I have a Client & Server application set, both written in C# but some client versions might be distributed in other languages in the future. I want to protect my applications.
I was looking for some kind of advice to stop just random people sending messages to a server and acting like a client, what kind of validation can I put in place?
My client applications I distribute will be obfuscated but is this enough? I'm just looking for some advice in this situation, is it wise for me to add some kind of encryption other than SSL, or am I just being over protective and over curious? Any input is welcomed & accepted.
It is impossible to determine if you are communicating remotely with "your client" or another piece of software that also knows how to communicate in the way that your client does.
What you can do is ensure that you are communicating with someone that is authorized to communicate with you by using client certificates for your SSL session.
The server proves who it is to the client and the client proves who it is to your server. The security then rests in whoever holds the private key to the client certificate (and the password for this key file).
The C# SslStream Class has support for this. Namely the AuthenticateAsClient method is relevant here.
In summary, if your software is only secure when communicating with a client you wrote, then your software isn't secure period. Instead, design your server in such a way that you can serve client requests securely. Using authentication is one of these ways.
You would want to do two things....one is look up certificate pinning. Your app will validate your SSL cert to thwart man in the middle attacks and it makes it hard to circumvent. The other is when making requests to the server have some type of user name / password block on the server side script before the server side does anything so the requests will simply be discarded by the server if they are from an unknown source.
I have a .NET client that needs to connect to a remote SQL Server over the WAN, is it possible to compress SQL traffic between the client and the server?
I am using .NET 3.5 and SQL Server 2005 and greater.
Looking at the connectionstrings.com here for SQL Server 2008, the database providers do not have some kind of compression scheme...You may need to write a wrapper on a different port, that compresses the data, by using the front end, send the data across that port, from there, compress it, send it across to the remote endpoint, decompress it, and forward it on to the real tcp/ip port where the server is sitting on.
Usually SQL Server sits on port 1433...
Since a picture is worth a thousand words....
+--------+ +--------+
| CLIENT | | SERVER |
+--------+ +--------+
Port 1234 Port 1433 <+--+
| |
| |
+={Module}= <=> TX/RX <=> ={Module}= -+-----------+
The module will sit there on both ends compressing/decompressing...
To be quite honest, it sounds like there will be work involved as the Firewall's holes would have to be punctured to allow the compressed data in and out...throw in NAT/SNAT could make things complicated...
Have a look at this article that I wrote on Codeproject, that code acts as a traffic redirector and could easily be modified to use the compression/decompression scheme..
As others have said there is no compression built in to the SQL Server TDS Protocol. It's also worth saying that by default there is no encryption either. To enable encryption you must use certificates and specify it in the connection strings.
The easiest solution to solve both issues is to open up a VPN tunnel with encryption and compression enabled. Simple Microsoft PPTP solves both issues and is easy to setup.
I don't think there is compression implemented in SQL server connection - if you are in need of compressing data, you should use web service and HTTP compression when communication with the service.
I know this question is over a year old but I found myself looking for this so I thought I would share what I found. There is this (quite expensive) software that compresses SQL server traffic. I am testing it at the moment for one of my clients, it works very well, achieving 60% compression ratios on average.
http://www.nitrosphere.net/store/nitroaccelerator
It is also compatible with clients that don't have this service installed.
if you want to create a tunnel with compression and encryption (can be disabled to save process) without having to create a vpn and also is cross plataform for your delight, here you have one that functions as a client server and using listening ports all life also functions as a firewall as a tunnel to have a single port as a channel to manage remote connections and ports), this tools exists 10 years ago: http://www.winton.org.uk/zebedee/
I'm doing experiments to compress (at level 3) a connection unencrypted SQL Server and I 'm getting good ratios tuneando the level of compression, let the intention that children spend large queries possible data for the limited channel...
updated in: https://sourceforge.net/projects/zebedee/
In this case I suggest to use web services or WCF to send the data instead of using connection to the database.
Check this out : http://www.toonel.net/tcpany.htm
Btw, I also think that SQL Server itself cannot compress trafic, but, with a network tier within application - you can do the compression there.
We are currently also testing the NitroSphere software over our WAN network, and we have a 73% compression rate, and a big speed improvement.
My opinion is that the software is actually cheap compared to SQL Server licensing, Riverbed devices and MPLS WAN connections. So for sure have a look if you have bandwidth troubles. It also support encryption but we do not plan on using this since everything will stay on internal MPLS network.
I have a specialist web app written in C# - my C# code acts as a web server, accepts connections from browsers, and presents the app as web pages.
The existing app uses SSL to secure the connection from the browser, but I am concerned about BEAST, which renders many of the older SSL ciphers insecure. I therefore want to ensure that I only accept connections using TLS1.1 or later, and/or secure cyphers like RC4.
I have already accepted that I will have to ditch the SSL library I was using, and probably switch to .NET 4.5 with SslStream.
Although I see how I can check the cypher for a stream using SslProtocol and CipherAlgorithm, I cannot find a way to force a connection to prefer one of the more secure algorithms. Am I missing something?
For the avoidance of doubt, this is nothing to do with ASP - this server is written in raw C#. I need a programatic way of making SslStream prefer particular ciphers. It is unlikely that I will have the necessary permissions to alter ssl registry settings on the host server.
I want to add some security to a client(iPhone) - server(c#) application I'm working on, mainly to encrypt messages sent between client and server.
I know i should use SSL but not really sure what the steps i need to do in both client and server to implement it.
Can someone please give me some guidance?
I don't use HTTP protocol, i use my own textual protocol, but any way with HTTP or my own protocol how do i add ssl support? i know that in c# there is SSLStream instead of regular Stream. And on ios there is some stream settings i need to configure, i just don't know how to do it.
Host the application using SSL in IIS, then use HTTPS as the service point. [edit] Don't forget you'll need a cert.
Take the easy approach, which is allowed to go on the App Store without having to go through all the encryption law stuff. Simply use a HTTP server and a client.
C# runs the HTTP server (maybe use IIS to handle that? Maybe C# has its own software for that) and the iPhone simply uses NSURLRequest.
Easy to implement and safe, since you'll benefit from patches from Apple and Microsoft.
Update for the updated question: I did some quick research and this kept popping up: kCFStreamPropertySSLSettings - maybe it helps you. It's apparently something for NSStream that allows it to create SSL connections, or something. I'm afraid I can't help you more than that.
I am maintaining a C# app that's been cracked by people creating spoof auth servers.
I want to encrypt all the communications between the client and server to prevent this happening to my next release.
I can see that PHP has a way to secure stuff.
http://www.php.net/manual/en/function.openssl-private-decrypt.php
What I can't find is the C# that will allow me to use the same built in libraries.
Can anyone help?
Did you look into SslStream?