Structure
7.1 Introduction
Objectives
7.2 Intranet and Extranet Security: Threats and Protection
7.3 Protection Methods
7.4 Data and Message Security
7.5 Firewalls
7.6 Summary
7.7 Glossary
7.8 Terminal Questions
7.9 Answers
References
7.1 Introduction
In the earlier units, you learnt that a considerable volume of business today is
conducted over public networks. Large volumes of confidential data, such as
credit card details, financial records and other important information, are
exchanged in the process. So, security and confidentiality must be ensured before
businesses can conduct financial transactions over the Internet.
At a time when e-commerce is growing at a fast pace, the lack of data
security on the Internet has become a complex issue. Hence, e-security has
become a major concern. In this unit, you will learn about security threats,
client-server security, message and data security, network security and Web
security.
Objectives
After studying this unit, you should be able to:
Assess the security concerns of intranets and extranets
Differentiate between the various security problems in a client-server
environment
Compare the two broad categories of client-server security threats
Evaluate the various protection methods adopted by organizations
State how data and message security is ensured over the Net
Summarize the components, types and limitations of firewalls
E-Commerce
Unit 7
[Figure: an extranet connecting employees, contractors, suppliers and customers (customer Web site, branch office, mobile workers) to the corporate intranet (HR/finance, manufacturing and engineering servers) through trusted services, trusted transactions and trusted identification and authentication; hackers are shown at the network boundaries]
Type of Attack                    Average Loss
[type missing from source]           1,363,915
[type missing from source]           1,307,146
Financial Fraud                        656,927
Telecom Fraud                          595,766
[type missing from source]             164,817
Spoofing                               128,000
[type missing from source]             110,944
Telecom Eavesdropping                   96,833
Denial of Service                       77,417
Virus                                   65,997
Active Wiretapping                      49,000
[type missing from source]              38,744
Laptop Theft                            35,348
Average Loss                           215,753
Self-Assessment Questions
1. State whether the following statements are true or false.
(a) Intranets and extranets are more economical than WANs.
(b) It is impossible to intercept data over the network using TCP/IP.
(c) A Trojan horse will perform only the desired task.
Sikkim Manipal University
Self-Assessment Questions
3. State whether the following statements are true or false.
(a) In a trust-based security, all users working in a network can share
information.
(b) Biometric systems are cheap.
4. Fill in the blanks with the appropriate word.
(a) The simplest method adopted by password hackers is ______.
(b) Biometric systems involve some identification aspects related to the ______.
user number of the person logging into other machines. This is the information
a sniffer needs to log in to a machine.
Message security
Threats to message security fall into three categories:
Confidentiality
Integrity
Authentication
(a) Message confidentiality
Message confidentiality means that when a message passes between the client
and the server over a public network, third parties cannot view or intercept its
contents. Confidentiality is important for user-sensitive data such as credit card
numbers. This requirement is amplified when other kinds of data, such as
employee records, government files and social security numbers, begin traversing
the Net.
(b) Message integrity
The contents of a transaction must remain unmodified during transit. It must be
clear that no one has added, deleted or modified any part of the message. Error
detection codes or checksums, sequence numbers and cryptographic techniques
are methods of enhancing information integrity. Sequence numbers guard against
an attacker recording, dropping or replaying messages. Cryptographic techniques,
such as digital signatures, can detect any modification of a message.
(c) Message sender authentication
In an e-commerce environment, it is important that clients authenticate
themselves to servers, that servers authenticate themselves to clients, and that
both authenticate themselves to each other. Authentication in e-commerce
basically requires the user to prove his or her identity for each requested service.
Third-party authentication services must exist within a distributed network
environment, where a sender cannot be trusted to identify itself correctly to a
receiver. A digital certificate is used for this (authentication) purpose.
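The integrity and authentication points above, as an added example that is not part of the original unit: a frame protected only by a checksum is compared with one protected by a keyed tag (HMAC-SHA256) over the sequence number and payload, and a receiver that rejects modified and replayed frames. The shared key is a constructed value.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed shared secret for this example; a real deployment derives it from a key exchange.
KEY = b"example-shared-secret"

def checksum_frame(seq: int, payload: bytes) -> bytes:
    """Frame protected only by a CRC32 checksum: it detects accidental corruption,
    but anyone who alters the payload can simply recompute the checksum."""
    body = struct.pack(">I", seq) + payload
    return body + struct.pack(">I", zlib.crc32(body))

def checksum_ok(frame: bytes) -> bool:
    body, crc = frame[:-4], struct.unpack(">I", frame[-4:])[0]
    return zlib.crc32(body) == crc

def tampered_checksum_frame(frame: bytes, new_payload: bytes) -> bytes:
    """Why a checksum is not integrity protection: a changed payload with a fresh
    checksum passes checksum_ok just like the original."""
    seq = struct.unpack(">I", frame[:4])[0]
    return checksum_frame(seq, new_payload)

def mac_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame protected by HMAC-SHA256 over (sequence number || payload); without
    the key nobody can produce a valid tag for a modified body."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Checks the tag first, then enforces strictly increasing sequence numbers,
    so modified, replayed and out-of-order frames are all rejected."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes):
        body, tag = frame[:-32], frame[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None            # modified in transit or not from the key holder
        seq = struct.unpack(">I", body[:4])[0]
        if seq <= self.last_seq:
            return None            # replay (or reordering) detected
        self.last_seq = seq
        return body[4:]            # payload accepted
```

A digital signature gives the same modification detection with a public/private key pair instead of a shared secret, and additionally lets a third party verify who sent the message.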
7.5 Firewalls
One of the most common security measures in use today is the firewall. A
firewall is meant to act as a defence mechanism. It prevents unauthorized people
[Figure: a firewall placed between the Internet (40,000 networks; number of hackers unknown) and the enterprise LAN or WAN; firewall bypass should not be allowed]
Importance of a firewall
A firewall can monitor incoming and outgoing security alerts and record
and track down an intrusion attempt depending on the severity.
Some firewalls, but not all, can delete viruses, worms, Trojan horses or
data collectors.
A firewall can also be used to prevent employees from accessing selected
sites on the WWW.
in the TCP/IP packet header. The filters can be configured to accept or discard
a packet on the basis of the following information given in the packet header:
Source address
Destination address
Application or protocol
Source port number
Destination port number
This router stores a table containing rules specified for security purposes.
While examining a packet header, the firewall compares the information in it
with the rules stored in the access control table (these rules are the parameters
for blocking a packet or allowing it to pass through the router). If the information
in the packet header does not match any of the specified rules, the firewall
applies the default rule.
Now, what is a default rule? The default rule generally follows either the
allow-all or the deny-all model. For strict security, the firewall's default rule
should be the deny-all model, which most packet filters actually follow. (See
Figure 4.8.)
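The rule-table lookup just described, as an added example that is not part of the original unit: rules match on the five header fields listed above, the first matching rule decides, and a packet that matches nothing falls through to the default rule. The rule table and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
@dataclass(frozen=True)
class Packet:                       # the header fields a packet filter examines
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:                         # one row of the access control table
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # a /0 network matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # None matches any protocol or port
    sport: Optional[int] = None
    dport: Optional[int] = None
    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

class PacketFilter:
    """First matching rule wins; a packet matching no rule gets the default rule."""
    def __init__(self, rules, default: str = "deny"):
        self.rules = list(rules)
        self.default = default

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return self.default

# Constructed rule table; all addresses are RFC 5737 documentation ranges.
RULES = [
    Rule("deny", src="203.0.113.66/32"),                        # one blocked external host
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=80),  # public web server
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),
    Rule("allow", src="198.51.100.0/24", dst="192.0.2.0/24", proto="tcp", dport=22),  # branch admin
]
DENY_ALL = PacketFilter(RULES, default="deny")    # the model strict security calls for
ALLOW_ALL = PacketFilter(RULES, default="allow")  # same table, permissive default
def compare(p: Packet) -> tuple:   # decision under both default models
    return DENY_ALL.decide(p), ALLOW_ALL.decide(p)
```

The two filters agree on every packet some rule covers; only for unmatched packets (for instance SSH from an unknown host, or UDP to the web server) does the allow-all default let traffic through that deny-all drops.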
[Figure 4.8: packet-filtering firewall; only the label "Public Internet" survives from the figure]
Disadvantages
Packet filters cannot support user authentication or blocking based on
content at the application level.
For complex protocols that specify return data ports dynamically, writing
the filtering rules becomes difficult and complex.
The creation of packet-filtering rules can become tedious when the rules
must cover all the permutations and combinations of packet attributes.
[Figure: a proxy server on the firewall machine connects clients inside the firewall to the external Internet's Web (HTTP), FTP, Gopher, Telnet and USENET news servers]
Self-Assessment Questions
5. State whether the following statements are true or false.
(a) A sniffer program attacks the network traffic, telnet or FTP session
that a legitimate user initiates to gain access to another system.
to frequent the Net without the assistance of a firewall. You will probably have to
do some trial and error before you find the firewall best suited to your needs.
Self-Assessment Questions
7. State whether the following statements are true or false.
(a) A firewall prevents unauthorized people from gaining access to
sensitive data.
(b) All firewalls can delete worms and viruses.
(c) The firewall must be easy to install, run and use.
8. Fill in the blanks with the appropriate word.
(a) Firewall ______ consists of a separate computer dedicated to running
the firewall software functions.
(b) A firewall cannot offer protection against those threats that ______.
(c) A firewall cannot protect well against ______.
7.6 Summary
Let us recapitulate the important concepts discussed in this unit:
Security threats refer to circumstances or occasions that result in the
destruction, disclosure or modification of data, thereby causing economic
harm to network resources.
Client-server security threats can be divided into two broad
categories: threats to the client and threats to the server.
Threats to clients arise from viruses, worms and Trojan horses.
To take care of this, a security threat solution is essential which can
transparently and automatically control access to corporate intranets or
extranets.
Some of the popular methods adopted by organizations to reduce security
threats include trust-based security, security through obscurity, password
schemes and biometric systems.
Firewalls are important to control and monitor traffic between the outside
world and a local network. A firewall places a device, a computer or a
router between the Internet and the network.
7.7 Glossary
Security threat: A circumstance, condition or event that causes
economic loss to data or network resources in the form of destruction,
disclosure or modification of data, denial of service, fraud or waste
Client-server security: Ensures that only authorized users access the
information; includes such mechanisms as password protection,
encrypted smart cards, biometrics and firewalls
Biometric system: Involves some identification aspects that are related to
the human body, such as fingerprints, palm prints and voice recognition
Virus: A code segment that replicates by attaching copies of itself to
existing executable files
Trojan horse: A program that performs a desired task but also includes
unexpected functions
Worm: A self-replicating program that is self-contained and does not
require any host program
Firewall: A barrier between two networks; it separates an internal network,
often called the trusted network, from an external network, called the
untrusted network
7.9 Answers
Answers to Self-Assessment Questions
1. (a) True; (b) False; (c) False
2. (a) authorized; (b) virus; (c) worm
3. (a) True; (b) False
4. (a) dictionary comparison; (b) human body
5. (a) True; (b) True
6. (a) packet sniffing; (b) Sequence numbers
7. (a) True; (b) False; (c) True
8. (a) hardware; (b) do not pass through it; (c) viruses