Network Security Tool for a Novice

Ganduri, Rajasekhar

08 1900

Network security is a complex field that is handled by security professionals who need certain expertise and experience to configure security systems. With the ever increasing size of the networks, managing them is going to be a daunting task. What kind of solution can be used to generate effective security configurations by both security professionals and nonprofessionals alike? In this thesis, a web tool is developed to simplify the process of configuring security systems by translating direct human language input into meaningful, working security rules. These human language inputs yield the security rules that the individual wants to implement in their network. The human language input can be as simple as, "Block Facebook to my son's PC". This tool will translate these inputs into specific security rules and install the translated rules into security equipment such as virtualized Cisco FWSM network firewall, Netfilter host-based firewall, and Snort Network Intrusion Detection. This tool is implemented and tested in both a traditional network and a cloud environment. One thousand input policies were collected from various users such as staff from UNT departments' and health science, including individuals with network security background as well as students with a non-computer science background to analyze the tool's performance. The tool is tested for its accuracy (91%) in generating a security rule. It is also tested for accuracy of the translated rule (86%) compared to a standard rule written by security professionals. Nevertheless, the network security tool built has shown promise to both experienced and inexperienced people in network security field by simplifying the provisioning process to result in accurate and effective network security rules.

Network Security

Cloud Computing

OpenStack

Network Security Functions

Secure Wireless Communication

Muhovic, Admir

January 2007

The need for and requests for utilization of wireless equipment are growing rapidly. Advantages of using wireless communication are easy to realize. Having access to electronically stored information no matter where you are is a big advantage. Furthermore, wireless communication is increasingly utilized in everyday work and there is a constant development of new wireless equipment. Today, utilization of wireless communication is very practical as well as effective. On the other hand, using wireless equipment and communication entails risk unless efforts are made to secure this communication. Some wireless protocols exist and are used, despite their being vulnerable to attacks. Additionally, the traffic can easily be eavesdropped. Incorrect installation of wireless equipment contributes to the vulnerabilities of wireless communication. Some of the IT-equipment available on the market today offers wireless communication. This equipment is increasingly used within FMV. Such equipment includes: laptops, PDAs, cellular phones, etc. This wireless equipment, according to FMV’s information security policy, must be approved from a security viewpoint before it can be used at FMV. Thus an analysis of risks associated with usage of wireless equipment must take place and the mechanisms necessary to ensure adequate security must be identified. The document “Requirements on Security Functions (Kraven på SäkerhetsFunktioner, KSF)” identifies the technical and/or administrative requirements for such equipment.</p> The aim of this thesis was to analyze if it is possible to utilize wireless equipment at FMV, specifically, if it can be connected to the internal LAN at FMV. In other words, the wireless equipment must be able to offer security protection corresponding to the information security class: HEMLIG/RESTRICTED. The thesis contains an analysis of which security functions are available on the market today and evaluates whether these security functions meet the requirements given in KSF. The result is a proposal for the best security mechanism(s) within the constraints of KSF and the available equipment. The thesis proposes a technical solution along with suitable security mechanisms. The advantages and drawbacks of each has been analyzed. Additionally, the thesis presents a number of (administrative) security policies in order to be able to handle security aspects which are not covered by the KSF. / Behoven och efterfrågan av mobil och trådlös utrustning är i dagsläget allt större. Fördelarna med att använda sig av trådlös kommunikation är enkla att inse. Att kunna ha tillgång till elektroniskt lagrad information oavsett var man än befinner sig är en stor fördel. Vidare implementeras trådlös kommunikation allt mer i det vardagliga arbetet samtidigt som utrustning för denna sorts kommunikation är i ständig utveckling. I slutändan är användandet av trådlös kommunikation väldigt praktiskt samtidigt som det är effektivt. Användandet av trådlös utrustning och kommunikation medför ett risktagande då denna typ av kommunikation allmänt är osäker. Detta eftersom teknologin fortfarande är i utvecklingsfasen. De i dagsläget aktuella trådlösa protokollen är sårbara för attacker och det är dessutom enkelt att avlyssna trafiken. Felaktig installation av utrustning bidrar dessutom också till att den trådlösa kommunikationen blir sårbar. En del av den IT-utrustning som idag finns tillgänglig ute på marknaden och som alltmer används inom FMV har möjlighet att kommunicera trådlöst med omgivningen. Exempel på sådan utrustning är bärbara datorer, PDA:er, mobiltelefoner mm. Denna typ av utrustning, dvs. trådlös utrustning, skall enligt FMVs informationssäkerhetspolicy godkännas från säkerhetssynpunkt innan den får tas i bruk på FMV. Det innebär att man utför en analys av vilka risker som är förknippade med användandet av trådlös utrustning samt att man identifierar adekvata skyddsåtgärder. Till sin hjälp använder man sig av Kraven på SäkerhetsFunktioner (KSF) som består av tekniska och/eller administrativa krav. Syftet med detta examensarbete var att undersöka om det finns möjlighet att använda trådlös utrustning på FMV, dvs. att denna används på interna LAN på FMV. Med andra ord skall den trådlösa utrustningen kunna erbjuda ett skydd motsvarande högst informationssäkerhetsklassen HEMLIG/RESTRICTED (H/R). Examensarbetet innefattar en analys av vilka säkerhetsfunktioner idag finns tillgängliga ute på marknaden och utvärderar huruvida dessa säkerhetsfunktioner uppfyller kraven givna i Kraven på SäkerhetsFunktioner (KSF). Resultatet är ett förslag på de bästa säkerhetsmekanismerna inom restriktionerna av KSF och den tillgängliga utrustningen. Examensarbetet föreslår en teknisk lösning med lämpliga säkerhetsmekanismer. Dess för- och nackdelar har analyserats. Examensarbetet presenterar dessutom ett antal (administrativa) säkerhets policies som hanterar säkerhetsaspekter som inte omhändertas av KSF.

