Providing Security over the Web and the Internet
A report prepared by the engineers and technicians of Prospect Technologies

3246 Prospect Street NW, Washington, DC 20007-3214
202.965.2390
202.965.2393 (FAX)
www.prospect-tech.com

Prospect Technologies: providing e-business and technology solutions for government, corporations, industry, associations, and academe.

Outline of this Presentation:
Introduction and Purpose
Background on the Internet
    Internet 101
    Untangling the Net: The not-so-simple route of the Simple E-mail Message!
How does one use these concepts to make information secure?
    On the Web / E-mail Server
    Transmissions over the Web
What this means for Internet Users?
Who is Prospect Technologies and how did they develop their security expertise?
Need more information on Security?
References for Systems, Networking, Software, and Internet Security
Endnotes

Introduction and Purpose:
While business has witnessed an explosion of transactions over the Internet during the last several years, recent publicity as well as events following September 11th have given rise to the question:

"How secure is my information as it travels over the Internet?" [1]

Unfortunately, this is not an easy question to answer. However, in this short paper, Prospect Technologies will give you some background on what happens when E-mail, files, and / or Web pages are transmitted over the Internet. Using this introduction as a basis, this paper will highlight some of the practices and procedures that may be employed to protect a customer's information as it travels over the Web and the Internet. The security methodologies illustrated herein will help a firm when they send / receive E-mail or when a secure Web page is being viewed over the Web. While only one method is discussed thoroughly in this paper, we invite you to inquire about our many other forms of security that you may require.

Want to read more about security on the Web? Take a look at: www.yahoo.com/computers_and_internet/internet/world_wide_web/security/ [2]


Background on the Internet:
Usually when we think of the Internet we envision the following sort of picture:

[Figure: simplified picture of the Internet. Labels: www.myfirm.com; e-mail SW; Web Browser; Web site Server; High Speed Internet Access; Person_at_home@aol.com; Person_on_a_LAN@myfirm.com]


This "picture" seems to indicate that when a user "logs onto" his / her ISP, he / she is transported directly to the Web site Server [e.g. www.myfirm.com] for some specific Web information or to an E-mail server [xxx@myfirm.com] that handles the E-mail for an organization. Unfortunately, this is not the case nor is the picture shown above quite so simple.

Internet 101
As seen in the diagram below, few if any computers connect directly to the servers at their ultimate destination. As an example, there can be several "hops" (intermediate servers, routers, or other devices) between someone's computer sending an E-mail message through an Internet Service Provider (ISP) and the end user. Many of these steps will connect through one or more Network Access Points (NAPs). NAPs act as gateways between major ISPs, transferring E-mail and Web traffic.


Untangling the Net: The not-so-simple route of the Simple E-mail Message!
The diagram above shows that a typical E-mail package may still have several computer servers or "hops" to traverse before a single E-mail reaches a company or association's LAN and ultimately the receiver's computer. In the diagram above, the E-mail message passes through at least 5 "hops" -- 1 local LAN, and roughly 4 different Internet access connections between these "hops". Notice that nothing has been said about either the quality of the Internet connection (i.e. bandwidth) [3] anywhere along the line, nor the speed, capability, security, or even frequency by which the E-mail message is transported from the sender to the receiver. Each of these items adds an additional variable that may cause the package of information to degenerate rapidly.

The information transmitted across the Internet may be vulnerable each time it passes through a computer, router, or a similar device. Each of these legs of the journey may be referred to as a "hop". The information is vulnerable at each "hop" because security measures may not exist at any of these stops or may be totally unsuitable to support our transport of information. To further illustrate this point, let's use a simple example.


Say I want to visit a Web page somewhere over the Internet. Let's further say I want to check to see how many "hops" might occur in the path from where I am logged in now (my ISP!) to wherever the target server is located. A simple program called "tracert", or on some systems simply "traceroute", will help us answer this question. Traceroute is an Internet program which sends a small packet of data from one Internet server to another and receives a response back from each machine / server / router along the way. We must also qualify the statement that was just made: there may be several devices along the route that may not be capable of being configured to answer traceroute's request for information.

Given this qualification, how many "hops" might there be to complete this connection? To the right is displayed the result of "tracing" the route to the MIT main computer in Cambridge, MA from the Prospect Technologies offices in Washington, DC. As seen in a copy of the computer screen, the connection from a computer in Washington, DC to the MIT server shows that these data packets went through at least 10 different servers to get to the MIT computer in Cambridge!

[Figure: Traceroute]


In actual fact, having data packets travel through ONLY 10 servers is quite a good sign. A typical Web page's data packet is normally transmitted through 15 to 25 different "hops" between the sender and receiver! Again, each of these points or "hops" can serve to intercept some of the data.
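
The hop counting described above, for the E-mail path and for the trace to MIT, can be done from the text that "traceroute" (Unix) and "tracert" (Windows) print. The parser below is an added example, not part of the original report; it separates devices that answered from those that stayed silent, which is the qualification the paper makes. The sample output is constructed with documentation addresses and host names, and IPv4 is assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output (documentation addresses, not a real trace).
UNIX_SAMPLE = """\
traceroute to www.example.edu (198.51.100.80), 30 hops max, 60 byte packets
 1  gw.office.example (192.0.2.1)  0.412 ms  0.398 ms  0.377 ms
 2  isp-edge.example.net (203.0.113.1)  8.114 ms  7.902 ms  8.230 ms
 3  * * *
 4  core1.example.net (203.0.113.9)  12.5 ms * 12.9 ms
 5  www.example.edu (198.51.100.80)  19.8 ms  19.6 ms  20.1 ms
"""
WINDOWS_SAMPLE = """\
Tracing route to www.example.edu [198.51.100.80]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.0.2.1
  2     8 ms     7 ms     8 ms  isp-edge.example.net [203.0.113.1]
  3     *        *        *     Request timed out.
  4    19 ms    20 ms    19 ms  www.example.edu [198.51.100.80]

Trace complete.
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(\S.*)$")            # "<hop number> <rest>"
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RTT = re.compile(r"(?<![\w.])<?(\d+(?:\.\d+)?)\s+ms\b")  # "8.114 ms", "<1 ms"


@dataclass
class Hop:
    number: int
    address: Optional[str]   # None when the device never answered
    rtts_ms: List[float]     # round-trip times of the probes that came back
    lost_probes: int         # probes shown as "*"


def parse_trace(text: str) -> List[Hop]:
    """Parse traceroute (Unix) or tracert (Windows) text into Hop records."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue                      # banner, blank or trailer line
        rest = m.group(2)
        rtts = [float(v) for v in RTT.findall(rest)]
        lost = rest.split().count("*")
        if not rtts and not lost:
            continue                      # numbered line that is not a hop
        addr = IPV4.search(rest)
        hops.append(Hop(int(m.group(1)), addr.group(0) if addr else None, rtts, lost))
    return hops


def summarize(hops: List[Hop]) -> dict:
    """Count listed hops and split them into answering and silent devices."""
    silent = [h.number for h in hops if h.address is None]
    return {
        "hops_listed": len(hops),
        "answered": len(hops) - len(silent),
        "silent": silent,
        "partial_loss": [h.number for h in hops if h.address and h.lost_probes],
    }


if __name__ == "__main__":
    for name, sample in (("traceroute", UNIX_SAMPLE), ("tracert", WINDOWS_SAMPLE)):
        print(name, summarize(parse_trace(sample)))
```

A silent hop is still a device the data passed through; it simply could not be identified, so the "answered" figure is a lower bound on the devices in the path.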

How does one use these concepts to make information secure?
It is important to note that there is not just one point where the security must be strengthened. As seen in the path of the simple E-mail message or the Traceroute just performed to MIT from Washington, DC, there may be many points or "hops" which need to be made secure in the Internet chain. It should be noted that security processes and procedures -- hardware, software, practices, networking, physical access, etc. -- could become very expensive. Prospect Technologies has seen firms pay literally hundreds of thousands of dollars to attempt to secure a "front door" into a server with sensitive data or support E-mail / Web transmissions. However, with all the money these firms have spent securing the front door, they fail to close many "back doors", allowing any nefarious individual to stroll right in and access a firm's confidential information.

For hackers, all corporate, educational, or government sites are considered "target rich environments." Much like the crowded battlefield, no matter which direction the hacker points his weaponry, he's bound to hit something that therein creates a domino effect and allows the hacker access to all of the corporate resources.

The reasons for security over the Internet and Web are obvious. If you run a server that contains sensitive data, or has some sort of form that might ask you for confidential personal information or credit card data, then you need to ensure that the information is transmitted in a way that ensures no one else but the intended viewer sees the message. Remember, without any form of security, the protocols that transmit Web pages and E-mails can be considered "clear" transmissions which could lend themselves to being intercepted anywhere along the transmission routes.

Basically, there are two general areas, outside of the user's machine, where most of the security risks exist:

• On the Web / E-mail Server
• Transmissions over the Web

Let's look at each area.


On the Web / E-mail Server
At Prospect Technologies we have made a conscious decision to house our secure server farm at a Tier I Internet provider. Tier I providers are the large, sophisticated professionals, like MCI and Sprint. There are 12 Tier I providers that form the "back bone" of the Internet. [4] Most, if not all, of the "other / smaller" carriers / ISPs lease bandwidth and services from these 12. The decision to house our server farm at a Tier I provider was made for three major reasons:

• First, the bandwidth we supply to our customers to the Internet is 10 Megabits per second or roughly 6 to 7 times faster than that of a T1. This enables our customers to have the MAXIMUM in available bandwidth at a mere fraction of what they would pay without using the services of Prospect Technologies.
• Secondly, our Tier I provider will act as an extension of our professional staff. They employ individuals that are completely "on top of" developments, changes, and problems with the Internet and the World Wide Web. This information provides Prospect Technologies with an enormous amount of first-hand advanced Internet data months before it becomes apparent to many other firms and computer companies.
• The third reason is that our server farm is located in an ultra secure, 7 x 24 controlled and monitored facility that has no access to the general public. It also has back-up power supplies to keep the entire facility operational in case of a power outage. In addition, it has backups for all systems such as multiple redundant network access points to the Internet, multiple site hosting facilities, and other items only associated with Tier I Internet providers.

The Prospect Technologies servers reside in locked cabinets, behind several securely controlled doors, and are visually / camera monitored 24 hours per day. There are several hardware and software firewalls screening the requests for information and transmissions into the server farm. In addition, Prospect Technologies does not support direct dial-up into the server [. . . a dominant source of hacking!] and follows Department of Defense (DOD) procedures to ensure that the server farm is adequately protected. The firm is also on top of major developments in the commercial and hacking community to ensure that vulnerabilities are known before they are exploited. It is those firms / agencies / organizations that do not follow these guidelines that have had their Web sites transformed into rubble overnight.

In addition, Prospect Technologies uses some of the most advanced secure commercially available computer operating systems, which require extensive user IDs and Passwords to access secure / confidential Web pages. Passwords and IDs are changed frequently and also adhere to DOD and all of the stronger commercial standards.

[Figure: User and Password Required]


Only Prospect Technologies cleared personnel are allowed to work on the server, and the ultimate responsibility for security co-resides with the Chief Technologist, the EVP/COO, and the President / CEO.

Transmissions over the Web
As mentioned earlier, data is transmitted via numerous "hops" to pass information from a Web server to an individual viewer. Most commercially available browsers -- Netscape and MS Internet Explorer -- support an encapsulating Web protocol that utilizes "public-key" encryption, called Secure Sockets Layer (SSL). An example of how this works may be helpful. When one views a "normal" Web site, a small "broken key" or "open lock" [5] is visible in Netscape at the lower left-hand side of the screen. This broken key means that the Web page you are viewing is neither secure nor encrypted by any SSL protocol during transmission.
[Figures: Un-secure Indication; Security Information]


However, if the server contains the special transmission encryption protocol installed with the operating system and other Web software, a user can have a secure transaction. While the setting up and maintenance of this protocol is complex and can take a great deal of time, Prospect Technologies provides this service to our customers and continues to monitor the generation of public and private "key pairs". These "key pairs" are separately transmitted to the user to ensure an encrypted transmission no matter how many "hops" the Web site information travels. When this occurs, the "broken key" turns solid gold and shows up on a blue background. [6]

This process also verifies that the intended recipients of the information (the server and the user) have verified each other's identities and locations on the Internet. This process stops a major form of hacking called "IP spoofing", in which a hacker "pretends" to be another machine on the Internet in order to capture data. This "golden key", or the equivalent indication [7] on other browsers, tells the viewer that the SSL encryption is in place, and that it is safe for a user to pass confidential information -- including credit cards! -- and Electronic Commerce applications over the Web.

[Figure: Secure Indication]


What this means for Internet Users?
Tools, practices, and procedures currently exist to protect users' information as it is transmitted over the Internet and the Web. These techniques are constantly being re-evaluated, re-thought, and re-visited due to technological, social, as well as human advances. The bottom line: if you use the services of a good firm, with an understanding of the perils on the Internet and the Web, you should be able to rest easy! However, what about tomorrow? This may take more effort. Teaming with a technology partner is essential if a firm seeks to build e-business / E-commerce or even put in place information transmission / sharing capabilities. The technology partner firm should be well aware of security on the Internet and be a recognized leader in enabling secure E-mail, secure Web site transfer protocol, as well as securely supporting simple File Transfer Protocol (FTP).

Who is Prospect Technologies and how did they develop their security expertise?
Prospect Technologies provides e-business and technology solutions for government, corporations, industry, associations, and academe.


Since its incorporation in 1996, Prospect Technologies has helped clients in the nation's capital and across the United States find answers to pressing technology needs, especially in expanding services and customer support to the World Wide Web. The company is headquartered in the Georgetown area of Washington, DC with operations in nearby Columbia and College Park, MD, Ashburn, VA and Savannah, GA. In focusing on generating e-business and computer technology solutions for entrepreneurial firms, Prospect Technologies has developed several cutting-edge products and special services with broad market potential technology solutions for business and government.

By using many of the security and encryption tools described in this paper, as well as other new and emerging security techniques, the company can offer state-of-the-art computer / technological security and encryption. These include the capability to access and archive clients' information using sophisticated secure database applications via World Wide Web interfaces. In addition, these procedures and techniques allow Prospect Technologies to specialize in e-business and Electronic Commerce. It is also able to provide Internet / networking products and services to support secure and unsecured E-mail and other electronic means of communications.

In 1998, Prospect Technologies acquired a Maryland-based firm [8] that provided computer networking, hardware, and software service and support. The company also designed and manufactured custom desktop computers and large scale Internet / Web servers to specifically meet clients' requirements. This large / high end computer manufacturing ability enables Prospect Technologies to push, in addition to computer performance barriers, the Internet and Web security / encryption "envelope" even further with this combination of "state-of-the-art" advanced computer hardware and software.


Need more Information on Security?
Visit our Web site at: http://www.Prospect-Tech.com
Or E-mail us at: Webmaster@Prospect-Tech.com


References for Systems, Networking, Software, and Internet Security

Name / Source: URL
Internet Safety Watch: http://www.cyber-hoodwatch.org/tutorial_ie5_zones.htm
Computer Hacker Web sites!: http://www.progenic.com/
System and Network Security: http://www.cromwell-intl.com/security/
Internet security: http://www.cnn.com/2000/TECH/computing/02/16/hacking.investigation.01/
Applications, Web Services Guide: http://internet.about.com/cs/enterpriseapps/
Center for Internet Security: http://www.cert.org/


Endnotes:
[1] Since September 11th, 2001 a great deal of concern has been raised about security. Web sites are no different. Daily one hears of Web sites being hacked and information concerning credit cards, people's identities, and other personal information illegally removed from Web sites for nefarious purposes. Prospect Technologies is a leader in providing secure, protected, highly interactive, and informative Web site complexes. A partial client list includes:

• The US Coast Guard
• McGraw-Hill
• Princeton University
• The Federal Maritime Commission
• The 2002 International Fuel Cell Conference
• Georgetown University
• The US Chamber of Commerce

We provide secure / password protected / SSL encrypted Web sites which routinely process the filing of federal contracts, the searching and retrieval of secure government information, as well as the transmission / retrieval of credit card information.

[2] Please see: http://www.prospect-tech.com/mayflower/yahoo.html.
[3] Please see: http://www.prospect-tech.com/ec/bandwit.doc and http://www.prospect-tech.com/ec/bandwi~3.xls.
[4] Please see: http://www.prospect-tech.com/news/ptservermove.htm and http://www.prospect-tech.com/news/digex.htm.
[5] Please note that for an un-secure transaction a viewer sees [image] in his / her browser. Once the site resides behind SSL protection, the security lock becomes closed. E.g. [image].
[6] Ibid.
[7] Ibid.
[8] Please see: http://www.prospect-tech.com/news/pcs.htm.
