Emerging Topics Related to Enterprise Integration IST 421 Spring 2004 Lecture 12
Security
• In 1996 Dan Farmer, a security consultant, used a tool known as SATAN to check the security of a number of Internet sites
• 2200 sites examined
• 65% were vulnerable to attack
• Sites belonged to banks, insurance companies, credit card companies and government departments
Security
• Reasons why the Internet is insecure compared with other, closed networks:
  • Internet protocols are public; intruders know more about the Internet than about a proprietary network
  • The Internet is pervasive
  • Web servers are extensible: they are connected to all types of technologies
Security
• The speed of development of the Internet has been huge; little thought was given to security aspects
• Browsers originally had very little functionality
• Demand for increased functionality resulted in plug-ins which had serious security flaws
Security
• A myth about computer security is that intrusions are carried out by software experts
• Forms of attack:
  • Integrity threats: intruder modifies stored data or data in transit
  • Confidentiality threats: reading important stored data such as credit card details
  • Denial of service threats: flooding a Web server with transactions
Security
  • Authentication threats: intruder impersonates a legitimate user, such as a B2B system user making large financial transactions
Examples of Attacks
• Non-technical attacks
  • Guessing someone's password
  • Stealing a password
• Destructive devices
  • E-mail bomb
  • Viruses
Examples of Attacks
• Scanners – a program which detects security weaknesses
  • Security Administrator's Tool for Analyzing Networks (SATAN)
  • It detected a weakness and provided an authoritative tutorial on the weakness
  • Was developed for the UNIX operating system
Examples of Attacks
• Password crackers – a program that attempts to find out a user's password or the identities of a number of passwords stored on a computer
  • Originally developed to help administer systems
Examples of Attacks
• Sniffers – read the packets of data that travel around a network
  • Designed to determine the efficiencies and inefficiencies in a network, i.e., bottlenecks
  • Used to siphon off sensitive data
• Trojan horses – code which looks legitimate but attempts to do something which the user does not expect it to do
  • Very difficult to detect
  • Example: a shareware program which allows several uses, but then destroys many of the files
Examples of Attacks
• Spoofing – an intruder uses a computer to masquerade as another, trusted computer in order to carry out operations
  • IP spoofing
Security
• Security is often an afterthought in the implementation of a new technology
• Security needs to be built in from the ground up
• Security must be considered whenever
  • information is sent to or received from enterprise-wide systems,
  • interfaces to systems are built,
  • or middleware is being implemented
Security
• In most cases B2B application integration security will be built on top of an existing security structure
  • Top Secret, RACF, or others
• In addition to integrating applications, B2B application integration needs to integrate the security systems
Security
• Five fundamental requirements of a secure transaction:
  • Privacy: How do you ensure that the information you transmit over the Internet has not been captured without your knowledge?
  • Integrity: How do you ensure that the information you send or receive has not been compromised or altered?
Security
  • Authentication: How do the sender and receiver of a message prove their identities to each other?
  • Authorization: How do we ensure that users can access certain necessary resources, while valuable information is protected?
  • Nonrepudiation: How do you legally prove that a message was sent or received?
Cryptography
• First recorded in ancient Egypt
• Two main methods were:
  • substitution ciphers – every occurrence of a given letter is replaced by a different letter
    • Caesar cipher
  • and transposition ciphers – the order of the letters is rearranged
Cryptography
• Symmetric key cryptography
  • The sender encrypts the data using an algorithm which depends on a key
  • The encrypted data is sent over some insecure medium such as the Internet
  • The key is conveyed to the recipient by a secure method
  • The recipient receives the key and decrypts the message
Cryptography
• Public key cryptography
  • Does not require the use of the same key to encrypt and decrypt
  • Uses two keys, a public key and a private key
  • One key is held securely, while the other is distributed
  • Keys must be generated in pairs, and it must be computationally infeasible to obtain one key from the other key alone
Cryptography
  • Information encrypted by one key can be decrypted only by the other key of the key pair
  • Originally proposed in 1976 by Whitfield Diffie and Martin Hellman
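A toy RSA key pair built from two small primes, as an added example that is not from the lecture, to show the property stated on these slides: whatever one key of the pair encrypts, only the other key decrypts. The primes 61 and 53 and the exponent 17 are chosen for illustration; real keys use primes of hundreds of digits.

```python
# Added example (not from the lecture): a toy public/private key pair.
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Return (public, private) as (exponent, modulus) tuples.
    Both keys share the modulus n = p*q. The private exponent d is the
    inverse of e modulo (p-1)(q-1), which is easy only when p and q are
    known; recovering d from the public key alone means factoring n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(key, value: int) -> int:
    """Modular exponentiation with either key of the pair: encryption and
    decryption are the same operation applied with different keys."""
    exp, n = key
    if not 0 <= value < n:
        raise ValueError("message must be a non-negative integer below n")
    return pow(value, exp, n)


def demo():
    public, private = make_keypair(61, 53)  # n = 3233, phi = 3120, d = 2753
    message = 1234
    # Privacy: anyone can encrypt with the distributed public key, but only
    # the holder of the private key can read the result.
    sealed = apply_key(public, message)
    opened = apply_key(private, sealed)
    # Authentication / nonrepudiation: only the private-key holder can
    # produce a value that the public key turns back into the message.
    signed = apply_key(private, message)
    verified = apply_key(public, signed)
    # Applying the same key twice does not recover the message.
    wrong = apply_key(public, sealed)
    return opened, verified, wrong
```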
Techniques and Tools
• Logging tools – monitor the use of a computer and log the events that occur to a secure file
  • e.g. a user mistyping a password several times
• Virus scanners
• Network topology techniques
• Firewalls
• Security checking software
Mobile Computing
• The main driver behind the evolution of the Internet is mobile computing
  • Cellular phones
  • Small, lightweight computers
• Has given rise to the term m-commerce
  • e-commerce activities which are carried out on the move
Mobile Computing
• Problems with mobile computing:
  • Mobile devices are less powerful than the computers found in offices; this limits the amount of client code that can be embedded in these devices
  • Bandwidth can be a problem depending on the location of use
Mobile Computing
  • Reliability is a concern; mobile devices are subject to interruptions in service which can cause problems for the application
  • Mobile applications have less interaction with a network
Mobile Computing
• Non-system problems with mobile computing:
  • Survey conducted by International Data Corporation (2000): 9% of mobile phone users accessed the Internet with a cell phone
  • 6% of net users had access to a wireless device
  • In the U.S. the mobile phone pricing structure is different from that found in Europe
    • The user pays for both outbound and inbound communication
Mobile Computing
• The U.S. wireless telecommunications industry lags behind that in Europe
  • Land-based telephony has been very reliable
  • U.S. wireless coverage is poor
  • Lack of development of wireless technology and standards
• The U.S. will lag behind Europe and Japan in the development of ubiquitous computing
Applications of Mobile Computing
• Active badges
  • The badge has a microprocessor in it
  • Track staff within a building or campus
  • The badge emits a 48-bit code which is transmitted as an infrared signal to sensors in the building
  • Sensor information is stored in a database of badge wearers
  • Can also be used to tag valuable equipment, tripping an alarm if it is moved
Applications of Mobile Computing
• Visiting Nurse Service of New York
  • Hand-held computer used on patient home visits
  • Data is gathered and sent to a hospital server via a mobile phone link
  • Problems have included poor battery performance and some interruptions in service in some locations
Applications of Mobile Computing
• Tracking cows in Britain
  • After the BSE outbreak in the 1990s, health offices now require farmers to report cow births, deaths, and import or export information
  • The normal procedure is to record the information on a postcard
  • Using a mobile phone, the farmer fills in a form with the details and sends it to a government database
Applications of Mobile Computing
• Tracking stolen cars
  • Patrol cars can now be equipped with a computer which accesses law enforcement databases
  • The officer enters a car registration number and is presented with information on the vehicle registration, the driver's license, and whether the car is stolen
  • Radio modems transmit messages with a high degree of security
Mobile System Aspects
• Special protocols
  • A protocol mediates between the protocols used by mobile phones and the IP protocol used on the Internet
  • Wireless Application Protocol (WAP) uses Wireless Markup Language (WML)
  • i-mode: a popular Japanese wireless Internet service using cHTML (compact HTML)
  • Sun J2ME (Java 2 Micro Edition) uses MIDP (Mobile Information Device Profile) as an API
Markup Languages
• Wireless Markup Language (WML) is similar to HTML
  • A number of tags to display visual elements
  • Developed using XML
  • Defines the content of screens known as cards
  • Less sophisticated than HTML due to the limited content delivered on device screens
Markup Languages
• WML:
  • Facilities for defining a screen or card and a set of screens (a deck)
  • Facilities for defining actions to be taken when an event occurs
  • Facilities for carrying out tasks such as refreshing a screen
  • Facilities for displaying and processing user input
Markup Languages
• WML:
  • Facilities for hyperlinking
  • Facilities for displaying images
  • Facilities for text formatting
<?xml version = "1.0"?>
<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.2//EN"
    "http://www.wapforum.org/DTD/wml12.dtd">

<!-- Fig. 26.5 : index.wml -->
<!-- tip test start screen -->

<wml>
   <card id = "index" title = "Tip Test">
      <do type = "accept" label = "Enter">
         <go href = "WAP/info.wml"/>
      </do>
      <p>
         eLearning Programming Tips
      </p>
   </card>
</wml>
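A small standard-library parser for a WML deck, as an added example that is not from the lecture or the Deitel figure it reproduces: it lists the cards in the deck, the <go> action bound to each card's <do> event, and separates links that stay inside the deck (#card-id) from links that leave it, flagging any dangling in-deck link. The sample deck is constructed for this example, modelled on the index.wml above with a second card added.

```python
# Added example (not from the lecture): parsing a WML deck into its cards.
import xml.etree.ElementTree as ET

# Constructed sample, based on the Fig. 26.5 deck plus an extra card.
SAMPLE_DECK = """<?xml version="1.0"?>
<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.2//EN"
    "http://www.wapforum.org/DTD/wml12.dtd">
<wml>
  <card id="index" title="Tip Test">
    <do type="accept" label="Enter"><go href="WAP/info.wml"/></do>
    <p>eLearning Programming Tips</p>
  </card>
  <card id="about" title="About">
    <do type="prev" label="Back"><go href="#index"/></do>
    <p>Lecture 12</p>
  </card>
</wml>
"""


def parse_deck(wml_text: str) -> dict:
    """Return {card_id: {"title": str, "actions": [(event_type, href), ...]}}.
    Each <do> is an event binding; its <go> child is the action taken."""
    root = ET.fromstring(wml_text)
    if root.tag != "wml":
        raise ValueError("not a WML deck")
    deck = {}
    for card in root.findall("card"):
        actions = []
        for do in card.findall("do"):
            for go in do.findall("go"):
                actions.append((do.get("type"), go.get("href", "")))
        deck[card.get("id")] = {"title": card.get("title", ""),
                                "actions": actions}
    return deck


def external_links(deck: dict) -> list:
    """(card_id, event, href) for every action that leaves the deck.
    In-deck links ('#id') must name a card that exists in the deck."""
    out = []
    for card_id, info in deck.items():
        for event, href in info["actions"]:
            if href.startswith("#"):
                if href[1:] not in deck:
                    raise ValueError(f"card {card_id}: dangling link {href}")
            else:
                out.append((card_id, event, href))
    return out
```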
Openwave UP simulator • Sun Mobility Systems