
Secure access to a remote application?

Status
Not open for further replies.

osu9400

IS-IT--Management
Mar 10, 2003
5
US
I am green when it comes to security issues, so I need some help.

I have 5 remote users who need access to an application on an internet server. This server is co-located at a remote data center. This is not a browser-based app. It is a custom front end and accesses a SQL server. The data that is transferred needs to be secured/encrypted due to the patent application process.

The server is running Windows Server 2003 and my clients all run XP. All of my clients use their own ISP (dial up, DSL, cable modem)

How do I ensure that the data transferred is protected during transmission?

Thanks!!!
 
You definitely want to look into Transport Layer Security (TLS). It uses SSL, but allows you to push any data through the pipe, rather than just browser interaction. Best of all, it should already be installed on all of your clients' machines.

You may also want to look into certificates/PKI for handling authentication. You can be your own CA, and generate certs for free, or you can rely on the more robust architecture of some of the big names like VeriSign, Thawte and Entrust.

What language/development platform are you building in? We might be able to point you to the right libraries/controls.


pansophic
 
Thanks for the note.

The app is built in .NET and the backend is a SQL Server. Note that this is not a browser-based app.

Any additional info you can provide would be much appreciated!!

Thanks again.
 
One possibility is Windows Terminal Services. This may require some lockdown however, and there is the cost of licensing the product to consider.

The "easy" parts of locking it down involve publishing the service on a non-standard port number, running TsVer.exe to limit the builds of the RDP client you'll allow to connect, and AppSec.exe to limit it to the few applications you really need to be accessible through it. The latter two tools should be in the Server Resource Kit for the OS (at least they were on Win2K Server). Apply any Microsoft fixes you need to (there are very few out yet for 2003) and of course firewall the machine allowing only the very fewest ports you need through to the server. For Terminal Services you'll probably only need one port open.

The machine running Terminal Services should ideally be a separate server located within a DMZ network. Using your SQL Server box on your internal network as the TS server is almost asking for it (trouble). You pretty much want to use a box locked down and offering only Terminal Services, possibly not even part of your AD domain at all.

You probably should look into using a VPN for access as well, which adds some complication, some cost, and steals performance. It makes things a lot more secure however and addresses the issue of further scrambling the traffic over public networks.

There are also the Citrix add-ons to Terminal Services. These can be pricey but may add extra value here in terms of security and network performance.

At the end of the day it is almost a lot cheaper to develop new applications for the web, whether using web forms or windows forms clients connected via SOAP messages over SSL. But it sounds like you don't have that luxury at this time.

Other alternatives include products like VNC, but these have their own security vulnerabilities making a VPN necessary once again.

Some things to look into anyway. Economics don't always make "the ultimate setup" possible, so you trade off cost and risk to choose a solution.
 