Global ETD Search

151	Enterprise transition to Software-defined networking in a Wide Area Network : Best practices for a smooth transition to SD-WAN / Företagsövergång till mjukvarudefinierat nätverk i ett Wide Area Network : Bästa praxis för en smidig övergång till SD-WAN Yassin, Ahmed, Yalcin, Fatih January 2019 (has links) Software defined wide area networks (SD-WAN) is a relatively new concept for enterprises to structure their networks throughout sites. This thesis was to find best practices for enterprises wanting to transition their current infrastructure to SD-WAN with multiple factors considered. To accomplish this, results gathered from literature reviews, lab testing and interviews with employees from two different enterprises was made. What was accomplished from the literature review was an overview from Equity Office’s transition to SD-WAN which gave a positive result, as well as a cost of ownership tests with Talari SD-WAN units by NSS Labs. Lab testing with Talari SD-WAN units and a cloud site from Amazon Web Services resulted in improvements in performance and stability compared to a local traditional setup to the cloud site, especially on multiple simultaneous connections. Lastly, results from interviews provided deep insight on how the enterprises planned the transition, what results were expected as well as gained profits in forms of cost and effectivity. A definitive best practice which every enterprise should follow could not be made. Instead, best practices were found by factoring in different criteria that are unique for different enterprises. For future work, narrowing down to one methodology with more resources, could help in obtaining more realistic and accurate results. / Mjukvarudefinierade wide area networks (SD-WAN) är ett relativt nytt koncept för företag att strukturera sina nätverk genom sina kontor. Projektets mål var att hitta bästa praxis för företag som vill övergå från sin nuvarande infrastruktur till SD-WAN med hänsyn till flera faktorer. För att uppnå detta samlades resultat in från litteraturstudier, tester med laboration och intervjuer med anställda från två olika företag. Det som uppnåddes från litteraturstudien var en översikt över Equity Offices övergång till SD-WAN vilket gav ett positivt resultat, samt en överblick av tester på ägandekostnader med Talari SD-WAN enheter som utfördes av NSS Labs. Tester med Talari SD-WAN enheter och en molnuppsättning på Amazon Web Services resulterade i förbättringar i prestanda och stabilitet jämfört med en lokal traditionell uppsättning till molnet, särskilt vid parallella anslutningar. Slutligen gav resultaten från intervjuer en djup inblick i hur företagen planerade övergången, vilka resultat som förväntades samt vinster i form av kostnad och effektivitet. En slutgiltig bästa praxis som varje företag bör följa kunde inte bestämmas. Istället hittades bästa praxis genom att ta hänsyn till olika kriterier som är unika för olika företag. För framtida arbeten kan man smala ner arbetet till en typ av metodik med mer resurser, för att hjälpa till med att få mer realistiska och korrekta resultat. SD-WAN Amazon Web Services MPLS Firewall best practices SD-WAN Amazon Web Services MPLS brandvägg bästa praxis Computer Engineering Datorteknik
152	Detection of Vulnerability Scanning Attacks using Machine Learning : Application Layer Intrusion Detection and Prevention by Combining Machine Learning and AppSensor Concepts / Detektering av sårbarhetsscanning med maskininlärning : Detektering och förhindrande av attacker i applikationslagret genom kombinationen av maskininlärning och AppSensor koncept Shahrivar, Pojan January 2022 (has links) It is well-established that machine learning techniques have been used with great success in other domains and has been leveraged to deal with sources of evolving abuse, such as spam. This study aims to determine whether machine learning techniques can be used to create a model that detects vulnerability scanning attacks using proprietary real-world data collected from tCell, a web application firewall. In this context, a vulnerability scanning attack is defined as an automated process that detects and classifies security weaknesses and flaws in the web application. To test the hypothesis that machine learning techniques can be used to create a detection model, twenty four models were trained. The models showed a high level of precision and recall, ranging from 91% to 0.96% and 85% to 0.93%, respectively. Although the classification