Larry David #1
Certificates? Need guidance...
Hi,
This is one of those posts where not only do I not know the answer, I
don't fully understand the *question* that I should be asking... but I'll
try my best:
I've designed a web site which authenticates users via a login page. The
users can then access their account information. The types of reports that
the user can run depend upon the user's access level. I'm currently storing
all usernames, passwords, and access levels in a SQL Server database. I've
been told that the web site needs to be made more "secure" in two ways:
1) ALL web requests/responses need to be encrypted via SSL.
2) A certain class of users, those with the highest access level, need
to be authenticated in a manner that is more sophisticated than a simple
username/password.
Now #1 was pretty straight-forward. I purchased a digital certificate
from Thawte. I bound it to the ISA listener interface. All SSL connections
are now terminated at the firewall and forwarded to the internal web server
as plain HTTP. Great!
I'm stumped on #2 though. I've done some research and have learned that
there are at least two ways to add EXTRA security to web sites. I can a)
require client certificates and/or b) require the use of a smart card. Can
anyone point me in the right direction on either of these options? Does ISA
need to be configured in a particular way to allow certificate and/or smart
card information to pass through? When ISA "bridges" the connection from SSL
to plain HTTP, will this information be lost in transit? Is my ASP.NET web
site supposed to ask the user to "swipe your smart card now?" If so, since
this action is taking place on the client side, how will my ASP.NET page
know when the swipe has taken place? How is the data transmitted? I'm
utterly confused.
Mr. David
Larry David Guest
-
Granger Godbold #2
Re: Certificates? Need guidance...
If you must, go for the client-certificates; less cost, less hassle.
Granted, client-certificates will be their own pain. If you have the
option, push back on the whole idea of "EXTRA" security; it sounds like
someone in upper management learned a new buzzword. If you want extra
security, *don't* use a web-based solution. You're already spending most
of your time dealing with HTML limitations. If you have to add
certificates, you're going to have to add even more time figuring out
how to make this new security level maintainable (if you did smart
cards, you've got to track the cards, other hardware, etc.) ---ick.
Larry David wrote:
[snip]
> 2) A certain class of users, those with the highest access level, need
> to be authenticated in a manner that is more sophisticated than a simple
> username/password.
[snip]
> I'm stumped on #2 though. I've done some research and have learned that
> there are at least two ways to add EXTRA security to web sites. I can a)
> require client certificates and/or b) require the use of a smart card. Can
> anyone point me in the right direction on either of these options? Does ISA
> need to be configured in a particular way to allow certificate and/or smart
> card information to pass through? When ISA "bridges" the connection from SSL
> to plain HTTP, will this information be lost in transit? Is my ASP.NET web
> site supposed to ask the user to "swipe your smart card now?" If so, since
> this action is taking place on the client side, how will my ASP.NET page
> know when the swipe has taken place? How is the data transmitted? I'm
> utterly confused.
>
> Mr. David
>
Granger Godbold Guest
-
Larry David #3
Re: Certificates? Need guidance...
Yeah, this high-level security stuff is a major PITA! ...and I thought
that designing the site would be the hard part.
Larry David Guest




