
Network security and the NPS Internet firewall

Schively, Jody L.
Source: Monterey, California. Naval Postgraduate School. Publisher: Monterey, California. Naval Postgraduate School
Type: Doctoral thesis. Format: 105 p.; 28 cm.
Language: Portuguese
As the Naval Postgraduate School's (NPS) computer network continues to incorporate computers with a wide variety of security holes, it is vital that an Internet firewall be installed to provide perimeter security for NPS from the Internet. NPS has had systems compromised by unauthorized individuals who have gained access via the Internet. The approach taken by this thesis was to analyze the types of Internet firewalls available and choose a design that provides the protection required at NPS while maintaining the Internet functionality desired. After choosing the appropriate type of firewall, it was tested for functionality and performance. The functionality test successfully validated that the bootp, netwall, tftp, sunrpc, and nfsd packets could be blocked while other network services remained functional. The performance testing process first monitored existing traffic to and from the BARRNET and DDN routers. The second step determined the firewall's performance with a well-known network measurement tool, New Test TCP/IP (nttcp). The existing data rates to and from the Internet are on average 438 kilobits per second, and the nttcp tests showed that the firewall could run at 600 kilobits per second. These results validated that the firewall could maintain the data rates currently required to the Internet. This thesis resulted in a firewall...

Modeling and analyzing intrusion attempts to a computer network operating in a defense-in-depth posture

Givens, Mark Allen
Source: Monterey, California. Naval Postgraduate School. Publisher: Monterey, California. Naval Postgraduate School
Type: Doctoral thesis. Format: xvi, 91 p. : ill. (some col.)
Language: Portuguese
Approved for public release; distribution is unlimited; In order to ensure the confidentiality, integrity, and availability of networked resources operating on the Global Information Grid, the Department of Defense has incorporated a "Defense-in-Depth" posture. This posture includes the use of network security mechanisms and does not rely on a single defense for protection. Firewalls, Intrusion Detection Systems (IDSs), Anti-Virus (AV) software, and routers are such tools. In recent years, computer security discussion groups have included IDSs as one of their most relevant issues. These systems help identify intruders that exploit vulnerabilities associated with operating systems, application software, and computing hardware. When IDSs are utilized on a host computer or network, there are two primary approaches to detecting and/or preventing attacks. Traditional IDSs, like most AV software, rely on known "signatures" to detect attacks. This thesis will focus on the secondary approach: anomaly or "behavioral based" IDSs look for abnormal patterns of activity on a network to identify suspicious behavior.; Major, United States Marine Corps

Security and efficiency concerns with distributed collaborative networking environments

Felker, Keith A.
Source: Monterey, California. Naval Postgraduate School. Publisher: Monterey, California. Naval Postgraduate School
Type: Doctoral thesis. Format: xiv, 101 p. : ill. (some col.)
Language: Portuguese
Approved for public release, distribution unlimited; The progression of technology is continuous, and the technology that drives interpersonal communication is no exception. Recent technology advancements in the areas of multicast, firewalls, encryption techniques, and bandwidth availability have made the next level of interpersonal communication possible. This thesis answers why collaborative environments are important in today's online productivity. In doing so, it gives the reader a comprehensive background in distributed collaborative environments, answers how collaborative environments are employed in the Department of Defense and industry, details the effects network security has on multicast protocols, and compares collaborative solutions with a focus on security. The thesis ends by providing a recommendation for collaborative solutions to be utilized by NPS/DoD type networks. Efficient multicast collaboration, in the framework of security, is a secondary focus of this research. As such, it takes security and firewall concerns into consideration while comparing and contrasting both multicast-based and non-multicast-based collaborative solutions.

A Security Simulation Game Scenario Definition Language

Falby, Naomi; Thompson, Michael F.; Irvine, Cynthia E.
Source: IEEE. Publisher: IEEE
Type: Scientific journal article
Language: Portuguese
The Center for Information Systems Security Studies and Research (CISR) at the Naval Postgraduate School has established a broad program in computer and network security education. The program, founded on a core in traditional computer science, is extended by a progression of specialized courses and a broad set of information assurance research projects. A CISR objective has been improvement of information assurance education and training for the U.S. military and government. Pursuant to that objective, CISR is developing a computer simulation game, CyberCIEGE, to teach computer security principles. CyberCIEGE players construct computer networks and make choices affecting the ability of these networks and the game's virtual users to protect valuable assets from attack by both vandals and well-motivated professionals [1]. A key CyberCIEGE innovation is a scenario definition language that permits educators to generate many different security scenarios, each playable as an independent game. Every scenario includes a briefing that describes an enterprise (e.g., a business that depends on the secrecy of proprietary information) and gives the player information about what must be done to help make the enterprise successful. The scenario language is used to define a set of users and assets. Users are typically enterprise employees whose productive work makes money for the enterprise. Assets are various kinds of information required for user productivity. Example assets are secret formulas...

