2009 Personal Firewall Robustness Evaluation
The evolution of the internet as a platform for commerce, banking, general information and personal communications has resulted in a situation where many individuals who may not have previously required internet access now require this connectivity as part of their everyday lives. In addition to this, the widespread adoption of mobile broadband has led to an increasing number of individuals having public facing IP addresses with no firewall appliances present. This situation has dramatically increased reliance on personal firewalls as the first and often last defence against intruders (human and malware alike). The evaluation performed demonstrates the capabilities of current personal firewall software to mitigate the threat posed by these intruders. The results show that the majority of personal firewall products evaluated are somewhat effective in reducing the risks of remote exploitation but leave something to be desired in the area of information disclosure.
Evaluation of network security based on next generation intrusion prevention system
Next Generation Intrusion Prevention System (NGIPS) is a system that monitors network traffic, detects suspicious activity, and performs early prevention of intrusions that can cause the network not to run as it is supposed to. NGIPS provides broader vulnerability protection than a traditional IPS, especially at the application layer, where it can detect and learn about vulnerable assets and carry out layered inspection up to layer 7 of the packet. This paper is intended to analyze and evaluate NGIPS in protecting the network from penetration that utilizes a weakness of the firewall, namely exploitation of the HTTP port. With NGIPS in place, it is expected that network security can be improved and that the network administrator can monitor and detect threats rapidly. The research method includes a scenario and topology penetration testing plan. The result of this research is the evaluation of penetration testing that utilizes the HTTP port to exploit through a malicious domain. The evaluation was conducted to ensure that the NGIPS system can secure the network environment through penetration testing. It can be concluded that this study can serve as a reference for optimizing network security with NGIPS as a network security layer.
Multi-scale location analysis of vulnerabilities and their link to disturbances within digital ecosystems
As computer networks evolve, so too do the techniques used by attackers to exploit new vulnerabilities. Natural ecosystems already have resistant and resilient properties that help protect them from unwanted disturbances despite the existence of different vulnerabilities. Computer networks and their environments can be considered as digital ecosystems with different vulnerabilities, and security attacks can be considered as unwanted disturbances. Analysis of vulnerabilities and attacks from this perspective may open up new ecosystem-based security strategies.
Theory and practice of firewall outsourcing
A firewall system is a packet filter that is placed at the entry point of an enterprise network in the Internet. Packets that attempt to enter the enterprise network through this entry point are examined, one by one, against the rules of some underlying firewall F of the firewall system. Each rule in F has a decision which is either “accept” or “reject”. For any incoming packet p, the firewall system identifies the first rule (in the sequence of rules in F) that matches p. If the decision of this rule is “accept”, then the firewall system forwards p to the enterprise network. Otherwise the decision of this rule is “reject” and packet p is discarded and prevented from entering the network. Each firewall system consists of two units: a rule matching unit and a decision unit. Both units are usually executed in the firewall system. To simplify the task of managing the firewall system, we identify a special class of firewall systems, called the outsourced system, where the rule matching unit is executed in a public cloud. Unfortunately, public clouds are usually unreliable and execution of the rule matching unit in a public cloud can be vulnerable to two types of attacks: verifiability attacks and privacy attacks. The main objective of this dissertation is to discuss how to execute the rule matching unit of an outsourced system in a public cloud such that verifiability and privacy attacks are prevented from occurring. The main contribution of this dissertation is three-fold. First, we discuss how to design an outsourced firewall system such that execution of the designed system in the public clouds prevents the occurrence of verifiability and privacy attacks. The resulting system, called the private system, makes use of two public clouds. We show that this private system prevents verifiability and privacy attacks under the assumption that the two public clouds used in this system are both “sensible” and “non-colluding”.
