Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
This document discusses the Address Resolution Protocol (ARP) and its use in intrusion detection systems. It proposes a standardized 64-byte ARP protocol structure to more easily capture ARP packets from a network. The structure includes fields for frame information, destination and source addresses, ARP type details, and sender/target MAC and IP addresses. This standardized structure could be integrated into network monitoring to help detect intrusions without affecting normal data transfer processes. Overall, the document aims to optimize the ARP sequence for use in intrusion detection systems.
Layered Approach for Preprocessing of Data in Intrusion Prevention SystemsEditor IJCATR
Due to extensive growth of the Internet and increasing availability of tools and methods for intruding and attacking
networks, intrusion detection has become a critical component of network security parameters. TCP/IP protocol suite is the defacto
standard for communication on the Internet. The underlying vulnerabilities in the protocols is the root cause of intrusions. Therefor
Intrusion detection system becomes an important element in network security that controls real time data and leads to huge
dimensional problem. Processing large number of packets and data in real time is very difficult and costly. Therefor data preprocessing
is necessary to remove redundant and unwanted information from packets and clean network data. Here, we are focusing on
two important aspects of intrusion detection; one is accuracy and other is performance. The layered approach of TCP/IP model can be
applied to packet pre-processing to achieve early and faster intrusion detection. Motivation for the paper comes from the large impact
data preprocessing has on the accuracy and capability of anomaly-based NIPS. In this paper it is demonstrated that high attack
detection accuracy can be achieved by using layered approach for data preprocessing in Internet. To reduce false positive rate and to
increase efficiency of detection, the paper proposed framework for preprocessing in intrusion prevention system. We experimented
with real time network traffic as well as he KDDcup99 dataset for our research.
This document discusses evaluating the performance of a DMZ (demilitarized zone) network configuration. It begins with an introduction to DMZs and their purpose of adding an additional layer of network security. It then reviews related work that has evaluated DMZ performance and firewall performance but not specifically DMZ performance. The document aims to explore evaluating DMZ performance using network simulation software. It provides background on common firewall types - packet filtering, stateful inspection, and application-proxy gateways - before discussing ways to test DMZ configurations and analyze the effects on network performance.
A NOVEL HEADER MATCHING ALGORITHM FOR INTRUSION DETECTION SYSTEMSIJNSA Journal
The evolving necessity of the Internet increases the demand on the bandwidth. Therefore, this demand opens the doors for the hackers’ community to develop new methods and techniques to gain control over networking systems. Hence, the intrusion detection systems (IDS) are insufficient to prevent/detect unauthorized access the network. Network Intrusion Detection System (NIDS) is one example that still suffers from performance degradation due the increase of the link speed in today’s networks. In This paper we proposed a novel algorithm to detect the intruders, who’s trying to gain access to the network using the packets header parameters such as;
source/destination address, source/destination port, and protocol without the need to inspect each packet content looking for signatures/patterns. However, the “Packet Header Matching” algorithm enhances the overall speed of the matching process between the incoming packet headers against the rule set. We ran the proposed algorithm to proof the proposed concept in coping with the traffic arrival speeds and the various bandwidth demands. The achieved results were of significant enhancement of the overall performance in terms of detection speed.
The document discusses the history and development of virtual private networks (VPNs). It explains that early VPNs used IPSec but had problems with complexity and interoperability. This led to the development of user-space VPNs using virtual network interfaces and encapsulating IP packets in UDP for transmission over public networks like the internet. OpenVPN is highlighted as an open-source user-space VPN that follows this model and provides a more portable and easier to configure alternative to IPSec VPNs.
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
Firewalls have been the first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.
A firewall can be hardware, software, or both.
This document proposes a novel method to defend against IP spoofing attacks using packet filtering and marking techniques. It involves a network architecture model with trusted nodes that can access each other after authentication. The proposed method uses packet tracing and cooperation between trusted adjacent nodes to detect and block spoofed packets entering the trusted network from external sources. It aims to effectively defend against distributed denial of service attacks and IP spoofing attacks.
1) Packet filter firewalls operate at the network layer and filter network traffic based on IP addresses, ports, and protocols. They are fast but cannot block application-specific attacks.
2) Stateful inspection firewalls add awareness of transport layer connections to packet filtering but open high-numbered ports, increasing risk.
3) Application proxy firewalls authenticate users and can block application commands but are slower and less adaptable than other firewall types.
This document discusses the Address Resolution Protocol (ARP) and its use in intrusion detection systems. It proposes a standardized 64-byte ARP protocol structure to more easily capture ARP packets from a network. The structure includes fields for frame information, destination and source addresses, ARP type details, and sender/target MAC and IP addresses. This standardized structure could be integrated into network monitoring to help detect intrusions without affecting normal data transfer processes. Overall, the document aims to optimize the ARP sequence for use in intrusion detection systems.
Layered Approach for Preprocessing of Data in Intrusion Prevention SystemsEditor IJCATR
Due to extensive growth of the Internet and increasing availability of tools and methods for intruding and attacking
networks, intrusion detection has become a critical component of network security parameters. TCP/IP protocol suite is the defacto
standard for communication on the Internet. The underlying vulnerabilities in the protocols is the root cause of intrusions. Therefor
Intrusion detection system becomes an important element in network security that controls real time data and leads to huge
dimensional problem. Processing large number of packets and data in real time is very difficult and costly. Therefor data preprocessing
is necessary to remove redundant and unwanted information from packets and clean network data. Here, we are focusing on
two important aspects of intrusion detection; one is accuracy and other is performance. The layered approach of TCP/IP model can be
applied to packet pre-processing to achieve early and faster intrusion detection. Motivation for the paper comes from the large impact
data preprocessing has on the accuracy and capability of anomaly-based NIPS. In this paper it is demonstrated that high attack
detection accuracy can be achieved by using layered approach for data preprocessing in Internet. To reduce false positive rate and to
increase efficiency of detection, the paper proposed framework for preprocessing in intrusion prevention system. We experimented
with real time network traffic as well as he KDDcup99 dataset for our research.
This document discusses evaluating the performance of a DMZ (demilitarized zone) network configuration. It begins with an introduction to DMZs and their purpose of adding an additional layer of network security. It then reviews related work that has evaluated DMZ performance and firewall performance but not specifically DMZ performance. The document aims to explore evaluating DMZ performance using network simulation software. It provides background on common firewall types - packet filtering, stateful inspection, and application-proxy gateways - before discussing ways to test DMZ configurations and analyze the effects on network performance.
A NOVEL HEADER MATCHING ALGORITHM FOR INTRUSION DETECTION SYSTEMSIJNSA Journal
The evolving necessity of the Internet increases the demand on the bandwidth. Therefore, this demand opens the doors for the hackers’ community to develop new methods and techniques to gain control over networking systems. Hence, the intrusion detection systems (IDS) are insufficient to prevent/detect unauthorized access the network. Network Intrusion Detection System (NIDS) is one example that still suffers from performance degradation due the increase of the link speed in today’s networks. In This paper we proposed a novel algorithm to detect the intruders, who’s trying to gain access to the network using the packets header parameters such as;
source/destination address, source/destination port, and protocol without the need to inspect each packet content looking for signatures/patterns. However, the “Packet Header Matching” algorithm enhances the overall speed of the matching process between the incoming packet headers against the rule set. We ran the proposed algorithm to proof the proposed concept in coping with the traffic arrival speeds and the various bandwidth demands. The achieved results were of significant enhancement of the overall performance in terms of detection speed.
The document discusses the history and development of virtual private networks (VPNs). It explains that early VPNs used IPSec but had problems with complexity and interoperability. This led to the development of user-space VPNs using virtual network interfaces and encapsulating IP packets in UDP for transmission over public networks like the internet. OpenVPN is highlighted as an open-source user-space VPN that follows this model and provides a more portable and easier to configure alternative to IPSec VPNs.
A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
Firewalls have been the first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.
A firewall can be hardware, software, or both.
This document proposes a novel method to defend against IP spoofing attacks using packet filtering and marking techniques. It involves a network architecture model with trusted nodes that can access each other after authentication. The proposed method uses packet tracing and cooperation between trusted adjacent nodes to detect and block spoofed packets entering the trusted network from external sources. It aims to effectively defend against distributed denial of service attacks and IP spoofing attacks.
1) Packet filter firewalls operate at the network layer and filter network traffic based on IP addresses, ports, and protocols. They are fast but cannot block application-specific attacks.
2) Stateful inspection firewalls add awareness of transport layer connections to packet filtering but open high-numbered ports, increasing risk.
3) Application proxy firewalls authenticate users and can block application commands but are slower and less adaptable than other firewall types.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
A firewall manages secure network traffic flow between trusted and untrusted networks. It monitors traffic and acts as a barrier. Firewalls differ from antivirus software which protects against internal threats rather than external network attacks. Firewall types include packet filtering, stateful inspection, proxy, and next generation firewalls. A firewall's functions are to securely allow authorized network traffic while restricting unauthorized access and monitoring all network activity.
It is for the new users those don't have much knowledge regarding IT Security. Here i focus on Windows In built firewall, Comodo, Zone Alarm and Out Post pro configuration basics.
This document discusses firewalls and their configuration. It begins by defining what a firewall is and how they can be implemented as hardware or software. It then describes common firewall filtering techniques like packet filtering, application gateways, circuit-level gateways, and proxy servers. Next, it outlines characteristics of firewall protection such as different protection levels based on network location, protection of wireless networks, access to networks and the internet, and protection against intruders. Finally, it lists important aspects to consider when configuring a firewall, such as enabling/disabling it, setting security levels, and configuring permissions and rules for programs and connections.
This document proposes a new framework to prevent DDoS attacks using multilevel filtering of distributed firewalls. At the primary level, distributed firewalls filter IP addresses from both the internet and intranet. At the secondary level, hop count and TTL based filtering provide additional secure filtration. The framework reduces limitations of previous techniques by combining benefits of distributed firewalls and dual filtering approaches. Distributed firewalls are installed throughout the network and centrally controlled. They filter traffic based on centralized security policies. Additional hop count and TTL filtering of packets further strengthens prevention of spoofed IP addresses and DDoS attacks.
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...IJCNCJournal
There are many security models for computer networks using a combination of Intrusion Detection System and Firewall proposed and deployed in practice. In this paper, we propose and implement a new model of the association between Intrusion Detection System and Firewall operations, which allows Intrusion Detection System to automatically update the firewall filtering rule table whenever it detects a weirdo intrusion. This helps protect the network from attacks from the Internet.
Genetic Algorithm based Layered Detection and Defense of HTTP BotnetIDES Editor
A System state in HTTP botnet uses HTTP protocol
for the creation of chain of Botnets thereby compromising
other systems. By using HTTP protocol and port number 80,
attacks can not only be hidden but also pass through the
firewall without being detected. The DPR based detection
leads to better analysis of botnet attacks [3]. However, it
provides only probabilistic detection of the attacker and also
time consuming and error prone. This paper proposes a Genetic
algorithm based layered approach for detecting as well as
preventing botnet attacks. The paper reviews p2p firewall
implementation which forms the basis of filtering.
Performance evaluation is done based on precision, F-value
and probability. Layered approach reduces the computation
and overall time requirement [7]. Genetic algorithm promises
a low false positive rate.
The document discusses analyzing the password generating algorithms used in wireless routers commonly deployed in the Netherlands. The authors were able to reverse engineer routers from several major Dutch internet providers and telecom companies. They found the routers used insecure proprietary algorithms to generate default WPA2 passwords that were trivial to recover within minutes, leaving networks vulnerable to attack. The authors worked with the Dutch government to disclose the issues responsibly and coordinate public notifications.
