Recommendations for securing a 'local' webservice.

B

burky

Hi,

We are developing a webservice that will be installed at multiple,
unconnected sites. It is to act as a 'server' to several PocketPC
devices per site. The site PC's are running XP Pro. The PocketPC's are
making calls from a .net application and will access the webservice
via wireless.

Can anyone recommend the best (non-firewall) method for securing calls
from just anyone with wireless access, but allow any device running
the intended application to access it?

Many Thanks
 
D

Dan Rogers

Hi,

You seem to be trying to secure a web service interface to only those
callers that are running the proper application bits, yes? There are
several possible approaches you may want to consider. The problem you face
has some sticky issues - the chief among them being you want to use a
protocol that was intended to be caller agnostic to implement a caller
aware request/response semantic. That said (the irony not-withstanding),
you can check into some options as follows:

1). Client side certificate. Install a special certificate as part of the
application you are deploying and use a protocol that is secured by
encryption and certificate based signing. WS-Security can help you here.

The downside is that this is security by secret, and readily cracked by a
determined caller without some way to cycle the certificates on a periodic
basis and on a per device/per-user/per application basis. This creates
significant overhead - but will thwart the casual "network sniffer".

2.) SSL/TSA on the wire. Since you seem to want to prevent just any
wireless user from seeing the packets in the air, you might just want to
use automatic SSL based wire encryption. In this case, the packets are
secure from decryption as they fly thru the air, but the service endpoints
are still discoverable as normal web service end points. A special
certificate is not required.

3. Combine #2 with token based security. This is WS-Security basic
security. You would end up associating a secret text password with your
application, and have that used in the application to create a security
token. Then the packets to the web service would be encrypted a-la
WS-Security, and the token validate on the other end. This is probably the
place I'd recommend you start, complexity wise.

I hope this helps

Dan Rogers
Microsoft Corporation

--------------------
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,483
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top