University of Toronto School of Continuing Studies...
Transcript of University of Toronto School of Continuing Studies...
Day 3 - Conceptual Overview of E-Business Technologies
• Communication Protocols
• “Thinking Beyond the Box” Case Study Series:
  - Canadian Imperial Bank of Commerce: Digital Employee Privacy
• Network Security and E-Commerce
Communication Protocols for E-Business
• The Open Systems Interconnection (OSI) Model
• Understanding the Internet
• Connection to the Internet
• The Internet Protocol Suite
• Hypertext Transfer Protocol
• Intranet and Extranet
• Virtual Private Network
What is a Protocol?
• Rules of Communication
• Communication consists of small acts
• Protocols formalize the notion of communication
The Open Systems Interconnection (OSI) Model
Good reference: www.ictp.trieste.it/~radionet/1998_school/networking_presentation/index.html
[Figure: OSI Model Layers mapped to the TCP/IP Protocol Architecture Layers and the TCP/IP Protocol Suite]
OSI Model Layers                     TCP/IP Protocol Architecture Layers   TCP/IP Protocol Suite
Application, Presentation, Session   Application Layer                     HTTP, FTP, SMTP, POP3, NTP, PPTP, NNTP
Transport                            Host-to-Host Transport Layer          TCP, UDP
Network                              Internet Layer                        IP, ARP, ICMP, IGMP
Data Link, Physical                  Network Interface Layer               Ethernet, Token Ring, ATM, Frame Relay
Introduction to the Internet
• Data Centric Network
• Separation of Communication and Data Processing between two types of computers
  - Hosts and routers
The Internet Protocol Suite
• Developed independently of OSI
• Can be mapped to the OSI model
• Layer 3, network layer: IP, Internet Protocol
• Layer 4, transport layer: TCP, Transmission Control Protocol
• Layer 7, application layer: FTP, HTTP
Internet Protocol – IP / Domain Name Service - DNS
• Internet addressing (IP)
  - 32-bit Internet address: 10000001 00011111 10000001 00011111 is written as 129.31.129.31
  - Index of all IP addresses in the world: http://www.networkinformation.com/ip/ipindex/
• Domain name addressing (DNS)
  - Domain name servers (DNS) translate between domain names such as www.utoronto.ca and IP addresses
• Different domains: edu, gov, com, mil, net
Transmission Control Protocol - TCP
• Establishes connections between programs on Internet hosts
• Guarantees reliable and in-order delivery
Page 129, E-commerce – Business. Technology. Society. By Kenneth C. Laudon and Carol Guercio Traver
Hypertext Transfer Protocol - HTTP
• Used to transfer Web pages
• URL – Uniform Resource Locator
  - [protocol]://[Web server address]:[port]/[directory]/[file]
  - http://www.utoronto.ca:8080/SCS/Internet/welcome.htm
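The two address forms described on these slides, as an added example that is not part of the course material: converting a 32-bit address written as binary octets to dotted-decimal form (the slide's 129.31.129.31), and breaking a URL into the slide's [protocol]://[Web server address]:[port]/[directory]/[file] template. The default-port table is an assumption added for the case where the URL omits a port.

```python
# Added example (not from the course slides): the two address forms the slides
# describe, a 32-bit IP address written as dotted decimal, and a URL broken into
# the slide's template [protocol]://[Web server address]:[port]/[directory]/[file].
from urllib.parse import urlsplit

def dotted_quad(bits: str) -> str:
    """Convert a 32-bit address written as binary octets to dotted-decimal form.

    Spaces between octets are accepted, as on the slide.
    """
    raw = bits.replace(" ", "")
    if len(raw) != 32 or set(raw) - {"0", "1"}:
        raise ValueError("expected 32 binary digits")
    return ".".join(str(int(raw[i:i + 8], 2)) for i in range(0, 32, 8))

# Assumption: well-known default ports used when the URL does not name one.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}

def split_url(url: str) -> dict:
    """Break a URL into the slide's fields; the port falls back to the protocol default."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    path = parts.path or "/"
    directory, _, file = path.rpartition("/")
    return {
        "protocol": parts.scheme,
        "server": parts.hostname,
        "port": parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme],
        "directory": directory + "/",
        "file": file,
    }

if __name__ == "__main__":
    print(dotted_quad("10000001 00011111 10000001 00011111"))  # 129.31.129.31
    print(split_url("http://www.utoronto.ca:8080/SCS/Internet/welcome.htm"))
```

Using `urlsplit` rather than splitting the string on `:` and `/` matters because the host portion of a URL may also carry user information before an `@`; the library's `hostname` and `port` properties take that into account, so the server name a program acts on is the one the browser would actually connect to.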
Intranet and Extranet
• Intranet
  - High bandwidth, controlled, only for internal employees
• Extranet
  - Low bandwidth, opened to the world
“Thinking Beyond the Box” Case Study Series:
• Canadian Imperial Bank of Commerce: Digital Employee Privacy
  - What are the main arguments for and against installing the Assentor software?
  - Should email be considered any differently from other forms of corporate communication? What does CIBC need?
  - If you, as an employer, discovered through routine monitoring of email that some employees were exchanging sexually inappropriate messages, what would you do?
Network Security and E-Commerce
• Estimate the technical security requirements for a network.
• Evaluate the business impact of security decisions.
• Conduct a security audit of a small network.
• Control access to the computing resources.
• Establish acceptable security solutions.
• Understand how viruses operate and how to protect systems from them.
• Security training for users
Authentication, Encryption, and Digital Payment
• Understand the importance of authentication.
• Understand the various encryption alternatives.
• Differentiate between symmetric and asymmetric encryption.
• Determine how and why encryption is important for e-commerce.
• Understand how security applies to e-mail, the Web, the intranet, and the extranet.
• Understand the core technologies that make a virtual private network work.
• Plan for strategies to fend off security threats.
Internet Frauds
• Top E-Commerce Fraudulent Activities
  - Identity Theft
  - Communication Fraud (e.g. phishing)
  - Credit or Debit Card Fraud
  - Non-Delivery
  - Auction Fraud (items that do not exist, or stolen items)
Reference: FBI’s Internet Fraud Complaint Center Report 2003
Internet Security Requirements
• Secrecy
  - Deals with protecting information from unauthorized disclosure and with authenticating the source of the data.
• Integrity
  - Addresses the validity of data and the guarantee that the data have not been tampered with during transfer.
• Availability
  - Assurance that the site is reachable in a timely manner.
Security Threats
• Access and Distortion of Data by Hackers
• Risks from Viruses
• Unauthorized Access to the System
• Financial Loss to Company or Customers
• Breaches of Personal Privacy
Security Threats (cont.)
Page 258, E-commerce – Business. Technology. Society. By Kenneth C. Laudon and Carol Guercio Traver
Security Policies and Procedures
• What services are required by the business and how can they be met securely?
• How much do employees depend on the Internet and the use of e-mail?
• Do users rely on remote access to the internal network?
• Is access to the Web required?
• Are customers supported through the Web?
Security Policies
• Privacy policy
• Access policy
• Accountability policy
• Authentication policy
• Availability statement
• Violations reporting policy
• Supporting information
Security Policies (continued)
• Security architecture guide
• Incident-response procedures
• Acceptable use procedures
• System administration procedures
• Other management procedures
Security Procedures
• All systems and servers have their own weaknesses.
  - Establish steps to harden the system
    - Limit exposed services/processes
    - Stronger password requirements
  - Follow the security recommendations in the system documentation
  - Follow update/patching warnings
    - From the software publisher
    - From the security community
  - Monitor security mailing lists
    - http://www.CERT.org or http://www.sans.org
Security Procedures (continued)
• Access Control Lists (ACL)
  - Users should have limited access to resources
  - An access control list is a compilation of access control entries
  - Sample Access Control Entries (ACE) may contain:
    - Administrators – Full Control
    - Users (Authenticated) – Read Only
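An added example, not from the course, of how the two sample access control entries on this slide are evaluated for a request. The rights model (what "Full Control" and "Read Only" expand to), the group names, and the treatment of the "Users (Authenticated)" entry as a pseudo-group that applies to any logged-in user are assumptions for illustration.

```python
# Added example (not the course's own code): evaluating an access control list
# built from the two sample entries on the slide. The rights model, group names
# and the "Authenticated Users" pseudo-group are assumptions for illustration.
from dataclasses import dataclass, field

FULL_CONTROL = {"read", "write", "execute", "delete", "change_permissions"}
READ_ONLY = {"read", "execute"}  # assumption: read-only still allows running/listing

@dataclass(frozen=True)
class AccessControlEntry:
    principal: str       # user or group name the entry applies to
    rights: frozenset    # rights granted to that principal

@dataclass
class Principal:
    name: str
    groups: set = field(default_factory=set)
    authenticated: bool = False

def effective_rights(acl: list, who: Principal) -> set:
    """Union of the rights from every ACE that applies to the requester.

    An ACE applies if it names the user, one of the user's groups, or the
    pseudo-group "Authenticated Users" when the user has logged in.
    A requester matching no entry gets no rights: the default is deny.
    """
    granted = set()
    for ace in acl:
        if ace.principal == who.name or ace.principal in who.groups:
            granted |= ace.rights
        elif ace.principal == "Authenticated Users" and who.authenticated:
            granted |= ace.rights
    return granted

def is_allowed(acl: list, who: Principal, right: str) -> bool:
    """True only if some applicable entry grants the requested right."""
    return right in effective_rights(acl, who)

# The slide's two sample entries.
SAMPLE_ACL = [
    AccessControlEntry("Administrators", frozenset(FULL_CONTROL)),
    AccessControlEntry("Authenticated Users", frozenset(READ_ONLY)),
]

if __name__ == "__main__":
    admin = Principal("alice", {"Administrators"}, authenticated=True)
    staff = Principal("bob", {"Sales"}, authenticated=True)
    guest = Principal("anonymous")  # not logged in: matches no entry
    for p in (admin, staff, guest):
        print(p.name, sorted(effective_rights(SAMPLE_ACL, p)))
```

The point worth noticing is the last branch: a requester who matches no entry at all ends up with an empty set, so the unanswered case fails closed rather than open.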
Security Procedures (continued)
• Asset Access Control
• Asset access list recording who is given access, when, and how
Security Procedures (continued)
• Maintain Anti-Virus Software and Definition Files
• Common Types of Viruses
  - File infectors
  - System or boot-record infectors
  - Macro viruses
  - Worms
Security Procedures (continued)
• Backup and Recovery
  - Organizations need to have clear procedures for backup and recovery
    - Onsite / Offsite / Network
  - The organization must enforce these procedures
  - Take advantage of new technologies
    - Compression / Optical storage
  - Clear recovery procedures
  - Backup time over the Internet: http://support.evault.com/bandcalc.htm
Training Users About Security Policies and Procedures
• Information Classification, Handling and Disposal
• System Access
• Virus Prevention
• Backup and Restore
• Software Licenses
• Internet Usage
• Email Usage
• Physical Security of Notebooks and PDAs
Use of Firewalls
• Benefits of a Firewall
  - Service control
  - Monitoring of the direction of transmission
  - User/profile monitoring
  - Usage/behavior monitoring
• Design Goals of a Firewall
  - Traffic control between the Internet and the Intranet
  - Definition of local network security policies
  - Simple implementation
Types of Firewalls
• Packet Filtering Router
• Circuit-Level Gateways
• Application-Level Gateways
  - Proxy Servers
Packet Filtering Router
• Applies a set of rules to all incoming packets
  - Allow forwarding or discarding of packets
• Filtering rules are based on the fields in the header of the packet.
  - Protocol type: TCP / UDP / ICMP / PPTP
  - Port number: e.g. TCP:80 for Web, TCP:25 for Mail
  - Direction: Inbound vs. Outbound
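An added example, not part of the course slides, of a packet-filtering router's rule table matched on exactly the header fields this slide names (protocol type, port number, direction). The rule set and the sample packets are constructed for illustration; first-match ordering and discarding unmatched packets are design choices made here, not something the slide specifies.

```python
# Added example (not from the slides): a packet-filtering router's rule table,
# matched on the header fields the slide names (protocol, port, direction).
# The rules and sample packets below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    protocol: str                   # "TCP", "UDP", "ICMP", "PPTP"
    direction: str                  # "inbound" or "outbound"
    dst_port: Optional[int] = None  # None for protocols without ports (ICMP)

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "discard"
    protocol: Optional[str] = None   # None matches any protocol
    direction: Optional[str] = None  # None matches either direction
    dst_port: Optional[int] = None   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        """A field set to None is a wildcard; every other field must equal the packet's."""
        return ((self.protocol is None or self.protocol == pkt.protocol)
                and (self.direction is None or self.direction == pkt.direction)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))

def filter_packet(rules: list, pkt: Packet) -> str:
    """First matching rule wins; a packet matching no rule is discarded."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "discard"

# Constructed rule set for a Web and mail server sitting behind the router.
RULES = [
    Rule("allow", protocol="TCP", direction="inbound", dst_port=80),   # Web (slide: TCP:80)
    Rule("allow", protocol="TCP", direction="inbound", dst_port=25),   # Mail (slide: TCP:25)
    Rule("discard", protocol="ICMP", direction="inbound"),             # no inbound ICMP
    Rule("allow", direction="outbound"),                               # anything leaving
]

if __name__ == "__main__":
    samples = [
        Packet("TCP", "inbound", 80),
        Packet("TCP", "inbound", 23),   # not listed: falls through to discard
        Packet("ICMP", "inbound"),
        Packet("UDP", "outbound", 53),
    ]
    for p in samples:
        print(p, "->", filter_packet(RULES, p))
```

Because evaluation stops at the first match, rule order is part of the policy: moving the outbound wildcard above the inbound rules would not change these results, but placing a broad allow before a narrow discard would silently disable the discard.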
Circuit-Level Gateways
• Establishes connections between users on the outside and users on the inside.
• No direct end-to-end links, only TCP redirection.
• Does not provide network-layer services.
  - e.g. SOCKS software
Application-Level Gateways
• Establishes connections at the application level
  - e.g. HTTP for Web, FTP for file download, SMTP for mail
• Stricter security than packet filtering.
• Proxy servers are considered application-level gateways.
• Proxy servers also act as cache servers to enhance performance.
Page 283, E-commerce – Business. Technology. Society. By Kenneth C. Laudon and Carol Guercio Traver
Security Audit
• Security audits involve:
  - Top-down interviews
  - Identification of deviations from existing policies.
    - May involve trial break-in exercises or a remote scan to look for network vulnerabilities
  - Analysis using a proven security practices methodology (SPM)
  - Summary and recommendations for any non-compliances
• Many companies outsource audits.
  - Based on costs
  - Based on skills
Security from More Perspectives …
• Organizational Level
  - After all, what do we actually want to implement?
  - What vendors or products do we use?
  - How do we measure success?
Security from More Perspectives … (continued)
• End-User Level
  - Caching
  - Cookies: small files that track data such as Web site preferences and passwords for repeat visits. Spyware gathers and spreads this information without the user's knowledge.
  - Spyware: an application that secretly gathers information about your computing habits and may send the data to unknown sites.
  - Adware: an application that generates pop-up advertisement windows and banners, randomly or based on the current browser content.
  - Phishing
Security from More Perspectives … (continued)
• More Threats…
  - Distributed Denial of Service Attacks (DDoS)
  - Other misuse of information from your site
Directory Service
• Definition
  - A network service that identifies all resources on a network and makes them accessible to users and applications.
• Standards
  - X.500 is an ISO and ITU standard that defines how global directories should be structured. X.500 directories are hierarchical.
  - LDAP – Lightweight Directory Access Protocol provides secure query access to a directory so that programs can authenticate user access based on information stored in the directory.
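An added example, not from the course, of the query side of what this slide describes: a program looking up a user's directory entry before authenticating them. The search filter is built with the user-supplied login escaped as RFC 4515 requires, so characters such as parentheses and asterisks are treated as part of the value rather than as filter syntax. The attribute names (`objectClass=person`, `uid`) are assumptions; real directories vary.

```python
# Added example (not from the slides): building the LDAP search filter a program
# uses to find a user's entry before authenticating them. The value supplied by
# the user is escaped per RFC 4515. Attribute names are assumptions.

# Characters RFC 4515 requires to be escaped inside an assertion value,
# each replaced by a backslash and the two-digit hex code of the character.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value.

    Each character is mapped independently, so the backslash introduced by one
    escape is never re-escaped by another.
    """
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def user_search_filter(login: str) -> str:
    """Filter matching the person entry whose uid equals the given login.

    'uid' and 'objectClass=person' are assumed attribute conventions.
    """
    return f"(&(objectClass=person)(uid={escape_filter_value(login)}))"

if __name__ == "__main__":
    print(user_search_filter("jsmith"))
    # A value containing filter metacharacters is still matched literally:
    print(user_search_filter("Smith (Sales)*"))
```

The directory then answers the query with the stored entry, and the program can bind with the returned distinguished name and the supplied password; the escaping matters because the filter is the one place where data typed by a user is spliced into protocol syntax.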
Directory Services Vendors
• A number of solutions are based on the Lightweight Directory Access Protocol (LDAP)
  - Microsoft Active Directory Service (free with Windows Server software)
  - NOVELL: NDS eDirectory Version 8.X
  - CP: Injoin Directory Server v3.X
  - NETSCAPE: iPlanet Directory Server 4.11
  - ORACLE: Oracle Internet Directory 2.X