In today's information age, information networks and information systems have become significant means for modern enterprises to strengthen management and exercise control. Many managers have realized the importance of information systems, and also that using advanced technology to establish a Management Information System is the key means for an enterprise to gain a competitive advantage.

The Worksoft MIS2 was designed and developed under these circumstances. It is in charge of centrally processing the daily financial data and reports of the company and its divisions. The amount of information is huge and very important, since it concerns the confidential business of the enterprise; any loss of or damage to the data will cause substantial losses. At the same time, the financial system is not a closed system: it has to share resources with other systems through the company's backbone network. It is therefore necessary to establish an integrated security defence system which not only ensures the safety, normal operation and high speed of the system, but also prevents malicious attacks by illegal users and safeguards the healthy development of the enterprise.

According to the safety goals of the company's financial system, the emphases of the system security requirements are identification (authentication), access control and authority management, data security, and audit trail. First, the system must have a strict and effective identification mechanism which identifies and authenticates user-end entities (both remote and local) and ensures that unauthorized users cannot access the financial system. This is the premise for carrying out access control and authority management. Second, because the field of application of the financial system covers different units at every management level of the group, access control and authority management in the application system are the most important point.
Finally, the most important thing in the financial system is data; ensuring data security is the root of system safety, and it includes data transmission security, data storage security, and data backup and recovery.

In ASP.NET applications, the identification (authentication) modes include:

(1) Windows authentication: in this mode, ASP.NET identifies users according to IIS and creates a Windows access token to represent the authenticated identity.

(2) Forms authentication: this method uses client-side redirection to send unauthenticated users to a designated HTML form, in which they enter their credentials (usually a user name and password). The system then verifies the credentials, generates an authentication ticket and returns it to the client. The authentication ticket carries the user's identity, and it can be used to determine the user's roles during the session.

(3) Passport authentication: in this mode, ASP.NET uses the centralized authentication service of Microsoft Passport. ASP.NET provides a convenient wrapper for the Microsoft Passport SDK functions, which must be installed on the Web server.

(4) None: "None" denotes that we do not want to verify users, or that we are using a custom authentication protocol.

According to the actual situation of the system, we adopt forms authentication, which identifies users when they access the system. It also uses the MD5 algorithm to digest (one-way hash) the password chosen at system registration, so that the safety of this data can be ensured.

Besides this, ASP.NET also provides two basic methods of authorization: (1) role-based, in which users are assigned to application-defined roles and, within the application, members of a given role share the same authority; (2) resource-based.
In the resource-based method, the various resources are protected through Windows ACLs; the ACL decides who can access a resource and what kind of operation (read, write, delete, etc.) they may execute.

In order to authorize users with different functions and to manage authorization, the system uses role-based authorization. The roles can be divided into the following four kinds: .NET roles, Enterprise Services (COM+) roles, SQL Server user-defined database roles and SQL Server application roles. Combined with the forms authentication used before, the system uses .NET roles to provide authorization, which can limit access to methods according to the authority requirements of the principal.

Finally, in order to protect the secure communication of large amounts of sensitive data in the financial system, we adopt SSL server authentication, which implements secure communication without requiring the client to possess a certificate or key. SSL is a network security protocol between HTTP and TCP which was first adopted by Netscape. It establishes an encrypted channel on top of TCP; the security of the channel depends on the encryption algorithm used in the protocol, which encrypts/decrypts all data passing through the channel and thereby implements security at the transport layer of the communication. The SSL protocol consists of two parts: the handshake protocol and the record protocol. The handshake protocol is used to negotiate the session key between the two communicating parties, while the record protocol defines the transmission format.

Web page transmission usually combines HTTP and SSL: the server uses a Web server which supports SSL, while the client uses a browser which supports SSL, to realize secure communication. The advantage of this configuration is that the client needs no configuration beyond a browser that supports SSL, which realizes a thin client. Although SSL server authentication cannot verify the identity of the client, the identification technology mentioned before solves this problem properly.
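Bringing together the forms identification, MD5 password digest, .NET role authorization and SSL requirement described above, the following added example (my code, not the paper's or Worksoft's) sketches how these mechanisms fit together in an ASP.NET Web Forms application on the .NET Framework; the user names, passwords, role names and the `LedgerService` method are constructed assumptions.

```csharp
// Added example (not the paper's code): ASP.NET Web Forms forms authentication with an MD5
// password digest and .NET role checks. Users, passwords and roles are constructed samples.
using System;
using System.Collections.Generic;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class CredentialStore
{
    // Constructed store: user -> (MD5 hex digest, .NET roles). Caveat: the paper's MD5 digest is
    // unsalted, so equal passwords give equal digests; .NET 4.5+ marks this hashing API obsolete.
    static readonly Dictionary<string, Tuple<string, string[]>> Users =
        new Dictionary<string, Tuple<string, string[]>>(StringComparer.OrdinalIgnoreCase) {
            { "accountant", Tuple.Create(Digest("S3cret!"), new[] { "Finance" }) },
            { "auditor",    Tuple.Create(Digest("Tr@il99"), new[] { "Audit" }) } };
    public static string Digest(string pw) => FormsAuthentication.HashPasswordForStoringInConfigFile(pw, "MD5");
    public static string[] RolesFor(string u) => Users.ContainsKey(u) ? Users[u].Item2 : new string[0];

    // Login handler: constant-time digest comparison (timing must not reveal how much matched);
    // on success ASP.NET issues the ticket cookie and redirects to the originally requested page.
    public static bool SignIn(string user, string password)
    {
        if (!Users.ContainsKey(user)) return false;
        string given = Digest(password), stored = Users[user].Item1;  // both are 32 hex chars
        int diff = 0;
        for (int i = 0; i < given.Length; i++) diff |= given[i] ^ stored[i];
        if (diff == 0) FormsAuthentication.RedirectFromLoginPage(user, false);
        return diff == 0;
    }
}

public class Global : HttpApplication
{
    // Per request: rebuild the principal from the forms ticket and attach the user's .NET roles,
    // so that User.IsInRole and PrincipalPermission demands see them.
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpCookie cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;
        FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
        if (ticket == null || ticket.Expired) return;
        Context.User = new GenericPrincipal(new FormsIdentity(ticket), CredentialStore.RolesFor(ticket.Name));
    }
}

public class LedgerService
{   // Method-level authorization: a principal without the Finance role gets a SecurityException.
    [PrincipalPermission(SecurityAction.Demand, Role = "Finance")]
    public void PostJournalEntry(string account, decimal amount) { /* write to the ledger */ }
}
```

It assumes a web.config with `<authentication mode="Forms"><forms loginUrl="Login.aspx" requireSSL="true" /></authentication>` and `<authorization><deny users="?" /></authorization>`, so that anonymous requests are redirected to the login form and the ticket cookie is only sent over SSL. The `auditor` account can sign in, but a call to `PostJournalEntry` under that principal is rejected by the Finance role demand.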
Thus, by using SSL for server authentication combined with the identification technology described above, we can construct a safe, high-performance communication channel.

The MIS2 has now been successfully deployed in the company; it has achieved the anticipated goals and requirements and is running well. The various ASP.NET-based security mechanisms used in the system ensure that it runs normally, fast and safely.