ASP + SQLServer - any advice on security precautions?


Author: Chozen1    Location: NW, UK    Posted: Wed Oct 23, 2002 1:59 am    Post subject: ASP + SQLServer - any advice on security precautions?
    ----
Hey all,

I've been asked if it's possible for me to develop an online 'Order records uploading' facility.

This is so 15 Depots of a company we do Business with can each, 24h a day, connect remotely and login, then upload their latest orders to a master database located in the main office.

I have to use ASP and SQLServer but the rest of the spec is open. I am assured that we will outrageously charge each depot to make sure they have a DSL connection so upload speed is no problem.

I'm a little fuzzy, being wet behind the ears, on what security precautions I will require and any problems or differences I need to sort out in order to achieve this future goal. I am assured though that for the time being the only data transfer will be orders to the main DB from the depots via some ASP pages I have to create.

I currently have at my disposal:

Dreamweaver Ultradev 4
IIS 5
MSDE 2000
DSL connection
MS Access 2002


Any suggestions or help would be very welcome on how well I could design this system.

Thanks all

Chozen1


Author: enigman    Location: Sydney    Posted: Wed Oct 23, 2002 8:31 am    Post subject:
    ----
Have they determined what they need done and what level of security for the data, format etc?

Questions you could ask:

Is there a need for separate logons/passwords for each depot?

Is a single user at each site responsible for data entry or is it possible for multiple people at a site to upload the data? If so, do they need separate logons for each person (for audit purposes and to make life easier if someone leaves - you don't want a disgruntled employee logging in with a generic logon and modifying data.)

Will all sites be using the same format for data uploads? Example .CSV or some other format? Will they all be using the same software at all sites to produce the data for data entry? You don't want one site producing data in one format and another in a different format.

Will the system need to cater for single entries from the depots (where a person manually enters the details). Or will it be in the form of raw data uploaded to your ASP application that will then update the database? Do you need to cater for both situations? There might be cases where a client wants to put in a single entry as part of a rush job rather than upload data normally.

If they are uploading data direct to your system where will validation of the data take place? Client side? Server Side or both? One possibility is to produce a run-time Access database that creates the data in a format ready for your database.

Do you need to use SSL/TLS for the duration of the session or only during the logon process (depends on the confidentiality of the data).
If you are going to use SSL/TLS will a self-signed certificate from one of your servers be acceptable to the third party or will they want one signed by a Certificate Authority?

Hopefully some of this makes a modicum of sense.
------
I'd love to, but I don't want to leave my comfort zone.

Author: ShaolinTiger    Location: Kuala Lumpur, Malaysia    Posted: Wed Oct 23, 2002 10:54 am    Post subject:
    ----
Well, enigman has asked most of the questions you need to answer; just to add a couple more things...

How important is this data that's being transferred?

Why not use Web Services so it can all be automated and causes less load on all systems?

Also for an application that could potentially have a high load, using ASP you will have to use very streamlined code, I suggest not using Ultradev to create this application, code it by hand.

As with any project the hardest part is designing the database, making sure it's fully relational, it's as recursive as it needs to be and it fulfills all the needs of the system (and your needs) and any possible future needs (extensible).

Author: Chozen1    Location: NW, UK    Posted: Wed Oct 23, 2002 12:04 pm    Post subject: Cool.
    ----
Questions you could ask:

Is there a need for separate logons/passwords for each depot?

Each Depot has a single login and password, held by management - this is the plan so far.

Is a single user at each site responsible for data entry or is it possible for multiple people at a site to upload the data? If so, do they need separate logons for each person (for audit purposes and to make life easier if someone leaves - you don't want a disgruntled employee logging in with a generic logon and modifying data.)

Good Point, I will bring it up to them.

Will all sites be using the same format for data uploads? Example .CSV or some other format? Will they all be using the same software at all sites to produce the data for data entry? You don't want one site producing data in one format and another in a different format.

I have not as yet used MS SQLServer, but I do know that each site will be provided with a standard set of hardware and software by our company to accomplish these tasks. I assume from this the data will be in whatever format is needed, either entering it on an online form I produce in ASP one record at a time or produced in Access and then uploaded to the site to be converted automatically to be added to the SQLServer DBs on the main host in bulk.

If they are uploading data direct to your system where will validation of the data take place? Client side? Server Side or both? One possibility is to produce a run-time Access database that creates the data in a format ready for your database.

As far as I had thought out I was going to have an online form so the data format would be validated by that client side but the Access DB sounds like a good idea for the bulk upload.

Do you need to use SSL/TLS for the duration of the session or only during the logon process (depends on the confidentiality of the data).
If you are going to use SSL/TLS will a self-signed certificate from one of your servers be acceptable to the third party or will they want one signed by a Certificate Authority?

Don't know, I was hoping I could receive some good advice on the security part of the project, not really covered any in detail so far so any advice or help would be greatly appreciated.

Hopefully some of this makes a modicum of sense. Yes thanks.

How important is this data that's being transferred?

The data will be customers' name and address details (probably important to the customer, data protection and all that) and some order details, i.e. delivery date, cost, part numbers (not too 'Top Secret').


Why not use Web Services so it can all be automated and causes fewer loads on all systems?

Explain further please ?

Also for an application that could potentially have a high load, using ASP you will have to use very streamlined code, I suggest not using Ultradev to create this application, code it by hand.

Thanx.

As with any project the hardest part is designing the database, making sure it's fully relational, it's as recursive as it needs to be and it fulfils all the needs of the system (and your needs) and any possible future needs (extensible).

I've been told the DBs are already made and were set up by the original company that had a less high-tech solution in place. The DBs, as far as I know, are outta my control as far as design and structure and relationships; I will just be completing the data transfer.

I do have some further queries

I have never just added a number of records to a DB automated, how do things like an AUTONUMBER_ID for example customer record ID, get entered as the data does?

How much will multiple users accessing the system slow it down? I'm assuming this is based upon the main office systems which should be top of the line, so I can't think it will be much as the maximum will be 16 users on system concurrently.

Does SQLServer have an auto-backup of the DB function or will I have to create something so that each night at a certain time a script is activated to backup the DB, cos I can't trust the staff at the main office?

Thanks all.

Chozen1

Author: enigman    Location: Sydney    Posted: Wed Oct 23, 2002 12:57 pm    Post subject: Re: Cool.
    ----
Chozen1 wrote:
Questions you could ask:

Do you need to use SSL/TLS for the duration of the session or only during the logon process (depends on the confidentiality of the data).
If you are going to use SSL/TLS will a self-signed certificate from one of your servers be acceptable to the third party or will they want one signed by a Certificate Authority?

Don't know, I was hoping I could receive some good advice on the security part of the project, not really covered any in detail so far so any advice or help would be greatly appreciated.

How important is this data that's being transferred?

The data will be customers' name and address details (probably important to the customer, data protection and all that) and some order details, i.e. delivery date, cost, part numbers (not too 'Top Secret').


I do have some further queries

I have never just added a number of records to a DB automated, how do things like an AUTONUMBER_ID for example customer record ID, get entered as the data does?

How much will multiple users accessing the system slow it down? I'm assuming this is based upon the main office systems which should be top of the line, so I can't think it will be much as the maximum will be 16 users on system concurrently.

Does SQLServer have an auto-backup of the DB function or will I have to create something so that each night at a certain time a script is activated to backup the DB, cos I can't trust the staff at the main office?


Load issues will depend on the roles the server(s) play. If you have one server doing double duty as the DB server and as the web server for the application the users access, it will have a lower threshold than a setup where they are accessing one web server which then connects to a separate DB server (SQL Server is a very resource hungry beast).

For adding records (Autonumber etc) this is where you will need to parse the data uploaded. If a single record, it's easy enough as you are doing an append operation of a single record. If however, you are uploading multiple records, your ASP code will have to parse the records and append them in the appropriate order.

I'm assuming that the backup software employed at your office has a module for backing up SQL databases installed. This is a separate issue from backing up the database within SQL server but is sometimes overlooked.

You could check out Beginning ASP Databases from Wrox press www.wrox.com or you could download the code for the book from their site and have a look at the code to see if it helps. The book is somewhat basic but is a good starting point.

You may also need to include facilities such as reporting successful/unsuccessful uploads, modifying a record (in case they made a mistake) and also including logic so that one site can't modify records for another site (unless this is a required option).

Security issues could include:

Making sure that if a person is entering a record that they don't try and insert SQL commands in fields to subvert the database (SQL Injection).

Login process: If you aren't using SSL/TLS etc then you run the risk of logins/passwords being sent 'in the clear' depending on the client environment and your authentication method.

Order process: Better to have the session secured via SSL/TLS so that your data is less vulnerable to being sniffed in transit. Look at it this way, how valuable would the information be to your competitors? Even if the solution is using self-signed certificates (you use one of your own servers as a certificate server) that will at least be more secure than no protection at all.

Equipment/Software: If your company is supplying the hardware/software who is responsible for ensuring that appropriate patches are in place? As an example, say you standardise on Internet Explorer as the browser to access your site. Then a few months down the track, a vulnerability surfaces in IE that could expose your database in some way. Who then makes sure that the OS and/or browser is patched at the client sites? Your organisation or the client? Can you trust them to update the browser or do you end up doing it yourself? More importantly, will they trust you to update the browser should it come down to it? You might want to make sure that this potential issue is highlighted and appropriate agreement made between both organisations.
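
Added example (not code from any poster in this thread): a single-order ASP handler combining the points raised above, with TLS required for the session, the depot taken from the login session, server-side validation, and a parameterized ADO insert in place of string-built SQL. The `Orders` table and its columns, the form field names, `Session("DepotID")` and `Application("ConnStr")` are hypothetical.

```vbscript
<%
Option Explicit
' Added example. Hypothetical names: Orders table and columns, form field
' names, Session("DepotID") set at login, Application("ConnStr").
Const adInteger = 3, adCurrency = 6, adDBTimeStamp = 135, adVarChar = 200
Const adParamInput = 1, adCmdText = 1, adExecuteNoRecords = 128
Dim depotId, custName, partNo, delivDate, cost, conn, cmd
' Require TLS for the whole session and an authenticated depot.
If LCase(Request.ServerVariables("HTTPS")) <> "on" Or IsEmpty(Session("DepotID")) Then
    Response.Status = "403 Forbidden"
    Response.End
End If
' Depot identity comes from the session, never from the form, so one
' depot cannot file orders under another depot's ID.
depotId = CLng(Session("DepotID"))

' Server-side validation: client-side checks can be bypassed.
custName = Trim(Request.Form("custname"))
partNo = Trim(Request.Form("partno"))
delivDate = Trim(Request.Form("delivdate"))
cost = Trim(Request.Form("cost"))
If Len(custName) = 0 Or Len(custName) > 100 Or Len(partNo) = 0 _
   Or Len(partNo) > 20 Or Not IsDate(delivDate) Or Not IsNumeric(cost) Then
    Response.Status = "400 Bad Request"
    Response.Write "Order rejected: invalid field."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnStr")
' Vulnerable pattern (shown only for contrast): field text becomes SQL text.
'   conn.Execute "INSERT INTO Orders (CustomerName) VALUES ('" & custName & "')"
' Parameterized form: values are sent as typed parameters. The IDENTITY
' (autonumber) key is left out of the column list; SQL Server assigns it.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO Orders (DepotID, CustomerName, PartNo, " & _
                  "DeliveryDate, Cost) VALUES (?, ?, ?, ?, ?)"
cmd.Parameters.Append cmd.CreateParameter("depot", adInteger, adParamInput, , depotId)
cmd.Parameters.Append cmd.CreateParameter("cust", adVarChar, adParamInput, 100, custName)
cmd.Parameters.Append cmd.CreateParameter("part", adVarChar, adParamInput, 20, partNo)
cmd.Parameters.Append cmd.CreateParameter("deliv", adDBTimeStamp, adParamInput, , CDate(delivDate))
cmd.Parameters.Append cmd.CreateParameter("cost", adCurrency, adParamInput, , CCur(cost))
cmd.Execute , , adExecuteNoRecords
conn.Close
Response.Write "Order stored."
%>
```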



All times are GMT + 2 Hours