performance was strong, the models were not calibrated sufficiently which resulted in an underconfidence in the predictions. The results can therefore been viewed as a performance baseline. Nevertheless, the results demonstrate an advancement over the simplistic threshold-based techniques developed in the early days of the internet, but require further research and development to tune and calibrate the models. / Det är väletablerat att tekniker för maskininlärning har använts med stor framgång inom andra domäner och har utnyttjats för att hantera källor till växande missbruk, såsom spam. Denna studie syftar till att avgöra om maskininlärningstekniker kan tillämpas för att skapa en modell som upptäcker sårbarhets-skanningsattacker med hjälp av proprietär data som samlats in från tCell, en webbapplikationsbrandvägg. I detta sammanhang definieras en sårbarhetsskanningsattack som en automatiserad process som upptäcker och klassificerar säkerhetsbrister och brister i webb-applikationen. För att testa hypotesen att maskininlärningstekniker kan användas för att skapa en detektionsmodell, tränades tjugofyra modeller. Modellerna visade en hög nivå av precision och sensitivitet, från 91% till 0,96% och 85% till 0,93%, respektive. Även om klassificeringsprestandan var god, var modellerna inte tillräckligt kalibrerade, vilket resulterade i ett svagt förtoende för förutsägelserna. De presenterade resultaten kan därför ses som en prestationsbaslinje. Resultaten visar ett framsteg över de förenklade tröskelbaserade teknikerna som utvecklades i begynnelsen av internet, men kräver ytterligare forskning och utveckling för att kalibrera modellerna. Vulnerability Scanning Random Forest Web application security Next-Gen Web application Firewall Machine learning Dynamic application security testing Intrusion detection & prevention Computer and Information Sciences Data- och informationsvetenskap
153	Evaluation of Explainable AI Techniques for Interpreting Machine Learning Models Muhammad, Al Jaber Al Shwali January 2024 (has links) Denna undersökning utvärderar tillvägagångssätt inom "Explainable Artificial Intelligence" (XAI), särskilt "Local Interpretable Model Agnostic Explanations" (LIME) och 'Shapley Additive Explanations' (SHAP), genom att implementera dem i maskininlärningsmodeller som används inom cybersäkerhetens brandväggssystem. Prioriteten är att förbättra förståelsen av flervals klassificerings uppgift inom brandvägg hantering. I takt med att dagens AI-system utvecklas, sprids och tar en större roll i kritiska beslutsprocesser, blir transparens och förståelighet alltmer avgörande. Denna studie demonstrerar genom detaljerad analys och metodisk experimentell utvärdering hur SHAP och LIME belyser effekten av olika egenskaper på modellens prognoser, vilket i sin tur ökar tilliten till beslut som drivs av AI. Resultaten visar, hur funktioner såsom "Elapsed Time (sec)”, ”Network Address Translation” (NAT) källa och "Destination ports" ansenlig påverkar modellens resultat, vilket demonstreras genom analys av SHAP-värden. Dessutom erbjuder LIME detaljerade insikter i den lokala beslutsprocessen, vilket förbättrar vår förståelse av modellens beteende på individuell nivå. Studiet betonar betydelsen av XAI för att minska klyftan mellan AI operativa mekanismer och användarens förståelse, vilket är avgörande för felsökning samt för att säkerställa rättvisa, ansvar och etisk integritet i AI-implementeringar. Detta gör studiens implikationer betydande, då den ger en grund för framtida forskning om transparens i AI-system inom olika sektorer. / This study evaluates the explainable artificial intelligence (XAI) methods, specifically Local Interpretable Model-Agnostic Explanations (LIME) and Shapley Additive Explanations (SHAP), by applying them to machine learning models used in cybersecurity firewall systems and focusing on multi-class classification tasks within firewall management to improve their interpretability. As today's AI systems become more advanced, widespread, and involved in critical decision-making, transparency and interpretability have become essential. Through accurate analysis and systematic experimental evaluation, this study illustrates how SHAP and LIME clarify the impact of various features on model predictions, thereby leading to trust in AI-driven decisions. The results indicate that features such as Elapsed Time (sec), Network Address Translation (NAT) source, and Destination ports markedly affect model outcomes, as demonstrated by SHAP