Showing papers on "Internet security published in 2000"

A survey of trust in internet applications

Abstract: Trust is an important aspect of decision making for Internet applications and particularly influences the specification of security policy, i.e., who is authorized to perform actions as well as the techniques needed to manage and implement security to and for the applications. This survey examines the various definitions of trust in the literature and provides a working definition of trust for Internet applications. The properties of trust relationships are explained and classes of different types of trust identified in the literature are discussed with examples. Some influential examples of trust management systems are described.

Internet Security Glossary

Abstract: This Glossary (191 pages of definitions and 13 pages of references) provides abbreviations, explanations, and recommendations for use of information system security terminology. The intent is to improve the comprehensibility of writing that deals with Internet security, particularly Internet Standards documents (ISDs). To avoid confusion, ISDs should use the same term or definition whenever the same concept is mentioned. To improve international understanding, ISDs should use terms in their plainest, dictionary sense. ISDs should use terms established in standards documents and other well-founded publications and should avoid substituting private or newly made-up terms. ISDs should avoid terms that are proprietary or otherwise favor a particular vendor, or that create a bias toward a particular security technology or mechanism versus other, competing techniques that already exist or might be developed in the future.

Internet Privacy and Security: An Examination of Online Retailer Disclosures

Abstract: The Federal Trade Commission has declared the privacy and security of consumer information to be two major issues that stem from the rapid growth in e-commerce, particularly in terms of consumer-related commerce on the Internet. Although prior studies have assessed online retailer responses to privacy and security concerns with respect to retailers’ disclosure of their practices, these studies have been fairly general in their approaches and have not explored the potential for such disclosures to affect consumers. The authors examine online retailer disclosures of various privacy- and security-related practices for 17 product categories. They also compare the prevalence of disclosures to a subset of data from a consumer survey to evaluate potential relationships between online retailer practices and consumer perceptions of risk and purchase intentions across product categories.

Image encryption for secure Internet multimedia applications

Abstract: Internet multimedia applications have become very, popular. Valuable multimedia content such as digital images, however, is vulnerable to unauthorized access while in storage and during transmission over a network. Streaming digital images also require high network bandwidth for transmission. For effective image transmission over the Internet, therefore, both security and bandwidth issues must be considered. We present a novel scheme, which combines the discrete wavelet transform (DWT) for image compression and block cipher Data Encryption Standard (DES) for image encryption. The simulation results indicate that our proposed method enhances the security for image transmission over the Internet as well as improves the transmission rate.

Integrated system for network layer security and fine-grained identity-based access control

Abstract: The present invention provides a method, system, and computer program product for enhancing security within a distributed computing network while enabling fine-grained access control for packets traveling through the network. The disclosed techniques enable this fine-grained access control while simultaneously providing broad-brush application-independent and user-independent security for Internet Protocol (IP) packets that are in transit over both secure networks (such as a corporate intranet) and non-secure networks (such as the public Internet). Access control decisions are delegated to an access control engine, and are based upon mutually authenticated identity information (e.g. of a system user and/or application) that is extracted from information exchanged as part of an underlying security service (such as the Internet Key Exchange of the IP Security Protocol).

SubDomain: Parsimonious Server Security

Abstract: Internet security incidents have shown that while network cryptography tools like SSL are valuable to Internet service, the hard problem is to protect the server itself from attack. The host security problem is important because attackers know to attack the weakest link, which is vulnerable servers. The problem is hard because securing a server requires securing every piece of software on the server that the attacker can access, which can be a very large set of software for a sophisticated server. Sophisticated security architectures that protect against this class of problem exist, but because they are either complex, expensive, or incompatible with existing application software, most Internet server operators have not chosen to use them.This paper presents SubDomain: an OS extension designed to provide sufficient security to prevent vulnerability rot in Internet server platforms, and yet simple enough to minimize the performance, administrative, and implementation costs. SubDomain does this by providing a least privilege mechanism for programs rather than for users. By orienting itself to programs rather than users, SubDomain simplifies the security administrator's task of securing the server.This paper describes the problem space of securing Internet servers, and presents the SubDomain solution to this problem. We describe the design, implementation, and operation of SubDomain, and provide working examples and performance metrics for services such as HTTP, SMTP, POP, and DNS protected with SubDomain.

