RE: Recommendations for securing a 'local' webservice.
From: Dan Rogers (danro_at_microsoft.com)
Date: 11/16/04
- Next message: Dan Rogers: "RE: How to send a DIME attachment with SOAP"
- Previous message: Dan Rogers: "RE: webservices: simple question, accessing webservice members"
- In reply to: burky: "Recommendations for securing a 'local' webservice."
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 16 Nov 2004 01:37:54 GMT
Hi,
You seem to be trying to secure a web service interface to only those
callers that are running the proper application bits, yes? There are
several possible approaches you may want to consider. The problem you face
has some sticky issues - the chief among them being you want to use a
protocol that was intended to be caller agnostic to implement a caller
aware request/response semantic. That said (the irony notwithstanding),
you can check into some options as follows:
1) Client side certificate. Install a special certificate as part of the
application you are deploying and use a protocol that is secured by
encryption and certificate-based signing. WS-Security can help you here.
The downside is that this is security by secret, and readily cracked by a
determined caller without some way to cycle the certificates on a periodic
basis and on a per device/per-user/per application basis. This creates
significant overhead - but will thwart the casual "network sniffer".
2) SSL/TLS on the wire. Since you seem to want to prevent just any
wireless user from seeing the packets in the air, you might just want to
use automatic SSL based wire encryption. In this case, the packets are
secure from decryption as they fly through the air, but the service endpoints
are still discoverable as normal web service end points. A special
certificate is not required.
3) Combine #2 with token-based security. This is WS-Security basic
security. You would end up associating a secret text password with your
application, and have that used in the application to create a security
token. Then the packets to the web service would be encrypted à la
WS-Security, and the token validated on the other end. This is probably the
place I'd recommend you start, complexity-wise.
I hope this helps.
Dan Rogers
Microsoft Corporation
--------------------
>From: burkinshaw@tiscali.co.uk (burky)
>Newsgroups: microsoft.public.dotnet.framework.aspnet.webservices
>Subject: Recommendations for securing a 'local' webservice.
>Date: 8 Nov 2004 02:58:35 -0800
>Organization: http://groups.google.com
>Message-ID: <5276549f.0411080258.2596e87@posting.google.com>
>
>Hi,
>
>We are developing a webservice that will be installed at multiple,
>unconnected sites. It is to act as a 'server' to several PocketPC
>devices per site. The site PCs are running XP Pro. The PocketPCs are
>making calls from a .net application and will access the webservice
>via wireless.
>
>Can anyone recommend the best (non-firewall) method for securing calls
>from just anyone with wireless access, but allow any device running
>the intended application to access it?
>
>Many Thanks
>
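Option 3 of the reply above (SSL on the wire plus a WS-Security token derived from a password embedded in the application), worked through as an added example that is not part of the original thread. It is written in Python rather than the .NET/WSE code the thread concerns, and builds the token the way the WS-Security UsernameToken Profile 1.0 defines PasswordDigest: Base64(SHA-1(nonce + created + password)). The username, password, five-minute freshness window and in-memory nonce cache are assumptions of the example; the server side shows the checks a practitioner would want (digest compared in constant time, stale timestamps rejected, nonces remembered so a captured token cannot simply be replayed).

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

# ASSUMPTION: constructed sample credentials. In the deployment described in the
# thread this password ships inside the PocketPC application, which is exactly
# the "security by secret" caveat the reply raises for option 1.
APP_USERNAME = "pocketpc-app"
APP_PASSWORD = "example-app-secret"
WSSE_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password)).
    nonce is the raw (decoded) nonce; created and password are UTF-8 strings."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def make_token(username: str, password: str, now: Optional[datetime] = None) -> Dict[str, str]:
    """Client side: the UsernameToken fields the PocketPC app puts in wsse:Security."""
    now = now or datetime.now(timezone.utc)
    nonce = os.urandom(16)                      # fresh per request; what defeats replay
    created = now.strftime(WSSE_TIME_FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


def to_soap_header(token: Dict[str, str]) -> str:
    """Serialise the token as the wsse:Security header carried in the SOAP envelope."""
    return (
        f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}"><wsse:UsernameToken>'
        f"<wsse:Username>{token['Username']}</wsse:Username>"
        f'<wsse:Password Type="{DIGEST_TYPE}">{token["PasswordDigest"]}</wsse:Password>'
        f"<wsse:Nonce>{token['Nonce']}</wsse:Nonce><wsu:Created>{token['Created']}</wsu:Created>"
        "</wsse:UsernameToken></wsse:Security>"
    )


class TokenValidator:
    """Server side: verify the digest, enforce freshness, reject replayed nonces."""

    def __init__(self, credentials: Dict[str, str], max_skew: timedelta = timedelta(minutes=5)):
        self._credentials = credentials          # username -> shared application password
        self._max_skew = max_skew                # ASSUMPTION: 5-minute clock-skew window
        self._seen: Set[Tuple[str, str]] = set()  # (username, nonce) replay cache, in memory

    def validate(self, token: Dict[str, str], now: Optional[datetime] = None) -> bool:
        now = now or datetime.now(timezone.utc)
        password = self._credentials.get(token.get("Username", ""))
        if password is None:
            return False
        try:
            nonce = base64.b64decode(token["Nonce"], validate=True)
            created = datetime.strptime(token["Created"], WSSE_TIME_FMT).replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):           # missing field, bad base64 or bad timestamp
            return False
        if abs(now - created) > self._max_skew:  # stale or future-dated token
            return False
        key = (token["Username"], token["Nonce"])
        if key in self._seen:                    # same nonce presented twice: replay
            return False
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False
        self._seen.add(key)                      # remember only tokens that verified
        return True


def run_demo() -> Dict[str, bool]:
    """Exercise the validator with the outcomes a practitioner should expect."""
    validator = TokenValidator({APP_USERNAME: APP_PASSWORD})
    good = make_token(APP_USERNAME, APP_PASSWORD)
    stale_time = datetime.now(timezone.utc) - timedelta(hours=1)
    return {
        "valid": validator.validate(good),                                             # True
        "replay": validator.validate(good),                                            # False
        "wrong_password": validator.validate(make_token(APP_USERNAME, "guess")),       # False
        "unknown_user": validator.validate(make_token("intruder", APP_PASSWORD)),      # False
        "stale": validator.validate(make_token(APP_USERNAME, APP_PASSWORD, stale_time)),  # False
    }


if __name__ == "__main__":
    print(to_soap_header(make_token(APP_USERNAME, APP_PASSWORD)))
    print(run_demo())
```

Two limits follow directly from the design and match the reply's own caveats: the digest proves knowledge of the application password, not the integrity of the message body, so the SSL/TLS channel of option 2 is still what protects the payload in the air; and anyone who extracts APP_PASSWORD from the PocketPC binary can mint valid tokens, so this keeps out "just anyone with wireless access" rather than a determined attacker with the device software. The nonce cache also has to be shared (or bounded to the freshness window) if more than one server instance validates tokens.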