Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE331: Introduction to Networks and Security Lecture 30 Fall 2002.

Published byAlly Dowdle Modified over 10 years ago

Similar presentations

Presentation on theme: "CSE331: Introduction to Networks and Security Lecture 30 Fall 2002."— Presentation transcript:

1 CSE331: Introduction to Networks and Security Lecture 30 Fall 2002

2 CSE331 Fall 20022 Announcements Homework 3 will be available on the web site this afternoon. Project 2 is graded –Mean: 89

3 CSE331 Fall 20023 Recap Capability Lists Firewalls Today –Firewalls –Program Security (Buffer Overflows)

4 CSE331 Fall 20024 When to Filter Router Inside Outside

5 CSE331 Fall 20025 On Input or Output Filtering on output can be more efficient since it can be combined with table lookup of the route. However, some information is lost at the output stage –e.g. the physical input port on which the packet arrived. –Can be useful information to prevent address spoofing. Filtering on input can protect the router itself.

6 CSE331 Fall 20026 Recommend: Filter ASAP Actionsrcportdestportcomment blockBAD***we don’t trust them allow**GW25connect to our SMTP allowGW25**our reply packets Actionsrcportdestportcomment block**BAD*subtle difference allow**GW25connect to our SMTP allowGW25**our reply packets Is preferred over:

7 CSE331 Fall 20027 Example of a Pitfall Filter output to allow incoming and outgoing mail, but prohibit all else. Apply this output filter set to both interfaces of the router. Does it work? Unintended consequence: allows all communication on high numbered ports! Actiondestportcomment allow*25incoming mail allow*>= 1024outgoing responses block**nothing else

8 CSE331 Fall 20028 Circuit Level Gateways Caller connects to a TCP port on the gateway and the gateway connects to a TCP port on the other side. It relays bytes, acting like a wire. More general-purpose than application-level but allows finer control than filtering only. Example: valuable logs of connections can be kept.

9 CSE331 Fall 20029 Application Level Gateways The gateway acts as an intermediary at the level of the application, receiving outgoing commands, relaying them, obtaining responses and relaying them back to the source. Mail gateways are a typical example. Very strong control over security, but Special purpose software is required.

10 CSE331 Fall 200210 Program Security Firewalls are not enough! –Some data & code is intentionally permitted through the firewall Programs have vulnerabilities –Exploitable bugs in “good” programs –Too many “features” (i.e. automatically execute macros) Malicious programs –Viruses –Worms –Trojan Horses

11 CSE331 Fall 200211 Buffer Overflow Attacks > 50% of security incidents reported at CERT are due to buffer overflow attacks Problem is access control but at a very fine level of granularity C and C++ programming languages don’t do array bounds checks

12 CSE331 Fall 200212 C’s Control Stack f() { g(parameter); } g(char *args) { int x; // more local // variables... } f’s stack frame Input parameter return address base pointer int x; // local // variables Larger Addresses

13 CSE331 Fall 200213 C’s Control Stack f() { g(parameter); } g(char *args) { int x; // more local // variables... } f’s stack frame Input parameter Larger Addresses

14 CSE331 Fall 200214 C’s Control Stack f() { g(parameter); } g(char *args) { int x; // more local // variables... } f’s stack frame Larger Addresses base pointer int x; // local // variables Input parameter return address

15 CSE331 Fall 200215 Buffer Overflow Example g(char *text) { char buffer[128]; strcpy(buffer, text); } f’s stack frame base pointer buffer[] return address text … Attack code 128 bytes ADDR

16 CSE331 Fall 200216 Buffer Overflow Example g(char *text) { char buffer[128]; strcpy(buffer, text); } f’s stack frame base pointer buffer[] return address text … Attack code 128 bytes ADDR … Attack code 128 bytes ADDR

17 CSE331 Fall 200217 The Problem C’s strcpy, gets, strcat functions don’t check array bounds These functions are used extensively –Feb. 25 2002: Internet Explorer HTML tags –telnetd Unix Telnet Daemon –Microsoft Outlook –…

18 CSE331 Fall 200218 Solutions Don’t write code in C –Use a safe language instead (Java, C#, …) –Not always possible (low level programming) –Doesn’t solve legacy code problem Link C code against safe version of libc –May degrade performance unacceptably Software fault isolation –Instrument executable code to insert checks Program analysis techniques –Examine program to see whether “tainted” data is used as argument to strcpy

Download ppt "CSE331: Introduction to Networks and Security Lecture 30 Fall 2002."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
CSCI 599 - Intelligent Embedded Systems, Spring 20021 A Distributed Location System for the Active Office Andy Harter, Andy Hopper.

CSCI Intelligent Embedded Systems, Spring A Distributed Location System for the Active Office Andy Harter, Andy Hopper.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?

1 Topic 1 – Lesson 3 Network Attacks Summary. 2 Questions ► Compare passive attacks and active attacks ► How do packet sniffers work? How to mitigate?
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.

Access Control for Networks Problems: –Enforce an access control policy Allow trust relationships among machines –Protect local internet from outsiders.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
CSE331: Introduction to Networks and Security Lecture 15 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 15 Fall 2002.
Electronic Commerce 2. Definition Ecommerce is the process of buying and selling products and services via distributed electronic media, usually the World.

Electronic Commerce 2. Definition Ecommerce is the process of buying and selling products and services via distributed electronic media, usually the World.
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.

Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Similar presentations

Ads by Google