value analysis. Additionally, LIME offers detailed insights into the local decision making process, enhancing our understanding of model behavior at the individual level. The research underlines the importance of XAI in reducing the gap between AI operational mechanisms and user understanding, which is critical for debugging, and ensuring fairness, responsibility, and ethical integrity in AI implementations. This makes the implications of this study substantial, providing a basis for future research into the transparency of AI systems across different sectors. Explainable AI SHAP LIME machine learning firewall management cybersecurity model interpretability multiclass classification Förklarbar AI SHAP LIME maskininlärning brandväggshantering cybersäkerhet modellens tolkbarhet flervalsklassificering Software Engineering Programvaruteknik
154	Effekterna av brandväggsregler för FreeBSD PF & IPtables / The impact of firewall rule sets for FreeBSD PF & IPtables Polnäs, Andreas January 2018 (has links) Paketfiltrering är en av nyckelfunktionerna i de flesta av dagens brandväggar, vilket gör paketfiltrering till en viktig del av det dagliga arbetet för många systemadministratörer. Sedan uppkomsten av paketfiltrering har nätverkskomplexiteten ökat drastiskt, Många av dagens tjänster har behov av olika protokoll för att kommunicera. I kombination med detta måste brandväggen bearbeta en större mängd data än tidigare för att tillgodose dagens nätverkstopologier.Denna studie syftar till att undersöka om det finns någon skillnad i prestanda mellan två moderna iterationer av de populära UNIX-brandväggarna IPtables och FreeBSD PF. Detta sker genom att de två brandväggarna utsätts för olika antal regler, samtidigt som de genomströmmas av olika stora paketflöden.De båda brandväggarna kommer att jämföras baserat på tre attribut, CPU, genomströmning och latens. tre olika bandbredder testas. 100, 500 och 1000Mbit/s. Testet omfattar längre tester som upprepas flera gånger för att öka studiens giltighet. Testerna som utförs görs på ursprungliga operativsystemet för varje brandvägg. Linux Ubuntu 16 för IPtables och FreeBSD 11 för FreeBSD PF.Studien kom fram till att brandväggarnas prestanda är likvärdiga i genomströmning och latens vid lägre regelmängder. Vid högre regelmängder skiljer sig prestandan och PF är bättre anpassad för stora regeluppsättningar. IPtables anses vara den bättre brandväggen för låga regeluppsättningar på grund av dess låga CPU-användning. / Packetfiltering is one of the key features in most of today’s firewalls. With many packetfilters being used daily in a system administrator’s work. Over the years since founding of the packetfilter technology the complexity of the network has increased drastically, where many of today’s services relies on different protocols to communicate, combined with a much larger amount of data that the firewall must process to satisfy todays network topologies.This study aims to explore if there is any difference in performance between two modern iterations of popular UNIX firewalls, IPtables and FreeBSD PF. By submitting them to different number of rulesets while at the same testing them under a series of different packet flows through the firewall.Both firewalls will be compared based on three attributes, CPU, throughput and latency, and three different bandwidths will be tested. 100, 500 and 1000Mbits/s. The test include longer tests that is repeated multiple times to increase the validity of the study. The tests were performed on the native operating system of each firewall. Linux Ubuntu 16 for IPtables and FreeBSD 11 for FreeBSD PF.The study concluded that the performance of the firewalls is equal in throughput and latency at lower volumes. At higher amounts of rulesets, performance is different between the firewalls and PF is considered better for large rules, while IPtables are considered to be a better firewall for low rulesets due to its low CPU usage. Firewall FreeBSD PF IPtables Ubuntu 16 FreeBSD 11 Dual-homed network CPU Latency Throughput packetfilter rules firewall rules Brandvägg FreeBSD PF IPtables Ubuntu 16 FreeBSD 11 Dual-homed network CPU latens genomströmning brandväggsregler Computer and Information Sciences Data- och informationsvetenskap Natural Sciences Naturvetenskap
