views: 99

answers: 5

Not sure of the best way of achieving something...

We've got a number of web services running on asp.net v3.5 on a couple of web servers. They all talk nicely to each other and to the public internet.

Now we'd like to keep some of these web services 'private' ie make them not available to the public internet, whilst leaving others accessible.

AFAICS the simplest way to do this is simply to run the private services on a different port and keep the public ones on port 80. Our firewall only permits internet access via port 80 so would drop any requests from the internet to the private web services. Sorted... I think?

Is this idea a reasonable solution? Or is there some drop dead simple IIS mechanism that I ought to use?

Thanks

SAL

+1  A: 

You can put IP access restrictions onto any site/app you want. We have several internal web services that only allow access on the 10.x.x.x range for example.

Lloyd
Can I ask how you do this (I'm NOT an IIS expert!)? Are you referring to the same thing as flatline?
SAL
Yes, he's on the same lines as me :)
Lloyd
Don't know if he's referring to the same thing or not, but under Directory Security there's a panel for "IP Address and domain name restrictions", which lets you specify individual addresses or a range of addresses. I think you can even do DNS lookup, but it is not advisable for performance reasons.
flatline
Check out http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/128d26dd-decb-42f9-8efb-30724d1a2f29.mspx?mfr=true
Lloyd
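As an added example, not code from any of the posters: the same whitelist expressed in a site's web.config on IIS 7 and later, which replaces the IIS 6 "IP Address and domain name restrictions" panel described above; the 10.x.x.x internal range is the one Lloyd mentions, and the loopback entry is an assumption for local testing.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config for the private web service's site or application (IIS 7+).
     Constructed example; the 10.0.0.0/8 range is taken from Lloyd's answer. -->
<configuration>
  <system.webServer>
    <security>
      <!-- allowUnlisted="false" turns the list into a whitelist: any caller
           not matched below is refused with HTTP 403.6 (IP address rejected). -->
      <ipSecurity allowUnlisted="false">
        <!-- Internal 10.x.x.x range that is allowed to call the private service. -->
        <add ipAddress="10.0.0.0" subnetMask="255.0.0.0" allowed="true" />
        <!-- Loopback, so local health checks and tests on the server still work. -->
        <add ipAddress="127.0.0.1" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

The "IP and Domain Restrictions" feature must be installed and the ipSecurity section unlocked in applicationHost.config (it is locked by default), otherwise the site fails with a 500.19 configuration error. If the service sits behind a reverse proxy or load balancer, IIS sees the proxy's address rather than the real client, so the restriction has to be enforced at that layer instead.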
+2  A: 

You can restrict access to a site via a blacklist/whitelist in the IIS Control Panel (Directory Security tab). That's what I've done in the past to filter by IP address.

flatline
A: 

Besides the port, you could use the restriction for the caller (using IP address filtering, for example).

Also, you could actually require authentication for the caller of a web service, which should be easy to configure in case you use Active Directory.

In any case, if you have a 'public' web service which is private as well, you may want to 'publish' it twice: once for public (with a nice external URL) and once for internal, so that your other internal services and/or clients do not have to go via the 'external' URL. Then you could configure restrictions (client IP, authentication, ...) differently for the different publishers of the same service.

van
+1  A: 

AFAICS the simplest way to do this is simply to run the private services on a different port and keep the public ones on port 80. Our firewall only permits internet access via port 80 so would drop any requests from the internet to the private web services.

This is exactly the approach we take. We also have a VPN so that employees can access the site if they're working remotely.

Jason Baker
+1  A: 

It really depends on how secure you want the internal web services.

If you have sensitive data on the internal web services, you need to have them on a completely different server, even if you don't allow access to them from the outside by assigning them a different port.

However, if you don't have an issue with sensitive data then assigning a different port, or IP-address, for internal and external users is a good way to go.

AaronS