Post on 12-Jul-2020


University of Toronto School of Continuing Studies

A Conceptual Overview of E-Business Technologies

Day 3 - Conceptual Overview of E-Business Technologies

- Communication Protocols
- “Thinking Beyond the Box” Case Study Series:
  - Canadian Imperial Bank of Commerce: Digital Employee Privacy
- Network Security and E-Commerce

Communication Protocols for E-Business

- The Open Systems Interconnection (OSI) Model
- Understanding the Internet
- Connection to the Internet
- The Internet Protocol Suite
- Hypertext Transfer Protocol
- Intranet and Extranet
- Virtual Private Network

What is a Protocol?

- Rules of communication
- Communication consists of small acts
- Protocols formalize the notion of communication

Protocol Layers

- Different functions in a post-office based communication system

The Open Systems Interconnection (OSI) Model

Good reference: www.ictp.trieste.it/~radionet/1998_school/networking_presentation/index.html

The slide's figure maps the OSI layers onto the TCP/IP architecture layers and the protocols of the TCP/IP suite:

OSI Model Layers                          | TCP/IP Protocol Architecture Layers | TCP/IP Protocol Suite
Application, Presentation, Session Layers | Application Layer                   | HTTP, FTP, SMTP, POP3, NTP, PPTP, NNTP
Transport Layer                           | Host-to-Host Transport Layer        | TCP, UDP
Network Layer                             | Internet Layer                      | IP, ARP, ICMP, IGMP
Data Link, Physical Layers                | Network Interface Layer             | Ethernet, Token Ring, ATM, Frame Relay

Introduction to the Internet

- Data-centric network
- Separation of communication and data processing between two types of computers
  - Hosts and routers

Introduction to the Internet (continued)
- Connection-less network
- Best-effort delivery network

Connection to the Internet

For more ISP info in Canada, see http://www.canadianisp.com

The Internet Protocol Suite

- Developed independently of OSI
- Can be mapped to the OSI model
- Layer 3, network layer: IP, Internet Protocol
- Layer 4, transport layer: TCP, Transmission Control Protocol
- Layer 7, application layer: FTP, HTTP

Internet Protocol – IP / Domain Name Service - DNS

- Internet addressing (IP)
  - 32-bit Internet address: 10000001 00011111 10000001 00011111 is written as 129.31.129.31
  - Index of all IP addresses in the world: http://www.networkinformation.com/ip/ipindex/
- Domain name addressing (DNS)
  - Domain name servers (DNS) translate an IP address to a domain name such as www.utoronto.ca
- Different domains: edu, gov, com, mil, net

Transmission Control Protocol - TCP
- Establishes connections between programs on Internet hosts
- Guarantees reliable and in-order delivery

Page 129, E-commerce – Business. Technology. Society. By Kenneth C. Laudon and Carol Guercio Traver

Hypertext Transfer Protocol - HTTP

- Used to transfer Web pages
- URL – Uniform Resource Locator
  - [protocol]://[Web server address]:[port]/[directory]/[file]
  - http://www.utoronto.ca:8080/SCS/Internet/welcome.htm

Hypertext Transfer Protocol secured by SSL - HTTPS

Intranet and Extranet

- Intranet
  - High bandwidth, controlled, only for internal employees
- Extranet
  - Low bandwidth, open to the world

VPN – Virtual Private Network

“Thinking Beyond the Box” Case Study Series:

- Canadian Imperial Bank of Commerce: Digital Employee Privacy
  - What are the main arguments for and against installing the Assentor software?
  - Should email be considered any differently from other forms of corporate communication? What does CIBC need?
  - If you, as an employer, discovered through routine monitoring of email that some employees were exchanging sexually inappropriate messages, what would you do?

Network Security and E-Commerce

- Estimate the technical security requirements for a network.
- Evaluate the business impact of security decisions.
- Conduct a security audit of a small network.
- Control access to computing resources.
- Establish acceptable security solutions.
- Understand how viruses operate and how to protect systems from them.
- Security training for users.

Authentication, Encryption, and Digital Payment

- Understand the importance of authentication.
- Understand the various encryption alternatives.
- Differentiate between symmetric and asymmetric encryption.
- Determine how and why encryption is important for e-commerce.
- Understand how security applies to e-mail, the Web, the intranet, and the extranet.
- Understand the core technologies that build a virtual private network.
- Plan strategies to fend off security threats.

Internet Frauds

- Top E-Commerce Fraudulent Activities
  - Identity theft
  - Communication fraud (e.g. phishing)
  - Credit or debit card fraud
  - Non-delivery
  - Auction fraud (items that do not exist, or stolen items)

Reference: FBI’s Internet Fraud Complaint Center Report 2003

Internet Security Requirements

- Secrecy
  - Deals with the protection of information from unauthorized disclosure and with the authentication of the data source.
- Integrity
  - Addresses the validity of data and the guarantee that the data have not been tampered with during transfer.
- Availability
  - Assurance that the site is reachable in a timely manner.

Security Threats

- Access to and distortion of data by hackers
- Risks from viruses
- Unauthorized access to the system
- Financial loss to company or customers
- Breaches of personal privacy

Security Threats (cont.)

Page 258, E-commerce – Business. Technology. Society. By Kenneth C. Laudon and Carol Guercio Traver

Security Policy Development

- Establishing security policies
- Creating security procedures

Security Policies and Procedures

- What services are required by the business, and how can they be met securely?
- How much do employees depend on the Internet and the use of e-mail?
- Do users rely on remote access to the internal network?
- Is access to the Web required?
- Are customers supported through the Web?

Security Policies

- Privacy policy
- Access policy
- Accountability policy
- Authentication policy
- Availability statement
- Violations reporting policy
- Supporting information
- Security architecture guide
- Incident-response procedures
- Acceptable use procedures
- System administration procedures
- Other management procedures

Security Procedures

- All systems and servers have their own weaknesses.
  - Establish steps to harden the system
    - Limit exposed services/processes
    - Stronger password requirements
  - Follow the security recommendations in the system documentation
  - Follow update/patching warnings
    - From the software publisher
    - From the security community
  - Monitor security listservs
    - http://www.CERT.org or http://www.sans.org

Security Procedures (continue)

- Access Control Lists (ACL)
  - Users should have limited access to resources
  - An access control list is a compilation of access control entries
  - Sample access control entries (ACE) may contain:
    - Administrators – Full Control
    - Users (Authenticated) – Read Only
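The ACL evaluation described above, as an added example that is not part of the course slides: an access control list built from the slide's two sample entries, evaluated with deny-overrides-allow semantics. The rights set, the user and group names, and the extra "Contractors" deny entry are constructed for illustration.

```python
# Added example (not from the course slides): a small ACL evaluator built
# around the slide's sample entries. Rights, users and groups are constructed.
from dataclasses import dataclass, field

FULL_CONTROL = frozenset({"read", "write", "execute", "change_permissions"})
READ_ONLY = frozenset({"read"})

@dataclass
class ACE:
    principal: str      # user name, group name, or "Users (Authenticated)"
    rights: frozenset   # rights this entry grants (or denies)
    allow: bool = True  # False turns the entry into an explicit deny

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    authenticated: bool = True

def applies(ace: ACE, user: User) -> bool:
    """An entry applies by user name, by group membership, or through the
    slide's 'Users (Authenticated)' pseudo-group for any logged-in user."""
    if ace.principal == user.name or ace.principal in user.groups:
        return True
    return ace.principal == "Users (Authenticated)" and user.authenticated

def check_access(acl, user: User, right: str) -> bool:
    """Grant the right only if an applicable entry allows it and no applicable
    entry denies it: deny overrides allow, and no matching entry means no access."""
    allowed = False
    for ace in acl:
        if not applies(ace, user) or right not in ace.rights:
            continue
        if not ace.allow:
            return False
        allowed = True
    return allowed

# ACL from the slide's sample ACEs, plus a constructed deny entry for contractors.
SAMPLE_ACL = [
    ACE("Administrators", FULL_CONTROL),
    ACE("Users (Authenticated)", READ_ONLY),
    ACE("Contractors", READ_ONLY, allow=False),
]

if __name__ == "__main__":
    for u in (User("alice", {"Administrators"}), User("bob"),
              User("eve", authenticated=False), User("carol", {"Contractors"})):
        print(u.name, {r: check_access(SAMPLE_ACL, u, r) for r in ("read", "write")})
```

An unauthenticated user matches no entry and gets nothing, and a contractor who is also an authenticated user is still blocked because the deny entry wins.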

Security Procedures (continue)

- Assets access control
- Assets access list with who, when and how access is provided

Security Procedures (continue)

- Maintain anti-virus software and definition files
- Common types of viruses
  - File infectors
  - System or boot-record infectors
  - Macro viruses
  - Worms

Security Procedures (continue)

- Backup and Recovery
  - Organizations need to have clear procedures for backup and recovery
    - Onsite / Offsite / Network
  - The organization must enforce these procedures
  - Take advantage of new technologies
    - Compression / Optical storage
  - Clear recovery procedures
  - Backup time over the Internet: http://support.evault.com/bandcalc.htm

Training Users About Security Policies and Procedures

- Information classification, handling and disposal
- System access
- Virus prevention
- Backup and restore
- Software licenses
- Internet usage
- Email usage
- Physical security of notebooks and PDAs

Use of Firewalls

- Benefits of a Firewall
  - Service control
  - Direction of transmission monitoring
  - User/profile monitoring
  - Usage/behavior monitoring
- Design Goals of a Firewall
  - Traffic control between Internet and Intranet
  - Definition of local network security policies
  - Simple implementation

Types of Firewalls

- Packet filtering router
- Circuit-level gateways
- Application-level gateways
  - Proxy servers

Packet Filtering Router

- Applies a set of rules to all incoming packets
  - Allows forwarding or discarding of packets
- Filtering rules are based on the fields in the header of the packet.
  - Protocol type: TCP / UDP / ICMP / PPTP
  - Port number: e.g. TCP:80 for Web, TCP:25 for Mail
  - Direction: Inbound vs. Outbound
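The header-field rules above, together with the 32-bit address notation from the Internet Protocol slide, as an added example that is not part of the course slides: a first-match packet filter that keys on direction, protocol, destination network and port and drops anything no rule matches. The 129.31.129.31 address is the slide's; the policy, CIDR blocks and packets are constructed for illustration.

```python
# Added example (not from the course slides): first-match packet-filter rules
# plus the dotted-decimal <-> binary conversion from the IP addressing slide.
# The policy, addresses and packets below are constructed for illustration.
from dataclasses import dataclass

def ip_to_int(addr: str) -> int:
    """Dotted decimal such as '129.31.129.31' -> 32-bit integer."""
    a, b, c, d = (int(o) for o in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_binary(value: int) -> str:
    """32-bit integer -> four 8-bit groups, the notation used on the slide."""
    return " ".join(f"{(value >> s) & 0xFF:08b}" for s in (24, 16, 8, 0))

def in_network(addr: str, cidr: str) -> bool:
    """True if addr falls inside the CIDR block, e.g. '129.31.0.0/16'."""
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return ip_to_int(addr) & mask == ip_to_int(net) & mask

@dataclass
class Packet:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "TCP", "UDP" or "ICMP"
    dst: str         # destination address, dotted decimal
    dport: int = 0   # 0 = no port (ICMP)

@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    direction: str = "any"
    protocol: str = "any"
    dst_net: str = "0.0.0.0/0"  # CIDR block the destination must fall in
    dport: int = 0              # 0 matches any port
    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.protocol in ("any", p.protocol)
                and in_network(p.dst, self.dst_net)
                and self.dport in (0, p.dport))

def filter_packet(rules, packet: Packet) -> str:
    """First matching rule decides; an unmatched packet is dropped (default deny)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"

# Constructed policy: only Web (TCP:80) and mail (TCP:25) may reach the server; all outbound allowed.
RULES = [Rule("allow", "inbound", "TCP", "129.31.129.31/32", 80),
         Rule("allow", "inbound", "TCP", "129.31.129.31/32", 25), Rule("allow", "outbound")]
```

Because the last line of the policy is an implicit deny, an inbound UDP or ICMP packet, or TCP to any port other than 80 and 25, is discarded even though no rule names it.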

Circuit-Level Gateways

- Establishes connections between users on the outside and users on the inside.
- No direct end-to-end links, only TCP redirection.
- Does not provide network-layer services.
  - e.g. SOCKS software

Application-Level Gateways

- Establishes connections at the application level
  - e.g. HTTP for Web, FTP for file download, SMTP for mail
- Stricter security than packet filtering.
- Proxy servers are considered application-level gateways.
- Proxy servers also act as cache servers to enhance performance.

Page 283, E-commerce – Business. Technology. Society. By Kenneth C. Laudon and Carol Guercio Traver

Actual Implementation of Firewalls

Security Audit

- Security audits involve:
  - Top-down interviews
  - Identification of deviations from existing policies
    - May involve trial break-in exercises or remote scans to look for network vulnerabilities
  - Analysis using a proven security practices methodology (SPM)
  - Summary and recommendations for any non-compliances
- Many companies outsource audits.
  - Based on costs
  - Based on skills

Security from More Perspectives …

- Organizational Level
  - After all, what do we actually want to implement?
  - What vendors or products do we use?
  - How do we measure success?

Security from More Perspectives … (continue)

- End-User Level
  - Caching
  - Cookies: small files that track data such as Web site preferences and passwords for repeat visits. Spyware gathers and spreads this information without the user's knowledge.
  - Spyware: an application that secretly gathers information about your computing habits and may send the data to unknown sites.
  - Adware: an application that generates pop-up advertisement windows and banners randomly or based on current browser content.
  - Phishing

Security from More Perspectives … (continued)
- More Threats…
  - Distributed Denial of Service attacks (DDoS)
  - Other misuse of information from your site

Directory Service

- Definition
  - A network service that identifies all resources on a network and makes them accessible to users and applications.
- Standards
  - X.500 is an ISO and ITU standard that defines how global directories should be structured. X.500 directories are hierarchical.
  - LDAP (Lightweight Directory Access Protocol) provides secure query access to a directory so that programs can authenticate user access based on information stored in the directory.

Directory Services Vendors

- A number of solutions are based on the Lightweight Directory Access Protocol (LDAP)
  - Microsoft Active Directory Service (free with Windows Server software)
  - NOVELL: NDS eDirectory Version 8.X
  - CP: Injoin Directory Server v3.X
  - NETSCAPE: iPlanet Directory Server 4.11
  - ORACLE: Oracle Internet Directory 2.X

Home Readings

- E-Commerce - Business, Technology, Society:
  - Chapters 3 and 5
  - Preview for next class: Chapters 4, 5 and 6.1-6.2