tags:

views:

80

answers:

2
+1  Q: 

.NET How would I build a DAL to meet my requirments?

Assuming that I must deploy an asp.net app over the following 3 servers:

1) DB - not public 2) 'middle' - not public 3) Web server - public

I am not allowed to connect from the web server to the DB directly. I must pass through 'middle' - this is purely to slow down an attacker if they breached the web server.

All db access is via stored procedures. No table access.

I simply want to provide the web server with a ado dataset (I know many will dislike this, but this is the requirement).

Using asmx web services - it works, but XML serialisation is slow and it's an extra set of code to maintain and deploy.

Using a ssh/vpn tunnel so that the one connects to the db 'via' the middle server, seems to remove any possible benefit of maintaining 'middle'.

Using WCF binary/tcp removes the XML problem, but still there is extra code.

Is there an approach that provides the ease of ssh/vpn, but the potential benefit of having the dal on the middle server?

Many thanks.

+1  A: 

You can do this exposing your DAL via web services.

So on your 'middle' server have all the web services exposed that replicate your DAL which hopefully just calls stored procs and has no other access to the DB. Secure the middle server to only have access to only expose the web services to the public web server and no other entry point. You can use SSL if neeeded.

Secure the DB to only accept connections from the 'middle' server and ONLY have access to the stored procs your DAL needs to call.

If someone does compromise the public server they should only have port 80 or 443. You should only have some web service there so your exposure should be limitted if it is compromised. I had to setup a web app with a similar setup and had the same rules that the external web server could only communicate via port 80 or 443 to a 'middle' server in the DMZ and the 'middle' server had only a connection to the database. At each step, each machine was locked down to only the machines that could comminicate to it.

Keep in mind you web service design as well to have some type of authentication or make sure that all calls have checks on them to verify their legitimacy as well.

Kelsey  2010-06-13 01:24:37
A: 

Personally, I would skip the "middle". If the database is not exposed and the web server is, the "middle" buys you nothing. If they can get to one unexposed server, the battle is already lost. Secure the web server, secure the database server, and trust that software will do its job when configured as it is supposed to.

You could always put the database server on a different subnet. This sort of requirement usually is a sign of larger issues - DBA incompetencies, architectural incompetencies, etc. I have worked for major financial companies, and just making sure that the database server was not exposed was more than adequate - mostly due to having a properly secured and non-exposed database server makes it a moot point.

Not trying to come down on you, or question the requirements for the sake of doing so - but I would hope that a more reasonable and maintainable approach could be taken for the sake of your own sanity.

Edit - For the sake of clarification, I am not against using an actual application server. The context of my answer is based on the OP's requirement that it be used as a database proxy layer.

joseph.ferris  2010-06-13 01:26:10
@joseph - I wan't to remove middle entirely, I agree with you 100% - I'm just seeking advice in the event that they cling to keeping 'middle'. Thank you for your input.
Jonno  2010-06-13 01:31:48
Correctly configured, the 'middle' does buy you a lot if the web server is compromised.
slugster  2010-06-13 01:32:51
Understood, but having had to maintain something like this before - *there is no good way*. You've heard of code smells? This is an architectural smell that is dangerous. It will be slower to execute, harder to maintain, and more prone to defects. Unless you are storing government secrets, this is a classic case of design paranoia. I personally would put more energy into showing why it is the wrong choice, as opposed to trying to figure out how to support something bad that might happen. ;-)
joseph.ferris  2010-06-13 01:34:59
@slugster - I will respectfully disagree. It is unneeded and a crutch for bad security and architectural practices. I have worked for a company on a high-profile site with hundreds of thousands of visitors per day, and never had any issues. Adding complexity in lieu of an aggressive and rigorous security policy is *never* the right choice.
joseph.ferris  2010-06-13 01:37:20
@joseph - it is okay to disagree :) I wouldn't endorse this approach for every project, but I argue the opposite of you, especially as the current setup is in this pattern (see the OP's first post). This scenario is very good architecturally because you can also incorporate a BL in with the DAL, and it abstracts away from your data source (which may not be a database). It will slow things down fractionally, but if done correctly it should be marginal and addressable by more hardware (which would be the correct solution for this particular slowdown, rather than changing whole architecture).
slugster  2010-06-13 05:08:36
@Slugster - you provide good reasons to keep it however in this instance - there is no requirment to abstract the data source, in this instance (unusually) we can gurantee that it wont change (not even vendor version). We could employ a BLL with or without 'middle'. Thank you so much for your input.
Jonno  2010-06-13 10:19:48
@Slugster - perhaps I should also add: each project we produce lives at max 5 years, I wish to remove 'middle' for all new projects, leaving the architecture for existing deployed projects.
Jonno  2010-06-13 10:21:17
@Slugster - I agree it is okay when used as an application server, just not a database proxy, which is how it was presented. We are one the same page, but it is more about perspective. ;-)
joseph.ferris  2010-06-13 13:43:38

related questions

Subsonic Vs NHibernate
How to check For File Lock in C# ?
Is nAnt still supported and suitable for .net 3.5/VS2008?
Limit size of Queue<T> in .NET?
Viewstate invalid when using Safari
Free OCR library
Unhandled Exception Handler in .NET 1.1
Localising date format descriptors
Get a new object instance from a Type in C#
VFP .NET OLEdb provider does not work in Win 64-Bits. Help
.NET Testing Framework Advice
Embedded Database for .net that can run off a network
Automatically update version number
Homegrown consumption of web services
How do you migrate a large app from VB6 to VB .net ?
.NET Migrations Engine
Adding Scripting functionality to .NET applications
SQLite and XSD
Floating Point Number parsing: Is there a Catch All algorithm?
How do I programmatically create a PDF in my .NET application?
How do I sync the SVN revision number with my ASP.NET web site?
XSD DataSets and ignoring foreign keys
Anatomy of a "Memory Leak"
Reliable Timer in a Console Application
How do I calculate relative time?