| Groups | Blog | Home |
dotnet ado.net : web service for accessing db?
is web service good solution for accesing (havily) database (remote or not)? that looks slow, any other methods for secure connection? SOme of coworkers wants to use web service because they don't want expose connection string. thanks fro advise
yeah, that what I thought :) web service is in its nature insecure. the guy
argues that embeding connetcion string in a code is not secure enough comparing to web service. [quoted text, click to view] "Cor Ligthert[MVP]" <notmyfirstname@planet.nl> wrote in message news:90A87BCB-2829-48BE-98EB-E96EB5B7E9DF@microsoft.com... > Andy, > > Do you in other words mean that they invented the other solutions than > webservices to support insecure connections. > > Cor
"s" after http makes the web service very secure with 128 bit SSL encryption
[quoted text, click to view] "Andy" <kc2ine@yahoo.com> wrote in message news:%23bvFEANGIHA.5980@TK2MSFTNGP04.phx.gbl... > yeah, that what I thought :) web service is in its nature insecure. the > guy argues that embeding connetcion string > in a code is not secure enough comparing to web service. > > > "Cor Ligthert[MVP]" <notmyfirstname@planet.nl> wrote in message > news:90A87BCB-2829-48BE-98EB-E96EB5B7E9DF@microsoft.com... >> Andy, >> >> Do you in other words mean that they invented the other solutions than >> webservices to support insecure connections. >> >> Cor > >
yes, but it makes also very slow right?
I mean web service was not meant to be as a main bridge to database as I understand it. [quoted text, click to view] "Jim Rand" <jimrand@ix.netcom.com> wrote in message news:O1UC5oNGIHA.5980@TK2MSFTNGP04.phx.gbl... > "s" after http makes the web service very secure with 128 bit SSL > encryption > > "Andy" <kc2ine@yahoo.com> wrote in message > news:%23bvFEANGIHA.5980@TK2MSFTNGP04.phx.gbl... >> yeah, that what I thought :) web service is in its nature insecure. the >> guy argues that embeding connetcion string >> in a code is not secure enough comparing to web service. >> >> >> "Cor Ligthert[MVP]" <notmyfirstname@planet.nl> wrote in message >> news:90A87BCB-2829-48BE-98EB-E96EB5B7E9DF@microsoft.com... >>> Andy, >>> >>> Do you in other words mean that they invented the other solutions than >>> webservices to support insecure connections. >>> >>> Cor >> >> > >
Andy,
Do you in other words mean that they invented the other solutions than webservices to support insecure connections. Cor
From testing, the web service is a bit slower than a direct connect.
However, speed is still quite good. To load 14000 rows over https via the Internet (cable modem) takes 3 to 4 seconds (dataset serialized as xml [3.5 megabytes]). Updates involving 10 rows (round trip to get the autoincrement key and new timestamps is sub second - snap you finger - the start of the update is the beginning of the snap sound - the end of the update is the end of the snap sound). Not very scientific but it works for me. [quoted text, click to view] "Andy" <kc2ine@yahoo.com> wrote in message news:OfIIlKOGIHA.1204@TK2MSFTNGP03.phx.gbl... > yes, but it makes also very slow right? > I mean web service was not meant to be as a main bridge to database as I > understand it. > > > "Jim Rand" <jimrand@ix.netcom.com> wrote in message > news:O1UC5oNGIHA.5980@TK2MSFTNGP04.phx.gbl... >> "s" after http makes the web service very secure with 128 bit SSL >> encryption >> >> "Andy" <kc2ine@yahoo.com> wrote in message >> news:%23bvFEANGIHA.5980@TK2MSFTNGP04.phx.gbl... >>> yeah, that what I thought :) web service is in its nature insecure. the >>> guy argues that embeding connetcion string >>> in a code is not secure enough comparing to web service. >>> >>> >>> "Cor Ligthert[MVP]" <notmyfirstname@planet.nl> wrote in message >>> news:90A87BCB-2829-48BE-98EB-E96EB5B7E9DF@microsoft.com... >>>> Andy, >>>> >>>> Do you in other words mean that they invented the other solutions than >>>> webservices to support insecure connections. >>>> >>>> Cor >>> >>> >> >> > >
Hi Miha,
thanks for response, so how good actually is security with remoting? Problem is that have to decide what to use from old win32 application for accesing SQL Srver 2005. All client are within the network or accesing network through VPN. I decided to use regular ADO but some argue that exposing connection string is not safe. But We're already in the network so what's the point would be in using web service, I don't see benefits at all. [quoted text, click to view] "Miha Markic" <miha at rthand com> wrote in message news:eH8GXeYGIHA.5328@TK2MSFTNGP05.phx.gbl... > Hi Andy, > > Of course web service is more secure when used correctly. The best > security is when you encrypt and sign at message level. > However I don't think you actually need web services at all. Web services > are useful when the client is unknown (in your case when client is not > .net). > Unless you want to support unknown clients it is better if you avoid web > services because they are clumsy and very verbose as they have to support > many different scenarios. > So, the bottom line is that you should use Windows Communication > Foundation with binary transfer or old good remoting. > > -- > Miha Markic [MVP C#, INETA Country Leader for Slovenia] > RightHand .NET consulting & development www.rthand.com > Blog: http://cs.rthand.com/blogs/blog_with_righthand/ > > "Andy" <kc2ine@yahoo.com> wrote in message > news:O9MMSW2FIHA.6068@TK2MSFTNGP05.phx.gbl... >> hi, >> is web service good solution for accesing (havily) database (remote or >> not)? that looks slow, any other methods for secure connection? SOme of >> coworkers wants to use web service because they don't want >> expose connection string. >> thanks fro advise >> >