Method and system for targeting internet advertisements and messages by geographic location

Abstract: A method and system of targeting an Internet messaged to an Internet client based on geographic information of the Internet client is disclosed. The present invention first obtains IP addresses of Internet clients as they visit their web sites. The present invention then obtains addresses from the Internet clients and transforming the addresses to latitude/longitude coordinates for each of the Internet clients. A lookup table can thus be generated by correlating the IP addresses with the addresses and latitude/longitude coordinates. The information can be mined to resolve multiple entry conflicts to extract most likely position of a particular address. When an Internet client visits a web server, the IP address is collected from the Internet client to be targeted. The location of the Internet client can then be approximated by comparing the client's IP address with the lookup table. Upon approximation, a commercial message is transmitted to the Internet client, wherein the commercial message is related to the geographical location of the Internet client.

Hacking Exposed

Abstract: From the Publisher: This one-of-a-kind book provides in-depth expert insight into how hackers infiltrate e-business,and how they can be stopped. In today's round-the-clock,hyper-connected,all-digital economy,computer security is everyone's business. Hacking Exposed: Network Security Secrets & Solutions,Second Edition brings even more in-depth insight into how hackers infiltrate e-business,and how they can be stopped. Security insiders Stuart McClure,Joel Scambray,and George Kurtz present more than 220 all-new pages of technical detail and case studies in an easy-to-follow style. The world of Internet security moves even faster than the digital economy,and all of the brand-new tools and techniques that have surfaced since the publication of the best-selling first edition are covered here. Use the real-world countermeasures in this one-of-a-kind volume to plug the holes in your network today—before they end up in the headlines tomorrow. New and Updated Material: Brand new "Hacking the Internet User" chapter covers insidious Internet client attacks against web browsers,email software,and active content,including the vicious new Outlook email date field buffer overflow and ILOVEYOU worms. A huge new chapter on Windows 2000 attacks and countermeasures covers offline password database attacks and Encrypting File System (EFS) vulnerabilities. Coverage of all the new Distributed Denial of Service (DDoS) tools and techniques that almost broke down the Internet in February 2000 (Trinoo,TFN2K,Stacheldraht). Significantly updated e-commerce hacking methodologies including new IIS and Cold Fusion vulnerabilities. A revised and updated dial-up chapter with new material onPBX and voicemail system hacking. New network discovery tools and techniques,including an updated section on Windows-based scanners,how to carry out eavesdropping attacks on switched networks using ARP redirection,and RIP spoofing attacks. Coverage of new back doors and forensic techniques,including defenses against Win9x back doors like Sub7. Updated coverage of security attacks against Windows 9x,Windows Me,Windows 2000,Windows NT,UNIX,Linux,NetWare,and dozens of other platforms,with appropriate countermeasures.

Method, apparatus and computer program product for a network firewall

Abstract: An improved firewall for providing network security is described. The improved firewall provides for dynamic rule generation, as well using conventional fixed rules. This improvement is provided without significant increase in the processing time required for most packets. Additionally, the improved firewall provides for translation of IP addresses between the firewall and the internal network.

Defeating distributed denial of service attacks

Abstract: Security experts generally acknowledge that the long-term solution to distributed denial of service attacks is to increase the security level of Internet computers. Attackers would then be unable to find zombie computers to control. Internet users would also have to set up globally coordinated filters to stop attacks early. However, the critical challenge in these solutions lies in identifying the incentives for the Internet's tens of millions of independent companies and individuals to cooperate on security and traffic control issues that do not appear to directly affect them. We give a brief introduction to: network weaknesses that DDoS attacks exploit; the technological futility of addressing the problem solely at the local level; potential global solutions; and why global solutions require an economic incentive framework.

System and method for improved network security

Abstract: A system is provided for establishing a secure link among multiple users on a single machine with a remote machine. The system includes a subsystem to filter traffic so that traffic from each user is separate. The subsystem generates and associates a Security Association (SA) with at least one filter corresponding to the user and the traffic, and employs the SA to establish the secure link. An Internet Key Exchange module and a policy module may be included to generate and associate the security association, wherein the policy module is configured via Internet Protocol Security (IPSEC).

