web service for accessing db?

  • Thread starter: Andy

Andy

Hi,
is a web service a good solution for accessing a database (heavily), remote or not?
That looks slow; are there any other methods for a secure connection? Some of my coworkers
want to use a web service because they don't want to
expose the connection string.
Thanks for the advice.
 
Andy,

Do you, in other words, mean that they invented the solutions other than
web services to support insecure connections?

Cor
 
Yeah, that's what I thought :) A web service is by its nature insecure. The guy
argues that embedding the connection string
in code is not secure enough compared to a web service.
 
Yes, but it also makes it very slow, right?
I mean, a web service was not meant to be the main bridge to a database, as I
understand it.
 
From testing, the web service is a bit slower than a direct connect.
However, speed is still quite good.

To load 14000 rows over https via the Internet (cable modem) takes 3 to 4
seconds (dataset serialized as xml [3.5 megabytes]). Updates involving 10
rows (round trip to get the autoincrement key and new timestamps) are sub
second - snap your finger - the start of the update is the beginning of the
snap sound - the end of the update is the end of the snap sound. Not very
scientific but it works for me.
 
Hi Andy,

Of course a web service is more secure when used correctly. The best security
is when you encrypt and sign at message level.
However, I don't think you actually need web services at all. Web services
are useful when the client is unknown (in your case, when the client is not
.NET).
Unless you want to support unknown clients, it is better if you avoid web
services because they are clumsy and very verbose, as they have to support
many different scenarios.
So, the bottom line is that you should use Windows Communication Foundation
with binary transfer or good old remoting.
 
Hi Miha,
Thanks for the response. So how good actually is security with remoting? The problem
is that I have to decide what to use from an old Win32 application for accessing
SQL Server 2005.
All clients are within the network or accessing the network through VPN. I decided
to use regular ADO, but some argue that exposing the connection string is not
safe. But we're already in the network, so what would be the point of using
a web service? I don't see any benefits at all.


Miha Markic said:
Hi Andy,

Of course a web service is more secure when used correctly. The best
security is when you encrypt and sign at message level.
However, I don't think you actually need web services at all. Web services
are useful when the client is unknown (in your case, when the client is not
.NET).
Unless you want to support unknown clients, it is better if you avoid web
services because they are clumsy and very verbose, as they have to support
many different scenarios.
So, the bottom line is that you should use Windows Communication
Foundation with binary transfer or good old remoting.

--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/

Andy said:
Hi,
is a web service a good solution for accessing a database (heavily), remote or
not? That looks slow; are there any other methods for a secure connection? Some of
my coworkers want to use a web service because they don't want to
expose the connection string.
Thanks for the advice.
 
Andy said:
Hi Miha,
Thanks for the response. So how good actually is security with remoting?
The problem is that I have to decide what to use from an old Win32 application for
accessing SQL Server 2005.
All clients are within the network or accessing the network through VPN. I
decided to use regular ADO, but some argue that exposing the connection string
is not safe. But we're already in the network, so what would be the point
of using a web service? I don't see any benefits at all.

It doesn't matter whether it is remoting or web services.
The point is (briefly) that if you expose the connection string, a
malicious user can read its content and connect to SQL Server directly.
So he can do whatever the connection string allows him to do, and even worse,
the user might exploit some SQL Server bug, etc.
OTOH, if the user is accessing through some sort of service, the user won't be seeing
SQL Server at all. The user would be allowed to do only what the service allows him
to do.
BTW, what authentication do you use - SQL Server or integrated?
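
The service-tier argument in the post above, as an added example that is not part of the original thread: only the service holds the connection, and callers get an allow-list of fixed, parameterized operations. The `OrderService` class, the `orders` table and the user names are hypothetical, and sqlite3 stands in for SQL Server.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 is a stand-in for SQL Server.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, total REAL)")
    db.executemany("INSERT INTO orders (owner, total) VALUES (?, ?)",
                   [("alice", 10.0), ("bob", 25.5), ("alice", 7.25)])
    db.commit()
    return db

class OrderService:
    """Hypothetical service tier: the only code that holds the connection."""

    # Allow-list: operation name -> (fixed SQL, parameter names the caller may send)
    OPERATIONS = {
        "list_my_orders": ("SELECT id, total FROM orders WHERE owner = :user ORDER BY id", ()),
        "add_order": ("INSERT INTO orders (owner, total) VALUES (:user, :total)", ("total",)),
    }

    def __init__(self, db):
        self._db = db

    def call(self, user, operation, **params):
        if operation not in self.OPERATIONS:
            raise PermissionError(f"operation not offered: {operation!r}")
        sql, allowed = self.OPERATIONS[operation]
        if set(params) != set(allowed):
            raise ValueError(f"expected parameters {allowed}, got {tuple(params)}")
        # The authenticated identity is bound by the service, never by the request.
        cur = self._db.execute(sql, dict(params, user=user))
        self._db.commit()
        return cur.fetchall()

def demo():
    db = make_db()
    svc = OrderService(db)
    svc.call("bob", "add_order", total=3.0)
    mine = svc.call("bob", "list_my_orders")
    try:
        svc.call("bob", "run_sql", text="DROP TABLE orders")
        refused = False
    except PermissionError:
        refused = True
    # Code holding the connection itself is limited only by the database's own grants.
    direct_rows = db.execute("SELECT owner, total FROM orders").fetchall()
    return mine, refused, len(direct_rows)
```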
 
I use integrated authentication.
I agree with everything, but what's the point in this case when clients are
inside the network anyway or using VPN?
Plus I have the connection string embedded into the code.
 
Andy said:
I use integrated authentication.
I agree with everything but what's the point in this case when clients
are inside the network anyway

It all depends on how much security you want to put into your application.
What if one of your users is malicious or if somebody steals his/her
credentials?

Andy said:
or using vpn?

VPN only protects the data transport and authentication but it doesn't
protect your application.

Andy said:
Plus I have connection string embedded into code.

Doesn't matter. If your application can get to the connection string then
any user with the same credentials (a user that can run your application) can
get to it.
Putting the connection string into the application is a weak defence (i.e. take
a look at Reflector). It would be better if you encrypt it. But still the
above sentence is valid anyway.
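
Added example, not part of the thread: a pre-release check that scans a build artifact for embedded connection strings, which is what a decompiler or a plain strings dump would show to anyone who can run the client. The sample bytes, server names and password are constructed.

```python
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
# .NET keeps string literals as UTF-16LE, so also look for "char, 0x00" pairs.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")
CONN = re.compile(r"(?:Data Source|Server)\s*=[^;]+;(?:\s*[\w ]+=[^;]*;?)*", re.I)
SECRET = re.compile(r"\b(Password|Pwd)\s*=\s*[^;]+", re.I)

def printable_runs(blob):
    """Yield (offset, encoding, text) for each printable run in the file."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def find_connection_strings(blob):
    """Report embedded connection strings, with any password value masked."""
    findings = []
    for offset, encoding, text in printable_runs(blob):
        for m in CONN.finditer(text):
            findings.append({
                "offset": offset,  # start of the printable run containing the match
                "encoding": encoding,
                "has_password": bool(SECRET.search(m.group())),
                "redacted": SECRET.sub(r"\1=***", m.group()),
            })
    return sorted(findings, key=lambda f: f["offset"])

# Constructed sample standing in for a compiled client (not a real binary).
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + "Server=sql01;Database=Sales;Integrated Security=SSPI;".encode("utf-16-le")
    + b"\x00\x00\x01\x17"
    + b"Data Source=db01;User ID=app;Password=constructed-secret;"
    + b"\x00\xff"
)

if __name__ == "__main__":
    for finding in find_connection_strings(SAMPLE):
        print(finding)
```

A hit without a password still matters with integrated authentication: it names the server and database that every user of the client can reach directly.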
 