Goltzsche D, Schwarz-Rüsch S, Nieke M, Vaucher S, Weichbrodt N, Schiavoni V, Aublin PL, Costa P, Fetzer C, Felber P, Pietzuch P, Kapitza R (2018)
Publication Language: English
Publication Type: Conference contribution
Publication year: 2018
Series: DSN'18
Conference Proceedings Title: Proceedings of the 48th International Conference on Dependable Systems and Networks
URI: https://www.ibr.cs.tu-bs.de/users/goltzsch/papers/dsn18-endbox.pdf
Many organisations enhance the performance, security, and functionality of their managed networks by deploying middleboxes centrally as part of their core network. While this simplifies maintenance, it also increases cost because middlebox hardware must scale with the number of clients. A promising alternative is to outsource middlebox functions to the clients themselves, thus leveraging their CPU resources. Such an approach, however, raises security challenges for critical middlebox functions such as firewalls and intrusion detection systems.
We describe EndBox, a system that securely executes middlebox functions on client machines at the network edge. Its design combines a virtual private network (VPN) with middlebox functions that are hardware-protected by a trusted execution environment (TEE), as offered by Intel's Software Guard Extensions (SGX). By maintaining VPN connection endpoints inside SGX enclaves, EndBox ensures that all client traffic, including encrypted communication, is processed by the middlebox. Despite its decentralised model, EndBox's middlebox functions remain maintainable: they are centrally controlled and can be updated efficiently. We demonstrate EndBox with two scenarios involving (i) a large company; and (ii) an Internet service provider that both need to protect their network and connected clients. We evaluate EndBox by comparing it to centralised deployments of common middlebox functions, such as load balancing, intrusion detection, firewalling, and DDoS prevention. We show that EndBox achieves up to 3.8x higher throughput and scales linearly with the number of clients.
APA:
Goltzsche, D., Schwarz-Rüsch, S., Nieke, M., Vaucher, S., Weichbrodt, N., Schiavoni, V.,... Kapitza, R. (2018). EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution. In Proceedings of the 48th International Conference on Dependable Systems and Networks. Luxemburg, LU.
MLA:
Goltzsche, David, et al. "EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution." Proceedings of the International Conference on Dependable Systems and Networks, Luxemburg 2018.