A method and apparatus for managing a firewall

Abstract: A method and apparatus are disclosed for managing a firewall. The disclosed firewall manager facilitates the generation of a security policy for a particular network environment, and automatically generates the firewall-specific configuration files from the security policy simultaneously for multiple gateways. The security policy is separated from the vendor-specific rule syntax and semantics and from the actual network topology. Thus, the security administrator can focus on designing an appropriate policy without worrying about firewall rule complexity, rule ordering, and other low-level configuration issues. In addition, the administrator can maintain a consistent policy in the presence of intranet topology changes. The disclosed firewall manager utilizes a model definition language (MDL) and an associated parser to produce an entity relationship model. A model compiler translates the entity-relationship model into the appropriate firewall configuration files. The entity-relationship model provides a framework for representing both the firewall-independent security policy, and the network topology. The security policy is expressed in terms of "roles," which are used to define network capabilities of sending and receiving services. A role may be assumed by different hosts or host-groups in the network. A visualization and debugging tool is provided to transform the firewall-specific configuration files into a graphical representation of the current policy on the actual topology, allowing the viability of a chosen policy to be evaluated. A role-group may be closed to prevent the inheritance of roles.

Security system linked to the internet

Abstract: A security network includes a security system having an alarm module coupled to a computer. The computer is coupled to a computer network. The alarm module can communicate to the computer network using the communication hardware and software of the computer. The computer network includes a security company server coupled to a security company and the Internet. This links the security system to the Internet and allows individuals to externally access the security system via the Internet. The security system also includes a plurality of remote sensors/transmitters to sense an alarm condition and to transmit wireless signals to the alarm module indicative of the alarm condition. When an alarm condition exists, the security system transmits an alarm signal to the security company server, and the security company server transmits e-mail or other information to the security system in response to the alarm signal. The status of the security system and alarm conditions can be monitored via the Internet.

Usability meets security - the Identity-Manager as your personal security assistant for the Internet

Abstract: In today's applications, most users disregard the security functionality. They do not have the knowledge and/or the motivation to configure or to use the existing security functions correctly. In this paper, we present a new concept to improve the usability of security mechanisms, introducing an extended classification of protection goals. As a result, the everyday use of security functionality can be reduced to selecting the user's identity, which is the basis of the Identity-Manager, a new security tool presented in this paper. It offers a user interface for security functionality that is compatible with all Internet applications, so even inexperienced users are able to configure and negotiate their security needs in a convenient way.

Awareness and challenges of Internet security

Abstract: Internet security is an important issue today. Corporate data are at risk when they are exposed to the Internet. Current technologies provide a number of ways to secure data transmission and storage, including encryption, firewalls, and private networks. This article discusses the awareness of Internet security and challenges faced in both the public and the private sectors.

Security Technologies for the World Wide Web

Abstract: From the Publisher: This hands-on book gives you a comprehensive analysis of current trends in WWW security, plus an evaluation of existing technologies, such as anonymity services and security products. It helps you guarantee that electronic commerce applications on your website are executed with the utmost security and protection. What's more, it helps you understand content protection and the benefits and drawbacks of censorship on the web.. "Geared toward proactive Internet security professionals, this handy resource helps you comprehend existing security technologies, evaluate and choose those that best suit your needs, understand corresponding software and hardware, and more.

E-Business and E-Commerce for Managers

Abstract: From the Publisher: Dr. Harvey M. Deitel and Paul J. Deitel are the principals of Deitel & Associates, Inc., the internationally recognized corporate training and content-creation organization specializing in e-Business, e -Commerce, Internet, World Wide Web and software technologies. In e-Business & e-Commerce for Managers, the Deitels and their colleague, Kate Steinbuhler, discuss the Internet, the Web, e-Business and e-Commerce topics including: e-Business/e-Commerce Models "Clicks-and-Mortar" Businesses Building e-Businesses Turnkey e-Business Solutions Online Monetary Transactions Hardware, Software, Communications Wireless Internet and m-Business Internet Security/Digital Signatures Public Key Cryptography/SSL/SET™ e-Marketing/e-Advertising Partnering/Affiliate Program Models e-Customer Relationship Management Legal/Ethical Issues/Internet Taxation Copyright/File Sharing Privacy/Personalization/Cookies Globalization/Localization Social and Political Issues/Cybercrime Web Access for People with Disabilities Online Industries Online Banking and Investing e-Learning/Web-Based Training e-Publishing/Online News Services Online Entertainment/Interactive Television Online Career Services e-Business & e-Commerce for Managers includes extensive pedagogic features: Terminology, chapter summaries, self-review exercises and answers, exercises Internet and World Wide Webresources sections with URLs of important Web sites Challenging projects that encourage students to visit and analyze key Web sites A unique feature of the book is the optional case study on programming an e-business. Designed for non-programmers, this case study leads the reader step-by-step through the implementation of a storefront e-business. It develops a multi-tier, client/server architecture, teaches HTML through the intermediate level and carefully introduces eight other popular technologies for building e-businesses: JavaScript (for making Web pages dynamic), ASP (Active Server Pages; for processing client requests), VBScript (for programming the business logic on the server), ADO (ActiveX Data Objects; for generically accessing a variety of databases), SQL (for making database queries), HTTP (HyperText Transfer Protocol; for transferring information over the Web), XML (eXtensible Markup Language; for describing data) and XSL (eXtensible Stylesheet Language; for formatting XML-encoded data). e-Business & e-Commerce for Managers is the centerpiece of a complete family of resources for teaching and learning e-Business & e-Commerce, including companion Web sites.

