I need to set up a web service. Server is in DMZ, so I thought about putting web service in IIS (asmx) cos only port 80 is available to comunicate. But information it provides should be secured. What choices do I have when it comes to what .NET / IIS can offer ?
Or maybe I should dispense with asxm web service and switch to something else. But once again, I only have port 80 available.
Thanks,
Pawel
You should checkout WCF
When it comes to securing web services you have to main action paths:
go for communication over HTTPS and leave the web service messages in plain text (no problem since the data is over HTTPS and you can't see inside): transport level security;
go for communication over HTTP but secure the messages of the web service (WS-Security fits this role): message level security.
WS-* specifications are not an easy thing to digest (especialy WS-Security which relies on other specs like WS-Policy, WS-Addressing, XML Signature, XML Encryption etc). But since you say you only have port 80 available for communication I think you don't have a choice (don't even think of implementing your own security mechanism :D).
So, if you have to use WS-Security then go for WCF. You have a bunch of communication mechanism you can choose from and WCF takes a lot of the heavy lifting for you, abstracting away the "bare metal" of SOAP and WS-*.
Within IIS, if you wish to only allow a specific IP address to access the web service, do the following:
Within IIS, right click on the file with asmx extension. Click “Switch to features view”
Click the “IP Address and Domain Restrictions” icon.
Click “Edit Feature Settings”, Select Deny All, Add Allow Entry.
Type in the IP you want the service to access.
Related
I've a server which authenticates clients applications and allows them to execute or not. I want to have a secure channel between server and clients. I've written my server with both ssl and ssh protocols but I don't know which one must be used in these scenario and which one is more logical.
both client and server has been written in Qt,c++.
ssl is mostly used in https and web based application and ssh is used for remote administration, so I think that ssh is more appropriate for my server. also I think it's not a good design if I release my application with certificates(exe file along with a certificate.)
Both ssl and ssh use the same, fundamental, cryptographic technologies. Looks like you understand the practical differences between the two, so use whichever one is convenient for your application. As long as you follow proper security practices (keeping your certificates and/or private keys under a watchful eye, etc etc etc), either one will give you the same, basic, level of security.
Im working on some JSON-based web service that is supposed to work with Android application.
I would like to encrypt data transport between client (android) and server (virtual server in datacenter).
I don't have to make sure that my server is my server, just data encryption.
I have no idea how to use HTTPS.
Do I just put my PHP files in private_html and use https://example.com url?
To use HTTPS, you don't have to do anything in the coding of your web service - it's all in your hosting. Here the are steps you can follow. The specific instructions differ in your hosting (IIS, Apache, AWS/Azure, etc), but you can google specifics on how to accomplish any of these steps for whatever host and application framework you decide.
Buy an SSL certificate (there are many different vendors, but expect between $75-$200 for the certificate) based on the vendor, reputation, and level of security you need.
Generate a certificate signing request (CSR) from the server you'll be hosting.
Upload the CSR to the SSL vendor who will validate and provide the certificate for your use.
Import the SSL certificate into your application server, and configure the site to use the certificate. For instance, if you're hosting Microsoft IIS, you'd import the SSL certificate and then add HTTPS bindings on 443 to the specific website hosting your web service.
Another point of security. Since you are deploying SSL, you don't have to do any application level encryption (assuming you are not putting sensitive information in query strings - use POST if you think you need to). You probably would want to implement some security to restrict access to your web service so only your app can access it. Best practice is some level of OAuth, but at a minimum some type of pre-shared key in the header of the request is a lot better than nothing.
Here are some additional sites for more information:
https://www.digicert.com/ssl-certificate-installation.htm
https://support.godaddy.com/help/category/742/ssl-certificates-installing-ssl-certificates?prog_id=GoDaddy
If you don't want to pay for a certificate, you can use certificate signet by your own CA and add the root certificates into your application using HTTPClient and keystores
Here there's some guides
http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
http://developer.android.com/reference/org/apache/http/client/HttpClient.html
KeyStore, HttpClient, and HTTPS: Can someone explain this code to me?
http://blog.antoine.li/2010/10/22/android-trusting-ssl-certificates/
You can limit users to use JUST and only HTTPS in apache, IIS or whatever do you use. If your client connects to your server, his communications will be likely to encrypted, because he is already using HTTPS. And for responsing in HTTPS you virtually cannot send HTTPS responses, as far as I know, unless that other side isn't also a website (for example, if you have your website, you could send such a response e.g. to Google). You should be okay to send data like http status codes (OK, NotModified, PageNotFound, ...), or if you want something more, or if it is a requirement, then there you still have JSON and you could encode it as well, with some encoding algorithms, or use binary JSON format.
