
Emerging Topics Related to Enterprise Integration


Presentation Transcript


  1. Emerging Topics Related to Enterprise Integration IST 421 Spring 2004 Lecture 12

  2. Security • In 1996, Dan Farmer, a security consultant, used a tool known as SATAN to check the security of a number of Internet sites • 2,200 sites were examined • 65% were vulnerable to attack • The sites belonged to banks, insurance companies, credit card companies and government departments

  3. Security • Reasons why the Internet is insecure compared with closed networks: • Internet protocols are public; intruders know more about the Internet than they could learn about a proprietary network • The Internet is pervasive • Web servers are extensible: they are connected to all types of technologies

  4. Security • The Internet developed at huge speed; little thought was given to security • Browsers originally had very little functionality • Demand for more functionality resulted in plug-ins, which had serious security flaws

  5. Security • A myth about computer security is that intrusions are carried out only by software experts • Forms of attack: • Integrity threats: the intruder modifies stored data or data in transit • Confidentiality threats: reading sensitive stored data such as credit card details • Denial of service threats: flooding a Web server with transactions

  6. Security • Authentication threats: the intruder impersonates a legitimate user, such as a B2B system user making large financial transactions

  7. Examples of Attacks • Non-technical attacks • Guessing someone’s password • Stealing a password • Destructive devices • E-mail bomb • Viruses

  8. Examples of Attacks • Scanners – programs which detect security weaknesses • Security Administrator's Tool for Analyzing Networks (SATAN) • It detected a weakness and provided an authoritative tutorial on that weakness • Was developed for the UNIX operating system

  9. Examples of Attacks • Password crackers – programs that attempt to recover a user's password, or many of the passwords stored on a computer at once • Originally developed to help administrators find weak passwords on their own systems
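An added example (not code from the lecture) of what a password cracker actually does to a stolen credential file, and why the administrator's side of the same tool matters. Both the wordlist and the "stolen" records are constructed here; `fast_hash` stands for the weak scheme (one unsalted hash per password) and `slow_hash` for a salted, iterated one.

```python
"""Dictionary attack against stolen password hashes (added example).

The weak scheme hashes each password once with no salt, so one table of
candidate hashes cracks every user at once. Salting and iterating the hash
forces per-user, per-guess work instead.
"""
import hashlib
import hmac
import os

# Constructed wordlist: the kind of short list a cracker starts with.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Spring2004", "dragon"]


def fast_hash(password: str) -> str:
    """Weak scheme: a single unsalted SHA-256. Equal passwords -> equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_fast_hashes(stolen: dict, wordlist: list) -> dict:
    """Hash every candidate once, then look every user's hash up in that table.
    Returns {user: recovered_password} for the users that were cracked."""
    table = {fast_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in stolen.items() if h in table}


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stronger scheme: PBKDF2-HMAC-SHA256 with a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str) -> tuple:
    """What the server stores: (salt, digest). Two users with the same password
    get different digests because their salts differ."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


def crack_slow_hashes(stolen: dict, wordlist: list) -> tuple:
    """Same dictionary attack against salted records. No shared table is
    possible, so the cost is (users x candidates x iterations) hash calls.
    Returns ({user: password}, number_of_guesses_made)."""
    found, guesses = {}, 0
    for user, (salt, digest) in stolen.items():
        for candidate in wordlist:
            guesses += 1
            if hmac.compare_digest(slow_hash(candidate, salt), digest):
                found[user] = candidate
                break
    return found, guesses


if __name__ == "__main__":
    weak = {"alice": fast_hash("letmein"), "bob": fast_hash("letmein")}
    print("unsalted:", crack_fast_hashes(weak, WORDLIST))
    strong = {"alice": make_record("letmein"), "bob": make_record("letmein")}
    print("salted  :", crack_slow_hashes(strong, WORDLIST))
```

Run as an administrator's audit, the same loop tells you which of your own users chose a wordlist password; the difference between the two schemes is only how expensive that audit (and the attacker's copy of it) becomes.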

  10. Examples of Attacks • Sniffers – read the packets of data that travel around a network • Designed to find efficiencies and inefficiencies in a network, i.e., bottlenecks • Also used to siphon off sensitive data • Trojan horses – code which looks legitimate but attempts to do something the user does not expect • Very difficult to detect • Example: a shareware program which allows several uses, then destroys many of the user's files

  11. Examples of Attacks • Spoofing – the intruder uses a computer to masquerade as another, trusted computer in order to carry out operations • IP spoofing: forging the source address of packets

  12. Security • Security is often an afterthought in the implementation of a new technology • Security needs to be built in from the ground up • Security must be considered • whenever information is sent to or received from enterprise-wide systems, • when interfaces to systems are built, • and when middleware is being implemented

  13. Security • In most cases B2B application integration security will be built on top of an existing security infrastructure • Top Secret, RACF, or others • In addition to integrating the applications, B2B application integration needs to integrate their security systems

  14. Security • Five fundamental requirements of a secure transaction: • Privacy: How do you ensure that the information you transmit over the Internet has not been captured without your knowledge? • Integrity: How do you ensure that the information you send or receive has not been compromised or altered?

  15. Security • Authentication: How do the sender and receiver of a message prove their identities to each other? • Authorization: How do we ensure that users can access certain necessary resources, while valuable information is protected? • Nonrepudiation: How do you legally prove that a message was sent or received?

  16. Cryptography • First recorded in ancient Egypt • The two classical methods were: • substitution ciphers – every occurrence of a given letter is replaced by a different letter • Caesar cipher • and transposition ciphers – the letters are kept but their order is rearranged
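The two classical methods as working code, an added example rather than material from the lecture: a Caesar shift (substitution) and a columnar transposition keyed by a word, plus the two checks that break them. The transposition here strips spaces and upper-cases its input, which is an assumption of this example, not a property of the cipher.

```python
"""Substitution vs. transposition (added example).

Caesar: replace each letter by the one `shift` places along the alphabet.
Columnar transposition: write the text in rows under a keyword and read the
columns out in alphabetical order of the keyword letters.
"""
import string
from collections import Counter

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Substitution cipher. Non-letters pass through unchanged."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_brute_force(ciphertext: str) -> list:
    """Only 25 non-trivial keys exist, so an attacker simply tries them all
    and picks the readable one. Returns [(key, candidate_plaintext), ...]."""
    return [(k, caesar(ciphertext, -k)) for k in range(1, 26)]


def _column_order(key: str) -> list:
    # Columns are read in sorted order of the key letters; ties keep position.
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def columnar_encrypt(text: str, key: str) -> str:
    """Transposition cipher: same letters, different order."""
    text = text.upper().replace(" ", "")
    width = len(key)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[c] for c in _column_order(key) for row in rows if c < len(row))


def columnar_decrypt(ciphertext: str, key: str) -> str:
    width = len(key)
    full_rows, extra = divmod(len(ciphertext), width)
    cols, pos = {}, 0
    for c in _column_order(key):
        height = full_rows + (1 if c < extra else 0)   # short last row
        cols[c] = ciphertext[pos:pos + height]
        pos += height
    out = []
    for r in range(full_rows + (1 if extra else 0)):
        for c in range(width):
            if r < len(cols[c]):
                out.append(cols[c][r])
    return "".join(out)


def letter_frequencies(text: str) -> Counter:
    """Transposition leaves the letter histogram untouched, which is how an
    analyst tells the two families apart; substitution only shifts it."""
    return Counter(ch for ch in text.upper() if ch in ALPHABET)


if __name__ == "__main__":
    ct = caesar("ATTACK AT DAWN", 3)
    print(ct, caesar_brute_force(ct)[2])
    ct2 = columnar_encrypt("ATTACK AT DAWN", "ZEBRA")
    print(ct2, columnar_decrypt(ct2, "ZEBRA"))
```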

  17. Cryptography • Symmetric key cryptography • The sender encrypts the data using an algorithm which depends on a key • The encrypted data is sent over an insecure medium such as the Internet • The key is conveyed to the recipient by some secure method • The recipient receives the key and decrypts the message

  18. Cryptography • Public key cryptography • Does not require the use of the same key to encrypt and decrypt • Uses two keys, a public key and a private key • One key is held securely, while the other is distributed • Keys must be generated in pairs, and it must be computationally infeasible to obtain one key from the other key alone

  19. Cryptography • Information encrypted with one key can be decrypted only by the other key of the pair • Originally proposed in 1976 by Whitfield Diffie and Martin Hellman
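Slides 17 to 19 in code, as an added example that is not part of the lecture. The symmetric half is a keystream cipher with an HMAC tag (an assumed construction chosen so the example needs only the standard library; production code uses AES-GCM or ChaCha20-Poly1305). The public-key half is unpadded "textbook" RSA on two fixed, well-known Mersenne primes so that the encrypt-with-one-key, decrypt-with-the-other property is visible; it is not safe to reuse. The hybrid functions show how public-key cryptography solves slide 17's key-delivery problem.

```python
"""Symmetric key, public key, and the hybrid of the two (added example)."""
import hashlib
import hmac
import os
from math import gcd, isqrt

# ---- symmetric (slide 17): both sides hold the same secret key ---------------
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = SHA-256(key || nonce || i). Assumed
    construction for illustration only."""
    out, i = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:length]


def sym_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)   # fresh per message: a reused keystream leaks plaintext
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()   # integrity (slide 14)
    return nonce + ct + tag


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("message altered in transit")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


# ---- public key (slides 18-19): a pair, nothing shared in advance ------------
def rsa_keypair(p: int, q: int, e: int = 65537) -> tuple:
    """Returns (public, private) = ((n, e), (n, d)). d needs phi(n), i.e. the
    factors of n, which is exactly what the public key does not reveal."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))


def rsa_apply(key: tuple, m: int) -> int:
    """Encrypt/decrypt and sign/verify are the same modular exponentiation,
    just with the other exponent of the pair."""
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)


# Fixed primes (2^521-1 and 2^127-1 are known Mersenne primes) for a repeatable demo.
PUB, PRIV = rsa_keypair(2**521 - 1, 2**127 - 1)


def send_hybrid(pub: tuple, message: bytes) -> tuple:
    """Sender: random session key for the bulk data, RSA-wrap only that key."""
    session_key = os.urandom(32)
    wrapped = rsa_apply(pub, int.from_bytes(session_key, "big"))
    return wrapped, sym_encrypt(session_key, message)


def receive_hybrid(priv: tuple, wrapped: int, blob: bytes) -> bytes:
    session_key = rsa_apply(priv, wrapped).to_bytes(32, "big")
    return sym_decrypt(session_key, blob)


def sign(priv: tuple, message: bytes) -> int:
    """Private key on the hash: anyone with the public key can verify (nonrepudiation)."""
    return rsa_apply(priv, int.from_bytes(hashlib.sha256(message).digest(), "big"))


def verify(pub: tuple, message: bytes, sig: int) -> bool:
    return rsa_apply(pub, sig) == int.from_bytes(hashlib.sha256(message).digest(), "big")


def factor_toy_modulus(n: int) -> tuple:
    """Why 'infeasible' matters: trial division recovers the private key from a
    toy modulus instantly; for a 2048-bit n there is no known feasible method."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


if __name__ == "__main__":
    msg = b"transfer 1,000,000 to account 42"
    wrapped, blob = send_hybrid(PUB, msg)
    print(receive_hybrid(PRIV, wrapped, blob), verify(PUB, msg, sign(PRIV, msg)))
```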

  20. Techniques and Tools • Logging tools – monitor the use of a computer and log events that occur to a secure file • User mistyping a password several times • Virus scanners • Network topology techniques • Firewall • Security checking software
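The "logging tool" of slide 20 as detection logic, added here as an example and not taken from the lecture. The sshd-style log lines are constructed, the syslog layout and year are assumed, and the rule is a sliding window per source address: a source that produces `threshold` failed logins within `window` is flagged, as is a success that follows failures from the same source.

```python
"""Flag repeated failed logins from a log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; format assumed: "Mon DD HH:MM:SS host sshd[pid]: msg".
SAMPLE_LOG = """\
Mar 12 09:14:01 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 4410 ssh2
Mar 12 09:14:03 gw sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2
Mar 12 09:14:05 gw sshd[2211]: Failed password for root from 203.0.113.7 port 4412 ssh2
Mar 12 09:14:08 gw sshd[2211]: Failed password for root from 203.0.113.7 port 4413 ssh2
Mar 12 09:14:10 gw sshd[2211]: Failed password for root from 203.0.113.7 port 4414 ssh2
Mar 12 09:15:30 gw sshd[2290]: Failed password for jsmith from 198.51.100.20 port 5500 ssh2
Mar 12 09:15:41 gw sshd[2290]: Accepted password for jsmith from 198.51.100.20 port 5500 ssh2
Mar 12 09:16:00 gw cron[77]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 11:40:00 gw sshd[3001]: Failed password for root from 192.0.2.9 port 6000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(line: str, year: int = 2004):
    """Return (timestamp, result, user, source) or None for non-auth lines.
    Syslog lines carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> tuple:
    """Sliding window of failure timestamps per source address.
    Returns (alerts, failures): alerts is a list of (time, source, reason),
    failures maps each source to its total failed-login count."""
    recent = defaultdict(deque)
    failures = defaultdict(int)
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ts, result, user, src = ev
        if result == "Accepted":
            if failures[src]:   # success after failures: worth a second look
                alerts.append((ts, src, f"login for {user} after {failures[src]} failure(s)"))
            continue
        failures[src] += 1
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((ts, src, f"{len(q)} failed logins within {window}"))
    return alerts, dict(failures)


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG)[0]:
        print(*alert)
```

The single failure from 192.0.2.9 never trips the rule; one wrong password is normal, five in ten seconds from one address is not. Tune `threshold` and `window` to the service: what is noise on a public SSH port is an alert on a B2B gateway.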

  21. Ubiquitous and Mobile Computing

  22. Mobile Computing • A main driver behind the evolution of the Internet is mobile computing • Cellular phones • Small, lightweight computers • Has given rise to the term m-commerce • e-commerce activities which are carried out on the move

  23. Mobile Computing • Problems with mobile computing: • Mobile devices are less powerful than the computers found in offices; this limits the amount of client code that can be embedded in them • Bandwidth can be a problem depending on the location of use

  24. Mobile Computing • Reliability is a concern; connections are subject to interruptions in service, which can cause problems for the application • Mobile applications have less continuous interaction with the network

  25. Mobile Computing • Non-system problems with mobile computing: • Survey conducted by International Data Corporation (2000): 9% of mobile phone users accessed the Internet with their cell phone • 6% of net users had access to a wireless device • In the U.S. the mobile phone pricing structure differs from that found in Europe: the user pays for both outbound and inbound communication

  26. Mobile Computing • The U.S. wireless telecommunications industry lags behind that in Europe • Land-based telephony has been very reliable • U.S. wireless coverage is poor • Lack of development of wireless technology and standards • The U.S. will lag behind Europe and Japan in the development of ubiquitous computing

  27. Applications of Mobile Computing • Active badges • The badge has a microprocessor in it • Used to track staff within a building or campus • The badge emits a 48-bit code which is transmitted as an infrared signal to sensors in the building • Sensor readings are stored in a database of badge wearers • Can also be used to tag valuable equipment, tripping an alarm if it is moved

  28. Applications of Mobile Computing • Visiting Nurse Service of New York • Hand-held computer used on patient home visits • Data is gathered and sent to a hospital server via a mobile phone link • Problems have included poor battery performance and interruptions in service in some locations

  29. Applications of Mobile Computing • Tracking cows in Britain • After the BSE outbreak in the 1990s, health offices now require farmers to report cow births, deaths, and import or export information • The normal procedure is to record the information on a postcard • Using a mobile phone, the farmer fills in a form with the details and sends it to a government database

  30. Applications of Mobile Computing • Tracking stolen cars • Patrol cars can now be equipped with a computer which accesses law enforcement databases • The officer enters a car registration number and is presented with information on the vehicle registration, the driver's license, and whether the car is stolen • Radio modems transmit the messages with a high degree of security

  31. Mobile System Aspects

  32. Mobile System Aspects • Special protocols • A protocol mediates between the protocols used by mobile phones and the IP protocol used on the Internet • Wireless Application Protocol (WAP) uses Wireless Markup Language (WML) • i-mode is a popular Japanese wireless Internet service using cHTML (compact HTML) • Sun J2ME (Java 2 Micro Edition) uses MIDP (Mobile Information Device Profile) as its API

  33. Markup Languages • Wireless Markup Language (WML) is similar to HTML • A number of tags to display visual elements • Defined as an XML application • Defines the content of screens, known as cards • Less sophisticated than HTML because of the limited content that device screens can show

  34. Markup Languages • WML: • Facilities for defining a screen or card and a set of screens (a deck) • Facilities for defining actions to be taken when an event occurs • Facilities for carrying out tasks such as refreshing a screen • Facilities for displaying and processing user input

  35. Markup Languages • WML: • Facilities for hyperlinking • Facilities for displaying images • Facilities for text formatting

  36. <?xml version = "1.0"?>
      <!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.2//EN"
        "http://www.wapforum.org/DTD/wml12.dtd">
      <!-- Fig. 26.5 : index.wml -->
      <!-- tip test start screen -->
      <wml>
        <card id = "index" title = "Tip Test">
          <do type = "accept" label = "Enter">
            <go href = "WAP/info.wml"/>
          </do>
          <p>
            eLearning Programming Tips
          </p>
        </card>
      </wml>
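A small reader for the deck above, added as an example (not code from the lecture or from any WAP toolkit), using only the standard library. It returns each card with its id, title and the event/task bindings made with `<do>`, which makes the deck, card, event and task facilities of slides 33 to 35 concrete. The deck string is the lecture's own index.wml; the `read_deck` function and its output shape are this example's.

```python
"""List the cards, events and navigation targets of a WML deck (added example)."""
import xml.etree.ElementTree as ET

# The deck from slide 36, reproduced as a string.
DECK = """<?xml version="1.0"?>
<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.2//EN"
  "http://www.wapforum.org/DTD/wml12.dtd">
<wml>
  <card id="index" title="Tip Test">
    <do type="accept" label="Enter">
      <go href="WAP/info.wml"/>
    </do>
    <p>eLearning Programming Tips</p>
  </card>
</wml>
"""


def read_deck(wml_text: str) -> list:
    """Return one dict per card: {"id", "title", "actions"} where actions is a
    list of (event type, task element, href-or-None) bound through <do>.

    expat only records the DOCTYPE; it does not fetch the external DTD, so
    parsing stays offline and pulls in no remote content."""
    root = ET.fromstring(wml_text)
    if root.tag != "wml":
        raise ValueError(f"not a WML deck: root element is <{root.tag}>")
    cards = []
    for card in root.findall("card"):
        actions = []
        for do in card.findall("do"):
            for task in do:                      # go, prev, refresh or noop
                actions.append((do.get("type"), task.tag, task.get("href")))
        cards.append({"id": card.get("id"), "title": card.get("title"),
                      "actions": actions})
    return cards


def navigation_targets(wml_text: str) -> list:
    """Every href a <go> task can send the device to, in document order.
    Handy for checking where a deck links before serving it."""
    return [href for card in read_deck(wml_text)
            for _, task, href in card["actions"] if task == "go" and href]


if __name__ == "__main__":
    for card in read_deck(DECK):
        print(card)
    print(navigation_targets(DECK))
```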

  37. Openwave UP simulator • Sun Mobility Systems
