Microsoft .NET Framework Security

Ask ten people “what is information security?” and you’ll get ten answers, most of them probably correct. We have a tendency in this business to take this vast topic area and paint it with the single color of information security. Here, for example, are a handful of typical answers to the “what is information security?” question:

  • Authentication: The act of validating that a user or system is who they claim to be. This is accomplished most commonly using username and password, but can also be done using, for example, Smart Card or any number of biometric techniques (fingerprint, retinal scan, etc.).

  • Authorization: Once the user is authenticated, authorization determines what they are allowed to do on the system. For example, the user may have special administrator rights on the system or the user may be a member of a group with these rights.

  • Access control: The system that controls access to resources, ensuring that authenticated users are able to access only that functionality for which they are authorized.

  • Privacy: Ensuring that data or communications intended to be private remains private. This is often accomplished through cryptography and communication layers depending on cryptography, such as Secure Sockets Layer (SSL).

  • Integrity: After data is communicated or stored, the reader of the data must be able to have assurance that it has not been modified. Cryptographic hashes and signatures often play a role in this area.

  • Uniqueness: In a message-based system, care must be taken to ensure each message is unique and cannot be “replayed” to the detriment of the system. Often serial numbers or time codes are used to prevent this type of vulnerability.

  • Availability: Systems must remain available to authorized users at the times they are supposed to be available.

  • Non-repudiation: Preventing the system from denying having performed an action related to some data.

  • Software vulnerabilities: Protecting a software system against compromise through the sending of specially formatted data via a network or console.

  • Rogue applications: Viruses, malware, and the like, which cause damage to a system when executed.

  • Infrastructure: Firewalls, routers, wireless access points, and other hardware that makes up the physical network infrastructure. Without sufficient infrastructure protection, no system can be declared safe.

  • Endpoint protection: Ensuring that workstations, laptops, handheld devices, and other network “endpoints” are hardened against vulnerabilities that might otherwise put the network or system as a whole at risk.

  • Auditing: Logging and cataloging of data so that problems or compromises can be analyzed in progress or postmortem so that they may be corrected in the future.

  • Physical: The proverbial lock and key, preventing unauthorized individuals from physical proximity to a system or network.

I obviously won’t be able to thoroughly cover all of these topics in this paper, but we will certainly touch on the greatest hits. More importantly, we’ll drill down in these important topics to a level of detail that enables you to understand how to implement such security for yourself in the .NET Framework.
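As a concrete illustration of the Integrity and Uniqueness items above, here is a small .NET Framework receiver that verifies an HMAC-SHA256 tag over each message and rejects any message whose per-sender sequence number has already been seen. This is an added example written for this page, not code from the original article; the pipe-delimited wire format, the class and method names, and the hard-coded demo key are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original article): a receiver that enforces
// integrity with an HMAC-SHA256 tag and uniqueness with a per-sender sequence
// number, so a captured message can be neither altered nor replayed.
// Wire format, names and the demo key are assumptions for this illustration.
public sealed class SignedMessageReceiver
{
    private readonly byte[] _key;
    // Highest sequence number accepted so far, per sender. Anything at or
    // below it is treated as a replay.
    private readonly Dictionary<string, long> _lastSeq = new Dictionary<string, long>();

    public SignedMessageReceiver(byte[] key)
    {
        _key = key;
    }

    // Assumed wire format: sender|seq|payload|HEX(HMAC-SHA256(key, "sender|seq|payload")).
    // The payload must not itself contain '|' in this simplified format.
    public static string Sign(byte[] key, string sender, long seq, string payload)
    {
        string body = sender + "|" + seq + "|" + payload;
        return body + "|" + ComputeTag(key, body);
    }

    private static string ComputeTag(byte[] key, string body)
    {
        using (var mac = new HMACSHA256(key))
        {
            byte[] tag = mac.ComputeHash(Encoding.UTF8.GetBytes(body));
            return BitConverter.ToString(tag).Replace("-", string.Empty); // uppercase hex
        }
    }

    // Compare in constant time so a mismatch does not leak how many leading
    // characters of the tag were correct.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public bool Accept(string message, out string reason)
    {
        string[] parts = message.Split('|');
        if (parts.Length != 4) { reason = "malformed"; return false; }
        string sender = parts[0];
        string body = parts[0] + "|" + parts[1] + "|" + parts[2];

        // Integrity first: a message whose tag does not verify must never be
        // allowed to touch the replay state.
        if (!FixedTimeEquals(ComputeTag(_key, body), parts[3].ToUpperInvariant()))
        {
            reason = "integrity check failed";
            return false;
        }

        long seq;
        if (!long.TryParse(parts[1], out seq)) { reason = "bad sequence number"; return false; }

        // Uniqueness: a sequence number at or below the last accepted one is a replay.
        long last;
        if (_lastSeq.TryGetValue(sender, out last) && seq <= last)
        {
            reason = "replay (sequence " + seq + " already seen)";
            return false;
        }
        _lastSeq[sender] = seq;
        reason = "ok";
        return true;
    }

    public static void Main()
    {
        // Constructed demo key; a real deployment provisions this out of band.
        byte[] key = Encoding.UTF8.GetBytes("demo-key-do-not-use-in-production");
        var receiver = new SignedMessageReceiver(key);
        string reason;

        string m1 = Sign(key, "alice", 1, "transfer 100");
        Console.WriteLine(receiver.Accept(m1, out reason) + " " + reason);     // fresh message
        Console.WriteLine(receiver.Accept(m1, out reason) + " " + reason);     // same bytes again
        string forged = m1.Replace("transfer 100", "transfer 999");
        Console.WriteLine(receiver.Accept(forged, out reason) + " " + reason); // payload altered, tag unchanged
        string m2 = Sign(key, "alice", 2, "transfer 50");
        Console.WriteLine(receiver.Accept(m2, out reason) + " " + reason);     // next sequence number
    }
}
```

Two design points worth noting: the tag is verified before the sequence number is even parsed, so unauthenticated input cannot advance the per-sender counter, and the counter is only updated after a message is fully accepted. A strictly increasing counter is the simplest form of the “serial number” approach the list mentions; systems that must tolerate out-of-order delivery typically keep a sliding window of recently seen numbers instead, and systems using “time codes” additionally need a bounded clock skew and a short-lived cache of accepted timestamps.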
