• Journal of Korea Society of Industrial Information Systems
• /
• v.2 no.1
• /
• pp.103-123
• /
• 1997

This dissertation provides a theoretic study on the network security in general , the firewall in particular. In fact the firewall has been recognized as a very promising option to obtain the security inthe real work network environment . The dissertation provides a throuth theoretic investigation on the various problems raised in the computer network, and also explores a methodology of the security against IP spoofing. Moreover, it investigates a systematic procddure to make analysis and plans of the firewall configuration . Based on the above investigation and analysis, this dissertation provides two approaches to network security , which address anumber of issuesboth at the network and at applicatino level. At the network level, a new method is proposed which uses packet filtering based on the analysis of the counter plot about the screen router.On the other hand, at the application level, a novel method is explored which employs secureity software. Firewall-1 , on Bastion host. To demonstrate the feasibililty and the effectiveness of the proposed methodologties , a prototype implementation is made The experiment result shows that the screen router employing the proposed anti-IP spoofing method at the network level is effective enough for the system to remain secure without being invaded by any illegal packets entering form external hackers. Meanwhile , at the application level, the proposed software approach employing Firewall-1 is proved to be robust enugh to prevent hackings from the outer point the point protocal connnection . Theoretically, it is not possible to provide complete security to the network system, because the network security involve a number of issues raised form low level network equipments form high level network protocol. The result inthis dissertation provides a very promising solution to network security due to its high efficiency of the implementation and superb protectiveness from a variety of hacking.

• Journal of the Korea Society of Computer and Information
• /
• v.15 no.9
• /
• pp.99-107
• /
• 2010

This paper showed that the integrated system to fortify security was much more efficient than the respective system through the analysis of problems from Firewall and IPS system in the existing security systems. The results of problem analysis revealed that there were the delay of processing time and lack of efficiency in the existing security systems. Accordingly, their performance was evaluated by using the separated Firewall, IPS system, and the integrated system. The result of evaluation shows that the integrated security system this paper suggested is five times faster than the existing one in terms of processing speed of response. This paper demonstrated the excellence of the proposed security system is also more than fivefold in session handling per second and six times process speeding in the CPU processing performance. In addition, several security policies are applied, and it provided a fact that it gave an excellent performance when it comes to protecting from harmful traffic attacks. In conclusion, this paper emphasized that fortifying the integrated security system was more efficient than fortifying the existing one considering in various respects such as cost, management, time, space and so on.

• The Transactions of the Korea Information Processing Society
• /
• v.5 no.4
• /
• pp.967-974
• /
• 1998

Access control scheme of the firewall systems protects the systems from threats by using the conventional discretionary access control mechanism. The discretionary access control mechanism is insufficient to control secure information flow on the multievel network. Thus, it is necessary to provide the mandatory access control mechanism to the firewall systems for the multilevel security environment. In this paper, we present a design scheme of the security mechanisms concerning the sensitivity label and the mandatory access control for securely processing the multilevel information.

• Journal of Institute of Control, Robotics and Systems
• /
• v.9 no.4
• /
• pp.310-319
• /
• 2003

As the importance and the need for network security are increased, many organizations use the various security systems. They enable to construct the consistent integrated security environment by sharing the network vulnerable information among IDS (Intrusion Detection System), firewall and vulnerable scanner. The multiple IDSes coordinate by sharing attacker's information for the effective detection of the intrusion is the effective method for improving the intrusion detection performance. The system which uses BBA (Blackboard Architecture) for the information sharing can be easily expanded by adding new agents and increasing the number of BB (Blackboard) levels. Moreover the subdivided levels of blackboard enhance the sensitivity of the intrusion detection. For the simulation, security models are constructed based on the DEVS (Discrete Event system Specification) formalism. The intrusion detection agent uses the ES (Expert System). The intrusion detection system detects the intrusions using the blackboard and the firewall responses to these detection information.

