Certificates? Need guidance... - ASP.NET Security

  1. #1

    Certificates? Need guidance...

    Hi,

    This is one of those posts where not only do I not know the answer, I
    don't fully understand the *question* that I should be asking... but I'll
    try my best:

    I've designed a web site which authenticates users via a login page. The
    users can then access their account information. The types of reports that
    the user can run depend upon the user's access level. I'm currently storing
    all usernames, passwords, and access levels in a SQL Server database. I've
    been told that the web site needs to be made more "secure" in two ways:

    1) ALL web requests/responses need to be encrypted via SSL.
    2) A certain class of users, those with the highest access level, need
    to be authenticated in a manner that is more sophisticated than a simple
    username/password.

    Now #1 was pretty straightforward. I purchased a digital certificate
    from Thawte. I bound it to the ISA listener interface. All SSL connections
    are now terminated at the firewall and forwarded to the internal web server
    as plain HTTP. Great!

    I'm stumped on #2 though. I've done some research and have learned that
    there are at least two ways to add EXTRA security to web sites. I can a)
    require client certificates and/or b) require the use of a smart card. Can
    anyone point me in the right direction on either of these options? Does ISA
    need to be configured in a particular way to allow certificate and/or smart
    card information to pass through? When ISA "bridges" the connection from SSL
    to plain HTTP, will this information be lost in transit? Is my ASP.NET web
    site supposed to ask the user to "swipe your smart card now?" If so, since
    this action is taking place on the client side, how will my ASP.NET page
    know when the swipe has taken place? How is the data transmitted? I'm
    utterly confused.

    Mr. David

    Larry David Guest

  2. #2

    Re: Certificates? Need guidance...

    If you must, go for the client-certificates; less cost, less hassle.
    Granted, client-certificates will be their own pain. If you have the
    option, push back on the whole idea of "EXTRA" security; it sounds like
    someone in upper management learned a new buzzword. If you want extra
    security, *don't* use a web-based solution. You're already spending most
    of your time dealing with HTML limitations. If you have to add
    certificates, you're going to have to add even more time figuring out
    how to make this new security level maintainable (if you did smart
    cards, you've got to track the cards, other hardware, etc.) ---ick.

    Larry David wrote:
    [snip]
    > 2) A certain class of users, those with the highest access level, need
    > to be authenticated in a manner that is more sophisticated than a simple
    > username/password.
    [snip]
    > I'm stumped on #2 though. I've done some research and have learned that
    > there are at least two ways to add EXTRA security to web sites. I can a)
    > require client certificates and/or b) require the use of a smart card. Can
    > anyone point me in the right direction on either of these options? Does ISA
    > need to be configured in a particular way to allow certificate and/or smart
    > card information to pass through? When ISA "bridges" the connection from SSL
    > to plain HTTP, will this information be lost in transit? Is my ASP.NET web
    > site supposed to ask the user to "swipe your smart card now?" If so, since
    > this action is taking place on the client side, how will my ASP.NET page
    > know when the swipe has taken place? How is the data transmitted? I'm
    > utterly confused.
    >
    > Mr. David
    >
    Granger Godbold Guest

  3. #3

    Re: Certificates? Need guidance...

    Yeah, this high-level security stuff is a major PITA! ...and I thought
    that designing the site would be the hard part.

    Larry David Guest

  4. #4

    Re: Certificates? Need guidance...

    On Tue, 8 Feb 2005 12:24:55 -0800, "Larry David"
    <org> wrote:

    Yes it is a PITA, but necessary. As opposed to what Granger said, it is
    entirely reasonable to require that some users have expanded, or
    different, security than others. I have such a situation myself.
    There is more than 1 class of users and some will only be able to get
    reports, while others will be able to create and post data. And some
    will be able to edit some kinds of data that others cannot. This is a
    valid business requirement.

    I handle it by the use of client certificates. The certificate
    contains identifying information as to the client and his class. The
    Web App examines the certificate to determine what level of access to
    give him. It sounds simple but was a lot of work to finally
    understand how to do it and implement.

    Hope this helps, Russ
    Russ Guest
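The approach Russ describes, the web application reading the client certificate and deriving an access level from it, looks roughly like the following in ASP.NET. This is an added example, not Russ's code or anything from the thread. It assumes .NET 2.0 or later (for `X509Certificate2`) and that IIS itself terminates SSL with client certificates required on the site; the CA thumbprint, the `AccessLevel` names and the convention that the user's class is carried in the subject's OU attribute are all assumptions for illustration. Two points matter for the original question: a smart card normally holds an ordinary client certificate that the browser presents during the SSL handshake, so the page sees it through the same `Request.ClientCertificate` object and never has to ask the user to "swipe"; and when SSL is bridged to plain HTTP at a proxy such as ISA, the certificate is consumed at the proxy and `IsPresent` is false on the internal server unless the proxy is configured to forward it, in which case the forwarded data must only be accepted from the proxy's own address.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Added example, not code from the thread. Assumes IIS terminates SSL and
// requires client certificates. Behind an SSL-bridging proxy the certificate
// does not reach this code: Request.ClientCertificate.IsPresent will be false.
public static class ClientCertAccess
{
    public enum AccessLevel { None, Reports, Editor, Admin }

    // Assumed: thumbprint of the CA that issues certificates to your users.
    // Placeholder value; replace with your own CA's thumbprint.
    private const string TrustedRootThumbprint = "REPLACE_WITH_YOUR_CA_THUMBPRINT";

    // Returns the access level implied by the presented client certificate,
    // or AccessLevel.None when no acceptable certificate was presented.
    public static AccessLevel Resolve(HttpRequest request)
    {
        HttpClientCertificate clientCert = request.ClientCertificate;
        if (!clientCert.IsPresent || !clientCert.IsValid)
            return AccessLevel.None;

        X509Certificate2 cert = new X509Certificate2(clientCert.Certificate);

        // Any public CA can issue a certificate with an arbitrary subject, so
        // the subject is only meaningful after the chain is verified to end
        // at our own CA.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(cert))
            return AccessLevel.None;
        X509Certificate2 root =
            chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, TrustedRootThumbprint,
                           StringComparison.OrdinalIgnoreCase))
            return AccessLevel.None;

        // Assumed convention: the CA encodes the user's class in the subject
        // OU, e.g. "CN=jane, OU=Admin, O=Example". The level comes from the
        // verified certificate, never from a cookie or form field the client
        // controls.
        string ou = GetSubjectAttribute(cert.Subject, "OU");
        switch ((ou ?? "").ToUpperInvariant())
        {
            case "ADMIN":   return AccessLevel.Admin;
            case "EDITOR":  return AccessLevel.Editor;
            case "REPORTS": return AccessLevel.Reports;
            default:        return AccessLevel.None;
        }
    }

    // Minimal subject-DN attribute lookup; assumes attribute values contain
    // no escaped commas, which holds for DNs your own CA issues.
    internal static string GetSubjectAttribute(string subject, string key)
    {
        foreach (string part in subject.Split(','))
        {
            string[] kv = part.Trim().Split(new char[] { '=' }, 2);
            if (kv.Length == 2 &&
                kv[0].Trim().Equals(key, StringComparison.OrdinalIgnoreCase))
                return kv[1].Trim();
        }
        return null;
    }
}
```

Call `ClientCertAccess.Resolve(Request)` from `Application_AuthenticateRequest` in Global.asax or at the top of the protected page and refuse the request when the returned level is below what the report requires; because the enum values are ordered, `level < ClientCertAccess.AccessLevel.Admin` is a sufficient check. The chain check with the pinned root thumbprint is the part that does the real work: the OU mapping on its own would let anyone with a certificate from any trusted public CA choose their own access level.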
