Windows Communication Foundation
Bl8ckr0uter
Inactive Imported Users Posts: 5,031
in Off-Topic
Do any of you work with Windows Communication Foundation? Do you feel that it is a worthwhile framework and that it helps increase the security of your web apps?
Comments
RobertKaucher Member Posts: 4,299
Bl8ckr0uter wrote: »
> Do any of you work with Windows Communication Foundation? Do you feel that it is a worthwhile framework and that it helps increase the security of your web apps?

I don't know that *it* increases security by itself so much as the tools I can use to develop the services like LINQ and Entity Framework. At the very least I can rule out any chance of SQL injection. Even if I were not working in SilverLight I would probably still be working with WCF as opposed to ADO.Net to get my data.
But I am a n00b with WCF still.
Bl8ckr0uter Inactive Imported Users Posts: 5,031
RobertKaucher wrote: »
> I build WCF services to work with our LOB apps so that we can surface a frontend in SilverLight on the SharePoint site.
> I don't know that *it* increases security by itself so much as the tools I can use to develop the services like LINQ and Entity Framework. At the very least I can rule out any chance of SQL injection. Even if I were not working in SilverLight I would probably still be working with WCF as opposed to ADO.Net to get my data.
> But I am a n00b with WCF still.

In a hypothetical situation, you would still need (at least) 3 boxes:
Web Server>>WCF Application Server*>>Database Server
*I like to call this box, "Web service(s)"
Depending on what you are serving up of course. Basically what I want to know is if you can (some way) get rid of the WCF Application Server and still use WCF. The developers, other admin and I are having some trouble figuring this out. I am thinking we still need the middle box (but I don't want it as it is another single point of failure) but I am not 100% sure.
Why are you able to get rid of SQL injection attacks**?
**I still need to look at that video you posted on my facebook page **
RobertKaucher Member Posts: 4,299
Bl8ckr0uter wrote: »
> In a hypothetical situation, you would still need (at least) 3 boxes:
> Web Server>>WCF Application Server*>>Database Server
> *I like to call this box, "Web service(s)"
> Depending on what you are serving up of course. Basically what I want to know is if you can (some way) get rid of the WCF Application Server and still use WCF. The developers, other admin and I are having some trouble figuring this out. I am thinking we still need the middle box (but I don't want it as it is another single point of failure) but I am not 100% sure.
> Why are you able to get rid of SQL injection attacks**?
> **I still need to look at that video you posted on my facebook page **

I do not use Entity SQL:
Preventing SQL Injection with the Entity Framework and Data Services - Public Sector Developer Weblog - Site Home - MSDN Blogs
LINQ to Entities, Entity SQL, Parameterized Store Queries and SQL Injection : Don't Be Iffy
You still have to be careful - but as you are not passing raw SQL queries to the DB there is no chance of an injection. Most of our stuff works on 2 servers. I have the front end and the DB/WCF servers. We are pretty small, so we don't have to worry much about the topology.
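The distinction drawn in the post above between LINQ queries and hand-built query strings, as an added example that is not code from the thread or from Entity Framework itself. The `Customer` type, the `ToyTranslator` class and the input string are hypothetical and constructed for illustration; the toy translator only stands in for a real LINQ provider to show that a captured value stays data in the expression tree and is bound as a parameter, while concatenation splices it into the query text.

```csharp
using System;
using System.Collections.Generic;
using System.Linq.Expressions;

// Hypothetical entity type, for illustration only.
class Customer { public string City { get; set; } }

static class ToyTranslator
{
    // Toy stand-in for a LINQ provider (assumption: NOT Entity Framework's translator).
    // Handles only predicates of the form `c => c.Property == capturedValue`.
    public static string ToSql(Expression<Func<Customer, bool>> predicate,
                               List<object> parameters)
    {
        var eq = predicate.Body as BinaryExpression;
        if (eq == null || eq.NodeType != ExpressionType.Equal)
            throw new NotSupportedException("only simple equality is supported");

        // Left side is the member access c.City: its name becomes the column.
        string column = ((MemberExpression)eq.Left).Member.Name;

        // Right side is the captured variable: evaluate it to a value and bind it.
        // It never becomes part of the SQL text.
        object value = Expression.Lambda(eq.Right).Compile().DynamicInvoke();
        parameters.Add(value);
        return "SELECT * FROM Customers WHERE " + column + " = @p" + (parameters.Count - 1);
    }
}

class Program
{
    static void Main()
    {
        string city = "x' OR '1'='1";   // constructed hostile input

        // Hand-built query string: the input changes the structure of the query.
        string concatenated = "SELECT * FROM Customers WHERE City = '" + city + "'";
        Console.WriteLine("concatenated : " + concatenated);

        // LINQ-style predicate: the query text is fixed, the input travels as a parameter.
        var parameters = new List<object>();
        string sql = ToyTranslator.ToSql(c => c.City == city, parameters);
        Console.WriteLine("parameterized: " + sql);
        Console.WriteLine("@p0          : " + parameters[0]);
    }
}
```

The same reasoning explains the "you still have to be careful" caveat: the protection comes from values being bound as parameters, so query text assembled by string concatenation loses it regardless of which data-access layer sends it.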
Bl8ckr0uter Inactive Imported Users Posts: 5,031
RobertKaucher wrote: »
> I do not use Entity SQL:
> Preventing SQL Injection with the Entity Framework and Data Services - Public Sector Developer Weblog - Site Home - MSDN Blogs
> LINQ to Entities, Entity SQL, Parameterized Store Queries and SQL Injection : Don't Be Iffy
> You still have to be careful - but as you are not passing raw SQL queries to the DB there is no chance of an injection. Most of our stuff works on 2 servers. I have the front end and the DB/WCF servers. We are pretty small, so we don't have to worry much about the topology.

I didn't even think about compressing the DB and WCF boxes to one box. Interesting......
So I have been tasked with "designing" the new web sites (basically making recommendations to our developers about which technologies to use, researching security pros and cons, etc.). WCF came up since our new sites are going to be .net 4.0 on IIS 7.5 (hells yea, I won that little battle). I know very, very little about the framework but I have to make a recommendation about which way to go within the next few weeks. I was just curious if anyone worked with WCF regularly. I figured you would be the one to respond.
At any rate, all this stuff is really making me enjoy windows for the time being.
RobertKaucher Member Posts: 4,299
WCF really rocks. In a large environment with serious SLAs I would be concerned about condensing the WCF and SQL Server boxes. We have a 24 hr SLA on all our stuff, so it's not a big deal for us. But if you have a smaller window I'd try not to host them on the same server as it just complicates the restore process.
You can redirect a WCF service to a mirror or spare DB as quickly as it takes to restore the db. But if your web services and DB are all on the same box it really complicates things...
Bl8ckr0uter Inactive Imported Users Posts: 5,031
RobertKaucher wrote: »
> WCF really rocks. In a large environment with serious SLAs I would be concerned about condensing the WCF and SQL Server boxes. We have a 24 hr SLA on all our stuff, so it's not a big deal for us. But if you have a smaller window I'd try not to host them on the same server as it just complicates the restore process.
> You can redirect a WCF service to a mirror or spare DB as quickly as it takes to restore the db. But if your web services and DB are all on the same box it really complicates things...

We are a smaller environment but our sla is like idk, 5-15 minutes of downtime lol.
I have found a ton of info on WCF but what I cannot find is alternatives to using WCF. I don't mean opensource alternatives (that will NOT fly with our developers) and a decent pros and cons list for using WCF or not.
Paydirt: http://jai-on-asp.blogspot.com/2010/04/difference-between-web-services-and-wcf.html
RobertKaucher Member Posts: 4,299
I think this graphic from the article says it all:
http://1.bp.blogspot.com/_T-syN1Neuz8/S87TBcf3I_I/AAAAAAAAAFw/XNIKQo36GQA/s1600/wcf.jpg
Bl8ckr0uter Inactive Imported Users Posts: 5,031
RobertKaucher wrote: »
> I think this graphic from the article says it all:
> http://1.bp.blogspot.com/_T-syN1Neuz8/S87TBcf3I_I/AAAAAAAAAFw/XNIKQo36GQA/s1600/wcf.jpg

Yea I saw that. Lol I was like wow, owned. Well at least I know now which way we are going...
Bl8ckr0uter Inactive Imported Users Posts: 5,031
Ok so how do you pass complex data streams without hosting WCF on IIS?
REST?
http://stackoverflow.com/questions/204032/complex-data-types-in-wcf
RobertKaucher Member Posts: 4,299
Well, WCF can do REST. REST is more of a style of development.
ASMX Web Services can do complex types - where WCF kicks @$$ though is with the ability to tell the clients about errors that occurred. There are other areas as well, but that's what sticks out in my mind.
http://harmful.cat-v.org/software/xml/soap/simple
I really think the 3 server topology is probably best given your SLAs. It is far more scalable and placing both the DB and the WCF service on a single server is like using RAID 0 (without the performance increase) - it is a true single point of failure. In a 3 tier you can do clustering and other types of high availability. Putting everything on the same box is truly placing all your eggs in one basket.
Bl8ckr0uter Inactive Imported Users Posts: 5,031
This is some complicated $h1T. I am going to spend some time over at msdn.microsoft.com/webservices so I can get a better idea of what they will be doing, so I can know how to configure my WAFs and secure IIS 7.5.
I am looking at webknight and threat sentry but I am leaning towards webknight (FOSS FTW).
RobertKaucher Member Posts: 4,299
Bl8ckr0uter wrote: »
> This is some complicated $h1T.

And that's why I feel like an idiot most of the time...
Bl8ckr0uter Inactive Imported Users Posts: 5,031
RobertKaucher wrote: »
> And that's why I feel like an idiot most of the time...

I started looking at the videos, death by terms. Endpoints. Data Contracts. Service Contracts. Service Host. Service Projects.
I think I might play with this, during this weekend. I thought this was going to be a simple cut and dry type of thing. Guess not lol..
Ok endpoints just made sense. I guess I wasn't getting the whole "exposing endpoints" things.
RobertKaucher Member Posts: 4,299
You make it sound so dirty...
Gotta' know your ABCs.
Bl8ckr0uter Inactive Imported Users Posts: 5,031
RobertKaucher wrote: »
> You make it sound so dirty...
> Gotta' know your ABCs.

Lol I was so pissed off when the guy on the video said, "These are the ABCs of WCF" I was sitting there like he did not just say that.
I need to install a windows VM on my laptop then I'll grab visual studio express and start to play with it. That might be tomorrow though.