Conference: IEEE Global Communications Conference

A Firewall of Two Clouds: Preserving Outsourced Firewall Policy Confidentiality with Heterogeneity


Abstract

It is increasingly common for enterprises and other organizations to outsource firewalls to public clouds in order to reduce the cost and complexity of deploying and maintaining dedicated hardware middleboxes. However, this poses a serious threat to enterprise network security because sensitive network policies, such as firewall rules, are revealed to cloud providers, and may then be leaked and exploited by attackers. In this paper, we design and implement SE-FWaaS, a secured system that enables cloud providers to support middlebox (e.g., firewall) outsourcing while preserving network policy confidentiality. The key ingredients of SE-FWaaS are the distribution of the firewall primitives, namely policy checking and verdict enforcing, to two independent public clouds, and the enabling techniques of efficient firewall rule obfuscation and oblivious rule-matching. SE-FWaaS provides the maximum achievable level of protection of network policies by enforcing the principle of least privilege and removing the threat of offline probing attacks. We evaluate the proposed system over real-world firewall rules and demonstrate its effectiveness and feasibility.