E-commerce network security and firewall

E-commerce notes on Network security and firewalls


Electronic commerce BCA VI SEM: 

By Smt Bhagya R Patil, BLDEA's A.S. Patil College of Commerce (Autonomous), Bijapur.

Chapter - 3 Network security and firewalls: 

- Client server network security
- Emerging client server security threats
- Firewall and network security
- Data and message security
- Challenge response system
- Encrypted documents and e-mail
- U.S. Government regulations and encryption

3.1 Client server network security: 

Security threat: a circumstance, condition or event with the potential to cause economic hardship to data or network resources in the form of distribution, disclosure, modification of data, denial of service and fraud.

Security concerns in e-commerce are divided into:
1. Client server security (password protection, encrypted smart cards, biometric systems and firewalls)
2. Data and transaction security (data encryption)

Problems that lead to client server network security threats:
- Physical security holes (unauthorized access, hackers gain the password)
- Software security holes (bad program, sendmail hole –knees 88, root access)
- Inconsistent usage holes (admin assembles h/w and s/w)

To overcome these problems, the following protection methods have been developed.

Protection methods:
- Trust based security: this approach assumes that no one ever makes an expensive breach such as getting root access and deleting all files.
- Security through obscurity: hiding passwords in binary files or in scripts with the assumption that "nobody will ever find them". It is good in stand-alone systems but not possible in Unix, because users are free to move around the file system.
- Password schemes: using a mixed password or changing it every day.
- Biometric systems: fingerprints, palm prints, retinal patterns, signature verification and voice recognition. 10-30 sec is sufficient to verify.

3.2 emerging client server security threats: 

The security threats emerging in the electronic commerce world are mobile code and virus threats.

Threats are divided into two categories:
1. Threats to the local computing environment from mobile software.
2. Access control and threats to servers, which include impersonation, packet replay and modification.

Ex: hackers have potential access to a large number of systems. Hackers can use popular Unix programs to discover account details.

3.3 Firewall and network security: 

[Figure: firewall-secured Internet connection. Labels: Internet; firewall (stop); enterprise LAN or WAN; corporate network; "Firewall bypass should not be allowed".]

Firewall: a method of placing a device, a computer or a router, between the network and the Internet to control and monitor all traffic between the outside world and the local network.

Firewall functions:
- Filtering
- Inspection
- Detection
- Logging
- Alerting

A firewall is used in the following traffic routing: IP packet screening routers (proxy application gateway, hardened firewall hosts).

IP packet screening routers: a static traffic routing service placed between the network service provider's router and the internal network. The firewall router filters incoming packets to permit or deny IP packets based on several screening rules.

[Figure: secured firewall with IP packet screening routers]

Advantages:
- Properly configured routers can plug many security holes.
- High packet security.

Disadvantages:
- Difficult to specify screening rules.
- Routers are inflexible.
- If the router is circumvented by a hacker, the rest of the network is open to attack.

It contains two techniques:
- Proxy application gateway
- Hardened firewall hosts
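The screening rules described above, and why they are difficult to specify, shown as an added example that is not part of the original notes: a first-match packet filter with a default deny, plus a check for rules that can never fire because an earlier rule already covers them. The rule format, the addresses (documentation ranges) and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str                      # source network (CIDR)
    dst: str                      # destination network (CIDR)
    proto: str                    # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None matches every destination port

    def matches(self, src, dst, proto, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

def screen(rules, src, dst, proto, dport):
    """First matching rule decides; no match falls through to default deny."""
    for index, rule in enumerate(rules):
        if rule.matches(src, dst, proto, dport):
            return rule.action, index
    return "deny", None

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    dead = []
    for i, late in enumerate(rules):
        for early in rules[:i]:
            if (ip_network(late.src).subnet_of(ip_network(early.src))
                    and ip_network(late.dst).subnet_of(ip_network(early.dst))
                    and early.proto in ("any", late.proto)
                    and early.dport in (None, late.dport)):
                dead.append(i)
                break
    return dead

# Constructed policy (documentation address ranges, not from the notes).
RULES = [
    Rule("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80),  # public web server
    Rule("permit", "0.0.0.0/0", "192.0.2.0/24", "tcp"),       # overly broad permit
    Rule("deny", "0.0.0.0/0", "192.0.2.20/32", "tcp", 23),    # intended Telnet block
]

if __name__ == "__main__":
    print(screen(RULES, "203.0.113.5", "192.0.2.20", "tcp", 23))
    print(shadowed(RULES))
```

Because evaluation stops at the first match, the Telnet deny in the third rule is never reached; running `shadowed` over a rule set before deployment catches this kind of ordering mistake.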

Proxy application gateway: a special server that typically runs on the firewall machine. Its primary use is access to the WWW from within the secured perimeter.

[Figure: clients inside the firewall (secured subnet inside the firewall security perimeter) reach, through a proxy server on the firewall machine that connects to the external Internet, the Web HTTP server, FTP server, Usenet news server, Telnet server and Gopher server on the public Internet. Network protocols: NNTP, Telnet, Gopher, FTP, HTTP.]

Advantages:
- Allows clients to ignore the complex networking code which is necessary to support every firewall protocol.
- Single web client with proxy server.
- Proxies manage IP addresses.
- Limiting dangerous subsets of HTTP.
- Enforcing client/server access to designated hosts.
- Implementing access control.
- Checking various protocols for well-formed commands.

Hardened firewall hosts: a stripped-down machine that has been configured for increased security. Its primary use is connecting inside/outside users to trusted applications on the firewall machine.

Steps:
- Remove all user accounts except those necessary for operation.
- Remove all non-crucial files.
- Extend traffic logging and monitoring to check remote access.
- Disables IP.

Advantages:
1. Concentration of security.
2. Information hiding.
3. Centralized and simplified n/w service management.

Security policies and firewall management: the firewall method of protection spans a continuum between ease of use and paranoid security.

3.4 Data and message security: 

Transaction security issues are divided into data security and message security.

Data security: it is important when people are considering banking and financial transactions by PC. The major threat to data security is packet sniffing (unauthorized n/w monitoring). Sniffers use the n/w traffic, e.g. Telnet, FTP and rlogin sessions, through which they gain information like usernames and passwords.

Message security: threats to message security fall into three categories.
- Message confidentiality: needed for sensitive data such as credit card numbers, employee records, govt files, etc. The environment must protect all message traffic (after delivery it should be removed from the environment). Distributed and wireless n/w make data communication vulnerable.
- Message and system integrity: the threat is unauthorized combining of messages, either by intermixing or concatenation. Error detection codes, checksums, sequence numbers and encryption techniques are the methods of integrity.
- Message sender authentication or identification: it verifies the identity of a user using certain encrypted information transferred from sender to receiver.

Types of encryption methods : 

- Secret-key cryptography
- DES
- Public key cryptography
- RSA and public key cryptography
- Mixing RSA and DES
- Digital public key certificates
- Clipper chip
- Digital signatures (DSS)

Secret-key cryptography: encrypted by the transmitter and decrypted by the receiver. Example: user A encrypts an email with a secret key and sends it to B; B checks the header to identify the sender and unlocks his e-key storing area. Sender and receiver should agree on the encryption.

DES (Data Encryption Standard): a widely adopted implementation of secret-key cryptography. It was introduced in 1975 by IBM. It is a symmetric cryptosystem: when used for communication, both sender and receiver must know the same secret key, which is used both to encrypt and to decrypt the message. It operates on 64 bits with a 56-bit secret key.

Public key cryptography: it involves a pair of keys, a private key and a public key. Encrypted by private key and decrypted by public key. The private key keeps the message secret.

RSA and public key cryptography: RSA is a public-key cryptosystem for both encryption and authentication, developed in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman. RSA is predicated on the product of two numbers greater than 2^512. It is used to enable the digital signature.

Mixing RSA and DES: first the message is encrypted with a random DES key; then, before being sent over an insecure communication channel, the DES key is encrypted with RSA. Together, the DES-encrypted message and the RSA-encrypted DES key are sent. This protocol is known as an RSA digital envelope.
- RSA: secret key exchange, the digital signature.
- DES: encrypts the message.

Digital public key certificates: a data structure, digitally signed by a certification authority, that binds a private key value to the identity of the entity holding the corresponding private key. The latter entity is known as the subject of the certificate.

Clipper chip: it was designed to balance the competing concerns of federal law enforcement agencies with those of private citizens and industry. The idea is that communication would be encrypted with a secure algorithm.

Digital signatures: a digital signature consists of two parts: a method of signing a document such that forgery is infeasible, and a method of verifying that a signature was actually generated by whomever it represents.
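The digital envelope exchange described above, with both the sender's and the recipient's side, as an added example that is not part of the original notes. To stay within the Python standard library it uses stand-ins, all of them assumptions: a SHA-256 counter keystream in place of DES, and unpadded textbook RSA over two small known primes in place of real RSA. It shows the structure of the protocol only and must not be used to protect data.

```python
import hashlib
import secrets

# Constructed demo key pair: two Mersenne primes, far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                    # recipient's public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))      # recipient's private exponent

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric stand-in for DES: XOR with SHA-256(key || offset) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def seal(message: bytes, n: int, e: int):
    """Sender: fresh random session key encrypts the message,
    the recipient's public key encrypts the session key."""
    session_key = secrets.token_bytes(16)
    body = keystream_xor(session_key, message)
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped_key, body            # both parts travel together

def open_envelope(wrapped_key: int, body: bytes, n: int, d: int) -> bytes:
    """Recipient: private key recovers the session key, which decrypts the body."""
    size = (n.bit_length() + 7) // 8
    session_key = pow(wrapped_key, d, n).to_bytes(size, "big")[-16:]
    return keystream_xor(session_key, body)

if __name__ == "__main__":
    envelope = seal(b"constructed sample order", N, E)
    print(open_envelope(*envelope, N, D))
```

Only the short session key passes through the slow public-key operation; the message itself, whatever its length, is handled by the fast symmetric cipher.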

3.5 Challenge response system: 

It uses the following authentication methods:

Token or smart card authentication: it computes a password or encryption key and furnishes it directly to the computer for the logon procedure when a user wants

Third party authentication: consider the Kerberos case study, the popular third-party authentication protocol and an encryption-based system. The session key is issued to a third party who is authorized for the encryption. He should perform under some conditions, like maintaining confidentiality and taking part in legal issues.
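One way a token can answer a server's challenge at logon, as an added example that is not part of the original notes. It assumes an HMAC-SHA256 scheme with a secret shared between token and server; the class, the function names and the 30-second lifetime are illustrative. Each challenge is random, expires, and is accepted once, so a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time

def token_response(secret: bytes, user: str, challenge: bytes) -> bytes:
    """Token side: prove knowledge of the secret without sending it."""
    return hmac.new(secret, user.encode() + b"\x00" + challenge,
                    hashlib.sha256).digest()

class Server:
    def __init__(self, ttl: float = 30.0):
        self.secrets = {}    # user -> secret also stored inside the user's token
        self.pending = {}    # user -> (challenge, expiry time)
        self.ttl = ttl

    def enroll(self, user: str) -> bytes:
        self.secrets[user] = secrets.token_bytes(32)
        return self.secrets[user]          # provisioned into the token once

    def challenge(self, user: str, now: float = None) -> bytes:
        now = time.time() if now is None else now
        nonce = secrets.token_bytes(16)    # unpredictable, never reused
        self.pending[user] = (nonce, now + self.ttl)
        return nonce

    def verify(self, user: str, response: bytes, now: float = None) -> bool:
        now = time.time() if now is None else now
        # pop() consumes the challenge, so each one is valid for one attempt
        nonce, expiry = self.pending.pop(user, (None, 0.0))
        if nonce is None or now > expiry or user not in self.secrets:
            return False
        expected = token_response(self.secrets[user], user, nonce)
        return hmac.compare_digest(expected, response)   # constant-time compare

if __name__ == "__main__":
    server = Server()
    secret = server.enroll("alice")        # constructed user name
    nonce = server.challenge("alice")
    print(server.verify("alice", token_response(secret, "alice", nonce)))
```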

3.6 Encrypted documents and E-mail: 

Most email messages you send travel vast distances over many networks, secure and insecure, monitored and unmonitored, passing through and making copies of themselves on servers all over the Internet. In short, pretty much anyone with access to any of those servers - or sniffing packets anywhere along the way - can read your email messages sent in plain text.

There are two confidential sender authentication methods:

1. PGP (Pretty Good Privacy): free s/w developed by Philip Zimmermann that encrypts email. The software won't protect you against the focused attention of a major government, but it will stop efforts to harvest credit card numbers and information that can be used to commit identity theft. Email encryption is easy, free and offers strong protection against prying eyes.

How PGP email encryption works: consider this scenario. Sam wants to send Jane a secret email love letter that he doesn't want Joe, Jane's jealous downstairs neighbor who piggybacks her wifi, to see. Jane uses PGP, which means she has a PUBLIC key (which is basically a bunch of letters and numbers) which she's published on her web site for anyone who wants to send her encrypted email messages to use. Jane's also got a PRIVATE key which no one else - including Joe the Jealous Wifi Piggybacker - has.

So Sam looks up Jane's public key. He composes his ardent profession of love, encrypts it with that public key, and sends Jane his message. In sending, copies of that message are made on Sam's email server and Jane's email server - but that message looks like a bunch of garbled nonsense. Joe the Jealous Wifi Piggybacker shakes his fist in frustration when he sniffs Jane's email for any hint of a chance between them. He can't read Sam's missive.

However, when Jane receives the message in Thunderbird, her private key decrypts it. When it does, she can read all about Sam's true feelings in (pretty good) privacy.

2. PEM (Privacy Enhanced Mail): There is increasing interest at Rutgers in using email to transmit private information, and to be able to verify the validity of email. This document will describe use of the Internet standards for Privacy Enhanced Mail.

The facilities described here:
- Are reasonably easy to use, although the first time you use privacy enhanced mail, you'll have some setup to do.
- Allow you to send documents in "encrypted" form, meaning that they are encoded in such a way that only the recipient can read them.
- Allow you to digitally sign a message, meaning that the recipient can verify that it actually came from you (with some reservations, noted below).

This document has three primary sections:
- Creating and loading a certificate. This describes what you have to do in order to use privacy-enhanced mail. You have to do this process once a year.
- Using privacy enhanced mail. This describes how to send and receive privacy-enhanced mail using Microsoft Outlook, Mozilla software (particularly Thunderbird), and Macintosh Mail.
- How secure is privacy-enhanced mail?

3.7 US Government regulations encryption: 

The U.S. Govt has been disclosed, to grant export license for encryption products stronger than some basic level. Under regulation, a request for a cryptography product is first submitted to the State Department's Defense Trade Control office. All cryptographic products need export licenses from the State Dept, acting under the authority of ITAR (International Traffic in Arms Regulations). Before export, a product is approved by the NSA.