Instrument web site security and architecture questions

Question

Hello, I’m developing a .NET/C# application software for an instrument which has a built-in PC (Core 2 CPU/2.66GZ/4GB RAM) and will have access to the Internet from behind the facility IT firewall. The software is made up of two parts: a rich client desktop app for UI and device control and a web app (silverlight) for providing remote maintenance such as device configuration and calibration via internet using browser. This device web site will be hosted using IIS locally on the instrument. My questions are:

1. What is the risk of running an IIS hosted web site on a device?
2. What does it take to make it secure so that data and operation of the instrument is immune to potential hackers.
3. Is it a better design to provide web services (or WCF services) as the interface for remote maintenance? In this case, I’ll create a rich client service utility program that can consume the web services over Internet for remote maintenance purpose.

Answer 1

Wow, thats an interesting project!

Personally I would take a different approach and have the device/instrument pull the maintenance info from a centralized server instead of hosting the service that performs it.

Do you really want to worry about the maintenance of updates & patches on that device.

but Ill try to answer like you didn't have any choice. 1) the risks are the same as any website. you have to deal with authentication, in your case I would have allowed IP ranges.. etc.

2) Nothing is immune. But just google WCF security for a start.

3) Yes that is a better approach if the services are hosted outside the "instrument"

good luck, sounds like a fun one.

Answer 2

See the WCF Developer Center for much information on WCF.

One feature of WCF is that it's possible to host a WCF service in almost any kind of program. In particular, you could host a secure WCF service on your device - without needing to run IIS or any other web server at all.