Hi Andy,
Of course web service is more secure when used correctly. The best security is when you encrypt and sign at message level. However I don't think you actually need web services at all. Web services are useful when the client is unknown (in your case when client is not ..net). Unless you want to support unknown clients it is better if you avoid web services because they are clumsy and very verbose as they have to support many different scenarios. So, the bottom line is that you should use Windows Communication Foundation with binary transfer or old good remoting. -- Miha Markic [MVP C#, INETA Country Leader for Slovenia] RightHand .NET consulting & development www.rthand.com Blog: http://cs.rthand.com/blogs/blog_with_righthand/ [quoted text, click to view] "Andy" <kc2ine@yahoo.com> wrote in message
news:O9MMSW2FIHA.6068@TK2MSFTNGP05.phx.gbl... > hi, > is web service good solution for accesing (havily) database (remote or > not)? that looks slow, any other methods for secure connection? SOme of > coworkers wants to use web service because they don't want > expose connection string. > thanks fro advise >
[quoted text, click to view] "Andy" <kc2ine@yahoo.com> wrote in message news:eB%23tLJaGIHA.700@TK2MSFTNGP05.phx.gbl... > Hi Miha, > thanks for response, so how good actually is security with remoting? > Problem is that have to decide what to use from old win32 application for > accesing SQL Srver 2005. > All client are within the network or accesing network through VPN. I > decided to use regular ADO but some argue that exposing connection string > is not safe. But We're already in the network so what's the point would be > in using web service, I don't see benefits at all. It doesn't matter whether it is remoting or web services. The point is (briefly), that if you expose the connection string, a malicious user can read its content and connect to sql server directly. So he can do whatever connection string allows him to do, and even worse, user might exploit some sql server bug, etc. OTOH if user is accessing through some sort of service, user won't be seeing sql server at all. User would be allowed to do only what service allows him to do. BTW what authentication do you use - sql server or integrated? -- Miha Markic [MVP C#, INETA Country Leader for Slovenia] RightHand .NET consulting & development www.rthand.com Blog: http://cs.rthand.com/blogs/blog_with_righthand/
I use integrated authentication.
I agree with everything but what's the point in this case when clients are inside the network anyway or using vpn? Plus I have connection string embeded in to code. [quoted text, click to view] "Miha Markic" <miha at rthand com> wrote in message news:OgHIVUgGIHA.4712@TK2MSFTNGP04.phx.gbl... > > "Andy" <kc2ine@yahoo.com> wrote in message > news:eB%23tLJaGIHA.700@TK2MSFTNGP05.phx.gbl... >> Hi Miha, >> thanks for response, so how good actually is security with remoting? >> Problem is that have to decide what to use from old win32 application for >> accesing SQL Srver 2005. >> All client are within the network or accesing network through VPN. I >> decided to use regular ADO but some argue that exposing connection string >> is not safe. But We're already in the network so what's the point would >> be in using web service, I don't see benefits at all. > > It doesn't matter whether it is remoting or web services. > The point is (briefly), that if you expose the connection string, a > malicious user can read its content and connect to sql server directly. > So he can do whatever connection string allows him to do, and even worse, > user might exploit some sql server bug, etc. > OTOH if user is accessing through some sort of service, user won't be > seeing sql server at all. User would be allowed to do only what service > allows him to do. > BTW what authentication do you use - sql server or integrated? > -- > Miha Markic [MVP C#, INETA Country Leader for Slovenia] > RightHand .NET consulting & development www.rthand.com > Blog: http://cs.rthand.com/blogs/blog_with_righthand/
[quoted text, click to view] "Andy" <kc2ine@yahoo.com> wrote in message news:eiilWvpGIHA.4956@TK2MSFTNGP06.phx.gbl... >I use integrated authentication. > I agree with everything but what's the point in this case when clients > are inside the network anyway It all depends on how much security you want to put into your application. What if one of your users is malicious or if somebody steal his/her credentials? [quoted text, click to view] > or using vpn? VPN only protects the data transport and authentication but it doesn't protect your application. [quoted text, click to view] > Plus I have connection string embeded in to code. Doesn't matter. If your application can get to the connection string then any user with same credentials (an user that can run your application) can get to it. Putting conneciton string into the application is a weak defence (i.e. take a look at Reflector). It would be better if you encrypt it. But still the above sentence is valid anyway. -- Miha Markic [MVP C#, INETA Country Leader for Slovenia] RightHand .NET consulting & development www.rthand.com Blog: http://cs.rthand.com/blogs/blog_with_righthand/
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
| home · blog · groups | Questions? Comments? Contact the dn |