Security and asp

  • Thread starter Jan G. Thorstensen

Jan G. Thorstensen

Hi. I am a newbie but learning.
Question: if I have a form where people can fill in Name, Address and so on,
do I need a secure server to prevent hackers from reading the data sent to my
database?

The data I receive are confidential and I want to use Access2000 and ASP.

Jan

Jan G. Thorstensen

Thank you Andrew, for your quick answer.
Do you need another tool to encrypt the data?

Jan

Andrew Paton

Well no - you could pick up an encryption algorithm from somewhere like
planetsourcecode.com.

Search for the RC4 algorithm - make sure you select VBScript.

Also, when you are selecting your key, make sure it is large and alphanumeric,
e.g.

SJHjhsdbjfhB&*^£JHBD*2663267dgdf

Peter Hurford

Make sure that you don't overkill here....

To make the communication between browser and web server secure, use a
digital certificate. Will cost, though not much these days... Will
significantly slow the rate at which you can serve pages, although it's
generally not noticeable to end users.

To make access to your database secure (from external people, e.g.
hackers) you need to lock down your database. Think about things like
firewalls etc. on your web server. Again, will slow the server down, but
that's a price most people will pay.

To make the contents of your database secure (from external and internal
people), encrypt it as has been suggested. This'll significantly slow
data access, though.

If you're worried about confidentiality, I'd argue that points 1 & 2 are
all that's needed in most scenarios.

Point 3 is fine, but I work in this area and to be honest, you very
rarely see this approach in the commercial world. If things are
encrypted it's generally only 1 or 2 fields (e.g. cc no & expiry), not
the whole record. Or it might be because you don't trust your internal
staff, let alone external people, to see the data (internal people won't
necessarily use your web site to look at the data so points 1 & 2 are
useless, though if this is an issue you'll probably need to think about
file system security here too). Or maybe you do trust your internal
people, but they're simply not allowed legally to see the data (e.g.
restrictions between financial jurisdictions).

If you're going about this as a programming exercise, fine. Cryptography
is great fun to find out about. (Applied Cryptography, by Bruce Schneier,
is one of the best technical books I've ever read and I'd highly
recommend it.) But if you're doing this commercially, think about what
you actually need before you dive in.
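As an added illustration, not code posted by anyone in this thread, of the RC4 approach Andrew describes and the field-level encryption Peter mentions: a Python RC4 implementation using the thread's example key, a check showing that one fixed key reused across records leaks the XOR of their contents, and a per-record key derivation (an addition here, not from the thread) that avoids that reuse. The record ids and field values are constructed.

```python
"""RC4 with a fixed key, as suggested in the thread, plus the check a reviewer
would run before storing many records under one key.  Added example; the key
is the one quoted in the thread, the records are constructed."""
import hashlib
import hmac


def rc4_keystream(key: bytes):
    # Key-scheduling algorithm (KSA): permute S using the key bytes.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): one keystream byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    # A stream cipher XORs the keystream in; the same call decrypts.
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# The key quoted in the thread (the pound sign encoded as UTF-8).
KEY = "SJHjhsdbjfhB&*^£JHBD*2663267dgdf".encode("utf-8")


def keystream_reuse_leak(key: bytes, p1: bytes, p2: bytes) -> bool:
    """True when XOR of the two ciphertexts equals XOR of the plaintexts, i.e.
    the shared keystream cancelled out.  With one fixed RC4 key this always
    holds, so two records encrypted under it leak their relationship."""
    return xor(rc4(key, p1), rc4(key, p2)) == xor(p1, p2)


def per_record_key(master: bytes, record_id: str) -> bytes:
    # Mitigation (not from the thread): derive a distinct key per record with
    # HMAC so no two rows share a keystream.  RC4 itself remains obsolete; a
    # modern AEAD such as AES-GCM with a fresh nonce is the real fix.
    return hmac.new(master, record_id.encode(), hashlib.sha256).digest()


def encrypt_field(master: bytes, record_id: str, value: str) -> bytes:
    return rc4(per_record_key(master, record_id), value.encode())
```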

Jeff Cochran

Also, when you are selecting your key, make sure it is large and alphanumeric,
e.g.

SJHjhsdbjfhB&*^£JHBD*2663267dgdf

Dang! That's the key I was going to use! :)

Jeff
===================================
Jeff Cochran (IIS MVP)
(e-mail address removed) - Munged of Course

I don't get much time to respond to direct email,
so posts here will have a better chance of getting
an answer. Besides, everyone benefits here.

Suggested resources:
http://www.iisfaq.com/
http://www.iisanswers.com/
http://www.iistoolshed.com/
http://securityadmin.info/
http://www.aspfaq.com/
http://support.microsoft.com/
====================================

Jan G. Thorstensen

Thanks a lot Peter. I have saved your answers to my hard disk for
use in my projects.

Jan

Peter Hurford

No problem...

If you're interested in Bruce Schneier's book, check out
http://www.counterpane.com/applied.html.

For the record, I actually use 3 bits of kit (firewall, web server,
database server) and 2 switches/subnets. The web server sits on its own
in an untrusted DMZ, the database server sits on a trusted LAN, and the
two communicate using TCP/IP through a pinhole in the firewall. That way
I've made it difficult for anyone sitting outside the firewall (i.e. a
hacker) to get as far as the actual database itself. Even if they manage
to hack as far as the web server, they can't get any actual data.

I'd have to say I'd regard this config as a bare minimum for putting
something on the web, especially if you're taking security seriously.

Having said that, my database server is a full-blown SQL Server box,
which is easy to set up because you just configure it to listen on the
pinhole port. Not sure how you could do this if you're using an .mdb;
I suspect you'd need to keep the file on the web server and access it
directly. Keeping it on the web server compromises the security of the
system a bit, but I'm not sure what else you can do in this scenario.

But whatever else you do, get yourself a firewall!

Pete