol for per-packet real-time detection and prevention of middlebox-bypass attacks. FlowCloak enables middleboxes to generate tags that are probabilistically unknown to an attacker and confines it to only random guessing. We propose a multi-tag verification technique to address the tradeoff between FlowCloak robustness and TCAM usage by tag verification rules on the egress switch. Experiment results show that dozens of verification rules can confine the attacking probability under 0.1%. We further explore implementation techniques of packet looping and field swapping that can enable a flow table pipeline on a single TCAM and mitigate packet correlation, respectively. FlowCloak imposes only a 0.01 ms packet processing delay on middleboxes and no obvious delay on the egress switch.

Pengfei Duan,Qing Li,Yong Jiang,Shu-Tao Xia

DOI: https://doi.org/10.1109/icccn.2015.7288478

2015-01-01

Abstract:Under the current Internet environment, middlebox management has become a significant challenge for network operators. Schemes in prior works tried to simplify it with Software-Defined Networking (SDN) technologies, and they provided reliable and flexible approaches to configure the middlebox-related flow entries. However, these schemes are inefficient in resource utilization with the dynamically changing traffic requirements, as they mainly focus on stationary hardware middleboxes. Further-more, latencies of packets lack controls under these schemes. In this paper, inspired by Network Function Virtualization (NFV), we employ software middleboxes, and build a processing delay model to formulate latency behaviours. And based on this model, we present a latency-aware NFV/SDN scheme called Quokka with portable software-based middleboxes that can be dynamically scheduled (placed) according to the changing traffic. Quokka controls the number of middleboxes by efficient and automatic scheduling of both traffic and middlebox positions, and thus reduces the transmission latencies of the network. Comprehensive experiments show: 1) compared with traditional configuration methods, Quokka reduces the transmission delay by about 20% on average; 2) Quokka requires 30% to 50% less middleboxes than traditional schemes to achieve the same performance.

Nawaf Alhebaishi,Lingyu Wang,Sushil Jajodia

DOI: https://doi.org/10.1007/978-3-030-49669-2_1

2020-01-01

Abstract:By virtualizing proprietary hardware networking devices, Network Functions Virtualization (NFV) allows agile and cost-effective deployment of diverse network services for multiple tenants on top of the same physical infrastructure. As NFV relies on virtualization, and as an NFV stack typically involves several levels of abstraction and multiple co-resident tenants, this new technology also unavoidably leads to new security threats. In this paper, we take the first step toward modeling and mitigating security threats unique to NFV. Specifically, we model both cross-layer and co-residency attacks on the NFV stack. Additionally, we mitigate such threats through optimizing the virtual machine (VM) placement with respect to given constraints. The simulation results demonstrate the effectiveness of our solution.

Jun Bi,Gaogang Xie,Hongxin Hu

DOI: https://doi.org/10.1109/cc.2018.8485471

2018-01-01

China Communications

Abstract:In traditional networks,enabling new network functions often needs to add new proprietary middleboxes.However,finding the space and power to accommodate these middleboxes is becoming increasingly difficult,

Geong Sen Poh,Dinil Mon Divakaran,Hoon Wei Lim,Jianting Ning,Achintya Desai

DOI: https://doi.org/10.48550/arXiv.2101.04338

2021-01-12

Cryptography and Security

Abstract:Middleboxes in a computer network system inspect and analyse network traffic to detect malicious communications, monitor system performance and provide operational services. However, encrypted traffic hinders the ability of middleboxes to perform such services. A common practice in addressing this issue is by employing a "Man-in-the-Middle" (MitM) approach, wherein an encrypted traffic flow between two endpoints is interrupted, decrypted and analysed by the middleboxes. The MitM approach is straightforward and is used by many organisations, but there are both practical and privacy concerns. Due to the cost of the MitM appliances and the latency incurred in the encrypt-decrypt processes, enterprises continue to seek solutions that are less costly. There were discussion on the many efforts required to configure MitM. Besides, MitM violates end-to-end privacy guarantee, raising privacy concerns and issues on compliance especially with the rising awareness on user privacy. Furthermore, some of the MitM implementations were found to be flawed. Consequently, new practical and privacy-preserving techniques for inspection over encrypted traffic were proposed. We examine them to compare their advantages, limitations and challenges. We categorise them into four main categories by defining a framework that consist of system architectures, use cases, trust and threat models. These are searchable encryption, access control, machine learning and trusted hardware. We first discuss the man-in-the-middle approach as a baseline, then discuss in details each of them, and provide an in-depth comparisons of their advantages and limitations. By doing so we describe practical constraints, advantages and pitfalls towards adopting the techniques. We also give insights on the gaps between research work and industrial deployment, which leads us to the discussion on the challenges and research directions.

Renlong Tu,Xin Wang,Jin Zhao,Yue Yang,Lei Shi,Tilman Wolf

DOI: https://doi.org/10.1109/INFCOMW.2015.7179431

2015-01-01

Abstract:Modern cloud-based applications are becoming more communication-intensive, posing a challenge for data centers to supply sufficient bandwidth. Current data centers are not optimized for such cloud-based software services. In practice, due to the variability of traffic load, data centers may suffer from lower throughput, as well as higher latency, dramatically reducing quality of service (QoS). This paper addresses this challenging problem by introducing a programmable middlebox that can distribute traffic more evenly. The middlebox is based on a Clos network design and uses Software Defined Networking (SDN) to enhance bandwidth utilization while guaranteeing QoS. The SDN controller of the middlebox collects information from switches and servers to learn the traffic distribution and server loads and to perform load balancing accordingly. When implemented in a data center, the middlebox can greatly improve bandwidth utilization and reduce latency up to 50%. Since the middlebox does not rely on any specific feature of the data center, it can readily be deployed in current data centers.

