


Title: Validating security protocols with cloud-based middleboxes
Residential networks pose a unique challenge for security since they are operated by end-users that may not have security expertise. Residential networks are also home to devices that may have lackluster security protections, such as Internet of Things (IoT) devices, which may introduce vulnerabilities. In this work, we introduce TLSDeputy, a middlebox-based system to protect residential networks from connections to inauthentic TLS servers. By combining the approach with OpenFlow, a popular software-defined networking protocol, we show that we can effectively provide residential network-wide protections across diverse devices with minimal performance overheads.
Award ID(s):
1422180
PAR ID:
10055772
Author(s) / Creator(s):
Date Published:
Journal Name:
IEEE Conference on Communications and Network Security (CNS)
Page Range / eLocation ID:
261 to 269
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. The security of residential networks can vary greatly. These networks are often administrated by end-users who may lack security expertise or the resources to adequately defend their networks. Insecure residential networks provide attackers with opportunities to infiltrate systems and create a platform for launching powerful attacks. To address these issues, we introduce a new approach that uses software-defined networking (SDN) to allow home users to outsource their security maintenance to a cloud-based service provider. Using this architecture, we show how a novel network-based two-factor authentication approach can be used to protect Internet of Things devices. Our approach works without requiring modifications to end-devices. We further show how security modules can enforce protocol messages to limit the attack surface in vulnerable devices. Our analysis shows that the system is effective and adds less than 50 milliseconds of delay to the start of a connection with less than 100 microseconds of delay for subsequent packets. 
  2. While enterprise networks follow best practices and security measures, residential networks often lack these protections. Home networks have constrained resources and lack a dedicated IT staff that can secure and manage the network and systems. At the same time, homes must tackle the same challenges of securing heterogeneous devices when communicating to the Internet. In this work, we explore combining software-defined networking and proxies with commodity residential Internet routers. We evaluate a "whole home" proxy solution for the Skype video conferencing application to determine the viability of the approach in practice. We find that we are able to automatically detect when a device is about to use Skype and dynamically intercept all of the Skype communication and route it through a proxy while not disturbing unrelated network flows. Our approach works across multiple operating systems, form factors, and versions of Skype. 
  3. Residential networks are home to increasingly diverse devices, including embedded devices that are part of the Internet of Things phenomenon, leading to new management and security challenges. However, current residential solutions that rely on customer premises equipment (CPE), which often remains deployed in homes for years without updates or maintenance, are not evolving to keep up with these emerging demands. Recently, researchers have proposed to outsource the tasks of managing and securing residential networks to cloud-based security services by leveraging software-defined networking (SDN). However, the use of cloud-based infrastructure may have performance implications. In this paper, we measure the performance impact and perception of a residential SDN using a cloud-based controller through two measurement studies. First, we recruit 270 residential users located across the United States to measure residential latency to cloud providers. Our measurements suggest the cloud controller architecture provides 90% of end-users with acceptable performance with judiciously selected public cloud locations. When evaluating web page loading times of popular domains, which are particularly latency-sensitive, we found an increase of a few seconds at the median. However, optimizations could reduce this overhead for top websites in practice. 
  4. Residential networks are difficult to secure due to resource constraints and lack of local security expertise. These networks primarily use consumer-grade routers that lack meaningful security mechanisms, providing a safe haven for adversaries to launch attacks, including damaging distributed denial-of-service (DDoS) attacks. Prior efforts have suggested outsourcing residential network security to experts, but motivating user adoption has been a challenge. This work explores combining residential SDN techniques with prior work on collaborative DDoS reporting to identify residential network compromises. This combination provides incentives for end-users to deploy the technique, including rapid notification of compromises on their own devices and reduced upstream bandwidth consumption, while incurring minimal performance overheads.
  5. Home networks lack the powerful security tools and trained personnel available in enterprise networks. This complicates efforts to address security risks in residential settings. While prior efforts explore outsourcing network traffic to cloud or cloudlet services, such an approach exposes that network traffic to a third party, which introduces privacy risks, particularly where traffic is decrypted (e.g., using Transport Layer Security Inspection (TLSI)). To enable security screening locally, home networks could introduce new physical hardware, but the capital and deployment costs may impede deployment. In this work, we explore a system to leverage existing available devices, such as smartphones, tablets and laptops, already inside a home network to create a platform for traffic inspection. This software-based solution avoids new hardware deployment and allows decryption of traffic without risk of new third parties. Our investigation compares on-router inspection of traffic with an approach using that same router to direct traffic through smartphones in the local network. Our performance evaluation shows that smartphone middleboxes can substantially increase the throughput of communication from around 10 Mbps in the on-router case to around 90 Mbps when smartphones are used. This approach increases CPU usage at the router by around 15%, with a 20% CPU usage increase on a smartphone (with single core processing). The network packet latency increases by about 120 milliseconds.