155	Détection dynamique des intrusions dans les systèmes informatiques / Dynamic intrusion detection in computer systems Pierrot, David 21 September 2018 (has links) La démocratisation d’Internet, couplée à l’effet de la mondialisation, a pour résultat d’interconnecter les personnes, les états et les entreprises. Le côté déplaisant de cette interconnexion mondiale des systèmes d’information réside dans un phénomène appelé « Cybercriminalité ». Des personnes, des groupes mal intentionnés ont pour objectif de nuire à l’intégrité des systèmes d’information dans un but financier ou pour servir une cause. Les conséquences d’une intrusion peuvent s’avérer problématiques pour l’existence d’une entreprise ou d’une organisation. Les impacts sont synonymes de perte financière, de dégradation de l’image de marque et de manque de sérieux. La détection d’une intrusion n’est pas une finalité en soit, la réduction du delta détection-réaction est devenue prioritaire. Les différentes solutions existantes s’avèrent être relativement lourdes à mettre place aussi bien en matière de compétence que de mise à jour. Les travaux de recherche ont permis d’identifier les méthodes de fouille de données les plus performantes mais l’intégration dans une système d’information reste difficile. La capture et la conversion des données demandent des ressources de calcul importantes et ne permettent pas forcément une détection dans des délais acceptables. Notre contribution permet, à partir d’une quantité de données relativement moindre de détecter les intrusions. Nous utilisons les événements firewall ce qui réduit les besoins en terme de puissance de calcul tout en limitant la connaissance du système d’information par les personnes en charge de la détection des intrusions. Nous proposons une approche prenant en compte les aspects techniques par l’utilisation d’une méthode hybride de fouille de données mais aussi les aspects fonctionnels. L’addition de ces deux aspects est regroupé en quatre phases. La première phase consiste à visualiser et identifier les activités réseau. La deuxième phase concerne la détection des activités anormales en utilisant des méthodes de fouille de données sur la source émettrice de flux mais également sur les actifs visés. Les troisième et quatrième phases utilisent les résultats d’une analyse de risque et d’audit technique de sécurité pour une prioritisation des actions à mener. L’ensemble de ces points donne une vision générale sur l’hygiène du système d’information mais aussi une orientation sur la surveillance et les corrections à apporter. L’approche développée a donné lieu à un prototype nommé D113. Ce prototype, testé sur une plate-forme d’expérimentation sur deux architectures de taille différentes a permis de valider nos orientations et approches. Les résultats obtenus sont positifs mais perfectibles. Des perspectives ont été définies dans ce sens. / The expansion and democratization of the digital world coupled with the effect of the Internet globalization, has allowed individuals, countries, states and companies to interconnect and interact at incidence levels never previously imagined. Cybercrime, in turn, is unfortunately one the negative aspects of this rapid global interconnection expansion. We often find malicious individuals and/or groups aiming to undermine the integrity of Information Systems for either financial gain or to serve a cause. The consequences of an intrusion can be problematic for the existence of a company or an organization. The impacts are synonymous with financial loss, brand image degradation and lack of seriousness. The detection of an intrusion is not an end in itself, the reduction of the delta detection-reaction has become a priority. The different existing solutions prove to be cumbersome to set up. Research has identified more efficient data mining methods, but integration into an information system remains difficult. Capturing and converting protected resource data does not allow detection within acceptable time frames. Our contribution helps to detect intrusions. Protect us against Firewall events which reduces the need for computing power while limiting the knowledge of the information system by intrusion detectors. We propose an approach taking into account the technical aspects by the use of a hybrid method of data mining but also the functional aspects. The addition of these two aspects is grouped into four phases. The first phase is to visualize and identify network activities. The second phase concerns the detection of abnormal activities using data mining methods on the source of the flow but also on the targeted assets. The third and fourth phases use the results of a risk analysis and a safety verification