• Refine Query
  • Source
  • Publication year
  • to
  • Language
  • 65
  • 29
  • 23
  • 17
  • 10
  • 7
  • 4
  • 3
  • 1
  • 1
  • 1
  • 1
  • 1
  • Tagged with
  • 167
  • 70
  • 52
  • 44
  • 26
  • 25
  • 24
  • 21
  • 21
  • 20
  • 19
  • 19
  • 17
  • 16
  • 16
  • About
  • The Global ETD Search service is a free service for researchers to find electronic theses and dissertations. This service is provided by the Networked Digital Library of Theses and Dissertations.
    Our metadata is collected from universities around the world. If you manage a university/consortium/country archive and want to be added, details can be found on the NDLTD website.
111

MINIMIZING CONGESTION IN PEER-TO-PEER NETWORKS UNDER THE PRESENCE OF GUARDED NODES

FAIRBANKS, MICHAEL STEWART 20 July 2006 (has links)
No description available.
112

Hybrid Hardware/Software Architectures for Network Packet Processing in Security Applications

Fießler, Andreas Christoph Kurt 14 June 2019 (has links)
Die Menge an in Computernetzwerken verarbeiteten Daten steigt stetig, was Netzwerkgeräte wie Switches, Bridges, Router und Firewalls vor Herausfordungen stellt. Die Performance der verbreiteten, CPU/softwarebasierten Ansätze für die Implementierung dieser Aufgaben ist durch den inhärenten Overhead in der sequentiellen Datenverarbeitung limitiert, weshalb solche Funktionalitäten vermehrt auf dedizierten Hardwarebausteinen realisiert werden. Diese bieten eine schnelle, parallele Verarbeitung mit niedriger Latenz, sind allerdings aufwendiger in der Entwicklung und weniger flexibel. Nicht jede Anwendung kann zudem für parallele Verarbeitung optimiert werden. Diese Arbeit befasst sich mit hybriden Ansätzen, um eine bessere Ausnutzung der jeweiligen Stärken von Soft- und Hardwaresystemen zu ermöglichen, mit Schwerpunkt auf der Paketklassifikation. Es wird eine Firewall realisiert, die sowohl Flexibilität und Analysetiefe einer Software-Firewall als auch Durchsatz und Latenz einer Hardware-Firewall erreicht. Der Ansatz wird auf einem Standard-Rechnersystem, welches für die Hardware-Klassifikation mit einem rekonfigurierbaren Logikbaustein (FPGA) ergänzt wird, evaluiert. Eine wesentliche Herausforderung einer hybriden Firewall ist die Identifikation von Abhängigkeiten im Regelsatz. Es werden Ansätze vorgestellt, welche den redundanten Klassifikationsaufwand auf ein Minimum reduzieren, wie etwa die Wiederverwendung von Teilergebnissen der hybriden Klassifikatoren oder eine exakte Abhängigkeitsanalyse mittels Header Space Analysis. Für weitere Problemstellungen im Bereich der hardwarebasierten Paketklassifikation, wie dynamisch konfigurierbare Filterungsschaltkreise und schnelle, sichere Hashfunktionen für Lookups, werden Machbarkeit und Optimierungen evaluiert. Der hybride Ansatz wird im Weiteren auf ein System mit einer SDN-Komponente statt einer FPGA-Erweiterung übertragen. Auch hiermit können signifikante Performancegewinne erreicht werden. / Network devices like switches, bridges, routers, and firewalls are subject to a continuous development to keep up with ever-rising requirements. As the overhead of software network processing already became the performance-limiting factor for a variety of applications, also former software functions are shifted towards dedicated network processing hardware. Although such application-specific circuits allow fast, parallel, and low latency processing, they require expensive and time-consuming development with minimal possibilities for adaptions. Security can also be a major concern, as these circuits are virtually a black box for the user. Moreover, the highly parallel processing capabilities of specialized hardware are not necessarily an advantage for all kinds of tasks in network processing, where sometimes a classical CPU is better suited. This work introduces and evaluates concepts for building hybrid hardware-software-systems that exploit the advantages of both hardware and software approaches in order to achieve performant, flexible, and versatile network processing and packet classification systems. The approaches are evaluated on standard software systems, extended by a programmable hardware circuit (FPGA) to provide full control and flexibility. One key achievement of this work is the identification and mitigation of challenges inherent when a hybrid combination of multiple packet classification circuits with different characteristics is used. We introduce approaches to reduce redundant classification effort to a minimum, like re-usage of intermediate classification results and determination of dependencies by header space analysis. In addition, for some further challenges in hardware based packet classification like filtering circuits with dynamic updates and fast hash functions for lookups, we describe feasibility and optimizations. At last, the hybrid approach is evaluated using a standard SDN switch instead of the FPGA accelerator to prove portability.
113

