
webservices - more secure or just more helpful

If I have an application that I send out to users, and the application
interacts with the database (behind the scenes, no direct sql creation by the
users)....do webservices make the app more secure? I always thought of
webservices as just a good way to allow users to have an API for them to
interact with the database, but are webservices useful if the user never
really knows that they are there?
May 7 '07 #1

"Craig" <Cr***@discussions.microsoft.com> wrote in message
news:47**********************************@microsoft.com...
> If I have an application that I send out to users, and the application
> interacts with the database (behind the scenes, no direct sql creation by
> the users)....do webservices make the app more secure? I always thought of
> webservices as just a good way to allow users to have an API for them to
> interact with the database, but are webservices useful if the user never
> really knows that they are there?

Web Services are a secure method of passing data between tier(s) in N-Tier
architect.

http://msdn2.microsoft.com/en-us/library/ms978384.aspx

From a Windows desktop application using Web services, the more you can
reduce the foot print of the installed application on the workstation that's
using Web services, the more secure said application will be overall.

May 7 '07 #2

"Mr. Arnold" <MR. Ar****@Arnold.com> wrote in message
news:8C**********************************@microsoft.com...
>
> "Craig" <Cr***@discussions.microsoft.com> wrote in message
> news:47**********************************@microsoft.com...
>> If I have an application that I send out to users, and the application
>> interacts with the database (behind the scenes, no direct sql creation by
>> the users)....do webservices make the app more secure? I always thought of
>> webservices as just a good way to allow users to have an API for them to
>> interact with the database, but are webservices useful if the user never
>> really knows that they are there?
>
> Web Services are a secure method of passing data between tier(s) in N-Tier
> architect.
>
> http://msdn2.microsoft.com/en-us/library/ms978384.aspx
>
> From a Windows desktop application using Web services, the more you can
> reduce the foot print of the installed application on the workstation
> that's using Web services, the more secure said application will be
> overall.

I'm afraid that I don't follow your argument. Are you suggesting that,
instead of using, for instance, TCP/IP to send queries from the desktop
application to the database server, you would instead use SOAP over TCP/IP
to first send requests to a web service which would then send the queries to
the database? This will not necessarily be more secure, and could be less
secure depending on how it's implemented.
--
John Saunders [MVP]
May 7 '07 #3


"John Saunders [MVP]" <john.saunders at trizetto.com> wrote in message
news:ea**************@TK2MSFTNGP03.phx.gbl...
> "Mr. Arnold" <MR. Ar****@Arnold.com> wrote in message
> news:8C**********************************@microsoft.com...
>>
>> "Craig" <Cr***@discussions.microsoft.com> wrote in message
>> news:47**********************************@microsoft.com...
>>> If I have an application that I send out to users, and the application
>>> interacts with the database (behind the scenes, no direct sql creation
>>> by the users)....do webservices make the app more secure? I always
>>> thought of webservices as just a good way to allow users to have an API
>>> for them to interact with the database, but are webservices useful if
>>> the user never really knows that they are there?
>>
>> Web Services are a secure method of passing data between tier(s) in
>> N-Tier architect.
>>
>> http://msdn2.microsoft.com/en-us/library/ms978384.aspx
>>
>> From a Windows desktop application using Web services, the more you can
>> reduce the foot print of the installed application on the workstation
>> that's using Web services, the more secure said application will be
>> overall.
>
> I'm afraid that I don't follow your argument. Are you suggesting that,
> instead of using, for instance, TCP/IP to send queries from the desktop
> application to the database server, you would instead use SOAP over TCP/IP
> to first send requests to a web service which would then send the queries
> to the database? This will not necessarily be more secure, and could be
> less secure depending on how it's implemented.

I think the less code you have on the client machine, the less the foot
print of said application will be, reducing the attack vector.

From an Internet standpoint, a solution that's coming over the Internet on
HTTP port 80, using a Web service and using encrypted SOAP may be a better
solution than to open up a port on a firewall exposing the port for database
access on a database server using TCP.

The database server when a Web service is accessing it is already behind
the firewall and the database server is not exposed to the Internet.

The only other way I would allow database access for an application over the
Internet would be to use an application server, using .NET Remoting.

