Webservices and Internet security

[UJ]

I've got a network engineer who is absolutely anal about network security.
He is questioning how secure web services are and I can't answer him with
definitive answers. Do web services run over port 80? How about port 443?
Are they secure? He's also paranoid about loginning in - is there a primer
somewhere where I can look at how to make my process connect with
authentication and make sure to keep it secure?

TIA - Jeff.

 

[Michael]

Humm....to answer your questions

Yes asp.net web services use port 80, if wish to add security to your web
services you should consider using WS-Security (aka WSE 3.0). WS-Security
will secure your data on a message level.

 

[CESAR DE LA TORRE [MVP]]

With ASP.NET you CAN, for sure, use SSL (HTTPS - TCP Port 443) which is a
quite secure method, specially using a 128 bit Server Certificate.
You can use SSL just for encrypting all the XML-WebService communications.
Using SSL under WebServices is OK for simple scenarios, but take into account
that it is based on a end-to-end trust (because it is a transport-protocol
security method)

BUT, I agree with Michael in the fact that using WSE 3.0 you have a much
better control of WebServices Security because it is made at Message-Level.
And you can use WSE 3.0 not only for Encrypting but also for Signing and
Authentication (most of the WS-Security specifications, which is part of the
whole WS-* standard specifications).
--
CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]

Renacimiento
[Microsoft GOLD Certified Partner]

 

[CESAR DE LA TORRE [MVP]]

BTW, here you have how to call a Web Service Using SSL
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT14.asp
--
CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]

Renacimiento
[Microsoft GOLD Certified Partner]

With ASP.NET you CAN, for sure, use SSL (HTTPS - TCP Port 443) which is a
quite secure method, specially using a 128 bit Server Certificate.
You can use SSL just for encrypting all the XML-WebService communications.
Using SSL under WebServices is OK for simple scenarios, but take into account
that it is based on a end-to-end trust (because it is a transport-protocol
security method)

BUT, I agree with Michael in the fact that using WSE 3.0 you have a much
better control of WebServices Security because it is made at Message-Level.
And you can use WSE 3.0 not only for Encrypting but also for Signing and
Authentication (most of the WS-Security specifications, which is part of the
whole WS-* standard specifications).
--
CESAR DE LA TORRE
Software Architect
[Microsoft MVP - XML Web Services]
[MCSE] [MCT]

Renacimiento
[Microsoft GOLD Certified Partner]

Humm....to answer your questions

Yes asp.net web services use port 80, if wish to add security to your web
services you should consider using WS-Security (aka WSE 3.0). WS-Security
will secure your data on a message level.