Oracle Security
By William Heney, Marlene Theriault
Chapter 16.  Using the Internet and the Web


16.1 Web Basics

There are many reasons why more and more businesses and government agencies are joining the ranks of those who have (and provide access to information through) web sites. The major reason to host a web site is to improve communication between employees (through an intranet) or between your company and potential, current, or past customers (through the Internet). The ease of reaching a large number of people with minimum expense is very appealing. The Internet enables small businesses with very limited funds to reach larger audiences of potential customers easily. Large companies can also benefit from the high Internet traffic.

Let's look at some services you and your company might provide via the Internet or an intranet:

  • Help desks and technical support

  • Educational opportunities and computer-based training

  • Sales and unique services

  • Public announcements and government policies

  • Publication of reports and scientific data

Some government agencies are even using the Internet to provide employees with notification of "suspense" dates, the dates when specific information is due to be delivered to one or more organizations. The volume of topics on which you can find information on the Internet is almost limitless.

Here's an interesting excerpt from Volume 7 (May 1998) of the Netscape Netcenter News, "Netscape.htm," an electronic information document sent out, free of charge, by Netscape Communications Corporation:

"Thanks to everyone who took last month's small-business survey! Here is what you told us:

  • 50 percent of you buy products online

  • 28 percent of you sell products online

  • 44 percent of you have a web page or home page for your company, while 56 percent have yet to make one"

The statistics cited from the Netcenter News indicate that, in just the few years since the World Wide Web originated, at least one-half of the people who use the Internet and web technology have really begun to feel comfortable with the idea of conducting business online, both as buyers and as sellers. This confidence indicates that the public believes the information they supply to vendors, such as credit card numbers and personal data, will be kept safe and secure. Are they right, or are they just naive about the risks involved in placing highly sensitive information on the Internet? We think a lot of the confidence is currently unfounded.

16.1.1 About Networking

Many DBAs have managed to escape the need to learn or understand much about how a network is put together. You receive software from Oracle with documentation that tells you to install the code and configure some files. Once the installation and configuration tasks are completed, you try to start a process called the SQL*Net Listener so that you and your users can communicate with the database from a client machine. As you get more skilled with doing the configuration tasks, you are more successful at getting a listener process up and running quickly.

You may be aware that in later versions of Oracle, there is a second listener process called a bequeath adapter, which helps you connect to the database directly from an operating system account when you are not using the SQL*Net listener. You might know about the underlying network protocol, usually TCP/IP, that you are running to support your listener processes and your SQL*Net traffic. (Chapter 8 contains a brief discussion of SQL*Net and security.)

From there, things may get a bit fuzzy. You may hear buzzwords about things like routers, gateways, bridges, and bandwidth, and have a less-than-clear understanding of what they are. To ensure that we are all "singing from the same page," the following sections give an overview of some basic Internet and web concepts. These sections explain (in the simplest terms) how a basic network functions and supply some of the terminology that will help you understand how the Internet and web sites work. Consult some of the references in Appendix A for more technical information.

16.1.1.1 LANs and WANs

If you connect a group of computers together both logically (with identifying names) and physically (with cables or fiber optic lines) in order to exchange information, you have created a computer network. If the computers within the network are connected to each other within a short distance (say, a few hundred meters), the network is called a Local Area Network, or LAN. On the other hand, if the computers are separated by a substantial distance (several to hundreds of miles), the network is said to be a Wide Area Network, or WAN. The Internet is composed of many computer networks. We'll look more closely at the terms Internet and intranet in a moment. For now, let's look at how information is moved over the network from one computer to another.

16.1.1.2 Moving data around a network

If you were going to design a mechanism to move data from one computer to another, what would your approach be? Realizing that there is a finite amount of information which can flow through a network cable at a time, what would be the best way to enable many people to move data at the same time? You would realize very quickly that if one user were moving a really large file as one complete transaction, no one else would be able to interact with that network line until the file had been completely moved. If the computer receiving the file had a limit on how much data could be received, the file transfer might fail before completion. The approach that makes the most sense would be to break the transmission into many small pieces and send each of the pieces separately. Many people could send information at the same time since there would be room for many pieces to travel across a network at once. If each piece of data contained information about its name and sequence number, the receiving computer could easily reorganize the pieces into their original order.

When you write an electronic mail (email) message and press the "send" button, your email software takes your message and breaks it into many small pieces called packets. At the beginning of each packet, there is information, called header data, which tells the receiving software how to put the packets back together again in their proper order so that the message you sent will be readable by the person who receives it. The standard used to describe how the messages will be divided up and reassembled is called the Internet Protocol (IP). There are two basic types of protocols which are used to transport information over a network:

  • Those that send information in streams: for example, TCP/IP (Transmission Control Protocol/Internet Protocol)

  • Those that send information in a series of packets: for example, UDP (User Datagram Protocol)
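The packetization idea described above (split a message into pieces, tag each piece with a header carrying the message's identity and a sequence number, and let the receiver put the pieces back in order) can be shown in a few dozen lines. The following is an added illustration, not code from the book or from any real protocol stack: the header layout, the toy `Reassembler`, and the simulated network that reorders and drops packets are all constructed for this example. It also shows the failure mode the text mentions, a transfer that never completes because a piece is missing, which the receiver can report rather than silently returning a corrupt message.

```python
from __future__ import annotations

import random
import struct

# Constructed header: message id, sequence number, total packet count,
# all 16-bit unsigned in network byte order. Real IP/TCP/UDP headers differ;
# this is only an illustration of the "name plus sequence number" idea.
HEADER = struct.Struct("!HHH")
MAX_PAYLOAD = 16  # artificially small so a short message becomes several packets


def packetize(message_id: int, data: bytes, max_payload: int = MAX_PAYLOAD) -> list[bytes]:
    """Split data into packets, each prefixed with (message_id, seq, total)."""
    if not data:
        raise ValueError("nothing to send")
    chunks = [data[i:i + max_payload] for i in range(0, len(data), max_payload)]
    total = len(chunks)
    return [HEADER.pack(message_id, seq, total) + chunk for seq, chunk in enumerate(chunks)]


def parse_packet(packet: bytes) -> tuple[int, int, int, bytes]:
    """Return (message_id, seq, total, payload); reject packets too short for a header."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated packet")
    message_id, seq, total = HEADER.unpack_from(packet)
    return message_id, seq, total, packet[HEADER.size:]


class Reassembler:
    """Collects packets per message id, ignores duplicates, and rebuilds the
    message only once every sequence number has arrived."""

    def __init__(self) -> None:
        self.buffers: dict[int, dict[int, bytes]] = {}
        self.totals: dict[int, int] = {}

    def receive(self, packet: bytes) -> bytes | None:
        """Absorb one packet; return the whole message when it is complete, else None."""
        message_id, seq, total, payload = parse_packet(packet)
        if seq >= total:
            raise ValueError(f"sequence number {seq} outside 0..{total - 1}")
        buf = self.buffers.setdefault(message_id, {})
        self.totals.setdefault(message_id, total)
        buf.setdefault(seq, payload)  # a duplicate delivery does not overwrite the first copy
        if len(buf) == self.totals[message_id]:
            data = b"".join(buf[i] for i in range(total))
            del self.buffers[message_id], self.totals[message_id]
            return data
        return None

    def missing(self, message_id: int) -> list[int]:
        """Sequence numbers still outstanding for a partially received message."""
        if message_id not in self.totals:
            return []
        return [i for i in range(self.totals[message_id]) if i not in self.buffers[message_id]]


def simulate(data: bytes, seed: int = 1, drop_seq: int | None = None) -> tuple[bytes | None, list[int]]:
    """Send data through a pretend network that reorders packets and, optionally,
    loses the packet with sequence number drop_seq. Returns (message or None, gaps)."""
    message_id = 7  # constructed id for this one transfer
    packets = packetize(message_id, data)
    random.Random(seed).shuffle(packets)  # out-of-order delivery
    receiver = Reassembler()
    result = None
    for packet in packets:
        _, seq, _, _ = parse_packet(packet)
        if seq == drop_seq:
            continue  # the network lost this piece
        out = receiver.receive(packet)
        if out is not None:
            result = out
    return result, receiver.missing(message_id)


if __name__ == "__main__":
    text = b"The quick brown fox jumps over the lazy dog"
    print(simulate(text))               # message reassembled, no gaps
    print(simulate(text, drop_seq=1))   # None, with [1] reported as missing
```

Because the receiver only accepts a packet whose sequence number falls inside the announced total and never lets a later duplicate overwrite an earlier copy, the two conditions a receiver has to defend against (pieces arriving twice, pieces arriving out of order) are handled explicitly; a lost piece is surfaced through `missing()` so the caller can request retransmission or abandon the transfer, which is the behaviour stream protocols such as TCP provide and datagram protocols such as UDP leave to the application.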

16.1.1.3 Internet and intranet terminology

The word Internet is derived from the words "interconnect" and "network" and is a worldwide conglomerate of computer networks. No one person or organization owns the Internet; it's a cooperative interconnection of computers around the world with many different types of computers and different technologies. If the Internet is made up of so many diverse computers, how do they all talk to one another? The problem of interconnecting all of the diverse computers to form one network is overcome by using a common communications protocol: TCP/IP. By establishing a standard and ensuring that every organization that wants to participate in the network follows that standard, the dream of being able to communicate with someone you've never met, who lives thousands of miles away from you, has become a reality.

The basic technology of the World Wide Web was developed in 1990 by Tim Berners-Lee while he was at the European Laboratory for Particle Science (CERN) in Switzerland. The web is essentially the combination of an authoring language, a distribution system, and a web browser; the first browser, Mosaic, originated at the National Center for Supercomputing Applications (NCSA) at the University of Illinois, Urbana-Champaign.

A web server may be a computer that contains web pages. A web server may also be a program that receives and forwards information or fulfills requests for data. A web server may also:

  • Run programs to act as an electronic mail server or news server

  • Support downloadable files (act as an FTP, or File Transfer Protocol, site)

  • Support database query facilities

The term intranet is used to describe an internal, corporate network that uses web technologies such as web servers and browsers to provide company employees with easy access to internal data among departments. Web browsers are available for most of the platforms a company might use. Thus, development of web applications can be done on a much more cost-effective basis since the applications do not need to be ported from one platform to another. The information you need can be located in a room down the hall, or across the country, or halfway around the world; you won't care or need to know the data's physical location. Unlike the Internet, which is not owned by a single person or organization, an intranet is owned by the corporation that creates and supports it. An intranet is not usually available for access by people outside of the business which owns it.

The term HTTP is short for HyperText Transport Protocol. HTTP is a set of rules and standards. Client programs use HTTP to read hypertext files on host computers. Along the same lines, the term HTML (HyperText Markup Language) is used to describe the authoring language that lets you connect to web sites and communicate with them.

A cookie is a block of ASCII text used to keep track of a web user's preferences. A cookie can either be stored in a user's web browser memory or, in the case of persistent cookies, on a user's disk. Although cookies were originally used to help track a user through several HTTP requests, cookies are sometimes used to help validate a user's identity to a web site. We'll discuss cookies further in the "Cookies" section later in this chapter.

The term firewall is generally used to describe a hardware and/or software system used to implement and enforce a security policy between two networks. The firewall software selectively forwards information to one or the other of the networks. A firewall may require that users authenticate themselves through the use of a certificate of authority, through an electronically-generated passcode, or possibly through the use of biometrics like fingerprints or retinal scans. We discuss firewalls further in the "Firewalls" section later on.

The World Wide Web is made up of intelligent servers, sometimes called HTTP servers, which perform several different functions:

  • Receive, forward, and process information and requests from client machines

  • Store vast amounts of information

  • Protect information from being accessed by unauthorized users

  • Are aware of information stored on other servers

  • Log network activity

Several forms of software are used to aid in making information available. HTML, Simple Mail Transfer Protocol (SMTP), web browsers, and other Internet standards are used to enable you to access and transfer data. Because of the potential security advantages offered by the Java language (described in the next section), more and more companies are implementing their applications in Java applets. (Applets are mini-applications, typically designed to be run by a web browser.)

16.1.1.4 The Java language and security

Java is similar to C++ and is an object-oriented language. One of the major advantages of using Java is that, instead of being compiled for a specific computer operating system, Java is compiled into machine-independent bytecode. After a Java program is compiled, the bytecode is downloaded to an operating system that has a Java Class Loader. The loader is used to load the bytecode into the computer's memory. A Java Virtual Machine is used to run the bytecode. The bytecode can be run either directly from the operating system using an interpreter or from inside a web browser using a just-in-time compiler to convert the bytecode to the native machine code for that particular computer.

One of the major security advantages of using the Java language is that restraints have been placed on what a downloaded Java program can do. Since Java programs run in a virtual machine, they cannot directly manipulate a computer's hardware. So, if you download a Java applet from the Internet, you will not have to worry that the code you download will run a program that will reformat your hard drive or erase files from one of your directories. Java applets are prohibited from making calls to a computer's operating system and are run with limited system privileges. You won't have to worry about a Java applet running a program and giving itself enough system privileges to damage your system. Java applets are not allowed to read the contents of a file or directory on a client machine and cannot make calls to the computer from which the applet was downloaded. Since they can't read the contents of files on your system and can't make calls back to their parent machine, you don't have to worry that a Java applet is reporting back sensitive information to whoever owns the web site from which you got the Java program you are running.

The way these applet rules are enforced is through the use of an object-oriented class called the Security Manager. The Security Manager class is called before any potentially dangerous operation is executed. The Security Manager class then determines whether or not the operation should be permitted to execute. To ensure that a program is not attempting to tamper with or redefine the Security Manager class, the Class Loader is used to examine each class which is being used.

In early 1998, Larry Ellison, cofounder and Chief Executive Officer of Oracle Corporation, stated that Oracle software is going to become completely Java-based. More and more of the current Oracle code is being delivered as Java applets. In fact, almost the entire Oracle Enterprise Manager toolset (described in Chapter 13) is written using Java applets.
