We have a web service that we will be hosting on a public web server and it will be contacted by web services hosted on web servers within the walls of a hospital. We have written both pieces of the software so we have complete control over what is implemented.
We would like to secure communications between the two web servers. Currently the only thing we have in place is HTTPS on the public web server and a GUID to identify the clients.
There are network-level types of authorization we can support, but I don't like relying on these since not all of our customers (hospitals) will be able to do the same thing. Some will not have the ability to give us a static IP and some will not be able to do a VPN, so we can't solely rely on those methods.
What techniques are you using or do you recommend to authorize communications to your web services? Our main concern is keeping people from getting a hospital's ID (currently just a GUID) and getting data from our web service that is intended for the hospital.
We will employ other network-level security measures to limit the public access to our system, but I feel a software solution is necessary as well.
The system is not yet in production but is nearing the completion of development. It's developed in C# on .NET 3.5.
FWIW, I was thinking of some sort of token-based authorization because I know a previous employer used something along those lines. However, I do not know specifically what to look for or any other information on the topic.
Edit: While I would like to use WCF, currently no one on the team (including myself) has any experience using it, and we've already developed the web services along with the code that interacts with them. All of the web references were added using the .NET 2.0 method (from VS.NET 08, targeted to .NET 3.5) and we would prefer not to completely redo that. I won't say that WCF is not an option, but I don't think we will go with that option willingly.
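As an added illustration of the "token-based" direction the question raises (editor's example, not the poster's code and not part of the original question): one common shape is per-client request signing. Each hospital keeps a private secret in addition to its public client id (the GUID already in use), and every request carries the client id, a Unix timestamp, a random nonce, and an HMAC-SHA256 over those fields plus the request body. An attacker who learns only the GUID cannot produce a valid signature, and the timestamp window plus a nonce cache limits replay of a captured request. HMAC-SHA256, the header layout, the five-minute window, the sample GUID, secret and body are all choices and constructed values assumed here; the APIs used exist in .NET Framework 3.5 so the example fits the existing ASMX-style services (the fields would travel as SOAP headers or HTTP headers in practice).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Editor's added example (not the poster's code). HMAC-signed requests on top of HTTPS.
// Client id, secret and body below are constructed sample values.
public static class RequestSigner
{
    // Canonical form is newline-delimited with a fixed field order, so the MAC binds
    // the client id, timestamp, nonce and body together.
    public static string Sign(byte[] secret, string clientId, long unixTime, string nonce, string body)
    {
        string canonical = clientId + "\n" + unixTime + "\n" + nonce + "\n" + body;
        using (HMACSHA256 hmac = new HMACSHA256(secret))
        {
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical)));
        }
    }

    public static string NewNonce()
    {
        byte[] buf = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(buf);   // CSPRNG, available in .NET 3.5
        return Convert.ToBase64String(buf);
    }

    public static long ToUnixTime(DateTime utc)
    {
        return (long)(utc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    }
}

public class RequestVerifier
{
    private readonly IDictionary<string, byte[]> secrets;          // clientId -> secret (DB or vault in production)
    private readonly long windowSeconds;                            // allowed clock skew / replay window
    private readonly Dictionary<string, long> seenNonces = new Dictionary<string, long>();

    public RequestVerifier(IDictionary<string, byte[]> secrets, long windowSeconds)
    {
        this.secrets = secrets;
        this.windowSeconds = windowSeconds;
    }

    public bool Verify(string clientId, long unixTime, string nonce, string body, string signature, long now)
    {
        byte[] secret;
        if (!secrets.TryGetValue(clientId, out secret)) return false;      // unknown GUID

        if (Math.Abs(now - unixTime) > windowSeconds) return false;        // stale or future-dated

        EvictExpired(now);
        string nonceKey = clientId + ":" + nonce;
        if (seenNonces.ContainsKey(nonceKey)) return false;                // replay inside the window

        byte[] expected = Convert.FromBase64String(RequestSigner.Sign(secret, clientId, unixTime, nonce, body));
        byte[] presented;
        try { presented = Convert.FromBase64String(signature); }
        catch (FormatException) { return false; }                          // malformed signature header

        if (!FixedTimeEquals(expected, presented)) return false;
        seenNonces[nonceKey] = unixTime;                                   // remember only accepted nonces
        return true;
    }

    private void EvictExpired(long now)
    {
        List<string> stale = new List<string>();
        foreach (KeyValuePair<string, long> kv in seenNonces)
            if (now - kv.Value > windowSeconds) stale.Add(kv.Key);
        foreach (string k in stale) seenNonces.Remove(k);
    }

    // Constant-time comparison; CryptographicOperations.FixedTimeEquals does not exist in .NET 3.5.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;   // MAC length is fixed, so this leaks nothing useful
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        string hospitalId = "0f8fad5b-d9cb-469f-a165-70867728950e";   // sample client GUID
        byte[] secret = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(secret);              // issued out of band, held by both sides

        Dictionary<string, byte[]> secrets = new Dictionary<string, byte[]>();
        secrets[hospitalId] = secret;
        RequestVerifier verifier = new RequestVerifier(secrets, 300);

        long now = RequestSigner.ToUnixTime(DateTime.UtcNow);
        string nonce = RequestSigner.NewNonce();
        string body = "<GetPatientSummary><PatientId>123</PatientId></GetPatientSummary>";   // sample body
        string sig = RequestSigner.Sign(secret, hospitalId, now, nonce, body);

        Console.WriteLine("valid request: " + verifier.Verify(hospitalId, now, nonce, body, sig, now));
        Console.WriteLine("replayed:      " + verifier.Verify(hospitalId, now, nonce, body, sig, now));
        Console.WriteLine("tampered body: " + verifier.Verify(hospitalId, now, RequestSigner.NewNonce(), body + "x", sig, now));
        Console.WriteLine("expired:       " + verifier.Verify(hospitalId, now - 3600, RequestSigner.NewNonce(), body, sig, now));

        // Attacker who knows only the GUID must guess the secret; the MAC does not match.
        string forgedNonce = RequestSigner.NewNonce();
        string forged = RequestSigner.Sign(new byte[32], hospitalId, now, forgedNonce, body);
        Console.WriteLine("guid only:     " + verifier.Verify(hospitalId, now, forgedNonce, body, forged, now));
    }
}
```

The first call is the only one that should be accepted; the replay, the tampered body, the hour-old timestamp and the signature built without the real secret are all rejected. The secret never crosses the wire, which is what separates this from the bare GUID: the GUID can be treated as public, and compromise of one hospital's secret is contained to that client and fixed by rotating that one entry. If the service runs on more than one node, the nonce cache needs to be shared (or the window kept short enough that a per-node cache is acceptable).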