Bullines

Reputation: 5696

Securing a Web Service

I have a Web Service (ASMX) with a few Web methods on our production Web server. On a separate internal Web server (which isn't publicly exposed) I have another Web site that will use the ASMX's public web methods. What are some of the best ways to secure the Web service such that only the internal Web server can access the Web Services running on the publicly exposed Web server?

Upvotes: 8

Views: 1440

Answers (10)

Vic Boudolf

Reputation: 134

If it is only the internal server that will be accessing the asmx files, you could set them up in IIS under a separate web site or virtual directory, then place some IP restrictions on the site. In properties, go under Directory Security, then "IP Address and Domain Name Restrictions."

Also, for passwords, WSE 3 is the new go-to, but I did find a simple method in a book from Apress called "Pro ASP.NET 2.0 in C# 2005", Chapter 34. (Note, the newer version of this book omits this chapter.) The section is custom Ticket-based authentication.

Upvotes: 1

Tom Ritter

Reputation: 101310

Be aware that there are ways around whitelisting IPs. Don't get me wrong, it's a great idea, and you should definitely do it, but if your budget/resources allow it, you can expand your threat model.

Upvotes: 0

Thomas Wagner

Reputation: 2492

One of the easiest ways is to pass credentials in the SOAP header of the message, so each call passes along the info needed to determine if the user is authorized. WSE makes some of that easier, but one of the most succinct descriptions of this process can be found in Rocky Lhotka's book on Business Objects. I get a lot of books to review by publishers and this one had the best explanation.

Upvotes: 3

leppie

Reputation: 117220

A simple HTTP module will work. Just hardcode (or from config) the allowed IP/host and reject all others.

Upvotes: 1
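
The HTTP module suggested in leppie's answer could look like the following. This is an added example, not code from any poster on this page. It assumes .NET Framework 4.5 or later, a hypothetical `AllowedClientIPs` appSettings key, and that the service runs in its own site or application so the module covers only the ASMX endpoints.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Net;
using System.Web;

// Added example. "AllowedClientIPs" is a hypothetical appSettings key, e.g.
// <add key="AllowedClientIPs" value="10.0.0.12" /> (constructed address).
// Register under <httpModules> (or <modules> in IIS 7 integrated mode).
public class IpAllowListModule : IHttpModule
{
    private static readonly HashSet<IPAddress> Allowed = Load();

    private static HashSet<IPAddress> Load()
    {
        var set = new HashSet<IPAddress>();
        string raw = ConfigurationManager.AppSettings["AllowedClientIPs"] ?? "";
        foreach (string part in raw.Split(new[] { ',', ';' }, StringSplitOptions.RemoveEmptyEntries))
        {
            IPAddress ip;
            if (IPAddress.TryParse(part.Trim(), out ip)) set.Add(Normalize(ip));
        }
        return set; // empty or unparsable config => every request is rejected (fail closed)
    }

    // Treat ::ffff:a.b.c.d the same as a.b.c.d so dual-stack listeners match.
    private static IPAddress Normalize(IPAddress ip) { return ip.IsIPv4MappedToIPv6 ? ip.MapToIPv4() : ip; }

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        IPAddress peer;
        // UserHostAddress is the TCP peer as seen by IIS; headers such as
        // X-Forwarded-For are client-supplied and are deliberately ignored.
        bool ok = IPAddress.TryParse(app.Request.UserHostAddress, out peer)
                  && Allowed.Contains(Normalize(peer));
        if (ok) return;

        app.Response.StatusCode = 403;          // reject everything not on the list
        app.Response.SuppressContent = true;    // no body, so nothing about the service leaks
        app.CompleteRequest();                  // skip the rest of the pipeline, including the ASMX handler
    }

    public void Dispose() { }
}
```

If a reverse proxy or load balancer sits in front of IIS, the peer address is the proxy's, so the allow list has to be enforced at that hop instead.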

Hank Gay

Reputation: 71939

TLS with client certs. See Wikipedia entry to get started.

Upvotes: 0

ila

Reputation: 4724

At the moment, what comes to my mind is IP filtering on IIS. Fast to apply, should work in your scenario.

Upvotes: 0

axel_c

Reputation: 6796

Maybe I did not understand correctly, but why expose the web methods publicly at all if they're only going to be consumed by the internal server?

Upvotes: 1

blowdart

Reputation: 56490

Use IIS's directory security IP address restrictions, and limit access to just that internal web server IP address.

If you can't do that, and you can't set up a username/password on the directory, then use WSE and add a username/password into the service, or look at certificates if you want some fun (grin).

Upvotes: 1

RB.

Reputation: 37172

I would set a firewall rule to restrict access to a whitelist of IP addresses.

Upvotes: 1

ZombieSheep

Reputation: 29953

Assuming you don't have the option of using WCF, I'd advocate using WSE 3 (Web Service Enhancements). You can get the toolkit / SDK thingummy at MS's site.

To limit the access to only internal machines (as I think your question asked), I'd set up a separate web site in IIS and set it to only respond to the internal IP address of your server.

Upvotes: 1
