jonno - Developer IT

What type of security problems are mitigated by this .NET architecture?

- by Jonno

Given the following physical layout for a .NET web application: DB (sql server, windows) - No public route (no table access, only stored procs) Web Service DAL (iis, windows) - No public route (can be accessed by web server via port 80 and 443) Web Server (iis, windows) - Public route (only via port 80 and 443) What type(s) / examples of attack could be used to compromise the public web server but would be blocked by the Web Service DAL? i.e. can you think of concrete attack types that the DAL stops? Please note, I am interested only in the security aspect, not scaling / fault tolerance / performance / etc. In my mind if the web server has been compromised using an attack over port 80/443, then the same attack would work over port 80/443 to the Web Service DAL box.

Read the article

.NET How would I build a DAL to meet my requirments?

- by Jonno

Assuming that I must deploy an asp.net app over the following 3 servers: 1) DB - not public 2) 'middle' - not public 3) Web server - public I am not allowed to connect from the web server to the DB directly. I must pass through 'middle' - this is purely to slow down an attacker if they breached the web server. All db access is via stored procedures. No table access. I simply want to provide the web server with a ado dataset (I know many will dislike this, but this is the requirement). Using asmx web services - it works, but XML serialisation is slow and it's an extra set of code to maintain and deploy. Using a ssh/vpn tunnel so that the one connects to the db 'via' the middle server, seems to remove any possible benefit of maintaining 'middle'. Using WCF binary/tcp removes the XML problem, but still there is extra code. Is there an approach that provides the ease of ssh/vpn, but the potential benefit of having the dal on the middle server? Many thanks.

Read the article

Does using web services to expose a .NET DAL add security?

- by Jonno

Currently my employer deploys a web application over 3 servers. DB - No public route Web Service DAL - No public route Web Server - Public route The reason for this is the theory that if the web server is compromised, they don't arrive at the DB directly, but instead arrive at the DAL box. To my mind, as the DAL box and Web Sever box - both run windows/IIS - if the public box has been compromised, the same exploit would likely work on the DAL box - therefore I do not see this as a real security benefit. I would like to propose we remove the middle machine and allow the web server to connect directly to the database. Is this middle box really a benefit?

Read the article

.NET Deployment of Interface/Classes for Command Pattern Question

- by Jonno

In theory I would like to produce 2 projects: 1) Asp.net (Sever A) 2) DAL running (Server B) I would like to utilise command objects to comunicate with the DAL. ASP.net instantiates a command class e.g. CmdGetAllUsers which impliments IMyCommand interface and sends it to the DAL (using ASMX or WCF). My question is: Would the class definition of CmdGetAllUsers need to exist on the DAL server? Or would having the interface definition be enough? My goal is to reduce the need to redeploy the DAL code, and have it as a fairly simple pass-through layer. Many thanks for your time.

Read the article

Paging Recordsets from SQL Serverside

- by Jonno

I've been banging my head off this one for a while. I want to call 1k records from a SQL database and page them per 100. In classic ASP (where I'm moving from) this was dead easy to do with ADODB but with VB using ADO.net I can't find a single way that doesn't involve stored procs (which I want to avoid for now). It seems really stupid to call all 1k and sort it programmatically. Edit: It's SQL Server 2005 / .net 4.0 / Visual Studio 2010. Edit 2: Just to reiterate, I have Googled extensively and don't want to use stored procedures. There are many ways to get paged data but everything I see involves paging the data in the program rather than from the server.

Developer IT