High level design question

[Rob]

What is the best way to safely access a companies ERP data (SQL server) from
a website that is hosted outside the firewall ?

 

[John Timney \(MVP\)]

There are lots of approaches like secured web services fronting SQL and
secured broker services. Ideally, your firewall team should be able to
harden the connection so that the only device that can access SQL is the
actual web server. I'm assuming here its your SQL server!

Regards

John Timney (MVP)
http://www.johntimney.com
http://www.johntimney.com/blog

 

[Rob]

Thanks John,

Where might I get info on these approaches ?

Also, I guess I am asking from a coding standpoint and I guess it would
probably be linked to the approach above, but... might I use stored
procedures ? or web services ?

Which would be more likely given that 2 different entities are involved
(company using the service / web hosting company) ?

 

[Scott Roberts]

Stored procs still means you have to give outside access to the SQL Server.
I'm not a security guru, but I would think that something like this would be
best:

Hosted Site -> Firewall -> Internal IIS (Web Services) -> SQL Server

Obviously, the internal IIS and SQL Server should be on different machines.
You may also want to put yet another firewall between your internal IIS and
SQL Server (or put IIS in the DMZ if your firewall/router supports it).

Keep that DB away from the outside world!

 

[Rob]

Thanks, so would that mean Web services would be the way to go ?

 

[John Timney \(MVP\)]

If you use web services, then you only expose some webservice methods that
can access SQL server, whihc themselves can call stored procs - but there is
at least no direct access to SQL, which is more secure and can be done over
SSL.

Regards

John Timney (MVP)
http://www.johntimney.com
http://www.johntimney.com/blog