Bitcoin and Beyond: Exclusively Informational Monies

Bergstra, Jan A.; de Leeuw, Karl
Source: Cornell University. Publisher: Cornell University
Type: Scientific journal article
Language: Portuguese
The famous new money Bitcoin is classified as a technical informational money (TIM). Besides introducing the idea of a TIM, a more extreme notion of informational money will be developed: exclusively informational money (EXIM). The informational coins (INCOs) of an EXIM can be in the control of an agent but are not owned by any agent. INCOs of an EXIM cannot be stolen, but they can be lost or thrown away. The difference between an EXIM and a TIM shows up when considering a user perspective on security matters. Security for an EXIM user is discussed in substantial detail, with the remarkable conclusion that computer security (security models, access control, user names, passwords, firewalls, etc.) is not always essential for an EXIM, while the application of cryptography-based information security is unavoidable for the use of an EXIM. Bitcoin seems to meet the criteria of an EXIM, but the assertion that "Bitcoin is an EXIM" might also be considered problematic. As a thought experiment we will contemplate Bitguilder, a hypothetical copy of Bitcoin that qualifies as an EXIM. A business ethics assessment of Bitcoin is made which reveals a number of worries. By combining Bitguilder with a so-called technical informational near-money (TINM) a dual money system...

Reliable Process for Security Policy Deployment

Preda, Stere; Cuppens-Boulahia, Nora; Cuppens, Frederic; Garcia-Alfaro, Joaquin; Toutain, Laurent
Source: Cornell University. Publisher: Cornell University
Type: Scientific journal article
Published on 08/05/2009. Language: Portuguese
We focus in this paper on the problem of configuring and managing network security devices, such as firewalls, Virtual Private Network (VPN) tunnels, and Intrusion Detection Systems (IDSs). Our proposal is the following. First, we formally specify the security requirements of a given system by using an expressive access control model. As a result, we obtain an abstract security policy, which is free of ambiguities, redundancies, or unnecessary details. Second, we deploy such an abstract policy through a set of automatic compilations into the security devices of the system. This proposed deployment process not only simplifies the security administrator's job, but also guarantees a resulting configuration free of anomalies and/or inconsistencies.; Comment: 12 pages

Directed Security Policies: A Stateful Network Implementation

Diekmann, Cornelius; Hupel, Lars; Carle, Georg
Source: Cornell University. Publisher: Cornell University
Type: Scientific journal article
Published on 05/05/2014. Language: Portuguese
Large systems are commonly internetworked. A security policy describes the communication relationship between the networked entities. The security policy defines rules, for example that A can connect to B, which results in a directed graph. However, this policy is often implemented in the network, for example by firewalls, such that A can establish a connection to B and all packets belonging to established connections are allowed. This stateful implementation is usually required for the network's functionality, but it introduces the backflow from B to A, which might contradict the security policy. We derive compliance criteria for a policy and its stateful implementation. In particular, we provide a criterion to verify the lack of side effects in linear time. Algorithms to automatically construct a stateful implementation of security policy rules are presented, which narrows the gap between formalization and real-world implementation. The solution scales to large networks, which is confirmed by a large real-world case study. Its correctness is guaranteed by the Isabelle/HOL theorem prover.; Comment: In Proceedings ESSS 2014, arXiv:1405.0554

Distributed firewalls and IDS interoperability checking based on a formal approach

Karoui, Kamel; Ftima, Fakher Ben; Ghezala, Henda Ben
Source: Cornell University. Publisher: Cornell University
Type: Scientific journal article
Published on 10/10/2013. Language: Portuguese
To supervise and guarantee network security, the administrator uses different security components, such as firewalls, IDS and IPS. For perfect interoperability between these components, they must be configured properly to avoid misconfiguration between them. Nevertheless, the existence of a set of anomalies between filtering rules and alerting rules, particularly in distributed multi-component architectures, is very likely to degrade network security. The main objective of this paper is to check whether a set of security components are interoperable. A case study using a firewall and an IDS as examples will illustrate the usefulness of our approach.; Comment: Security component, relevancy, misconfiguration detection, interoperability checking, formal correction, formal verification, projection, IDS, Firewall

