Hi,
is a web service a good solution for accessing (heavily) a database (remote or not)?
That looks slow. Are there any other methods for a secure connection? Some of the coworkers
want to use a web service because they don't want
to expose the connection string.
Thanks for the advice.

Re: web service for accessing db? by Cor

Cor
Sat Oct 27 10:38:16 PDT 2007

Andy,

Do you, in other words, mean that they invented the solutions other than
web services to support insecure connections?

Cor


Re: web service for accessing db? by Andy

Andy
Sat Oct 27 12:31:46 PDT 2007

Yeah, that's what I thought :) A web service is by its nature insecure. The guy
argues that embedding the connection string
in code is not secure enough compared to a web service.



Re: web service for accessing db? by Jim

Jim
Sat Oct 27 13:44:50 PDT 2007

"s" after http makes the web service very secure with 128 bit SSL encryption



Re: web service for accessing db? by Andy

Andy
Sat Oct 27 14:45:07 PDT 2007

Yes, but it also makes it very slow, right?
I mean, a web service was not meant to be the main bridge to a database, as I
understand it.



Re: web service for accessing db? by Jim

Jim
Sun Oct 28 06:29:31 PDT 2007

From testing, the web service is a bit slower than a direct connect.
However, speed is still quite good.

To load 14000 rows over https via the Internet (cable modem) takes 3 to 4
seconds (dataset serialized as XML [3.5 megabytes]). Updates involving 10
rows (round trip to get the autoincrement key and new timestamps) are
sub-second - snap your finger - the start of the update is the beginning of the
snap sound - the end of the update is the end of the snap sound. Not very
scientific, but it works for me.



Re: web service for accessing db? by Miha

Miha
Sun Oct 28 10:23:19 PDT 2007

Hi Andy,

Of course a web service is more secure when used correctly. The best security
is when you encrypt and sign at message level.
However, I don't think you actually need web services at all. Web services
are useful when the client is unknown (in your case, when the client is not
.NET).
Unless you want to support unknown clients, it is better to avoid web
services because they are clumsy and very verbose, as they have to support
many different scenarios.
So, the bottom line is that you should use Windows Communication Foundation
with binary transfer or good old remoting.

--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/


Re: web service for accessing db? by Andy

Andy
Sun Oct 28 13:37:01 PDT 2007

Hi Miha,
thanks for the response. So how good actually is security with remoting? The problem
is that I have to decide what to use from an old Win32 application for accessing
SQL Server 2005.
All clients are within the network or accessing the network through VPN. I decided
to use regular ADO, but some argue that exposing the connection string is not
safe. But we're already in the network, so what would be the point in using
a web service? I don't see benefits at all.



Re: web service for accessing db? by Miha

Miha
Mon Oct 29 01:21:45 PDT 2007


"Andy" <kc2ine@yahoo.com> wrote in message
news:eB%23tLJaGIHA.700@TK2MSFTNGP05.phx.gbl...
> Hi Miha,
> thanks for the response. So how good actually is security with remoting?
> The problem is that I have to decide what to use from an old Win32 application for
> accessing SQL Server 2005.
> All clients are within the network or accessing the network through VPN. I
> decided to use regular ADO, but some argue that exposing the connection string
> is not safe. But we're already in the network, so what would be the point
> in using a web service? I don't see benefits at all.

It doesn't matter whether it is remoting or web services.
The point is (briefly), that if you expose the connection string, a
malicious user can read its content and connect to sql server directly.
So he can do whatever connection string allows him to do, and even worse,
user might exploit some sql server bug, etc.
OTOH if user is accessing through some sort of service, user won't be seeing
sql server at all. User would be allowed to do only what service allows him
to do.
BTW what authentication do you use - sql server or integrated?
--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/
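
A minimal sketch of the service tier described in the post above, added here as an illustration and not code from any poster in this thread. The client can call only the operation the contract exposes, and the connection string stays in the service host's configuration. The contract, the "OrdersDb" entry, the dbo.Orders table and the CORP\OrderClerks group are assumed names.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Permissions;
using System.ServiceModel;

// Hypothetical contract: the only operations a client can ever invoke.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    DataSet GetOrdersForCustomer(int customerId);
}

public class OrderService : IOrderService
{
    // Read on the server only. "OrdersDb" is an assumed entry in the service
    // host's <connectionStrings> section; it is never shipped to clients.
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["OrdersDb"].ConnectionString;

    // Callers must belong to an assumed Windows group; anyone else is refused
    // before any SQL runs.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CORP\OrderClerks")]
    public DataSet GetOrdersForCustomer(int customerId)
    {
        if (customerId <= 0)
            throw new FaultException("Invalid customer id.");

        // Fixed statement: the client supplies a value, never SQL text.
        const string sql =
            "SELECT OrderId, OrderDate, Total FROM dbo.Orders WHERE CustomerId = @id";

        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = customerId;
            var result = new DataSet("Orders");
            adapter.Fill(result); // Fill opens and closes the connection itself
            return result;
        }
    }
}
```

The SQL Server login behind the assumed "OrdersDb" entry belongs to the service account, so end users need no database login of their own and cannot reach the server with another tool.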


Re: web service for accessing db? by Andy

Andy
Mon Oct 29 19:23:17 PDT 2007

I use integrated authentication.
I agree with everything, but what's the point in this case when clients are
inside the network anyway or using VPN?
Plus I have the connection string embedded in the code.



Re: web service for accessing db? by Miha

Miha
Tue Oct 30 01:55:17 PDT 2007


"Andy" <kc2ine@yahoo.com> wrote in message
news:eiilWvpGIHA.4956@TK2MSFTNGP06.phx.gbl...
> I use integrated authentication.
> I agree with everything, but what's the point in this case when clients
> are inside the network anyway

It all depends on how much security you want to put into your application.
What if one of your users is malicious or if somebody steals his/her
credentials?

> or using VPN?

VPN only protects the data transport and authentication but it doesn't
protect your application.

> Plus I have the connection string embedded in the code.

Doesn't matter. If your application can get to the connection string, then
any user with the same credentials (a user that can run your application) can
get to it.
Putting the connection string into the application is a weak defence (i.e. take
a look at Reflector). It would be better if you encrypt it. But still the
above sentence is valid anyway.
--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/