Vasudevan Nagendra,Shubhada Patil,Michalis Polychronakis,Samir R. Das

DOI: https://doi.org/10.48550/arXiv.1608.07658

2016-08-27

Abstract:Software Defined Networks (SDN) provide vital benefits to network administrators by offering global visibility and network-wide control over the switching infrastructure of the network. It is rather much difficult to obtain the same benefits in the presence of middleboxes (MBs), due to (i) lack of a proper topology discovery mechanism in environments with a mix of forwarding devices and middleboxes. (ii) lack of generic APIs to abstract and gain control on these rigid and heterogeneous third-party middleboxes (iii) lack of a generic network infrastructure framework to monitor and verify any specific device or path connectivity status in the network. These limitations make automation of network operations such as, network-wide monitoring, policy enforcement and rule-placement much difficult to handle. Hence, there is a greater urge even from middlebox vendors, to better handle the control and visibility aspects of the network in presence of middleboxes. In this paper, we propose a Unified network infrastructure framework for gaining global network visibility, by discovering the network topology in the presence of middleboxes, along with a framework to support the end-to-end path connectivity verification, independent of SDN. We have also addressed security aspects and provided necessary APIs to support our framework.

Networking and Internet Architecture

Jin-Wen WANG,Xiao-Li ZHANG,Qi LI,Jian-Ping WU,Yong JIANG

DOI: https://doi.org/10.11897/SP.J.1016.2019.00415

2019-01-01

Jisuanji Xuebao/Chinese Journal of Computers

Abstract:Various middleboxes have been deployed to enable diversified functionalities in enterprise networks.For example, Firewalls and Intrusion Detection Systems are used to enhance the security of the network, and Cache Proxies and WAN Optimizations are used to improve the performance of the enterprise networks.However, it is painful for enterprises to deploy, update, or maintain such physical devices in their enterprise networks.Moreover, because of the discrepancybetween network function devices of the different manufacturers, enterprises need to hire large management teams with extensive knowledge to manage the network functions devices.Because of the fixed location and network traffic process capacity of the hardware network function devices, the network traffic congestion always causes the failure of the network functions.The overhead of middlebox management, maintenance and update increase significantly as enterprise networks grow.Fortunately, the emerging Network Function Virtualization (NFV) technology can address these issues by decoupling the physical network equipment from the network functions that run on them.With the NFV technology, an enterprise can efficiently reduce complicated network function management and the cost of deploying network function equipment by deploying network functions in commercial servers.It can also enable flexible service deployment strategies for the enterprises, e.g., dynamically scale in/out.Although NFV can bring significant benefits to enterprises, there are still many challenges in developing practical and efficient NFV.In order to solve such problems, researchers in academia and industry have devoted to the study of the NFV technology.This paper presents the first systematic study of the literature of the NFV technology.Firstly, we review the standard architecture of NFV established by the European Telecom Standards Institute Industry Specification Group for NFV (ETSI ISG NFV).We classify and summarize the problems and challenges in the developing of NFV systems based on the standard architecture of NFV.The study can be classified into the following three categories:Network Function Virtualization, Network Function Virtualization Infrastructure (NFVI), and Management And Network Orchestration (MANO).Furthermore, Software Defined Network (SDN) is a new type of network architecture which are designed to achieve flexible and intelligent network traffic control by decoupling the control plane and data plane of network devices, NFV and SDN can complement each other in various aspects, we study the relationship between the NFV and SDN.Secondly, we systematically study building blocks of NFV, i.e., virtual network function (VNF) construction, and the running environment optimization in NFV, the design of NFV management system and its optimization, policy enforcement and verification, resource allocation and migration, load balance and state management technology, and NFV security.Thirdly, the NFV technology has been deployed in different kinds of industry fields, we show the practical deployment issues of NFV by discussing the application scenario cases of NFV, e.g.in cloud computing, mobile communication, and home network.Finally, we summarize the advantages and shortcomings of NFV by comparing the NFV technology and classical physical network function devices and present the future research directions of the NFV technology from six aspects based on the standard architecture of ETSI NFV.

Xiaoli Zhang,Huayi Duan,Cong Wang,Qi Li,Jianping Wu

DOI: https://doi.org/10.1109/INFOCOM.2019.8737435

2019-01-01

Abstract:In-the-cloud middleboxes have drawn widespread attentions recently, along with the rapid advancement of network function virtualization (NFV). Despite the well known benefits like reduced hardware and maintenance cost, deploying middleboxes in the remote environment poses new performance and security concerns, due to invisibility of the untrusted cloud and susceptible software implementations. One essential requirement for enterprise customers is to monitor performance compliance, while ensuring that packets are faithfully processed by remote middleboxes. In this paper, we propose a practical scheme towards verifiable performance measurement over in-the-cloud middleboxes. It employs “sample and replay” to achieve performance measurement and packet processing attestation. It estimates performance by collecting receipts in a tunable way, while coping with dynamic traffic changes made by middleboxes. In particular, our sampling is stateful which can capture a sequence of packets sharing same states of middleboxes for correct local replay. More importantly, it ensures high-confidence packet processing attestation by enforcing middleboxes to bind execution assurances with packets using commitment messages, and by using delayed verification procedure to defeat any potential biased results against selected sampling. To demonstrate the feasibility and efficiency of our scheme, we implement a prototype consisting of various types of middleboxes on Click, and conduct extensive experiments on Amazon EC2 with real traces. The experimental results show that our scheme imposes marginal processing delay for packets with various middleboxes and presents negligible throughput degradation.