Hantering av brandväggsregler med generativ AI: möjligheter och utmaningar / Managing firewall rules with generative AI: opportunities and challenges

El Khadam, Youssef, Yusuf, Ahmed Adan January 2024 (has links)
Brandväggar är en kritisk komponent i nätverkssäkerhet som kontrollerar och filtrerar nätverkstrafik för att skydda mot obehörig åtkomst och cyberhot. Effektiv hantering av brandväggsregler är avgörande för att säkerställa att ett nätverk fungerar smidigt och säkert. I stora företagsnätverk som Scania kan hanteringen av dessa regler bli komplex och resurskrävande, vilket kan leda till duplicerade och överlappande regler som försämrar systemets prestanda.Detta examensarbete undersöker tillämpningen av generativ artificiell intelligens (GAI) och maskininlärning för att hantera och optimera brandväggsregler, med fokus på identifiering och hantering av duplicerade och överlappande regler. Problemställningen adresserar de växande utmaningarna med att underhålla effektiva brandväggsregler i stora företagsnätverk som Scania. Genom att implementera och utvärdera en prototyp baserad på XGBoost, utforskar arbetet potentialen hos AI-tekniker för att förbättra hanteringen och säkerheten av nätverkstrafik. Resultaten visar att AI kan spela en kritisk roll i automatiseringen av processer för upptäckt och korrigering av felaktiga regler, vilket bidrar till ökad nätverkssäkerhet och optimerad resursanvändning. Studien bekräftar att användningen av AI inom brandväggshantering erbjuder betydande fördelar, men lyfter också fram behovet av fortsatt forskning för att adressera säkerhetsutmaningar relaterade till AI-lösningar. / Firewalls are a critical component of network security, controlling and filtering network traffic to protect against unauthorized access and cyber threats. Effective management of firewall rules is essential to ensure that a network operates smoothly and securely. In large enterprise networks like Scania, managing these rules can become complex and resourceintensive, leading to duplicate and overlapping rules that degrade system performance and security.This thesis investigates the application of generative AI (GAI) and machine learning to manage and optimize firewall rules, focusing on the identification and handling of duplicate and overlapping rules. The problem addresses the growing challenges of maintaining effective firewall rules in large enterprise networks like Scania. By implementing and evaluating a prototype based on XGBoost, this work explores the potential of AI techniques to improve the management and security of network traffic. The results demonstrate that AI can play a critical role in automating the processes for detecting and correcting faulty rules, contributing to increased network security and optimized resource usage. The study confirms that the use of AI in firewall management offers significant benefits but also highlights the need for further research to address security challenges related to AI solutions.
114

Security Analysis and Access Control Enforcement through Software Defined Networks / Analyse de sécurité et renforcement de control d’accès à travers les réseaux programmables

Zerkane, Salaheddine 05 November 2018 (has links)
Les réseaux programmables (SDN) sont un paradigme émergent qui promet de résoudre les limitations de l'architecture du réseau conventionnel. Dans cette thèse, nous étudions et explorons deux aspects de la relation entre la cybersécurité et les réseaux programmables. D'une part, nous étudions la sécurité pour les réseaux programmables en effectuant une analyse de leurs vulnérabilités. Une telle analyse de sécurité est un processus crucial pour identifier les failles de sécurité des réseaux programmables et pour mesurer leurs impacts. D'autre part, nous explorons l'apport des réseaux programmables à la sécurité. La thèse conçoit et implémente un pare-feu programmable qui transforme la machine à états finis des protocoles réseaux, en une machine à états équivalente pour les réseaux programmables. En outre, la thèse évalue le pare-feu implémenté avec NetFilter dans les aspects de performances et de résistance aux attaques d’inondation par paquets de synchronisation. De plus, la thèse utilise l'orchestration apportée par les réseaux programmables pour renforcer la politique de sécurité dans le Cloud. Elle propose un Framework pour exprimer, évaluer, négocier et déployer les politiques de pare-feu dans le contexte des réseaux programmables sous forme de service dans le Cloud. / Software Defined Networking (SDN) is an emerging paradigm that promises to resolve the limitations of the conventional network architecture.SDN and cyber security have a reciprocal relationship. In this thesis, we study and explore two aspects of this relationship. On the one hand, we study security for SDN by performing a vulnerability analysis of SDN. Such security analysis is a crucial process in identifying SDN security flaws and in measuring their impacts. It is necessary for improving SDN security and for understanding its weaknesses.On the other hand, we explore SDN for security. Such an aspect of the relationship between SDN and security focusses on the advantages that SDN brings into security.The thesis designs and implements an SDN stateful firewall that transforms the Finite State Machine of network protocols to an SDN Equivalent State Machine. Besides, the thesis evaluates SDN stateful firewall and NetFilter regarding their performance and their resistance to Syn Flooding attacks.Furthermore, the thesis uses SDN orchestration for policy enforcement. It proposes a firewall policy framework to express, assess, negotiate and deploy firewall policies in the context of SDN as a Service in the cloud.
115

