Question about Web Service

  • Question

  • In a Windows application I want to set up a Web Service for the "External" users (2% of this Windows application's users) outside the company Windows domain. I read about WSE 3.0 and X.509 certificates, and they will secure the data transport between the client and the Web Service. However, my question is about the security of the computer hosting the Web Service. This computer will be exposed to the public with IIS installed on it, and it will be located outside the firewall. External users using this Windows application need to connect to the database server (SQL 2005) via the Web Service (i.e. the Internet), so how do we make sure that unauthorized persons (hackers) cannot access the database server via the Web Service? I do not believe that the Web Service and the SQL Server should be on the same computer, and the database server should not be outside the firewall. Can the Web Service then communicate with a remote SQL Server on another computer inside the firewall? If so, how do I achieve this, i.e. execute a SQL stored procedure on a remote SQL Server from the Web Service computer? Thanks.
    Wednesday, December 31, 2008 9:44 PM


  • Not sure this is a WCF question per se, but I'll add a little as this is a very common scenario.  

    Having servers communicate across DMZs (firewall boundaries) is a very common requirement and most network administrators/security teams can handle that.  From an application standpoint you don't really do much differently (at least in my experience).

    To guard the web service you should use all the security mechanisms you can within reason: SSL for the connection security and then the certificates for message security.  In addition, you may want to use another mechanism for authentication/authorization for the user, and those credentials could be secured in the web service message in a variety of ways.

    Nothing is foolproof, and having your server exposed presents a higher risk, since someone could compromise the server and access the database from there without using the web service at all.

    I would consult with your network security team.  If you don't have one I would find a reputable consultant or firm in your area. 
    • Marked as answer by Marco Zhou Friday, January 9, 2009 10:02 AM
    Thursday, January 1, 2009 6:57 PM
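
The call the question asks about, as an added example that is not part of the original thread: a data-access helper the web service could use to run one stored procedure on a SQL Server inside the firewall. The procedure name `dbo.GetOrdersForCustomer`, the `@CustomerId` parameter, the host name in the comment and the login described there are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class RemoteProcedureCaller
{
    // connectionString comes from protected configuration on the web server,
    // never from the client request. Constructed example of its shape:
    //   Data Source=sql-internal.example.local,1433;Initial Catalog=AppDb;
    //   User ID=<service login>;Password=<from config>;Encrypt=True
    // Assumptions: the firewall allows only this web server to reach the SQL
    // Server port, and the login has EXECUTE permission on this procedure
    // only, with no direct access to tables. That limits what an attacker
    // who compromises the exposed server can do with the same credentials.
    public static DataTable GetOrdersForCustomer(string connectionString,
                                                 int customerId)
    {
        if (string.IsNullOrEmpty(connectionString))
            throw new ArgumentException("Connection string is required.",
                                        "connectionString");

        // Validate input at the service boundary before touching the database.
        if (customerId <= 0)
            throw new ArgumentOutOfRangeException("customerId");

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.GetOrdersForCustomer", conn))
        {
            // The procedure name is a constant and the value travels as a
            // typed parameter, so client input never becomes SQL text.
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.CommandTimeout = 15; // seconds
            cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;

            // A named DataTable can be returned from a web method.
            DataTable result = new DataTable("Orders");
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
            return result;
        }
    }
}
```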