FiLDB : An Architecture for Securely Connecting Databases to the Internet

Hermansson, Tobias

January 2001

<p>Today more and more Information systems exist and they contain more and more information. Many information systems contain information about people that is secret or sensitive. Such information should not be allowed to leak from a database. This problem grows more and more as databases are made available via the Internet.</p><p>There have been a number of publicised occasions where hackers have passed security barriers and got information that is not intended to be publicly available. There have also been cases where the administrators of systems have made mistakes, so that classified information was published on the Internet.</p><p>The FiLDB architecture uses existing technology together with new components to provide an environment in which databases can be connected to the Internet without losing security. Two databases, with physical separation between them, are used as a security measure. Secret information is stored only in an internal database, which is separated from the Internet. An external database contains information which is to be used from the Internet, and hence sensitive information is not stored in this database.</p>

database

firewall

architecture

security

Computer and systems science

Data- och systemvetenskap

Entfernte Analyse von Netzen / remote network analysis

Höfler, Torsten

03 May 2004

Workshop "Netz- und Service-Infrastrukturen" Sicherheit von Netzwerken hängt oft davon ab, wie viel man vor dem Feind verbergen kann. Jedoch ein potentieller Angreifer kann mit einfachsten Mitteln vieles über die Netztopologie ableiten ohne Zugriff zum Netz zu haben oder erkannt zu werden.

ddc:004

Firewall

Internetzwerk

Netzwerk

Netzwerkanalysator

Netzwerkanalyse

Netzwerktopologie

Configuration and Implementation Issues for a Firewall System Running on a Mobile Handset

Martinsen, Pal-Erik

January 2005

Any device connected to the Internet needs to be protected. Using a firewall as a first line of defence is a very common way to provide protection. A firewall can be set up to protect an entire network or just a single host. As it is becoming more and more popular to connect mobile phones and other hand held devices to the Internet, the big question is;"how to protect those devices from the perils of the Internet?" This work investigates issues with the implementation of a firewall system for protecting mobile devices. Firewall administration is an error prone and difficult task. Setting up a correctly configured firewall in a network setting is a difficult task for a network administrator. To enable an ordinary mobile phone user to set up a firewall configuration to protect his mobile phone it is important to have a system that is easy to understand and warns the user of possible mistakes. Generic algorithms for firewall rule-set sorting and anomaly discovery are presented. This ensures that the rule-set is error free and safe to use. This is a vital part of any firewall system. The prototype developed can be used to find errors in existing firewall rule-sets. The rule-set can be in either a native firewall configuration format (currently only IPF is supported) or in a generic XML format. This generic XML format was developed as a part of this research project. Further a new graphical visualization concept that allows the end user to configure an advanced firewall configuration from a device with a small screen and limited input possibilities is presented.

Firewall

rule-set

sorting

anomaly detection

visualization

mobile handset

Schutz von Web Services durch erweiterte und effiziente Nachrichtenvalidierung /

Gruschka, Nils.

January 2008

Zugl.: Kiel, Universiẗat, Diss., 2008.

Localization of Spyware in Windows Environments

Bergstrand, Fredrik, Bergstrand, Johan, Gunnarsson, Håkan

January 2004

This is a thesis about different methods that can be used to detect spyware. Methods included are Layered Service Provider, Internet Protocol Helper API, TDI filtering and API hooking. Some firewall testing applications, leak tests, that use methods that can be used by real spyware program to penetrate firewalls have also been examined. The goal was to develop a Windows 2000/XP program that is able to detect as many of our examined leak tests as possible. Our program uses the methods TDI filtering and API hooking for detection of spyware because our study showed that these methods were the best. To evaluate the program it was tested against our examined leak test programs. Our program managed to detect all leak tests except one. / Fredrik Bergstrand cfb@home.se Johan Bergstrand jb78@home.se Håkan Gunnarsson hakan.gunnarsson@klostersfalad.se

spyware

firewall

leak test

API hooking

Software Engineering

Programvaruteknik

NFtables och IPtables : En jämförelse av latens / NFtables and IPtables : A Comparison in Latency