Coherence in distributed packet filters

Penz, Leandro Lisboa January 2008 (has links)
Redes de computadores estão sob constante ameaça, ainda mais quando conectadas à Internet. Para reduzir o risco, dispositivos de segurança como o filtro de pacotes são usados. Uma primeira camada de segurança, o filtro de pacotes é responsável pelo bloqueio do tráfego indesejado em posições chave da rede. Os pacotes que devem ser permitidos ou bloqueados pelo filtro são definidos através de um conjunto de regras programadas pelo administrador da rede. Essas regras tem duas partes: a seleção e a ação. Conforme cresce a rede e o número de serviços, a quantidade de regras tende a aumentar. Passado certo limite, a complexidade de manter uma quantidade grande de regras se torna um fardo para o administrador. Isso aumenta a probabilidade de enganos que podem prejudicar a segurança da rede. Este trabalho desenvolve o conceito de “anomalia”, cada qual representa um problema em potencial, uma contradição ou uma regra supérflua dentro do conjunto de regras; ou seja, cada anomalia alerta o administrador da rede para determinada situação. Há 7 tipos de anomalias, que podem ser divididos em dois grupos: anomalias de filtro único e anomalias em rede. As anomalias de filtro único alertam o administrador sobre regras que se contradizem (“bloqueio”) ou que não possuem efeito no filtro (“invisibilidade” e “redundância”). As anomalias em rede, por sua vez, alertam o administrador sobre filtros que se contradizem (“discordância”), filtros que bloqueiam tráfego desejado (“bloqueio”), regras que não se aplicam a nenhum pacote que passe pelo filtro onde estão (“irrelevância”) e roteadores que permitem a passagem de tráfego indesejado (“vazamento”). Cada um desses tipos de anomalia é definido formalmente e apresentado junto com um algoritmo que a encontra. As anomalias e seus algoritmos foram usados para implementar uma ferramenta, o Packet Filter Checker (PFC), que lê as regras e a descrição da topologia da rede e cria um relatório com todas as anomalias presentes. Este trabalho apresenta um caso de uso fictício que é analisado e corrigido com base nos resultados apresentados pela ferramenta. O caso de uso é apresentado em diversas iterações, cada uma representando alterações nos requisitos da rede. Este caso mostra a ferramenta e os conceitos no contexto-alvo: na ajuda ao administrador da rede. / Computer networks are under constant threat, even more when connected to the Internet. To decrease the risk of invasions and downtime, security devices such as the packet filter are deployed. As a first layer of security, the packet filter is responsible for blocking out unwanted traffic at key network locations. The packets dropped or forwarded by the filter are defined by a set of rules programmed by the network administrator. These rules are in the form of guarded commands, each with a condition and a decision section. As the number of services and networks grow, the number of rules tend to grow as well. Beyond a certain threshold, the complexity of maintaining such a large and distributed set of rules becomes a burden for the network administrator. Mistakes can be easily made, compromising security. This work develops the concept of “anomaly”, each representing a potential problem, a contradiction or a superfluous rule in the rule set; i.e. a warning to the system administrator. There are 7 types of anomalies divided in two groups: single filter anomalies and networked anomalies. The single-filter anomalies warns the administrator about rules that contradict one another (the “conflict” anomaly) or have no effect (“invisibility” and “redundancy”) in the analysed filter. The networked anomalies, on the other hand, analyse the filters in the context of the network topology and warn the administrator about filters that contradict one another (“disagreement”), filters that block desired traffic (“blocking”), rules that have no effect on the given network topology (“irrelevancy”) and routers that are enabling unwanted traffic (“leaking”). Each type of anomaly is formally defined along with its algorithm. The developed concepts were used to implement a tool — the Packet Filter Checker (PFC) — that reads a description of the rules and network topology in a simple custom language and reports all anomalies present. This tool is used to analyse and fix a fictional user case in several iterations of changing requirements. This shows the tool and the anomalies in the target context: where they help the network administrator.
116

