Client Server socket security

Assuming we have a server S and a few clients (C), and whenever a client updates the server, an internal database on the server is updated and replicated to the other clients. This is all done using sockets in an intranet environment. I believe that an attacker can fairly easily sniff this plain-text traffic. My colleagues believe I am overly paranoid because we are behind a firewall.

Am I being overly paranoid? Do you know of any exploit (link please) that took advantage of a situation such as this, and what can be done differently? Clients were rewritten in Java but the server is still using C++. Is there anything in code that can protect against an attack?

ritu asked Nov 24 '09 21:11



People also ask

How do you secure connection between client and server?

SSL is a security protocol that secures communication between entities (typically, clients and servers) over a network. SSL works by authenticating clients and servers using digital certificates and by encrypting/decrypting communication using unique keys that are associated with authenticated clients and servers.

What is a client server socket?

Sockets are commonly used for client and server interaction. Typical system configuration places the server on one machine, with the clients on other machines. The clients connect to the server, exchange information, and then disconnect. A socket has a typical flow of events.

How secure is socket programming?

Just using sockets doesn't give you any security at all. The right choice depends on the application, the systems you're using, and how much the users understand about what they need to do to use it. For example, if you're interacting with a web server in a secure way, you'll probably end up using TLS/SSL for it.


1 Answer

Inside your company's firewall, you're fairly safe from direct hack attacks from the outside. However, statistics that I won't trouble to dig out claim that most of the damage to a business' data is done from the INside. Most of that is simple accident, but there are various reasons for employees to be disgruntled and not found out; and if your data is sensitive they could hurt your company this way.

There are also boatloads of laws about how to handle personal ID data. If the data you're processing is of that sort, treating it carelessly within your company could also open your company up to litigation.

The solution is to use SSL connections. You want to use a pre-packaged library for this. You provide private/public keys for both ends and keep the private keys well hidden with the usual file access privileges, and the problem of sniffing is mostly taken care of.

Carl Smotricz answered Sep 30 '22 07:09

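The answer's recipe (a pre-packaged TLS library, a key pair at each end, private keys kept out of reach) shown end to end, as an added example that is neither the answerer's code nor the asker's Java/C++ code base. Go is used because its standard library can generate the keys and run both ends in one process, so the example runs offline; the same configuration maps onto OpenSSL on the C++ server and JSSE on the Java clients. The host name `server.intranet.example`, the client identity `client-7`, the rogue identity and the `UPDATE row=42` message are all constructed for the example. Each peer pins the other's self-signed certificate rather than using an internal CA, which is the simplest form of "keys for both ends"; a client that shows up with a certificate the server does not know is refused before it can send an update, and a sniffer on the wire sees only the TLS records:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const serverName = "server.intranet.example" // constructed host name for the server

// SelfSigned makes a fresh key pair and self-signed certificate for name. Each peer pins
// the other's certificate, which is the "keys for both ends" setup the answer describes.
func SelfSigned(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // name the other side verifies against
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced by CreateCertificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// SendUpdate runs mutual TLS over loopback: the server accepts only trustedClient's certificate, the client presents clientCert, sends one update line and returns the server's ACK.
func SendUpdate(server, trustedClient, clientCert tls.Certificate, update string) (string, error) {
	clientPins := x509.NewCertPool()
	clientPins.AddCert(trustedClient.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual TLS: anonymous peers are rejected
		ClientCAs:    clientPins,
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		buf := make([]byte, 1024)
		n, err := conn.Read(buf) // Read runs the handshake; an unpinned peer fails here
		if err != nil {
			return
		}
		who := conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
		fmt.Fprintf(conn, "ACK %s: %s", who, buf[:n]) // echo the authenticated identity
	}()
	serverPins := x509.NewCertPool()
	serverPins.AddCert(server.Leaf)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{clientCert},
		RootCAs:      serverPins, // trust only the pinned server certificate
		ServerName:   serverName, // must match a DNS name in the server's certificate
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	if _, err := conn.Write([]byte(update)); err != nil {
		return "", err
	}
	buf := make([]byte, 1024)
	n, err := conn.Read(buf) // under TLS 1.3 a rejected client sees the failure here
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

func main() {
	srv, _ := SelfSigned(serverName)
	cli, _ := SelfSigned("client-7")
	rogue, _ := SelfSigned("rogue")
	fmt.Println(SendUpdate(srv, cli, cli, "UPDATE row=42"))
	_, err := SendUpdate(srv, cli, rogue, "UPDATE row=42")
	fmt.Println("rogue client rejected:", err != nil)
}
```

Two details carry the security weight. `RequireAndVerifyClientCert` with a `ClientCAs` pool limited to known client certificates means the server authenticates every client, not just the other way round, so an insider with network access but no issued key cannot inject updates. `RootCAs` set to the pinned server certificate means the client ignores the machine's system trust store, so a certificate that some other authority would vouch for does not let a second box impersonate the server. In a real deployment the private keys stay in files readable only by the service account, as the answer says, and with more than a handful of clients an internal CA replaces per-peer pinning.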