This document discusses and compares four main methodologies used in Intrusion Detection and Prevention Systems (IDPS): signature-based, anomaly-based, stateful protocol analysis-based, and hybrid-based. It provides details on how each methodology works and its strengths and weaknesses. A hybrid methodology that combines two or more of the other approaches is described as generally providing the best detection capabilities by taking advantage of the strengths of the individual methodologies. The document concludes by offering a way to evaluate IDPS systems based on parameters like resistance to evasion, accuracy, overhead, and other factors.
This document describes a distributed intrusion detection system based on honeypots. It proposes using honeypots to collect invasion characteristics on the network and genetic clustering algorithms to extract data for analysis. The system combines protocol analysis and signature detection modules to improve detection performance. An evaluation using KDDCUP 99 intrusion data showed the system can better detect intrusions and improve network security compared to traditional intrusion detection systems.
A Survey on DPI Techniques for Regular Expression Detection in Network Intrus...ijsrd.com
This document surveys various techniques for regular expression detection in deep packet inspection for network intrusion detection systems. It discusses how regular expressions are used with techniques like deterministic finite automata to detect attack signatures by matching packet payloads to predefined regular expression patterns. Specifically, it examines techniques like LaFA, TCAM, StriFA, CompactDFA, and DFA/EC that aim to improve regular expression matching performance by reducing memory usage, increasing matching speed, or decreasing the number of required states. The survey aims to understand these techniques and their potential application in improving intrusion detection in wireless networks.
Access control lists (ACLs) determine which devices can access routers based on IP address. ACLs can filter packets based on port numbers and are configured for inbound or outbound traffic. Standard ACLs filter based on source IP, while extended ACLs can filter based on additional attributes like protocol, ports, and IP addresses. Virtual private networks (VPNs) use protocols like IPSec and SSL with authentication methods such as certificates to securely transmit data over unsecured networks.
Wireless Networks Security in Jordan: A Field StudyIJNSA Journal
- The document summarizes a study that evaluated the security of wireless networks in Jordan through a process called "wardriving" where the researchers drove around with wireless network detection tools.
- The results found that the majority (79.52%) of wireless networks tested were unsecured and vulnerable. Most networks used either low levels of encryption (68.67%) or no encryption at all (11.45%).
- Nearly all networks broadcast the default SSID (92.17%), leaving them exposed to potential hackers since changing the SSID is a basic security precaution.
The document discusses data security in local networks using distributed firewalls. It describes how distributed firewalls work to overcome issues with traditional firewalls, which rely on a single entry point. Distributed firewalls are centrally managed from a network server but installed on endpoints throughout the network. This allows security policies to be defined and pushed centrally while filtering traffic both from the internet and internally. It also discusses how distributed firewalls use pull and push techniques to update endpoints with the latest security policies from the central management server.
The document describes a hybrid honeypot framework for collecting and analyzing malware. The framework uses both client honeypots and server honeypots controlled by a central honeypot controller. Client honeypots actively visit URLs to detect client-side attacks, while server honeypots passively detect server-side attacks. Collected malware is stored in a central database and analyzed on an analysis server to detect known and unknown malware types through dynamic execution and static analysis. The integrated framework was able to collect thousands of malware samples, including some not detected by antivirus software.
The document discusses firewall design principles, characteristics, and types. It describes three common firewall configurations: screened host with single-homed bastion host, screened host with dual-homed bastion host, and screened subnet. It also covers trusted systems, access control, and defending against Trojan horse attacks.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
International Journal of Engineering Research and DevelopmentIJERD Editor
This document discusses failure mechanisms in turbine blades of gas turbine engines. It begins by providing background on gas turbine engines and noting that turbine blade failures account for 42% of failures in some studies. The main failure mechanisms discussed are fatigue, creep, and corrosion. Fatigue can be low-cycle or high-cycle depending on the number of stress cycles and can initiate from cracks. Creep is stress-related deformation that increases with temperature and time. It can cause blade tips to rub casing. Corrosion can occur when blade coatings are removed from tip contact exposing the alloy.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
A firewall manages secure network traffic flow between trusted and untrusted networks. It monitors traffic and acts as a barrier. Firewalls differ from antivirus software which protects against internal threats rather than external network attacks. Firewall types include packet filtering, stateful inspection, proxy, and next generation firewalls. A firewall's functions are to securely allow authorized network traffic while restricting unauthorized access and monitoring all network activity.
It is for the new users those don't have much knowledge regarding IT Security. Here i focus on Windows In built firewall, Comodo, Zone Alarm and Out Post pro configuration basics.
This document discusses firewalls and their configuration. It begins by defining what a firewall is and how they can be implemented as hardware or software. It then describes common firewall filtering techniques like packet filtering, application gateways, circuit-level gateways, and proxy servers. Next, it outlines characteristics of firewall protection such as different protection levels based on network location, protection of wireless networks, access to networks and the internet, and protection against intruders. Finally, it lists important aspects to consider when configuring a firewall, such as enabling/disabling it, setting security levels, and configuring permissions and rules for programs and connections.
This document proposes a new framework to prevent DDoS attacks using multilevel filtering of distributed firewalls. At the primary level, distributed firewalls filter IP addresses from both the internet and intranet. At the secondary level, hop count and TTL based filtering provide additional secure filtration. The framework reduces limitations of previous techniques by combining benefits of distributed firewalls and dual filtering approaches. Distributed firewalls are installed throughout the network and centrally controlled. They filter traffic based on centralized security policies. Additional hop count and TTL filtering of packets further strengthens prevention of spoofed IP addresses and DDoS attacks.
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology
A COMBINATION OF THE INTRUSION DETECTION SYSTEM AND THE OPEN-SOURCE FIREWALL ...IJCNCJournal
There are many security models for computer networks using a combination of Intrusion Detection System and Firewall proposed and deployed in practice. In this paper, we propose and implement a new model of the association between Intrusion Detection System and Firewall operations, which allows Intrusion Detection System to automatically update the firewall filtering rule table whenever it detects a weirdo intrusion. This helps protect the network from attacks from the Internet.
Genetic Algorithm based Layered Detection and Defense of HTTP BotnetIDES Editor
A System state in HTTP botnet uses HTTP protocol
for the creation of chain of Botnets thereby compromising
other systems. By using HTTP protocol and port number 80,
attacks can not only be hidden but also pass through the
firewall without being detected. The DPR based detection
leads to better analysis of botnet attacks [3]. However, it
provides only probabilistic detection of the attacker and also
time consuming and error prone. This paper proposes a Genetic
algorithm based layered approach for detecting as well as
preventing botnet attacks. The paper reviews p2p firewall
implementation which forms the basis of filtering.
Performance evaluation is done based on precision, F-value
and probability. Layered approach reduces the computation
and overall time requirement [7]. Genetic algorithm promises
a low false positive rate.
The document discusses analyzing the password generating algorithms used in wireless routers commonly deployed in the Netherlands. The authors were able to reverse engineer routers from several major Dutch internet providers and telecom companies. They found the routers used insecure proprietary algorithms to generate default WPA2 passwords that were trivial to recover within minutes, leaving networks vulnerable to attack. The authors worked with the Dutch government to disclose the issues responsibly and coordinate public notifications.
This document discusses and compares four main methodologies used in Intrusion Detection and Prevention Systems (IDPS): signature-based, anomaly-based, stateful protocol analysis-based, and hybrid-based. It provides details on how each methodology works and its strengths and weaknesses. A hybrid methodology that combines two or more of the other approaches is described as generally providing the best detection capabilities by taking advantage of the strengths of the individual methodologies. The document concludes by offering a way to evaluate IDPS systems based on parameters like resistance to evasion, accuracy, overhead, and other factors.
This document describes a distributed intrusion detection system based on honeypots. It proposes using honeypots to collect invasion characteristics on the network and genetic clustering algorithms to extract data for analysis. The system combines protocol analysis and signature detection modules to improve detection performance. An evaluation using KDDCUP 99 intrusion data showed the system can better detect intrusions and improve network security compared to traditional intrusion detection systems.
A Survey on DPI Techniques for Regular Expression Detection in Network Intrus...ijsrd.com
This document surveys various techniques for regular expression detection in deep packet inspection for network intrusion detection systems. It discusses how regular expressions are used with techniques like deterministic finite automata to detect attack signatures by matching packet payloads to predefined regular expression patterns. Specifically, it examines techniques like LaFA, TCAM, StriFA, CompactDFA, and DFA/EC that aim to improve regular expression matching performance by reducing memory usage, increasing matching speed, or decreasing the number of required states. The survey aims to understand these techniques and their potential application in improving intrusion detection in wireless networks.
Access control lists (ACLs) determine which devices can access routers based on IP address. ACLs can filter packets based on port numbers and are configured for inbound or outbound traffic. Standard ACLs filter based on source IP, while extended ACLs can filter based on additional attributes like protocol, ports, and IP addresses. Virtual private networks (VPNs) use protocols like IPSec and SSL with authentication methods such as certificates to securely transmit data over unsecured networks.
Wireless Networks Security in Jordan: A Field StudyIJNSA Journal
- The document summarizes a study that evaluated the security of wireless networks in Jordan through a process called "wardriving" where the researchers drove around with wireless network detection tools.
- The results found that the majority (79.52%) of wireless networks tested were unsecured and vulnerable. Most networks used either low levels of encryption (68.67%) or no encryption at all (11.45%).
- Nearly all networks broadcast the default SSID (92.17%), leaving them exposed to potential hackers since changing the SSID is a basic security precaution.
The document discusses data security in local networks using distributed firewalls. It describes how distributed firewalls work to overcome issues with traditional firewalls, which rely on a single entry point. Distributed firewalls are centrally managed from a network server but installed on endpoints throughout the network. This allows security policies to be defined and pushed centrally while filtering traffic both from the internet and internally. It also discusses how distributed firewalls use pull and push techniques to update endpoints with the latest security policies from the central management server.
The document describes a hybrid honeypot framework for collecting and analyzing malware. The framework uses both client honeypots and server honeypots controlled by a central honeypot controller. Client honeypots actively visit URLs to detect client-side attacks, while server honeypots passively detect server-side attacks. Collected malware is stored in a central database and analyzed on an analysis server to detect known and unknown malware types through dynamic execution and static analysis. The integrated framework was able to collect thousands of malware samples, including some not detected by antivirus software.
The document discusses firewall design principles, characteristics, and types. It describes three common firewall configurations: screened host with single-homed bastion host, screened host with dual-homed bastion host, and screened subnet. It also covers trusted systems, access control, and defending against Trojan horse attacks.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
International Journal of Engineering Research and DevelopmentIJERD Editor
This document discusses failure mechanisms in turbine blades of gas turbine engines. It begins by providing background on gas turbine engines and noting that turbine blade failures account for 42% of failures in some studies. The main failure mechanisms discussed are fatigue, creep, and corrosion. Fatigue can be low-cycle or high-cycle depending on the number of stress cycles and can initiate from cracks. Creep is stress-related deformation that increases with temperature and time. It can cause blade tips to rub casing. Corrosion can occur when blade coatings are removed from tip contact exposing the alloy.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
International Journal of Engineering Research and DevelopmentIJERD Editor
This document presents the results of a study comparing the hardened concrete properties of mixes containing micro silica or alccofine as supplementary cementitious materials. Concrete cubes, beams, and cylinders were cast with micro silica or alccofine added to cement at increments of 0%, 3.34%, 6.68%, 10.02%, 13.36%, and 16.7%. The hardened properties tested included compressive strength, flexural strength, splitting tensile strength, and impact resistance. Test results showed that the concretes with micro silica and alccofine additions generally exhibited higher strength properties compared to the control mix without additions.
