Setting up a secure Web Service

I need to set up a web service. Server is in DMZ, so I thought about putting web service in IIS (asmx) cos only port 80 is available to comunicate. But information it provides should be secured. What choices do I have when it comes to what .NET / IIS can offer ?

Or maybe I should dispense with asxm web service and switch to something else. But once again, I only have port 80 avai开发者_如何学编程lable.

Thanks, Pawel

You should checkout WCF

When it comes to securing web services you have to main action paths:

• go for communication over HTTPS and leave the web service messages in plain text (no problem since the data is over HTTPS and you can't see inside): transport level security;
• go for communication over HTTP but secure the messages of the web service (WS-Security fits this role): message level security.

WS-* specifications are not an easy thing to digest (especialy WS-Security which relies on other specs like WS-Policy, WS-Addressing, XML Signature, XML Encryption etc). But since you say you only have port 80 available for communication I think you don't have a choice (don't even think of implementing your own security mechanism :D).

So, if you have to use WS-Security then go for WCF. You have a bunch of communication mechanism you can choose from and WCF takes a lot of the heavy lifting for you, abstracting away the "bare metal" of SOAP and WS-*.

Within IIS, if you wish to only allow a specific IP address to access the web service, do the following:

1. Within IIS, right click on the file with asmx extension. Click “Switch to features view”
2. Click the “IP Address and Domain Restrictions” icon.

   

3. Click “Edit Feature Settings”, Select Deny All, Add Allow Entry.
   

   

4. Type in the IP you want the service to access.