• Journal of Advanced Marine Engineering and Technology
• /
• v.27 no.1
• /
• pp.65-75
• /
• 2003

The internet telephony service is one of the successful internet application services. VoIP is the key technology for the service to come true. VoIP uses H.323 or SIP as the standard protocol for the distributed multimedia services over the internet environment, in which QoS is not guaranteed. VoIP carries the packetized voice by using the RTP/UDP/IP protocol stack. The UDP-based internet services cause the data transmission problem to the users behind the internet firewall. So does the internet telephony service. The users are not able to listen the voices of the counter-parts on the public internet or PSTN. It makes the problem more difficult that the internet telephony service addressed in this paper uses only one UDP port number to send the voice data of all sessions from gateway to terminal node. In this paper, two schemes including the usage of dummy UDP datagrams, and the protocol conversion are suggested. The implementation of one of the schemes, the protocol conversion, and the performance evaluation are described in detail.

• Proceedings of the Korean Institute of Information and Commucation Sciences Conference
• /
• 2000.10a
• /
• pp.296-301
• /
• 2000

This paper provides the solution for supporting H.323 services through firewalls with proxy server. The paper Provides a survey of H.323 Protocol, and framework for firewalls. The Paper also discusses the issues of H.323 and proxy server - why H.323 is hard for firewalls, and service scenarios with H.323 terminals and proxy server. Finally, the paper propose an application proxy service architecture for supporting H.323 protocol.

• Proceedings of the Korea Society of Information Technology Applications Conference
• /
• 2005.11a
• /
• pp.297-300
• /
• 2005

Especially, system security is very important in the ubiquitous environment. This paper proposes a protecting scheme for security policies in Firewall and intrusion detection system (IDS). The one-way hash function and the symmetric cryptosystem are used to make the protected rules for Firewalls and IDSs. The proposed scheme could be applied in diverse kind of defense systems which use rules.

• 제어로봇시스템학회:학술대회논문집
• /
• 2001.10a
• /
• pp.59.1-59
• /
• 2001

The attackers on Internet-connected systems we are seeing today are more serious and more technically complex than those in the past. Computer security incidents are different from many other types of crimes because detection is unusually difficult. So, network security managers need a IDS and Firewall. IDS (Intrusion Detection System) monitors system activities to identify unauthorized use, misuse or abuse of computer and network system. It accomplishes these by collecting information from a variety of systems and network resources and then analyzing the information for symptoms of security problems. A Firewall is a way to restrict access between the Internet and internal network. Usually, the input ...

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.4
• /
• pp.667-677
• /
• 2013

As the firewall is a typical network security equipment, it is usually installed at most of internal/external networks and makes many packet data in/out. So analyzing the its logs stored in it can provide important and fundamental data on the network security research. However, along with development of communications technology, the speed of internet network is improved and then the amount of log data is becoming 'Massive Data' or 'BigData'. In this trend, there are limits to analyze log data using the traditional database model RDBMS. In this paper, through our Method of Analyzing Firewall log data using MapReduce based on NoSQL, we have discovered that the introducing NoSQL data base model can more effectively analyze the massive log data than the traditional one. We have demonstrated execellent performance of the NoSQL by comparing the performance of data processing with existing RDBMS. Also the proposed method is evaluated by experiments that detect the three attack patterns and shown that it is highly effective.

• The KIPS Transactions:PartD
• /
• v.10D no.1
• /
• pp.153-160
• /
• 2003

Recently, deployments of firewalls and NATs ire increasing to provide network security features or to solve the problem of public IP shortage. But, in these environments, peers in different firewall or NAT environments may get limited services because they cannot open direct communicate channels. This can be a significant problem in pure P2P environments where the peers should get or provide services by opening direct channels among themselves. In this paper, we propose a scheme for dynamically selecting a peer that fan be used as a proxy server. The proxy server supports the communication between the peers in different firewall or NAT environments. The proposed scheme is operating system independent and supports bidirectional communication among the peers in P2P environments. Additionally, the proposed scheme can distribute network traffic by dynamically allocating proxy servers to the peers that is not located in the firewall or NAT environments.