CSE 127: Lecture 16


The topics covered in this lecture are: defensive programming, network topology and firewalls, and intrusion detection systems (IDS).

Defensive Programming

Syntactic macros (see the quicksort handout), i.e., macros written so that they can be used exactly like a function call, allow late binding of the decision whether an operation is a macro or a real function (useful when inline functions are unavailable), while the discipline they impose (every argument use parenthesized, a multi-statement body wrapped in do { ... } while (0)) prevents the classic macro errors: operator-precedence surprises and statements escaping an if without braces.

Putting a non-lvalue (typically a constant) on the left-hand side of an equality comparison in C/C++ is a good habit: if one of the two equal signs is accidentally omitted, 0 = x is not a valid assignment and will not compile, whereas x = 0 compiles silently, assigns, and is always false.
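The following is an added example, not code from the lecture notes or the quicksort handout: two macros written in the syntactic style beside the sloppy forms they replace, a compile-time switch standing in for "inline functions are available" to show the late binding, and the constant-on-the-left comparison. Macro and function names are the example's own.

```c
/* Added example (not from the lecture notes or the quicksort handout):
 * macros written to behave like function calls, beside the sloppy forms
 * they replace, plus the constant-on-the-left comparison habit. */
#include <stdio.h>

/* Sloppy: the argument is not parenthesized, so SQUARE_BAD(a + b) expands
 * to a + b * a + b and operator precedence silently changes the result. */
#define SQUARE_BAD(x) x * x

/* Syntactic macro: every use of the argument and the whole expansion are
 * parenthesized, so it composes exactly as a function call would. */
#define SQUARE(x) ((x) * (x))

/* Sloppy: two statements. After "if (flag)" without braces only the first
 * one is conditional; the second always runs. */
#define BUMP_BOTH_BAD(a, b) (a)++; (b)++

/* Syntactic macro: do { ... } while (0) makes the expansion one statement
 * that also demands the trailing semicolon, exactly like a call. */
#define BUMP_BOTH(a, b) do { (a)++; (b)++; } while (0)

/* Late binding: the same name can be switched to a real function (here via
 * a compile-time switch, a stand-in for "inline is available") without
 * touching any call site. */
#ifdef SQUARE_AS_FUNCTION
static int square_fn(int x) { return x * x; }
#define SQUARE_LATE(x) square_fn(x)
#else
#define SQUARE_LATE(x) SQUARE(x)
#endif

int square_bad_of_sum(int a, int b) { return SQUARE_BAD(a + b); }
int square_of_sum(int a, int b)     { return SQUARE(a + b); }
int square_late(int x)              { return SQUARE_LATE(x); }

/* Returns b after a bump that was supposed to be conditional on flag. */
int bump_bad_when(int flag, int a, int b) {
    if (flag)
        BUMP_BOTH_BAD(a, b);
    return b;               /* b + 1 even when flag is 0 */
}
int bump_good_when(int flag, int a, int b) {
    if (flag)
        BUMP_BOTH(a, b);
    return b;               /* unchanged when flag is 0 */
}

/* Constant on the left: dropping one '=' gives "0 = x", a compile error,
 * instead of the silent "x = 0" assignment that is always false. */
int is_zero(int x) {
    if (0 == x)
        return 1;
    return 0;
}

int main(void) {
    printf("SQUARE_BAD(2 + 3) = %d, SQUARE(2 + 3) = %d\n",
           square_bad_of_sum(2, 3), square_of_sum(2, 3));
    printf("bad bump with flag=0 leaves b = %d, good bump leaves b = %d\n",
           bump_bad_when(0, 1, 5), bump_good_when(0, 1, 5));
    printf("is_zero(0) = %d, is_zero(7) = %d\n", is_zero(0), is_zero(7));
    return 0;
}
```

Build once as-is and once with -DSQUARE_AS_FUNCTION: the callers of SQUARE_LATE do not change, which is the late binding the notes describe. Only the sloppy forms give wrong answers; the syntactic forms behave like the function they stand in for.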

Network Topology & Firewalls

Layered defense. Screening routers, which allow only TCP connections from the outside to certain ports/hosts to pass through; everything else is dropped.

Bastion hosts. A single host with two (or more) network interfaces that does not forward IP packets (or forwards only a very few kinds). Access to internal network servers must first be authenticated to the bastion host, which performs the appropriate authorization checks.

DMZs. A separate subnet between the external Internet and the internal network. Public services run on machines in the DMZ, so that a compromise of one of them does not by itself give access to the internal network.
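The following is an added example, not from the lecture: a stateless screening-router policy for the three-zone layout just described (outside, DMZ, internal), with default deny and a first-match rule list. The address ranges, the single public web server, and the use of the TCP ACK bit to let return traffic through are assumptions of the example, as are all constructed packets.

```c
/* Added example (not from the lecture): a stateless screening-router policy
 * for an outside / DMZ / internal layout. Addresses and the ACK-bit rule for
 * return traffic are assumptions of the example. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

enum proto  { TCP = 6, UDP = 17 };
enum action { DENY = 0, ALLOW = 1 };
enum zone   { EXTERNAL, ZONE_DMZ, ZONE_INTERNAL };

struct net { uint32_t addr, mask; };
/* Constructed addressing: DMZ and internal nets are RFC 1918 space,
 * anything else is "the outside". */
static const struct net DMZ_NET      = { IP4(192, 168, 10, 0), IP4(255, 255, 255, 0) };
static const struct net INTERNAL_NET = { IP4(10, 0, 0, 0),     IP4(255, 0, 0, 0) };
#define WEB_SERVER IP4(192, 168, 10, 80)   /* the one public host in the DMZ */

struct pkt { uint32_t src, dst; int proto; uint16_t dport; int tcp_ack; };

struct rule {
    enum zone from, to;
    int       proto;     /* 0 = any protocol */
    uint32_t  dst_host;  /* 0 = any host in the destination zone */
    uint16_t  dport;     /* 0 = any port */
    int       need_ack;  /* 1 = TCP with ACK set only, i.e. no new connections */
    enum action act;
};

/* First match wins; anything not listed is dropped (default deny). */
static const struct rule policy[] = {
    { EXTERNAL,      ZONE_DMZ,      TCP, WEB_SERVER, 80,  0, ALLOW }, /* public web */
    { EXTERNAL,      ZONE_DMZ,      TCP, WEB_SERVER, 443, 0, ALLOW },
    { EXTERNAL,      ZONE_INTERNAL, TCP, 0,          0,   1, ALLOW }, /* replies to connections opened from inside */
    { ZONE_INTERNAL, EXTERNAL,      0,   0,          0,   0, ALLOW }, /* outbound */
    { ZONE_INTERNAL, ZONE_DMZ,      0,   0,          0,   0, ALLOW }, /* manage the DMZ from inside */
    { ZONE_DMZ,      EXTERNAL,      TCP, 0,          0,   1, ALLOW }, /* DMZ answers its clients, cannot dial out */
    /* no DMZ -> INTERNAL rule: a compromised public server cannot reach inward */
};
#define NRULES (sizeof policy / sizeof policy[0])

static int in_net(uint32_t a, const struct net *n) { return (a & n->mask) == n->addr; }

static enum zone zone_of(uint32_t a) {
    if (in_net(a, &DMZ_NET))      return ZONE_DMZ;
    if (in_net(a, &INTERNAL_NET)) return ZONE_INTERNAL;
    return EXTERNAL;
}

/* The screening decision for one packet. */
enum action screen(struct pkt p) {
    enum zone from = zone_of(p.src), to = zone_of(p.dst);
    for (size_t i = 0; i < NRULES; i++) {
        const struct rule *r = &policy[i];
        if (r->from != from || r->to != to)                continue;
        if (r->proto    && r->proto != p.proto)            continue;
        if (r->dst_host && r->dst_host != p.dst)           continue;
        if (r->dport    && r->dport != p.dport)            continue;
        if (r->need_ack && !(p.proto == TCP && p.tcp_ack)) continue;
        return r->act;
    }
    return DENY;
}

static struct pkt mk(uint32_t src, uint32_t dst, int proto, uint16_t dport, int ack) {
    struct pkt p = { src, dst, proto, dport, ack };
    return p;
}

int main(void) {
    /* Constructed packets: 203.0.113.5 is an outside client, 10.1.2.3 an inside host. */
    printf("outside -> web server :80 SYN  %s\n", screen(mk(IP4(203,0,113,5), WEB_SERVER, TCP, 80, 0)) ? "allow" : "deny");
    printf("outside -> web server :22 SYN  %s\n", screen(mk(IP4(203,0,113,5), WEB_SERVER, TCP, 22, 0)) ? "allow" : "deny");
    printf("outside -> inside :80 SYN      %s\n", screen(mk(IP4(203,0,113,5), IP4(10,1,2,3), TCP, 80, 0)) ? "allow" : "deny");
    printf("outside -> inside ACK (reply)  %s\n", screen(mk(IP4(203,0,113,5), IP4(10,1,2,3), TCP, 40000, 1)) ? "allow" : "deny");
    printf("DMZ web server -> inside :22   %s\n", screen(mk(WEB_SERVER, IP4(10,1,2,3), TCP, 22, 0)) ? "allow" : "deny");
    return 0;
}
```

Two caveats a practitioner would attach. The ACK-bit rule is the classic stateless way to let replies to outbound connections through, but anyone outside can set the ACK bit on a probe, so such packets do reach internal hosts (this is what ACK scans exploit); a stateful filter that remembers connections opened from inside is the stronger version. And the policy above does not model the bastion host: in the layout the notes describe, authenticated access to internal servers would terminate there rather than be a router rule.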

Intrusion Detection

Intrusion detection systems look either for known signatures of attacks or for anomalous activity. There are several ways to classify them. One is whether they are network-based IDSes (NIDSes) or host-based IDSes (HIDSes). NIDSes watch a network segment -- perhaps a backbone segment of your internal network -- and are more scalable, since one sensor covers many hosts. HIDSes watch activity internal to a host (e.g., system call activity) and can see things that a NIDS cannot, e.g., an authorized user who has logged into a machine over ssh and is trying to exceed his/her authority to gain root; the ssh session is encrypted, so the NIDS sees only ciphertext.
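The following is an added example, not from the lecture: the anomaly-detection side of a HIDS, in the spirit of the classic short-sequence-of-system-calls approach. It learns the set of length-3 windows of system calls that a program issues during benign runs, then counts the windows in a later run that were never seen. The system-call traces are constructed for the example and are not real audit output; the signature-based alternative (matching a known bad pattern directly) is not shown.

```c
/* Added example (not from the lecture): a toy host-based anomaly detector
 * over system-call traces. Traces are constructed, not real audit output. */
#include <stdio.h>
#include <string.h>

#define N 3              /* window length: consecutive system calls compared at a time */
#define MAX_WINDOWS 256
#define KEY_LEN 64

struct profile {
    char   key[MAX_WINDOWS][KEY_LEN];   /* distinct length-N windows seen in training */
    size_t count;
};

/* Constructed traces: two benign runs of a request handler, and one run in
 * which the handler is driven into changing identity and spawning a program. */
static const char *const NORMAL1[] = { "accept", "read", "open", "read", "write", "close", "write", "close" };
static const char *const NORMAL2[] = { "accept", "read", "open", "read", "read", "write", "close", "write", "close" };
static const char *const SUSPECT[] = { "accept", "read", "open", "read", "read", "setuid", "execve", "write" };
#define LEN(a) (sizeof (a) / sizeof (a)[0])

/* Joins trace[i .. i+N-1] into "call|call|call" so windows can be compared as strings. */
static void window_key(const char *const *trace, size_t i, char *out) {
    out[0] = '\0';
    for (size_t k = 0; k < N; k++) {
        strncat(out, trace[i + k], KEY_LEN - strlen(out) - 1);
        if (k + 1 < N) strncat(out, "|", KEY_LEN - strlen(out) - 1);
    }
}

static int profile_has(const struct profile *p, const char *key) {
    for (size_t i = 0; i < p->count; i++)
        if (strcmp(p->key[i], key) == 0) return 1;
    return 0;
}

/* Training: record every distinct window of a benign trace. */
void profile_train(struct profile *p, const char *const *trace, size_t len) {
    char key[KEY_LEN];
    for (size_t i = 0; i + N <= len; i++) {
        window_key(trace, i, key);
        if (!profile_has(p, key) && p->count < MAX_WINDOWS)
            strcpy(p->key[p->count++], key);
    }
}

/* Detection: how many windows of this trace never occurred in training.
 * Zero means the run looks like the benign data; each mismatch is a window
 * the program was never seen to issue, which is what gets reported. */
size_t profile_mismatches(const struct profile *p, const char *const *trace, size_t len) {
    size_t bad = 0;
    char key[KEY_LEN];
    for (size_t i = 0; i + N <= len; i++) {
        window_key(trace, i, key);
        if (!profile_has(p, key)) bad++;
    }
    return bad;
}

static void build_profile(struct profile *p) {
    p->count = 0;
    profile_train(p, NORMAL1, LEN(NORMAL1));
    profile_train(p, NORMAL2, LEN(NORMAL2));
}

size_t trained_window_count(void) { struct profile p; build_profile(&p); return p.count; }
size_t mismatches_normal(void)    { struct profile p; build_profile(&p); return profile_mismatches(&p, NORMAL1, LEN(NORMAL1)); }
size_t mismatches_suspect(void)   { struct profile p; build_profile(&p); return profile_mismatches(&p, SUSPECT, LEN(SUSPECT)); }

int main(void) {
    printf("profile holds %zu distinct windows\n", trained_window_count());
    printf("benign trace:  %zu unseen windows\n", mismatches_normal());
    printf("suspect trace: %zu unseen windows\n", mismatches_suspect());
    return 0;
}
```

The suspect run matches the profile right up to the point where setuid and execve appear, so the three windows containing them are the ones flagged. This is also where the two caveats of anomaly detection show: a benign but previously unseen code path produces the same kind of mismatch (false positives), and an attacker who keeps to call sequences the profile already contains is not seen at all.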

Links

These are links to additional security-related information. Exploring them is optional unless otherwise stated.



bsy+cse127.w03@cs.ucsd.edu, last updated Fri Mar 14 05:39:59 PST 2003. Copyright 2003 Bennet Yee.