Tech Off Thread

5 posts

How to call a web service running inside a secure network

  • Avid

    Can someone help and give any idea how to call a web service running inside a secure network (domain) from a DMZ zone?

    I have some idea that we may need to open port 80 for the server inside the domain. I want to know: is there any security risk? What is its intensity? And how can we authenticate to the web service?

    Is there any other better option?

    Thanks

  • ManipUni

    Sorry I'm a little confused... So the web-service is located behind a NAT and you are located outside of it?

    If that is the case then you have three options off the top of my head -
    1) Static Routing (External:80 -> Internal:80)

    2) Dynamic Routing (If the IP is from the Whitelist then External:80 -> Internal:80)

    3) VPN (Your machine becomes part of the remote intranet)

    As far as security goes... #2 is the most secure if you limit it to ports you need and make a logical whitelist. #3 is roughly even with #1 in that it entirely depends on how good your infrastructure is, how strong passwords are, etc.

  • Avid

    ManipUni said:

    Sorry I'm a little confused... So the web-service is located behind a NAT and you are located outside of it?

    If that is the case then you have three options off the top of my head -
    1) Static Routing (External:80 -> Internal:80)

    2) Dynamic Routing (If the IP is from the Whitelist then External:80 -> Internal:80)

    3) VPN (Your machine becomes part of the remote intranet)

    As far as security goes... #2 is the most secure if you limit it to ports you need and make a logical whitelist. #3 is roughly even with #1 in that it entirely depends on how good your infrastructure is, how strong passwords are, etc.

    Thanks for your reply. Let's say we run our web service on an internal server and enable SSL with a required client certificate, and set up the certificate on the DMZ server: do we need to set up any extra authentication for the web service? If yes, how?

    I want to make sure that no one has access to this web service and the internal web server other than the server with the client-side certificate in the DMZ zone. Please shed some light. Is there anything else that I should also consider (from a security point of view)?

  • figuerres

    Avid said:
    ManipUni said:
    *snip*

    Thanks for your reply. Let's say we run our web service on an internal server and enable SSL with a required client certificate, and set up the certificate on the DMZ server: do we need to set up any extra authentication for the web service? If yes, how?

    I want to make sure that no one has access to this web service and the internal web server other than the server with the client-side certificate in the DMZ zone. Please shed some light. Is there anything else that I should also consider (from a security point of view)?

    You can do many things...

    One minor example:

    In IIS you can configure the web site running the service to only accept connections from a single IP address if you wish to limit what can connect to it.

    If you are going to use a client certificate and SSL you will also need to open the SSL / HTTPS port.

    Web services and WCF can use certificates, passwords and other methods to secure them.

    But given the case you describe I might just use routing and IP to manage it.

    SSL adds overhead. SSL would be more useful if the two servers were in different offices and had to cross the internet to reach each other.

    Just my opinion.

  • ManipUni

    Avid said:
    ManipUni said:
    *snip*

    Thanks for your reply. Let's say we run our web service on an internal server and enable SSL with a required client certificate, and set up the certificate on the DMZ server: do we need to set up any extra authentication for the web service? If yes, how?

    I want to make sure that no one has access to this web service and the internal web server other than the server with the client-side certificate in the DMZ zone. Please shed some light. Is there anything else that I should also consider (from a security point of view)?

    Why are you putting a server into the DMZ?

    Is this certificate one you have generated in-house? And is the security configured to only allow that exact certificate and not, for example, to allow anything generated by that certificate authority? Also have you considered configuring Windows Firewall to only allow connections to your SSL ports from this known server?
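
The two checks raised in the replies above (allowing only the known server's address, and accepting only the exact client certificate rather than anything issued by the same certificate authority), shown as an added example that is not part of the original thread. The addresses, certificate bytes, file-path parameters and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import ssl

# Constructed sample values (not from the thread).
ALLOWED_SOURCES = [ipaddress.ip_network("192.0.2.10/32")]   # the DMZ server
DMZ_CERT_DER = b"constructed DER bytes of the DMZ client certificate"
OTHER_CERT_DER = b"constructed DER bytes of another cert from the same CA"
PINNED_SHA256 = hashlib.sha256(DMZ_CERT_DER).hexdigest()


def build_server_context(certfile, keyfile, cafile):
    """TLS context for the internal service that refuses clients without a
    certificate chaining to `cafile`. This alone still accepts ANY
    certificate that CA has issued, which is why authorize_peer() exists."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def authorize_peer(peer_ip, peer_cert_der):
    """Decide whether an already-handshaken connection may call the service.

    peer_ip       -- conn.getpeername()[0]
    peer_cert_der -- conn.getpeercert(binary_form=True)
    Returns (allowed, reason) so the refusal reason can be logged."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False, "unparseable source address"
    if not any(addr in net for net in ALLOWED_SOURCES):
        return False, "source address not on allow list"
    if not peer_cert_der:
        return False, "no client certificate presented"
    fingerprint = hashlib.sha256(peer_cert_der).hexdigest()
    # Pin the exact certificate: a valid chain to the CA is not enough.
    if not hmac.compare_digest(fingerprint, PINNED_SHA256):
        return False, "certificate is not the pinned one"
    return True, "ok"
```

Pinning by fingerprint means the pinned value must be updated whenever the DMZ server's certificate is renewed.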