The application on the application server would be sending and receiving
data to the client, with the application on the application server accessing
the database on the database server behind the firewall.

A chosen TCP port would be selected for client/server application
communications, using Binary over TCP, encrypted.

If it's an Intranet solution, then maybe it's a different approach.

..
May 8 '07 #4

"Mr. Arnold" <MR. Ar****@Arnold.com> wrote in message
news:1E**********************************@microsoft.com...
>
> "John Saunders [MVP]" <john.saunders at trizetto.com> wrote in message
> news:ea**************@TK2MSFTNGP03.phx.gbl...
>> "Mr. Arnold" <MR. Ar****@Arnold.com> wrote in message
>> news:8C**********************************@microsoft.com...
>>>
>>> "Craig" <Cr***@discussions.microsoft.com> wrote in message
>>> news:47**********************************@microsoft.com...
>>>> If I have an application that I send out to users, and the application
>>>> interacts with the database (behind the scenes, no direct sql creation
>>>> by the users)....do webservices make the app more secure? I always
>>>> thought of webservices as just a good way to allow users to have an API
>>>> for them to interact with the database, but are webservices useful if
>>>> the user never really knows that they are there?
>>>
>>> Web Services are a secure method of passing data between tier(s) in
>>> N-Tier architect.
>>>
>>> http://msdn2.microsoft.com/en-us/library/ms978384.aspx
>>>
>>> From a Windows desktop application using Web services, the more you can
>>> reduce the foot print of the installed application on the workstation
>>> that's using Web services, the more secure said application will be
>>> overall.
>>
>> I'm afraid that I don't follow your argument. Are you suggesting that,
>> instead of using, for instance, TCP/IP to send queries from the desktop
>> application to the database server, you would instead use SOAP over
>> TCP/IP to first send requests to a web service which would then send the
>> queries to the database? This will not necessarily be more secure, and
>> could be less secure depending on how it's implemented.
>
> I think the less code you have on the client machine, the less the foot
> print of said application will be, reducing the attack vector.

All else being equal, that might be the case, but one would need to define
"footprint" and then enumerate the attack vectors and then see which, if any
of them, matter in the particular situation. In any case, I don't think it's
clear enough to make a blanket statement.

> ....
> If it's an Intranet solution, then maybe it's a different approach.

As the OP didn't state whether this was an Internet or Intranet application,
nor whether he sends it to internal or external users, I made the assumption
that this was an Intranet application. That may just be my age talking. ;-)
--
John Saunders [MVP]
May 8 '07 #5

Hi Guys,

As far as I know, .NET remoting is more secure than web services although
you can do a lot to enhance security on the web services like using a secure
port or even a different port and other features that may be implemented.
However, my decision whether to use or not use web services really depends on
the environment I am developing in. If it is heterogeneous and data is going to
pass firewalls, I would definitely use Web Services....Else I would use .NET
remoting if the whole environment is built on .NET.

In the end, Web Services and .NET Remoting are as secure as you can make
them....However, Web Services are better for Reuse than .NET Remoting as well
as more easy to implement....

So go ahead...Use Web Services and change the default port, make internal
directories on your IIS, change defaults, etc...

May 15 '07 #6

"naraby" <na****@discussions.microsoft.com> wrote in message
news:53**********************************@microsoft.com...
> Hi Guys,
>
> As far as I know, .NET remoting is more secure than web services although
> you can do a lot to enhance security on the web services like using a
> secure port or even a different port and other features that may be
> implemented. However, my decision whether to use or not use web services
> really depends on the environment I am developing in. If it is
> heterogeneous and data is going to pass firewalls, I would definitely use
> Web Services....Else I would use .NET remoting if the whole environment is
> built on .NET.
>
> In the end, Web Services and .NET Remoting are as secure as you can make
> them....However, Web Services are better for Reuse than .NET Remoting as
> well as more easy to implement....
>
> So go ahead...Use Web Services and change the default port, make internal
> directories on your IIS, change defaults, etc...

You do know that you can use Binary over HTTP and Web services together with
the Web Server acting as an application gateway for ASP.NET or a Windows
Desktop solution.
May 15 '07 #7
