
Website Security.

  • 02-11-2001 04:32PM
    #1
    Registered Users, Registered Users 2 Posts: 1,399 ✭✭✭


    We have an intranet here in the office that is closed off from external access. We have been asked to set it up for external access but with security on certain sensitive pages contained in the site.

    I was wondering which is the best way of setting it up. I have to hear back from the clients what level they want, but was wondering what you would generally use, i.e. standard ASP login seems too lax for their purpose, but SSL seems like overkill. I don't know a whole lot about it in fairness, so what do you lads suggest?

    Zero.


Comments

  • Registered Users, Registered Users 2 Posts: 6,265 ✭✭✭MiCr0


    Something fancy with ACLs perhaps?


  • Registered Users, Registered Users 2 Posts: 10,501 ✭✭✭✭ecksor


    Not enough information.

    Going with an "asp login" as you suggested suggests that you are going to give the capability to view the restricted pages on a per-user basis, whereas your management seems to be of the opinion that anyone on the private network should be able to view the restricted pages regardless of who they are? If you go with a per-user solution, you will need to check that the user is authenticated and authorised on each relevant page on the site.

    Why is one site doing two jobs? If both of them must share a database or a similar resource, can you link a cut-down version of the site to the same backend and put it in a DMZ like bedlam suggested? I'd be very wary of taking an application that was designed to be secure enough in a relatively trusted environment and exposing it to the Internet.

    As for SSL, I don't see how that solves this problem at all (unless you're going to distribute certificates to all of your clients, which sounds like too much hassle for this application). Having said that, if you're going to send secret information across the Internet then it might be wise (although, this is what you want to avoid in the first place, right?)

    So, uh, I dunno. I don't even know what you have the infrastructure or budget to support :)

    I don't know what MiCr0 is suggesting, but it sounds fancy.
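
The per-page check mentioned in the reply above (authenticated and authorised on each relevant page), as an added example that is not part of the thread or any poster's code. It is written in Python with WSGI rather than ASP, and the paths, roles, session ids and the `sid` cookie name are all constructed assumptions.

```python
# Added example; paths, roles, session ids and the "sid" cookie are constructed.
import posixpath
from http import HTTPStatus
from http.cookies import SimpleCookie

# Sensitive areas of the site and the role each one requires.
SENSITIVE = {"/reports": "finance", "/hr": "hr"}
# Server-side session store: session id -> roles held by that user.
SESSIONS = {"s-alice": {"finance"}, "s-bob": {"hr"}}

def required_role(path):
    """Return the role needed for path, or None if the page is public."""
    # Normalise first so "/public/../hr/x" or "//HR/x" cannot dodge the match
    # (case-insensitive paths are assumed here).
    norm = posixpath.normpath("/" + path.lower().lstrip("/"))
    for prefix, role in SENSITIVE.items():
        if norm == prefix or norm.startswith(prefix + "/"):
            return role
    return None

def check_access(path, session_id):
    """Decide per request; a past visit to the login page proves nothing."""
    role = required_role(path)
    if role is None:
        return HTTPStatus.OK
    roles = SESSIONS.get(session_id)
    if roles is None:
        return HTTPStatus.UNAUTHORIZED  # not authenticated
    if role not in roles:
        return HTTPStatus.FORBIDDEN     # authenticated, not authorised
    return HTTPStatus.OK

def guard(app):
    """WSGI middleware: the check runs before any page handler does."""
    def wrapped(environ, start_response):
        jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        sid = jar["sid"].value if "sid" in jar else None
        status = check_access(environ.get("PATH_INFO", "/"), sid)
        if status is not HTTPStatus.OK:
            line = f"{status.value} {status.phrase}"
            start_response(line, [("Content-Type", "text/plain")])
            return [status.phrase.encode()]
        return app(environ, start_response)
    return wrapped
```

Wrapping the whole application in `guard` keeps the decision in one place, so a sensitive page added later is covered by its prefix rather than by remembering to paste a check into it.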

