
.NET Forum / ASP.NET / Web Services / February 2006


Multiple perimeter service routers?

Chris - 13 Feb 2006 23:07 GMT
I've been reading up on perimeter service routers in the WSE 3.0 docs. It
seems to me that a PSR, which normally would reside in a DMZ, is not the
place to do message validation because the message must be decrypted to
perform the validation. Presumably you would want to do validation in a secure
zone. So I wonder if you could have two PSRs, one of which resides on the
inside network to do validation and maybe something like exception shielding.
So a perimeter service router actually routes to an internal service router.
Otherwise, it's up to each service to perform routine validation and other
things that I would like to abstract from service developers. Two PSRs, even
if possible to configure using WSE 3.0, could be too much of a bottleneck,
however.

Does anyone have any thoughts on this?

Thanks,
Chris
Pablo Cibraro - 14 Feb 2006 13:21 GMT
Hi Chris,
Have you read the "Web services security patterns" published by the Patterns
& Practices team? One of these patterns explains a scenario similar to
yours but using only one PSR.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/wssp.asp

Chapter 6: Implementing Perimeter Service router in WSE 3.0 (Extension 1).

Regards,
Pablo Cibraro
http://weblogs.asp.net/cibrax
http://www.lagash.com

Chris - 14 Feb 2006 15:03 GMT
Hi Pablo. Thanks for the response. Yes, I've read the pattern and find it
very interesting. However, one particular extension seems to be in
contradiction with another best practice. The PSR pattern notes that you can
perform message validation at the PSR. However, the PSR normally would reside
in a DMZ. Since performing message validation requires decryption of the
message, doing this in the DMZ is inherently insecure, is it not? If so, the
only other options I see for performing validation would be at the service
level or at another intermediary within your secure domain (an "internal
service router," if you will). If this is true, then my question is whether
WSE 3.0 supports multiple service routers between the client and the service,
and if such an approach is feasible from a performance standpoint.

I'd be very interested to get some feedback on this from the community and MS.

Thanks,
Chris

