1. Introduction

E-learning platforms have drastically improved the way people learn today. Users can easily access the learning application on their personal devices at any time, flexibility being one of the main advantages of such an application. Additionally, each user is able to learn according to his preferred strategy and in his own pace and so everyone can benefit from the value added learning process that the platform offers and enjoy learning. In this way, these types of online platforms help increase the productivity of the students and help them find a learning style that suits their needs.

Such an e-learning application model based on Oracle Application Express web platform and Oracle distributed databases was developed in thesis "Distributed databases. A dynamic model fully decentralized and automated" (Ciobanu-Iacob, 2014). But this model requires networks that support big data traffic, and these networks must be scalable to support increasing numbers of users to address the need for greater capacity and performance. As networks grow and support more and more services and applications, they become more vulnerable to security threats. To combat those threats and ensure that electronic applications are not hacked, security techniques (Ciobanu-Defta, 2012; Ciobanu-Defta and Ciobanu-Iacob, 2012) must play a fundamental role in any type of environment.

2. Web and SQL Servers Security Threats

Web applications are exposed to some specific vulnerability due to their method of access (web browsers) and integration with databases in backend. The actual web servers configurations commonly presents to users multiple web applications running on a single server and available through some standard network ports (80 and 443), giving attackers a big area to compromise.

There are many common attacks that can occur against different applications servers and they depend on the installed applications (for example Web, SQL, ERP etc.), operating system running on the server (for example Windows or Linux), and environment (network where the server is running). In this section we will briefly describe some of the generic attacks that can compromise the server (Boyles, 2010).

* Denial of service (DoS) is an attack in which one system attacks another with the intent of consuming all the resources on the system (such as bandwidth or processor cycles), leaving nothing to use for other legitimate requests from normal clients. This is accomplished by increasing traffic on web site so much that the victim's server becomes unresponsive.

* Distributed denial of service (DDoS) is an attack similar with DoS, but at a larger scale, because the attack is orchestrated from multiple systems from many countries around the globe.

The most common DDoS attacks are:

* Port scanning attack. A port scanning attack is performed by systematic scanning of a host using some programs. For example, an attacker can scan a Web server with the intention of finding exposed services or other vulnerabilities that can be further exploited.

* Ping flooding attack. A ping flooding is a classical type of attack where the attacker send sends ICMP echo requests packets as fast as possible without waiting for replies.

* SYN flooding. This attack requires knowledge of the TCP/ IP protocol suite because this is a network protocol targeted type of attack. In SYN flood the attacker sends a SYN packet to target host which then respond with SYN acknowledgement. In the end of communication, the attacker does not send any ACK packet back to the target host and this causes the connection to remain in half open state. TCP connection established to the attacker host is not ending, waiting for the session to expire. The attacker continue sending new SYN packets until TCP SYN queue is filled and cannot accept any new connections.

* IP packet fragmentation attack. In this attack, an attacker change the TCP/IP protocol behavior to break packets up into smaller pieces, or fragments, that bypass most intrusion-detection systems.

* Password attacks. Password attacks can be implemented using different methods, including brute-force attacks and packet sniffers. Although packet sniffers can reveal user accounts and passwords, from network packet captures where an attacker can see in clear or decrypt some passwords, password attacks usually refer to specific attempts to identify a user account, password, or both. A brute-force attack is performed using some programs that run across the network and attempt to log in to the attacked server using various users and passwords. When a user account is compromised and if this account has enough privileges, the attacker can gain access to the system.

* Cross-site scripting or XSS is a technique that makes use of vulnerabilities in web applications. In a cross-site scripting attack, data is entered into an application which is later written back to another user. If the application is not coded is such a way to validate the data correctly, it may simply echo the input back allowing the insertion of malicious code into the web page.

* SQL injection type of attack search for a vulnerability in the database associated with a web application. The malicious code is inserted into strings that are later passed to the SQL server, parsed, and executed.

