Solved

ASP.NET 3 TIER APPLICATION Webservice Vs Stored Procedure

Posted on 2010-11-15
Last Modified: 2012-05-10
Hello Experts:

I am designing an internet-facing website that will access data from our SQL Server database and display it on the web.

There are two machines
MACHINE A is the webserver. It has IIS and it is facing the internet.
MACHINE B has SQL Server 2005 Database.
MACHINE A AND MACHINE B ARE IN THE SAME FACILITY.

Option 1:
(A) Install WebService on MACHINE B.
(B) Web Server(MACHINE A) will call webservice.
(C) Webservice will access SQLServer database and return data.

Option 2:
(A) Do not install webservice on MACHINE B.
(B) Web server directly accesses SQL Server database on MACHINE B exclusively using ONLY STORED PROCS through Data Layer (just like in a 3-tier application).

Question:
(1) Security-wise, which option is better: Option 1 or Option 2, or are both equally vulnerable?
(2) What are the relative advantages / disadvantages of both methods?
(3) What method would you recommend?
(4) What is the general industry trend?

THANK YOU FOR ALL YOUR HELP.





0
Question by:neetu2008
3 Comments
 
LVL 52

Accepted Solution

by:
Carl Tawn earned 167 total points
ID: 34140704
1) Shouldn't make much difference as long as you are careful about how you code your SQL procedures.

2) Depends what your overall objective is really. Hiding the web app from the details of the data store makes your app more loosely coupled and gives you more options in terms of scalability. Straight app -> DB comms will be quicker to develop.

3) Which I would go with would depend on the app. Either works, you could even go for a combination of the two. If the stuff you are planning to put in a web service is reusable across apps then that will save you time in the future too and allow you to just update the service without having to recode the app if the DB changes.

4) Again a good mixture of the two.
0
 
LVL 21

Assisted Solution

by:Alfred1
Alfred1 earned 167 total points
ID: 34141398
1) Both options have security features that would be almost the same (permissions, logins, etc.).  

2) In my opinion, option 1 is more scalable than option 2 but from experience, it is easier for me to debug or maintain option 2 setup.

3) It really depends on your short, medium, and long term plans.  If you plan to offer services to clients, like consuming raw data for use in third-party portals through the internet, web services would be the one I am going to use (option 1).  If your website is only focused or centralised in your company, meaning all control of data is through web browsers, you might as well stick with option 2.  

You can even have both option 1 and option 2 combined if you want.  You can have both web browser or web service interface accessing the same Business Logic Layer and Data Access Layer.  I am actually implementing this scenario in a project I am doing right now.

4) Both are general industry trends. As @carl_tawn mentioned in his number 4, a good mixture of the two.
0
 
LVL 10

Assisted Solution

by:wls3
wls3 earned 166 total points
ID: 34142115
Security-wise, you want to keep your datastore on a separate segment (separated by a firewall) from the web server.  Since you don't appear to have multiple tiers (2-tier seems the most logical), isolate the application from the database server.  This way, if the application is compromised, you still have the database outside the DMZ.  Additionally, if you are still concerned about database security, encrypt your data.  It does slow SQL, but it guarantees that, even if cracked, the data is still not an issue. That being said, option 2, perhaps with .NET 4.0 and strongly typed Entity Framework datasets and well-written parameterized queries to your stored procs, would eliminate all but a small handful of hackers.  As I tend to recommend often, adding custom HTTP handlers to filter out garbage from the incoming requests can add an extra layer of security.
0
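
Added example, not part of any answer in this thread: a T-SQL sketch of what "careful about how you code your SQL procedures" and "parametrized queries to your stored procs" come down to for Option 2, showing a concatenating procedure beside its static form and an execute-only database role for the account the web server connects with. The table, procedure, role, user and login names are assumed for illustration; the syntax used is available in SQL Server 2005.

```sql
-- Constructed schema; dbo.Customers and every other name here is assumed.
CREATE TABLE dbo.Customers (
    CustomerId int IDENTITY PRIMARY KEY,
    LastName   nvarchar(50) NOT NULL
);
GO

-- Weak: the parameter is concatenated into the statement text, so the
-- value becomes part of the SQL that is parsed and executed. Using a
-- stored procedure does not help when the body is built this way.
CREATE PROCEDURE dbo.usp_FindCustomer_Weak
    @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(400);
    SET @sql = N'SELECT CustomerId, LastName FROM dbo.Customers '
             + N'WHERE LastName = ''' + @LastName + N'''';
    EXEC (@sql);
END
GO

-- Hardened: static statement; @LastName is only ever bound as data.
CREATE PROCEDURE dbo.usp_FindCustomer
    @LastName nvarchar(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, LastName
    FROM dbo.Customers
    WHERE LastName = @LastName;
END
GO

-- Least privilege for the account MACHINE A uses (assumed login name):
-- it may execute the procedure and has no direct rights on tables.
-- The static procedure still works because ownership chaining skips the
-- permission check on dbo.Customers; dynamic SQL breaks that chain and is
-- checked against the caller's own rights, so the DENY below also limits
-- what a concatenating procedure could reach.
CREATE ROLE web_app_role;
CREATE USER web_app_user FOR LOGIN web_app_login;
EXEC sp_addrolemember N'web_app_role', N'web_app_user';
GRANT EXECUTE ON OBJECT::dbo.usp_FindCustomer TO web_app_role;
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO web_app_role;
GO
```

On the web server side, the data layer would call `dbo.usp_FindCustomer` through ADO.NET with `CommandType.StoredProcedure` and a typed `SqlParameter`, so the value is never spliced into command text there either.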
