Securing Networked Applications with Cryptographic Segmentation
Date posted: 21-Dec-2015
Networked Applications
2
Networked Applications
There are many applications, such as:
Web-enabled database access
Internet e-mail
IP telephony for voice-data convergence
Each is important
3
Web-Enabled Database Access
Problem: The database is on a “database server” (a mainframe or a client/server server); these need proprietary client software or a terminal
Problem: Most users only have browsers
Solution: An application server (a webserver with intermediary software) mediates between the two
[Figure: user with browser, application server, database server]
4
Web-Enabled Database Access
Step 1: User types the URL of the data entry form
Step 2: Webserver application sends the form
Step 3: User types information into the form and hits Send; the browser puts the data in a request line:
GET /cgi-bin/bogo.exe?last=Lee&first=Pat
GET keyword
/cgi-bin is the absolute path to a directory holding an intermediary program, bogo.exe
Data is separated from the absolute path by ?
The last field contains the value Lee; the first field contains the value Pat
[Figure: user with browser sends the URL to the application server and gets the form back; database server]
5
Web-Enabled Database Access
Step 3: The application server's webserver software passes the form data to the intermediary program, Bogo.exe, on the webserver
[Figure: application server containing the webserver application software and the intermediary program (Bogo.exe)]
6
Web-Enabled Database Access
Step 4: Bogo.exe puts the data into a query in the database server's standard format and sends the query to the server
[Figure: application server (Bogo.exe) sends a standard query to the database server]
7
Web-Enabled Database Access
Step 5: The database server sends its response, in its standard format, to the intermediary program, Bogo.exe
[Figure: database server sends a standard response to the application server (Bogo.exe)]
8
Web-Enabled Database Access
Step 6: The application server's intermediary software (Bogo.exe) creates a new HTML webpage containing the response
[Figure: intermediary program (Bogo.exe) on the application server produces a webpage]
9
Web-Enabled Database Access
Step 7: The application server's intermediary software passes this webpage to the webserver application program
Step 8: The webserver application program passes the webpage to the browser
[Figure: intermediary program (Bogo.exe) passes the webpage to the webserver application software (step 7), which passes it to the user with browser (step 8)]
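A worked version of steps 3 to 6, added here as an example and not code from the original slides: it parses the request line shown above, turns the two fields into a query in the database server's own format and renders the response as an HTML page. The database is assumed to be an in-memory SQLite table named staff with an extension column (the slides do not name the database or its schema; both are constructed for the example).

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit


def parse_request_line(request_line: str) -> dict:
    """Step 3: split 'GET /cgi-bin/bogo.exe?last=Lee&first=Pat' into path and fields."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        raise ValueError("only GET request lines are handled here")
    url = urlsplit(parts[1])
    # parse_qs gives a list per field; keep the first value of each
    fields = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    return {"path": url.path, "fields": fields}


def build_query(fields: dict):
    """Step 4: translate the form fields into the database server's format (SQL here).

    The values are bound as parameters, so a quote character in a name
    such as O'Brien is data, not part of the query text."""
    sql = "SELECT last, first, extension FROM staff WHERE last = ? AND first = ?"
    return sql, (fields.get("last", ""), fields.get("first", ""))


def make_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the database server (hypothetical staff table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (last TEXT, first TEXT, extension TEXT)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)",
                     [("Lee", "Pat", "4411"), ("Lee", "Chris", "4412"),
                      ("O'Brien", "Pat", "4413")])
    return conn


def render_page(rows) -> str:
    """Step 6: wrap the standard response in a new HTML page for the browser.
    html.escape keeps response data from being read by the browser as markup."""
    items = "".join(f"<li>{html.escape(l)}, {html.escape(f)}: ext {html.escape(e)}</li>"
                    for l, f, e in rows)
    return f"<html><body><ul>{items}</ul></body></html>"


def bogo(request_line: str, conn: sqlite3.Connection) -> str:
    """The whole intermediary: request line in (step 3), HTML page out (step 6)."""
    req = parse_request_line(request_line)
    sql, params = build_query(req["fields"])
    rows = conn.execute(sql, params).fetchall()  # step 5: the standard response
    return render_page(rows)


if __name__ == "__main__":
    print(bogo("GET /cgi-bin/bogo.exe?last=Lee&first=Pat", make_demo_db()))
```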
10
Transparency
The browser does not know that it is dealing with a database server; it sends standard webserver commands and gets webpages back
The database server does not know it is dealing with a browser; it receives standard database server requests and sends standard database server responses
No changes are needed in the browser or database application software; the process is transparent to both the browser and the database server
11
Web-Enabled Database Access
CGI and Other Programs
The intermediary program (Bogo.exe) does the actual translation work
Webserver application programs have a standardized way of moving data to and from other programs: the Common Gateway Interface (CGI) standard
[Figure: webserver application program, intermediary program (Bogo.exe) reached via CGI, database application program]
12
Web-Enabled Database Access
CGI starts a new copy of the intermediary program every time the intermediary program is called
This is very slow; OK only for small applications
[Figure: webserver application program starting many copies of the intermediary program (Bogo.exe) via CGI; database application program]
13
Web-Enabled Database Access
Application Program Interfaces (APIs)
Database servers have proprietary ways of communicating with other application programs
The other application program sends an application program interface (API) call to the database program
Faster than CGI, but proprietary
Webserver applications do not support all database APIs
[Figure: webserver application program calls the database application program through an API]
14
Web-Enabled Database Access
Client-Side Processing
The webserver can download a webpage with a Java or ActiveX program
The client can then communicate directly with the database server
[Figure: webserver sends a webpage with a Java applet to the user with browser; subsequent interactions go directly to the database server]
15
Mainframes
Contain about 70% of corporate data from operations (accounting, payroll, billing, etc.)
Often the “database server” in web-enabled database applications
Dominated by IBM
Mainframe competitors build clones, called plug-compatible machines
16
Terminal-Host Communication
Traditionally, just a terminal, host, and transmission line
Poor response time
Poor user interface: sending graphics over a distance is expensive (and lines usually are slow)
Inadequate for production workers who use their terminals hours per day
17
Mainframe Communication
User site has multiple terminal users
3270 terminals: high speeds, some color, some graphics
[Figure: user site with 3270 terminals]
18
Mainframe Communication
Cluster Controller at User Site
Supports a cluster of terminals and printers
Provides limited on-screen text editing power to terminals
This elimination of text editing work allows the mainframe to focus on high-value database chores
[Figure: cluster controller providing limited text editing]
19
Mainframe Communication
Cluster Controller at User Site
Supports a cluster of terminals and printers
Provides limited on-screen text editing power to terminals
This also reduces response time because editing is done locally
[Figure: cluster controller providing limited text editing]
20
Mainframe Communication
Cluster Controller at User Site
Multiplexes transmissions of multiple terminals and printers to the central site
This reduces transmission costs, which are expensive for higher-speed long-distance links
[Figure: terminals A and B at the user site multiplexed over one long-distance line to the central site]
21
Mainframe Communication
Transmission Line
Long-distance lines are expensive per bit sent, but 3270 terminals need high speeds
Multiplexes terminal communication onto a 56 kbps, 1.544 Mbps or faster line to give high speed but keep cost reasonable
[Figure: long-distance line to the central site]
22
Mainframe Communication
Central Site Communications Controller
Handles multiplexing to reduce transmission cost
Handles detailed interactions with cluster controllers, freeing the mainframe to deal with database processing
23
Mainframe Communication
Mainframe
Handles high-value database work
Must be freed of low-value communications processing work to be economically efficient
24
Mainframe Communication
Reducing Response Time
Text editing work is done locally
Still delay for heavy database work on the mainframe
Reducing Transmission Costs
Multiplexing, and
Cluster controller provides limited local screen editing, so fewer bits need to be transmitted to and from the mainframe
25
Mainframe Communication
Reducing Work the Mainframe Needs to Do, so that it can Focus on High-Value Database Processing
Cluster controller handles most text-editing chores, freeing the mainframe from having to support this work, and
Communications controller handles details of communication with cluster controllers, freeing the mainframe from having to support this work
26
Application Servers
NOT part of mainframe communications
Can act as terminals or cluster controllers
Transparent to the mainframe: no need to do anything differently on the mainframe system
[Figure: application servers standing in for terminals or cluster controllers]
27
Mainframes
Use SNA Standards Architecture instead of TCP/IP
Not peer-to-peer control; master-slave control under a System Services Control Point (SSCP) program on a mainframe
The SSCP program governs all sessions among devices
28
Mainframes
SNA Standards Architecture
Like TCP/IP and OSI, uses layering
Uses OSI standards at the physical and data link layers
SNA Path Control layer is like the TCP/IP internet layer and the OSI network layer
SNA Transmission Control layer is like the OSI and TCP/IP transport layer
However, not peer-to-peer operation; master-slave operation under the control of the SSCP
29
Mainframes
SNA Standards Architecture
Highest layers are like OSI layers
Network Addressable Unit (NAU) Services layer is like the OSI session layer
Data Flow Control layer is like the OSI presentation layer
However, applications are not standardized within SNA; there is no SNA application layer
30
Mainframes
SNA NAUs
Communication takes place between network addressable units (NAUs)
Unit is a general name for a communicating entity
In networks, communicating entities must have addresses, so they are network addressable units
31
Mainframes
Logical Units
Deal directly with end users
Terminals are logical units!
Connection points on the mainframe (not the mainframe itself) deal with application programs, which are considered to be end users
[Figure: human user at a terminal; application behind an LU6 connection on the mainframe]
32
Mainframes
Physical Units
Do not deal directly with end users
Mainframe, communications controller, cluster controller
The path control network connects the cluster controller and the communications controller
[Figure: path control network between cluster controller and communications controller]
33
Mainframes
SSCP
Third type of NAU
Program located on the mainframe
In classic SNA, two other NAUs can only be connected under the control of the SSCP
34
Mainframes
SSCP
Third type of NAU
Program located on the mainframe
In classic SNA, two other NAUs can only be connected under the control of the SSCP
Versions of SNA
Classic SNA: all communication under the control of the SSCP
Advanced Peer-to-Peer Networking (APPN): newer; NAUs can connect directly
High-Performance Routing (HPR): classic SNA and APPN are difficult to route; HPR, newer still, improves routing
35
Mainframes
SNA and Router Networks
To link cluster controllers to the communications controller over routed networks:
Data Link Switching (DLSw) standard supports SNA transmission through routers
High-Performance Routing (HPR) is better
36
Mainframes
Mainframes and TCP/IP Networks
TN3270E: TN3270E servers communicate with the mainframe
Users have PCs with TN3270E client software that emulates 3270 terminals
[Figure: PC with TN3270E client, TCP/IP network, TN3270E server, mainframe]
37
Electronic Mail
Client Software and Mail Hosts
The client PC has e-mail client software that communicates with the user's mail host
Mail hosts deliver outgoing mail to other mail hosts
[Figure: PC with e-mail client, mail host, mail host, PC with e-mail client]
38
SMTP
Simple Mail Transfer Protocol (SMTP): the standard for mail host-to-mail host exchanges
The e-mail client often sends messages to the mail host via SMTP, but not always
[Figure: PC with e-mail client sends via SMTP to its mail host; SMTP between mail hosts]
39
SMTP Operation
For each message, the sending process:
Makes a connection
Gives the name of the sender (From) and gets OK
Gives the names of the receivers individually and gets OK for each separately
Asks to send the message, gets OK
Sends the message, gets confirmation
Closes the connection
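The exchange listed above with both sides' messages, added here as an example and not part of the original slides. The receiving side is a toy state machine that enforces the step order; the reply codes (220, 250, 354, 221, 503) are the standard SMTP ones, while the host names and addresses are constructed sample values.

```python
class ToySmtpServer:
    """Receiving side: one message per DATA; reply codes are the standard SMTP ones."""
    def __init__(self, hostname="mailhost.example"):
        self.hostname = hostname
        self.state = "connected"   # connected -> greeted -> mail -> rcpt -> data -> closed
        self.sender, self.recipients, self.delivered = None, [], []

    def greet(self) -> str:
        return f"220 {self.hostname} Simple Mail Transfer Service Ready"

    def command(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.state = "greeted"
            return f"250 {self.hostname}"
        if verb == "MAIL" and self.state == "greeted":          # sender, gets OK
            self.sender, self.state = arg.split(":", 1)[1].strip(), "mail"
            return "250 OK"
        if verb == "RCPT" and self.state in ("mail", "rcpt"):   # each receiver OK'd separately
            self.recipients.append(arg.split(":", 1)[1].strip())
            self.state = "rcpt"
            return "250 OK"
        if verb == "DATA" and self.state == "rcpt":              # asks to send the message
            self.state = "data"
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            self.state = "closed"
            return f"221 {self.hostname} closing connection"
        return "503 Bad sequence of commands"                     # a step out of order

    def message(self, body: str) -> str:
        """The message itself, sent after 354 and confirmed with 250."""
        if self.state != "data":
            return "503 Bad sequence of commands"
        self.delivered.append((self.sender, list(self.recipients), body))
        self.sender, self.recipients, self.state = None, [], "greeted"
        return "250 OK: message accepted"


def send_one_message(server, sender, recipients, body):
    """Sending side: walks the six steps and returns the two-way transcript."""
    log = ["S: " + server.greet()]                                # 1. connection
    def ask(cmd):
        log.extend(["C: " + cmd, "S: " + server.command(cmd)])
        if not log[-1].startswith(("S: 2", "S: 3")):              # stop on any refusal
            raise RuntimeError(log[-1])
    ask("HELO client.example")
    ask(f"MAIL FROM:<{sender}>")                                  # 2. sender
    for r in recipients:
        ask(f"RCPT TO:<{r}>")                                     # 3. each receiver
    ask("DATA")                                                   # 4. ask to send
    log += ["C: " + body, "C: .", "S: " + server.message(body)]   # 5. message, confirmation
    ask("QUIT")                                                   # 6. close
    return log
```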
40
Receiving and Sending E-Mail
The user's mail host stores incoming files in the user's mailbox; the user later retrieves them
The user also sends outgoing mail
[Figure: client PC receives mail from, and sends mail to, the mail host with the user's mailbox]
41
File Server Program Access E-Mail
Uses proprietary ways to send messages, get messages, and in other ways interact with the mail host
Can be used only on LANs; cannot be used over the Internet
[Figure: PC with FSPA e-mail program on a LAN]
42
POP Clients
POP (Post Office Protocol) is the most popular standard for mail downloading
Download messages all at once or selectively
Send outgoing messages via SMTP
Works via the Internet
[Figure: PC with Internet e-mail client uses POP to download from, and SMTP to send to, its mail host; SMTP between mail hosts]
43
POP Operation
Several client-mail host interactions are needed to download new mail:
Log into the mail host
Can ask how many new messages there are and how long they are
Can download all or download one at a time; if downloading one at a time, can decide based on length
Can delete messages on the host after downloading
Close the session
44
IMAP Clients
IMAP (Internet Message Access Protocol), but not as widely supported as POP
Send outgoing messages via SMTP
Works via the Internet
More sophisticated than POP: can do more on the mail server's mailbox than download and delete messages; can fully manage the mailbox
[Figure: PC with Internet e-mail client uses IMAP with its mail host and SMTP to send; SMTP between mail hosts]
45
Browser Clients (Web-Based E-Mail)
Client is a browser; mail host is a webserver
Mail host sends HTML pages to the client
User types messages and retrieval data in forms and sends them back
All communication is via HTTP
[Figure: PC with browser, HTTP to the webserver mail host, SMTP to the other mail host]
46
Telnet Clients
Some mail hosts support Telnet
Telnet client on the PC emulates a simple terminal: no color or graphics, monospaced text
Sometimes the only way to interact with a mail host
[Figure: PC with Telnet client, Telnet to the mail host supporting Telnet, SMTP to the other mail host]
47
Recap on Internet E-Mail Transmission
Communication between mail hosts: SMTP
Communication from client to its mail host: SMTP, proprietary file server program access on LANs, HTTP, Telnet
48
Recap on Internet E-Mail Transmission
Communication to client from its mail host to deliver messages: POP or IMAP, proprietary file server program access on LANs, HTTP, Telnet
49
Message Structure Standards
RFC 822: text-only message bodies
MIME: multimedia message bodies and headers; not widely used for bodies or headers
HTML bodies: becoming common; not well standardized, limited interoperability between mail clients
50
Attachments
Send a message and attach a file (word processing document, spreadsheet, graphic, etc.)
E-mail can be a file delivery mechanism
Viruses
Attachments may contain viruses
Even messages without attachments may contain viruses today
Virus scanning before opening is critical
51
Attachments
Problem
Attached files use all 8 bits of each byte; called binary data
On the Internet, can only use the first seven bits; called 7-bit ASCII
In Internet transmission, the 7th bit may be truncated if a binary file is sent
[Figure: binary 1010101010101010 arrives over the Internet as x1010101x1010101]
52
Attachments
Internet Encoding
Files must be Internet encoded before transmission to travel over the Internet using only the first 7 bits in each byte
At the receiving end, files must be Internet decoded so that applications can read them
[Figure: binary 1010101010101010, Internet encoding, Internet transmission as x1010101x1010101, Internet decoding back to binary 1010101010101010]
53
Attachments
Internet Encoding Standards
Communicating mail clients must use the same Internet encoding standard to encode and decode
MIME: several versions of MIME exist; basic MIME is almost universally supported by e-mail clients today
Binhex is commonly used on Macintoshes
UUENCODE is common in UNIX
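The 7-bit problem and the encode/transmit/decode cycle from the last three slides, worked through in code; this is an added example, not material from the original slides. The 7-bit link is a constructed stand-in for an old mail path that drops the high bit of every byte, and the two standards shown are base64 (the transfer encoding of basic MIME) and UUENCODE; Binhex is not covered.

```python
import base64
import binascii


def seven_bit_link(data: bytes) -> bytes:
    """Constructed stand-in for a 7-bit mail path: the high bit of every byte
    is dropped, which is the x1010101 pattern on the slide."""
    return bytes(b & 0x7F for b in data)


def survives(data: bytes) -> bool:
    """True when the data already uses only 7 bits per byte (7-bit ASCII)."""
    return seven_bit_link(data) == data


def internet_encode(binary: bytes, scheme: str) -> bytes:
    """Internet encoding: 8-bit binary -> 7-bit text (base64 as in basic MIME,
    or UUENCODE as on UNIX; b2a_uu takes at most 45 bytes per line)."""
    if scheme == "base64":
        return base64.b64encode(binary)
    if scheme == "uuencode":
        return b"".join(binascii.b2a_uu(binary[i:i + 45]) for i in range(0, len(binary), 45))
    raise ValueError(f"unknown encoding standard: {scheme}")


def internet_decode(text: bytes, scheme: str) -> bytes:
    """Internet decoding at the receiving end, using the same standard."""
    if scheme == "base64":
        return base64.b64decode(text)
    if scheme == "uuencode":
        return b"".join(binascii.a2b_uu(line) for line in text.splitlines(keepends=True))
    raise ValueError(f"unknown encoding standard: {scheme}")


def send_attachment(binary: bytes, scheme=None) -> bytes:
    """What the receiver ends up with: raw binary straight over the link when
    scheme is None, otherwise encode -> transmit -> decode."""
    if scheme is None:
        return seven_bit_link(binary)
    return internet_decode(seven_bit_link(internet_encode(binary, scheme)), scheme)


def decodes_correctly(binary: bytes, encode_scheme: str, decode_scheme: str) -> bool:
    """Both clients must agree on the standard: decoding with the other one
    either raises (binascii.Error is a ValueError) or yields different bytes."""
    try:
        text = seven_bit_link(internet_encode(binary, encode_scheme))
        return internet_decode(text, decode_scheme) == binary
    except ValueError:
        return False
```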
54
Attachments
E-mail users should negotiate before sending an attachment: the Internet encoding standard they will use and the application file format they will use
If same application program and version, fine
If same application program and different versions, send in the format of the older version
If different application programs, send in a format and version the other can import
55
E-Mail Standards Recap
Transmission standards: sending messages (SMTP, etc.); receiving messages (POP, IMAP, etc.)
Message structure standards: message header and body (RFC 822, MIME, HTML); attachments: common Internet encoding standard; attachments: common application file format
56
IP Telephony
Voice-Data Convergence
What is IP telephony? Transmit telephone conversations in IP packets sent over the Internet or another network, such as Ethernet, Frame Relay, or ATM carrying IP packets
Digitize the outgoing voice signal
Packetize (place in packets) and send over IP packet-switched networks
Reverse at the other end
57
Why IP Telephony? Save Money
Digitizing Voice More Efficiently
The current telephone system also digitizes voice for internal digital communication within the telephone network
The current telephone system generates a stream of 64 kbps, then steals 8 kbps for signaling, leaving 56 kbps
This is a lot of bits to move per second on expensive long-distance and international lines
With newer technology, IP telephony digitizes voice to between 12 kbps and 16 kbps with good quality
Fewer bits to send means lower transmission cost
58
Why IP Telephony?
Packet-Switched Network Delivery
Traditional telephony is circuit-switched: charged for 56 kbps channels whether you use them or not
Packet switching multiplexes transmissions: only pay for capacity actually used
Voice-Data Convergence
Corporations now have separate networks for voice and data
This is expensive in terms of staffing labor and technical charges
Voice-data convergence: use one network (IP) for both
Reduces staff and technical costs
59
Why IP Telephony?
Save Money: Recap
Efficient digitization to send less than 8 kbps
Multiplexing on packet-switched networks; the Internet connection is already in place
Voice-data convergence reduces staff and other costs
60
Problem of Latency
Packet-switched networks often have latency (delay)
Latency is bad for voice conversations
At a latency of 200 milliseconds (ms), conversation is difficult because of turn-taking awkwardness
At a latency of 500 ms, conversation is impossible
Variable latency from one packet to the next makes voice sound jittery (jitter)
61
Reducing Latency
The problem is the Internet backbone: it often has high latency
ISPs have lower latency internally; they may offer service level agreements (SLAs) for latency
[Figure: site, ISP (usually low latency), Internet backbone (often high latency), ISP, site]
62
Reducing Latency
Solution: connect all corporate sites to a single ISP
Possible because some ISPs have access points in many places around the country or even around the world
Or connect all corporate sites to a single packet-switched PSDN
Packet-switched PSDNs also have low latency and SLAs
[Figure: sites connected through one ISP or PSDN with an SLA for low latency]
63
IP Telephony Standards
Based on the H.323 videoconferencing standard from ITU-T, for videoconferencing over the Internet or other IP networks
IETF and ITU-T have agreed to work together on IP telephony standards