EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution

Goltzsche D, Schwarz-Rüsch S, Nieke M, Vaucher S, Weichbrodt N, Schiavoni V, Aublin PL, Costa P, Fetzer C, Felber P, Pietzuch P, Kapitza R (2018)


Publication Language: English

Publication Type: Conference contribution

Publication year: 2018

Series: DSN'18

Conference Proceedings Title: Proceedings of the 48th International Conference on Dependable Systems and Networks

Event location: Luxemburg LU

URI: https://www.ibr.cs.tu-bs.de/users/goltzsch/papers/dsn18-endbox.pdf

DOI: 10.1109/DSN.2018.00048

Abstract

Many organisations enhance the performance, security, and functionality of their managed networks by deploying middleboxes centrally as part of their core network. While this simplifies maintenance, it also increases cost because middlebox hardware must scale with the number of clients. A promising alternative is to outsource middlebox functions to the clients themselves, thus leveraging their CPU resources. Such an approach, however, raises security challenges for critical middlebox functions such as firewalls and intrusion detection systems. 

We describe EndBox, a system that securely executes middlebox functions on client machines at the network edge. Its design combines a virtual private network (VPN) with middlebox functions that are hardware-protected by a trusted execution environment (TEE), as offered by Intel’s Software Guard Extensions (SGX). By maintaining VPN connection endpoints inside SGX enclaves, EndBox ensures that all client traffic, including encrypted communication, is processed by the middlebox. Despite its decentralised model, EndBox's middlebox functions remain maintainable: they are centrally controlled and can be updated efficiently. We demonstrate EndBox with two scenarios involving (i) a large company; and (ii) an Internet service provider that both need to protect their network and connected clients. We evaluate EndBox by comparing it to centralised deployments of common middlebox functions, such as load balancing, intrusion detection, firewalling, and DDoS prevention. We show that EndBox achieves up to 3.8x higher throughput and scales linearly with the number of clients.

Authors with CRIS profile

Involved external institutions

How to cite

APA:

Goltzsche, D., Schwarz-Rüsch, S., Nieke, M., Vaucher, S., Weichbrodt, N., Schiavoni, V.,... Kapitza, R. (2018). EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution. In Proceedings of the 48th International Conference on Dependable Systems and Networks. Luxemburg, LU.

MLA:

Goltzsche, David, et al. "EndBox: Scalable Middlebox Functions Using Client-Side Trusted Execution." Proceedings of the International Conference on Dependable Systems and Networks, Luxemburg 2018.

BibTeX: Download