I am developing a admin interface to do CRUD on sensitive data on a remote server over the internet that need the best security protection. I have 2 choices in hand, but I could not figure out which is the better way to do it.
-
Create a web application using LAMP+SSL and control access using methods such as IP filter, password etc.
-
Create a native server/client application and communicate using TCP socket with SSL-like encryption and control access using password.
I am fully aware that there is nothing safe after putting on the web, and I have considered the option of tunneling into the server and run as a local application.
However, that would be quite difficult to use from the user perspective IMHO, so other than that any better options that is user friendly?
Not very familiar with security stuff, so any advice will be helpful. Thanks.
Neither approach you list is inherently more secure than the other. If you go with a TCP socket then the danger is that someone notices that the server is listening for TCP connections, connects to it, and works out your data exchange protocol. If you go with the web-application approach then the danger is that someone discovers the website URL, makes it past your filtering, and is able to establish (or hijack) an authenticated session.
Either one requires the attacker to execute the same basic steps (discover that the service exists, connect/access the service, convince the service that they have rights to perform protected operations). Either one also requires that you either know what you are doing or thoroughly do your homework in order to create a system that is truly secure.
So in that sense, I’d suggest going with whichever approach you are more familiar with. Of course, it’s worth considering that there is probably a wider range of prebuilt security libraries and tools to choose from if you go the web application route. For instance, there are probably a number of Java Filter implementations that can let you specify IP-based blacklist and whitelist parameters, and many servers will include a prebuilt framework for handling user authentication, and so on.