This study examined the effects of different irrigation and fertigation levels on cowpea growth inside a polyhouse. Four treatments were tested that varied the frequency of irrigation (daily or alternate days) and fertigation (alternate days or every four days). The results showed that daily irrigation at an estimated water requirement of 2.2 L per plant per day produced the highest cowpea yield. Applying fertilizers through fertigation once every four days was also sufficient. Overall, the treatment combining daily irrigation with fertigation every four days resulted in the maximum cowpea yield of 32,632 kg/ha.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
International Journal of Engineering Research and DevelopmentIJERD Editor
This document summarizes a study on the effects of erosion from the Agulu-Nanka complex on local communities in Anambra State, Nigeria. Data collected through questionnaires with 154 households found that 54 households (35%) were displaced, with 235 hectares of farmland and 80 houses destroyed. The erosion has severely impacted the socio-economic conditions of residents by destroying homes and farmland, disrupting transportation, and forcing people to relocate. While various control efforts have been undertaken, more coordinated long-term efforts are needed to fully address the erosion problem and support affected communities. Recommendations include sustained government funding, reforestation programs, an erosion control appeal fund, and preventing waste from worsening the erosion
This document discusses using packet filtering as a mechanism for network security. It describes how packet filters examine packet headers to make routing decisions based on rules. Factors like asymmetric access requirements and protocol characteristics can complicate rule implementation. The document provides an example set of rules to allow access between two networks in most cases, but deny it from a specific subnet due to security issues. It notes that correctly specifying complex filter rules is difficult, and reordering rules can unintentionally change the access policy that was intended. Packet filtering shows promise as a network security tool but has limitations that must be understood.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
This study evaluated the effect of fly ash content, fiber length, and fiber dosage on the fresh and hardened properties of self-compacting concrete. Cement was replaced with 20% and 30% fly ash. Macro synthetic fibers of 36mm and 47mm length were added at dosages of 2kg/m3 and 4kg/m3. Test results showed that increasing fly ash content and fiber dosage and length generally decreased workability but increased compressive, splitting tensile, and flexural strengths at 28 and 56 days, with fiber reinforcement improving mechanical properties the most at higher dosages.
International Journal of Engineering Research and DevelopmentIJERD Editor
Electrical, Electronics and Computer Engineering,
Information Engineering and Technology,
Mechanical, Industrial and Manufacturing Engineering,
Automation and Mechatronics Engineering,
Material and Chemical Engineering,
Civil and Architecture Engineering,
Biotechnology and Bio Engineering,
Environmental Engineering,
Petroleum and Mining Engineering,
Marine and Agriculture engineering,
Aerospace Engineering.
International Journal of Engineering Research and DevelopmentIJERD Editor
This document presents a study that uses an Imperialistic Competitive Algorithm (ICA) to optimize both real power loss and voltage stability limit in power transmission systems. The algorithm is applied to a New England power system model with 39 buses. It simultaneously optimizes transformer tap positions, UPFC location and injection voltage. Simulation results show the ICA approach reduces real power loss and improves voltage stability compared to a prior Bacteria Foraging Algorithm approach. The dual objectives of minimizing losses and maximizing stability are achieved through the evolutionary optimization of the ICA.
B.R. Iresh Maduwantha is seeking an opportunity in apparel manufacturing to contribute his knowledge and skills. He has a Bachelor of Applied Science in Textile Technology from Brandix College in collaboration with RMIT University Australia. He also has a Diploma in Clothing Technology & Management from Brandix College. For experience, he worked as a management trainee at SINTESI Ltd and did an internship at Brandix factories. He is proficient in quality assurance, design, molding processes, and computer programs like Adobe Illustrator and Accumark Gerber. His referees include the course coordinator at Brandix College and its CEO who can verify his skills and qualifications for manufacturing roles.
Cryptography Project by Aelsayed & Kyasser.pdfahmeddeath6
The document discusses firewall technologies and architectures. It begins by explaining the need for firewalls to protect internal networks from external threats. It then describes various firewall types including filtering routers, which inspect IP and TCP/UDP headers; stateful inspection, which tracks connection states; circuit gateways, which operate at the transport layer; and proxy servers, which break direct connections and mediate traffic. It provides examples of how each type of firewall works and their advantages and limitations. It also covers firewall configurations like the single-homed bastion system.
Crypto Mark Scheme for Fast Pollution Detection and Resistance over NetworkingIRJET Journal
The document proposes a new scheme called HOPVOTE to efficiently detect pollution attacks in networks. HOPVOTE is a packet HOP_VOTE technique that attaches an encrypted key to each packet to verify its integrity at each hop. It aims to rapidly identify polluters and misbehaving data/routes. The scheme uses keybit verification and cache-based recovery to identify and block nodes that drop or modify data, and recovers polluted data for retransmission. Simulation results show the scheme can effectively detect pollution attacks with low overhead. Future work will analyze routing performance under common network applications and flows.
A Combination of the Intrusion Detection System and the Open-source Firewall ...IJCNCJournal
There are many security models for computer networks using a combination of Intrusion Detection System and Firewall proposed and deployed in practice. In this paper, we propose and implement a new model of the association between Intrusion Detection System and Firewall operations, which allows Intrusion Detection System to automatically update the firewall filtering rule table whenever it detects a weirdo intrusion. This helps protect the network from attacks from the Internet.
This document discusses network security and firewalls. It provides an overview of different types of firewalls including packet filtering firewalls, stateful inspection firewalls, application-level gateways, and circuit-level gateways. It also discusses firewall configuration options such as bastion hosts, host-based firewalls, personal firewalls, demilitarized zone networks, and distributed firewall setups. The key purpose of firewalls is to control access and enforce a site's security policy by filtering network traffic based on security rules.
Analysis Of Internet Protocol ( IP ) DatagramsEmily Jones
Here are the key points about wireless sensor networks:
- WSN consist of small, low-cost sensors that can sense and monitor various environments and phenomena. They communicate wirelessly to form dense networks.
- The sensors have limited processing, storage and power capabilities. They must operate autonomously for long periods with small batteries or energy harvesting.
- WSN enable ubiquitous sensing and monitoring without being constrained by wires. They provide more flexibility in deployment compared to wired networks.
- Common applications of WSN include environmental/habitat monitoring, healthcare applications, home automation, traffic control, and industrial/machine monitoring.
- Key technical challenges in WSN include limited power/energy, dynamic network topology, fault tolerance
IRJET - Efficient Public Key Cryptosystem for Scalable Data Sharing in Cloud ...IRJET Journal
This document summarizes and evaluates several existing approaches for securely sharing data stored in the cloud. It discusses key aggregate cryptosystems that allow a user to generate a single aggregate key to decrypt a set of ciphertexts. It also reviews other techniques such as attribute-based encryption with proxy re-encryption, dynamic auditing services using random sampling and fragment structures, the Oruta system using ring signatures for public auditing of shared data, and privacy-preserving public auditing using message authentication codes. The document analyzes the advantages and disadvantages of each approach, such as increased key sizes with attribute-based encryption and the storage overhead of fragment structures.
A network security detection and prevention
scheme using a combination of network taps
and aggregation devices can improve visibility
and redundancy, reduce system complexity
and diminish initial and continuing costs for
implementation.
This document discusses network security mechanisms including firewalls, access control methods, and security attacks and defenses. It provides details on different types of firewalls (e.g. packet inspection, application proxy), access control methods like discretionary access control and role-based access control, and security mechanisms to prevent, avoid, and detect attacks such as cryptography, authentication, and intrusion detection systems. The document is part of a course on advanced network security.
In IT industry – You going to need a security certification
In the US Military or a government contractor- required in most cases
(DoD 8570.01-M) / State Department Skills Incentive Program
Short Video about Security +
Exam Objectives
Exam Content
Taking the exam
Practice Questions
Tips to Prepare
A firewall filters network traffic between an organization's private network and the internet. It allows or blocks traffic based on predefined rules. A firewall includes components like packet filtering, NAT, stateful inspection. Benefits include protecting against threats like viruses, blocking unauthorized access, and hiding private network details.
Firewalls are hardware, software, or a combination of both that are used to prevent unauthorized access to private networks and computers. There are different types of firewalls including hardware firewalls, which protect entire networks, and software firewalls, which protect individual computers. Firewall rules determine whether network traffic is allowed, blocked, or requires user approval to pass through the firewall.
Security Plus Training Event for ITProcamp Jacksonville 2016. Helping those new to the IT Security get prepared. Understand how to complete your DOD 8570.m requirements.. Discussion about Exam Objectives
SECURE ADHOC ROUTING PROTOCOL FOR PRIVACY RESERVATIONEditor IJMTER
Privacy preserving routing is crucial for some Ad hoc networks that require
stronger privacy protection. A number of schemes have been proposed to protect privacy in
Ad hoc networks. However, none of these schemes offer unobservability property since data
packets and control packets are still linkable and distinguishable in these schemes. In this
paper, we define stronger privacy requirements regarding privacy preserving routing in
mobile ad hoc networks. Then we propose an Unobservable Secure Routing scheme (USOR)
to offer complete unlinkability and content unobservability for all types of packets. USOR is
efficient as it uses a novel combination of group signature and ID-based encryption for route
discovery. Security analysis demonstrates that USOR can well protect user privacy against
both inside and outside attackers. We implement USOR on Network Security (NS2), and
evaluate its performance by comparing with Ad Hoc On demand Distance Vector Routing
(AODV) and MASK. The simulation results show that USOR not only has satisfactory
performance compared to AODV, but also achieves stronger privacy protection than existing
schemes like Mask.
Firewalls are network security devices that control incoming and outgoing network traffic based on a set of security rules. There are three main types of firewalls: packet filtering firewalls, which filter network traffic at the packet level; application-level firewalls, which filter traffic at the application layer; and circuit-level firewalls, which monitor traffic connections and sessions. Firewalls provide security benefits but also have limitations, such as not preventing unauthorized internal access or protecting against social engineering attacks.
The document discusses firewall implementation for a company called Acme. It describes how Acme can set up firewalls to restrict access between internal and external networks and between different internal departments. Packet filtering, proxy servers, and demilitarized zones are implemented to enforce access controls and monitor network traffic flow while protecting sensitive data. The completed Acme intranet design includes multiple firewalls configured in screened subnets and dual-homed gateways to secure remote access and internal information flows.
Watchguard Firewall overview and implemetationKaveh Khosravi
This document explains firewall technologies and intrusion detection techniques by using the combination of watchguard firewall and snort , the widely known intrusion detection system ,.
This document summarizes a paper on packet filtering as a basic network security tool. It defines packet filtering as controlling network access by analyzing packets and allowing or blocking them based on header information like source/destination addresses and ports. It then discusses how packet filters work by examining these header fields, provides an example Linux configuration, and outlines some limitations like inability to inspect payloads or track connection state. It concludes by describing common applications of packet filtering like ingress/egress rules to block spoofed addresses and unoffered services.
Reduce the False Positive and False Negative from Real Traffic with Intrusion...inventy
Research Inventy : International Journal of Engineering and Science is published by the group of young academic and industrial researchers with 12 Issues per year. It is an online as well as print version open access journal that provides rapid publication (monthly) of articles in all areas of the subject such as: civil, mechanical, chemical, electronic and computer engineering as well as production and information technology. The Journal welcomes the submission of manuscripts that meet the general criteria of significance and scientific excellence. Papers will be published by rapid process within 20 days after acceptance and peer review process takes only 7 days. All articles published in Research Inventy will be peer-reviewed.
A firewall is a system or group of systems that controls network traffic between trusted and untrusted networks according to pre-configured rules. There are different types of firewalls including packet filtering, stateful packet inspection, application-level gateways, and circuit-level gateways. Firewalls work by examining packets and filtering traffic based on criteria like source/destination addresses and ports to enforce a security policy between networks.
