Privacy-preserving Network Functionality Outsourcing

—Since the advent of software defined networks (SDN), there have been many attempts to outsource the complex and costly local network functionality, i.e. the middlebox, to the cloud in the same way as outsourcing computation and storage. The privacy issues, however, may thwart the enterprises' willingness to adopt this innovation since the underlying configurations of these middleboxes may leak crucial and confidential information which can be utilized by attackers. To address this new problem, we use firewall as an sample functionality and propose the first privacy preserving outsourcing framework and schemes in SDN. The basic technique that we exploit is a groundbreaking tool in cryptography, the cryptographic multilinear map. In contrast to the infeasibility in efficiency if a naive approach is adopted, we devise practical schemes that can outsource the middlebox as a blackbox after obfuscating it such that the cloud provider can efficiently perform the same functionality without knowing its underlying private configurations. Both theoretical analysis and experiments on real-world firewall rules demonstrate that our schemes are secure, accurate, and practical. I. INTRODUCTION Although network functionalities play an important role in enterprise network to make it robust, fast, and secure, they often burden a company with great hardware financial pressure and management complexity. Network middleboxes, such as firewalls and intrusion detection systems (IDS), are the customized appliances to implement these sophisticated functionalities, and they are also often hard to deploy and upgrade. A recent survey [1] reveals that the investments in network infrastructures deployment of these middleboxes as well as in the personnel cost of managing and maintaining them are substantial. The emergence of SDN helps us separate the logic control from the basic traffic processing, so we can relieve some of the above " pain points " to a certain extent by taking the advantage of SDN [2]–[5]. But though the management of networks can be simplified by SDN, it still has many shortcomings. For instance, because these functionalities are still implemented within the enterprise network, the hardware cost and the everyday maintenance cost are still there. Thus, to further reduce the cost and complexity faced by local networks, some SDN researchers have attempted to outsource these network functionalities or middleboxes out to cloud providers, in the same way that the computation and storage services have been successfully outsourced [1], [6]. After migrating middleboxes to cloud, the local enterprises will