Chapter 4 Website Design

4.1 General Design of E-Business Website

For many, the thought of building a web site is a daunting task. But really, it's pretty simple (in terms of the process). Here's what you can expect (in order):

4.1.1 Defining the Task

Once you have decided to hire [COMPANY], the first step is to define the project very carefully and very thoroughly. It is critical to put down on paper what is and isn't included for the agreed-to price. We call this the "Statement of Work" and include it as part of our proposal. For us to prepare this document, we're going to have a lot of questions to ask. If you haven't done so already, please review (and fill out) our free estimate form: [URL]. This form collects the basic information we need to begin developing the Statement of Work. Of course, we will have more questions and will want to talk with you about the details. But this form lays out the basics.

[COMPANY] will prepare a full proposal for you at no cost or obligation. These are not template documents where we change out the executive summary and fire them off en masse. We often have dozens of hours (sometimes much more!) in a single proposal because it is this document, and this document alone, that will define our entire relationship. Some section headings you can expect to find in our website design proposals: Executive Summary, Primary Objectives, Statement of Work, Technology Platforms, Maintenance Terms, Search Engine Rankings, Production Process, Timelines, Deliverables, Fee Breakdown, Terms of Service, etc.

4.1.2 Negotiating Price

As mentioned, there are no set rules as to how we determine price, since everything we do is so customized. So yes, the good news is that there is always room for negotiation. But [COMPANY] isn't into playing pricing games. Our price is primarily based on how much work we have to put into your website, so our idea of negotiation is to discuss how to accomplish the objectives within a budget--not to simply toss around numbers. Sometimes there are sacrifices and compromises that must be made by both [COMPANY] and the client.

4.1.3 Beginning Production

Once the proposal is agreed to and the price is set, [COMPANY] will begin production. We don't ask for a deposit or any kind of advance payment. We don't ask you to sign a contract. We will work completely at our own risk so that at every step of the process, we still have to earn your business. We build everything out on our live development servers ([URL]) so that our clients can monitor our progress in real time. During production, expect to be in contact with [COMPANY] at least every other day (and usually more often than that). We want to make sure we're always on the right track, so we'll touch base with you often.

4.1.5 Develop the Design & Layout

The first phase of production involves building screenshots of what your project will look like. If you ordered a logo, this would be the first thing to produce. The screenshot is a static image that essentially determines the template by which we will build the rest of your website's pages.

4.1.6 Build the 'Alpha Site'

The 'alpha site' is a skeleton of your web site. At this point it is no longer static. The navigation works (but only leads to empty pages). This stage gives us a chance to really see how the site will function before we plug in all the content and any bells and whistles.
4.1.7 Build the 'Beta Site'

When everything is approved with the alpha site, we begin adding your content. This is where the web site really takes on its final form and comes together. For ecommerce and other functional sites, many clients opt to begin accepting a few 'beta testers' to use their site with the understanding that there may still be some bugs to work out.

4.1.8 Final Acceptance

When the beta site is complete, everyone spends some time looking over the site, testing, tweaking, revising, etc. When the client is completely happy with everything, we ask him/her to sign a 'Final Acceptance Agreement' as well as a 'Contract for Professional Services.' (Click to view samples.) These documents do several things. The Final Acceptance Agreement basically states that the project is completely done and that the client is satisfied and agrees to pay. After signing this document, any additional requests for work must fall under the maintenance agreement or will incur additional fees. The Contract for Professional Services is a very standard legal contract that defines ownership, liability, indemnification, and all that other legal mumbo jumbo that is a necessary evil.

4.1.9 Payment & Launch

Our only rule is quite simple: when we get paid, you get your work. We take a big chance by not requiring any payment or contracts from our clients from the outset. Most of our peers think we're nuts to operate this way (though never in our history has a client ever taken us up on this unconditional satisfaction guarantee!). So the only protection that we have against mal-intending clients is to own and possess all the work until payment is received. Not invoiced. Not in the mail. Not when contracts are signed. When your money is in our bank, THEN AND ONLY THEN will we turn everything over to you. At that time we upload and install everything on your infrastructure (or whatever infrastructure has been decided upon). We turn over all development documents to you, including the raw files we used every step of the way. When we're done, you own everything you paid for.

4.1.10 Maintaining the Website

Every client has different needs when it comes to keeping their web site up-to-date. Some require daily or weekly updates. Some just need typos fixed here and there. Some clients can dabble in their own HTML. Some wouldn't want to go near the stuff. Whatever your situation is, we can accommodate you. Every maintenance contract is custom tailored to your specific needs. In general, the way it works is this: We set a minimum number of hours per month that we agree should cover most maintenance work. In exchange for guaranteeing that minimum number of hours, we drop our hourly rates substantially (in half or more!). If you don't use up your full allocation of hours, we spend the balance doing web site promotion (because you can never spend too much time promoting your web site!). If you go over, you're locked into the reduced rate that we've agreed to. Anything more than about 5 hours overtime will be quoted as a 'mini project' with a fixed fee.

4.2 Software and Hardware for Website Design

4.2.1 How to choose an Internet service provider (ISP)

An Internet Service Provider, or ISP, is a company that provides its customers with access to the Internet. Customers may connect to their ISP through dialup (telephone), broadband (including DSL, ISDN and cable modem services), or wireless connections. There are countless national and regional ISPs, and a great many websites exist to help you locate the best one for you.

The Internet holds a huge amount of information about any conceivable subject. You can read the daily news, check your bank balance, monitor share prices, listen to the latest music releases or even watch trailers for the latest movies. The most common use for the Internet is email. This allows you to write a message on your computer and post it to a friend or relative instantly. It is also possible to use the Internet to chat in “real time” with your friends or relatives. This can be by typing, speaking or even videophone. Other facilities exist for obtaining updates and information on your software, testing new
software.

1. What restrictions do Internet service providers (ISPs) have when accessing the Internet?

There are four limitations when using an ISP:
▪ the speed of the connection.
▪ the reliability of the connection.
▪ the volume of information you can download, measured in megabytes (MB) per month.
▪ the time you can be connected to the Internet (hours per month).
Each ISP will have a selection of plans and prices from which you can choose the best value for money to suit your needs.

2. The difference between ISPs

▪ Some ISPs will have added advantages, including access to more information, more accessible (user-friendly) information, or parental controls that can shield you from unsavoury information.
▪ Some ISPs can be set up immediately with a credit card; others may require visiting a shop.
▪ Some ISPs expect you to commit for a 12-month period, some three months, but most are monthly.
▪ Some ISPs have good customer service; others have none or expect you to wait on the telephone for a long time.
▪ Some ISPs have only a limited number of phone lines; you may try to connect to the Internet and get an engaged tone.
▪ Some ISPs have only a small connection to the outside world, which restricts the speed at which you can download information.
▪ Some ISPs have local numbers allowing you to connect from different locations around Australia. Look for 13, 1300 or 1800 numbers. This is useful if you own a portable computer and travel.
▪ Some ISPs allow you to check your email online (from any computer).

3. How can you access the Internet?

Home users access through a “modem” (an electronic box that converts your computer signal into a voice signal) down their telephone line. This is known as a “dial-up connection”. This is the easiest and cheapest option to connect to the Internet. Consider this option first. When you know more about the Internet, you can also use DSL or ISDN, cable or satellite. These are more costly to implement but have faster speeds and do not tie up your phone line. This is only recommended for the more advanced users.

4. Which plan should you choose?

How regularly do you intend to use the Internet? You can estimate the time you are likely to spend on the Internet, and the volume of information, from the following guide:
▪ Low use: eg, checking bank balances, the weather or specific items every few days.
▪ Medium use: eg, daily reading of the newspapers, daily checking of email or news groups.
▪ Heavy use: eg, chatting to friends, downloading a few songs, downloading a few pieces of software, playing online games.
▪ Very heavy use: eg, downloading videos, video chatting, downloading lots of songs or large pieces of software.
Low users should consider a plan of 10 or 20 hours per month, 300 MB download per month (but be careful of additional charges mentioned below). Medium users should allow more time on the Internet, around 50 hours per month. A 300 MB download limit should still suffice. Heavy users who wish to chat online (by typing, not by voice or video), or who are heavily into research, should consider a plan where you can stay on the Internet for an unlimited time. A 300 MB download limit should suffice.
Very heavy users downloading large files (music, video etc) should consider a plan allowing about 1000 MB (called 1 gigabyte) or unlimited downloads. Plans of 100-150 hours per month should suffice.

5. Be careful of “additional charges.”

Most plans, regardless of the agreed usage, allow you unlimited access. The ISP will charge you for any additional time over your agreed limits. Be careful of choosing a plan that is too small, as additional charges may soon increase your bill. For example, you may take a plan at $10 for five hours' use with an additional $3 for each hour you step over the limit. Another plan may exist for $15 allowing you 50 hours per month. If you take the first plan, you may accidentally leave your computer connected when you go to sleep, or get embroiled in a good chat and be unaware of time passing. The charges will soon mount. After seven hours' usage, you are paying more than the 50-hour plan. If you can afford it, consider the slightly larger plan. Some ISPs will allow you to convert the plan mid-month if you realise you are overstepping the mark. Other ISPs will allow you to roll over the unused hours to the following month. Be sure to check before signing up.

6. Free trials: are they worth it?

Sometimes you will obtain a plan offering a “free trial”, usually for a month. This is an excellent way of testing how much you may like to use the Internet. Be careful of two items. Firstly, check how you cancel if you do not like the Internet. Do not provide payment information without knowing a telephone number for customer service. (Some ISPs ask for an email to confirm your cancellation, but if you never managed to get email working this is not really a good option.) Secondly, you will get an email address for everyone to contact you. When you change your ISP, this address will change. Avoid sending out this address to your friends before you know you are happy with the service.

7. Should you use a large or small company?

If you are likely to get frustrated when the Internet is not available, you may need to consider a major supplier. Your ISP's computers may require maintenance and your connection to the Internet will not be available all the time. A major supplier will keep this “down-time” to a minimum, but you may experience longer delays with a smaller ISP. There is also the small risk that you can lose email. Larger companies will be able to offer a higher quality of service in terms of reliability and connection speed, allowing you to browse faster. Usually, however, they charge more or have more restrictions for their plans. Customer support is vital. If you have a problem, you may need to know how to restore access to the Internet. A local supplier or one with a reputable customer support department would be better placed to help you.

4.2.2 Web-based database application services

This is the newest--and perhaps the most intriguing--type of database product: these are database programs that reside entirely on the servers of an "Application Service Provider" (ASP) company. There are several nonprofit-oriented donor/member database services that have started up in the past year. The one with which we're most familiar is e-Tapestry. You purchase e-Tapestry as a service rather than as a product. There's no software to purchase or install on your machines--all you need is a Web browser and an Internet connection (56k works fine, although obviously a high-speed connection is better). The cost depends on the number of records in your database, and starts at FREE for databases with 1000 records or less. For groups with 1000-5000 records, the cost is $99/month. There are a number of additional services that can be added as well. While the program can be customized quite a bit, the fundamental workflow can't be modified as extensively as ebase can permit. However, because e-Tapestry is a hosted application, it is upgraded often, and upgrades are automatically and seamlessly rolled out to all users.
E-Tapestry is a very new product, but we've been very impressed by what we've seen. It's particularly attractive to groups with <1000 members, as it's completely free to small groups, and requires absolutely no hardware or software purchase, and no database expertise to administer or maintain. Another significant benefit of ASP-hosted database products is that they can be accessed by multiple users in multiple locations--something that is quite tricky with any other type of database solution. For groups with more than 1000 members, the cost of e-Tapestry is significant, but that cost has to be weighed against the time and expense of developing your own system or even that of customizing a low up-front cost system such as ebase. If you don't need the total customizability of ebase or a custom solution, and would rather spend some cash than your precious time, then e-Tapestry might be worth investigating. Another prominent ASP-type database product is Social Ecology's DonorLinkIT product. While we haven't reviewed it in-depth, it has features and functions that are roughly similar to e-Tapestry, and a similar pricing model ($99/month for organizations with under 5000 records).

4.2.3 Web Site Security

Successful attacks on websites can result in a great deal of bad publicity, especially when an official site is replaced by pages presenting the host organisation in an unflattering light. Damage to political and government web sites has made the national news, but defacing any website is likely to harm its owner. Internet image increasingly influences attitudes in the real world too, especially for organisations with customers around the world. For many prospective students or sponsors your web site will be their first, and in some cases only, contact with your institution. All web managers should therefore be concerned with security to ensure that the content and conduct of their site remains under control.

Attacks against web servers are not usually motivated by dislike of the owner organisation. Some people just wish to publish their own views and will use any well-connected server for this; others are simply looking for powerful computers with good connectivity to distribute pirated software or to mount attacks on other Internet sites. A web server on a high-speed network like JANET is likely to be a good choice for either type of activity. ... or vulnerabilities in the underlying operating system. There is no point in securing the web function if the rest of the machine offers open doors to intruders.

There are three basic rules for securing any system:
▪ Offer as few services, to as few people, as possible. Extra services will, in any case, affect the machine's performance as a web server as well as providing possible routes for break-ins.
▪ Keep the system up to date. New vulnerabilities are discovered every week, and are exploited soon afterwards.
▪ Check log files for warning signs.
Each of these should continue throughout the life of the server. Although this requires effort, the procedures are well known. Few people have the ability to discover and exploit new vulnerabilities, so the vast majority of security breaches result from well-known problems that could have been avoided. Prevention may seem expensive until you consider the alternative cost of repairing the damage after a breach has occurred.

There are three categories of damage that may result from a security breach: loss of service, loss of information and loss of control.

Loss of service generally happens either by accident or through hostile intent, and is usually caused by overloading the server with requests. Unfortunately it is very hard to protect a public web server against this kind of "denial of service" attack: a web server's function is to respond to requests from browsers, and it is almost impossible to distinguish between a busy day and an attack. No vulnerability is being exploited except the finite capacity of any system, so no amount of preventative work can help. The best solution is to ensure that your system still has spare capacity when "normally" loaded and hope you can handle requests faster than your attacker can generate them. An attack at this level will be highly unpopular with the originating network, as well as your own, so should be stopped at source before too long. JANET-CERT can help in tracing the origin of attacks, and can also advise on blocking problem hosts.
E-Tapestry is a very new product, but we've been very impressed by what we've seen. It's particularly attractive to groups with <1000 members, as it's completely free to small groups, and requires absolutely no hardware or software purchase, and no database expertise to administer or maintain. Another significant benefit of ASP-hosted database products is that they can be accessed by multiple users in multiple locations, something that is quite tricky with any other type of database solution. For groups with more than 1000 members, the cost of e-Tapestry is significant, but that cost has to be weighed against the time and expense of developing your own system or even that of customizing a low up-front cost system such as ebase. If you don't need the total customizability of ebase or a custom solution, and would rather spend some cash than your precious time, then e-Tapestry might be worth investigating. Another prominent ASP-type database product is Social Ecology's DonorLinkIT product. While we haven't reviewed it in-depth, it has features and functions that are roughly similar to e-Tapestry, and a similar pricing model ($99/month for organizations with under 5000 records).

4.2.3 Web Site Security

Successful attacks on websites can result in a great deal of bad publicity, especially when an official site is replaced by pages presenting the host organisation in an unflattering light. Damage to political and government web sites has made the national news, but defacing any website is likely to harm its owner. Internet image increasingly influences attitudes in the real world too, especially for organisations with customers around the world. For many prospective students or sponsors your web site will be their first, and in some cases only, contact with your institution. All web managers should therefore be concerned with security to ensure that the content and conduct of their site remains under control.
Attacks against web servers are not usually motivated by dislike of the owner organisation. Some people just wish to publish their own views and will use any well-connected server for this; others are simply looking for powerful computers with good connectivity to distribute pirated software or to mount attacks on other Internet sites. A web server on a high-speed network like JANET is likely to be a good choice for either type of activity. Although running a web server may make a machine a more attractive target for attackers, it is unlikely to make it significantly easier to break into. Web server software is generally reasonably secure already: successful attacks are usually achieved through errors in configuration or vulnerabilities in the underlying operating system. There is no point in securing the web function if the rest of the machine offers open doors to intruders. There are three basic rules for securing any system:

▪ Offer as few services, to as few people, as possible. Every extra service (mail, FTP, remote administration, a database listening on the network) is a possible route for a break-in, and will in any case take resources away from the machine's job of serving web pages.

▪ Keep the system up to date. New vulnerabilities are discovered every week, and are exploited soon afterwards, so operating system and server patches should be applied as soon as they are released.

▪ Check log files for warning signs: requests for scripts or paths the site does not host, bursts of errors from a single address, or logins at unusual times.

Each of these should continue throughout the life of the server. Although this requires effort, the procedures are well known. Few people have the ability to discover and exploit new vulnerabilities, so the vast majority of security breaches result from well-known problems that could have been avoided. Prevention may seem expensive until you consider the alternative cost of repairing the damage after a breach has occurred. There are three categories of damage that may result from a security breach: loss of service, loss of information and loss of control. Loss of service generally happens either by accident or through hostile intent, and is usually caused by overloading the server with requests.
Unfortunately it is very hard to protect a public web server against this kind of "denial of service" attack: a web server's function is to respond to requests from browsers, and from the server's point of view a busy day and an attack look much alike. No vulnerability is being exploited except the finite capacity of any system, so hardening the server itself does not remove the exposure. The best solution is to ensure that your system still has spare capacity when "normally" loaded and hope you can handle requests faster than your attacker can generate them; the one thing that does distinguish most floods from genuine load is that a small number of sources account for a disproportionate share of the requests, which is what the access log will show. An attack at this level will be highly unpopular with the originating network, as well as your own, so should be stopped at source before too long. JANET-CERT can help in tracing the origin of attacks, and can also advise on blocking problem hosts.
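The third rule above (check the logs for warning signs) and the point about floods coming from a few sources are both things a web manager can script rather than eyeball. The following Python is an added example written for this section; it is not code from the original text or from any product it mentions. It assumes the server writes the Apache/nginx "combined" access-log format, the list of probe patterns and the thresholds are illustrative choices, and the log lines it analyses are constructed here so that it runs offline.

```python
"""Scan a web access log for the warning signs described in the text:
requests for paths that only a vulnerability scanner would ask for, one
address producing a burst of 404s (a scanner walking a wordlist), and a
source sending far more requests than everyone else in the same minute
(a denial-of-service candidate worth reporting to the originating network).

Added example; the log lines in make_sample_log() are constructed, not
taken from any real server."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format. Assumption: adjust if yours differs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths a legitimate visitor to this (static, non-PHP) site never asks for.
# Illustrative list; extend it with what your own server does not host.
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\.\./",             # directory traversal
    r"/cgi-bin/",         # old CGI exploits
    r"\.php$|\.php\?",    # PHP probes on a site that runs no PHP (assumption)
    r"/etc/passwd",
    r"%00",               # null-byte truncation
)]


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def probe_hits(records):
    """{ip: number of requests whose path matches a known-probe pattern}."""
    hits = Counter()
    for r in records:
        if any(p.search(r["path"]) for p in PROBE_PATTERNS):
            hits[r["ip"]] += 1
    return dict(hits)


def not_found_bursts(records, threshold=5):
    """IPs that produced at least `threshold` 404s: scanner behaviour."""
    c = Counter(r["ip"] for r in records if r["status"] == 404)
    return {ip: n for ip, n in c.items() if n >= threshold}


def flood_candidates(records, window_s=60, ratio=10):
    """IPs whose request count in any window is more than `ratio` times the
    (lower) median per-IP count in that window. A busy day raises every
    visitor's count; a flood raises a few sources far above the rest."""
    buckets = defaultdict(Counter)
    for r in records:
        buckets[int(r["ts"].timestamp()) // window_s][r["ip"]] += 1
    flagged = {}
    for counts in buckets.values():
        vals = sorted(counts.values())
        median = vals[(len(vals) - 1) // 2]
        for ip, n in counts.items():
            if n > ratio * max(median, 1):
                flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged


def make_sample_log():
    """Constructed sample: three normal visitors, one scanner probing old
    CGI and traversal paths, and one host sending 300 requests in 30 s."""
    base = datetime(2003, 5, 12, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, path, status):
        return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.0" {status} 1234'

    lines = []
    pages = ["/index.html", "/about.html", "/courses.html", "/contact.html", "/favicon.ico"]
    for i, ip in enumerate(("10.0.0.1", "10.0.0.2", "10.0.0.3")):
        for j, page in enumerate(pages):
            status = 404 if page == "/favicon.ico" else 200
            lines.append(line(ip, base + timedelta(seconds=10 * j + i), page, status))
    probes = ["/cgi-bin/phf?Qalias=x", "/cgi-bin/test-cgi", "/../../etc/passwd",
              "/admin.php", "/cgi-bin/nph-test-cgi", "/index.html%00.txt"]
    for j, path in enumerate(probes):
        lines.append(line("192.0.2.50", base + timedelta(seconds=1 + j), path, 404))
    for j in range(300):
        lines.append(line("198.51.100.7", base + timedelta(milliseconds=100 * j), "/", 200))
    return lines


def analyse(lines):
    """Run all three checks over raw log lines and return the findings."""
    records = [r for r in (parse(l) for l in lines) if r]
    return {
        "probes": probe_hits(records),
        "scanners": not_found_bursts(records),
        "floods": flood_candidates(records),
    }


if __name__ == "__main__":
    for kind, found in analyse(make_sample_log()).items():
        print(kind, found or "none")
```

Run the script directly and it reports the scanner under both probes and scanners and the flooding host under floods, while the three ordinary visitors (each with one harmless 404) are not mentioned. The same functions can be pointed at a real log with `analyse(open("/var/log/httpd/access_log").readlines())`; the addresses it names are the ones to block and to report to the originating network.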