3. SECURING E-COMMERCE
NETWORKS
The selection and operation of technologies that
ensure network security should be based on:
Defense in depth
Need-to-access basis
policy of least privilege (POLP)
Policy of blocking access to network resources unless access is
required to conduct business
Role-specific security
Monitoring
Patch management
Incident response team (IRT)
4. FIREWALLS
firewall
A single point between two or more networks where all traffic must pass
(choke point); the device authenticates, controls, and logs all traffic
packet
Segment of data sent from one computer to another on a network
application-level proxy
A firewall that permits requests for Web pages to move from the public Internet
to the private network
bastion gateway
A special hardware server that utilizes application-level proxy software to limit
the types of requests that can be passed to an organization’s internal networks
from the public Internet
5. intrusion detection systems (IDSs)
A special category of software that can monitor activity
across a network or on a host computer, watch for
suspicious activity, and take automated action based
on what it sees
honeynet
A network of honeypots
honeypot
Production system (e.g., firewalls, routers, Web
servers, database servers) that looks like it does real
work, but which acts as a decoy and is watched to
study how network intrusions occur
6. personal firewall
A network node designed to protect an individual user’s desktop system
from the public network by monitoring all the traffic that passes through
the computer’s network interface card
virtual private network (VPN)
A network that uses the public Internet to carry information but remains
private by using encryption to scramble the communications,
authentication to ensure that information has not been tampered with,
and access control to verify the identity of anyone using the network.
protocol tunneling
Method used to ensure confidentiality and integrity of data transmitted
over the Internet, by encrypting data packets, sending them in packets
across the Internet, and decrypting them at the destination address
7. proxies
Special software programs that run on the gateway server
and pass repackaged packets from one network to the
other
demilitarized zone (DMZ)
Network area that sits between an organization’s internal
network and an external network (Internet), providing
physical isolation between the two networks that is
controlled by rules enforced by a firewall
10. Hyper Text transfer protocols
HTTPS is the Hyper-Text Transfer Protocol with SSL Encryption. It is
the most popular network protocol for establishiing secure connections
for exchanging documents on the World-Wide Web. It is basically
HTTP carried over a TCP socket, which has been secured using SSL
Developed by CommerceNet Consortium
Extension to HTTP that provides numerous security features
Client and server authentication
Spontaneous encryption
Request/response nonrepudiation
Provides symmetric and public-key encryption, and message digests
(summaries of messages as integers)
Whereas SSL is designed to establish a secure connection between two
computers, S-HTTP is designed to send individual messages securely.
11. HTTP messages contain two parts: the header and the body of
the message. The header contains instructions to the
recipients (browser and server) on how to process the
message’s body
During the transfer transaction, both the client browser and
the server, use the information contained in the HTTP header
to negotiate formats they will use to transfer the requested
information.
The S-HTTP protocol extends this negotiation between the
client browser and the server to include the negotiation for
security matters. Hence S-HTTP uses additional headers for
message encryption, digital certificates and authentication in
the HTTP format which contains additional instructions on
how to decrypt the message body.
12. Secure Sockets Layer
SSL (Secure Sockets Layer) is a standard security technology
for establishing an encrypted link between a server and a
client—typically a web server (website) and a browser; or a mail
server and a mail client (e.g., Outlook).
It is used by the most companies to provide security and privacy
and establishes a secure session between a browser and a server.
A channel is the two way-way communication stream
established between the browser and the server, and the
definition of a channel security indicates three basic
requirements:
The channel is reliable.
The channel is private.
The channel is authenticated.
13. Secure Sockets Layer (cont.)
This encryption is preceded by a ‘data handshake’ and has two major
phases:
The first phase is used to establish private communication, and uses
the key-agreement algorithm.
The second phase is used for client authentication.
Limits of SSL:
While the possibility is very slight, successful cryptographic attacks
made against these technologies can render SSL insecure.
A downside of both SSL and SET protocols is that they both require to
use cryptographic algorithms that place significant load on the
computer systems involved in commerce transactions.
For the low and medium e-commerce applications, there is no
additional server cost to support SET over SSL.
14. ROLES OF SSL IN E-COMMERCE
To secure online credit card transactions.
To secure system logins and any sensitive information exchanged
online.
To secure webmail and applications like Outlook Web Access,
Exchange and Office Communications Server.
To secure workflow and virtualisation applications like Citrix Delivery
Platforms or cloud-based computing platforms.
To secure the connection between an email client such as Microsoft
Outlook and an email server such as Microsoft Exchange.
To secure the transfer of files over https and FTP(s) services such as
website owners updating new pages to their
To secure intranet based traffic such as internal networks, file sharing,
extranets, and database connections.
To secure network logins and other network traffic with SSL VPNs such
as VPN Access Servers or applications like the Citrix Access Gateway.
15. WHAT IS VPN ?
Virtual Private Network is a type of private network that
uses public telecommunication, such as the Internet,
instead of leased lines to communicate.
Became popular as more employees worked in remote
locations .
Terminologies to understand how VPNs work.
17. Disadvantages
VPNs require an in-depth understanding of public network
security issues and proper deployment of precautions .
Availability and performance depends on factors largely
outside of their control .
Immature standards .
VPNs need to accommodate protocols other than IP and
existing internal network technology .
18. Roles of VPNs
Large-scale encryption between multiple fixed sites
such as remote offices and central offices
Network traffic is sent over the branch office Internet
connection
This saves the company hardware and management
expenses
19. Intrusion Detection Systems (IDS)
IDS classification
Host-based IDS: monitor single host activity
Network-based IDS: monitor network traffic
logical components:
Sensors
collect data from various sources such as log files, network packets
sends them to the analyzer
Analyzers
process data from sensors and determine if intrusion has occurred
may also provide guidance for the actions to take
user interface
view the output and manage the behavior
20. IDS REQUIREMENT
o run continually with minimal human supervision
o be fault tolerant
o resist subversion
o minimal overhead on system
scalable, to serve a large numbe of users
configured according to system security policies
o allow dynamic reconfiguration
21. Fire wall
A network node designed to protect an individual
user’s desktop system from the public network by
monitoring all the traffic that passes through the
computer’s network interface card
22. Firewalls
A firewall is a barrier placed between the private
network and the outside world.
All incoming and outgoing traffic must pass
through it.
Can be used to separate address domains.
Control network traffic.
Cost: ranges from no-cost (available on the
Internet) to $ 100,000 hardware/software system.
Types:
Router-Based
Host Based
Circuit Gateways
23. PUBLIC KEY INFRASTRUCTURE
A PKI (public key infrastructure) enables users of a
basically unsecure public network such as the Internet
to securely and privately exchange data and money
through the use of a public and a private cryptographic
key pair that is obtained and shared through a trusted
authority.