.NET Framework 2.0 Security Guidelines - Communication Security

From Guidance Share

Jump to: navigation, search

- J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe


Consider transport-level encryption to protect secrets on the network

If your servers are not inside a physically secure data center where the network eavesdropping threat is considered insignificant, you need to use an encrypted communication channel to protect data sent between servers. You can use SSL or IPSec to encrypt traffic and help protect communication between servers. Use SSL when you need granular channel protection for a particular application, instead of protection for all applications and services running on a computer. Use IPSec to help protect the communication channel between two servers and to restrict the computers that can communicate with each other. For example, you can help protect a database server by establishing a policy that permits requests only from a trusted client computer, such as an application or Web server. You can also restrict communication to specific IP protocols and TCP/UDP ports.


If you use the TCP channel with .NET remoting, consider System.Net.Security.NegotiateStream

In .NET Framework 1.1, remoting applications that use the TCP channel do not by default perform authentication or encryption. In .NET Framework 2.0, the remoting framework uses the new System.Net.Security.NegotiateStream class to encrypt and sign the data transported over the channel and to authenticate callers. To use this feature, you can configure the <channel> element in the Machine.config file, the Web.config file, or the App.config file, depending on whether you want to apply the setting across all applications on your computer or to a specific application.

The following example shows how a server specifies that authentication is required and that the channel should be protected with encryption.

<channel ref="tcp" port="1234" 
        authenticationMode="IdentifyCallers" secure="true" />
 

To authenticate clients by using their domain credentials, you need to set the useDefaultCredentials attribute of the <channel> in the client configuration to true. The following example shows a sample client configuration.


<channel ref="tcp" useDefaultCredentials="true" secure="true" 
        impersonationLevel="Identify" />
 

To use Kerberos authentication, the client must specify a service principal name (SPN). This can be done programmatically or in the client's configuration file, as shown in the following example.


<channel ref="tcp" 
        useDefaultCredentials="true" 
        impersonationLevel="Identify" 
        spn="someService/somehost.com" />
 

Note Use of .NET remoting is not encouraged for interprocess or server-to-server communication. .NET remoting is for cross-application domain communication within a process.

Personal tools