Implementation of Portion Approach in Distributed Firewall Application for Network Security Framework

Kaur, Harleen; E., Omid MahdiEbadati; Alm, M. Afshar
Source: Cornell University. Publisher: Cornell University
Type: Scientific journal article
Published on 22/01/2012. Language: Portuguese
The motivation of this research is the collaboration of firewalls that can provide distributed points of security policy enforcement. The front-end entity interacts heavily with intruders, so separating it from the back-end entity is necessary to protect the secure domain; collaborative security entities have various tasks in the organization, each with a certain security policy to apply, and entities such as the DPFF have to be protected from outsiders. Firewalls are typically utilized as the main layer of security in a network framework. This research presents the segment of the proposed framework in which the DPFF, based on the developed iptables firewall, forms the layers of defense protecting the front end and back end of the framework, with dynamic security and policy updates that control the framework's safeguards through the proposed portion approach algorithm, which is used to reduce traffic and improve efficiency in detection and in the policy update mechanism. The policy update mechanism for the DPFF and the manner of its employment are given. The complete framework constitutes a distributed firewall in which the administrator configures the policy rule set, either separately or from the administration nodes' side.; Comment: 11 pages...

Detecting Danger: Applying a Novel Immunological Concept to Intrusion Detection Systems

Greensmith, Julie; Aickelin, Uwe; Twycross, Jamie
Source: Cornell University. Publisher: Cornell University
Type: Scientific journal article
Published on 03/02/2010. Language: Portuguese
In recent years computer systems have become increasingly complex, and consequently the challenge of protecting these systems has become increasingly difficult. Various techniques have been implemented to counteract the misuse of computer systems in the form of firewalls, anti-virus software and intrusion detection systems. The complexity of networks and the dynamic nature of computer systems leave current methods with significant room for improvement. Computer scientists have recently drawn inspiration from mechanisms found in biological systems and, in the context of computer security, have focused on the human immune system (HIS). The human immune system provides a high level of protection from constant attacks. By examining the precise mechanisms of the human immune system, it is hoped the paradigm will improve the performance of real intrusion detection systems. This paper presents an introduction to recent developments in the field of immunology. It discusses the incorporation of a novel immunological paradigm, Danger Theory, and how this concept is inspiring artificial immune systems (AIS). Applications within the context of computer security are outlined, drawing direct reference to the underlying principles of Danger Theory, and finally...

What Should be Hidden and Open in Computer Security: Lessons from Deception, the Art of War, Law, and Economic Theory

Swire, Peter P.
Source: Cornell University. Publisher: Cornell University
Type: Scientific journal article
Published on 24/09/2001. Language: Portuguese
"What Should be Hidden and Open in Computer Security: Lessons from Deception, the Art of War, Law, and Economic Theory" Peter P. Swire, George Washington University. Imagine a military base. It is defended against possible attack. Do we expect the base to reveal the location of booby traps and other defenses? No. But for many computer applications, a software developer will need to reveal a great deal about the code to get other system owners to trust the code and know how to operate with it. This article examines these conflicting intuitions and develops a theory about what should be open and hidden in computer security. Part I of the paper shows how substantial openness is typical for major computer security topics, such as firewalls, packaged software, and encryption. Part II shows what factors will lead to openness or hiddenness in computer security. Part III presents an economic analysis of the issue of what should be open in computer security. The owner who does not reveal the booby traps is like a monopolist, while the open-source software supplier is in a competitive market. This economic approach allows us to identify possible market failures in how much openness occurs for computer security. Part IV examines the contrasting approaches of Sun Tzu and Clausewitz to the role of hiddenness and deception in military strategy. The computer security...