This document discusses different types of firewalls. It begins by defining a firewall as a network security device that monitors and filters incoming and outgoing network traffic based on an organization's security policies. It acts as a barrier between an internal network and the public internet, allowing safe traffic in while keeping dangerous traffic out. The document then discusses the history of firewalls and lists several common types, including packet filtering, circuit-level gateway, application-level gateway, stateful inspection, next-generation, software, hardware, and cloud firewalls. It explains that firewalls are important as the network's first line of defense, helping to identify and block threats to decrease risks to the internal network. Specifically, it provides details on how packet filtering
Similar to International Journal of Engineering Research and Development (20)
A Novel Method for Prevention of Bandwidth Distributed Denial of Service AttacksIJERD Editor
Distributed Denial of Service (DDoS) Attacks became a massive threat to the Internet. Traditional
Architecture of internet is vulnerable to the attacks like DDoS. Attacker primarily acquire his army of Zombies,
then that army will be instructed by the Attacker that when to start an attack and on whom the attack should be
done. In this paper, different techniques which are used to perform DDoS Attacks, Tools that were used to
perform Attacks and Countermeasures in order to detect the attackers and eliminate the Bandwidth Distributed
Denial of Service attacks (B-DDoS) are reviewed. DDoS Attacks were done by using various Flooding
techniques which are used in DDoS attack.
The main purpose of this paper is to design an architecture which can reduce the Bandwidth
Distributed Denial of service Attack and make the victim site or server available for the normal users by
eliminating the zombie machines. Our Primary focus of this paper is to dispute how normal machines are
turning into zombies (Bots), how attack is been initiated, DDoS attack procedure and how an organization can
save their server from being a DDoS victim. In order to present this we implemented a simulated environment
with Cisco switches, Routers, Firewall, some virtual machines and some Attack tools to display a real DDoS
attack. By using Time scheduling, Resource Limiting, System log, Access Control List and some Modular
policy Framework we stopped the attack and identified the Attacker (Bot) machines
Hearing loss is one of the most common human impairments. It is estimated that by year 2015 more
than 700 million people will suffer mild deafness. Most can be helped by hearing aid devices depending on the
severity of their hearing loss. This paper describes the implementation and characterization details of a dual
channel transmitter front end (TFE) for digital hearing aid (DHA) applications that use novel micro
electromechanical- systems (MEMS) audio transducers and ultra-low power-scalable analog-to-digital
converters (ADCs), which enable a very-low form factor, energy-efficient implementation for next-generation
DHA. The contribution of the design is the implementation of the dual channel MEMS microphones and powerscalable
ADC system.
Influence of tensile behaviour of slab on the structural Behaviour of shear c...IJERD Editor
-A composite beam is composed of a steel beam and a slab connected by means of shear connectors
like studs installed on the top flange of the steel beam to form a structure behaving monolithically. This study
analyzes the effects of the tensile behavior of the slab on the structural behavior of the shear connection like slip
stiffness and maximum shear force in composite beams subjected to hogging moment. The results show that the
shear studs located in the crack-concentration zones due to large hogging moments sustain significantly smaller
shear force and slip stiffness than the other zones. Moreover, the reduction of the slip stiffness in the shear
connection appears also to be closely related to the change in the tensile strain of rebar according to the increase
of the load. Further experimental and analytical studies shall be conducted considering variables such as the
reinforcement ratio and the arrangement of shear connectors to achieve efficient design of the shear connection
in composite beams subjected to hogging moment.
Gold prospecting using Remote Sensing ‘A case study of Sudan’IJERD Editor
Gold has been extracted from northeast Africa for more than 5000 years, and this may be the first
place where the metal was extracted. The Arabian-Nubian Shield (ANS) is an exposure of Precambrian
crystalline rocks on the flanks of the Red Sea. The crystalline rocks are mostly Neoproterozoic in age. ANS
includes the nations of Israel, Jordan. Egypt, Saudi Arabia, Sudan, Eritrea, Ethiopia, Yemen, and Somalia.
Arabian Nubian Shield Consists of juvenile continental crest that formed between 900 550 Ma, when intra
oceanic arc welded together along ophiolite decorated arc. Primary Au mineralization probably developed in
association with the growth of intra oceanic arc and evolution of back arc. Multiple episodes of deformation
have obscured the primary metallogenic setting, but at least some of the deposits preserve evidence that they
originate as sea floor massive sulphide deposits.
The Red Sea Hills Region is a vast span of rugged, harsh and inhospitable sector of the Earth with
inimical moon-like terrain, nevertheless since ancient times it is famed to be an abode of gold and was a major
source of wealth for the Pharaohs of ancient Egypt. The Pharaohs old workings have been periodically
rediscovered through time. Recent endeavours by the Geological Research Authority of Sudan led to the
discovery of a score of occurrences with gold and massive sulphide mineralizations. In the nineties of the
previous century the Geological Research Authority of Sudan (GRAS) in cooperation with BRGM utilized
satellite data of Landsat TM using spectral ratio technique to map possible mineralized zones in the Red Sea
Hills of Sudan. The outcome of the study mapped a gossan type gold mineralization. Band ratio technique was
applied to Arbaat area and a signature of alteration zone was detected. The alteration zones are commonly
associated with mineralization. The alteration zones are commonly associated with mineralization. A filed check
confirmed the existence of stock work of gold bearing quartz in the alteration zone. Another type of gold
mineralization that was discovered using remote sensing is the gold associated with metachert in the Atmur
Desert.
Reducing Corrosion Rate by Welding DesignIJERD Editor
This document summarizes a study on reducing corrosion rates in steel through welding design. The researchers tested different welding groove designs (X, V, 1/2X, 1/2V) and preheating temperatures (400°C, 500°C, 600°C) on ferritic malleable iron samples. Testing found that X and V groove designs with 500°C and 600°C preheating had corrosion rates of 0.5-0.69% weight loss after 14 days, compared to 0.57-0.76% for 400°C preheating. Higher preheating reduced residual stresses which decreased corrosion. Residual stresses were 1.7 MPa for optimal X groove and 600°C
Router 1X3 – RTL Design and VerificationIJERD Editor
Routing is the process of moving a packet of data from source to destination and enables messages
to pass from one computer to another and eventually reach the target machine. A router is a networking device
that forwards data packets between computer networks. It is connected to two or more data lines from different
networks (as opposed to a network switch, which connects data lines from one single network). This paper,
mainly emphasizes upon the study of router device, it‟s top level architecture, and how various sub-modules of
router i.e. Register, FIFO, FSM and Synchronizer are synthesized, and simulated and finally connected to its top
module.
Active Power Exchange in Distributed Power-Flow Controller (DPFC) At Third Ha...IJERD Editor
This paper presents a component within the flexible ac-transmission system (FACTS) family, called
distributed power-flow controller (DPFC). The DPFC is derived from the unified power-flow controller (UPFC)
with an eliminated common dc link. The DPFC has the same control capabilities as the UPFC, which comprise
the adjustment of the line impedance, the transmission angle, and the bus voltage. The active power exchange
between the shunt and series converters, which is through the common dc link in the UPFC, is now through the
transmission lines at the third-harmonic frequency. DPFC multiple small-size single-phase converters which
reduces the cost of equipment, no voltage isolation between phases, increases redundancy and there by
reliability increases. The principle and analysis of the DPFC are presented in this paper and the corresponding
simulation results that are carried out on a scaled prototype are also shown.
Mitigation of Voltage Sag/Swell with Fuzzy Control Reduced Rating DVRIJERD Editor
Power quality has been an issue that is becoming increasingly pivotal in industrial electricity
consumers point of view in recent times. Modern industries employ Sensitive power electronic equipments,
control devices and non-linear loads as part of automated processes to increase energy efficiency and
productivity. Voltage disturbances are the most common power quality problem due to this the use of a large
numbers of sophisticated and sensitive electronic equipment in industrial systems is increased. This paper
discusses the design and simulation of dynamic voltage restorer for improvement of power quality and
reduce the harmonics distortion of sensitive loads. Power quality problem is occurring at non-standard
voltage, current and frequency. Electronic devices are very sensitive loads. In power system voltage sag,
swell, flicker and harmonics are some of the problem to the sensitive load. The compensation capability
of a DVR depends primarily on the maximum voltage injection ability and the amount of stored
energy available within the restorer. This device is connected in series with the distribution feeder at
medium voltage. A fuzzy logic control is used to produce the gate pulses for control circuit of DVR and the
circuit is simulated by using MATLAB/SIMULINK software.
Study on the Fused Deposition Modelling In Additive ManufacturingIJERD Editor
Additive manufacturing process, also popularly known as 3-D printing, is a process where a product
is created in a succession of layers. It is based on a novel materials incremental manufacturing philosophy.
Unlike conventional manufacturing processes where material is removed from a given work price to derive the
final shape of a product, 3-D printing develops the product from scratch thus obviating the necessity to cut away
materials. This prevents wastage of raw materials. Commonly used raw materials for the process are ABS
plastic, PLA and nylon. Recently the use of gold, bronze and wood has also been implemented. The complexity
factor of this process is 0% as in any object of any shape and size can be manufactured.
Spyware triggering system by particular string valueIJERD Editor
This computer programme can be used for good and bad purpose in hacking or in any general
purpose. We can say it is next step for hacking techniques such as keylogger and spyware. Once in this system if
user or hacker store particular string as a input after that software continually compare typing activity of user
with that stored string and if it is match then launch spyware programme.
A Blind Steganalysis on JPEG Gray Level Image Based on Statistical Features a...IJERD Editor
This paper presents a blind steganalysis technique to effectively attack the JPEG steganographic
schemes i.e. Jsteg, F5, Outguess and DWT Based. The proposed method exploits the correlations between
block-DCTcoefficients from intra-block and inter-block relation and the statistical moments of characteristic
functions of the test image is selected as features. The features are extracted from the BDCT JPEG 2-array.
Support Vector Machine with cross-validation is implemented for the classification.The proposed scheme gives
improved outcome in attacking.
Secure Image Transmission for Cloud Storage System Using Hybrid SchemeIJERD Editor
- Data over the cloud is transferred or transmitted between servers and users. Privacy of that
data is very important as it belongs to personal information. If data get hacked by the hacker, can be
used to defame a person’s social data. Sometimes delay are held during data transmission. i.e. Mobile
communication, bandwidth is low. Hence compression algorithms are proposed for fast and efficient
transmission, encryption is used for security purposes and blurring is used by providing additional
layers of security. These algorithms are hybridized for having a robust and efficient security and
transmission over cloud storage system.
Application of Buckley-Leverett Equation in Modeling the Radius of Invasion i...IJERD Editor
A thorough review of existing literature indicates that the Buckley-Leverett equation only analyzes
waterflood practices directly without any adjustments on real reservoir scenarios. By doing so, quite a number
of errors are introduced into these analyses. Also, for most waterflood scenarios, a radial investigation is more
appropriate than a simplified linear system. This study investigates the adoption of the Buckley-Leverett
equation to estimate the radius invasion of the displacing fluid during waterflooding. The model is also adopted
for a Microbial flood and a comparative analysis is conducted for both waterflooding and microbial flooding.
Results shown from the analysis doesn’t only records a success in determining the radial distance of the leading
edge of water during the flooding process, but also gives a clearer understanding of the applicability of
microbes to enhance oil production through in-situ production of bio-products like bio surfactans, biogenic
gases, bio acids etc.
