
By :

Ahmed Nazim

Assignment Title :

Client / Server Architecture on Internet Application (Individual in-course assessment)

Client/Server Architecture on Internet Applications

Table of Contents

Introduction
Objective of research
Technologies used in Internet Applications
Role of a Client in an Internet Application
    Characteristic of a Client
Role of a Server in an Internet Application
    Characteristic of a Server
How client/server architecture works on Internet Applications
Security issues in Internet Applications
Security issues for the end-users
Conclusion
References

Asia Pacific Institute of Information Technology


Client / Server Architecture on Internet Application


Introduction
This research paper focuses on the client-server architecture, which provides a versatile infrastructure that supports the insertion of new technology more readily than earlier software designs. In a traditional centralized system with dumb terminals, it is the operating system in the host computer that performs all the processing necessary for the operation of that system. All the screen handling, program logic, referential integrity checks, verifying the integrity of users wishing to use system resources and similar functions are done on that central computer. The terminals simply provide a view into that computer.

What is Client-Server Architecture?

The definition of client-server architecture given on Webopedia's website says:

"A network architecture in which each computer or process on the network is either a client or a server. Servers are powerful computers or processes dedicated to managing disk drives (file servers), printers (print servers), or network traffic (network servers). Clients are PCs or workstations on which users run applications. Clients rely on servers for resources, such as files, devices, and even processing power."

Client-server architecture is used in most business organizations as a division of labor for the computing functions required. Information is therefore processed and passed through multiple machines throughout the network. In this regard, the main focus area of this research is the most broadly used client/server architecture today.


Objective of research
The Internet's global and exponential growth is common knowledge today. The Internet is implemented using a large variety of connections between millions of computers, and Internet access is readily available to individuals across the globe. The client/server architecture is a versatile, message-based and modular infrastructure that is intended to improve usability, flexibility, interoperability, and scalability as compared to centralized, mainframe, time-sharing computing.

The main objective of this research is to study how the client/server architecture works in internet applications, and to study the limitations and the security issues that may arise when using this technology. Client/server architecture is not used only in internet applications or websites; however, this research paper focuses mainly on Internet Applications, which are the most commonly and popularly used client/server technique, used by everyone around the world. This research paper will demonstrate how client/server architecture works on the internet and how this technique is implemented in web applications throughout the internet.

Technologies used in Internet Applications


Internet Applications, or the World Wide Web, rely on a group of protocols, technologies and techniques that enable them to function. The first of these is HTTP: Hypertext Transfer Protocol. This protocol is used by clients and servers to communicate with each other; in other words, it is the language spoken between web-servers and web browsers. The second is HTML: Hypertext Markup Language. This language specifies document formats, and allows different clients to display the same document. It also allows a web designer to design his or her web pages. The third is the URL: Uniform Resource Locator. A URL describes the location of the file server being accessed, the location of the file on the file server, and specifies how to access the server and file. The other most commonly used protocols on the World Wide Web are FTP (File Transfer Protocol), SMTP (Simple Mail Transfer Protocol) and HTTPS (Secured Hypertext Transfer Protocol).


Different technologies were then gradually added. To allow for more interactivity, the concept of dynamic pages was added. Web pages can now be constructed on the fly by a program or script running on the Web server. All these different technologies have made the WWW very attractive for many internet applications.

Role of a Client in an Internet Application

In internet applications, clients are most often web browsers (e.g. Internet Explorer, Firefox, Opera, Safari etc.), although that has not always been the case in client/server architecture. The client interacts directly with end-users in the form of an HTML page using a graphical representation of data. When a client initiates a request, it is sent to the server (web-server), which handles the server-side execution and responds back to the client (browser).

Client-side scripts such as JavaScript are used to validate user inputs and to enhance interactivity without sending the information to the web-servers. However, these client-side validations can be overridden by advanced users, and because of this and the compatibility issues among various browsers, most websites or internet applications also use server-side validation.

One of the main drawbacks faced by the client is the cross-browser compatibility issue. Different browsers (clients) render certain HTML tags differently, and the JavaScript implementations in the browsers vary from each other. Because of this issue, web developers have to test their application on the most popular browsers to make the application cross-browser compatible. But a lot of websites still expect the end-users to use Internet Explorer because of its popular usage on the Internet. A recent survey conducted by www.e-janco.com shows that Internet Explorer (IE) is still dominating the browser market in the internet community. Following are the trends on browser market share as of March 2007.
Internet Explorer : 70.52%
Firefox           : 13.38%
Netscape          : 11.85%
Google desktop    : 1.24%
Mozilla           : 0.95%
Opera             : 0.94%
Safari            : 0.75%
Other browsers    : 0.36%

* Information taken from www.e-janco.com

Characteristics of a client:

- Active (master)
- Initiates requests
- Waits for and receives replies
- Typically interacts directly with end-users using a graphical user interface

Role of a Server in an Internet Application

Servers typically include web servers, database servers and mail servers. These servers do not directly interact with the end-users. In web applications, all the requests made from the websites using client browsers are handled by the web-server, and normally these web-servers have a connection to the database server to retrieve certain information. This technique is also called three-tier architecture and is the most commonly used type of client-server architecture. It improves overall system performance and reliability, since more of the processing load can be accommodated simultaneously.

Server-side programming is used to tell the web-server how to handle all the requests sent by the client. The most commonly used server-side languages are ASP VBScript, ASP JScript, PHP, JSP, CGI and Perl. The choice of programming language depends on the web-server platform used in the Internet Application. For example, ASP pages will be executed only if the web-server platform is Windows and the web-server is Internet Information Services (IIS), whereas PHP pages will run on a UNIX or Linux platform with the Apache web-server (IIS also supports PHP after installing an add-on, but this option is not provided by most of the web hosting companies).

In addition to web-servers, almost all internet applications have a backend database server. When clients send a request to the web-servers, the web-servers communicate directly with the database server to populate the HTML pages, and the page is rendered to the end-user through the client browser. The most commonly used database servers in internet applications are MS SQL, MySQL, Oracle and MS Access.

Characteristics of a server:

- Passive (slave)
- Waits for requests from clients
- Upon receipt of requests, processes them and then serves replies
- Usually accepts connections from a large number of clients
- Typically does not interact directly with end-users
- Can be stateless or stateful


How client/server architecture works on Internet Applications


Internet Applications or websites employ a connection-less protocol, which means that after every client-server interaction the connection between the two is lost. The following two figures show the most common client-server inter-communication techniques.

Figure 1 : Static HTML Page

The client (browser) requests an HTML file stored on the remote machine through the server software. The server locates this file and passes it to the client. The client then displays this file on the client machine. In this case, the HTML page is static. Static pages do not change until the developer modifies them.

Figure 2 : Server side scripting technologies (dynamic pages)

The scenario is slightly different for server-side pages. Here the server has to do more work, since server-side programs consume the server machine's processing power. For example, if a searchable form on a web page that runs a server-side program is submitted, the browser sends a request to the web-server. The server checks the headers, locates the necessary file and passes the data from the request to the database server. The database server executes the query and sends the dataset to the web-server. The server then sends the formatted file in HTML to the browser, which in turn displays the HTML page.

The second case also involves a dynamic response generated by the use of server-side technologies. There are many server-side technologies used today.

- Active Server Pages (ASP): A Microsoft technology. ASP pages typically have the extension .asp.
- Hypertext Preprocessor (PHP): An open source technology. PHP pages typically have .php, .phtml or .php3 file name extensions.
- Java Server Pages: .jsp pages contain Java code.
- Server Side Includes (SSI): Involves the embedding of small code snippets inside the HTML page. An SSI page typically has .shtml as its file extension.

With these server technologies it has become easier to maintain Web pages, which is especially helpful for a large web site. The developer needs to embed the server-side language code inside the HTML page. This code is passed to the appropriate interpreter, which processes these instructions and generates the final HTML displayed by the browser or client.

Security issues in Internet Applications


Web-based applications are now the preferred environment for a multitude of e-services: e-commerce, e-banking, e-government, etc. Security for these applications is an important enabler. It is possible for an attacker to eavesdrop on the communication between an end-user's browser and a Web-server; sensitive information, such as a credit card number or any other confidential data, could thus be obtained. In client/server systems where the data may be distributed across multiple servers and sites, each with its own administrators, centralized security services are impractical, as they do not scale well and more opportunities are available for intruders to access the system. This research paper gives a summary of the common security flaws found in Internet Applications.

SQL Injection

SQL injection attacks represent a serious threat to any database-driven internet application. The methods behind an attack are easy to learn, and the damage caused can range from considerable to complete system compromise.

Unencrypted confidential data passed from HTML forms (e.g. password, PIN number etc.)

Encryption of data can solve the problem of attackers sniffing the network for data. Encryption involves converting the readable data into unreadable data. Only those knowing the decryption key can read the data. A problem here is that some network operating systems don't start encryption until the user has been authenticated (i.e. the password is sent unencrypted).

Spam detection techniques (e.g. CAPTCHA) for the input forms

A CAPTCHA is a type of challenge-response test used in computing to determine whether the user is human. "CAPTCHA" is an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart", trademarked by Carnegie Mellon University. CAPTCHAs are used to prevent automated software from performing actions which degrade the quality of service of a given system, whether due to abuse or resource expenditure.

Firewalls

Firewalls are tools that are used to enhance the security of computers connected to a network, such as a Local Area Network or the Internet. Firewalls deny or accept all messages and sites based on a list that is stored in the system. This list is usually decided by a system administrator.
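The SQL injection flaw summarised above, applied to the searchable form from the dynamic-page walkthrough, as an added example that is not part of the original paper. It shows the server-side program building its query by string concatenation beside a form that validates on the server and binds the value as a parameter. The products table, its rows, the function names and the crafted term are constructed for illustration, and SQLite stands in for the database server.

```python
import sqlite3

# Constructed input: a search term that closes the quoted string early.
CRAFTED = "lamp%' OR visible = 0 --"

def make_db():
    # Constructed sample data standing in for the back-end database server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, visible INTEGER)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?)",
        [("red lamp", 1), ("blue lamp", 1), ("unreleased lamp", 0)],
    )
    return db

def search_concatenated(db, term):
    # Weak form: the form field is pasted into the SQL text, so the
    # database parses user input as part of the statement.
    sql = ("SELECT name FROM products "
           "WHERE visible = 1 AND name LIKE '%" + term + "%'")
    return [row[0] for row in db.execute(sql)]

def validate_term(term):
    # Server-side validation: done here because checks made by JavaScript
    # in the browser can be overridden by the user.
    if not isinstance(term, str) or not 1 <= len(term) <= 50:
        raise ValueError("search term must be 1-50 characters")
    return term

def search_parameterized(db, term):
    # Hardened form: the value is sent as a bound parameter and is never
    # parsed as SQL. (% and _ in the term still act as LIKE wildcards.)
    term = validate_term(term)
    sql = "SELECT name FROM products WHERE visible = 1 AND name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("concatenated", search_concatenated),
                      ("parameterized", search_parameterized)):
        print(label, fn(db, "lamp"), fn(db, CRAFTED))
```

With the concatenated query the crafted term returns the hidden row as well; with the bound parameter the same term is treated as plain text and matches nothing.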


Security issues for the end-users


In internet applications, security is not only an issue for the application developer or the server side. It is also a serious issue for the end-users who utilize these services or applications. Most of us are not aware of these security issues at the client side. The vulnerabilities in browsers can lead to memory corruption, spoofing and execution of arbitrary scripts. The SANS Institute researched these security issues in browsers, and on its website (www.sans.org) the following was mentioned regarding older versions of Internet Explorer:

"The most critical issues are the ones that lead to remote code execution without any user interaction when a user visits a malicious webpage or reads an email. Exploit code for many of the critical Internet Explorer flaws are publicly available. In addition, Internet Explorer has been leveraged to exploit vulnerabilities in other core Windows components such as HTML Help and Graphics Rendering Engine. Vulnerabilities in ActiveX controls installed by Microsoft or other vendor software are also being exploited via Internet Explorer"

To overcome these issues, it is advised to always update the browser to the most recent version and apply patches. Most of these browsers release security patches or an update when a security vulnerability is found.


Conclusion
Based on my research on client/server architecture in internet applications, it is clear that Web security is much more than secure communications only. It involves many security issues which moreover depend on each other. On one hand, the necessary technology already exists with which e-services on the WWW can be made secure to some extent. To make internet applications more secure you have to have the knowledge of how the technology is implemented in these applications and how the client communicates with the server to retrieve information. As I have outlined in this research paper, the role of the client and the role of the server should be understood by the application developers and end-users, since there are various vulnerabilities at the browser side as well. These vulnerabilities may cause the end-user to expose his/her computer to the internet, or confidential data might be carried out by spyware etc. In my opinion, most of the internet applications are designed by considering these security issues, and also the webmasters and owners of these applications pay a high amount of money to make their application more secure. However, since the World Wide Web is used by millions of people, there is no guarantee for the security personnel to make the application 100% secure. Even though the application cannot be 100% secure, the security issues that I have covered in this research paper are utilized to make the application more secure. While the World Wide Web has already reached a certain level of maturity, there is definitely still some progress to be made before all real-life services can be securely provided in an electronic way. As far as the web is concerned, internet security isn't a luxury, it's a necessity.


References
- Webopedia website - www.webopedia.com
- PEER Reviewed Journal on Internet - www.firstmonday.org
- SANS Institute - Network, Security, Computer, Audit Information - www.sans.org
- World Wide Web Consortium (W3C) - www.w3.org
- Janco Associates Inc. Website - www.e-janco.com
- ebusiness Solutions and Ecommerce Web Solutions - www.web-enable.com
- Wikipedia, the free encyclopedia - http://en.wikipedia.org/
