Do customers trust Web Services? (It runs on top of IIS, right?)
-
In my experience with enterprise solution deployments, many customers prefer not to have business logic sitting on the IIS machine. .NET Web Services run on top of IIS. Now, while memories of the recent IIS exploits are still fresh, does anybody have peculiar experience with the *trust* users are going to put in IIS/.NET-based Web Service solutions? I expect some interesting insights from the Microsoft guys and the pattern gurus.
-
No customer has ever asked me this, but I would answer:

1. What's the alternative? I mean, you have a business need to publish the functionality of some component over the Internet, right? So, if not a Web Service, what would you use? COM+? No, this needs a trusted domain. A custom-made socket? Come on, what makes you think you'll ever code something better than IIS?
2. Web Services (WS) can run on top of any Web Server. WS is just a protocol for receiving/delivering XML over HTTP. It's platform agnostic. If you want, deploy a WS running on Apache or your favorite web server. There's even a module for Apache that allows you to run ASP.NET on it.
3. Your fear is only valid if you don't have a corporate web site. If so, you're already at risk.
4. You're putting a business component on the Internet. You better not trust anyone. You'll be open to attacks. That's a fact. If you have a trusted party and do not want to have all the Internet hassle, choose, e.g., a VPN and use your web server only internally.

Yes, even I am blogging now!
-
Thanks Daniel... Well, contrary to your experience, all my customers have raised the issue of not having any business logic or data on the IIS machine. So my company had to settle on the following design for our Web-based enterprise solution:

a. The ASP pages, with only the display logic, execute on the IIS machine.
b. They in turn call local COM components, which act as clients to our Application Server sitting inside the firewall.
c. The customers are happy because they think they have great control over the security of the system: they keep the IIS in the DMZ and the App Server inside the firewall. They only allow a single particular port for communications between the IIS and the App Server.
d. This way, if due to some IIS exploit a hacker gets control of the IIS machine, he can only get to see the presentation logic sitting on the IIS. No business data.

I am aware of the WS theory and understand that they can run on top of any Web Server etc. I am, however, specifically asking the question in the Microsoft context. Hope this elaborates my question.
-
So, what's the difference between your solution and creating a Web Service that makes calls to your COM components? No one said that you should put everything on the Web Server. Again, Web Services are simply a standard protocol for receiving/delivering XML messages. You can do Web Services in standard, old ASP, if you want to. You only won't have the automatic XML generated, but SOAP (the protocol used by web services) is very easy to generate by hand.

Yes, even I am blogging now!
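
An added example, not part of the original posts: a hand-built SOAP 1.1 request as mentioned in the reply above, sent from a web tier in the DMZ to an application server that re-validates it, as in the two-tier design described earlier in the thread. Python is used for illustration; the service namespace, operation names and allowlist are hypothetical.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
APP_NS = "urn:example:orders"                          # hypothetical service namespace
ALLOWED = {"GetOrderStatus": {"orderId"}}              # hypothetical operation allowlist


def build_envelope(operation, params):
    """Web tier: build the SOAP request by hand, escaping every value."""
    if operation not in ALLOWED or set(params) != ALLOWED[operation]:
        raise ValueError("unknown operation or parameters")
    fields = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in params.items())
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<{operation} xmlns="{APP_NS}">{fields}</{operation}>'
            f'</soap:Body></soap:Envelope>')


def _split(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)


def parse_request(xml_text):
    """App-server tier: re-validate; the web tier is not trusted."""
    if "<!DOCTYPE" in xml_text:  # SOAP 1.1 forbids a DTD in a message
        raise ValueError("DTD not accepted")
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if _split(root.tag) != (SOAP_NS, "Envelope") or body is None or len(body) != 1:
        raise ValueError("malformed SOAP envelope")
    ns, name = _split(body[0].tag)
    if ns != APP_NS or name not in ALLOWED:
        raise PermissionError(f"operation not allowed: {name}")
    params = {_split(c.tag)[1]: c.text or "" for c in body[0]}
    if set(params) != ALLOWED[name] or len(params) != len(body[0]):
        raise ValueError("unexpected parameters")
    return name, params
```

The single open port between the tiers limits where requests can come from, not what they ask for, so the allowlist on the application server is what bounds the operations reachable from the web tier.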
-
I found this link nice and informative: http://www.15seconds.com/issue/040812.htm