Usable Firewall Rule Sets

Voronkov, Artem January 2017 (has links)
Correct functioning is the most important requirement for any system. Nowadays there are a lot of threats to computer systems that undermine confidence in them and, as a result, force a user to abandon their use. Hence, a system cannot be trusted if there is no proper security provided. Firewalls are an essential component of network security and there is an obvious need for their use. The level of security provided by a firewall depends on how well it is configured. Thus, to ensure the proper level of network security, it is necessary to have properly configured firewalls. However, setting up the firewall correctly is a very challenging task. These configuration files might be hard to understand even for system administrators. This is due to the fact that these configuration files have a certain structure: the higher the position of a rule in the rule set, the higher priority it has. Challenging problems arise when a new rule is being added to the set, and a proper position, where to place it, needs to be found. Misconfiguration might sooner or later be made and that will lead to an inappropriate system's security. This brings us to the usability problem associated with the configuration of firewalls. The overall aim of this thesis is to identify existing firewall usability gaps and to mitigate them. To achieve the first part of the objective, we conducted a series of interviews with system administrators. In the interviews, system administrators were asked about the problems they face when dealing with firewalls. After having ascertained that the usability problems exist, we turned to literature to get an understanding on the state-of-the-art of the field and therefore conducted a systematic literature review. This review presents a classification of available solutions and identifies open challenges in this area. To achieve the second part of the objective, we started working on one identified challenge. A set of usability metrics was proposed and mathematically formalized. A strong correlation between our metrics and how system administrators describe usability was identified. / Network security is an important aspect that must be taken into account. Firewalls are systems that are used to make sure that authorized network traffic is allowed and unauthorized traffic is prohibited. However, setting up a firewall correctly is a challenging task. Their configuration files might be hard to understand even for system administrators. The overall aim of this thesis is to identify firewall usability gaps and to mitigate them. To achieve the first part of the objective, we conduct a series of interviews with system administrators. In the interviews, system administrators are asked about the problems they face when dealing with firewalls. After having ascertained that the usability problems exist, we conduct a systematic literature review to get an understanding on the state of the art of the field. This review classifies available solutions and identifies open challenges. To achieve the second part of the objective, a set of usability metrics is proposed and mathematically formalized. A strong correlation between our metrics and how system administrators describe usability is identified. / HITS, 4707
117

Multiple Subliminal Channels and Chameleon Hash Functions and Their Applications

Lin, Dai-Rui 10 September 2010 (has links)
A digital signature technique has evolved into varies digital signature schemes in different application environments. In general, a digital signature consists of a random number and a hash function in addition to signing function. The random number can be used to provide the randomization of digital signatures. The hash function can be used for generating a message digest that has a fix length and is convenient for signing. The random number that hides in the digital signature is a useful factor. If we can use this factor well, then the digital signature can carry the other secret messages. On the basis of the concept of a subliminal channel proposed by Simmon, we have proposed multiple subliminal channels that can carry more than one subliminal message to different subliminal receivers. Furthermore, by using the concept of a subliminal channel, we can use the random number as another secure parameter of the digital signature. This concept leads to a forward-secure digital signature with backward-secure detection when the subliminal channel is embedded in the signature. We have proposed a forward-backward secure digital signature. A hash function is an important tool for generating a message digest. The hash function used in a signature must be one-way and collision resistant. A signing message will map to a message digest via a hash function. In recent years, several chameleon hash functions have been proposed. A chameleon hash function is a trapdoor one-way hash function that prevents everyone except the holder of the trapdoor key from computing the collisions for a randomly given input. There are various studies that apply the chameleon hash function to online/offline digital signatures and sterilization signatures. In this thesis, we apply this concept to a network secure gateway. We have achieved fast blind verification for an application gateway, such as a firewall. Further, we propose triple-trapdoor chameleon hash function and apply to vehicle owenship identification scheme. We have achieved the fast identification for vehicle ownership without connect to online database. We also have proposed threshold chameleon hash function and achieved that the collision will control under the threshold value. The trapdoor information will be exposed after the number of collision has accomplished.
118