Check if your hosting company provides a free public shared https address. Most of them do.
If you want to understand how to do it right, follow this thread
Warning: Don't stick with the solution below for production.
If you plan o use an https endpoint without a certificate you have to make sure to disable peer verification, check this answer
Say we have hosted a few webservices over over https://mycompany.com/Service
e.g.
https://mycompany.com/Service/Service1
https://mycompany.com/Service/Service2
https://mycompany.com/Service/Service3
As you can see on mycompany.com we have hosted 3 webservices each having their distinct urls.
What we have is a Jboss instance with 3 different web wars deployed in it. When someone hits the service it gets past our firewall and then teh load balancer redirects to Jboss on port 8080 on the requried path and it gets serviced.
the 3 services are consumed by 3 different clients. My question if say Client1 using Service 1 is only given out the url corresponding to it can they use some kind of scanner that can also inform them that Service2 and Service3 are alaso available on mycompany.com/Service?
Irrespective of clients - can anyone simply use some scanner tool to identify what Service Endpoints are exposed on the host?
Kindly note they are a mix of SOAP (WSDL) and Rest based services deployed on same instance of Jboss.
Yes, someone can scan for those endpoints. Their scanner would generate a bunch of 404s in your logs, because it would have to guess the other URLs. If you have some kind of rate limiting firewall, it might take them quite a long time. You should be checking the logs regularly anyway.
If you expose your URL to the public internet, relying on people not finding it is just security via obscurity. You should secure each URL using application-level security, and assume that the bad guys already have the URL.
You may want to consider adding subdomains for the separate applications (e.g. service1.mycompany.com, service2.mycompany.com) - this will make firewalling easier.
The application application I'm currently working on is required to interface with a web service using SOAP. The service providers want to restrict access to the service via a firewall using BOTH an IP address and a Port. I'm using VS 2010 and the service has been added as a .NET 2.0 Web Service.
Right now the firewall rule for my connection's port is set to 'ANY' and the service team wants to tighten it down to a specific port. I can't seem to find any way to set a specific outgoing port (port used when exiting my web server) in my service.
Is it even possible to do this?
It is possible to do this, but it's a non-trivial customization.
See Ways to Customize your ASMX Client Proxy for the general techniques. Near the bottom, you'll find "Heavy-Duty Customization".
By overriding the GetWebRequest method, you can gain access to the HttpWebRequest instance being used by the request.
HttpWebRequest has a ServicePoint property.
ServicePoint has a BindIPEndPointDelegate property.
Set this property to point to a method that will decide which IP address and port to use.
I am pretty new to security aspect of application. I have a C++ window service (server) that listens to a particular port for http requests. The http requests can be made via ajax or C# client. Due to some scope change now we have to secure this communication between the clients and custom server written in C++.
Therefore i am looking for options to secure this communication. Can someone help me out with the possible approaches i can take to achieve this.
Thanks
Dpak
Given that you have an existing HTTP server (non-IIS) and you want to implement HTTPS (which is easy to screw up and hard to get right), you have a couple of options:
Rewrite your server as a COM object, and then put together an IIS webservice that calls your COM object to implement the webservice. With this done, you can then configure IIS to provide your webservice via HTTP and HTTPS.
Install a proxy server (Internet Security and Acceleration Server or Apache with mod_proxy) on the same host as your existing server and setup the proxy server to listen via HTTPS and then reverse proxy the requests to your service.
The second option requires little to no changes to your application; the first option is the better long-term architectural move.
Use HTTPS.
A good toolkit for securing your communication channel is OpenSSL.
That said, even with a toolkit, there are plenty of ways to make mistakes when implementing your security layer that can leave your data open to attack. You should consider using an existing https server and having it forward the requests to your server on the loopback channel.
It's reasonably easy to do this using either OpenSSL or Microsoft's SChannel SSPI interface.
How complex it is for you depends on how you've structured your server. If it's a traditional style BSD sockets 'select' type server then it should be fairly straight forward to take the examples from either OpenSSL or SChannel and get something working pretty quickly.
If you're using a more complex server design (async sockets, IOCP, etc) then it's a bit more work as the examples don't tend to show these things. I wrote an article for Windows Developer Magazine back in 2002 which is available here which shows how to use OpenSSL with async sockets and this code can be used to work with overlapped I/O and IOCP based servers if you need to.