Parallel Firewalls on General-Purpose Graphics Processing Units

Reddy, Kamal Chandra; Tharwani, Ankit; Krishna, Ch. Vamshi; V, Lakshminarayanan.
Source: Cornell University. Publisher: Cornell University
Type: Scientific journal article
Published on 15/12/2013. Language: Portuguese
Firewalls use a rule database to decide which packets will be allowed from one network onto another, thereby implementing a security policy. In high-speed networks, as the inter-arrival rate of packets decreases, the latency incurred by a firewall increases. In such a scenario, a single firewall becomes a bottleneck and reduces the overall throughput of the network. A firewall under heavy load, which is supposed to be a first line of defense against attacks, becomes susceptible to Denial of Service (DoS) attacks. Much work is being done to optimize firewalls. This paper presents our implementation of different parallel firewall models on General-Purpose Graphics Processing Units (GPGPU). We implemented the parallel firewall architecture proposed in and introduced a new model that can effectively exploit the massively parallel computing capabilities of GPGPU.

An Analytical Approach to the Adoption of Asymmetric Bidirectional Firewalls: Need for Regulation?

Khouzani, M. H. R.; Sen, Soumya; Shroff, Ness B.
Source: Cornell University. Publisher: Cornell University
Type: Scientific journal article
Published on 07/03/2012. Language: Portuguese
Recent incidents of cybersecurity violations have revealed the importance of having firewalls and other intrusion detection systems to monitor traffic entering and leaving access networks. But the adoption of such security measures is often stymied by 'free-riding' effects and 'shortsightedness' among Internet service providers (ISPs). In this work, we develop an analytical framework that not only accounts for these issues but also incorporates technological factors, like asymmetries in the performance of bidirectional firewalls. Results on the equilibrium adoption and stability are presented, along with detailed analysis on several policy issues related to social welfare, price of anarchy, and price of shortsightedness.; Comment: 9 pages, 1 figure, technical report (detailed version) of a conference submission

Randomized LU decomposition: An Algorithm for Dictionaries Construction

Rotbart, Aviv; Shabat, Gil; Shmueli, Yaniv; Averbuch, Amir
Source: Cornell University. Publisher: Cornell University
Type: Scientific journal article
Published on 17/02/2015. Language: Portuguese
In recent years, distinctive-dictionary construction has gained importance due to its usefulness in data processing. Usually, one or more dictionaries are constructed from training data and then used to classify signals that did not participate in the training process. A new dictionary construction algorithm is introduced. It is based on a low-rank matrix factorization achieved by applying the randomized LU decomposition to training data. This method is fast, scalable, parallelizable, consumes low memory, outperforms SVD in these categories, and also works extremely well on large sparse matrices. In contrast to existing methods, the randomized LU decomposition constructs an under-complete dictionary, which simplifies both the construction and the classification of newly arrived signals. The dictionary construction is generic and general, fitting different applications. We demonstrate the capabilities of this algorithm for file type identification, which is a fundamental task in the digital security arena, performed nowadays for example by sandboxing mechanisms, deep packet inspection, firewalls and anti-virus systems. We propose a content-based method that detects file types and depends neither on file extension nor on metadata. Such an approach is harder to deceive, and we show that only a few file fragments from a whole file are needed for a successful classification. Based on the constructed dictionaries...

Modeling Internet Security Investments: The Case of Dealing with Information Uncertainty

Pal, Ranjan; Hui, Pan
Source: Cornell University. Publisher: Cornell University
Type: Scientific journal article
Published on 04/04/2011. Language: Portuguese
Modern distributed communication networks like the Internet and censorship-resistant networks (also a part of the Internet) are characterized by nodes (users) interconnected with one another via communication links. In this regard, the security of individual nodes depends not only on their own efforts, but also on the efforts and underlying connectivity structure of neighboring network nodes. By the term 'effort', we mean the amount of investment made by a user in security mechanisms like antivirus software, firewalls, etc., to improve its security. However, often due to the large magnitude of such networks, it is not always possible for nodes to have complete effort and connectivity structure information about all their neighbor nodes. Added to this is the fact that in many applications, Internet users are selfish and are not willing to co-operate with other users on sharing effort information. In this paper, we adopt a non-cooperative game-theoretic approach to analyze individual user security in a communication network by accounting for both the partial information that a network node possesses about its underlying neighborhood connectivity structure and the presence of positive externalities arising from efforts exerted by neighboring nodes. We investigate the equilibrium behavior of nodes and show 1) the existence of symmetric Bayesian Nash equilibria of efforts and 2) that better connected nodes choose to exert lower efforts but earn higher utilities with respect to security improvement, irrespective of the nature of node degree correlations amongst the neighboring nodes. Our results provide ways for Internet users to appropriately invest in security mechanisms under realistic environments of information uncertainty.