LATENCY AND THROUGHPUT COMPARISON BETWEEN IPTABLES AND NFTABLES AT DIFFERENT FRAME AND RULE-SET SIZES / LATENS- OCH GENOMSTRÖMNIGSJÄMFÖRELSE MELLAN IPTABLES OCH NFTABLES VID OLIKA RAM- OCH REGELUPPSÄTTNINGSSTORLEKAR

Jonsson, Tomas January 2018 (has links)
Firewalls are one of the most common security tools used in computer networks. Its purpose is to prevent unwanted traffic from coming in to or out of a computer network. In Linux, one of the most common server operating system kernels available, iptables has been the go-to firewall for nearly two decades but a proposed successor, nftables, is available. This project compared latency and throughput performance of both firewalls with ten different rule-set sizes and seven different frame sizes using both linear look-ups and indexed data structures. Latency was measured through the round-trip time of ICMP packets while throughput was measured by generating UDP traffic using iPerf3. The results showed that, when using linear look-ups, nftables performs worse than iptables when using small frame sizes and when using large rule-sets. If the frame size was fairly large and rule-set fairly small, nftables was often performed slightly better both in terms of latency and in terms of throughput. When using indexed data structures, performance of both firewalls was very similar regardless of frame size or rule-set size. Minor, but statistically significant, differences were found both in favour of and against nftables, depending on the exact parameters used. / Brandväggar är en av de vanligaste säkerhetsverktygen som används i datornätverk. Dess syfte är att förhindra oönskad trafik att komma in på eller lämna ett datornätverk. I Linux, en av de vanligaste operativsystemkärnorna som används i serversystem, har iptables varit den rekommenderade brandväggen i nästan två årtionden men en tänkt ersättare, nftables, är tillgänglig. Detta projektet jämförde latens och genomströmning för båda brandväggarna med tio olika storlekar på regeluppsättning samt sju olika ramstorlekar genom både linjära regeluppslag och indexerade datastrukturer. Latens mättes genom tur- och returtid för ICMP-paket medan genomströmning mättes genom att generera UDP-trafik med iPerf3. Resultaten visade att, när linjära regeluppslag användes, nftables presterade sämre än iptables när små ramstorlekar användes samt när stora regeluppsättningar användes. Om ramstorleken var relativt stor samt regeluppsättningen relativt liten presterade nftables något bättre än iptables både i fråga om latens och i fråga om genomströmning. När indexerade datastrukturer användes var prestandan för bägge brandväggarna jämförbar oavsett ramstorlek eller storlek på regeluppsättning. Mindre, men statistiskt signifikanta, skillnader fanns både till nftables för- och nackdel, beroende på vilka parametrar som användes.
119

Implementando segurança e controle em redes de computadores / Implementing security and control in computer networks

Bertholdo, Leandro Márcio January 1997 (has links)
O crescimento e proliferação da Internet nos últimos anos tem trazido à tona vários problemas relativos à segurança e operacionabilidade das máquinas de universidades e empresas. Inúmeras invasões são realizadas anualmente. Entretanto, a grande maioria delas não possui registro algum, sendo muitas vezes de total desconhecimento do administrador local. Para prover soluções para estes problemas foi realizado um estudo, aqui apresentado, que tem como principal objetivo propor uma filosofia de gerência de segurança. São utilizados para isso conceitos de gerenciamento de redes como SNMPv2, aliado à implementação de um conjunto de ferramentas que garantam a integridade dos vários sistemas envolvidos. O resultado foi um sistema denominado CUCO1, que alerta sobre tentativas de ataque e situações de risco. CUCO foi projetado para permitir a um administrador, protegido ou não por uma firewall, dispor de um controle maior e melhor sobre acessos e tentativas de acessos indevidos à sua rede. O sistema usa uma estratégia de monitoração de eventos em diferentes níveis e aplicações, tentando com isto detectar e alertar a ocorrência de ataques tradicionais. Também está incorporado um bloco de funções que visam identificar um agressor situado em algum lugar da Internet, e obter maiores informações sobre ele e o domínio onde esta localizado. / The Internet increase and proliferation in the last years has brought a lot of problems related to the security and handling of hosts in universities and corporations. Many break-ins are done each year, without any record or knowledge by the site’s administrator. To give solutions to this problems was made up a study, here presented, has as the main goal the proposal of a security management philosophy. Are used network management concepts, joined with a toolkit to ensure the integrity of many systems envolved. The result was a system named CUCO2, that alerts about attacks and risks situations. CUCO was designed to allow an administrator, protected or not by firewall, to have a bigger and better access control in his network. The system uses an event monitor strategy in different levels and applications, trying to detect and alert the occurrence of common attacks. Moreover, it is also incorporated by a set of functions that attempt to identify aggressor’s location in any place in the Internet, and get information about him and the domain where he is located.
120

