E-Commerce Internet security standards

Introduction

Electronic commerce is buying and selling of goods and services across the
Internet. An e-commerce site can be as simple as a catalog page with a phone
number or it can range all the way to a real-time credit card processing site
where customers can purchase downloadable goods and receive them on the
spot. Electronic commerce merchants can range from the small business with a
few items for sale all the way to a large on-line retailer such as Amazon.com.

Commercial activities over the Internet have been growing in an exponential

manner over the last few years. Despite this rapid growth the security of
monetary transaction over the wide-open Internet has been a major point of
uneasiness for many to join this new modality of buying and selling.
OSI Layer
These 7 layers further divide the tasks of moving the data across the network into subtask
and hence complete one communication cycle between two computers or two network

devices. Each layer is assigned a task and the task is completed independently. The OSI
layers have the clear and independent characteristics and tasks.

The 7 layers of the OSI models can be divided into upper and lower layers. I have defined
the characteristics, tasks and features of each layer separately.
Layer 7: Application Layer
The application layer defines the interfaces for communication and data transfer.
This layer also provides and support services such as job transfer, handles network
access, e-mail, supports user applications and error recovery.

Protocols: FTP, DNS, SNMP, SMTP, FINGER, TELNET, TFTP, BOOTP and SMB
protocol are operated on the application layer.
Network Devices: Gateway network device is operated on the application layer.

Layer 6:Presentation Layer

The presentation layer presents the data into a uniform format and masks the difference
of data format between two dissimilar systems. It also translates the data from application
to the network format. Presentation layer is also responsible for the protocol conversion,
encryption, decryption and data compression. Presentation layer is a best layer for
cryptography.
Network Devices: Gateway Redirector is operates on the presentation layer.

Layer 5: Session Layer

Session layer establish and manages the session between the two users at different ends in
a network. Session layer also manages who can transfer the data in a certain amount of
time and for how long. The examples of session layers and the interactive logins and file
transfer sessions. Session layer reconnect the session if it disconnects. It also reports and
logs and upper layer errors.
Protocols: The protocols that work on the session layer are NetBIOS, Mail Slots, Names
Pipes, RPC
Network Devices: Gateway

Layer 4: Transport Layer

Transport layer manages end to end message delivery in a network and also provides the
error checking and hence guarantees that no duplication or errors are occurring in the data
transfers across the network. Transport layer also provides the acknowledgement of the
successful data transmission and retransmits the data if no error free data was transferred.

It also provides and error handling and connectionless oriented data deliver in the
network.
Protocols: These protocols work on the transport layer TCP, SPX, NETBIOS, ATP and
NWLINK.

Network Devices: The Brouter, Gateway and Cable tester work on the transport layer.

Layer 3: Network Layer

The network layer determines that how data transmits between the network devices. It
also translates the logical address into the physical address e.g computer name into MAC
address. It is also responsible for defining the route, managing the network problems and
addressing. Router works on the network layer and if a sending device does not break the
data into the similar packets as the receiving device then network layer split the data into
the smaller units and at the receiving end the network layer reassemble the data.

Network layer routes the packets according to the unique network addresses. Router
works as the post office and network layer stamps the letters (data) for the specific
destinations.
Protocols: These protocols work on the network layer IP, ICMP, ARP, RIP, OSI, IPX and
OSPF.
Network Devices: Network devices including Router, Brouter, Frame Relay device and
ATM switch devices work on the network layer.

Layer 2:Data Link Layer

Defines procedures for operating the communication links

Frames packets
Detects and corrects packets transmit errors
Protocols: Logical Link Control
• error correction and flow control
• manages link control and defines SAPs
802.1 OSI Model
802.2 Logical Link Control
Media Access Control
• communicates with the adapter card
• controls the type of media being used:

Layer 1: Physical Layer

Physical layer defines and cables, network cards and physical aspects. It defines raw bit
stream on the physical media. It also provides the interface between network and network
communication devices. It is also responsible for how many volts for 0 and how many for
1. Physical layer also checks the number of bits transmitted per second and two ways or
one way transmission. Physical layer also dealing with the optical, mechanical and
electrical features.
Protocols: Protocols that work on the physical layer are ISDN, IEEE 802 and IEEE 802.2

Network Devices: Hubs, Repeaters, Oscilloscope and Amplifier works on the network
devices

Network security policy

The major role of network security policy is to ensure that each of the four
fundamental components that make up computer security, Authentication,
Access Control, Integrity and Confidentiality are adequately addressed.