technique to prioritize the actions to be carried out. All these points give a general vision on the hygiene of the information system but also a direction on monitoring and corrections to be made.The approach developed to a prototype named D113. This prototype, tested on a platform of experimentation in two architectures of different size made it possible to validate our orientations and approaches. The results obtained are positive but perfectible. Prospects have been defined in this direction. Securité Détection d'intrusions Pare-feu (firewall) Apprentissage supervisé Collecte de renseignements Journaux (logs) Évènements Attaques Clustering Validité des clusters Disponibilité Intégrité Confidentialité Traçabilité Apprentissage non-surpervisé Security Intrusion detection Firewall Supervised machine learning Unsupervised machine learning Information gathering Logs Events Attacks Clustering Cluster validity Avaibility Integrity Privacy Traceability 004
156	Segmentering av lokala nätverk - För mikro- och småorganisationer Hermansson, Christopher, Johansson, Sebastian January 2010 (has links) <p>Syftet med den här rapporten är att beskriva ett antal olika tillvägagångssätt man kan använda sig av då man har behov av att dela in ett lokalt nätverk i olika segment och med det även kunna reglera trafikflödet mellan segmenten. De lösningar som presenteras i arbetet är inriktade mot mikro- och småföretag.Anledningen till att vi har valt att arbeta med det här området är att vi anser att det är viktigt för organisationer att har en strukturerad och segmenterad design på sitt interna datornätverk.Vi har arbetat genom att i förväg samla in information om olika tekniker som kan tänkas lösa vårt problem, och därefter testat olika scenarion med dessa tekniker. Data har samlats in efter varje genomfört scenario och sammanställts i statistisk form för att kunna avgöra vilken metod som var att föredra.Vi har testat lösningar där man segmenterar nätverket i en lager 2-switch medan man möjliggör och förhindrar trafikflöde mellan segmenten i en router. Även lösningar där man använder en lager 3-switch har testats. På så sätt kan routningen ske direkt i switchen och det blir betydligt mindre belastning i routern. Resultatet visar att då man vill segmentera ett nätverk så är det rekommenderat att man använder sig av VLAN och ACL:er och eventuellt i kombination med en brandvägg.Slutresultatet av rapporten är att en lösning med ”router on a stick” är den billigaste lösningen och troligen den som de flesta mindre företag skulle klara sig med. Vilken lösning man väljer beror dock helt på hur mycket pengar man vill lägga på sitt nätverk samt vad kraven är.</p> / <p>The purpose of this report is to describe a number of approaches that can be used when you are in need of dividing a local area network in a number of segments, and with that also be able to control how data traffic is allowed to traverse between the different segments. The solutions that are presented are focused towards micro and small companies.The reason that we have chosen to work with this matter is that we believe it is important for organizations to have a structured and segmented design of its internal computer network.We have been working by in advance collecting information about various techniques that might solve our problem, and then testing different scenarios using these techniques. Data have been collected after each tested scenario and compiled in statistical form in order to determine which method that was preferable.We have been testing solutions were you segment the network in a layer 2 switch while you allow or deny communication between the segments in a router, and also solutions were you use a layer 3 switch. In that way you can let the routing be performed in the switch, which leads to significantly lower load on the router. The result was that if you are about to segment a local area network it is recommended that you use VLAN and ACL:s, and possibly in combination with a firewall.The final result of this report is that a solution using the “router on a stick”-technique is the cheapest one, and probably the one that most small companies would get along with. However, the solution that you choose depends completely on how much money you want to spend on your network, and also what the needs are.</p> segmentation local area network LAN virtual local area network VLAN firewall access control list acl segmentering lokala nätverk LAN virtuella lokala nätverk VLAN brandvägg access control list acl Computer science Datavetenskap
