Security and asp

Thank you Andrew, for your quick answer.
Do you need another tool to enqrypt the data?

Jan

"Andrew Paton" <an**********@nospamplease.nufsaid.net> wrote in message
news:uv**************@TK2MSFTNGP12.phx.gbl...

A secure server would be good - but this would only stop data being
intercepted. You would have to encrypt the data yourself before you insert
it into the database - that way if anyone ever did steal it they would have to try and break encryption on data before they do anything
"Jan G. Thorstensen" <po**@infosupport.no> wrote in message
news:3f********@news.wineasy.se...

Hi. I am a newbie but learning.
Question; If I have a form where people can fill in Name, Address and so

on,

do I need a sequre server to prevent hackers to read the data sent to my
database?

The data I receive are confidential and I want to use Access2000 and ASP.
Jan

Well no - you could pick up an encyption algorithm from somewhere like
planetsourcecode.com

search of the RC4 algorithm - make sure you select Vbscript.

Also when you are selecting you key make sure it is large and alphanumeric
e.g.

SJHjhsdbjfhB&*^£JHBD*2663267dgdf
"Jan G. Thorstensen" <po**@infosupport.no> wrote in message
news:3f******@news.wineasy.se...

Thank you Andrew, for your quick answer.
Do you need another tool to enqrypt the data?

Jan

"Andrew Paton" <an**********@nospamplease.nufsaid.net> wrote in message
news:uv**************@TK2MSFTNGP12.phx.gbl...

A secure server would be good - but this would only stop data being
intercepted. You would have to encrypt the data yourself before you insert

it into the database - that way if anyone ever did steal it they would

have

to try and break encryption on data before they do anything
"Jan G. Thorstensen" <po**@infosupport.no> wrote in message
news:3f********@news.wineasy.se...

Hi. I am a newbie but learning.
Question; If I have a form where people can fill in Name, Address and so

on,

do I need a sequre server to prevent hackers to read the data sent to

my database?

The data I receive are confidential and I want to use Access2000 and

ASP.
Jan

Thank you. It will be interesting to try this out.
Jan
"Andrew Paton" <an**********@nospamplease.nufsaid.net> wrote in message
news:ek**************@TK2MSFTNGP10.phx.gbl...

Well no - you could pick up an encyption algorithm from somewhere like
planetsourcecode.com

search of the RC4 algorithm - make sure you select Vbscript.

Also when you are selecting you key make sure it is large and alphanumeric
e.g.

SJHjhsdbjfhB&*^£JHBD*2663267dgdf
"Jan G. Thorstensen" <po**@infosupport.no> wrote in message
news:3f******@news.wineasy.se...

Thank you Andrew, for your quick answer.
Do you need another tool to enqrypt the data?

Jan

"Andrew Paton" <an**********@nospamplease.nufsaid.net> wrote in message
news:uv**************@TK2MSFTNGP12.phx.gbl...

A secure server would be good - but this would only stop data being
intercepted. You would have to encrypt the data yourself before you insert it into the database - that way if anyone ever did steal it they would have

to try and break encryption on data before they do anything
"Jan G. Thorstensen" <po**@infosupport.no> wrote in message
news:3f********@news.wineasy.se...
> Hi. I am a newbie but learning.
> Question; If I have a form where people can fill in Name, Address

and so on,
> do I need a sequre server to prevent hackers to read the data sent

to

my > database?
>
> The data I receive are confidential and I want to use Access2000 and

ASP.

>
> Jan
>
>

Make sure that you don't overkill here....

To make the communication between browser and web server secure, use a
digital certificate. Will cost, though not much these days... Will
significantly slow the rate at which you can serve pages, although it's
generally not noticeable to end users.

To make access to your database secure (from external people, e.g.
hackers) you need to lock down your database. Think about things like
firewalls etc. on your web server. Again, will slow the server down, but
that's a price most people will pay.

To make the contents of your database secure (from external and internal
people), encrypt it as has been suggested. This'll significantly slow
data access, though.

If you're worried about confidentiality, I'd argue that points 1 & 2 are
all that's needed in most scenarios.

Point 3 is fine, but I work in this area and to be honest, you very
rarely see this approach in the commercial world. If things are
encrypted it's generally only 1 or 2 fields (e.g. cc no & expiry), not
the whole record. Or it might be because you don't trust your internal
staff, let alone external people, to see the data (internal people won't
necessarily use your web site to look at the data so points 1 & 2 are
useless, though if this is an issue you'll probably need to think about
file system security here too). Or maybe you do trust your internal
people, butthey're simply not allowed legally to see the data (e.g.
restrictions between financial jurisdictions).

If you're going about this as a programming exercise, fine. Cryptography
is great fun to find out about. (Applied Cryptography, by Bruce Schnier,
is one of the best technical books I've ever read and I'd highly
recommend it.) But if you're doing this commercially, think about what
you actually need before you dive in.

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

>Also when you are selecting you key make sure it is large and alphanumeric

e.g.

