PAG ASP.NET Security Beef
I know that a number of folks out there in the wild have been reading this document. I have been reading it in parts over the last couple of weeks.
I found it extremely strange how insistent they seem to be on encrypting the connection between the application server and the database server, to the extent that they are talking about running it over IPSec or SSL. They don't really address their reasoning for this insistence. I can see this being a valuable technique where the communication between your application server and database server must be done over a semi-trusted network. In the case where you totally control the network, is this still necessary or just overkill? I mean, today how many non-ASP.NET applications communicate with the DB server over internal networks using an encrypted connection?
My second beef is that they show you how to set up an IPSec connection between the application server and the database server and then say the technique is only suitable for development servers. They never address how it should be done in production with an actual example.
7:44:09 AM