Authentication, firewall-1 and gateways provide customers, including remote

users and telecommuters, with secure, authenticated access to enterprise
resources using multiple authentication schemes. User authentication services
securely validate that the users attempting to make a connection are who they
say they are before the communication is allowed to proceed. Modifications to
local servers or client applications are not required. Authentication services are
fully integrated into the enterprise-wide security policy and can be centrally
managed through the graphical user interface. All authentication sessions can be
monitored and tracked through the Log Viewer.

Firewall-1 and gateways provide two major authentication methods:

1. User Authentication
2. Client Authentication

User Authentication

FireWall-1 and gateways include transparent User Authentication providing

access privileges on a per user basis for FTP, Telnet, HTTP, and Relogin
connections, regardless of the user's IP address. If a local user is temporarily
away from the office and logging in from a different host, the security
administrator may define a rule that allows that user to work on the local network
without extending access to all users on the same host.

Client Authentication

Client Authentication enables an administrator to grant access privileges to a

specific user at a specific IP address. In contrast to User Authentication, Client
Authentication provides a mechanism for authenticating users of any application,
standard or custom. Client authentication is not transparent, in that the user must
first connect with the firewall-1 or VPN-1 gateway to be authenticated. It does
not, however, require any additional software or modifications on either the client
or server. Client Authentication is done via a Telnet or a Web browser where the
user accesses the firewall, and is then authenticated before being granted
access to network resources. All authentication schemes (e.g. SecurID token
cards, RADIUS-based solutions, and static passwords) are supported.
Protection against common attacks

There are several common types of attacks that hackers employ to gain access
or damage a company’s network. These attacks are easily defeated by FireWall-
1 and VPN-1 Gateways.

• IP Spoofing - A technique where an attacker attempts to gain

unauthorized access through a false source address to make it appear as

though communications have originated in a part of the network with
higher access privileges. For example, a packet originating on the Internet
may be masquerading as a local packet with the source IP address of an
internal host. Firewall-1 and VPN-1 gateways protect against IP spoofing
attacks by limiting network access based on the gateway interface from
which data is being received.

• Denial of Service Attack - There are many types of denial of service

(DOS) attacks. One type of DOS attack is a Synchronized Data Packet

(SYN) flood the new type of attack that came out late last year which
disabled Internet service providers. The SYN flood is not an intrusion
attack, it does not attempt to access or modify data, instead its purpose is
to disable servers and thus it is classified as a denial of service attack.

The user (client) sends a SYN to the server, the server then returns a
SYN/ACK (to acknowledge receipt of the packet). The connection
between the client and server is now established and they can
communicate with each other. An SYN flood attacker sends numerous
connection requests to a server, from a false address. As a result, the
server is unable to respond and places the request in a queue awaiting a
SYN/ACK (acknowledgement frame from the false address). After several
minutes the server’s TCP sockets time out. If enough false requests are
made, the server’s pending connection queue will full up and it will be
unable to respond to requests even valid ones. If you allow outsiders to
access your system, perhaps to make a purchase order or have access to
corporate information, then this service can be denied if you fall victim to
an SYN flood attack. For an Internet service to be successful, it is
essential that it is reliable, nothing is more frustrating for the user than
endlessly trying to connect a site.

Any company operating an Internet service can be vulnerable to a SYN

flood attack, not just Internet service providers. Software patches to block
SYN attacks are available. According to Mitch Wagner at Computer world
"the ANS subsidiary of America Online, Inc., COAST and Sun
Microsystems, Inc. all have software patches designed to block the SYN
 attack." Therefore, one has to consider checking from the firewall or
Internet service providers if they offer protection from SYN attacks.