Domain based Internet security policy management

Abstract: As security devices and protocols become widely used on the Internet, the task of managing and processing communication security policies grows steeply in its complexity. This paper presents a scaleable, robust, secure distributed system that can manage communication security policies associated with multiple network domains and resolving the policies-esp. those that specify the use of IP-AH/ESP security protocols-into security requirements for inter-domain communication. Technology innovation includes a formal model for IPsec policy specification and resolution, a platform independent policy specification language and a distributed policy server system. The formal model consists of a hierarchical domain model for IPsec policy enforcement and a lattice model of IPsec policy semantics. The policy specification language enables users to specify IPsec policies using the formal model regardless of the make of the security devices. The policy servers maintain the security policies in a distributed database, and negotiate the security associations for protecting inter-domain communication. Both the policy database and the policy exchange protocol are protected from passive and active attacks. Several UNIX implementations are available for non-commercial uses.

Firewall for real-time internet applications

Abstract: The present invention relates to a firewall for use in association with real-time Internet applications such as Voice over Internet Protocol (VoIP). The firewall applies an application proxy to the signaling and control channels and a packet filter to the bearer channels. One of the features of hybrid firewall is that the application proxy can instruct the packet filter as to which bearer channels to enable and disable for the duration of a real-time Internet application session. The hybrid firewall can also intelligently perform network address translation (NAT) on Internet protocol packets incoming and outgoing to the firewall.

Will wap deliver the wireless internet

Abstract: With users increasingly adopting Internet-enabled cellular phones and other handheld devices, vendors are looking for platform-independent wireless technologies to help these devices effectively access Internet content and services, and communicate with each other. WAP is designed to address small devices' technical limitations and work with a variety of wireless platforms. WAP (the Wireless Application Protocol) offers a scalable, extensible protocol stack that handles security, the establishment of sessions, and other aspects of mobile communications. Proponents and many industry observers are touting WAP as the technology that will become the standardized basis and future of the mobile Internet.

Method of virtual private network communication in security gateway apparatus and security gateway apparatus using the same

Abstract: A method of the Virtual Private Network (VPN) communication employed for a security gateway apparatus and the security gateway apparatus using the same, which allow a personal computer outside a local area network (LAN) to access, via a WAN, to a terminal on the LAN, virtually regarding the outside PC as a terminal on the LAN. The communication method is employed for a security gateway apparatus to connect, through concentration and conversion process, between a LAN and a WAN including a public network. Security Architecture for the Internet Protocol (IPsec) establishes VPN with an outside PC having a dialup connection to the WAN. During an Internet Key Exchange (IKE) communication that is performed prior to the IPsec communication, the security gateway apparatus integrates a Dynamic Host Configuration Protocol (DHCP) communication option into an IKE data, and designates the IP address of the outside PC from a tunneled IP packet.

Transparent network security policy enforcement

Abstract: Recent work in the area of network security, such as IPsec, provides mechanisms for securing the traffic between any two interconnected hosts. However, it is not always possible, economical, or even practical from an administration and operational point of view to upgrade the software and configuration of all the nodes in a network to support such security protocols. One apparent solution to this problem is the use of security gateways that apply the relevant security protocols on behalf of the protected nodes, under the assumption that the "last hop" between the security gateway and the end node is safe without cryptography. Such a gateway can be set to enforce specific security policies for different types of traffic. While this solution is appealing in static scenarios (such as building so-called "intranets"), the use of Layer-3 (network) routers as security gateways presents some transparency and configuration problems with regards to peer authentication in the automated key management protocol. This paper describes the architecture and implementation of a Layer-2 (link layer) bridge with extensions for offering Layer-3 security services. We extend the OpenBSD ethernet bridge to perform simple IP packet filtering and IPsec processing for incoming and outgoing packets on behalf of a protected node, completely transparently to both the protected and the remote communication endpoint. The same mechanism may be used to construct "virtual local area networks," by establishing IPsec tunnels between OpenBSD bridges connected geographically separated LANs. As our system operates in the link layer, there is no need for software or configuration changes in the protected nodes.