Gesture Gaming on the World Wide Web Using an Ordinary Web CameraIJERD Editor
- Gesture gaming is a method by which users having a laptop/pc/x-box play games using natural or
bodily gestures. This paper presents a way of playing free flash games on the internet using an ordinary webcam
with the help of open source technologies. Emphasis in human activity recognition is given on the pose
estimation and the consistency in the pose of the player. These are estimated with the help of an ordinary web
camera having different resolutions from VGA to 20mps. Our work involved giving a 10 second documentary to
the user on how to play a particular game using gestures and what are the various kinds of gestures that can be
performed in front of the system. The initial inputs of the RGB values for the gesture component is obtained by
instructing the user to place his component in a red box in about 10 seconds after the short documentary before
the game is finished. Later the system opens the concerned game on the internet on popular flash game sites like
miniclip, games arcade, GameStop etc and loads the game clicking at various places and brings the state to a
place where the user is to perform only gestures to start playing the game. At any point of time the user can call
off the game by hitting the esc key and the program will release all of the controls and return to the desktop. It
was noted that the results obtained using an ordinary webcam matched that of the Kinect and the users could
relive the gaming experience of the free flash games on the net. Therefore effective in game advertising could
also be achieved thus resulting in a disruptive growth to the advertising firms.
Hardware Analysis of Resonant Frequency Converter Using Isolated Circuits And...IJERD Editor
-LLC resonant frequency converter is basically a combo of series as well as parallel resonant ckt. For
LCC resonant converter it is associated with a disadvantage that, though it has two resonant frequencies, the
lower resonant frequency is in ZCS region[5]. For this application, we are not able to design the converter
working at this resonant frequency. LLC resonant converter existed for a very long time but because of
unknown characteristic of this converter it was used as a series resonant converter with basically a passive
(resistive) load. . Here, it was designed to operate in switching frequency higher than resonant frequency of the
series resonant tank of Lr and Cr converter acts very similar to Series Resonant Converter. The benefit of LLC
resonant converter is narrow switching frequency range with light load[6] . Basically, the control ckt plays a
very imp. role and hence 555 Timer used here provides a perfect square wave as the control ckt provides no
slew rate which makes the square wave really strong and impenetrable. The dead band circuit provides the
exclusive dead band in micro seconds so as to avoid the simultaneous firing of two pairs of IGBT’s where one
pair switches off and the other on for a slightest period of time. Hence, the isolator ckt here is associated with
each and every ckt used because it acts as a driver and an isolation to each of the IGBT is provided with one
exclusive transformer supply[3]. The IGBT’s are fired using the appropriate signal using the previous boards
and hence at last a high frequency rectifier ckt with a filtering capacitor is used to get an exact dc
waveform .The basic goal of this particular analysis is to observe the wave forms and characteristics of
converters with differently positioned passive elements in the form of tank circuits.
Simulated Analysis of Resonant Frequency Converter Using Different Tank Circu...IJERD Editor
LLC resonant frequency converter is basically a combo of series as well as parallel resonant ckt. For
LCC resonant converter it is associated with a disadvantage that, though it has two resonant frequencies, the
lower resonant frequency is in ZCS region [5]. For this application, we are not able to design the converter
working at this resonant frequency. LLC resonant converter existed for a very long time but because of
unknown characteristic of this converter it was used as a series resonant converter with basically a passive
(resistive) load. . Here, it was designed to operate in switching frequency higher than resonant frequency of the
series resonant tank of Lr and Cr converter acts very similar to Series Resonant Converter. The benefit of LLC
resonant converter is narrow switching frequency range with light load[6] . Basically, the control ckt plays a
very imp. role and hence 555 Timer used here provides a perfect square wave as the control ckt provides no
slew rate which makes the square wave really strong and impenetrable. The dead band circuit provides the
exclusive dead band in micro seconds so as to avoid the simultaneous firing of two pairs of IGBT’s where one
pair switches off and the other on for a slightest period of time. Hence, the isolator ckt here is associated with
each and every ckt used because it acts as a driver and an isolation to each of the IGBT is provided with one
exclusive transformer supply[3]. The IGBT’s are fired using the appropriate signal using the previous boards
and hence at last a high frequency rectifier ckt with a filtering capacitor is used to get an exact dc
waveform .The basic goal of this particular analysis is to observe the wave forms and characteristics of
converters with differently positioned passive elements in the form of tank circuits. The supported simulation
is done through PSIM 6.0 software tool
Amateurs Radio operator, also known as HAM communicates with other HAMs through Radio
waves. Wireless communication in which Moon is used as natural satellite is called Moon-bounce or EME
(Earth -Moon-Earth) technique. Long distance communication (DXing) using Very High Frequency (VHF)
operated amateur HAM radio was difficult. Even with the modest setup having good transceiver, power
amplifier and high gain antenna with high directivity, VHF DXing is possible. Generally 2X11 YAGI antenna
along with rotor to set horizontal and vertical angle is used. Moon tracking software gives exact location,
visibility of Moon at both the stations and other vital data to acquire real time position of moon.
“MS-Extractor: An Innovative Approach to Extract Microsatellites on „Y‟ Chrom...IJERD Editor
Simple Sequence Repeats (SSR), also known as Microsatellites, have been extensively used as
molecular markers due to their abundance and high degree of polymorphism. The nucleotide sequences of
polymorphic forms of the same gene should be 99.9% identical. So, Microsatellites extraction from the Gene is
crucial. However, Microsatellites repeat count is compared, if they differ largely, he has some disorder. The Y
chromosome likely contains 50 to 60 genes that provide instructions for making proteins. Because only males
have the Y chromosome, the genes on this chromosome tend to be involved in male sex determination and
development. Several Microsatellite Extractors exist and they fail to extract microsatellites on large data sets of
giga bytes and tera bytes in size. The proposed tool “MS-Extractor: An Innovative Approach to extract
Microsatellites on „Y‟ Chromosome” can extract both Perfect as well as Imperfect Microsatellites from large
data sets of human genome „Y‟. The proposed system uses string matching with sliding window approach to
locate Microsatellites and extracts them.
Importance of Measurements in Smart GridIJERD Editor
- The need to get reliable supply, independence from fossil fuels, and capability to provide clean
energy at a fixed and lower cost, the existing power grid structure is transforming into Smart Grid. The
development of a smart energy distribution grid is a current goal of many nations. A Smart Grid should have
new capabilities such as self-healing, high reliability, energy management, and real-time pricing. This new era
of smart future grid will lead to major changes in existing technologies at generation, transmission and
distribution levels. The incorporation of renewable energy resources and distribution generators in the existing
grid will increase the complexity, optimization problems and instability of the system. This will lead to a
paradigm shift in the instrumentation and control requirements for Smart Grids for high quality, stable and
reliable electricity supply of power. The monitoring of the grid system state and stability relies on the
availability of reliable measurement of data. In this paper the measurement areas that highlight new
measurement challenges, development of the Smart Meters and the critical parameters of electric energy to be
monitored for improving the reliability of power systems has been discussed.
Study of Macro level Properties of SCC using GGBS and Lime stone powderIJERD Editor
The document summarizes a study on the use of ground granulated blast furnace slag (GGBS) and limestone powder to replace cement in self-compacting concrete (SCC). Tests were conducted on SCC mixes with 0-50% replacement of cement with GGBS and 0-20% replacement with limestone powder. The results showed that replacing 30% of cement with GGBS and 15% with limestone powder produced SCC with the highest compressive strength of 46MPa, meeting fresh property requirements. The study concluded that this ternary blend of cement, GGBS and limestone powder can improve SCC properties while reducing costs.
Skybuffer AI: Advanced Conversational and Generative AI Solution on SAP Busin...Tatiana Kojar
Skybuffer AI, built on the robust SAP Business Technology Platform (SAP BTP), is the latest and most advanced version of our AI development, reaffirming our commitment to delivering top-tier AI solutions. Skybuffer AI harnesses all the innovative capabilities of the SAP BTP in the AI domain, from Conversational AI to cutting-edge Generative AI and Retrieval-Augmented Generation (RAG). It also helps SAP customers safeguard their investments into SAP Conversational AI and ensure a seamless, one-click transition to SAP Business AI.
With Skybuffer AI, various AI models can be integrated into a single communication channel such as Microsoft Teams. This integration empowers business users with insights drawn from SAP backend systems, enterprise documents, and the expansive knowledge of Generative AI. And the best part of it is that it is all managed through our intuitive no-code Action Server interface, requiring no extensive coding knowledge and making the advanced AI accessible to more users.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
Trusted Execution Environment for Decentralized Process MiningLucaBarbaro3
Presentation of the paper "Trusted Execution Environment for Decentralized Process Mining" given during the CAiSE 2024 Conference in Cyprus on June 7, 2024.
Trusted Execution Environment for Decentralized Process Mining
International Journal of Engineering Research and Development
1. International Journal of Engineering Research and Development
e-ISSN: 2278-067X, p-ISSN: 2278-800X, www.ijerd.com
Volume 10, Issue 8 (August 2014), PP.71-81
A Mechanism to Achieve Network Security through IP
Packet Filtering
Rajendra Singh Shahi, Ashis Saklani, R P Joshi
1Assistant Professor Kumaon Institute of Technology (BTKIT) Dwarahat, Almora, Uttarakhand
2Assistant Professor Kumaon Institute of Technology (BTKIT) Dwarahat, Almora, Uttarakhand
3Assistant Professor Kumaon Institute of Technology (BTKIT) Dwarahat, Almora, Uttarakhand
Abstract:- In Gist we are in era of Networks and a Network cannot be imagined without DTE,DSE,DCE’s.
Data Terminal Equipments (DTE) are devices that are responsible for interdomain connectivity. Whether we are
in Intranets or Extranets without DTE a Network cannot be imagined, here DTE imply means Routers and in
this Emerging Technology Router is necessary. Even grower Networks number of outers are increasing and
Ever-increasing numbers of IP router products are offering packet filtering as a ool for improving network
security. Used properly, packet filtering is a useful tool for the security on scions network
administrator, but its effective use requires a thorough understanding of its capabilities and
weaknesses, and of the quirks of particular protocols that filters are being applied to. This paper examines
he utility of IP packet filtering as a network security measure, briefly contrasts IP packet filtering to
lternative network security approaches such as application-level gate- ways, describes what packet filters
ight examine in each packet, and describes the characteristics of common application protocols as they
relate to packet filtering. The paper then identifies and examines problems common to many current
packet iltering implementations, shows how these problems can easily undermine the net- work
administrator's ntents and lead to a false sense of security, and proposes solu- tions to these problems.
Finally, the paper oncludes that packet filtering is currently a viable network security mechanism,
but that its utility ould be greatly improved with the extensions proposed in the paper.
Keywords:- DTE,DSE,DCE,IP-Filtering, ICMP,RIP,TCP,UDP,DNS
I. INTRODUCTION
This paper considers packet filtering as a mechanism for implementing network security policies.
The consideration is from the point of view of a site or network administrator (who is interested in
providing the best possible service to their users while maintaining adequate security of their site or
network, and who often has an "us versus them" attitude with regard to external organizations), which is not
necessarily the same point of view that a service provider or router vendor (who is interested in providing
network services or products to customers) might have. An assumption made throughout is that a site
administrator is generally more
interested in keeping outsiders out than in trying to police insiders, and that the goal is to keep outsiders from
breaking in and insiders from accidentally exposing valuable data or services, not to prevent insiders
from intentionally and maliciously subverting security measures. This paper does not consider military-grade
"secure IP" implementations (those that implement the "IP security options" that may be specified
in IP packet headers) and related issues; it is limited to what is commonly available for sale to the general
public.
Packet filtering may be used as a mechanism to implement a wide variety of network security
policies. The primary goal of these policies is generally to prevent unauthorized network access
without hindering authorized network access; the definitions of "unauthorized access" and "authorized
access" vary widely from one organization to another. A secondary goal is often that the mechanisms be
transparent in terms of performance, user awareness, and application awareness of the security measures.
Another secondary goal is often that the mechanisms used be simple to configure and maintain, thus
increasing the likelihood that the policy will be correctly and completely implemented; in the words of Bill
Cheswick of AT&T Bell Laboratories, "Complex security isn't". Packet filtering is a mechanism which
can, to a greater or lesser extent, fulfill all these goals, but only through thorough understanding of its
strengths and weaknesses and careful application of its capabilities.
