I've done a small TCP/IP server which acts quite like an ftp server.
On the client side, I'm using an API to connect and to exchange data against the server.
This server will be on an active-directory ecosystem, so the client.
What kind of API should I use to implement a SSO/AD authentication on my server ?
(Everything is written in C)
I've seen that SqlServer is doing this through the Trusted connection term. Perhaps a simplier to do things ?
Should I lead to SSPI exchange loop ?
Yes, you need to init a security context from the client and accept that contect from the server, loop until the security context has been established. If you are concerned about your private, you can encrypt the entire traffic with Kerberos.
Related
I am trying to establish a secure connection to a SQL Server database over the internet. In the link below a configuration "Encrypting Specific Connections" is described:
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/SQLServer.Concepts.General.SSL.Using.html
I have read elsewhere that mutual authentication (server authenticating the client based on certificate) is not supported by SQL Server. Is the described configuration equivalent to mutual authentication or something completely else?
If it is something else, are there other security features of RDS (apart from ip whitelisting) that can increase security over username and password?
Edit: The connection will be encrypted, so when i say increase security i mean in the sense that would work as a second factor of authentication.
Now an application is connected to a database server in the same LAN and performs selects and inserts.
The database will be moved to a remote location accessible throughout internet. Performance degradation will be addressed reducing the number of operations to the db. It is not possible to use vpn or configure access-in rules based on client IP on the firewall of the net where the database server will be moved. So it seems to me it is necessary to create a database front end in order to protect it. I suppose one way to achieve this goal is to create a web service.
Are there easier alternatives?
I'm new to web services: it should run into Glassfish server while the client would be a c# application.
I read a bit about securing a web service but I'm a confused.
One method I found in internet is to use Glassfish built-in authentication mechanism and configure web.xml limiting the access to the web service URL to a group of users.
It seems an easy approach, are there any drawbacks?
Is it easy to use this type of authentication in the C# client?
Other existing web services wants a parameter key in the request. Then this key is compared with valid ones and if the check is successful the request will be accepted.
Is this approach more secure than the previous one?
Another alternative is to use WSIT but at a first glance it seems over-complicated and all the security mechanisms need a server certificate.
Anyway it looks more secure; does it fit well with JAX-RS and restful web services?
You can use L2TP or PPTP VPN in this case.
Let me show you first Network topology.
Client (accessing firewall with L2TP or PPTP )-----> Firewall (L2TP or PPTP VPN Server)---> Firewall LAN where your Server placed.
In above case all Client come from VPN so its secure and On firewall you have to Configure VPN to LAN rule with client base rule.
I am trying to set up an XMPP server, such that users of my service can communicate with XMPP users of other services. I have two requirements
1) Users of other services must still be able to use whatever client and chat service they are currently using, such as the gmail web client, to talk to my clients.
2) The communication must be encrypted when sent between client and server and server and server. (The later is more difficult)
I setup an XMPP server and federated with gmail, and found that the server to server communications was not encrypted. I next federated my XMPP server with jabber.org, and the connection from my server to jabber.org was encrypted, giving me confidence that my server configuration was correct. Is there any way to encrypt the communication between my XMPP server and Google's Are there any XMPP servers that support TLS with Google Presuming this is not currently supported by Google, are their plans to add TLS on server to server communications in the future? When is it expected?
In lieu of encrypted server to server communications, are there other possibilities (given the above requirements)? Would a Google app engine application have encrypted communication between the gmail server and my Google app engine app and also satisfy the first requirement?
For the communication server to server, you can use AES to encrypt all the communication, and for the password, you can send it with RSA. If you are using python you can use pycrypto, although to test it in the development server have to install that library.
About the client and server comunitacion I'm not sure if you can use the same encryption.
Is there way to make the vb6 desktop application which is not on client network to communicate with sql server which is in the client premises?
A far better option (a necessity if the app is for general distribution) is to use an intermediary service, either over web/HTTP or some other (possibly custom) protocol.
If you app is specific to your company/employer for their internal use, then you will need to use a VPN or similar to allow it to work as if it was on the same internal network.
Note that opening up a database server to the wider internet is asking for trouble and should be avoided at all costs.
Easiest would be to use port forwarding on border router to SQL server.
Better would be to encrypt traffic to/from SQL Server like this: IPSec through NAT: Securing SQL Server remote connections
How can I secure connection or db credentials when directly accessing the DB server over the internet from the client side application.
Use SSL, or encrypt the user/password yourself before sending it.
SSL or some other credential obfuscation (depends on database server) will work in the case where you have a remote client directly talking to the server, but that will require the remote side know the credentials. If you want to prevent them from knowing the DB login information you'll have to write some form of adapter.
This question could use a lot more detail.