157	Designing and implementing a small scale Internet Service Provider Brown, Johan, Gustafsson Brokås, Alexander, Hurtig, Niklas, Johansson, Tobias January 2009 (has links) <p>The objective of this thesis is to design and implement a small scaleInternet Service Provider (ISP) for the NetCenter sub department atMälardalen University. The ISP is intended to give NetCenter a networkseparate from the University’s network, providing them with a moreflexible environment for lab purposes. This will give their students anopportunity to experience a larger backbone with Internet accessibility,which has not been previously available. At the same time it will place theteachers in control of the network in the NetCenter lab premises.The network is designed with a layered approach including an Internetaccess layer, a larger core segment and a distribution layer with aseparated lab network. It also incorporates both a public and a privateserver network, housing servers running e.g. Windows Active Directory,external DNS services, monitoring tools and logging applications. TheInternet access is achieved by peering with SUNET providing a full BGPfeed.This thesis report presents methods, implementations and results involvedin successfully creating the NetCenter ISP as both a lab network and anInternet provider with a few inevitable shortcomings; the most prominentbeing an incomplete Windows Domain setup.</p> Computer science Datavetenskap
158	Securing Network Connected Applications with Proposed Security Models Konstantaras, Dimitrios, Tahir, Mustafa January 2008 (has links) <p>In today’s society, serious organizations need protection against both internal and external attacks. There are many different technologies available that organizations can incorporate into their organization in order to enhance security for their networking applications. Unfortunately, security is way to often considered as an afterthought and therefore implemented as an external part of the applications. This is usually performed by introducing general security models and technologies.</p><p>However, an already developed, well structured and considered security approach – with proper implementation of security services and mechanisms – different security models can be used to apply security</p><p>within the security perimeter of an organization. It can range from built into the application to the edge of a private network, e.g. an appliance. No matter the choice, the involved people must possess security expertise to deploy the proposed security models in this paper, that have the soul purpose to secure applications.</p><p>By using the Recommendation X.800 as a comparison framework, the proposed models will be analyzed in detail and evaluated of how they provide the security services concerned in X.800. By reasoning about what security services that ought to be implemented in order to prevent or detect diverse security attacks, the organization needs to carry out a security plan and have a common understanding of the deﬁned security policies.</p><p>An interesting ﬁnding during our work was that, using a methodology that leads to low KLOC-values results in high security, though low KLOC-values and high security go hand-in-hand.</p> Security service security mechanism security protocol security policy X.800 standard attacks application proxy firewall Virtual Private Network (VPN) plugin filter Team Software Process (TSP) IPsec Common Criteria (CC) DMZ Computer science Datavetenskap
159	以SDN為基礎之自動化防火牆：規則學習、入侵偵測與多路頻寬負載平衡器之實作 / SDN based Automatic Firewall for Rules Learning, IDS and Multi-WAN Load Balancer 王昌弘, Wang, Chang Hung Unknown Date (has links) 防火牆是現今網路中的重要設備，負責區隔內部網路和公共網路，維護內部網路安全。然而防火牆也存在幾個重要的問題，首先，防火牆的規則是由網管人員設定，近年來隨著網路科技蓬勃發展、虛擬技術大量應用，此項工作已帶給網管人員龐大的負擔。其次，防火牆雖可隔離外部網路，阻擋有害流量，但對內部網路的防範卻毫無用武之地。目前市面上普遍使用入侵偵測系統(IDS)進行偵測，但僅能在發現攻擊行為後發出警告訊息，無法即時處理。最後，企業在連外網路部分，通常採用多條線路進行備援，並倚賴多路頻寬負載平衡器(Multi-WAN load balancer)增加頻寬的使用率，但在線路數量上卻受限於廠商所制定之規格，無法彈性調整。而在負載平衡演算法方面，也只能基於網路特徵(IP位置)、權重比例(weight)或是輪詢機制(round robin)，無法依據目前網路狀況做出更好判斷。為改善上述問題，本論文在軟體定義網路(SDN)環境下，使用交換機取代傳統防火牆設備，透過封包分析與信任觀測區間達到規則學習，並整合Snort入侵偵測系統，透過特徵比對，找出危害網路環境之封包，即時阻擋該危險流量。本論文也提出基於隨需(on demand)概念，動態調整防火牆規則，降低管理人員負擔。最後利用交換機擁有多個實體通訊埠的概念，依需求可自由調整對外及對內線路數量，不再受限於廠商規格，取代傳統多路寬頻負載平衡器，建構更彈性的架構。並透過收集交換機上的實體埠與資料流表中的資訊，即時評估網路狀況，加強負載平衡。為驗證本論文所提出之⽅法的有效性，我們使用Linux伺服器架設KVM、OpenvSwitch以及POX控制器實際建構SDN網路環境，透過發送封包對防火牆提出請求，以驗證實驗方法的正確性。根據實驗結果顯示，本論文所提出之概念均能正確運作，有效降低調整防火牆所需之人工作業。