Saturday, November 7, 2009

16.1 Web Basics


There are many reasons why more and more businesses
and government agencies are joining the ranks of those who have (and
provide access to information through) web sites. The major reason to host
a web site is to improve communication between employees (through an
intranet) or between your company and potential, current, or past
customers (through the Internet). The ease of reaching a large number of
people with minimum expense is very appealing. The Internet enables small
businesses with very limited funds to reach larger audiences of potential
customers easily. Large companies can also benefit from the high Internet
traffic.


Let's look at some services you and your company might provide via the
Internet or an intranet:




  • Help desks and technical support



  • Educational opportunities and computer-based training



  • Sales and unique services



  • Public announcements and government policies



  • Publication of reports and scientific data


Some government agencies are even using the Internet to provide
employees with notification of "suspense" dates — dates when specific
information is due to be delivered to one or more organizations. The
volume of topics on which you can find information on the Internet is
almost limitless.


Here's an interesting excerpt from Volume 7 — May, 1998 Netscape
Netcenter News, "Netscape.htm," an electronic, information document sent
out, free of charge, by Netscape Communications Corporation:


"Thanks to everyone who took last month's small-business survey! Here
is what you told us:




  • 50 percent of you buy products online



  • 28 percent of you sell products online



  • 44 percent of you have a web page or home page for your company,
    while 56 percent have yet to make one"


The statistics cited from the Netcenter News indicate that, in just the
few years since the World Wide Web originated, at least one-half of the
people who use the Internet and web technology have really begun to feel
comfortable with the idea of conducting business online — both as buyers
and as sellers. This confidence indicates that the public believes the
information they supply to vendors, such as credit card numbers and
personal data, will be kept safe and secure. Are they right or are they
just naïve about the risks involved in placing highly sensitive
information on the Internet? We think a lot of the confidence is currently
unfounded.


16.1.1 About Networking


Many DBAs have managed to escape the need to learn
or understand much about how a network is put together. You receive
software from Oracle with documentation that tells you to install the code
and configure some files. Once the installation and configuration tasks
are completed, you try to start a process called the SQL*Net
Listener
so that you and your users can communicate with the database
from a client machine. As you get more skilled with doing the
configuration tasks, you are more successful at getting a listener process
up and running quickly.


You may also know that, in later versions of Oracle, a local connection can
bypass the listener altogether: the bequeath adapter spawns a dedicated
server process directly for a client that runs on the same machine as the
database, so an operating system account there can connect without going
through the SQL*Net listener. You might know about the underlying network
protocol, usually TCP/IP, that carries your listener traffic and your
SQL*Net sessions. (Chapter 8 contains a brief discussion of SQL*Net and
security.)


From there, things may get a bit fuzzy. You may hear buzzwords about
things like routers, gateways, bridges, and bandwidth, and have a
less-than-clear understanding of what they are. To ensure that we are all
"singing from the same page," the following sections give an overview of
some basic Internet and web concepts. These sections explain (in the
simplest terms) how a basic network functions and supply some of the
terminology that will help you understand how the Internet and web sites
work. Consult some of the references in Appendix
A for more technical information.


16.1.1.1 LANs and WANs

If you connect a group of computers together — both
logically (with identifying names) and physically (with cables or fiber
optic lines) — in order to exchange information, you have created a
computer network. If the computers within the network are connected
to each other within a short distance (say, a few hundred meters), the
network is called a Local Area Network, or LAN. On the other hand,
if the computers are separated by a substantial distance (several to
hundreds of miles), the network is said to be a Wide Area Network,
or WAN. The Internet is composed of many computer networks. We'll look
more closely at the terms Internet and intranet in a moment. For now,
let's look at how information is moved over the network from one computer
to another.


16.1.1.2 Moving data around a network

If you were going to design a mechanism to move
data from one computer to another, what would your approach be? Realizing
that there is a finite amount of information which can flow through a
network cable at a time, what would be the best way to enable many people
to move data at the same time? You would realize very quickly that if one
user were moving a really large file as one complete transaction, no one
else would be able to interact with that network line until the file had
been completely moved. If the computer receiving the file had a limit on
how much data could be received, the file transfer might fail before
completion. The approach that makes the most sense would be to break the
transmission into many small pieces and send each of the pieces
separately. Many people could send information at the same time since
there would be room for many pieces to travel across a network at once. If
each piece of data contained information about its name and sequence
number, the receiving computer could easily reorganize the pieces into
their original order.


When you write an electronic mail (email) message and press the "send"
button, the networking software on your computer takes your message and
breaks it into many small pieces called packets. At the beginning of each
packet is header data: the addresses of the sending and receiving machines
and a sequence number that tells the receiving software how to put the
packets back together in their proper order, so that the message you sent
is readable by the person who receives it. The Internet Protocol (IP) is
the standard that defines how packets are addressed and routed from one
network to another. Above IP sit two transport protocols, and they differ
in what they promise the application:


  • TCP (Transmission Control Protocol) presents the data as a reliable,
    ordered stream. It numbers every byte, acknowledges what arrives,
    retransmits what is lost, and discards duplicates; email, file
    transfers, and web traffic use it.

  • UDP (User Datagram Protocol) sends each packet (a datagram) on its
    own, with no ordering, acknowledgment, or retransmission. It is
    cheaper, and the application must cope with loss and reordering
    itself.
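The following is an added example, not code from the original text, that works through the segmentation and reassembly just described. A constructed message is split into numbered segments, a constructed "network" (a shuffled list) delivers them out of order with one duplicate and one loss, and a TCP-style receiver reorders them, discards the duplicate, and names the byte range it must have resent, while a UDP-style receiver simply takes what arrived in the order it arrived.

```python
"""Segmentation and reassembly as described above. This is an added example,
not code from the original text: a message is split into numbered segments,
the 'network' (a shuffled list, constructed here) reorders them, duplicates
one and drops one, and a TCP-style receiver reorders, de-duplicates and names
the gap it needs resent, while a UDP-style receiver just takes what arrived."""
from __future__ import annotations
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # offset of payload[0] within the message (TCP numbers bytes, not packets)
    total: int      # length of the whole message, so the receiver knows when it has everything
    payload: bytes


def segment(message: bytes, mss: int) -> list[Segment]:
    """Split message into segments of at most mss bytes, each stamped with its offset."""
    return [Segment(off, len(message), message[off:off + mss])
            for off in range(0, len(message), mss)]


def unreliable_network(segments: list[Segment], rng: random.Random,
                       lose: int | None = None) -> list[Segment]:
    """Constructed channel: drops the segment at index `lose`, duplicates the
    first segment and delivers everything in random order."""
    delivered = [s for i, s in enumerate(segments) if i != lose]
    delivered.append(segments[0])
    rng.shuffle(delivered)
    return delivered


def tcp_reassemble(received: list[Segment]) -> tuple[bytes, list[tuple[int, int]]]:
    """Reorder by offset, drop duplicates and locate gaps.
    Returns (in-order data deliverable to the application so far,
             list of (start, end) byte ranges the sender must retransmit)."""
    total = received[0].total
    by_seq: dict[int, bytes] = {}
    for s in received:
        by_seq.setdefault(s.seq, s.payload)      # duplicate: keep the first copy
    delivered, pos, missing = bytearray(), 0, []
    while pos < total:
        if pos in by_seq:
            if not missing:                      # data after a gap stays buffered
                delivered += by_seq[pos]
            pos += len(by_seq[pos])
        else:
            later = [q for q in by_seq if q > pos]
            end = min(later) if later else total
            missing.append((pos, end))
            pos = end
    return bytes(delivered), missing


def udp_reassemble(received: list[Segment]) -> bytes:
    """UDP hands datagrams up as they arrive: no ordering, no loss detection."""
    return b"".join(s.payload for s in received)


# Constructed sample message (74 bytes).
MESSAGE = (b"Subject: quarterly numbers\r\n\r\n"
           b"The attached spreadsheet is confidential.\r\n")


def demo(seed: int = 7, mss: int = 16, lose: int = 2) -> dict:
    rng = random.Random(seed)
    segs = segment(MESSAGE, mss)
    arrived = unreliable_network(segs, rng, lose=lose)
    data, gaps = tcp_reassemble(arrived)
    # The sender retransmits exactly the ranges the receiver reported.
    resend = [s for s in segs if any(a <= s.seq < b for a, b in gaps)]
    data2, gaps2 = tcp_reassemble(arrived + resend)
    return {"tcp_before_resend": data, "gaps": gaps,
            "tcp_after_resend": data2, "gaps_after": gaps2,
            "udp": udp_reassemble(arrived)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run as a script it prints the data the TCP-style receiver could hand to the application before the retransmission (only the bytes before the gap), the gap itself, the complete message after the resend, and the scrambled, incomplete byte string a UDP receiver would have to make sense of on its own.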


16.1.1.3 Internet and intranet terminology

The word Internet is a contraction of "interconnected networks"; the
Internet is a worldwide conglomerate of computer
networks. No one person or organization owns the Internet; it's a
cooperative interconnection of computers around the world with many
different types of computers and different technologies. If the Internet
is made up of so many diverse computers, how do they all talk to one
another? The problem of interconnecting all of the diverse computers to
form one network is overcome by using a common communications protocol —
TCP/IP. By establishing a standard and ensuring that every organization
that wants to participate in the network follows that standard, the dream
of being able to communicate with someone you've never met, who lives
thousands of miles away from you, has become a reality.


The basic technology of the World Wide Web was developed in 1989-1990 by Tim
Berners-Lee while he was at CERN, the European particle physics laboratory
near Geneva, Switzerland. The web is essentially the combination of an
authoring language (HTML), a distribution system (HTTP servers), and a web
browser. Berners-Lee wrote the first browser himself; the first graphical
browser to reach a wide audience, Mosaic, originated in 1993 at the National
Center for Supercomputing Applications (NCSA) at the University of Illinois,
Urbana-Champaign.


A web server may be a computer that contains
web pages. A web server may also be a program that receives and forwards
information or fulfills requests for data. A web server may also:




  • Run programs to act as an electronic mail server or news server



  • Support downloadable files (act as an FTP, or File Transfer Protocol,
    site)



  • Support database query facilities


The term intranet is used to describe an
internal, corporate network that uses web technologies such as web servers
and browsers to provide company employees with easy access to internal
data among departments. Web browsers are available for most of the
platforms a company might use. Thus, development of web applications can
be done on a much more cost-effective basis since the applications do not
need to be ported from one platform to another. The information you need
can be located in a room down the hall or across the country or halfway
around the world — you won't care or need to know the data's physical
location. Unlike the Internet, which is not owned by a single person or
organization, an intranet is owned by the corporation that creates and
supports it. An intranet is not usually available for access by people
outside of the business which owns it.


The term HTTP is short for HyperText Transfer Protocol. HTTP is the set of
rules by which a client program (a browser) asks a host computer for a
hypertext document and the host answers: the client sends a request line
(a method such as GET and the path of the document it wants) followed by a
set of headers, and the server replies with a status line, its own headers,
and the document. Along the same lines, HTML (HyperText Markup Language) is
the authoring language in which those documents are written; it marks up
text with headings, images, forms, and the links that connect one page to
another. HTML describes what a page contains; HTTP moves it between
machines.


A cookie is a small block of text that a web server hands to a browser in
a Set-Cookie response header and that the browser sends back, in a Cookie
request header, on later requests to the same site. HTTP itself has no
memory of earlier requests, so cookies were introduced to carry a user's
preferences and to tie a sequence of requests together; their most common
use now is a session identifier that tells the site which logged-in user
is making a request. A cookie can either be kept only in the browser's
memory (a session cookie, discarded when the browser closes) or, in the
case of persistent cookies, written to the user's disk with an expiry date.
Because a session cookie stands in for the user's credentials, anyone who
can read or guess it can act as that user: it should be unpredictable,
marked Secure so the browser sends it only over encrypted connections, and
marked HttpOnly so scripts in the page cannot read it. We'll discuss
cookies further in the "Cookies" section later in this chapter.
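The following added example (not code from the original text) ties the HTTP and cookie paragraphs together: a minimal client session parses a constructed login response, stores the cookies it sets, and then builds the next requests the way a browser would, returning the session cookie to the same host over HTTPS, withholding it from a plain-HTTP request because it is marked Secure, and never sending it to a different host. The host names, paths, and session identifier are made up, and no network is used.

```python
"""A minimal HTTP client session with a cookie jar, added here to illustrate
the HTTP and cookie paragraphs above (example code, not from the original
text). Server responses are constructed strings; no network is used. The
host names, paths and session id are invented for the example."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"
    secure: bool = False      # send only over https
    httponly: bool = False    # invisible to scripts in the page


def parse_set_cookie(header_value: str) -> Cookie:
    """Parse one Set-Cookie value: 'name=value; Path=/; Secure; HttpOnly'."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    c = Cookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "path" and val:
            c.path = val.strip()
        elif key == "secure":
            c.secure = True
        elif key == "httponly":
            c.httponly = True
    return c


def parse_response(raw: bytes) -> tuple[int, list[tuple[str, str]], bytes]:
    """Split an HTTP/1.1 response into (status code, [(header, value), ...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])          # "HTTP/1.1 200 OK" -> 200
    headers = []
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers.append((k.strip().lower(), v.strip()))
    return status, headers, body


@dataclass
class Session:
    jar: dict[tuple[str, str], Cookie] = field(default_factory=dict)

    def receive(self, host: str, raw: bytes) -> int:
        """Store every Set-Cookie the server sent, scoped to that host."""
        status, headers, _ = parse_response(raw)
        for k, v in headers:
            if k == "set-cookie":
                c = parse_set_cookie(v)
                self.jar[(host, c.name)] = c
        return status

    def cookies_for(self, scheme: str, host: str, path: str) -> list[Cookie]:
        """Browser rule: same host, matching path prefix, Secure cookies only over https."""
        return [c for (h, _), c in self.jar.items()
                if h == host and path.startswith(c.path)
                and (scheme == "https" or not c.secure)]

    def build_request(self, scheme: str, host: str, path: str) -> bytes:
        """Build the GET request the browser would send, with the Cookie header if any."""
        lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
        cookies = self.cookies_for(scheme, host, path)
        if cookies:
            lines.append("Cookie: " + "; ".join(f"{c.name}={c.value}" for c in cookies))
        return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


# Constructed reply to a login request; the session id is a made-up value.
LOGIN_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                  b"Content-Type: text/html\r\n"
                  b"Set-Cookie: session=4f9c2a7e1b3d; Path=/; Secure; HttpOnly\r\n"
                  b"Set-Cookie: theme=dark; Path=/\r\n"
                  b"Content-Length: 0\r\n\r\n")


def demo() -> dict[str, bytes]:
    s = Session()
    s.receive("db.example.com", LOGIN_RESPONSE)
    return {
        "https": s.build_request("https", "db.example.com", "/reports"),
        "http": s.build_request("http", "db.example.com", "/reports"),
        "other_host": s.build_request("https", "evil.example.net", "/"),
    }


if __name__ == "__main__":
    for name, req in demo().items():
        print(f"--- {name}\n{req.decode()}")
```

The three requests show the point of the flags: the session cookie travels only on the HTTPS request to the issuing host, the preference cookie (no Secure flag) also goes over plain HTTP, and nothing at all is sent to an unrelated host.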


The term firewall is generally used to describe a hardware and/or software
system that implements and enforces a security policy between two networks,
typically the Internet and an internal network. The firewall examines each
packet or connection and, according to its rule set, either forwards it to
the other network or discards it; a well-built policy denies everything that
is not explicitly allowed. A firewall may also require users to authenticate
themselves before it lets their traffic through, with a digital certificate
issued by a certificate authority, with an electronically generated one-time
passcode from a hardware token, or possibly with biometrics such as
fingerprints or retinal scans. We discuss firewalls further in the
"Firewalls" section later on.
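The following added example (not code from the original text) shows the policy-enforcement role described above as a first-match packet filter with a default-deny rule. The rules, addresses (RFC 1918 and documentation ranges) and packets are all constructed, and the database host and business partner are hypothetical. It also shows the check a practitioner wants: the same rules with one broad "allow" added at the top silently re-open telnet to the Internet.

```python
"""A first-match packet filter, added here as an example of the policy
enforcement described above; it is not code from the original text. Rules,
addresses (RFC 1918 and documentation ranges) and packets are all constructed.
It shows default-deny and why rule order matters: one broad 'allow' placed
above a specific 'deny' silently re-opens telnet to the Internet."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str          # "tcp" or "udp"
    dport: int          # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (p.src in self.src and p.dst in self.dst
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


def decide(rules: list[Rule], p: Packet) -> str:
    """First matching rule wins; a packet no rule mentions is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


INTERNAL = ip_network("10.0.0.0/8")            # the intranet
ANY = ip_network("0.0.0.0/0")
DB_SERVER = ip_network("10.1.2.3/32")          # hypothetical Oracle host
PARTNER = ip_network("203.0.113.0/24")         # hypothetical business partner

# Intended perimeter policy between the intranet and the Internet.
POLICY = [
    Rule("deny", INTERNAL, ANY, "tcp", 23),          # never telnet out (cleartext passwords)
    Rule("allow", INTERNAL, ANY, "tcp", 80),         # web browsing
    Rule("allow", INTERNAL, ANY, "tcp", 443),
    Rule("allow", PARTNER, DB_SERVER, "tcp", 1521),  # partner may reach SQL*Net only
]

# The same policy after someone adds a "convenience" rule at the top.
SLOPPY = [Rule("allow", INTERNAL, ANY, "tcp")] + POLICY


def sample_packets() -> dict[str, Packet]:
    """Constructed traffic to run through the policy."""
    ext = ip_address("198.51.100.10")
    return {
        "web_out":     Packet(ip_address("10.5.0.7"), ext, "tcp", 443),
        "telnet_out":  Packet(ip_address("10.5.0.7"), ext, "tcp", 23),
        "partner_db":  Packet(ip_address("203.0.113.8"), ip_address("10.1.2.3"), "tcp", 1521),
        "partner_ssh": Packet(ip_address("203.0.113.8"), ip_address("10.1.2.3"), "tcp", 22),
        "internet_db": Packet(ext, ip_address("10.1.2.3"), "tcp", 1521),
    }


def evaluate(rules: list[Rule]) -> dict[str, str]:
    return {name: decide(rules, p) for name, p in sample_packets().items()}


if __name__ == "__main__":
    print("intended:", evaluate(POLICY))
    print("sloppy:  ", evaluate(SLOPPY))
```

Under the intended policy only web browsing out and the partner's SQL*Net connection are forwarded; everything else, including an Internet host trying port 1521 on the database server, falls through to the default deny. Under the sloppy variant the telnet packet is matched by the broad allow before the deny is ever consulted, which is why rule sets should be tested against packets you expect to be blocked, not only against the ones you expect to pass.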


The World Wide Web is made up of intelligent servers, sometimes called
HTTP servers, which perform several different functions:




  • Receive, forward, and process information and requests from client
    machines



  • Store vast amounts of information



  • Protect information from being accessed by unauthorized users



  • Are aware of information stored on other servers



  • Log network activity


Several forms of software are used to aid in making information
available. HTML, Simple Mail Transfer Protocol (SMTP), web browsers, and
other Internet standards are used to enable you to access and transfer
data. Because of the potential security advantages offered by the Java
language (described in the next section), more and more companies are
implementing their applications in Java applets. (Applets are
mini-applications, typically designed to be run by a web browser.)


16.1.1.4 The Java language and security

Java is an object-oriented language with a syntax similar to C++. One of
the major advantages of using Java is that, instead of being compiled for a
specific computer and operating system, Java source is compiled into
machine-independent bytecode. The bytecode can be delivered to any machine
that has a Java runtime: a class loader reads the class files into memory,
a bytecode verifier checks that each class is well formed and does not
subvert the type system, and the Java Virtual Machine (JVM) runs it. The
JVM may interpret the bytecode or use a just-in-time compiler to translate
it into the native machine code of that particular computer; this is true
whether the program is started from the operating system or runs as an
applet inside a web browser.


The major security advantage of Java for downloaded code is the sandbox:
an applet fetched from a remote web site runs with restraints that a
program installed locally does not have. Since applets run inside the
virtual machine, they cannot manipulate the computer's hardware directly,
and the JVM's Security Manager refuses them any operation the sandbox
policy does not allow. By default an untrusted applet cannot read or write
files on the client machine, cannot run other programs or load native
libraries, and cannot open network connections to any host except the one
it was downloaded from. So an applet from the Internet should not be able
to reformat your hard drive, erase files from one of your directories, or
read a local file and send its contents anywhere. Note what the sandbox
does not prevent: an applet may talk to its own web site, so anything the
user types into it can be reported back to whoever runs that site; and an
applet the user has chosen to trust (a signed applet whose signer's
certificate the user accepts) is released from these restraints
altogether.


The rules are enforced by a class called the Security Manager. Before the
Java class library performs a potentially dangerous operation (opening a
file, opening a socket, starting a process, loading native code), it calls
the Security Manager, which throws a SecurityException if the operation is
not permitted for the code that requested it. Two other mechanisms keep a
downloaded class from tampering with or redefining the Security Manager:
the bytecode verifier rejects classes that would break the type system,
and the class loader keeps classes from different origins in separate
namespaces and refuses to let downloaded code define classes in the core
java.* packages. All of this is enforced in software, so the protection is
only as good as the implementation of the verifier, the class loaders, and
the Security Manager, and flaws in each of them have at times let applets
escape the sandbox. (In current versions of Java the browser plug-in and
Web Start are gone, the applet API is deprecated for removal, and the
Security Manager itself has been deprecated for removal.)







In early 1998, Larry Ellison, cofounder and Chief Executive
Officer of Oracle Corporation, stated that Oracle software is
going to become completely Java-based. More and more of the
current Oracle code is being delivered as Java applets. In
fact, almost the entire Oracle Enterprise Manager toolset
(described in Chapter
13) is written using Java
applets.











