

“I’m Already Protected. I’m Using a Firewall.”

Locking down Windows, IIS, and .NET is like protecting a king inside a castle in medieval times. Let’s suppose the king is protected by royal guards inside a castle that is surrounded by a moat. The moat separates the castle from surrounding land and encourages people to use the front gate to enter the castle. In computer security terms, the moat is similar to using a firewall, which turns off unneeded services and protects the computer’s disk and network to ensure that only people who get through the front gate can access the system’s resources. The front gate is similar to the computer’s password system—only people who are properly authenticated can get inside. After entering the castle, castle security (guards and locked doors) ensures that you can venture only where you are permitted to go; this is similar to role-based security within an application and code-access security in .NET. The king himself, in our fantasy castle, is protected by royal guards. In computer security terms, the king represents what intruders are ultimately after—data in a database, or a process that performs some action. The royal guards are the innermost protection for the king—hand-picked, fiercely loyal, and schooled in every martial art known to man. These guards are similar to a Windows-enforced access control list (ACL), which ensures only people who were authenticated at the front gate and who are authorized to see the king get the royal treatment.

Writing secure code is only part of a secure application. A solid authentication system is the castle gate. Role-based and code-access security give you a fine castle security unit. Locking down Windows, IIS, and .NET gives you the final two pieces—a deep moat, and fiercely loyal royal guards. When all these safeguards are working together, the system becomes very hard to penetrate because there is no single point of failure. For example, if an intruder gets through the firewall and bypasses the authentication system, he still won’t be able to access the database because he hasn’t been authenticated. Of course, we don’t want intruders to get through even the first layer of security; the objective is to keep them outside the moat.




Security for Microsoft Visual Basic .NET
ISBN: 735619190
Year: 2003
Pages: 168
