Pages: pp. 10-13
For predominantly English-speaking countries, international characters might seem irrelevant, but large-scale changes to the global infrastructure will affect every network whose users communicate internationally. For example, sending email to users in another country might eventually require an upgrade to Internationalized Domain Names (IDNs). Companies selling products or services worldwide might want to register IDNs that accurately represent their wares, and anyone with international clientele must be prepared for support issues. Breaking the Internet's dependency on seven-bit ASCII is a good place to start. Hall describes the move toward IDNs, as proposed last year in IETF RFC 3490, "Internationalizing Domain Names in Applications (IDNA)."
SOAP messages are constructed in human-readable XML, which means message content can easily be observed and possibly modified. To ensure that messages aren't tampered with or that sensitive data (such as credit card numbers or medical information) isn't disclosed, Web Services Security (WS-Security) adds extensions that enable all or part of a SOAP message to be encrypted and digitally signed. The Web services community recently reached a milestone when the Organization for the Advancement of Structured Information Standards (OASIS) ratified the specification as a standard.
Although the IEEE ratified the 802.11i wireless security standard in July 2004, products guaranteed to be compatible with most of the specification have been shipping since May 2003, thanks to Wi-Fi Protected Access (WPA), a certification program from the Wi-Fi Alliance based on the most urgent security fixes in 802.11i. Now, with many Wi-Fi users upset over poor quality of service (QoS), the alliance has decided to do the same for 802.11e, the IEEE's planned QoS standard — taking parts of the standard and packaging them as Wireless Multimedia Extensions (WME). Due to be available in September 2004, WME equipment will help Wi-Fi networks give higher priority to real-time traffic.
Over the next few years, the Metro Ethernet Forum (MEF) plans to develop specific definitions and templates for a robust Ethernet service with any-to-any connectivity. The industry coalition of local exchange carriers, networking companies, Ethernet service providers, and equipment vendors has already completed the first of three specifications aimed at replacing point-to-point frame relay access lines. Collectively, these specification-based services should make Ethernet a faster, cheaper, and simpler alternative to frame relay in two ways: by beefing up performance levels and security, and by enabling an any-to-any multipoint topology that links sites more dynamically, without the cost of nailed-up connections (permanent, dedicated circuits). Allen and Dornan discuss the Ethernet Services Model Phase 1, the first technical specification to come out of this effort.
HTTP response splitting enables various attacks, such as Web cache poisoning, cross-user defacement, page hijacking, and cross-site scripting (XSS). It's relevant to most Web environments and results from an application's failure to reject illegal user input; in this case, input containing the carriage return and line feed characters that HTTP uses to end a header line, which lets an attacker inject headers and even a complete second response. Klein and Orrin describe how and why the attacks work, and the relatively simple ways to avoid the vulnerability.
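As an added illustration (not code from Klein and Orrin's article), the Python below builds a redirect whose Location header copies a query parameter verbatim, feeds it a value carrying percent-encoded CR/LF, and then parses the resulting byte stream the way a cache or proxy would, showing that one request has produced two complete responses. The host name, parameter name and forged page body are constructed for the example; the hardened version applies the check the summary describes, rejecting CR, LF and other control characters before anything reaches a header.

```python
"""HTTP response splitting: vulnerable vs. hardened header construction.

Added example (not code from the article). Host name, parameter and
payload body are constructed for the demonstration.
"""
from urllib.parse import quote, unquote

CRLF = "\r\n"

# Constructed attacker input: a query value carrying percent-encoded CR/LF
# that terminates the first response and starts a forged second one.
PAYLOAD = unquote(
    "en%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2020%0d%0a%0d%0a%3Chtml%3EHacked!%3C/html%3E"
)


def vulnerable_redirect(lang: str) -> str:
    """Deliberately unsafe: copies user input into a header with no check."""
    return (
        "HTTP/1.1 302 Moved Temporarily" + CRLF
        + "Location: http://example.test/index.html?lang=" + lang + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def is_safe_header_value(value: str) -> bool:
    """Allow printable ASCII only: rejects CR, LF, other controls and DEL."""
    return all(0x20 <= ord(ch) < 0x7F for ch in value)


def safe_redirect(lang: str) -> str:
    """Hardened: reject illegal input, then percent-encode what remains."""
    if not is_safe_header_value(lang):
        raise ValueError("control character in header value")
    return (
        "HTTP/1.1 302 Moved Temporarily" + CRLF
        + "Location: http://example.test/index.html?lang=" + quote(lang, safe="") + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def parse_responses(stream: str) -> list:
    """Minimal HTTP/1.1 response parser playing the role of a cache or proxy.

    Walks the stream one message at a time, using Content-Length to find
    each body's end, and returns one dict per response it recognises.
    A real intermediary that pipelines requests would pair the surplus
    response with the *next* request, which is how cache poisoning happens.
    """
    responses = []
    pos = 0
    while stream.startswith("HTTP/", pos):
        head_end = stream.index(CRLF + CRLF, pos)
        status, *header_lines = stream[pos:head_end].split(CRLF)
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + len(CRLF + CRLF)
        length = int(headers.get("content-length", "0"))
        responses.append({
            "status": status,
            "headers": headers,
            "body": stream[body_start:body_start + length],
        })
        pos = body_start + length
    return responses


if __name__ == "__main__":
    seen = parse_responses(vulnerable_redirect(PAYLOAD))
    print(len(seen), "responses from one request")      # 2
    print(seen[1]["status"], repr(seen[1]["body"]))      # HTTP/1.1 200 OK '<html>Hacked!</html>'
    print(len(parse_responses(safe_redirect("en"))))      # 1
```

The forged second response is entirely attacker-controlled, which is why the same bug yields cache poisoning (the intermediary stores it under the next URL requested), cross-user defacement and XSS. Encoding alone is a weaker fix than rejection: `quote()` keeps CR/LF out of the header, but a value that contains them is never legitimate, so refusing it also removes the ambiguity about what downstream parsers will do with it.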
Eighteen months ago, developers and users still viewed "Web services security" as an oxymoron, says O'Neill. Now, thanks to standards, Web services are more secure than ever, he claims. He asks what it means to say that an individual XML message is "secure." The answer involves applying well-known security concepts to Web services. O'Neill describes three established security concepts — CIA (confidentiality, integrity, and availability) security, AAA (authentication, authorization, and audit) security, and message-level content analysis — and explains how they apply to Web services.
Farrow says that intrusion-prevention systems (IPSs) are the latest buzz in intrusion detection. He explains why he doesn't believe that IPSs can protect against all those "strangers with candy," despite vendor and analyst claims to the contrary.
As Conry-Murray points out, security vendors regularly claim their products can protect Web, email, and other applications. But what does that mean? Applications can be attacked through the protocols that carry them, or by manipulating the application code's logic itself. Understanding how different types of attacks are carried out can help you assess your risk and better understand how to protect yourself. Conry-Murray explains the methods of application attack and presents steps toward prevention.
22 June 2004
Businesses large and small must be proactive about security, and shopping intelligently now can protect against heavy losses in the future. This buyer's guide has five components: why you need a solid security infrastructure, what the major threats are and how to protect yourself, which features are important when shopping for security solutions, which junctions in your network are vulnerable, and how to pick the products that best fit your business size.
3 August 2004
This issue of PC Magazine contains four major security-themed articles: "Keep Your PC Safe" (home computing security), "Keep Your Office Safe" (email and enterprise security), "Keep Your Kids Safe" (how to protect children from Web-browsing dangers), and "Is Microsoft to Blame?" (should Microsoft take more responsibility in these other security areas because it provides 95 percent of the world's operating systems?).
Datasets provide a powerful mechanism for storing information. According to Wagner, programmers can even use them to track the changes they make, as long as they make them in the right fashion. In this Q&A, he describes the available options when using XML datasets.
In this excerpt from his book, Introducing Microsoft ASP.NET 2.0 (Microsoft Press), Esposito says a method to build and reuse pages must fulfill three requirements: the pages have to be easy to modify; changes shouldn't require deep recompilation of the source code; and any change must impact the application's overall performance minimally. He claims that ASP.NET 2.0 satisfies these requirements with a new technology — master pages (a kind of supertemplate) — and exploits the new ASP.NET framework's ability to merge a supertemplate with user-defined content replacements.
Location-based Web services will play an increasingly important role as handheld devices add carrier-based and GPS-positioning capabilities. Microsoft, map providers, and cellular carriers will likely offer an expanding array of geo-coded imaging Web services, and Jennings says now's the time to start exploring new VS.NET mapping applications. He describes how to use Microsoft's TerraService and MapPoint Web services to start Visual Studio .NET-based mapping projects.
Tremblett uses a television broadcast simulation to describe the JMX architecture and show how to create managed beans (MBeans) — the objects used to instrument resources and render them suitable for management.
Although the Microsoft Java virtual machine no longer exists, the Java COM Bridge (JACOB) open-source library essentially duplicates its ability to let Java code running under Windows connect with ActiveX objects. Williams examines how.
Executing malware sent as an email attachment is a prime way viruses spread, and such code typically propagates by modifying application files. Grimes explains the .NET file structure and shows how it prevents such alterations from being made to .NET assemblies.
According to the author, the U.S. cable industry is making a massive investment in Java technology to escape the quagmire of proprietary network software and APIs. Java is at the core of the standards-based OpenCable Application Platform (OCAP); properly written OCAP applications can run on any OCAP-compliant North American cable network. In this article, the author looks at the strengths and weaknesses of OCAP's Java interfaces as they relate to OCAP's goals.
The subject of several books, continuous integration is an automated process that lets teams build and test software multiple times a day. In the first of two articles, Beck examines the building blocks of an open-source continuous integration solution, including descriptions of Java-based tools such as Ant and JUnit, which support it.
Improved Wi-Fi equipment is available now, though it's not suitable for everyone. After all, Wi-Fi was designed to be a LAN technology — it can't match 3G or emerging standards such as 802.16 (WiMAX) and 802.20 (Mobile-Fi) in the wide area, according to Dornan. New wireless WAN technologies are already available in some areas and will slowly be rolled out nationwide over the next decade.
Other than denial-of-service (DoS), all attacks have the same goal: to take control of a system. The most publicized attacks involve indiscriminate, self-propagating worms such as Sasser or Blaster, while others target specific computers or networks. All depend on the ability to execute the attacker's code on victim systems. Farrow argues that a host-based intrusion-prevention system (HIPS) might be a better defense against such attacks than any network-based IPS (NIPS). However, users must be willing to pay a price in installation costs and performance.
Approximately 2.5 billion of the 3 billion emails Microsoft Hotmail receives are now spam. However, thanks to a cocktail approach that blends traditional spam filters with cutting-edge technology, spam is becoming a non-issue for corporate mail users, says the author. Researchers and vendors have stopped proselytizing individual approaches and found ways to integrate and optimize existing technologies while seeking new solutions. Machine learning is the hot anti-spam ingredient at the moment, and new products are now integrating it with blacklists, content filters, spam signatures, and heuristics for a powerful anti-spam cocktail.
Delaney and Lipschutz describe how to choose the right server for a business by assessing performance, cost, space, and other concerns. They also examine the differences between direct-attached storage (DAS), network-attached storage (NAS), storage-area network (SAN), and SCSI devices.
Computer, www.computer.org/computer/
June 2004
"Securing the High-Speed Internet," by Simon S.Y. Shim et al.
This article is an introduction to Computer's multi-article section on Internet security. The guest editors present an overall picture of how fast the wired and wireless Internet has grown—in worldwide and commercial use, technical complexity, and connection speeds. The articles represent a sample of how academia is responding to the need for better Internet security, and include: "Computer Security in the Real World," "Worm Epidemics in High-Speed Networks," "Making the Gigabit IPsec VPN Architecture Secure," and "A Quantitative Study of Firewall Configuration Errors."
June 2004
"Issues in High-Speed Internet Security," by Peder Jungck and Simon S.Y. Shim.
Using the SQL Slammer flash worm as an example of how quickly damage can be inflicted on today's Internet, Jungck and Shim suggest that protecting networks against such fast-moving threats requires new security solutions that offer flexibility, high performance, and speed. They discuss various alternatives and improvements that could be made using existing technologies.
"Seamless Mobile Computing on Fixed Infrastructure," by Michael Kozuch et al.
Kozuch and colleagues describe their work with Internet suspend/resume (ISR), a pervasive computing technology for rapidly personalizing and depersonalizing anonymous hardware for transient use. They define mobile computing not in terms of wireless-connected laptops, PDAs, and such, but rather the ability to use existing "thick client" computers as portals to our data, applications, and connections wherever we go.
Computing in Science & Engineering, www.computer.org/cise/
July/August 2004
"Web Engineering: The Evolution of New Technologies," by Athena I. Vakali and Georgios I. Papadimitriou.
This special section brings together articles that focus on understanding and emphasizing engineering topics as they're applied in today's Web environment and infrastructure. They cover a wide range of topics under the broad categories of Web data representation, access, and effective information retrieval. Articles include "Managing XML Data: An Abridged Overview," "Information Retrieval Techniques for Peer-to-Peer Networks," "Trust Negotiations: Concepts, Systems, and Languages," "Intelligent Agents on the Web: A Review," "Web Searching and Information Retrieval," "Web Mining: Research and Practice," and "Caching and Prefetching for Web Content Distribution."
IEEE Intelligent Systems, www.computer.org/intelligent/
July/August 2004
"Semantic Web Services," by Terry Payne and Ora Lassila.
Articles in this special section include "Automatically Composed Workflows for Grid Environments," "ODE SWS: A Framework for Designing and Composing Semantic Web Services," "KAoS Policy Management for Semantic Web Services," "Filtering and Selecting Semantic Web Services with Interactive Composition Techniques," and several more.
IT Professional, www.computer.org/itpro/
May/June 2004
"SOLA: Lightweight Security for Access Control in IEEE 802.11," by Felix Wu, Henric Johnson, and Arne Nilsson.
Currently an academic research prototype, Statistical One-Bit Lightweight Authentication (SOLA) is a layer-2 authentication protocol that tags each frame with a single identity bit and verifies a sender statistically over a sequence of frames rather than with a full per-frame authenticator. The authors argue that SOLA might provide sufficient security at the first hop of a wireless network, assuming more robust security exists further along the path, to obviate relatively expensive link-layer authentication mechanisms, because the first hop primarily needs to authenticate origin identity rather than payload.
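To make the statistical idea concrete, here is an added Python model written for this digest, not the SOLA authors' implementation: each frame carries one bit derived from a shared key and the frame number, the access point tallies mismatches over a sliding window, and a station that does not hold the key is wrong on about half of its frames and trips the alarm well within one window. The bit derivation (low bit of an HMAC), the in-the-clear frame index used to keep both ends in step, and the window and threshold values are assumptions of this model, not details of SOLA's design.

```python
"""One-bit, statistical sender authentication at the first hop.

Added example, not the SOLA authors' code: a deliberately simplified model
of the idea. Assumptions: the bit for frame i is the low bit of
HMAC-SHA256(key, i); the frame index travels in the clear so both ends stay
in step (real SOLA handles synchronisation and loss differently); window
and threshold values are chosen for the demonstration.
"""
import collections
import hashlib
import hmac
from math import comb

WINDOW = 64      # frames per decision window (assumed)
THRESHOLD = 12   # mismatches in the window that raise an alarm (assumed)


def auth_bit(key: bytes, index: int) -> int:
    """The one-bit authenticator attached to frame number `index`."""
    mac = hmac.new(key, index.to_bytes(8, "big"), hashlib.sha256).digest()
    return mac[-1] & 1


class Sender:
    """Legitimate station, or a spoofer if constructed with the wrong key."""

    def __init__(self, key: bytes):
        self.key = key
        self.index = 0

    def send(self, payload: bytes) -> tuple:
        frame = (self.index, auth_bit(self.key, self.index), payload)
        self.index += 1
        return frame


class Receiver:
    """Access point: checks each bit and keeps a sliding window of misses."""

    def __init__(self, key: bytes, window: int = WINDOW, threshold: int = THRESHOLD):
        self.key = key
        self.threshold = threshold
        self.misses = collections.deque(maxlen=window)

    def accept(self, frame: tuple) -> bool:
        index, bit, _payload = frame
        ok = bit == auth_bit(self.key, index)
        self.misses.append(0 if ok else 1)
        return ok

    def mismatches(self) -> int:
        return sum(self.misses)

    def alarm(self) -> bool:
        return self.mismatches() >= self.threshold


def run(sender: Sender, receiver: Receiver, frames: int) -> int:
    """Push `frames` frames from sender to receiver; return the mismatch count."""
    for _ in range(frames):
        receiver.accept(sender.send(b"data"))
    return receiver.mismatches()


def spoofer_detection_probability(frames: int, threshold: int) -> float:
    """P(a key-less spoofer injecting `frames` frames reaches `threshold` misses).

    Each guessed bit is right with probability 1/2, so misses follow
    Binomial(frames, 1/2); this is the upper tail from `threshold`.
    """
    return sum(comb(frames, k) for k in range(threshold, frames + 1)) / 2 ** frames


if __name__ == "__main__":
    key = b"shared first-hop key (constructed)"
    legit_rx, spoof_rx = Receiver(key), Receiver(key)
    legit = run(Sender(key), legit_rx, WINDOW)
    spoof = run(Sender(b"attacker has no key"), spoof_rx, WINDOW)
    print("legit mismatches:", legit, "alarm:", legit_rx.alarm())
    print("spoofer mismatches:", spoof, "alarm:", spoof_rx.alarm())
    print("P(detect in 8 frames, threshold 8):", spoofer_detection_probability(8, 8))
```

The model makes the trade-off plain: any single forged frame passes with probability 1/2, so the bit cannot protect a payload, and what it buys is cheap filtering of a persistent spoofer, with the detection probability given by the binomial tail in `spoofer_detection_probability`. Frame loss on a real radio link would also produce mismatches for a legitimate station, which is why a window and threshold, rather than a per-frame reject, are the natural decision rule.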
The limitation is the flip side of the same point: a one-bit tag authenticates only a frame's origin, not its payload, so integrity and confidentiality must come from the higher-layer mechanisms the argument assumes.
"The Basics of Reliable Distributed Storage Networks," by Thomas C. Jepsen
Besides efficiency, enterprises need the increased reliability that distributed storage systems offer. Using storage networks to manage access to data increases performance and survivability while helping control costs. Jepsen presents a comprehensive view of distributed storage: what it is, its benefits, how enterprises implement it, and its future manifestation (IP storage).
IEEE Multimedia, www.computer.org/multimedia/
July–September 2004
"QoS Specification Languages for Distributed Multimedia Applications: A Survey and Taxonomy," by Jingwen Jin and Klara Nahrstedt
Jin and Nahrstedt provide an extensive taxonomy of existing QoS specification languages. This article pays particular attention to issues derived from research into QoS-aware API design and QoS language development for multimedia systems.
IEEE Security & Privacy, www.computer.org/security/
July/August 2004
"Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns," by Jonathan Pincus and Brandon Baker.
Pincus and Baker, both Microsoft security and research developers, say that vulnerabilities related to buffer overruns account for the largest share of CERT advisories. In this article, they discuss three powerful general-purpose families of exploits that go beyond traditional "stack smashing" attacks and invalidate traditional assumptions about buffer overruns.