ASP.NET Application Security Scheme (III) - Secure Communication

Source: Internet
Author: User
Summary: This article covers the secure communication part of ASP.NET application security. It introduces several secure communication technologies and compares them.


Keywords: secure communications, SSL, IPSec, RPC, ASP.NET, Web application


1. Foreword
Any successful application security policy is based on solid authentication and authorization, as well as secure communications that provide confidentiality and integrity of confidential data.
Many applications transmit confidential data between tiers of the application: from the database to the browser, or vice versa. Examples of confidential information include details of bank accounts, credit card numbers and payroll data. In addition, when the logon credentials are transmitted over the network, the application must secure the credential information.

2. Characteristics of Secure communications
2.1. Confidentiality (privacy)
Confidentiality ensures that data stays private and cannot be read by eavesdroppers who may have network monitoring software installed. Confidentiality is usually provided through encryption.

2.2 Integrity
Secure communication channels must ensure that data is not intentionally or unintentionally modified during transmission. Integrity is usually provided through a message authentication code (MAC).
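
The following example is added here and is not from the original article. It shows the MAC-based integrity check of section 2.2 using HMAC-SHA256 from the Python standard library, and it also shows that a MAC alone leaves the data readable, which is why confidentiality (section 2.1) is a separate property. The key, the payroll record and all function names are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # HMAC-SHA256 tag is 32 bytes


class IntegrityError(Exception):
    """Raised when a frame's MAC does not match its payload."""


def protect(key: bytes, payload: bytes) -> bytes:
    """Sender side: append an HMAC-SHA256 tag to the payload."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def verify(key: bytes, frame: bytes) -> bytes:
    """Receiver side: return the payload only if the tag checks out."""
    if len(frame) < TAG_LEN:
        raise IntegrityError("frame shorter than a MAC tag")
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the comparison itself
    # does not reveal how many leading tag bytes were correct.
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("MAC mismatch: payload modified or wrong key")
    return payload


def is_intact(key: bytes, frame: bytes) -> bool:
    """Convenience wrapper: True if the frame verifies under the key."""
    try:
        verify(key, frame)
        return True
    except IntegrityError:
        return False


# Constructed sample data: a payroll record passed between two tiers.
KEY = b"constructed-demo-key-not-for-production"
RECORD = b"employee=1042;salary=58000"
FRAME = protect(KEY, RECORD)
# The record is changed in transit; without the key the original tag
# cannot be recomputed, so the old tag is still attached.
TAMPERED = RECORD.replace(b"58000", b"98000") + FRAME[-TAG_LEN:]

if __name__ == "__main__":
    print("intact frame accepted:  ", is_intact(KEY, FRAME))
    print("tampered frame accepted:", is_intact(KEY, TAMPERED))
    # Integrity is not confidentiality: the record is readable in the frame.
    print("payload visible on wire:", RECORD in FRAME)
```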

3. Secure Communication Technology
3.1 Secure Sockets Layer
Secure Sockets Layer (SSL) technology is most commonly used to protect the channel between browsers and Web servers. However, it can also be used to protect Web service messages and traffic to and from a database server running SQL Server 2000.
When SSL is applied, the client uses the HTTP protocol and specifies an https:// URL, and the server listens on TCP port 443.

Because SSL uses complex cryptographic operations to encrypt and decrypt data, it affects the performance of your application, so you should optimize the pages that use SSL.
When you use Basic authentication or Forms authentication, you should use SSL, because the user name and password are passed in clear text. Generally speaking, you should use SSL not only on the login page, but also on subsequent pages.

3.2 Internet Protocol security
Internet Protocol security (IPSec) provides a transport-layer secure communication solution that protects data passed back and forth between two computers, for example between an application server and a database server.
IPSec can be used to:

Provide message confidentiality by encrypting all data sent back and forth between the two computers.
Provide message integrity between two computers (without encrypting the data).
Provide mutual authentication between two computers (not between users).
Restrict which computers can communicate with each other. You can also restrict traffic to specific IP protocols and TCP/UDP ports.

3.3 Remote Procedure Call encryption
Remote procedure call (RPC) encryption is an authentication level provided by the RPC protocol used by Distributed COM (DCOM). It causes every packet sent between the client and the server to be encrypted.

4. The role of the licensing model
ASP.NET Application Security Scheme (I) - Authentication
ASP.NET Application Security Scheme (II) - Authorization


