.NET Forum / ASP.NET / Web Services / November 2004

Recommendations for securing a 'local' webservice.

burky - 08 Nov 2004 10:58 GMT
Hi,

We are developing a webservice that will be installed at multiple,
unconnected sites. It is to act as a 'server' to several PocketPC
devices per site. The site PCs are running XP Pro. The PocketPCs are
making calls from a .NET application and will access the webservice
via wireless.

Can anyone recommend the best (non-firewall) method for securing calls
from just anyone with wireless access, but allow any device running
the intended application to access it?

Many Thanks

Dan Rogers - 16 Nov 2004 01:37 GMT
Hi,

You seem to be trying to secure a web service interface to only those
callers that are running the proper application bits, yes?  There are
several possible approaches you may want to consider.  The problem you face
has some sticky issues - the chief among them being you want to use a
protocol that was intended to be caller agnostic to implement a caller
aware request/response semantic.  That said (the irony notwithstanding),
you can check into some options as follows:

1.  Client-side certificate.  Install a special certificate as part of the
application you are deploying and use a protocol that is secured by
encryption and certificate-based signing.  WS-Security can help you here.

The downside is that this is security by secret, and readily cracked by a
determined caller without some way to cycle the certificates on a periodic
basis and on a per device/per-user/per application basis.  This creates
significant overhead - but will thwart the casual "network sniffer".

2.  SSL/TLS on the wire.  Since you seem to want to prevent just any
wireless user from seeing the packets in the air, you might just want to
use automatic SSL-based wire encryption.  In this case, the packets are
secure from decryption as they fly thru the air, but the service endpoints
are still discoverable as normal web service end points.  A special
certificate is not required.

3.  Combine #2 with token-based security.  This is WS-Security basic
security.  You would end up associating a secret text password with your
application, and have that used in the application to create a security
token.  Then the packets to the web service would be encrypted à la
WS-Security, and the token validated on the other end.  This is probably the
place I'd recommend you start, complexity-wise.

I hope this helps

Dan Rogers
Microsoft Corporation
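
An added example, not part of the original posts: a service-side check for the token in option 3, using the WS-Security UsernameToken password digest, Base64(SHA-1(nonce + created + password)), with a freshness window and a nonce cache so a token captured off the wireless link cannot be replayed. The class, its members and the idea of passing in the current time are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Added example; type and member names are hypothetical, not from the thread.
public sealed class UsernameTokenValidator
{
    private readonly byte[] _secret;     // shared application password, UTF-8
    private readonly TimeSpan _maxAge;   // allowed token age / clock skew
    private readonly Dictionary<string, DateTime> _seen = new Dictionary<string, DateTime>();

    public UsernameTokenValidator(string password, TimeSpan maxAge)
    {
        _secret = Encoding.UTF8.GetBytes(password);
        _maxAge = maxAge;
    }

    // Password_Digest = Base64(SHA-1(nonce + created + password))
    public static string ComputeDigest(byte[] nonce, string created, byte[] secret)
    {
        byte[] ts = Encoding.UTF8.GetBytes(created);
        byte[] buf = new byte[nonce.Length + ts.Length + secret.Length];
        Buffer.BlockCopy(nonce, 0, buf, 0, nonce.Length);
        Buffer.BlockCopy(ts, 0, buf, nonce.Length, ts.Length);
        Buffer.BlockCopy(secret, 0, buf, nonce.Length + ts.Length, secret.Length);
        using (SHA1 sha = SHA1.Create()) return Convert.ToBase64String(sha.ComputeHash(buf));
    }

    public bool Validate(string nonceB64, string created, string digestB64, DateTime nowUtc)
    {
        if (nonceB64 == null || created == null || digestB64 == null) return false;
        byte[] nonce; DateTime createdUtc;
        try { nonce = Convert.FromBase64String(nonceB64); } catch (FormatException) { return false; }
        if (nonce.Length == 0 || !DateTime.TryParse(created, CultureInfo.InvariantCulture,
                DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal, out createdUtc)) return false;
        if ((nowUtc - createdUtc).Duration() > _maxAge) return false;   // stale or far-future token
        // Compare without an early exit so timing does not reveal a matching prefix.
        byte[] want = Encoding.ASCII.GetBytes(ComputeDigest(nonce, created, _secret));
        byte[] got = Encoding.ASCII.GetBytes(digestB64);
        int diff = want.Length ^ got.Length;
        for (int i = 0; i < want.Length && i < got.Length; i++) diff |= want[i] ^ got[i];
        if (diff != 0) return false;
        string key = Convert.ToBase64String(nonce);   // canonical form; input may carry whitespace
        lock (_seen)
        {
            foreach (string k in new List<string>(_seen.Keys))
                if (nowUtc - _seen[k] > _maxAge) _seen.Remove(k);   // too old to pass freshness again
            if (_seen.ContainsKey(key)) return false;               // replayed token
            _seen[key] = createdUtc;
            return true;
        }
    }
}
```

The digest only proves knowledge of the shared password, so this check belongs behind the SSL transport from option 2; the device builds its token with the same `ComputeDigest` call and a fresh random nonce per request.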