Measures to make e-commerce security safe

• Firewall

Mention Internet security and most people start talking about firewalls. Firewalls
aren't an Internet security cure-all, but they are essential to just about any
Internet security strategy. A firewall is simply a barrier between two networks--in
most cases an internal network, often called the trusted network, and an external
network, called the untrusted network (in this case, the Internet). Firewalls
examine incoming and outgoing packets according to a set of policies defined by
the administrator, either let them through or block them.

These days, most firewalls use one or more of three packet-screening methods.
Many routers use a firewall technique called packet filtering, which examines the
source and destination addresses and ports of incoming TCP and UDP packets
and denies or allows packets to enter based on a set of predefined rules. Packet
filters are inexpensive, are transparent to users, and have a negligible impact on
network performance. Configuring packet filtering, however, is a relatively
complex process. It usually requires precise knowledge of network, transport,
and sometimes even application protocols.

• Encryption

As offices and organizations have connected to the Net to provide service for
consumers, many have begun eyeing the Internet infrastructure as an
inexpensive vehicle for wide area and remote connections. To use the Internet
for these purposes, however, companies have to protect their information with
encryption. Encryption is simply the process of using a formula, called an
encryption algorithm, to translate plain text into an incomprehensible cipher text
and then back to plain text again. Essential to encryption is a numeric value
called the key that becomes part of the encryption algorithm, setting the
encryption process in motion.

Many different types of encryption algorithms are available, but in this paper only
the most widely used for e-commerce security, such as Cryptography - Public
and Private keys cryptography, DES, RSA, S/MIME, SET, SSL, and Digital
Signature will be discussed.
Protocols in security Standards

• The word protocol is derived from the Greek word “protocollon”

which means a leaf of paper glued to manuscript volume
• Protocol can be called as set of rules
• a communication language or set of standards between two or more
computing devices.
• Protocols exist at the several levels of the OSI (open system
interconnectivity) layers model

Protocols Properties

• Detection of the physical (wired or wireless connection)

• How to format a message.
• How to send and receive a message.
• Negotiation of the various connections
• Correction of the corrupted or improperly formatted messages.
• Termination of the session.

HTTP (Hyper Text Transfer Protocol)

• Hypertext transfer protocol is a method of transmitting the

information on the web.
• HTTP is a language that is used to communicate between the
browser and web server.
• The information that is transferred using HTTP can be plain text,
audio, video, images, and hypertext

POP3 (Post Office Protocol)

• In computing, e-mail clients such as (MS outlook, outlook express

and thunderbird) use Post office Protocol to retreive emails from
the remote server over the TCP/IP connection
• Most email applications use POP protocol to retrieve email.

SMTP (Simple Mail Transfer Protocol)

 • Simple Mail Transfer Protocol is a protocol that is used to send the
email messages between the servers
• Most email systems and email clients use the SMTP protocol to
send messages to one server to another.
• In configuring an email application, you need to configure POP,
SMTP and IMAP protocols in your email software.
• SMTP uses the by default TCP port number 25

FTP (File Transfer Protocol)

• FTP or file transfer protocol is used to transfer (upload/download)

data from one computer to another over the internet or through or
computer network
• FTP is a most commonly communication protocol for transferring
the files over the internet.
IP (Internet Protocol)

• An Internet protocol (IP) is a unique address or identifier of each

computer or communication devices on the network and internet
• Any participating computer networking device such as routers,
computers, printers, internet fax machines and switches may have
their own unique IP address.
• Every domain on the internet must have a unique or shared IP
address.

IMAP (Internet Message Access Protocol)

• IMAP is an application layer protocol that is used to access to

access the emails on the remote servers.
• POP3 and IMAP are the two most commonly used email retrieval
protocols.
• Most of the email clients such as outlook express, thunderbird and
MS outlooks support POP3 and IMAP.
• IMAP is generally used in the large networks.

UDP (user datagram Protocol)

• The user datagram protocol is a most important protocol of the

TCP/IP suite and is used to send the short messages known as
datagram.
• UDP is an unreliable connectionless protocol that operates on the
transport layer and it is sometimes called Universal Datagram
Protocol.