CSE331: Introduction to Networks and Security Lecture 30 Fall 2002.

Slides:

Advertisements

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Advertisements

CSCI Intelligent Embedded Systems, Spring A Distributed Location System for the Active Office Andy Harter, Andy Hopper.

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

IUT– Network Security Course 1 Network Security Firewalls.

FIREWALLS Chapter 11.

By Hiranmayi Pai Neeraj Jain

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Security Firewall Firewall design principle. Firewall Characteristics.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Firewalls and Intrusion Detection Systems

CSE331: Introduction to Networks and Security Lecture 15 Fall 2002.

Electronic Commerce 2. Definition Ecommerce is the process of buying and selling products and services via distributed electronic media, usually the World.

Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

CSE331: Introduction to Networks and Security Lecture 29 Fall 2002.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.

CSC 386 – Computer Security Scott Heggen. Agenda Introduction to Software Security.

Chapter 20 Firewalls.

FIREWALL Mạng máy tính nâng cao-V1.

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.

Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.

Lecture#2 on Internet and World Wide Web. Internet Applications Electronic Mail ( ) Electronic Mail ( ) Domain mail server collects incoming mail.

Chapter 11 Firewalls.

October 15, 2002Serguei A. Mokhov, 1 Intro to Internet-services from Security Standpoint SOEN321-Information-Systems Security Revision.

BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.

Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.

FIREWALLS Vivek Srinivasan. Contents Introduction Need for firewalls Different types of firewalls Conclusion.

1 Internet Browsing Vulnerabilities and Security ECE4112 Final Lab Ye Yan Frank Park Scott Kim Neil Joshi.

Internet and Intranet Fundamentals Class 9 Session A.

1 Firewalls G53ACC Chris Greenhalgh. 2 Contents l Attacks l Principles l Simple filters l Full firewall l Books: Comer ch

Firewalls and Info Services Prevent unathorized access between nets Most of the protection is based upon examination of the IP packets There is always.

1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.

Firewall Tutorial Hyukjae Jang Nc lab, CS dept, Kaist.

Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.

Network Security Chapter 11 powered by DJ 1. Chapter Objectives  Describe today's increasing network security threats and explain the need to implement.

1 Network Firewalls CSCI Web Security Spring 2003 Presented By Yasir Zahur.

Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.

A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.

Chapter 8 Network Security Thanks and enjoy! JFK/KWR All material copyright J.F Kurose and K.W. Ross, All Rights Reserved Computer Networking:

Buffer overflow and stack smashing attacks Principles of application software security.

Web Security Firewalls, Buffer overflows and proxy servers.

Role Of Network IDS in Network Perimeter Defense.

What's a Firewall? A security system that acts as a protective boundary between a network and the outside world Isolates computer from the internet using.

Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing.

Lecture 12 Page 1 CS 136, Spring 2009 Network Security: Firewalls CS 136 Computer Security Peter Reiher May 12, 2009.

@Yuan Xue Worm Attack Yuan Xue Fall 2012.

Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.

FIREWALLS An Important Component in Computer Systems Security By: Bao Ming Soh.

FIREWALL configuration in linux

Protecting Memory What is there to protect in memory?

Network Security Marshall Leitem 11/30/04

Computer Data Security & Privacy

* Essential Network Security Book Slides.

Software Security Lesson Introduction

Firewalls Jiang Long Spring 2002.

Session 20 INST 346 Technologies, Infrastructure and Architecture

FIGURE Illustration of Stack Buffer Overflow

Presentation transcript:

CSE331: Introduction to Networks and Security Lecture 30 Fall 2002

CSE331 Fall Announcements Homework 3 will be available on the web site this afternoon. Project 2 is graded –Mean: 89

CSE331 Fall Recap Capability Lists Firewalls Today –Firewalls –Program Security (Buffer Overflows)

CSE331 Fall When to Filter Router Inside Outside

CSE331 Fall On Input or Output Filtering on output can be more efficient since it can be combined with table lookup of the route. However, some information is lost at the output stage –e.g. the physical input port on which the packet arrived. –Can be useful information to prevent address spoofing. Filtering on input can protect the router itself.

CSE331 Fall Recommend: Filter ASAP Actionsrcportdestportcomment blockBAD***we don’t trust them allow**GW25connect to our SMTP allowGW25**our reply packets Actionsrcportdestportcomment block**BAD*subtle difference allow**GW25connect to our SMTP allowGW25**our reply packets Is preferred over:

CSE331 Fall Example of a Pitfall Filter output to allow incoming and outgoing mail, but prohibit all else. Apply this output filter set to both interfaces of the router. Does it work? Unintended consequence: allows all communication on high numbered ports! Actiondestportcomment allow*25incoming mail allow*>= 1024outgoing responses block**nothing else

CSE331 Fall Circuit Level Gateways Caller connects to a TCP port on the gateway and the gateway connects to a TCP port on the other side. It relays bytes, acting like a wire. More general-purpose than application-level but allows finer control than filtering only. Example: valuable logs of connections can be kept.

CSE331 Fall Application Level Gateways The gateway acts as an intermediary at the level of the application, receiving outgoing commands, relaying them, obtaining responses and relaying them back to the source. Mail gateways are a typical example. Very strong control over security, but Special purpose software is required.

CSE331 Fall Program Security Firewalls are not enough! –Some data & code is intentionally permitted through the firewall Programs have vulnerabilities –Exploitable bugs in “good” programs –Too many “features” (i.e. automatically execute macros) Malicious programs –Viruses –Worms –Trojan Horses

CSE331 Fall Buffer Overflow Attacks > 50% of security incidents reported at CERT are due to buffer overflow attacks Problem is access control but at a very fine level of granularity C and C++ programming languages don’t do array bounds checks

CSE331 Fall C’s Control Stack f() { g(parameter); } g(char *args) { int x; // more local // variables... } f’s stack frame Input parameter return address base pointer int x; // local // variables Larger Addresses

CSE331 Fall C’s Control Stack f() { g(parameter); } g(char *args) { int x; // more local // variables... } f’s stack frame Input parameter Larger Addresses

CSE331 Fall C’s Control Stack f() { g(parameter); } g(char *args) { int x; // more local // variables... } f’s stack frame Larger Addresses base pointer int x; // local // variables Input parameter return address

CSE331 Fall Buffer Overflow Example g(char *text) { char buffer[128]; strcpy(buffer, text); } f’s stack frame base pointer buffer[] return address text … Attack code 128 bytes ADDR

CSE331 Fall Buffer Overflow Example g(char *text) { char buffer[128]; strcpy(buffer, text); } f’s stack frame base pointer buffer[] return address text … Attack code 128 bytes ADDR … Attack code 128 bytes ADDR

CSE331 Fall The Problem C’s strcpy, gets, strcat functions don’t check array bounds These functions are used extensively –Feb : Internet Explorer HTML tags –telnetd Unix Telnet Daemon –Microsoft Outlook –…

CSE331 Fall Solutions Don’t write code in C –Use a safe language instead (Java, C#, …) –Not always possible (low level programming) –Doesn’t solve legacy code problem Link C code against safe version of libc –May degrade performance unacceptably Software fault isolation –Instrument executable code to insert checks Program analysis techniques –Examine program to see whether “tainted” data is used as argument to strcpy