Solved

ASP.NET 3 TIRED APPLICATION Webservice Vs Stored Procedure

Posted on 2010-11-15
3
346 Views
Last Modified: 2012-05-10
Hello Experts:

I am designing a internet facing website that will access data from our sql server database and display it on the web.

There are two machines
MACHINE A is the webserver. It  has IIS and it is facing the internet.
MACHINE B is has SQLServer 2005 Database.
MACHINE A AND MACHINE B ARE IN THE SAME FACILITY.

Option 1:
(A) Install WebService on MACHINE B.
(B) Web Server(MACHINE A) will call webservice.
(C) Webservice will access SQLServer database and return data.

Option 2:
(A) Do not install webservice on MACHINE B.
(B) Web server directly access SQL Server database on MACHINE B exclusively using ONLY STORED PROCS through Data Layer. ( just like in 3 tier application )

Question:
(1) Security wise which option is better. Option 1 or Option 2 or are both equally vulnerable.
(2) What are the relative advantages / disadvantages of both the method.
(3) What method would you recommend?
(4) What is the general industry trend?

THANK YOU FOR ALL YOUR HELP.





0
Comment
Question by:neetu2008
3 Comments
 
LVL 52

Accepted Solution

by:
Carl Tawn earned 167 total points
ID: 34140704
1) Shouldn't make much difference as long as you are careful about how you code your SQL procedures.

2) Depends what you're overall objective is really. Hiding the web app from the details of the data store makes your app more loosely coupled and gives you more options in terms of scalability. Straight app -> DB comms will be quicker to develop.

3) Which I would go with would depend on the app. Either works, you could even go for a combination of the two. If the stuff you are planning to put in a web service is reusable across apps then that will save you time in the future too and allow you to just update the service without having to recode the app if the DB changes.

4) Again a good mixture of the two.
0
 
LVL 21

Assisted Solution

by:Alfred1
Alfred1 earned 167 total points
ID: 34141398
1) Both options have security features that would be almost the same (permissions, logins, etc.).  

2) In my opinion, option 1 is more scalable than option 2 but from experience, it is easier for me to debug or maintain option 2 setup.

3) It really depends on your short, medium, and long term plans.  If you plan to offer services to clients, like consuming raw data for use in third-party portals through the internet, web services would be the one I am going to use (option 1).  If your website is only focused or centralised in your company, meaning all control of data is through web browsers, you might as well stick with option 2.  

You can even have both option 1 and option 2 combined if you want.  You can have both web browser or web service interface accessing the same Business Logic Layer and Data Access Layer.  I am actually implementing this scenario in a project I am doing right now.

4) Both are general industry trend.   As @carl_tawn mentioned in his number 4, a good mixture of the two.
0
 
LVL 10

Assisted Solution

by:wls3
wls3 earned 166 total points
ID: 34142115
Securitywise, you want to keep your datastore on a separate segment (separated by a firewall) from the web server.  Since you don't appear to have multiple tiers (2-tier seems the most logical), isolate the application from the data base server.  This way if the application is compromised, you still have the database outside the DMZ.  Additionally, if you are still concerned about database security, encrypt your data.  It does slow SQL, but, it guarantees that, even if cracked, the data is still not an issue. That being said, option 2, perhaps with .NET 4.0 and strongly typed entity framework datasets and well-written parametrized queries to your stored procs would eliminate all but a small handful of hackers.  As I tend to recommend often, adding custom httphandlers to filter out garbage from the incoming requests can add an extra layer of security.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

ASP.Net to Oracle Connectivity Recently I had to develop an ASP.NET application connecting to an Oracle database.As I am doing it first time ,I had to solve several problems. This article will help to such developers  to develop an ASP.NET client…
A quick way to get a menu to work on our website, is using the Menu control and assign it to a web.sitemap using SiteMapDataSource. Example of web.sitemap file: (CODE) Sample code to add to the page menu: (CODE) Running the application, we wi…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now