Several factors complicate implementation of these policies using packet filtering, including
asymmetric access requirements, differing requirements for various internal and external groups of
machines, and the varying characteristics of the particular protocols, services, and implementations of
these protocols and services that the filters are to be applied to. A symmetric access requirements
71
2. A Mechanism To Achieve Network Security Through IP Packet Filtering
usually arise when an organization desires that its internal systems have more access to external systems
than vice versa. Differing requirements arise when an organization desires that some groups of
machines have different network access privileges than other groups of machines (for instance, the
organization may feel that a particular subnet is more secure than standard, and thus can safely take
advantage of expanded network access, or they may feel that a particular subnet is especially valuable,
and thus its exposure to the external network should be as limited as possible). Alternatively, an
organization may desire to allow more or less network access to some specific group of external
machines than to the rest of the external world (for instance, a company might want to extend greater
network access than usual to a key client with whom they are collaborating, and less network access
than usual to a local university which is known to be the source of repeated cracker attacks).
The characteristics of particular protocols, services, and implementations also greatly affect how effective
filtering can be; this particular issue is discussed in detail below, in Section 3 and Appendix A.
Common alternatives to packet filtering for network security include securing each machine
with network access and using application gateways. Allowing network access on an all-or-nothing basis (a
very coarse form of packet filtering) then attempting to secure each machine that has network access is
generally impractical; few sites have the resources to secure and then monitor every machine that needs even
occasional network access. Application gate- ways, such as those used by AT&T [Ches90], Digital
Equipment Corporation [Ranum92], and several other organizations, are also often impractical because they
require internal hosts to run modified (and often custom-written or otherwise not commonly available)
versions of applications (such as "ftp" and "telnet") in order to reach external hosts. If a suitably
modified version of an application is not available for a given internal host (a modified TELNET client for
a personal computer, for instance), that internal host's users are simply out of luck and are unable to
reach the past the application gateway.
II. HOW PACKET FILTERING WORKS
72
2.1. What packet filters base their decisions on
Current IP packet filtering implementations all operate in the same basic fashion; they parse the
headers of a packet and then apply rules from a simple rule base to determine whether to route or drop†
the packet. Generally, the header fields that are available to the filter are packet type (TCP, UDP, etc.),
source IP address, destination IP address, and destination TCP/UDP port. For some reason, the source
TCP/UDP port is often not one of the available fields; this is a significant deficiency discussed in detail in
Section 4.2.
In addition to the information contained in the headers, many filtering implementations also
allow the administrator to specify rules based on which router interface the packet is des- tined to go out
on, and some allow rules based on which interface the packet came in on. Being able to specify filters
on both inbound and outbound† interfaces allows you significant control over where the router appears
in the filtering scheme (whether it is "inside" or "out- side" your packet filtering "fence"), and is very
convenient (if not essential) for useful filtering on routers with more than two interfaces. If certain packets
can be dropped using inbound filters on a given interface, those packets don't have to be mentioned in the
outbound filters on all the other interfaces; this simplifies the filtering specifications. Further, some
filters that an administrator would like to be able to implement require knowledge of which interface a
packet came in on; for instance, the administrator may wish to drop all packets coming inbound from
the external interface that claim to be from an internal host, in order to guard against attacks from the
outside world that use faked internal source addresses.
Some routers with very rudimentary packet filtering capabilities don't parse the headers, but
instead require the administrator to specify byte ranges within the header to examine, and the patterns to
look for in those ranges. This is almost useless, because it requires the adminis- trator to have a very
detailed understanding of the structure of an IP packet. It is totally unworkable for packets using IP
option fields within the IP header, which cause the location of the beginning of the higher-level TCP or
UDP headers to vary; this variation makes it very difficult for the administrator to find and examine the
TCP or UDP port information.
2.2. How packet filtering rules are specified
Generally, the filtering rules are expressed as a table of conditions and actions that are applied in
a certain order until a decision to route or drop the packet is reached. When a partic- ular packet meets all the
conditions specified in a given row of the table, the action specified in that row (whether to route or drop the
packet) is carried out; in some filtering implementations [Mogul89], the action can also indicate whether or
not to notify the sender that the packet has been dropped (through an ICMP message), and whether or not to
3. A Mechanism To Achieve Network Security Through IP Packet Filtering
log the packet and the action taken on it. Some systems apply the rules in the sequence specified by the
administrator until they find a rule that applies [Mogul89][Cisco90], which determines whether to drop
or route the packet. Others enforce a particular order of rule application based on the criteria in the
rules, such as source and destination address, regardless of the order in which the rules were specified
by the administrator. Some, for instance, apply filtering rules in the same order as ing implementation
(and sometimes on the filtering specification), the router might send an ICMP message (usual- ly "host
unreachable") back to the source of a packet that is dropped, or it might simply pretend it never received the
packet.
Throughout this paper, the terms "inbound" and "outbound" are usually used to refer to
connections or packets from the point of view of the protected network as a hole, and sometimes used
to refer to packets from the point of view of the filtering router (which is at the edge of the internal
network, between the internal network and the external world), or to the router interfaces those packets will
pass through. A packet might appear to be "inbound" to the filtering router on its way to the external world,
but that packet is "outbound" from the internal network as a whole. An "outbound connection" is a connection
initiated from a client on an internal machine to a server on an external machine; note that while the connection
as a whole is outbound, it includes both outbound packets (those from the internal client to the external
server) and inbound packets (those from the external server back to the internal client). Similarly, an "inbound
connection" is a connection initiated from a client on an exter- nal machine to a server on an internal machine.
The "inbound interface" for a packet is the interface on the filter- ing router that the packet appeared on, while
the "outbound interface" is the interface the packet will go out on if it isn't denied by the application of the
filtering rules. routing table entries; that is, they apply rules referring to more specific addresses (such as rules
pertaining to specific hosts) before rules with less specific addresses (such as rules pertaining to whole
subnets and networks) [CHS91][Telebit92a]. The more complex the way in which the router reorders
rules, the more difficult it is for the administrator to understand the rules and their application; routers
which apply rules in the order specified by the administrator, without reordering the rules, are easier
for an administrator to understand and configure, and therefore more likely to yield correct and complete
filter sets.
73
2.3. A packet filtering example
For example, consider this scenario. The network administrator of a company with Class B network
123.45 wishes to disallow access from the Internet to his network in general (123.45.0.0/16)†. The
administrator has a special subnet in his network (123.45.6.0/24) that is used in a collaborative project with
a local university which has class B network 135.79; he wishes to permit access to the special subnet
(123.45.6.0/24) from all subnets of the university (135.79.0.0/16). Finally, he wishes to deny access
(except to the subnet that is open to the whole university) from a specific subnet (135.79.99.0/24) at
the university, because the subnet is known to be insecure and a haven for crackers. For simplicity, we will
consider only pack- ets flowing from the university to the corporation; symmetric rules (reversing the
SrcAddr and DstAddr in each of the rules below) would need to be added to deal with packets from the cor-poration
to the university. Rule C is the "default" rule, which specifies what happens if none of the
other rules apply.
A router that applies the rules in the order ABC will achieve the desired results: packets from the
"hacker haven" subnet at the university to the company network in general (such as packet 1 above)
will be denied (by rule B), packets from the university "hacker haven" subnet at the university to the
4. A Mechanism To Achieve Network Security Through IP Packet Filtering
company's collaboration subnet (such as packet 2 above) will be Throughout this paper, the syntax
"a.b.c.d/y" denotes "the address a.b.c.d, with the top y bits significant for comparison". In other words,
123.45.0.0/16 means that the top 16 bits (123.45) are significant for comparisons to other addresses. The
address 123.45.6.7 thus matches 123.0.0.0/8, 123.45.0.0/16, and 123.45.6/24, but not 123.45.99.0/24.
A pattern with 0 significant bits (such as 0.0.0.0/0) matches any address, while a pattern with 32 significant bits
(such as 123.45.6.7/32) matches only that particular address (123.45.6.7). This syntax is a simpler form of
expressing an address pattern than the traditional "address, wildcard mask" tuple, particularly when the
boundary between the wild carded and non wild carded bits doesn't fall on an 8-bit boundary (for
instance, on a Cisco router, the pattern 123.0.0.0/8 would be represented as "123.0.0.0 0.255.255.255",
123.45.6.0/24 would be represented as "123.45.6.0 0.0.0.255", and 123.45.6.240/28 would be represented
as "123.45.6.240 0.0.0.15"). This syntax was originated in the KA9Q networking package for PCs, and
is used in the Telebit Net Blazer and other products. permitted (by rule A), packets from the university's
general network to the company's "open" subnet (such as packet 3 above) will be permitted (by
rule A), and packets from the university's general network to the company's general network (such
as packet 4 above) will be denied (by rule C). If, however, the router reorders the rules by sorting them
into order by number of significant bits in the source address then number of significant bits in the
destination address, the same set of rules will be applied in the order BAC. If the rules are applied in
the order BAC, packet 2 will be denied, when we want it to be permitted.
74
2.4. Packet filtering caveats
2.4.1. Complexity of packet filtering specifications
In fact, there's a subtle error in this example that illustrates how difficult it is to correctly set up filters
using such low-level specifications. Rule B above, which appears to restrict access from the "hacker
haven" net, is actually superfluous and unnecessary, and is the cause of the incorrect denial of packet
2 if the rules are applied in the order BAC. If you remove rule B, both types of routers (those that
apply rules in the order specified, and those that reorder rules by number of significant bits in source
or destination addresses) will process the rules in the order AC. When processed in that order, the result
table becomes:
There are two points here. First, correctly specifying filters is difficult. Second, reordering filtering rules
makes correctly specifying filters even more difficult, by turning a filter set that works (even if it's in
fact over specified) if evaluated in the order given into a filter set that doesn't work. Even though the
example presented above is a relatively simple application of packet filtering, most administrators will
probably read through it several times before they feel they understand what is going on. Consider that
the more difficult the rules are to comprehend, the less likely the rules will be correct and complete. The way
in which filtering rules must be specified and the order in which they are applied are key determinants
of how useful and powerful a given router's filtering capabilities are. Most implementations require the
administrator to specify filters in ways which make the filters easy for the router to parse and apply,
but make them very difficult for the administrator to comprehend and consider.
2.4.2. Reliance on accurate IP source addresses
Most filtering implementations, of necessity, rely on the accuracy of IP source addresses to
make filtering decisions. IP source addresses can easily be faked, however, as discussed in [Bellovin89],
[Kent89], [Bellovin92a], and [Bellovin92b]. This is a particular case where being able to filter inbound
packets is useful. If a packet that appears to be from one internal machine to another internal machine
comes in over the link from the outside world, you should be mighty suspicious. If your router can be told to
drop such packets using inbound filters on the external interface, your filtering specifications for internal
interfaces can be made both much simpler and more secure.
2.4.3. Dangers of IP source routing
Another IP feature ripe for potential abuse is IP source routing. Essentially, an IP packet with source
routing information included tells routers how to route the packet, rather than let- ting the routers
decide for themselves. An attacker could use this to their advantage [Bello- vin89]. Unless you have a
5. A Mechanism To Achieve Network Security Through IP Packet Filtering
specific need to allow packets with IP source routes between your internal network and the outside world,
it's probably a good idea for your router to ignore IP source route instructions; whether source routing
can be disabled, whether it is enabled or disabled by default, and how to disable it vary from vendor to vendor.
