The secure internet application for business
education on the website
Sok Hwan Cho, Ph D.(KAIM, South Korea)
Sok Pal Cho, Ph. D.(Sungkyul University, South Korea)
The 85th SIEC/ISBE International Conference 2013 in Berlin,
Germany, August 5-9, 2013
Index
1. Network Concept
1.1 Network Component
1.2 Network Interconnection
1.3 Internet
1.4 Paradigm Shifts of B.E
2. Threats in Internets
2.1 Vulnerabilities of terminals on the Internet
2.2 Network Vulnerabilities
2.3 Preventing from external attackers
3. Secure Internet Application
3.1 Information Ambiguity (Ambiguousness)
3.2 Firewall or Demilitarized Zone
3.3 Secure Channels
4. Conclusion
-
1. Network
A network is the interconnection of a set of terminals
capable of communication. In this definition, a device can be a
host such as a large computer, desktop, laptop, workstation,
cellular phone, or security system. A terminal in this definition
can also be a connecting device such as a router a switch, a
modem that changes the form of data, and so on.
1.1 Network components
Five components on the website
1.3 The Internet
An internet is two or more networks that can
communicate with each other. It is composed of
thousands of interconnected networks.
Understanding about terminals.
The basic components of network>
1.4 Paradigm Shifts of education on the network
Teacher oriented education
learner oriented education
Distributed education,
Group education,
Community education,
Uniformed education
Individual ordered
education,
Lifelong education
Network
Off-line education : physical classroom education , On-line education : website education; distance learning, e-m-u-/learning
2. Threats of Internet
 a kind of threats;
–
–
–
–
–
–
–
–
Unauthorized access.
Malicious software; Virus, Worm, Trojan Code
Software failure.
Denial of service.
Modification by unauthorized person.
Calamity.
Interception by unauthorized person.
Etc.
Annoying learning activities
2.1 Vulnerabilities of Terminal on the Internet
Interception
(Theft)
Interruption
(Denial of Service)
Hardware
Modification
Fabrication
(Substitution)
Interruption
(Deletion)
Interception
Modification
Interruption
(Loss)
Software
data
Interception
Fabrication
Fabrication
Modification
2.3 Network Vulnerabilities1
Target
Vulnerability
Authentication -Impersonation
failures
-Eavesdropping
-Spoofing
-Session hijacking
Programming -Buffer overflow
flaws
-Addressing errors
-Parameter modification, time-of-check to time-ofuse errors
-Malicious active code: Java, Active
-Malicious code: virus, worm, Trojan horse
2.3.2 Network Vulnerabilities(Uncertain Message)
•
If A1 send a message to B3(A1 B3), it may be routed hosts
C or D. Host C may provide acceptable security, but not D.
Host C
Network A
Host A1
Network B
Host B3
Host D
Figure Uncertain Message Routing in a Network
2.3.4 Network Vulnerabilities(Impersonation)
 In
an impersonation(imitate), an attacker has several
choices:
Guess the identity and authentication details of the target.
 Pick up the identity and authentication details of the target
from a previous communication or from wiretapping.
 Circumvent or disable the authentication mechanism at the
target computer.
 Use a target that will not be authenticated.
 Use a target whose authentication data are known.

2.3.6 Network Vulnerabilities(Interception)
• A malicious middleman intercepts the response key and can
then eavesdrop on, or even decrypt, modify, and re-encrypt
any subsequent communications between two terminals.
Key Distributor
Malicious Interceptor
User 1
Figure Key Interception by a Man-in-the-Middle Attack
User 2
2.3.7 Network Vulnerabilities (Website vulnerabilities)
• Web Site Defacement(damage)
– One of the most widely known attacks is the web site
defacement attack.
– Web sites are designed so that their code is
downloaded, enabling an attacker to obtain the full
hypertext document and all programs directed to user
in the loading process.
– The download process essentially gives the attacker
the blueprints to the web site.
Hypertext:
2.3.8 Network Vulnerabilities(Denial of Service)
• Echo-Chargen (connection flooding)
– Chargen is a protocol that generates a stream of packets;
– The attackers sets up a Chargen process on host A, and if
host A sends a packet to destination host B, B reply to A
with echo packet;
– Namely host A produces a stream of packets
continuously to host B and host B reply to A, then A and
B puts in an endless loop.
send a stream of packet
echo packet
Host A
Set up “Chargen”
Host B
Endless loop
2.3.10 Distributed Denial of Service(DDoS)
To perpetrate a distributed denial-of-service(or DDoS)
attack, an attacker does two things.
① The attacker plants a Trojan horse on a target machine.
 That Trojan horse does not cause any harm to the target machine.
 The Trojan horse file may be named for a popular editor or entered into
the list of processes(daemons)activated at startup.
② The attacker repeats this process with many targets.
 Each of these target systems becomes what is know as a zombie.
 The target systems carry out their normal work, unaware of the resident
zombie.
Ref)Trojan horse에 대한 유래 설명
3.1.2 Cryptosystem
• Cryptosystem is a system for encryption and decryption.
plaintext encryption
ciphertext
Original
decryption plaintext
3.2.1 Introduction of I&A (Individual I&A)
• Individual I&A determines the individual learner or user
interacting with a process. In example is logging on a
computer as shown figure.
I&A
Which of the learner
that I know are you?
system
Individual identification and authentication
representation
3.2.2 I&A Procedure
• I&A service is requested by a using function, which has
the responsibility of passing information to the I&A
service to determine an identifier and authenticators.
Using
function
I&A
service
Request I&A service
I&A result
Permit
Learner,
User
Request ID, authenticator
Claimed ID, authenticator
Generic interaction model of I&A service
3.2.3 Type of I&A
• Three general strategies exist to satisfy I&A requirements:
automated I&A, physical I&A and procedural I&A.
- Physical and procedural I&A includes measures such as a
human guard reviewing ID badges, or a sign-in procedure.
- Automated I&A design encompasses computer-based
measures such as user IDs and password.
3.3 Protecting using a firewall or DMZ
B.E Web server
B.E DB
server
Cache
Attacker
Firewall or
DMZ
Memory
B.E
Application
Server
B.E
State
Server
3.3.1 Packet filter firewall

A packet filter firewall intercepts all traffic coming and going
from a port P and inspects its packets
- Data from coming or going to mistrusted address are rejected.
External
host
request
Packet request
filter
firewall
Internet
P Local host
3.4 Secure Internet Application for business
education
• Secure Channels; for sensitive communication across a
public network, create encrypted secure channels to
ensure that data remains confidential in transit.
• Demilitarized zone; separates the business
functionality and information from the Web servers.
• -Protection Reverse Proxy; protects the server
software at the level of the application protocol.
• Known partners; identify partner by Identification
and Authentication.
3.4.1 Secure Internet 1
E/D
E/D
E/D
I&A
with
E/D Learning
Contents
1st step: E/D: Encryption/Decryption
Users (Learner, Teachers, etc.)
2nd step: Firewall(Packet, Proxy, State full)
2nd step: I&A: Identification & Authentication
ISP: Information Service Provider
4. Conclusion
▣ Secure internet channel provides;
 Protecting user from attackers on the cyber space
 Better securing the e, m, u-learning systems that store,
process, or transmit the information of learning contents
 More learning opportunities
 Improving interactions.
 Improving higher quality
 Enabling well-informed LMS(Learning Management
System)