<![CDATA[Novalys - Visual Guard HelpDesk]]> <![CDATA[Password Encryption]]> We would need username and password to never be sent in plain text over the wire to the server and should not be stored in unencrypted form on the client machine.

Passwords of users name/password accounts are encrypted (256 bits) in the VG repository.
Windows accounts passwords are not visible/accessible at anytime within VG.

Visual Guard - Version 3.1.912.08 - TBR

]]> <![CDATA[Access within ASP.Net applications]]> At what point within the ASP.Net request pipeline and the page life cycle does Visual Guard .Net come in? This is relevant for all requests in general and the user login page in particular.

On HttpApplication_AuthenticatRequest event:
Visual Guard .Net gets the current identity (WindowsIdentity for site based on Windows authentication, FormsIdentity for site based on Forms authentication).

Visual Guard .Net checks against its repository whether the current user can access or not to the application and provides the principal that will be used by ASP.Net (Context.User).

If the current user cannot access the dotnet application, Visual Guard .Net checks whether the application supports or not anonymous sessions. If the application does not support anonymous session, Visual Guard .Net set the Http Status Code to 401 (Access denied). If anonymous sessions are supported, Visual Guard .Net provides a default principal containing permission for anonymous sessions.



On Page_Init (for Page and MasterPage only):
Visual Guard .Net applies security actions defined for the page. It is also possible to secure other classes of the application, but you should implicitly call Visual Guard .Net to secure these classes.


Visual Guard .NET - Version 2.7.802.29

]]> <![CDATA[encryption and digital authentication]]> We have an application which encrypts the information in a column (this information is highly confidential), we are thinking to have a digital authentication for this part. Can Visual Guard support this kind of tools (to decrypt the information when it is the good user, then to manage digital authentication)?

We may need more specifications about your need to give you an accurate answer.
In the meantime, below is some information:
Visual Guard can work together with 3rd party encryption and/or authentication solutions.

For instance:
You application can call another authentication system (SmartCard, Biometrics, Token...) and then call Visual Guard with the ID of the user once authenticated. In this case, Visual Guard is independent from the authentication system. Visual Guard can then retrieve and enforce the user permissions as usual. This 3rd party authentication may happen anytime you need it: when loging in to the application, when running a sensitive operation... Your application decides when to use the 3rd party authentication and when to call Visual Guard to perform the tasks it is in charge of.
Same for encryption solutions: you may use such a system to encrypt/decrypt source code or data. You application will call Visual Guard whenever it is appropriate to call it - for instance after a data is decrypted.
You may also use Visual Guard permissions to decide when to execute the encryption or authentication solution. For instance, some user may have the required privilege to access encrypted data, in which case you activate the decryption mechanism.

]]> <![CDATA[What if VG Database goes down?]]> What would happen if the Visual Guard .Net data base controlling permissions goes down?

By default users do not have access to your applications when the repository is not available.

It is possible to check availability of the database in your application and retry another authentication on an alternate database. Some database provides FailOver database mechanism.


Visual Guard .NET - Version 2.7.802.29

]]> <![CDATA[Interception of client/DB Server communications ?]]> What if someone intercepts communications between the client and the DB Server on the company network?

If VG repository is stored in a SQL server DB or Oracle DB, VG is compatible with the standard mechanisms provided with the DBMS to encrypt the data transferred between the client and the server.
It will prevent the data from being read.


Visual Guard .NET - Version 2.8.812.19

]]> <![CDATA[Security breach between .NET components inside the app?]]> Can communications between .NET components inside the application be intercepted?

Visual Guard .Net relies on Microsoft Proxy System (Marshall) to manage such communications.
Thanks to this tight integration with the DotNet Framework, most of the security issues are covered by Microsoft itself.
We also run a very large list of security tests for each new version of Visual Guard .Net.
]]> <![CDATA[vulnerability to cyber attacks?]]> Are there any guarantees that Visual Guard .Net does not have a "back door" leaving our systems vulnerable to cyber attacks?