FPGA-based Internet protocol firewall chip

Abstract: We present the design of a firewall for IP networks using a field-programmable gate array (FPGA). The FPGA implements, in hardware, the accept or deny rules of the firewall. A hardware-based firewall offers the advantages of speed over a software firewall, in addition to direct interfacing with network devices, such as an Ethernet or a serial line transceiver. This paper shows how the rules are translated to VHDL and then implemented in hardware, and how the hardware is utilized to filter network traffic in a packet-by-packet fashion, or based on connection information, with a speed of more than 500,000 packets per second.

Security considerations for FAN-Internet connections

Abstract: The interconnection between field area networks and IP-based LANs, as well as the Internet as a whole, is becoming increasingly popular. Emerging security issues have been neglected or underrated in the past. However, traditional security concepts that work well for LANs and the Internet are hardly applicable to field bus systems. Based on an example from home automation, we review the problem and consider ways to prevent attacks both from the outside world and from within the field bus. Particular emphasis is given to firewalls, which are found to be only of limited value for securing field bus-Internet gateways. To tackle the security problem both on the field bus level and on the Internet, we propose the use of smart cards for authentication and encryption. We discuss modifications that are necessary to make field bus nodes secure, why smart cards are "different" and strategies to implement access control on the gateway.

Systems for local network security

Abstract: Security systems for computers connected to networks transmitting packets are disclosed. One disclosed system includes a security agent and a local security device featuring a network hardware connector, a computer hardware connector, a flash memory and a microprocessor to perform a software instruction. The security agent closes the security device by altering a setting of a bit of the flash memory. Further disclosed is a firewall on a single chip for providing security to a network transmitting packets. The firewall includes a network hardware connector, a memory for storing a rule and a software instruction for examining each packet and a microprocessor. Preferably the rule is configurable by a user and the memory includes at least one displayable Web and Web server functionally for serving a Web page and accepting a command from a user such that said at least one rule is determined by the command.

Distributed robotics over the Internet

Abstract: We present a communication framework to enable control and collaboration between multiple users over the Internet. We first discuss standard Internet protocols and extensions known as middleware and technologies in the context of Internet telerobotics. A protocol and framework suitable for collaborative telerobotic control are then introduced and discussed. Finally, an example of how the framework might be used for a simple telerobotic system is presented. The system has been tested locally but is not yet freely available on the Internet.

Methods and systems for providing security for accessing networks, methods and systems for providing security for accessing the internet

Abstract: Systems and methods for providing network access, e.g. Internet access, are described. An architecture includes a host organization network through which network access is provided. The host organization network can be advantageously deployed in public areas such as airports and shopping malls. An authentication/negotiation component is provided for authenticating various users and negotiating for services with service providers on behalf of the system users. The authentication/negotiation component can include one or more specialized servers and a policy manager that contains policies that govern user access to the Internet. An authentication database is provided and authenticates various users of the system. An access module is provided through which individual client computing devices can access the Internet. In one embodiment, the access module comprises individual wireless access points that permit the client computing devices to wirelessly communicate data packets that are intended for the Internet. In one aspect, users are given a variety of choices of different service levels that they can use for accessing the Internet. The service levels can vary in such things as bandwidth allocation and security measures. The various service levels can be purchased by the users using their computing devices.

An innovative Internet architecture for application service providers

Abstract: In recent years, business on the Internet has exponentially increased. Consequently, the deployment and management of business applications on the Internet is becoming more and more complex, which requires the development of new Internet architectures suitable to efficiently run these business applications. We present and evaluate several computing models for application service providers and introduce the server-based model and the corresponding Internet architecture. Two case studies, which use the proposed architecture for application deployment, are also described.

Internet co-location facility security system

Abstract: An Internet co-location facility security system integrates all the major components of the system and makes tracking information from these components available to co-located members on a database accessible from the web. A web-based interface allows co-located members to assign visitor access to the Internet co-location facility through the Internet from remote computer terminals. A visitor access and enrollment system allows a visitor to enroll only once in the system to be granted access to one or more other Internet co-location facility security systems around the globe.