Wireless communication

Wireless equipment

Security policy

Security functions

Communication Systems

Kommunikationssystem

Secure electronic tendering

Du, Rong

January 2007

Tendering is a method for entering into a sales contract. Numerous electronic tendering systems have been established with the intent of improving the efficiency of the tendering process. Although providing adequate security services is a desired feature in an e-tendering system, current e-tendering systems are usually designed with little consideration of security and legal compliance. This research focuses on designing secure protocols for e-tendering systems. It involves developing methodologies for establishing security requirements, constructing security protocols and using formal methods in protocol security verification. The implication is that it may prove suitable for developing secure protocols in other electronic business domains. In depth investigations are conducted into a range of issues in relation to establishing generic security requirements for e-tendering systems. The outcomes are presented in a form of basic and advanced security requirements for e-tendering process. This analysis shows that advanced security services are required to secure e-tender negotiation integrity and the submission process. Two generic issues discovered in the course of this research, functional difference and functional limitations, are fundamental in constructing secure protocols for tender negotiation and submission processes. Functional difference identification derives advanced security requirements. Functional limitation assessment defines how the logic of generic security mechanisms should be constructed. These principles form a proactive analysis applied prior to the construction of security protocols. Security protocols have been successfully constructed using generic cryptographic security mechanisms. These protocols are secure e-tender negotiation integrity protocol suite, and secure e-tender submission protocols. Their security has been verified progressively during the design. Verification results show that protocols are secure against common threat scenarios. The primary contribution of this stage are the procedures developed for the complex e-business protocol analysis using formal methods. The research shows that proactive analysis has made this formal security verification possible and practical for complex protocols. These primary outcomes have raised awareness of security issues in e-tendering. The security solutions proposed in the protocol format are the first in e-tendering with verifiable security against common threat scenarios, and which are also practical for implementation. The procedures developed for securing the e-tendering process are generic and can be applied to other business domains. The study has made improvements in: establishing adequate security for a business process; applying proactive analysis prior to secure protocol construction; and verifying security of complex e-business protocols using tool aided formal methods.

e-tendering

e-procurement

e-auction

e-commerce

e-business

business process

e-tender negotiation

e-tender submission

security

security requirements

secure protocol

security functions

integrity

confidentiality

threat

threat scenario

cryptology

cryptography

generic securitymechanism

cryptographic hash function

digital signature

commitment scheme

identity based encryption

formal method

shvt

model checking

threat modeling

verification elements

verification process