Visual Guard .Net relies on Microsoft Proxy System (Marshall) to manage the communication between DotNet components. Thanks to this tight integration with the DotNet Framework, most of the security issues are covered by Microsoft itself. We also run a very large list of security tests for each new version.

]]> <![CDATA[Could Microsoft disable Visual Guard?]]> Are there any guarantees that at some point in time the method that Visual Guard .Net uses to "hook" into the application will not be altered by Microsoft by a security patch, thus suddenly disabling the application security?

Visual Guard .Net relies on Microsoft Proxy System (Marshall) to manage the communication between DotNet components. In case a Microsoft security patch blocks this low-level technology, not only Visual Guard .Net will stop working, but also all DotNet applications, which is quite unlikely. More generally, there is a very tight integration with the DotNet security framework (certified by Microsoft).

]]> <![CDATA[Can permissions be overwritten ?]]> If Visual Guard applies security settings when the form is loaded, can these control settings be overwritten with other code? For example, if cmdSave is disabled when a form loads for a specific user, can another procedure re-enable this button if it's coded within the form? Or is there a way to ensure that the permissions set in the console application are not circumvented? Our goal is to make sure that ALL application security is controlled through Visual Guard and password protected.
You can run the permission after the change done by the application: you can decide to apply a permission on an event of the application rather than on the initialization of the object.
For example, you can disable (or enable) a control on the event 'EnabledChange' of the control(WinForm application) or on the 'PreRender' event (WebForm)application) or on an event which indicates that the state of the control has to be calculated again.
or
You are able to test directly in your application if the user has a permission and integrate this test in the logic of your application to determine if the control should be enabled or disabled.

Example: If <MYLogic> = true and VGSecurityManager.Principal.HasPermission("MyPermission") then mybutton.Enabled = true



Visual Guard .NET - Version 2.8.812.19
]]> <![CDATA[Interception of Windows / AD communications?]]> What about interception of communications between Windows and Active Directory on the company network?

Visual Guard .Net uses the.NET framework standard mechanisms to communicate between Windows and Active Directory.
These mechanisms secure the communications between Windows and Active Directory.

Visual Guard .NET - Version 2.8.812.19

]]> <![CDATA[Interception of browser / web server communications?]]> How is Visual Guard .Net protected against interception of communications between the browser and the web server on the internet network?

VG is compatible with the SSL/HTTPS protocol to encrypt the information transferring between the browser and the web server (for a web app).

Visual Guard .NET - Version 2.8.812.19

]]> <![CDATA[Is the link between .NET components inside the app secured?]]> Is Visual Guard protected against interception of communications between .NET components inside the application?

Visual Guard .Net relies on Microsoft Proxy System (Marshall) to manage such communications.
Thanks to this tight integration with the DotNet Framework, most of the security issues are covered by Microsoft itself.
We also run a very large list of security tests for each new version of Visual Guard.

]]> <![CDATA[Access to the source code of the application in production]]> Could someone access the source code of the application in production?

VG is compatible with the existing solutions to encrypt the source code of the application and decrypt it when the application is running (i.e.: safenet).

Visual Guard .NET - Version 2.8.812.19

]]> <![CDATA[forbid access to the source code of the app in production?]]> Can we forbid access to the source code of the application in production?

VG is compatible with the existing solutions to encrypt the source code of the application and decrypt it when the application is running (i.e.: safenet).

Visual Guard .NET - Version 2.8.812.19

]]> <![CDATA[Direct access to the tables of the repository]]> Can someone have a direct access to the tables of the repository, and see or modify confidential data?

The main part of the data in VG repository is serialized, so it is unreadable.
A user who connects to the database will not be able to use this information.
Moreover, the very sensitive data, as passwords, will be encrypted by Visual Guard using the algorithm SHA256.

]]> <![CDATA[Vsual Guard .Net and firewalls]]> Can Visual Guard .Net go across several firewalls?

If your firewalls are already configured so that your application can go through, Visual Guard .Net will not be blocked.Also, Visual Guard .Net relies on IIS and ASP.Net to supports https and ssl protocols.

Visual Guard .NET - Version 2.7.802.29

]]>