75
2.4.4. Complications due to IP fragmentation
Yet another complication to packet filtering is IP packet fragmentation. IP supports the notion that
any router along a packet's path may "fragment" that packet into several smaller packets, to
accommodate the limitations of underlying media, to be reassembled into the origi- nal IP packet at the
destination. For instance, an FDDI frame is much larger than an Ethernet frame; a router between an
FDDI ring and an Ethernet may need to split an IP packet that fit in a single FDDI frame into
multiple fragments that fit into the smaller Ethernet frames. The problem with this, from a packet
filtering point of view, is that only the first of the IP fragments has the higher-level protocol (TCP or
UDP) headers from the original packet, which may be necessary to make a filtering decision
concerning the fragment. Different filtering implementations take a variety of responses to this situation.
Some apply filters only to the first fragment (which contains the necessary higher-level protocol
headers), and simply route the rest, on the assumption that if the first fragment is dropped by the
filters, the rest of the fragments can't be reassembled into a full packet, and wil l cause no harm
[CHS91]. Others keep a cache of recently-seen first fragments and the filtering decision that was
reached, and look up non-first fragments in this cache in order to apply the same decision [Mogul89].
In particular, it is dangerous to suppress only the first fragment of outbound packets; you might be
leaking valuable data in the non-first fragments that are routed on out.
III. FILTERING-RELATED CHARACTERISTICS OF APPLICATION PROTOCOLS
Each application protocol has its own particular characteristics that relate to IP packet filtering,
that may or may not differ from other protocols. Particular implementations of a given protocol also
have their own characteristics that are not a result of the protocol per se, but a result of design decisions
made by the implementers. Since these implementation characteristics are not covered in the specification
of the protocol (though they aren't counter to the specification), they are likely to vary between
different implementations of the same protocol, and might change even within a given implementation
as that implementation evolves. These characteristics include what port a server uses, what port a client
uses, whether the service is typically offered over UDP or TCP or both, and so forth. An
understanding of these characteristics is essential for setting up effective filters to allow, disallow, or
limit the use of these protocols. Appendix A discusses in detail the filtering-related characteristics of
several com- mon protocols.
3.1. "Random" ports aren't really random
Although implementations of various protocols might appear to use a "random" ports for the client
end and a well-known port for the server end, the ports chosen for the client end used are usually not
totally random. While not explicitly supported by the RFCs, systems based on BSD UNIX usually reserve
ports below 1024 for use by "privileged" processes, and allow only processes running as root to bind
to those ports; conversely, non-privileged processes must use ports at or above 1024. Further, if a
program doesn't request a particular port, it is often simply assigned the port after the last one assigned;
if the last port assigned was 5150, the next one assigned will probably be 5151.
3.2. Privileged versus non-privileged ports
The distinction between "privileged" and "non-privileged" ports (those below 1024 and at or above
1024, respectively) is found throughout BSD-based systems (and other systems that draw from a BSD
background; keep in mind that almost all UNIX IP networking, including Sys VIP networking, draws
heavily from the original BSD network implementation). This distinction is not codified in the RFCs, and
is therefore best regarded as a widely used convention, but not as a standard. Nonetheless, if you're
protecting UNIX systems, the convention can be a useful one. You can, for instance, generally forbid
all inbound connections to ports below 1024, and then open up specific exceptions for specific services that
you wish to enable the outside world to use, such as SMTP, TELNET, or FTP; to allow the "return"
packets for connections to such services, you allow all packets to external destination ports at or above
1024.
While it would simplify filtering if all services were offered on ports below 1024 and all clients used
ports at or above 1024, many vulnerable services (such as X, Open Windows, and a number of database
servers) use server ports at or above 1024, and several vulnerable clients (such as the Berkeley r* programs)
use client ports below 1024. These should be carefully excepted from the "allow all packets to
6. A Mechanism To Achieve Network Security Through IP Packet Filtering
destination ports at or above 1024" type of rules that allow return packets for outbound services.
IV. PROBLEMS WITH CURRENT PACKET FILTERING IMPLEMENTATIONS
IP packet filtering, while a useful network security tool, is not a panacea, particularly in the form
in which it is currently implemented by many vendors. Problems with many current implementations
include complexity of configuration and administration, omission of the source UDP/TCP port from the fields
that filtering can be based on, unexpected interactions between "unrelated" parts of the filter rule set,
cumbersome filter specifications forced by simple specification mechanisms, a lack of testing and
debugging tools, and an inability to deal effectively with RPC-based protocols such as YP/NIS and NFS.
76
4.1. Filters are difficult to configure
The first problem with many current IP packet filtering implementations as network secu- rity
mechanisms is that the filtering is usually very difficult to configure, modify, maintain, and test, leaving the
administrator with little confidence that the filters are correctly and completely specified. The simple syntax
used in many filtering implementations makes life easy for the router (it's easy for the router to parse
the filter specifications, and fast for the router to apply them), but difficult for the administrator (it's like
programming in assembly language). Instead of being able to use high-level language abstractions ("if
this and that and not something-else then permit else deny"), the administrator is forced to produce a tabular
representation of rules; the desired behavior may or may not map well on to such a representation.
Administrators often consider networking activity in terms of "connections", while packet filtering, by
definition, is concerned with the packets making up a connection. An administrator might think in terms of
"an inbound SMTP connection", but this must be translated into at least two filtering rules (one for the
inbound packets from the client to the server, and one for the outbound packets from the server back to the
client) in a table-driven filtering implementa- tion. The concept of a connection is applied even when
considering a connectionless protocol such as UDP or ICMP; for instance, administrators speak of "NFS
connections" and "DNS connections". This mismatch between the abstractions used by many
administrators and the mechanisms provided by many filtering implementations contributes to the
difficulty of correctly and completely specifying packet filters.
4.2. TCP and UDP source port are often omitted from filtering criteria
Another problem is that current filtering implementations often omit the source UDP/TCP port from
consideration in filtering rules, leading to common cases where it is impossible to allow both inbound
and outbound traffic to a service without opening up gaping holes to other services. For instance, without
being able to consider both the source and destination port numbers of a given packet, you can't allow
inbound SMTP connections to internal machines (for inbound email) and outbound SMTP connections to all
external machines (so that you can send outbound mail) without ending up allowing all connections between
internal and external machines where both ends of the connection are on ports at or above port 1024.
To see this, imagine your router's rule table has 6 variables for rules on a given interface: direction
(whether the packet is inbound to or outbound from internal network), packet type (UDP or TCP),
source address, destination address, destination port, and action (whether to drop or route the packet).
You would need 5 rules in such a table to allow both inbound SMTP (where an external host connects to
an internal host to send email) and outbound SMTP (where an internal host connects to any external host to
send mail). The rules would look something like this:
The default action (rule E), if none of the preceding rules apply, is to drop the packet.
Rules A and B, together, allow the "inbound" SMTP connections; for inbound packets, the
source address is an "external" address, the destination address is "internal", and the destination port is
25, while for outbound packets, the source address is "internal", the destination address is "external",
and the destination port is at or above 1024. Rules C and D, together, similarly allow the “outgoing”
SMTP connections. Consider, however, a TCP connection between an internal host and an external host
where both ports used in the connection are above 1023. Incoming packets for such a connection will
be passed by rule D. Outgoing packets for such a connection will be passed by rule B. The problem
7. A Mechanism To Achieve Network Security Through IP Packet Filtering
is that, while rules A and B together do what you want and rules C and D together do what you
want, rules B and D together allow all connections between internal and external hosts where both
ends of the connection are on a port number above 1024. Current filter specification syntaxes are ripe with
opportunities for such unexpected and undesired interactions. If source port could be examined in making
the routing decisions, the rule table above would become:
In this case, all the rules are firmly anchored to port 25 (the well-known port number for SMTP) at
one end or the other, and you don't have the problem of inadvertently allowing all connections where
both ports are at or above 1024. Consider again the example given above, a TCP connection between an
internal and an external host where both ends of the connection were at or above 1024; such a connection
doesn't qualify with any of the above filtering rules, since in all of the above rules, one end of the connection has
to be at port 25.
4.3. Special handling of start-of-connection packets is impossible
Note that the even the above filters with source port still don't protect your servers living at or above
port 1024 from an attack launched from port 25 on an external machine (which is certainly possible if
the person making the attack controls the machine the attack is coming from); rules C and D will allow
this. One way to defeat this type of attack is to suppress TCP start-of-connection packets (packets with the
TCP "SYN" flag set) in rule C; at least one filter implementation provides a mechanism for stating that
rules apply only to packets in "established" connections (those packets without the SYN bit set) [Cisco90].
Unfortunately, UDP sessions are "connectionless", so there is never a "start-of-connection”
packet that can be suppressed in a UDP session. A solution for UDP is often to disallow UDP
entirely except for a specific exception for DNS. This exception for DNS can generally be made safely
even with a filtering implementation that ignores source port, because of a quirk in the most common DNS
implementation. The quirk causes DNS server-to-server queries made over UDP to always use port 53
at both ends of the connection, rather than a random port at one end. Disallowing UDP except for
DNS also allows you to avoid most of the problems with filtering RPC-based services (since most RPC
services are UDP based) that are discussed in Section 4.6.
4.4. Tabular filtering rule structures are too cumbersome
While tabular rule structures such as those shown above are relatively easy and thus efficient
for the router to parse and apply, they rapidly become too cumbersome for the administrator to use to
specify complex independent filtering requirements. Even simple appli- cations of these cumbersome
syntaxes are difficult, and often have unintended and undesired side effects, as demonstrated in Section 4.2.
77
4.5. Testing and monitoring filters is difficult
With many router products, the beleaguered administrator's life is further complicated by a lack of
built-in mechanisms to test the filter set or to monitor its performance in action. This makes it very
difficult to debug and validate filtering rule sets, or to modify existing rule sets; the administrator always
has to wonder if the filtering rules are really accomplishing what was intended, or if the rule set has some
inadvertent hole in it that the administrator has somehow
Over looked.
4.6. RPC is very difficult to filter effectively
Finally, RPC-based protocols offer a special challenge, since they don't reliably appear on a
given UDP or TCP port number. The only RPC-related service that is guaranteed to be at a certain port is the
"portmapper" service. Portmapper maps an RPC service number (which is a 32-bit number assigned by Sun
Microsystems to each individual RPC service, including ser- vices created by users and other vendors) to
the particular TCP or UDP port number (which are much smaller 16-bit numbers) that the service is
currently using on the particular machine being queried. When an RPC-based service starts up, it
registers with the portmapper to announce what port it is living at; the portmapper then passes this info
along to anyone who requests it.
8. A Mechanism To Achieve Network Security Through IP Packet Filtering
The portmapper isn't required in order to establish an RPC connection, except to deter- mine
exactly which port to establish the connection to; if you know (or can guess) which port to establish the
connection to, you can bypass the portmapper altogether. What port a given RPC protocol (such as
YP/NIS, NFS, or any of a number of others) ends up using is random enough that the administrator can't
effectively specify filters for it (at least, not without risking the inadvertent filtering of something else that
happened to end up on the same port the administrator thought an RPC-based service might end up at),
but not so random that an attacker can't easily "guess" where a given protocol lives. Even if they can't or
don't guess, a systematic search of the entire port number space for the RPC service they're interested in
Attacking is not that difficult. Since RPC-based services might be on any port, the filtering
implementation has no sure way of recognizing what is and what isn't RPC; as far as the router is
concerned, it's all just UDP or TCP traffic.
Two fortuitous characteristics of most RPC-based services can be used to save us from this
morass, however. First, most RPC-based services are offered as only on UDP ports; we can simply
drop UDP packets altogether except for DNS, as described above. Second, almost all of those that are
offered on TCP ports use ports below 1024, which can be protected by an "deny all ports below 1024 except
specific services like SMTP" type of filter, such as shown in the example in Section 4.2.
