[I know this is quite subjective and dependent on various considerations, so I'm just fishing for ideas to see what people think on the subject, and what considerations they are taking into account...]
We have an asp.net application exposed publicly (username/password authentication required), which, in turn, uses a set of WCF services in the back.
I am trying to decide which binding to use for these services, and more specifically, which security elements, if any, we should use.
All applications (web front end and all services) reside on the same server farm, behind a firewall, which blocks all access to the services other than from the web application. Under these circumstances, would you say it's acceptable not to have any security elements (and so, presumably, have increased performance)?
For completeness, I would say that we do expect to expose some services externally at some point, but this will be done via a different endpoint, with a different address, using high-security elements including federated identity for authentication.
2 solutions
#1
Security is like a wall. The more walls the better.
That is why we have secure passwords for databases that are internal but accessed from web apps, and why we encrypt sensitive data in those databases.
If the security isn't going to be a major pain, add it.
#2
You should also make your services username- and password-protected, for example using digest authentication. The username and password will be provided internally through your application. Thus you add a security layer.
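As an added illustration (not taken from the question or either answer), here is a WCF configuration showing the two options discussed side by side: a netTcpBinding with no security elements, as the question considers, and one with transport security plus a username credential supplied by the web front end, as answer #2 suggests. Service, contract, validator and certificate names are placeholders.

```xml
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <!-- Option weighed in the question: no security elements.
           Fastest, but any host that can reach the port can call the
           service, and traffic crosses the farm in the clear. -->
      <binding name="internalNoSecurity">
        <security mode="None" />
      </binding>

      <!-- Option from answer #2: TLS on the wire plus a caller credential,
           so the firewall is no longer the only wall. For netTcpBinding this
           mode requires a service certificate (see serviceCredentials). -->
      <binding name="internalUserName">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>

  <services>
    <!-- Placeholder service and contract names -->
    <service name="Example.OrderService" behaviorConfiguration="userNameBehavior">
      <endpoint address="net.tcp://localhost:8731/orders"
                binding="netTcpBinding"
                bindingConfiguration="internalUserName"
                contract="Example.IOrderService" />
    </service>
  </services>

  <behaviors>
    <serviceBehaviors>
      <behavior name="userNameBehavior">
        <serviceCredentials>
          <!-- Certificate protecting the transport channel; placeholder subject -->
          <serviceCertificate findValue="CN=orders.internal.example"
                              storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectDistinguishedName" />
          <!-- Custom validator (placeholder type) that checks the username and
               password the web application sends with each call -->
          <userNameAuthentication userNamePasswordValidationMode="Custom"
                                  customUserNamePasswordValidatorType="Example.ServiceCredentialValidator, Example" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```

Switching an endpoint's bindingConfiguration between the two bindings is a quick way to measure the performance cost the question asks about on your own workload.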