This paper presents a framework that aims to build the most secure web system possible from the available generic and web-specific security technology, and that can serve as a guideline for organizations building their web sites. The framework is designed to provide the necessary security services, to address the known security threats, and to offer some protection against other security problems, especially unknown threats. The requirements that guided the design of the secure web system are discussed. The designed security framework is then simulated, and various quality of service (QoS) metrics are calculated to measure the performance of the system.
@article{"International Journal of Information, Control and Computer Sciences:58628",
  author   = "J. P. Dubois and P. G. Jreije",
  title    = "A Novel Security Framework for the Web System",
  keywords = "Web Security, Internet Voting, Firewall, QoS, Latency, Utilization, Throughput",
  volume   = "1",
  number   = "12",
  pages    = "3933-4",
}