* Malware is a malicious software. It consist of viruses, bots, spyware, worms, trojans, rootkits, and any other software intended to disrupt normal user activity and collect personal data.

3. E-Learning Platforms Security

In the diagram below (Figure 1), we figured a typical network and systems architecture for an e-learning platform (Baron et al, 2014), consisting of a database server and a web server to serve client requests. We choose an Adaptive Security Appliance from Cisco to defend servers from various security threats. Cisco ASA provide an end to end security solution, offering protection from OSI (Open Systems Interconnection model) layer 2 to 7. The built in IPS (Intrusion Prevention System) enhance firewall protection by looking deeper into the packets to provide real-time ip protection against worms, trojans, and exploits against application and operating systems vulnerabilities (Iacob, 2014).

We will present two types of security techniques related to two types of web services attacks:

1) Proactive technique (we threat a problem before it become an issue) used against distributed denial of service attacks on web services using tcp syn type of attack;

2) Reactive technique (we threat the problem as it arrives) used against distributed denial of service attacks using http applications resource exhaustion.

1) TCP SYN attack is a type of DoS attack in which a sender transmits a volume of connections that cannot be completed. This causes the connection queues to fill up, in this way denying service to legitimate TCP users.

When a normal TCP connection starts, a destination host receives a SYN packet from a source host and sends back a synchronize acknowledge (SYN ACK). The destination host must then hear an ACK of the SYN ACK before the connection is established. This is referred to as the TCP three-way handshake. In this type of attack the last part of the "three-way handshake" is never completed and the entry remains in the connection queue until a timer expires, typically for about one minute. By generating TCP SYN packets from random IP addresses at a rapid rate, it is possible to fill up the connection queue and deny TCP services (such as web services) to legitimate users.

A proactive approach for this type of attack means to configure the Adaptive Security Appliance to be ready to mitigate tcp syn attack before this will happen.

In order to identify the traffic, we will create a policy map that will match http type of traffic (to protect internal web server) and define the necessary connection limits. The policy map will be applied to the outside interface:

An embryonic connection is a TCP connection request that has not finished the necessary handshake between source and destination. When embryonic connections are configured on ASA, the security appliance intercepts the initial SYN from going to the backend server and forwards the connection only when the 3-way handshake is complete.

2) As a basic security measure, we configured an access list on appliance that permits to enter in local area network only http traffic destined for the web server and have applied this access list on outside interface (the interface facing Internet). All other traffic will be dropped at the outside interface by the security appliance. By using such an inbound ip packet filter, the sql server is not exposed to the internet and web server is exposed only on port 80 (required to server http requests to students using e-learning web platform). If a packet is denied by the access list, the security appliance discards the packet and generates a syslog message indicating that such an event has occurred.

access-list WEBTRAFFIC extended permit tcp any host 4.4.4.4 eq www //where 4.4.4.4 is the ip address of the web server

But this type of access list does not help us to deal with application resource exhaustion Dos attack, which means that the attacking servers/botnets create thousands of application requests (http requests) to our web server, thus consuming the application resources. Http application attacks usually have a pattern or string which may help distinguish the attacking http requests from other legitimate requests. Analyzing http attacking packets, we might find such a common parameter or string, which can be for example a common POST or GET URI request. With the ASA HTTP inspection feature we can match on this common pattern in the HTTP packet and in this way we can filter the attacking packets and drop them.

We will use the access list WEBTRAFFIC that match all traffic destined to our webserver and add to this http inspection:

4. Conclusions

Securing any type of server that run in a network environment is not an easy task. Web and sql servers are one of the most critical type of servers, because of the sensitive data they usually host. Appropriate security practices are essential to operating and maintaining a secure server, because security practices help ensure the confidentiality, integrity and availability of information system resources. All the security techniques described in this article help assure a very good protection for information systems and are the baseline for searching the perfect protection.