Can a Delegate be passed to a Web Service?



Thread: Can a Delegate be passed to a Web Service?

  1. #1
    Steve Hiner Guest

    Can a Delegate be passed to a Web Service?

    I am currently working on a project and we are trying to overcome some
    issues with our network security setup. Basically we want to have database
    and application servers on the protected side of a firewall supply data to a
    web server on the exposed side of the firewall.

    The IT group isn't comfortable with opening a direct port from the web
    server to the application and database servers. The firewall is set up so
    connections can only be initiated from the protected side of the firewall -
    all outside requests are dropped unless they are in response to an internal
    request.

    We are trying to figure out how to let the web server talk to the database
    server without compromising security. The web server can't request data
    through the firewall and we don't want to have the app server constantly
    polling the web server to find out if it needs data (or has data that needs
    to be pulled inside the firewall).

    Here's our idea - I'm curious if anyone knows if it will work. We have just
    started researching it and haven't tried to implement it.

    Might it be possible to have the app server use a web service on the web
    server to pass a delegate to a method of an object that resides on the app
    server? I realize that sentence might be hard to parse so I will explain it
    more.

    The web server could run a web service - perhaps like GimmeADelegate(d as
    Delegate).
    The app server could create an instance of our data access class
    The app server then creates a delegate to an ExecuteSQL method on the class
    The app server then passes the delegate to the web server's GimmeADelegate
    When the web server needs to execute SQL it could use d.invoke(sql)

    Two questions:
    Is it possible to pass a delegate over the internet and have it invoke a
    method on the local system?
    If it is possible is it through the same TCP/IP connection such that a
    firewall will think it originated on the safe side?

    Sorry for the lengthy post, if it was a simple question I wouldn't bother to
    ask it. I realize the only way to find out might be to try it - I was just
    trying to save some development time on the off chance that someone else has
    tried something like this.

    Steve Hiner




  2. #2
    Paul Mc Guest

    Re: Can a Delegate be passed to a Web Service?


    G'day Steve.

    IMO, it would not be feasible to make what you ask work; I am sure that you
    can not simply pass a delegate across machine boundaries and have it work;
    you need to use either remoting or a webservice, which brings you full circle....

    The real problem seems to be in your security setup. It is atypical to have
    your webserver outside your firewall. Usually, the firewall is the external
    access point, it accepts traffic in port 80 (or whatever ports it is configured
    to accept) and routes that traffic to the relevant internal machine - ie
    your webserver. Off the top of my head, I cannot think of any reason why
    you would put the webserver outside the FW, unless you needed to accept some
    unusual port traffic, and were for some reason unable to configure the firewall
    to handle it appropriately....


    Cheers,
    Paul

  3. #3
    Michael Culley Guest

    Re: Can a Delegate be passed to a Web Service?

    Steve,

    Tell your IT guys to lay off the grass, it's making them paranoid

    --
    Michael Culley
    www.vbdotcom.com



    "Steve Hiner" <newsgroup@removeme-isiaz.com> wrote in message
    news:3cbf5079$1@10.1.10.29...
    > I am currently working on a project and we are trying to overcome some
    > issues with our network security setup. Basically we want to have database
    > and application servers on the protected side of a firewall supply data to a
    > web server on the exposed side of the firewall.
    >
    > The IT group isn't comfortable with opening a direct port from the web
    > server to the application and database servers. The firewall is set up so
    > connections can only be initiated from the protected side of the firewall -
    > all outside requests are dropped unless they are in response to an internal
    > request.
    >
    > We are trying to figure out how to let the web server talk to the database
    > server without compromising security. The web server can't request data
    > through the firewall and we don't want to have the app server constantly
    > polling the web server to find out if it needs data (or has data that needs
    > to be pulled inside the firewall).
    >
    > Here's our idea - I'm curious if anyone knows if it will work. We have just
    > started researching it and haven't tried to implement it.
    >
    > Might it be possible to have the app server use a web service on the web
    > server to pass a delegate to a method of an object that resides on the app
    > server. I realize that sentence might be hard to parse so I will explain it
    > more.
    >
    > The web server could run a web service - perhaps like GimmeADelegate(d as
    > Delegate).
    > The app server could create an instance of our data access class
    > The app server then creates a delegate to an ExecuteSQL method on the class
    > The app server then passes the delegate to the web server's GimmeADelegate
    > When the web server needs to execute SQL it could use d.invoke(sql)
    >
    > Two questions:
    > Is it possible to pass a delegate over the internet and have it invoke a
    > method on the local system?
    > If it is possible is it through the same TCP/IP connection such that a
    > firewall will think it originated on the safe side?
    >
    > Sorry for the lengthy post, if it was a simple question I wouldn't bother to
    > ask it. I realize the only way to find out might be to try it - I was just
    > trying to save some development time on the off chance that someone else has
    > tried something like this.
    >
    > Steve Hiner




  4. #4
    Reine Olofsson Guest

    Re: Can a Delegate be passed to a Web Service?


    Hi

    Another possibility is to put the Web server in a DMZ.
    The firewall between the Internet and the DMZ only allows external requests
    to the Web Server on ports 80 and 443. The second firewall between the DMZ
    and the LAN only allows inbound requests from the designated web server and
    only on one predefined port (not 80 or 443).
    Alternative 1:
    Web server on the DMZ using Web Service/.Net Remoting to communicate with
    the application server through the second firewall.
    Alternative 2:
    Combined Web/Application server on the DMZ using TCP/IP on the designated
    port to communicate with the database server through the second firewall.

    If your safety advisors can't accept that, maybe they need to educate
    themselves in Internet security!

    /Reine

    "Paul Mc" <paulmc@nospam.thehub.com.au> wrote:
    >
    >G'day Steve.
    >
    >IMO, it would not be feasible to make what you ask work; I am sure that you
    >can not simply pass a delegate across machine boundaries and have it work;
    >you need to use either remoting or a webservice, which brings you full circle....
    >
    >The real problem seems to be in your security setup. It is atypical to have
    >your webserver outside your firewall. Usually, the firewall is the external
    >access point, it accepts traffic in port 80 (or whatever ports it is configured
    >to accept) and routes that traffic to the relevant internal machine - ie
    >your webserver. Off the top of my head, I cannot think of any reason why
    >you would put the webserver outside the FW, unless you needed to accept some
    >unusual port traffic, and were for some reason unable to configure the firewall
    >to handle it appropriately....
    >
    >
    >Cheers,
    >Paul



  5. #5
    Jason Guest

    Re: Can a Delegate be passed to a Web Service?


    Given the security concerns, it might be best to advise the admins to remove
    their system from internet access entirely. People can just write up requests
    and mail them to a data processing center. In a week or two, they will receive
    a reply in the mail containing the data they requested. It may be labor
    intensive, but there will be far fewer loopholes to exploit.

    Yes, that WAS a joke...

  6. #6
    Steve Hiner Guest

    Re: Can a Delegate be passed to a Web Service?

    "Paul Mc" <paulmc@nospam.thehub.com.au> wrote in message
    news:3cbf5925$1@10.1.10.29...
    >
    > G'day Steve.
    >
    > IMO, it would not be feasible to make what you ask work; I am sure that you
    > can not simply pass a delegate across machine boundaries and have it work;
    > you need to use either remoting or a webservice, which brings you full circle....

    We suspected it wasn't possible but I thought I'd find out. This was our
    long-shot option, if it worked we could have solved a lot of our problems.

    > The real problem seems to be in your security setup. It is atypical to have
    > your webserver outside your firewall. Usually, the firewall is the external
    > access point, it accepts traffic in port 80 (or whatever ports it is configured
    > to accept) and routes that traffic to the relevant internal machine - ie
    > your webserver. Off the top of my head, I cannot think of any reason why
    > you would put the webserver outside the FW, unless you needed to accept some
    > unusual port traffic, and were for some reason unable to configure the firewall
    > to handle it appropriately....


    The web server is behind a firewall as well. The IT guys like to have any
    publicly accessible system on a separate subnet from the rest of the company
    to make sure that the company data is safe even if the web server is
    compromised. Normally I would put the web server on the same side of the
    firewall as the production computers but it isn't my choice. If absolutely
    necessary they will probably change how it is set up. We are going to tell
    the "powers that be" what features they will lose if they don't let us
    change the architecture and let them make the choice about trading a little
    security for extra features. We were just hoping to give them both.

    Steve




  7. #7
    Steve Hiner Guest

    Re: Can a Delegate be passed to a Web Service?

    "Jason" <jason@creative_nospam_corp.com> wrote in message
    news:3cc02deb$1@10.1.10.29...
    >
    > Given the security concerns, it might be best to advise the admins to remove
    > their system from internet access entirely. People can just write up requests
    > and mail them to a data processing center. In a week or two, they will receive
    > a reply in the mail containing the data they requested. It may be labor
    > intensive, but there will be far fewer loopholes to exploit.
    >
    > Yes, that WAS a joke...


    Funnier because that's basically how some of their business is done. They
    get amazing quantities of mail and faxes. A fair amount of the data my
    software processes ends up getting faxed to someone.

    Steve




  8. #8
    Steve Hiner Guest

    Re: Can a Delegate be passed to a Web Service?

    "Reine Olofsson" <reine@faktab.se> wrote in message
    news:3cbfc2fb$1@10.1.10.29...
    >
    > Hi
    >
    > Another possibility is to put the Web server in a DMZ.
    > The firewall between the Internet and the DMZ only allows external requests
    > to the Web Server on ports 80 and 443. The second firewall between the DMZ
    > and the LAN only allows inbound requests from the designated web server and
    > only on one predefined port (not 80 or 443).
    > Alternative 1:
    > Web server on the DMZ using Web Service/.Net Remoting to communicate with
    > the application server through the second firewall.


    We have suggested this and they weren't thrilled with it. It is a workable
    solution though - I think we can convince them that it can be secure. Their
    complaint is that internal security could be compromised if the web server
    was compromised.

    > Alternative 2:
    > Combined Web/Application server on the DMZ using TCP/IP on the designated
    > port to communicate with the database server through the second firewall.


    Similar issues with Alt 1. Also a workable solution. I think they will
    pick one of these once they see the features they will lose by sticking
    with the current architecture.

    Steve

    > If your safety advisors can't accept that, maybe they need to educate
    > themselves in Internet security!


    Unfortunately I don't know enough to educate them. I know a bit but not
    nearly enough to argue the technical issues involved. There are some other
    developers on the project that have a lot more internet security experience
    than I do so perhaps they will be good educators.

    Steve
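
The two-firewall DMZ layout from post #4, and the concern quoted in post #8 about what a compromised web server could reach, modelled as a small stateful filter. This is an added example, not code from any poster in the thread; the addresses, port 8700, the probe port 1433, and the rule that the LAN may open connections into the DMZ are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed address plan: every value here is an assumption, not from the thread.
WEB = "192.0.2.10"   # web server in the DMZ
APP = "10.0.0.20"    # application server on the LAN
DB = "10.0.0.30"     # database server on the LAN
APP_PORT = 8700      # the "one predefined port (not 80 or 443)"

def zone(ip):
    if ip.startswith("10."):
        return "lan"
    return "dmz" if ip.startswith("192.0.2.") else "internet"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for the first packet of a new connection

class Perimeter:
    """Both firewalls as one default-deny stateful filter."""
    def __init__(self):
        self.flows = set()  # connections that were allowed to open

    def _may_open(self, p):
        path = (zone(p.src), zone(p.dst))
        if path == ("internet", "dmz"):   # outer firewall
            return p.dst == WEB and p.dport in (80, 443)
        if path == ("dmz", "lan"):        # inner firewall
            return (p.src, p.dst, p.dport) == (WEB, APP, APP_PORT)
        return path == ("lan", "dmz")     # assumed: LAN may reach into the DMZ

    def permit(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.syn:
            if self._may_open(p):
                self.flows.add(key)
                return True
            return False
        # Non-SYN traffic passes only as part of a tracked flow, either direction.
        return key in self.flows or (p.dst, p.dport, p.src, p.sport) in self.flows

def lan_exposure(src, ports=(80, 443, 1433, APP_PORT)):
    """LAN (host, port) pairs that `src` can open a new connection to."""
    fw = Perimeter()
    return [(h, port) for h in (APP, DB) for port in ports
            if fw.permit(Packet(src, 40000, h, port, syn=True))]
```

`lan_exposure(WEB)` returns only the application server on the designated port, which is the reach the inner firewall leaves to a compromised web server; any other DMZ or Internet source gets an empty list.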



