Stephen Forero asked:

Security Concern using restful webservice, sql, port forwarding

Afternoon All,

I have a project that I am trying to accomplish.  Goal being, have my iPhone run stored procedures from a SQL database from outside the network.

As I am very new to this I am trying to put together all the pieces conceptually.

From researching and asking around so far I have implemented the following:

A. On my home PC, I set up a RESTful WCF service.  I've been reading about REST services and don't quite understand the difference, but that seems to be what is recommended a lot.

B.  Then I have it hosted using IIS.  From what I understand on this, you have to host the web service somehow, so this is what I am using.  Correct me if I am wrong, but IIS gives others the ability to SEE/ACCESS this web service.

C.  Right now it works INSIDE my home network.  All I have set up now is a standard one: the user types in an HTTP address, like "www.192.xxx.xxx.xx/mywebservice/custommessagegoeshere"
Then the service returns a message like YOU HAVE RETURNED custommessagegoeshere.

D.  Next step will be to return data from a local SQL stored procedure, and return that data in xml or json format.

Question #1
Will I be able to run stored procedures using an HTTP GET or POST like I am using so far in my very standard message above?

Question #2
Eventually when this project is complete I will host on a site like godaddy or something like that.  But until then I will have this hosted on my home computer, and goal being able to access from outside my home network.
So... to accomplish having outside users access this local webservice.  I think I need to do PORTFORWARDING.  I'm still trying to learn about this, but I think anytime my router gets a request at X port, it forwards to my webservice.
- Is this correct?  Is port forwarding what I should use?
- Is this safe?  By using port forwarding, am I opening up my home PC to the world?  Can hackers ruin my home PC doing this?

Sorry for the long post.
David Johnson, CD

Every time you open a port for unsolicited inbound, yes, you are reducing your security.  But if the only thing that is using that port is the RESTful service, then that is the only attack vector.

If you want to never get malware or have security issues, remove the hard drive and never turn on the computer.. this isn't very practical.. sometimes you need to get something done, so you make allowances for it.

So you add authentication to the web service.. so that people hit the logon prompt and not have a clue what the heck is behind the login.  You don't have to expose the SQL Server database to the world.. keep its connections behind the router. I.e., if you have to open port 1433, only allow it within your subnet.
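
The advice above expressed as Windows Firewall rules, followed by a check of what the PC exposes (an added example, not part of the original thread). It assumes the web service listens on TCP 8010, SQL Server uses its default TCP 1433, and the router forwards only the web service port; the rule names are made up for illustration.

```powershell
# Added example. Run in an elevated PowerShell session on the PC hosting IIS and SQL Server.
# Assumptions: web service on TCP 8010, SQL Server on its default TCP 1433.
$WebPort = 8010
$SqlPort = 1433

# 1. The web service is the only thing meant to be reachable through the router's port forward.
New-NetFirewallRule -DisplayName 'REST service (inbound)' -Direction Inbound `
    -Protocol TCP -LocalPort $WebPort -Action Allow | Out-Null

# 2. SQL Server: accept connections from the local subnet only, never from the internet.
#    Needed only if another machine on the LAN has to reach SQL Server directly.
New-NetFirewallRule -DisplayName 'SQL Server (local subnet only)' -Direction Inbound `
    -Protocol TCP -LocalPort $SqlPort -RemoteAddress LocalSubnet -Action Allow | Out-Null

# 3. Audit: every enabled inbound allow rule that accepts traffic from ANY remote address.
#    After the setup above, port 1433 should not appear in this list.
function Get-WideOpenInboundRule {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        if ($addr.RemoteAddress -contains 'Any') {
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
                Profile   = $_.Profile
            }
        }
    }
}
Get-WideOpenInboundRule | Sort-Object LocalPort | Format-Table -AutoSize

# 4. What is actually listening on all interfaces, and which process owns each port.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
    Select-Object LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Sort-Object LocalPort -Unique | Format-Table -AutoSize
```

The router's port forward decides which single port internet traffic can reach on the PC; the firewall rules decide what the PC itself accepts, so the two together keep SQL Server reachable only from inside the home network.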
Aaron Tomosky

This solution is only available to members.

No points for this, please.  Just a couple of links that might be useful.

// COMMONLY USED PORT NUMBERS
// SEE: http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml (SLOW TO LOAD)
// SEE: http://browntips.com/cpanel-and-whm-port-numbers/
Stephen Forero (ASKER)

thanks for the help everyone

ve3ofa,
So you add authentication to the web service.. so that people hit the logon prompt and not have a clue what the heck is behind the login.  You don't have to expose the SQL Server database to the world.. keep its connections behind the router. I.e., if you have to open port 1433, only allow it within your subnet.

sorry for my ignorance... so if I use port forwarding... anyone who tries to access my IP address with that port hits my web service ONLY?  that's the part I'm confused about.  meaning, when I use port forwarding and it forwards, can an outside user hit my PC, or do they ONLY see a web service?  What does that mean, "keep its connections behind a router"?

aaron,
Your website connects to SQL on 1433 but your phone connects to your web service on port 80 like the rest of the web (you can change it to anything you want though). So you reach your computer from your phone not in your wifi, you need to forward port 80 on your router to your pc. (Or whatever port you choose) then use your external ip from your phone. Find this by going to whatismyip.com on your computer
This part I think I understand... web service connecting to SQL on 1433... and my phone will connect to the web service on port 80.
I guess the main thing I just want to make sure of is, when I open that port 80, will an internet user ONLY see the web service... or can they hack my PC.

And again, I understand I cannot be 100% secure... I just mean whatever the norm is for security.  Don't want to be completely open.

Sorry for the repetitiveness

They should only see the web service. However, hacking IS a process in which people try to get access to things they don't have access to.
For your situation it's fine. If you want to be extra careful you can run your web server on a non-standard port like 8010 or something.

thank you... I believe that answers my main concern.  appreciate the help

ASKER CERTIFIED SOLUTION
This solution is only available to members.

thanks... so adding authentication to the webservice and using a non-standard port should be enough for my mere webservice.

thanks guys