Heavy Networking 648: Using Zero Knowledge Middleboxes To Enforce Policy On Encrypted Traffic
Heavy Networking - A podcast by Packet Pushers - Friday
If you use a middlebox such as a firewall or proxy to enforce security policies on network traffic, you’re well aware of the problem of pervasive encryption. If the middlebox can’t read the data stream, how can policy be enforced? The usual answer was to give a proxy the keys so it could act as a man in the middle of an encrypted session, at least for the few hosts you hold keys for. But because most of the traffic you want to inspect isn’t heading to a server you control, the man-in-the-middle approach isn’t viable most of the time. And that is the world we live in today, where the payload of everything from web to chat to DNS queries is probably encrypted. Our middleboxes can’t see what’s inside to protect us from the bad stuff.

But what if there was a way a middlebox could still accurately enforce policy on encrypted traffic? That’s the research Paul Grubbs has been working on as an Assistant Professor at the University of Michigan. He wrote about “Unpacking Zero Knowledge Middleboxes” on the APNIC blog in July 2022, and we’re chatting with him about zero knowledge middleboxes today.

We discuss:

* Paul and his team’s research in zero knowledge middleboxes
* How encryption can impact security policy enforcement
* Using cryptographic verification between clients and middleboxes for policy enforcement
* Use cases such as DNS
* Practical implications and potential drawbacks
* More

Sponsor: IP Fabric

IP Fabric recently sponsored an EMA research report discussing “The Future of DC Network Automation”, which revealed that more than half of organizations that use manual data gathering processes feel it undermines their automation efforts. That’s where IP Fabric comes in. IP Fabric puts the right data in the hands of the people who need it. Download the full report now, for free, at ipfabric.io/packetpushers.
Show Links:

* Zero-Knowledge Middleboxes – Paul Grubbs, Arasu Arun, Ye Zhang, Joseph Bonneau, and Michael Walfish
* Unpacking Zero Knowledge Middleboxes – APNIC Blog
* @pag_crypto – Paul Grubbs
* Paul Grubbs’s Academic Website