Second, we identify a special class of firewalls, called the partially specified firewall, where a firewall is called partially specified when the decisions of some of the rules in the firewall are not specified as “accept” or “reject”. We show that for every partially specified firewall PF, there is a (fully specified) firewall F such that PF and F are equivalent. We discuss how to design an outsourced system whose underlying firewall is a partially specified firewall PF such that the designed system prevents both verifiability and privacy attacks. We achieve this outsourced system by obtaining an equivalent firewall F from PF and designing a private system for F. Third, we present a generalization of firewalls called firewall expressions. A firewall expression is specified using one or more component firewalls and three firewall operators: “not”, “and”, and “or”. For example, the firewall expression (G and H) consists of two component firewalls G and H and one firewall operator “and”. This firewall expression accepts a packet p iff both firewalls G and H accept p. For any underlying firewall expression FE, we define an Expression System as a generalization of firewall systems that takes as input any packet p and determines whether the underlying firewall expression FE accepts or rejects packet p. We design an outsourced expression system for any underlying firewall expression FE. We achieve this outsourced expression system by using a private system for each component firewall of FE and combining these private systems through an overall decision unit to determine whether any packet is accepted or rejected according to the firewall expression FE.
Power Relationships in Information Systems Security Policy Formulation and Implementation
This thesis argues that organizational power impacts the development and implementation of Information Systems (IS) Security policy. The motivation for this research stems from the continuing concern of ineffective security in organizations, leading to significant monetary losses. IS researchers have contended that ineffective IS Security policy is a precursor to ineffective IS Security (Loch et al. 1992; Whitman et al. 2001; David 2002; Solms and Solms 2004). Beyond this pragmatic aspect, there is a gap in the literature concerning power relationships and IS Security policy. This research intends to bridge the gap. The dissertation is a two-phased study whereby the first phase seeks to understand the intricacies of IS Security policy formulation and implementation. In the first phase, a conceptual framework utilizes Katz's (1970) semantic theory. The conceptual framework provides the theoretical foundation for a case study that takes place at an educational institution's Information Technology (IT) Department. In the results, it is confirmed that a disconnect exists between IS Security policy formulation and implementation. Furthermore, a significant emergent finding indicates that power relationships have a direct impact on this observed disconnect. The second phase takes place as an in-depth case study at the IT department within a large financial organization. The theoretical foundation for the second phase is based on Clegg's (2002) Circuits of Power. A conceptual framework for this phase utilizes this theory. This framework guides the study of power relationships and how they might affect the formulation and implementation of IS Security policy in this organization. The case study demonstrates that power relationships have a clear impact on the formulation and implementation of IS security policy.
Though there is a strong security culture at the organization and a well-defined set of processes, an improvement in the process and ensuing security culture is possible by accounting for the effect of power relationships.
On Provable Security for Complex Systems
We investigate the contribution of cryptographic proofs of security to a systematic security engineering process. To this end we study how to model and prove security for concrete applications in three practical domains: computer networks, data outsourcing, and electronic voting. We conclude that cryptographic proofs of security can benefit a security engineering process in formulating requirements, influencing design, and identifying constraints for the implementation.
Analysis of vulnerabilities in Internet firewalls
Firewalls protect a trusted network from an untrusted network by filtering traffic according to a specified security policy. A diverse set of firewalls is being used today. As it is infeasible to examine and test each firewall for all possible potential problems, a taxonomy is needed to understand firewall vulnerabilities in the context of firewall operations. This paper describes a novel methodology for analyzing vulnerabilities in Internet firewalls. A firewall vulnerability is defined as an error made during firewall design, implementation, or configuration, that can be exploited to attack the trusted network that the firewall is supposed to protect. We examine firewall internals, and cross-reference each firewall operation with causes and effects of weaknesses in that operation, analyzing twenty reported problems with available firewalls. The result of our analysis is a set of matrices that illustrate the distribution of firewall vulnerability causes and effects over firewall operations. These matrices are useful in avoiding and detecting unforeseen problems during both firewall implementation and firewall testing. Two case studies of Firewall-1 and Raptor illustrate our methodology.