web service for accessing db?

hi,
is a web service a good solution for accessing (heavily) a database (remote or not)? That looks slow; any other methods for a secure connection? Some of the coworkers want to use a web service because they don't want to expose the connection string. Thanks for the advice.

Andy,
Do you in other words mean that they invented the other solutions than webservices to support insecure connections.

Cor

yeah, that's what I thought :) a web service is by its nature insecure. The guy argues that embedding the connection string in code is not secure enough compared to a web service.

"Cor Ligthert[MVP]" <notmyfirstn***@planet.nl> wrote in message news:90A87BCB-2829-48BE-98EB-E96EB5B7E9DF@microsoft.com...
> Andy,
>
> Do you in other words mean that they invented the other solutions than
> webservices to support insecure connections.
>
> Cor

"s" after http makes the web service very secure with 128 bit SSL encryption

"Andy" <kc2***@yahoo.com> wrote in message news:%23bvFEANGIHA.5980@TK2MSFTNGP04.phx.gbl...
> yeah, that's what I thought :) a web service is by its nature insecure. The
> guy argues that embedding the connection string
> in code is not secure enough compared to a web service.

yes, but it also makes it very slow, right? I mean, a web service was not meant to be the main bridge to a database, as I understand it.

"Jim Rand" <jimr***@ix.netcom.com> wrote in message news:O1UC5oNGIHA.5980@TK2MSFTNGP04.phx.gbl...
> "s" after http makes the web service very secure with 128 bit SSL
> encryption

From testing, the web service is a bit slower than a direct connect.
However, speed is still quite good. To load 14000 rows over https via the Internet (cable modem) takes 3 to 4 seconds (dataset serialized as xml [3.5 megabytes]). Updates involving 10 rows (round trip to get the autoincrement key and new timestamps is sub second - snap your finger - the start of the update is the beginning of the snap sound - the end of the update is the end of the snap sound). Not very scientific but it works for me.

"Andy" <kc2***@yahoo.com> wrote in message news:OfIIlKOGIHA.1204@TK2MSFTNGP03.phx.gbl...
> yes, but it also makes it very slow, right?
> I mean, a web service was not meant to be the main bridge to a database, as I
> understand it.

Hi Andy,

Of course web service is more secure when used correctly. The best security is when you encrypt and sign at message level.
However I don't think you actually need web services at all. Web services are useful when the client is unknown (in your case when the client is not .net).
Unless you want to support unknown clients it is better if you avoid web services because they are clumsy and very verbose as they have to support many different scenarios.
So, the bottom line is that you should use Windows Communication Foundation with binary transfer or good old remoting.

--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/

"Andy" <kc2***@yahoo.com> wrote in message news:O9MMSW2FIHA.6068@TK2MSFTNGP05.phx.gbl...
> hi,
> is a web service a good solution for accessing (heavily) a database (remote or
> not)? That looks slow; any other methods for a secure connection? Some of
> the coworkers want to use a web service because they don't want to
> expose the connection string.
> Thanks for the advice.

Hi Miha,
thanks for the response, so how good actually is security with remoting? The problem is that I have to decide what to use from an old win32 application for accessing SQL Server 2005. All clients are within the network or accessing the network through VPN. I decided to use regular ADO but some argue that exposing the connection string is not safe. But we're already in the network, so what would be the point in using a web service? I don't see benefits at all.

"Miha Markic" <miha at rthand com> wrote in message news:eH8GXeYGIHA.5328@TK2MSFTNGP05.phx.gbl...
> Hi Andy,
>
> Of course web service is more secure when used correctly. The best
> security is when you encrypt and sign at message level.
> However I don't think you actually need web services at all. Web services
> are useful when the client is unknown (in your case when the client is not
> .net).
> Unless you want to support unknown clients it is better if you avoid web
> services because they are clumsy and very verbose as they have to support
> many different scenarios.
> So, the bottom line is that you should use Windows Communication
> Foundation with binary transfer or good old remoting.
>
> --
> Miha Markic [MVP C#, INETA Country Leader for Slovenia]
> RightHand .NET consulting & development www.rthand.com
> Blog: http://cs.rthand.com/blogs/blog_with_righthand/

"Andy" <kc2***@yahoo.com> wrote in message news:eB%23tLJaGIHA.700@TK2MSFTNGP05.phx.gbl...
> Hi Miha,
> thanks for the response, so how good actually is security with remoting?
> The problem is that I have to decide what to use from an old win32 application for
> accessing SQL Server 2005.
> All clients are within the network or accessing the network through VPN. I
> decided to use regular ADO but some argue that exposing the connection string
> is not safe. But we're already in the network, so what would be the point
> in using a web service? I don't see benefits at all.

It doesn't matter whether it is remoting or web services.
The point is (briefly), that if you expose the connection string, a malicious user can read its content and connect to sql server directly.
So he can do whatever the connection string allows him to do, and even worse, the user might exploit some sql server bug, etc.
OTOH if the user is accessing through some sort of service, the user won't be seeing sql server at all. The user would be allowed to do only what the service allows him to do.
BTW what authentication do you use - sql server or integrated?

--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/

I use integrated authentication.
I agree with everything, but what's the point in this case when clients are inside the network anyway or using vpn? Plus I have the connection string embedded in the code.

"Miha Markic" <miha at rthand com> wrote in message news:OgHIVUgGIHA.4712@TK2MSFTNGP04.phx.gbl...
> It doesn't matter whether it is remoting or web services.
> The point is (briefly), that if you expose the connection string, a
> malicious user can read its content and connect to sql server directly.
> So he can do whatever the connection string allows him to do, and even worse,
> the user might exploit some sql server bug, etc.
> OTOH if the user is accessing through some sort of service, the user won't be
> seeing sql server at all. The user would be allowed to do only what the service
> allows him to do.
> BTW what authentication do you use - sql server or integrated?
> --
> Miha Markic [MVP C#, INETA Country Leader for Slovenia]
> RightHand .NET consulting & development www.rthand.com
> Blog: http://cs.rthand.com/blogs/blog_with_righthand/

"Andy" <kc2***@yahoo.com> wrote in message news:eiilWvpGIHA.4956@TK2MSFTNGP06.phx.gbl...
> I use integrated authentication.
> I agree with everything, but what's the point in this case when clients
> are inside the network anyway

It all depends on how much security you want to put into your application.
What if one of your users is malicious or if somebody steals his/her credentials?

> or using vpn?

VPN only protects the data transport and authentication but it doesn't protect your application.

> Plus I have the connection string embedded in the code.

Doesn't matter. If your application can get to the connection string then any user with the same credentials (a user that can run your application) can get to it.
Putting the connection string into the application is a weak defence (i.e. take a look at Reflector). It would be better if you encrypt it. But still the above sentence is valid anyway.

--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/
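
A build-time audit for the point made in the last reply, that a connection string embedded in the client can be read back out of the binary. This is an added example, not code from the thread; the sample bytes, host name and function names are constructed. It scans for UTF-16LE as well as ASCII runs because .NET stores string literals as UTF-16, and it separates SQL-login strings from integrated-authentication ones.

```python
import re

# Printable runs in the two encodings string literals usually take in a binary.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{12,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){12,}")  # .NET literals are UTF-16LE

TARGET = re.compile(r"(?:Data Source|Server|Initial Catalog|Database)\s*=", re.I)
SECRET = re.compile(r"((?:Password|Pwd)\s*=)[^;]*", re.I)
INTEGRATED = re.compile(
    r"(?:Integrated Security|Trusted_Connection)\s*=\s*(?:SSPI|true|yes)", re.I)


def printable_runs(blob):
    """Yield (offset, encoding, text) for every printable run in blob."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_connection_strings(blob):
    """Return sorted (offset, encoding, risk, redacted_text) findings."""
    findings = []
    for offset, encoding, text in printable_runs(blob):
        if not TARGET.search(text):
            continue
        if SECRET.search(text):
            risk = "embedded-credential"   # SQL login shipped to every user
        elif INTEGRATED.search(text):
            risk = "target-only"           # no secret, but names server and db
        else:
            risk = "unknown-auth"
        # Never copy the secret itself into the audit output.
        findings.append((offset, encoding, risk, SECRET.sub(r"\1<redacted>", text)))
    return sorted(findings)


# Constructed sample standing in for a compiled client binary.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    + ("Data Source=db01.example.internal;Initial Catalog=Orders;"
       "Integrated Security=SSPI").encode("utf-16-le")
    + b"\x00\x00\xff\xfe\x07"
    + b"Server=db01.example.internal;Database=Orders;"
      b"User Id=app;Password=NotARealSecret;"
    + b"\x00\x13"
)

if __name__ == "__main__":
    for finding in find_connection_strings(SAMPLE):
        print(finding)
```

A "target-only" finding still matters under integrated authentication: the string tells anyone with the user's Windows credentials which server and database to connect to directly, so the database permissions of those accounts are the real control.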