We are going to begin implementing a web service that will be hosted on a DMZ server. This web server will post data to a SQL server and we're trying to determine the best methodology to handle this. Things that concern us are web service authentication, SOAP, and whether or not to store the database on the DMZ or the local network. This same scenario will apply to ASP.Net apps.

Trust me, I've already searched the web, but as usual, the online resources I've found either talk about just authentication, or just about SOAP, etc., but do not show or suggest how the entire system can work together.

Can you give me a list of resources such as links that I've missed, books, classes, etc. that would help?

Thank You.

+1  A: 

What I usually recommend is to look towards regulatory compliance resources for things like this, even if they don't apply to your scenario. The reason for this is that many will set up the guidelines that you'll need to be aware of regardless of the infrastructure you apply them to.

With that said, it sounds like your scenario has a dedicated web server and a dedicated database server (dedicated within the context of the post at least). What I'd probably recommend is that you have a configuration something like this:

The Internet
----------------------------
Firewall
----------------------------
Web Server
----------------------------
Firewall
----------------------------
Database Server
----------------------------
Firewall
----------------------------
Internal Private Network

This configuration, similar to architectural tiers recommended for PCI compliance, allows firewall configurations between every level so that you can allow just the ports you need and in the directions you need. For example, I wouldn't have any traffic allowed from the DB server or Web server into the internal network. This should be outgoing traffic into the DMZ only.

Now this is simplified a little since it doesn't go into the DMZ network configuration and any router settings that you may need with such, nor load balancing; however, hopefully this will get you pointed in the proper direction a bit. You may want to re-ask this question over at ServerFault.com as well; it may provide more insight than just this.

JamesEggers
Thank You. That's a good start.
Brian
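The tiered layout in the answer above is a default-deny policy with a short list of permitted flows and, crucially, no flow initiated from the DMZ tiers toward the internal network. The following is an added example (not part of the original answer) that models that policy as data, so it can be queried and rendered as an nftables ruleset. The zone addresses, the SQL Server port 1433, and the admin/DBA flows from the internal network are assumptions chosen for illustration.

```python
"""Three-tier default-deny firewall policy as data (added example).

Assumptions (not from the original answer): the web tier is IIS on 443,
the database tier is SQL Server on TCP 1433, the internal network may
reach both DMZ tiers for administration, and neither DMZ tier may ever
initiate a connection toward the internal network. Reply packets are
handled by connection tracking, not by separate rules.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str    # zone name of the side that initiates the connection
    dst: str    # zone name of the listener
    proto: str
    dport: int


# Zone -> CIDR. "internet" is everything, so it gets no saddr match.
ZONES = {
    "internet": "0.0.0.0/0",
    "web": "192.0.2.0/28",        # DMZ web tier (assumed)
    "db": "192.0.2.16/28",        # DMZ database tier (assumed)
    "internal": "10.0.0.0/8",     # internal private network (assumed)
}

# The only flows that may be *initiated*; everything else is dropped.
POLICY = [
    Rule("internet", "web", "tcp", 443),    # public HTTPS to the web tier
    Rule("web", "db", "tcp", 1433),         # web tier to SQL Server
    Rule("internal", "web", "tcp", 22),     # admin access, assumed
    Rule("internal", "db", "tcp", 1433),    # DBA access, assumed
]


def is_allowed(src, dst, proto, dport, policy=POLICY):
    """True only if the flow is explicitly listed, in that direction."""
    return Rule(src, dst, proto, dport) in policy


def denied(flows, policy=POLICY):
    """Return the subset of (src, dst, proto, dport) tuples the policy drops."""
    return [f for f in flows if not is_allowed(*f, policy=policy)]


def to_nft(policy=POLICY, zones=ZONES):
    """Render the policy as an nftables forward chain with policy drop."""
    lines = [
        "table inet tiers {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        match = ""
        if zones[r.src] != "0.0.0.0/0":
            match += f"ip saddr {zones[r.src]} "
        match += f"ip daddr {zones[r.dst]} {r.proto} dport {r.dport}"
        lines.append(f"    {match} ct state new accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nft())
    # Flows a compromised DMZ host would try; all of them must be denied.
    print(denied([("db", "internal", "tcp", 445),
                  ("web", "internal", "tcp", 389),
                  ("internet", "db", "tcp", 1433)]))
```

The useful property is that the DB tier is reachable only from the web tier and from the internal network, and a compromised web or DB host has no listed path inward; adding a flow means adding a `Rule`, which makes the exceptions reviewable in one place.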
A: 

I would place a reverse SOAP proxy into the DMZ that routes SOAP requests to internal web services. A server located in the DMZ that hosts the web services may be a target for hackers and bots. You should place no more than necessary into the DMZ. Small application-level gateways and proxies are good citizens of a DMZ.


It is important that the URL of the endpoint and the URLs of all schema locations referenced from the WSDL are rewritten to the address of the reverse proxy. Membrane Monitor/Router is free open-source software that is set up in 5 minutes and that can rewrite WSDL documents. See the SOAP firewall tutorial for details.

baranco
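The rewriting step the answer above insists on is easy to get half right: the `soap:address` gets fixed but an `xsd:import schemaLocation` or `wsdl:import location` still names the internal host, so clients fail to fetch the schema or, worse, learn the internal hostname. The following is an added example (not Membrane's code and not from the original answer) that rewrites every URL-bearing attribute a WSDL 1.1 document can carry and then audits the result for leftover internal URLs. The hostnames `svc.internal:8080` and `soap.example.com`, and the sample WSDL, are constructed for illustration.

```python
"""Rewrite internal URLs in a WSDL to the DMZ reverse proxy (added example).

Assumed layout: the real service lives at INTERNAL_BASE behind the second
firewall; clients only ever see PROXY_BASE in the DMZ. Every attribute that
can carry a fetchable URL is rewritten, and leaks() reports any that still
point inside. This is a minimal stand-in, not Membrane's implementation.
"""
import xml.etree.ElementTree as ET

INTERNAL_BASE = "http://svc.internal:8080"      # assumed internal endpoint
PROXY_BASE = "https://soap.example.com/ws"      # assumed DMZ proxy address

NS = {
    "wsdl": "http://schemas.xmlsoap.org/wsdl/",
    "soap": "http://schemas.xmlsoap.org/wsdl/soap/",
    "soap12": "http://schemas.xmlsoap.org/wsdl/soap12/",
    "xsd": "http://www.w3.org/2001/XMLSchema",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)   # keep familiar prefixes on output

# (element, attribute) pairs in a WSDL 1.1 document whose value is a URL
# that a client will dereference or connect to.
URL_ATTRS = [
    ("soap", "address", "location"),
    ("soap12", "address", "location"),
    ("wsdl", "import", "location"),
    ("xsd", "import", "schemaLocation"),
    ("xsd", "include", "schemaLocation"),
]


def _qname(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def find_urls(wsdl_xml):
    """All URL attribute values in the document, in URL_ATTRS order."""
    root = ET.fromstring(wsdl_xml)
    urls = []
    for prefix, local, attr in URL_ATTRS:
        for el in root.iter(_qname(prefix, local)):
            if el.get(attr):
                urls.append(el.get(attr))
    return urls


def rewrite_wsdl(wsdl_xml, internal_base=INTERNAL_BASE, proxy_base=PROXY_BASE):
    """Return (rewritten_xml, number_of_urls_changed)."""
    root = ET.fromstring(wsdl_xml)
    changed = 0
    for prefix, local, attr in URL_ATTRS:
        for el in root.iter(_qname(prefix, local)):
            val = el.get(attr)
            if val and val.startswith(internal_base):
                el.set(attr, proxy_base + val[len(internal_base):])
                changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def leaks(wsdl_xml, internal_base=INTERNAL_BASE):
    """URLs that still reveal or require the internal host; should be empty."""
    return [u for u in find_urls(wsdl_xml) if u.startswith(internal_base)]


# Constructed sample: what the internal service itself would hand out.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:tns="http://example.internal/orders"
  targetNamespace="http://example.internal/orders">
  <types>
    <xsd:schema>
      <xsd:import namespace="http://example.internal/orders"
                  schemaLocation="http://svc.internal:8080/Orders?xsd=1"/>
    </xsd:schema>
  </types>
  <service name="Orders">
    <port name="OrdersPort" binding="tns:OrdersBinding">
      <soap:address location="http://svc.internal:8080/Orders"/>
    </port>
  </service>
</definitions>"""


if __name__ == "__main__":
    print("before:", leaks(SAMPLE_WSDL))
    out, n = rewrite_wsdl(SAMPLE_WSDL)
    print("rewrote", n, "URLs; remaining leaks:", leaks(out))
    print(out)
```

In a real deployment the proxy serves the rewritten document from the `?wsdl` URL and applies the same rewrite to each imported schema it fetches on the client's behalf, so the internal hostname never appears in anything that leaves the DMZ. Running `leaks()` against what the proxy actually returns is a cheap check to add to a deployment test.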