Svensson Eidsheim, Jonas

January 2017

Firewalls are one of the essential tools to secure any network. IPtables has been the defacto firewall in all Linux systems, and the developers behind IPtables are alsoresponsible for its intended replacement, NFtables. Both IPtables and NFtables arefirewalls developed to filter packets. Some services are heavily dependent on lowlatency transport of packets, such as VoIP, cloud gaming, storage area networks andstock trading. This work is aiming to compare the latency between the selectedfirewalls while under generated network load. The network traffic is generated byiPerf and the latency is measured by using ping. The measurement of the latency isdone on ping packets between two dedicated hosts, one on either side of the firewall.The measurement was done on two configurations one with regular forwarding andanother with PAT (Port Address Translation). Both configurations are measured whileunder network load and while not under network load. Each test is repeated ten timesto increase the statistical power behind the conclusion. The results gathered in theexperiment resulted in NFtables being the firewall with overall lower latency bothwhile under network load and not under network load. / Brandväggen är ett av de viktigaste verktygen för att säkra upp nätverk. IPtables harvarit den främst använda brandväggen i alla Linux-system och utvecklarna bakomIPtables är också ansvariga för den avsedda ersättaren, NFtables. Både IPtables ochNFtables är brandväggar som utvecklats för att filtrera paket. Vissa tjänster är starktberoende av att paket som skickas anländer med låg latens. Tjänster som VoIP, cloudgaming, lagringsnät och aktiehandel. Detta arbete syftar till att jämföra latensenmellan de valda brandväggarna under en genererad nätverkslast. Nätverkslastengenereras av iPerf och latensen mäts med hjälp av ping. Mätningen av latensen görs påpingpaketen mellan två dedikerade värdar, en på vardera sida av brandväggen.Mätningen gjordes på två olika konfigurationer, en med vidarebefordran och en annanmed portadressöversättning (eng. PAT, Port Address Translation). Bådakonfigurationerna mäts både under nätverksbelastning och utan nätverksbelastning.Varje test upprepas tio gånger för att öka den statistiska signifikansen bakomslutsatsen. Resultaten som samlats in i experimentet visade att NFtables varbrandväggen med generell lägre latens både under last och inte under last.

firewall

nftables

iptables

security

latency

Computer Sciences

Datavetenskap (datalogi)

FiLDB : An Architecture for Securely Connecting Databases to the Internet

Hermansson, Tobias

January 2001

Today more and more Information systems exist and they contain more and more information. Many information systems contain information about people that is secret or sensitive. Such information should not be allowed to leak from a database. This problem grows more and more as databases are made available via the Internet. There have been a number of publicised occasions where hackers have passed security barriers and got information that is not intended to be publicly available. There have also been cases where the administrators of systems have made mistakes, so that classified information was published on the Internet. The FiLDB architecture uses existing technology together with new components to provide an environment in which databases can be connected to the Internet without losing security. Two databases, with physical separation between them, are used as a security measure. Secret information is stored only in an internal database, which is separated from the Internet. An external database contains information which is to be used from the Internet, and hence sensitive information is not stored in this database.

database

firewall

architecture

security

Information Systems

Pokročilé metody filtrování síťového provozu v systému Linux / Advanced methods of filtering network traffic in the Linux system

Peša, David

January 2008

This master's thesis is meant to provide techniques in designing and building a standalone packet filtering firewall in Linux machines, mainly for small sites who don’t give much service to Internet users. It deals with attenuating the effect of the most common types of attacks using iptables. It guides how to design, implement, run, and maintain Firewall. Techniques for continuously monitoring attacks is attempted. It also give a historical, architectural and technical overview of firewalls and security attacks.

Aplikace pro monitorování a kontrolu zabezpečení rozsáhlých počítačových sítí LAN a WAN / Application for monitoring and controlling the security of large LAN and WAN computer networks

Maloušek, Zdeněk

January 2008

Computer networks are used in much wider extent than 20 years ago. People use the computer mainly for communication, entertainment and data storage. Information is often stored only in electronic devices and that is why the security of the data is so important. The objective of my thesis is to describe network security problems and their solutions. First chapter deals with the network security, security checks and attacks. It describes procedures used in practise. First part deals with traffic scanning and filtering at various layers of the TCP/IP model. Second part presents the types of proxy and its pros and cons. Network Address Translation (NAT) is a favourite technique of managing IP addresses of inside and outside network which helps to improve the security and lower the costs paid for IP addresses. NAT description, IPSec, VPN and basic attacks are described in this section. The second chapter of the thesis presents set of Perl scripts for network security checking. The purpose of the project is not to check the whole network security. It is designed for contemporary needs of IBM Global Services Delivery Centrum Brno. The first script checks running applications on target object. The aim is to detect services that are not necessary to run or that are not updated. The second one checks the security of the Cisco device configuration. There is a list of rules that has to be kept. The third script inspects the Nokia firewall configuration which is on the border of IBM network. If some of the rule is broken, it shows the command that has to be proceeded at the particular device. The output of the first and the second script is an HTML file. The third script uses the command line for the final report. The last part of this chapter gives advice to configure Cisco devices. It is a list of security recommendations that can be used by configuring e.g. routers. The appendix presents two laboratory exercises. The aim is to give students an opportunity to learn something about programs and technologies which are used in practise by IT experts to check the weaknesses of their networks.

Laboratorní úloha CISCO Security / CISCO security laboratory exercise

Švec, Martin

January 2009

The main purpose of this diploma thesis is to become familiar with the principles and technical solutions regarding security components of Cisco company and configure assigned system according to valid rules of security. In introduction are explained the reasons for networks security solutions. This work also analyses different kinds of security weaknesses which include deficiencies of networks protocols and also the attacks from hackers. The principle of firewall is described and also its particular types. This work is focused on explanation and classification of PIX firewall, which has dominant role in the field of network security. The other equipments of Cisco, which are improving the level of security, are also mentioned. The practical part of this diploma thesis is composed of networks connections and configuration of system consisting of router, PIX firewall and switch. It also includes the detailed procedure and description of configuration of network equipments. The focus is put on minimalization of threats and elimination of DoS attacks.