I am building a iPhone web based app for our execs to view sales data. The app goes over SSL with a typical login page that sets a cookie for the day.
Since the info is sensitive and we have a VPN at work I was hoping as a double precaution I could send all communications with this app over our VPN.
Is there a way I can route traffic over the VPN only for a specific URL? Does anyone have any more info on the "Send All Traffic" in the VPN configuration
Thanks
The app has very little control over the VPN. A properly configured HTTPS site (particularly employing bi-directional certificates) will give you the kind of protection you re looking for your application.
That said, I strongly advocate that business users send all data over the VPN in all cases. This eliminates a wide variety of attacks and provides the opportunity for additional monitoring and protection. Thus, I generally recommend using the "Send All Traffic" VPN configuration. This would allow you to move the app entirely internal, so that outsiders cannot access the login page.
Properly done HTTPS should be sufficient. Provision the phone with a client certificate (there s a tool for that) and ensure the server checks them... and use a revocation list on the server side in case of stolen phones.
Making settings and managing the VPN routers and servers in iPhone is not easy. You should to make some HTTPS settings for this. After this, the client will be able to access your computer. Otherwise iphone vpn will lose its goal to run the server.
For security reasons, it is desirable to check the integrity of code before execution, avoiding tampered software by an attacker. So, my question is How to sign executable code and run only trusted ...
I run findbugs against all of my code and only tackle the top stuff. I finally got the top stuff resolved and now am looking at the details. I have a simple entity, say a user: public class User ...
Anyone know if jsbin.com implements any protection for XSS or other javascript attacks? I see jsbin links used fairly regularly on sites like this one and I can t find any indication from the site ...
Im making a website that will intergrate with game that only support md5 hashing metod (atm). Which ofc is not especially safe anymore. But how could i make it stronger? Should I just generate long ...
I am trying to find out the difference between difference service account types. I tumbled upon this question. The answer was because it has powerful access to local resources, and Network Service ...
I am trying to write a script to prevent brute-force login attempts in a website I m building. The logic goes something like this: User sends login information. Check if username and password is ...
Three SHA512Managed related questions: Is SHA512Managed considered the best one-way hash available in .NET 3.5 for security? What Salt size should be used with SHA512Managed? The application is for ...
[Update] - I attach also full config files, for service, and for client (outside of here, not to flood the topic) I m having situation pretty much identical to the one outlined in this question, ...
