-
Can a Delegate be passed to a Web Service?
I am currently working on a project and we are trying to overcome some
issues with our network security setup. Basically we want to have database
and application servers on the protected side of a firewall supply data to a
web server on the exposed side of the firewall.
The IT group isn't comfortable with opening a direct port from the web
server to the application and database servers. The firewall is set up so
connections can only be initiated from the protected side of the firewall -
all outside requests are dropped unless they are in response to an internal
request.
We are trying to figure out how to let the web server talk to the database
server without compromising security. The web server can't request data
through the firewall and we don't want to have the app server constantly
polling the web server to find out if it needs data (or has data that needs
to be pulled inside the firewall).
Here's our idea - I'm curious if anyone knows if it will work. We have just
started researching it and haven't tried to implement it.
Might it be possible to have the app server use a web service on the web
server to pass a delegate to a method of an object that resides on the app
server. I realize that sentence might be hard to parse so I will explain it
more.
The web server could run a web service - perhaps like GimmeADelegate(d as
Delegate).
The app server could create an instance of our data access class
The app server then creates a delegate to an ExecuteSQL method on the class
The app server then passes the delegate to the web server's GimmeADelegate
When the web server needs to execute SQL it could use d.invoke(sql)
Two questions:
Is it possible to pass a delegate over the internet and have it invoke a
method on the local system?
If it is possible is it through the same TCP/IP connection such that a
firewall will think it originated on the safe side?
Sorry for the lengthy post, if it was a simple question I wouldn't bother to
ask it. I realize the only way to find out might be to try it - I was just
trying to save some development time on the off chance that someone else has
tried something like this.
Steve Hiner
-
Re: Can a Delegate be passed to a Web Service?
G'day Steve.
IMO, it would not be feasible to make what you ask work; I am sure that you
can not simply pass a delegate across machine boundaries and have it work;
you need to use either remoting or a webservice, which brings you full circle....
The real problem seems to be in your security setup. It is atypical to have
your webserver outside your firewall. Usually, the firewall is the external
access point, it accepts traffic in port 80 (or whatever ports it is configured
to accept) and routes that traffic to the relevant internal machine - ie
your webserver. Off the top of my head, I cannot think of any reason why
you would put the webserver outside the FW, unless you needed to accept some
unusual port traffic, and were for some reason unable to configure the firewall
to handle it appropriately....
Cheers,
Paul
-
Re: Can a Delegate be passed to a Web Service?
Hi
Another possibility is to put the Web server in a DMZ.
The firewall between the Internet and the DMZ only allows external requests
to the Web Server on ports 80 and 443. The second firewall between the DMZ
and the LAN only allows inbound requests from the designated web server and
only on one predefined port (not 80 or 443).
Alternative 1:
Web server on the DMZ using Web Service/.Net Remoting to communicate with
the application server through the second firewall.
Alternative 2:
Combined Web/Application server on the DMZ using TCP/IP on the designated
port to communicate with the database server through the second firewall.
If your safety advisors can't accept that, maybe they need to educate
themselves in Internet security!
/Reine
"Paul Mc" <paulmc@nospam.thehub.com.au> wrote:
>
>G'day Steve.
>
>IMO, it would not be feasible to make what you ask work; I am sure that you
>can not simply pass a delegate across machine boundaries and have it work;
>you need to use either remoting or a webservice, which brings you full circle....
>
>The real problem seems to be in your security setup. It is atypical to have
>your webserver outside your firewall. Usually, the firewall is the external
>access point, it accepts traffic in port 80 (or whatever ports it is configured
>to accept) and routes that traffic to the relevant internal machine - ie
>your webserver. Off the top of my head, I cannot think of any reason why
>you would put the webserver outside the FW, unless you needed to accept some
>unusual port traffic, and were for some reason unable to configure the firewall
>to handle it appropriately....
>
>
>Cheers,
>Paul
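
Added example, not part of any post in this thread: a small Python model of the two-firewall DMZ layout in Alternative 1 above, compared with the inside-initiated-only policy from the original question. The host names, port 9000 and the list of probed ports are constructed assumptions; the point is to list what a compromised web server could open into the LAN under each policy.

```python
# Zones: 0 = Internet, 1 = DMZ, 2 = LAN. Hosts are constructed placeholders.
ZONE = {"internet": 0, "web": 1, "app": 2, "db": 2, "pc": 2}
APP_PORT = 9000  # assumed value for the "one predefined port (not 80 or 443)"

# Firewall 0 sits between Internet and DMZ, firewall 1 between DMZ and LAN.
# Each rule is (src, dst, port) for NEW connections; "*" matches anything.
# Replies on an established connection are assumed to pass (stateful firewall).
PUBLIC_WEB = [("*", "web", 80), ("*", "web", 443)]

# Policy from the original question: only LAN hosts may initiate through fw 1.
CURRENT = {
    0: PUBLIC_WEB,
    1: [(h, "*", "*") for h, z in ZONE.items() if z == 2],
}

# Alternative 1: the designated web server may reach the app server on one port.
DMZ_ALT1 = {
    0: PUBLIC_WEB,
    1: [("web", "app", APP_PORT)],
}


def allowed(policy, src, dst, port):
    """True if a new connection src -> dst:port passes every firewall on its path."""
    lo, hi = sorted((ZONE[src], ZONE[dst]))
    for fw in range(lo, hi):
        if not any(s in ("*", src) and d in ("*", dst) and p in ("*", port)
                   for s, d, p in policy[fw]):
            return False  # default deny: no rule on this firewall matched
    return True


def reachable_from(policy, src, ports=(80, 443, 1433, APP_PORT)):
    """LAN (host, port) pairs that src could open: its exposure if compromised."""
    return {(dst, port)
            for dst in ZONE if ZONE[dst] == 2
            for port in ports
            if allowed(policy, src, dst, port)}


if __name__ == "__main__":
    for name, policy in (("current", CURRENT), ("DMZ alt 1", DMZ_ALT1)):
        print(name, "-> web server can open:", sorted(reachable_from(policy, "web")))
```

Under the modelled DMZ policy the web server's reach into the LAN is exactly one service, which is the exposure that service's own authentication and input validation then have to cover.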
-
Re: Can a Delegate be passed to a Web Service?
Steve,
Tell your IT guys to lay off the grass, it's making them paranoid
--
Michael Culley
www.vbdotcom.com
"Steve Hiner" <newsgroup@removeme-isiaz.com> wrote in message
news:3cbf5079$1@10.1.10.29...
> I am currently working on a project and we are trying to overcome some
> issues with our network security setup. Basically we want to have database
> and application servers on the protected side of a firewall supply data to a
> web server on the exposed side of the firewall.
>
> The IT group isn't comfortable with opening a direct port from the web
> server to the application and database servers. The firewall is set up so
> connections can only be initiated from the protected side of the firewall -
> all outside requests are dropped unless they are in response to an internal
> request.
>
> We are trying to figure out how to let the web server talk to the database
> server without compromising security. The web server can't request data
> through the firewall and we don't want to have the app server constantly
> polling the web server to find out if it needs data (or has data that needs
> to be pulled inside the firewall).
>
> Here's our idea - I'm curious if anyone knows if it will work. We have just
> started researching it and haven't tried to implement it.
>
> Might it be possible to have the app server use a web service on the web
> server to pass a delegate to a method of an object that resides on the app
> server. I realize that sentence might be hard to parse so I will explain it
> more.
>
> The web server could run a web service - perhaps like GimmeADelegate(d as
> Delegate).
> The app server could create an instance of our data access class
> The app server then creates a delegate to an ExecuteSQL method on the class
> The app server then passes the delegate to the web server's GimmeADelegate
> When the web server needs to execute SQL it could use d.invoke(sql)
>
> Two questions:
> Is it possible to pass a delegate over the internet and have it invoke a
> method on the local system?
> If it is possible is it through the same TCP/IP connection such that a
> firewall will think it originated on the safe side?
>
> Sorry for the lengthy post, if it was a simple question I wouldn't bother to
> ask it. I realize the only way to find out might be to try it - I was just
> trying to save some development time on the off chance that someone else has
> tried something like this.
>
> Steve Hiner
-
Re: Can a Delegate be passed to a Web Service?
Given the security concerns, it might be best to advise the admins to remove
their system from internet access entirely. People can just write up requests
and mail them to a data processing center. In a week or two, they will receive
a reply in the mail containing the data they requested. It may be labor
intensive, but there will be far fewer loopholes to exploit.
Yes, that WAS a joke...
-
Re: Can a Delegate be passed to a Web Service?
"Paul Mc" <paulmc@nospam.thehub.com.au> wrote in message
news:3cbf5925$1@10.1.10.29...
>
> G'day Steve.
>
> IMO, it would not be feasible to make what you ask work; I am sure that you
> can not simply pass a delegate across machine boundaries and have it work;
> you need to use either remoting or a webservice, which brings you full circle....
We suspected it wasn't possible but I thought I'd find out. This was our
long-shot option, if it worked we could have solved a lot of our problems.
> The real problem seems to be in your security setup. It is atypical to have
> your webserver outside your firewall. Usually, the firewall is the external
> access point, it accepts traffic in port 80 (or whatever ports it is configured
> to accept) and routes that traffic to the relevant internal machine - ie
> your webserver. Off the top of my head, I cannot think of any reason why
> you would put the webserver outside the FW, unless you needed to accept some
> unusual port traffic, and were for some reason unable to configure the firewall
> to handle it appropriately....
The web server is behind a firewall as well. The IT guys like to have any
publicly accessible system on a separate subnet from the rest of the company
to make sure that the company data is safe even if the web server is
compromised. Normally I would put the web server on the same side of the
firewall as the production computers but it isn't my choice. If absolutely
necessary they will probably change how it is set up. We are going to tell
the "powers that be" what features they will lose if they don't let us
change the architecture and let them make the choice about trading a little
security for extra features. We were just hoping to give them both.
Steve
-
Re: Can a Delegate be passed to a Web Service?
"Jason" <jason@creative_nospam_corp.com> wrote in message
news:3cc02deb$1@10.1.10.29...
>
> Given the security concerns, it might be best to advise the admins to remove
> their system from internet access entirely. People can just write up requests
> and mail them to a data processing center. In a week or two, they will receive
> a reply in the mail containing the data they requested. It may be labor
> intensive, but there will be far fewer loopholes to exploit.
>
> Yes, that WAS a joke...
Funnier because that's basically how some of their business is done. They
get amazing quantities of mail and faxes. A fair amount of the data my
software processes ends up getting faxed to someone.
Steve
-
Re: Can a Delegate be passed to a Web Service?
"Reine Olofsson" <reine@faktab.se> wrote in message
news:3cbfc2fb$1@10.1.10.29...
>
> Hi
>
> Another possibility is to put the Web server in a DMZ.
> The firewall between the Internet and the DMZ only allows external requests
> to the Web Server on ports 80 and 443. The second firewall between the DMZ
> and the LAN only allows inbound requests from the designated web server and
> only on one predefined port (not 80 or 443).
> Alternative 1:
> Web server on the DMZ using Web Service/.Net Remoting to communicate with
> the application server through the second firewall.
We have suggested this and they weren't thrilled with it. It is a workable
solution though - I think we can convince them that it can be secure. Their
complaint is that internal security could be compromised if the web server
was compromised.
> Alternative 2:
> Combined Web/Application server on the DMZ using TCP/IP on the designated
> port to communicate with the database server through the second firewall.
Similar issues with Alt 1. Also a workable solution. I think they will
pick one of these once they see the features they will lose by sticking
with the current architecture.
Steve
> If your safety advisors can't accept that, maybe they need to educate
> themselves in Internet security!
Unfortunately I don't know enough to educate them. I know a bit but not
nearly enough to argue the technical issues involved. There are some other
developers on the project that have a lot more internet security experience
than I do so perhaps they will be good educators.
Steve