Desenvolvimento e análise de desempenho de um 'packet/session filter' / Development and performance analysis of a packet/session filter

Spohn, Marco Aurelio January 1997 (has links)
A segurança em sistemas de computação é uma das áreas mais críticas nas ciências da informação. Freqüentemente se ouve falar em alguma "brecha" descoberta em algum sistema. Não importando quão grave seja o problema, já existe certa paranóia em relação a questões de segurança. Esses furos na segurança podem ser explorados de diversas maneiras: para obter benefícios financeiros indevidos, personificação maliciosa a custos de uma pretensa "brincadeira", perda de informações sigilosas, danos em arquivos do sistema, etc. Esses são alguns dos motivos porque se investe cada vez mais em segurança. Como se não bastasse, ainda existem os problemas relativos a legislação: por um lado, o governo pode vir a exigir que a segurança em sistemas de informação seja encarada como um problema federal e impor controle sobre tudo que seja utilizado nos mecanismos de proteção; por outro lado, outros podem reclamar a necessidade de privacidade e liberdade de escolha em problemas relativos a segurança. Os sistemas são, a medida que agregam mais recursos, muito complexos e extensos, propiciando um meio fértil para acúmulo de erros e conseqüentes problemas de segurança. A conectividade alterou a realidade da computação: as redes de computadores estão aí para provar. Entretanto, os sistemas em rede a medida que facilitam a realização de uma série de tarefas também apresentam vulnerabilidades. As redes públicas são um exemplo crítico, pois todas as informações passam por meios não confiáveis sujeitos a alteração ou utilização por terceiros. A Internet talvez represente um dos ambientes mais críticos a nível de segurança. Devido a sua abrangência e velocidade com que cresce, ela é um dos ambientes mais propícios a disseminação e exploração de "furos" de segurança. Existem, entretanto, um esforço constante em desenvolvimento de mecanismos para protegê-la. "Internet Firewalls", são um conjunto de mecanismos utilizados para formar uma barreira de segurança entre a rede interna e a Internet. isolando-a das principais ameaças. Os componentes básicos de um "firewall" são o "packet filter" e o "proxy server". Basicamente, o que esses componentes fazem é uma filtragem dos pacotes. 0 "packet filter", como o nome sugere, faz uma filtragem dos pacotes até o nível de transporte (UDP e TCP). 0 "proxy server" atua como um procurador entre o cliente e o servidor real realizando uma filtragem a nível de aplicação; portanto, é uma tarefa mais apurada. Cada um desses componentes básicos apresentam os seus benefícios à segurança da rede interna. Um dos problemas desses mecanismos, é que eles acarretam em um "overhead" ao sistema, degradando o desempenho. Um "packet filter" tem de ser suficientemente rápido para que não seja o gargalo do sistema. De fato, como é apresentado nesse trabalho, pode-se conseguir um filtro tão rápido quanto necessário. A filtragem dos pacotes é baseada nas regras de filtragem que são elaboradas segundo a política de segurança, a qual estabelece qual o tipo de tráfego que pode existir entre a rede interna e a Internet. Cada pacote que passa pelo filtro é comparado com as regras de filtragem na ordem em que elas foram especificadas pelo administrador. Dependendo do número de regras, e este é um fator relevante porque são em grande número os serviços utilizados na rede, o tempo médio de filtragem aumenta. Uma solução para melhorar o desempenho na filtragem, é realizar a filtragem dos pacotes por sessão ("session filter"). Nesse caso somente se consegue atender aos serviços baseados no TCP (que é orientado a conexão); entretanto, considerando que os serviços mais utilizados na rede são baseados no TCP esse é um mecanismo viável. Na filtragem por sessão apenas o pacote de solicitação de conexão é comparado com a lista de regras de filtragem. Os pacotes subsequentes são verificados junto a uma "cache" de sessões ativas. Caso o pacote pertença a alguma sessão válida ele é passado adiante; caso contrário, ele é descartado. O acesso a "cache" deve ser suficientemente rápido para justificar esse procedimento. Além do ganho em desempenho, o filtro de sessões apresenta a vantagem de monitoramento: todas as sessões ativas entre a rede interna e a Internet estão registradas na "cache". Esta dissertação apresenta o projeto e a implementação de um "Packet/session filter". O filtro foi implementado como um módulo do "kernel" do sistema operacional "FreeBSD". O filtro "ip_fw" disponível como "freeware" na referida plataforma, serviu como referência básica para o desenvolvimento do filtro proposto. O utilitário "ipfw", disponível para gerenciar o filtro de pacotes "ip_fw", foi adaptado para interagir com o filtro desenvolvido. Os testes de desempenho apresentam resultados esperados. Ou seja, o filtro de sessão melhora consideravelmente o processo de filtragem em relação a um filtro convencional. O recurso de monitoramento das sessões ativas também representa uma facilidade a mais no controle e obtenção de estatísticas para o "firewall". / Security in computer systems is one of the most critical areas in "information sciences". Often it is heard something about a new "hole" discovered in some system. No matter how important is such a problem, there is a "paranoia" regarding questions about security. These security holes could be explored in a diversity of ways: to obtain financial benefits, to impersonate somebody to spoofing, to obtain secret informations, to damage to file systems, etc. Those are some of the reasons because so much time and money are spent in security. There are also some problems concerning legislation: government can demand that security in information systems is a federal problem and it can lead to impose control over everything that is used in protection mechanisms; on the other hand, there is the question of privacy and freedom of choice concerning to security. By adding new resources to the systems, the complexity is increase and new bugs and security problems can arise. Connectivity has changed the computer reality: computer networks show that. However, network systems also present weak points. Public networks are a critical example because all information flow by untrusted medias subject to modification or misuse by outsiders. The Internet may be one of the most critical environments concerning security. Because the internet covers almost all the world and grows so fast, it's able to dissiminate "holes" in security. There is, however, a constant effort to develop new mechanisms to protect the Internet, Internet Firewalls are a set of mechanisms used to build a security barrier between the internal network and the internet, maintaining the internal network far away from the main threats. The basic components of a firewall are the packet filter and the proxy server. These two components basically do a packet screening. The "packet filter", as the name suggests, makes a packet filtering up to the transport layer (UDP and TCP). The Proxy Server acts like a proxy between the client and the real server, the proxy does a packet filtering at the application level; therefore, it's a refined task. Each one of these components present their own benefits to the internal network security. A problem of those mechanisms is that they bring an overhead to the system, slowing the performance. A packet filter must be fast enough, otherwise it'll be the bottleneck in the system. The present work slows that, it's possible to obtain a filter as fast as necessary. The packet filtering is based on the filter rules which are prepared following the security policy that establishes what kind of traffic can flow between the internal network and the Internet. Each packet that passes through the filter is compared with the filtering rules to check if it is in the sequence specified by the administrator. Depending on the number of rules, and this is an important issue because there is a great number of services available in the network, the filtering mean time increases. A solution to improve the filtering process is to make the packet filtering by session (session filter). In this case it's only possible to attend to TCP, based services (connection oriented); however, considering that the most used services in the internet are based on TCP this is a feasible mechanism. In the session filtering only the first packet is compared against the filtering rules. The next packets are verified against a session cache. If the packet refers to a valid session it's sent forward; otherwise, it's dropped. The access time to the cache must be fast enough in order to allow applying this procedure. Beyond the performance improvement the session filter presents the advantage of monitoring: all the active sessions are recorded in the "cache". This work presents the project and development of a "packet/session filter". The filter was developed as a kernel module of the operating system "FreeBSD". The filter "ip_fw" available as freeware served as a basic reference to the implementation of the filter here presented. The "ipfw" utility available to manage the "ipfw" packet filter was adapted to interact to the developed filter. The performance benchmark presents expected results. The session filter enhances the filtering process when compared to the conventional packet filter. The monitoring facility also represents an enhancement the control and statistics gathering.

Page generated in 0.0231 seconds