在多路寬頻負載平衡器部分，本研究所提出之負載平衡方法，與round robin負載平衡方法相較之下，在最佳情況下，能有效提升約25%平均頻寬使用率，並降低約17.5%封包遺失率。 / Firewall is an important device that is responsible for securing internal network by separating Internet from Intranet, but here are several existing issues about the firewall. First, the firewall rules are set by the network admistrator manually. Along with the vigorous development of Internet technologies and great amount of applications of virtual technology in recent years. This work burdens the network adminstrator with a heavy workload. Second, the firewall is able to isolate the external network from harmful traffic, however, it can do nothing to the internal network. The common situation is to use IDS to detect the harmful packet, but it can only send an alert message to the adminstrater, no more actions can be done. Finally, most companies use several ISP connections to assure fault tolerance and use Multi-WAN load balancer to integrate those connections to enhance bandwidth utilization. But the number of WAN/LAN ports is set by the manufacturer, and the load balance algorithm is also limited by the manufacturer. It offers only a few algorithms (network-based features, round-robin, etc.), and there is no other way to provide more efficient algorithms. In order to resolve the mentioned problems, we propose an automatic firewall based Software Defined Network (SDN). We use Openflow switches to replace traditional firewalls, the system is able to learn the rules automaticlly by packet analysis during an observation interval. We aslo integrate Snort Intrusion Detection System (IDS) to localize the dangerous packets and block them immediately. Next, we propose an on-demand based dynamic firewall rules adjustment mechanism which is able to reduce management workload. Finally, we implement a Multi-WAN load balancer architecture and provide a more efficient load balance algorithm by collecting port usage and firewall rule information. In order to verify the proposed methods, we implement a SDN environment by using Linux Ubuntu servers with KVM, Open vSwitch and POX controller. According to the experiment result, it proves that the proposed method is able to reduce the firewall configuration effectively. In the Multi-WAN load balancer, experiment results show that our method outperforms round-robin argrithom in terms of average bandwidth utilization and packet loss rate by 25% and 17.5%, respectively. 軟體定義網路防火牆入侵偵測系統多路頻寬負載平衡器 SDN Firewall IDS Multi-WAN Load Balancer
160	Securing Network Connected Applications with Proposed Security Models Konstantaras, Dimitrios, Tahir, Mustafa January 2008 (has links) In today’s society, serious organizations need protection against both internal and external attacks. There are many different technologies available that organizations can incorporate into their organization in order to enhance security for their networking applications. Unfortunately, security is way to often considered as an afterthought and therefore implemented as an external part of the applications. This is usually performed by introducing general security models and technologies. However, an already developed, well structured and considered security approach – with proper implementation of security services and mechanisms – different security models can be used to apply security within the security perimeter of an organization. It can range from built into the application to the edge of a private network, e.g. an appliance. No matter the choice, the involved people must possess security expertise to deploy the proposed security models in this paper, that have the soul purpose to secure applications. By using the Recommendation X.800 as a comparison framework, the proposed models will be analyzed in detail and evaluated of how they provide the security services concerned in X.800. By reasoning about what security services that ought to be implemented in order to prevent or detect diverse security attacks, the organization needs to carry out a security plan and have a common understanding of the deﬁned security policies. An interesting ﬁnding during our work was that, using a methodology that leads to low KLOC-values results in high security, though low KLOC-values and high security go hand-in-hand. Security service security mechanism security protocol security policy X.800 standard attacks application proxy firewall Virtual Private Network (VPN) plugin filter Team Software Process (TSP) IPsec Common Criteria (CC) DMZ Computer Sciences Datavetenskap (datalogi)

Search results