V. POSSIBLE SOLUTIONS FOR CURRENT PACKET FILTERING PROBLEMS
5.1. Improve filter specification syntax
The major improvement that could be made to many vendor packet filtering implementations would be
to provide better filter specification mechanisms. The administrator should be able to specify rules in a
form that makes sense to the administrator (such as a propositional logic syntax), not necessarily a
form that is efficient for the router to process; the router can then convert the rules from the high-level
form to a form amenable to efficient processing. One possibility might be the creation of a "filter
compiler" that accepts filters in a high-level syntax that was convenient for the administrator, and emits
a "compiled" filter list that is acceptable to the router.
Addressing the conceptual mismatch between administrators, who think in terms of connections,
and routers, which operate in terms of the packets making up those connections, as discussed in Section
4.1 might also prove valuable.
5.2. Make all relevant header fields available as filtering criteria
The administrator should be able to specify all relevant header fields, particularly including
TCP/UDP source port (which is currently often omitted from many filtering implementations), as filter
criteria. Until this key feature is provided, it will be difficult or impossible to effectively use filtering
in certain common situations, as demonstrated in the example in Section 4.2. The administrator should
also be able to specify whether a filter rule should apply only to established TCP connections.
5.3. Allow inbound filters as well as outbound filters
The administrator should be able to specify both inbound and outbound filters on each interface,
rather than only outbound filters. This would allow the administrator to position the router either "inside"
or "outside" the filtering "fence", as appropriate. It would also allow simpler specification of filters on
routers with more than two interfaces by allowing some cases (such as a packet appearing from the outside
world that purports to be both to and from internal hosts) to be handled by the inbound set of filters on
the external interface, rather than having to duplicate these special cases into the outbound filter set on
each internal interface. The desired functionality may not even be possible with only outbound filters;
the case of a fake internal-to-internal packet showing up on the external interface, as discussed in
Section 2.4.2, can't be detected in an outbound filter set.
5.4. Provide tools for developing, testing, and monitoring filters
Better tools for developing, testing and validating rule sets, perhaps including test suites and
automatic test probe generators, would make a big difference in the usability of packet filtering
mechanisms. Such an automated test system might well be a part of the "filter compiler" described in
Section 5.1.
78
5.5. Simplify specification of common filters
It would be useful if administrators could specify common filtering cases (for instance, "allow
inbound SMTP to this single host") simply, without having to understand the details of the protocols or
filtering mechanisms involved.
9. A Mechanism To Achieve Network Security Through IP Packet Filtering
VI. CONCLUSIONS
Packet filtering is currently a viable and valuable network security tool, but some simple vendor
improvements could have a big impact. There are several critical deficiencies that seem to be common to
many vendors, such as the inability to consider source TCP/UDP port in filters, that need to be addressed.
Other improvements to filter specification mechanisms could greatly simplify the lives of network
administrators trying to use packet filtering capabilities, and increase their confidence that their filters are
doing what they think they are.
ACKNOWLEDGEMENTS
Thanks to Steve Bellowing and Bill Cheswick of AT&T Bell Laboratories for several lively and
fruitful discussions of packet filtering as a network security tool; in particular, I'd like to thank Steve
for providing me with prepublication copies of two of his IP security- related papers and of his 1989
article on TCP/IP security problems. Thanks to Ed DeHart of the Computer Emergency Response Team
for strongly and repeatedly encouraging me to write this paper after listening to me moan about the
issues discussed herein. Thanks to Elizabeth Zwicky of SRI International, Brian Lloyd of Lloyd &
Associates, and Steve Bellovin of AT&T Bell Laboratories for reviewing drafts of this paper and
providing valuable feedback and suggestions.
REFERENCES
[Bellovin89]
[1]. S. M. Bellovin, "Security Problems in the TCP/IP Protocol Suite"; Computer Communi- cations
Review, Volume 9, Number 2; April 1989; pp. 32-48.
[Bellovin92a]
[2]. Steven M. Bellovin, "Packets Found on an Internet"; in preparation; 1992.
[Bellovin92b]
[3]. Steven M. Bellovin, "There Be Dragons"; Proceedings of the Third USENIX UNIX Secu- rity
Symposium; Baltimore, MD; September, 1992.
[Ches90]
[4]. Bill Cheswick, "The Design of a Secure Internet Gateway"; Proceedings of the USENIX
Summer 1990 Conference; Anaheim, CA; June 11-15, 1990; pp. 233-237.
[CHS91]
[5]. Bruce Corbridge, Robert Henig, Charles Slater, "Packet Filtering in an IP Router"; Proceedings
of the Fifth USENIX Large Installation and System Administration Confer- ence (LISA V); San
Diego, CA; October, 1992; pp. 227-232.
[Cisco90]
[6]. Cisco Systems (Menlo Park, CA); "Gateway System Manual; Software Release 8.2"; 1990.
[CMQ92]
[7]. Smoot Carl-Mitchell and John S. Quarterman, "Building Internet Firewalls"; UnixWorld;
79
February, 1992; pp 93-102.
[Comer91]
[8]. Douglas E. Comer, Internetworking with TCP/IP, Volume I; Second Edition, 1991;
Prentice-Hall, Inc.
[Kent89]
[9]. Stephen Kent, "Comments on 'Security Problems in the TCP/IP Protocol Suite'"; Com- puter
Communications Review; July 1989.
[Mogul89]
[10]. Jeffrey C. Mogul, "Simple and Flexible Datagram Access Controls for UNIX-based Gate- ways";
Proceedings of the USENIX Summer 1989 Conference; pp. 203-221.
[Ranum92]
[11]. Marcus J. Ranum, "A Network Firewall"; Proceedings of the World Conference on Sys- tem
Administration and Security; July 1992; Washington, D.C.; pp. 153-163.
[RFC1058]
[12]. C. Hedrick, "Routing Information Protocol", Request For Comments 1058; available from the DDN
Network Information Center (NIC.DDN.MIL).
[RFC1340]
[13]. J. Reynolds and J. Postel, "Assigned Numbers", Request For Comments 1340; available from
the DDN Network Information Center (NIC.DDN.MIL).
[Telebit92a]
[14]. Telebit Corporation (Sunnyvale, CA), "NetBlazer Command Reference"; 1992.
10. A Mechanism To Achieve Network Security Through IP Packet Filtering
[Telebit92b]
[15]. Telebit Corporation (Sunnyvale, CA), "NetBlazer Version 1.4 Release Notes"; 1992.
Appendix A — Filtering Characteristics of Common IP Protocols
A.1. SMTP
SMTP is provided as a TCP service with the server end of the connection at port 25 and the client end at
80
a random port.
A.2. TELNET
TELNET is provided as a TCP service with the server end of the connection at port 23, and the
client end at a random port.
A.3. FTP
FTP is slightly tricky, in that an FTP conversation actually involves two TCP connections in typical
UNIX implementations: one for connection for commands, and one for data. The command connection
is at port 21 on the server, and the data connection is at port 20 on the erver; both connections use
random ports on the client side.
A.4. NNTP
NNTP is provided as a TCP service with the server end at port 119, and the client end at a random port.
A.5. DNS
DNS is provided as both a TCP and UDP service at port 53. The UDP service is usually used for client-to-
server queries (the client end will be at a random port) and server-to-server proxy queries (where a
server queries another server on behalf of a client), while the TCP ser- vice is usually used for server-to-server
bulk data transfers (typically zone transfers from pri- mary to secondary DNS servers for a given
zone).
One implementation characteristic of the most common DNS server implementation (the "BIND",
or "Berkeley Internet Name Daemon," implementation) is that server-to-server proxy queries are made
via UDP with both ends of the connection using port 53. Packet filtering specifications can take good
advantage of this characteristic, since DNS is often the only UDP-based protocol that sites want to
allow bidirectionally (i.e., allow both inbound and out- bound) between their internal machines and the
outside world. The fact that DNS uses port 53 for both ends of such a connection, rather than port 53 for
answering server end and a random port for the requesting server end, allows DNS to be bidirectionally
enabled in filtering imple- mentations that examine only destination ports (not source ports) without
running afoul of the "allowing any connection where both ends are above 1023" problem with allowing
bidirec- tional services in such routers (see Section 4.2 for a detailed discussion of this problem).
A.6. BSD r* services (rlogin, rsh, rcp, and rexec)
The BSD r* services (rlogin, rsh, rcp, and rexec) are another tricky case because they use privileged ports
(ports below 1024; see below for a discussion of "privileged" and "non- privileged" ports) for both the
server (port 512 for rexec, 513 for rlogin, and 514 for rsh and rcp) and client (a random privileged port).
A typical filtering set that allows outbound services by allowing outbound packets to specific privileged
ports and inbound packets to non- privileged ports won't allow any of these services, since their
inbound packets will be coming to random privileged ports. If you then allow inbound packets to
random privileged ports, you've just opened up all your own services on privileged ports to attacks
from the outside world. One possible solution is to this quandry is to allow only packets from
"established"
connections inbound, if your filtering implementation has that capability (see Section 4.3).
A.7. RIP
RIP broadcasts between routers uses UDP port 520 as for both source and destination. A RIP query may
use some other UDP port as their source port with 520 as the destination port; replies to the query will use
520 as the source port and the query's source port as the reply's destination port [RFC1058].
A.8. RPC and RPC-based services (YP/NIS and NFS)
RPC (Sun's Remote Procedure Call mechanism, which is at the heart of a number of other
protocols, notably YP/NIS and NFS) is a real can of worms when it comes to packet filtering. The
only ports a machine running RPC is certain to be using are UDP and TCP ports 111, for the "portmapper"
11. A Mechanism To Achieve Network Security Through IP Packet Filtering
process which maps requests for specific RPC services to the partic- ular ports (somewhat randomly
determined) that they are running on at the moment on that particular machine. See the complete
discussion of the problems with filtering RPC and RPC- based services in Section 4.6.
A.9. Window systems
Various window systems vary in what ports they use. X11, for instance, typically uses TCP port
6000 for the first display on a given machine, port 6001 for the second display (if the machine has a
second display), and so forth; to protect machines running X11 servers, you must filter ports 6000 through
6000+n, where n is the maximum number of X11 servers run- ning on any single machine behind your
filtering screen. OpenWindows uses port 2000.
81
A.10. ICMP
ICMP is a protocol parallel to TCP and UDP, layered on top of IP, that is used to transmit
control, information, and error messages between the IP software on different machines. Rather
than having source or destination ports, ICMP packets simply have a "type" code that indicates the nature of the
ICMP packets. Most packet filtering implementations can filter ICMP packets by type in the same way as
they can filter TCP or UDP by port. Some of these ICMP packet types are informational in nature (such as
messages that a packet failed to reach its destination because the destination is unreachable or because
the packet traveled through too many routers enroute and timed out), and should almost certainly be
permitted through filters. Other ICMP packet types are useful for network management and debugging
(such as "echo request" and "echo reply" messages), and should probably be permitted through filters. Still
other ICMP packet types are instructions (such as "redirect") that probably should not be permitted through
filters.†
Common network management tools such as "ping" and "traceroute" depend on being able to
send and receive ICMP messages. Ping works by sending ICMP echo request mes- sages, and listening
for ICMP echo response messages. Traceroute works by generating UDP probe packets that are destined
to a random UDP port, then listening for ICMP destination unreachable messages sent in response to the
probe packet.
A.11. Other services
Other network services, such as databases, license servers, print servers, "rlogin" and "rsh" servers,
and so forth, all use TCP or UDP ports. In general, if these servers are intended and required to run as
"root", they use BSD privileged ports (ports below 1024), and if not, they use BSD unprivileged ports
(ports at or above 1024), though this is not always true. If there's a particular service that's not discussed
here that you're interested in special-casing, you can often figure out what ports it uses by examining the
RFCs describing the service, the source code implementing the service, or (as a last resort) the output
of "netstat -a" while the service is in use.