ASP.NET 2.0 Security Practices - Secure Communication

From Guidance Share


How to choose between IPSec and SSL

Use Secure Sockets Layer (SSL) to protect the communication channel between specific client applications and a server. For example, you could use SSL to secure the channel between a specific Web application and a remote SQL Server. Use SSL when you need granular channel protection for a particular application instead of for all applications and services running on a computer.


Use Internet Protocol Security (IPSec) to secure the communication channel between two servers and to restrict which computers can communicate with one another. For example, you can help secure a database server by establishing a policy that permits requests only from a trusted client computer, such as an application or Web server. You can also restrict communication to specific IP protocols and TCP/UDP ports.


How to secure communication between browser clients and Web server

Use SSL to create a secure encrypted communication channel between browser clients and the Web server.


To use SSL:

  1. Install a server certificate on the Web server.
  2. Install the root certificate authority (CA) certificate from the same authority into the local computer's Trusted Root Certification Authorities certificate store.
  3. Use IIS to configure the server to force the use of encryption while accessing Web pages.
  4. Design your pages with SSL in mind to minimize performance overhead. Optimize pages that use SSL by including less text and simple graphics, and partition your site so that only those pages that contain sensitive data use SSL.
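
The partitioning in step 4 can also be checked inside the application. The following ASP.NET 2.0 HTTP module is an added example, not code from the original guidance; the folder name `~/Secure/`, the class name and the use of port 443 are assumptions.

```csharp
using System;
using System.Web;

// Added example: application-level check for a site partitioned so that only
// the pages under one folder carry sensitive data and must use SSL.
// The folder name "~/Secure/" and the class name are assumptions.
public class RequireSslModule : IHttpModule
{
    private const string SecurePrefix = "~/Secure/";   // hypothetical partition

    public void Init(HttpApplication app)
    {
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;

        // Pages outside the sensitive partition may stay on plain HTTP.
        if (!req.AppRelativeCurrentExecutionFilePath.StartsWith(
                SecurePrefix, StringComparison.OrdinalIgnoreCase))
            return;

        // Already on the encrypted channel: nothing to do.
        if (req.IsSecureConnection)
            return;

        // A form post that arrived over HTTP has already crossed the network
        // unencrypted; a silent redirect would hide that, so refuse it.
        if (req.HttpMethod != "GET" && req.HttpMethod != "HEAD")
        {
            ctx.Response.StatusCode = 403;
            ctx.Response.StatusDescription = "SSL required";
            ctx.Response.End();
            return;
        }

        // Rebuild the same URL on https (assumes the default SSL port 443).
        UriBuilder secure = new UriBuilder(req.Url);
        secure.Scheme = Uri.UriSchemeHttps;
        secure.Port = 443;
        ctx.Response.Redirect(secure.Uri.AbsoluteUri, true);
    }
}
```

Register the module under `<httpModules>` in the `<system.web>` section of Web.config. It only sees requests that ASP.NET handles, so the IIS setting from step 3 is still needed for content that IIS serves directly.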


How to secure communication between servers

Use IPSec to secure the communication channel between two servers and to place restrictions on which client computers can communicate with the server. For example, you can configure IPSec policy to only allow a specific application server to communicate with a database server. Also use IPSec to restrict which TCP port is used for communication and to encrypt all IP traffic that flows between the two servers.


Note that if you restrict all communication, the database server will be unable to communicate with a domain controller. In this scenario, you must use mirrored local accounts (with the same user name and password) on both computers.
