Re: IIS / Web Services Security threats
- From: "Stephany Young" <noone@localhost>
- Date: Tue, 5 Apr 2005 16:45:36 +1200
Sounds more like office politics to me.

You use the phrase 'My security team'. Does this mean the security team
at your company or does this mean that the security team at your company
reports to you? If it is the latter then simply issue them with an
instruction to 'make this so'. If it is the former then it is probably a
matter of political wrangling depending on who the senior management are
more likely to listen to.

I have seen, at first hand, a company where the senior management took
everything the security team said as gospel but they made the applications
team justify everything they said to the nth degree. As you can imagine,
everything was locked down tighter than a gnat's backside and productivity
was almost non-existent.

Another unfortunate development in modern life is that at the mere mention
of the word security, people start wringing their hands and running around
like a chicken with its head cut off, rather than sitting down and analysing
the issue at hand.

Personally, I would see the role of your security team as advising you on
how you can do it 'safely' and/or providing an environment where you can do
it 'safely', rather than putting blocks in your way, especially when those
blocks are often based on ignorance or misinformation.

"Magdelin" <magdelinsuja@xxxxxxxxxxxxxxxxx> wrote in message
news:CBAB91C3-58F6-490C-A080-98998478B626@xxxxxxxxxxxxxxxx
> Hi,
>
> My security team thinks allowing communication between the two IIS
> instances leads to severe security risks. Basically, we want to put our
> presentation tier on the perimeter network and the business tier inside
> the firewall or internal network. The biz tier will be developed and
> deployed as web services on IIS.
>
> I know Microsoft recommends this architecture but I am not able to
> convince my security team. They say IIS is vulnerable to viruses and
> worms even though the communication between the web and app servers is
> secure with a firewall/SSL/IPSec. Even though we will open specific ports
> for accessing the web services, is it true that IIS is not a secure
> environment to access it from the perimeter network?
>
> If my security team is true, I wonder what would be the alternative to
> IIS. If they are not, how should we protect our network while allowing
> web service to run on IIS.
>
> I have read all security related recommendations published by Microsoft
> but no luck with my security team yet. Esp. the entire document from
> patterns & practices:
> Improving Web Application Security - Threats and Countermeasures
>
> How are secure .NET enterprise applications developed and hosted in IIS?
> Are there any companies out there which use this MS recommended
> architecture and yet have a secure network?
>
> Thanks,
> Magdelin