Solved

Anyone a security guru out there WCF question.

Posted on 2014-03-17
2
283 Views
Last Modified: 2014-04-13
Hello all,

I need some opinions on this and education really as I continue to research.    I work at a company where we have sensitive data in a core Intranet based application in-house of course.   The backend is a SQL Server database.    There is a need to expose externally to some vendors some of the data within the core system as well as 'provide' us some data we would be inserting or updating to a few tables.   We created a service layer to eventually be able to expose some of our service call methods such as gets etc. external to our application.  So I have a few questions I am concerned about and need to understand better:

- Is it good practice to have a second database that only has data relevant to the external based system to have that separation.  My thinking is this is kind of getting away with secure WCF messaging so this would be a waste of time.   If they can compromise a second database why not the first etc.   Then the idea would be replication etc. to move data back and forth to our core database.   This is the main question that came up as the core database has a lot of sensitive data.  

- Not sure where we would be 'hosting' this external application but of course it would be on the DMZ so it can be exposed.   Any thoughts or use case scenarios on this is it WCF with certificate based security etc.

Anyway I know this is a loaded question but looking to understand it better because of the personal data we need to be careful is not exposed.   I am not a WCF guru and have used in the past here and there.

Thanks for any information, links etc. you can provide.
0
Comment
Question by:sbornstein2
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 25

Accepted Solution

by:
apeter earned 500 total points
ID: 39936628
From the application side using below would secure your request coming in.

*  Request comes over https
*  Each request comes with a custom authentication in the header which you can share with your clients


From db level you can have this setting. This way it is like a second database, logically.
*You can create separate views for this application to get data.
* Also create a separate database user that will used in above application and they have permission only to these views.

same thing can be done in "asp.net web api"(Rest based HTTP Call), just in case if you are just starting...

Hope this gives a start.
0
 
LVL 96

Expert Comment

by:Bob Learned
ID: 39937450
With 4.5, the Windows Identity Foundation (WIF) was fully integrated into the framework.  The WCF Security Token Service works with certificates to sign the tokens.

WCF Security Token Service
http://msdn.microsoft.com/en-us/library/ee748498.aspx

Here is some good reading material on WCF security:

Fundamentals of WCF Security
http://www.codemag.com/article/0611051
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Probable TCP NULL scan detected 10 380
To Use Sandbox in VMware 6 166
WCF Rest Service Timeout Exception 3 196
Noob question:this site is sql vulns? 2 116
This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
One of the biggest threats facing all high-value targets are APT's.  These threats include sophisticated tactics that "often starts with mapping human organization and collecting intelligence on employees, who are nowadays a weaker link than network…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question