views: 82

answers: 2

I have an ASP.Net application which renders sensitive information. The application needs users to log on before viewing the main page of the application. The authentication is done via a web service.

This is simple enough however the hardware design is multi-tiered. 1) Web Server for logon 2) Application server for main application 3) Database

Would one need to write a separate ASP.NET application on Tier 1 which handles the security, or could the application stay as a whole somehow?

If a separate application is needed, how would one pass information that is gathered during authentication to Tier 2? I'm not sure session variables would work, as the information is on another server?

The Tier 2 to Tier 3 communication is simple enough; it's just the security model that I'm stuck on.

There obviously has to be some sort of packet detection so that when a user makes a request, Tier 1 has to validate it and, if validated, pass it on to Tier 2. I'm not sure how that is done?

Thanks

A: 

I recommend using only two tiers - web and server. It'll be much easier to implement and less error prone. All you need is to apply the right settings to your forms authentication section.
Use SSL. Also consider some security testing of the application - SQL injection, rights management, illegal data access (via POST/GET data tampering), XSS, etc.
And check this related question; it'll provide you with some useful information.

zihotki
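A web.config forms-authentication fragment showing the weak defaults next to a hardened version, as an added example that is not part of the answer above; the login page name, timeout and machineKey values are placeholders, and the machineKey element is only needed when more than one server must validate the same ticket.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Weak: default-style settings. The ticket travels over plain HTTP, the
         cookie is readable by script, the idle timeout is long, and no
         authorization rule protects the other pages. -->
    <!--
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx" timeout="2880" requireSSL="false" />
    </authentication>
    -->

    <!-- Hardened: the ticket is encrypted and signed, only sent over HTTPS,
         expires after a short idle period, and anonymous users are denied. -->
    <authentication mode="Forms">
      <forms loginUrl="Login.aspx"
             protection="All"
             requireSSL="true"
             cookieless="UseCookies"
             slidingExpiration="true"
             timeout="20"
             name=".AUTH" />
    </authentication>
    <authorization>
      <deny users="?" />   <!-- "?" denotes anonymous users -->
    </authorization>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Assumed: explicit keys shared by every server that must decrypt and
         validate the ticket; generate real keys instead of these placeholders. -->
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1"
                decryption="AES" />
  </system.web>

  <!-- The login page itself must remain reachable anonymously. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```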
A: 

I decided on Web Server, Application Server with a Web Service and a Database Server. I also went with a security Web Service.

Jon