SJHjhsdbjfhB&*^£JHBD*2663267dgdf

Dang! That's the key I was going to use! :)

Jeff
===================================
Jeff Cochran (IIS MVP)
jc*************@naplesgov.com - Munged of Course

I don't get much time to respond to direct email,
so posts here will have a better chance of getting
an answer. Besides, everyone benefits here.

Suggested resources:
http://www.iisfaq.com/
http://www.iisanswers.com/
http://www.iistoolshed.com/
http://securityadmin.info/
http://www.aspfaq.com/
http://support.microsoft.com/
====================================

Thanks a lot Peter. I have saved your answers to my hard disk for
use in my projects.

Jan
"Peter Hurford" <an*******@devdex.com> wrote in message
news:OS**************@tk2msftngp13.phx.gbl...

Make sure that you don't overkill here....

To make the communication between browser and web server secure, use a
digital certificate. Will cost, though not much these days... Will
significantly slow the rate at which you can serve pages, although it's
generally not noticeable to end users.

To make access to your database secure (from external people, e.g.
hackers) you need to lock down your database. Think about things like
firewalls etc. on your web server. Again, will slow the server down, but
that's a price most people will pay.

To make the contents of your database secure (from external and internal
people), encrypt it as has been suggested. This'll significantly slow
data access, though.

If you're worried about confidentiality, I'd argue that points 1 & 2 are
all that's needed in most scenarios.

Point 3 is fine, but I work in this area and to be honest, you very
rarely see this approach in the commercial world. If things are
encrypted it's generally only 1 or 2 fields (e.g. cc no & expiry), not
the whole record. Or it might be because you don't trust your internal
staff, let alone external people, to see the data (internal people won't
necessarily use your web site to look at the data so points 1 & 2 are
useless, though if this is an issue you'll probably need to think about
file system security here too). Or maybe you do trust your internal
people, butthey're simply not allowed legally to see the data (e.g.
restrictions between financial jurisdictions).

If you're going about this as a programming exercise, fine. Cryptography
is great fun to find out about. (Applied Cryptography, by Bruce Schnier,
is one of the best technical books I've ever read and I'd highly
recommend it.) But if you're doing this commercially, think about what
you actually need before you dive in.

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

You may also want to read more about SQL injection attacks...

http://www.sitepoint.com/article/794

David H

Jan G. Thorstensen wrote:

Thanks a lot Peter. I have saved your answers to my hard disk for
use in my projects.

Jan
"Peter Hurford" <an*******@devdex.com> wrote in message
news:OS**************@tk2msftngp13.phx.gbl...

Make sure that you don't overkill here....

To make the communication between browser and web server secure, use a
digital certificate. Will cost, though not much these days... Will
significantly slow the rate at which you can serve pages, although it's
generally not noticeable to end users.

To make access to your database secure (from external people, e.g.
hackers) you need to lock down your database. Think about things like
firewalls etc. on your web server. Again, will slow the server down, but
that's a price most people will pay.

To make the contents of your database secure (from external and internal
people), encrypt it as has been suggested. This'll significantly slow
data access, though.

If you're worried about confidentiality, I'd argue that points 1 & 2 are
all that's needed in most scenarios.

Point 3 is fine, but I work in this area and to be honest, you very
rarely see this approach in the commercial world. If things are
encrypted it's generally only 1 or 2 fields (e.g. cc no & expiry), not
the whole record. Or it might be because you don't trust your internal
staff, let alone external people, to see the data (internal people won't
necessarily use your web site to look at the data so points 1 & 2 are
useless, though if this is an issue you'll probably need to think about
file system security here too). Or maybe you do trust your internal
people, butthey're simply not allowed legally to see the data (e.g.
restrictions between financial jurisdictions).

If you're going about this as a programming exercise, fine. Cryptography
is great fun to find out about. (Applied Cryptography, by Bruce Schnier,
is one of the best technical books I've ever read and I'd highly
recommend it.) But if you're doing this commercially, think about what
you actually need before you dive in.

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!

No problem...

If you're interested in Bruce Schnier's book, check out
http://www.counterpane.com/applied.html.

For the record, I actually use 3 bits of kit (firewall, web server,
database server) and 2 switches/subnets. The web server sits on its own
in an untrusted dmz, the database server sits on a trusted lan, and the
two communicate using tcp/ip through a pinhole in the firewall. That way
I've made it difficult for anyone sitting outside the firewall (i.e. a
hacker) to get as far as the actual database itself. Even if they manage
to hack as far as the web server, they can't get any actual data.

I'd have to say I'd regard this config as a bare minimum for putting
something on the web, especially if you're taking security seriously.

Having said that, my database server is a full-blown sql server box,
which is easy to set up because you just configure it to listen on the
pinhole port. Not sure how you could do this if you're using an mdb,
suspect you'd need to keep the file on the web server and access it
directly. Compromises the security of the system a bit keeping it on the
web server, but not sure what else you can do in this scenario.

But whatever else you do, get yourself a firewall!

Pete

*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!