A Formal Approach To Firewalls Testing Techniques

Barabanov, Alexander; Markov, Alexey; Tsirlov, Valentin
Source: Cornell University. Publisher: Cornell University
Type: Scientific journal article
Published on 08/06/2013. Language: Portuguese
Traditional technologies of firewall testing are overlooked. A new formalized approach is presented. Recommendations on optimization of test procedures are given.; Comment: Keywords: information security, firewall, security analysis, test procedures, conformance evaluation, security certification, performance optimization

Formal Checking of Multiple Firewalls

Souayeh, Nihel Ben Youssef Ben; Bouhoula, Adel
Source: Cornell University. Publisher: Cornell University
Type: Scientific journal article
Published on 16/07/2012. Language: Portuguese
When enterprises deploy multiple firewalls, a packet may be examined by different sets of firewalls. It has been observed that the resulting complex firewall network is highly error-prone and causes serious security holes. Hence, automated solutions are needed in order to check its correctness. In this paper, we propose a formal and automatic method for checking whether multiple firewalls react correctly with respect to a security policy given in a high-level declarative language. When errors are detected, useful feedback is returned in order to correct the firewall configurations. Furthermore, we propose a priority-based approach to ensure that no incoherencies exist within the security policy. We show that our method is both correct and complete. Finally, it has been implemented in a prototype verifier based on a satisfiability modulo theories solver. Experiments conducted on relevant case studies demonstrate the efficiency of our approach.; Comment: 9 pages; IJCSI journal, volume 9, issue 3, num 2, May 2012, ISSN: 1694-0814

Firewall strategies using network processors

Mariani, Matthew
Source: Rochester Institute of Technology. Publisher: Rochester Institute of Technology
Type: Doctoral thesis
Language: Portuguese
The emergence of network processors provides a broad range of new applications, particularly in the field of network security. Firewalls have become one of the basic building blocks of implementing a network's security policy; however, the security of a firewall can potentially lead to a bottleneck in the network. Therefore, improving the performance of the firewall also means improving the performance of the protected network. With the ability to directly monitor and modify packet information at wire speeds, the network processor provides a new avenue for the pursuit of faster, more efficient firewall products. This paper describes the implementation of two simulated network processor based firewalls. The first architecture, a basic packet filtering firewall, utilizes tree-based structures for manipulating IP and transport level firewall rules while also utilizing the parallelism available in the network processor during firewall rule look-ups. In the second architecture, a parallel firewall is created using a network processor based load-balancing switch along with two network processor based firewall machines, both utilizing the basic packet filter operations of the first architecture. When added to existing routing software, these implementations demonstrate the feasibility of creating dynamic packet-filtering routers using network processor technology.

Evaluating the effectiveness of packet filter firewall applications in a “dual stack” internet protocol environment

Snyder, Walter C.
Source: Rochester Institute of Technology. Publisher: Rochester Institute of Technology
Type: Doctoral thesis
Language: Portuguese
Technology providers have been implementing IPv6 capabilities, including networking services and security tools, for the past several years in anticipation of the transition from IPv4 to IPv6. This thesis will describe the technical background and an experiment to test the capability of two different host-based applications for effective packet filtering in a dual IPv4/IPv6 stack environment.

Firewall resistance to metaferography in network communications

Savacool, Richard
Source: Rochester Institute of Technology. Publisher: Rochester Institute of Technology
Type: Doctoral thesis
Language: Portuguese
In recent years corporations and other enterprises have seen a consolidation of security services on the network perimeter. Services that have traditionally been stand-alone, such as content filtering and antivirus scanning, are pushing their way to the edge and running on security gateways such as firewalls. As a result, firewalls have transitioned from devices that protect availability by preventing denial-of-service to devices that are also responsible for protecting the confidentiality and integrity of data. However, little, if any, practical research has been done on the ability of existing technical controls such as firewalls to detect and prevent covert channels. The experiment in this thesis has been designed to evaluate the effectiveness of firewalls—specifically application-layer firewalls—in detecting, correcting, and preventing covert channels. Several application-layer HTTP covert channel tools, including Wsh and CCTT (both storage channels), as well as Leaker/Recover (a timing channel), are tested using the 7-layer OSI Network Model as a framework for analysis. This thesis concludes that with a priori knowledge of the covert channel and proper signatures, application-layer firewalls can detect both storage and timing channels. Without a priori knowledge of the covert channel...