March 20, 2008 at 10:22 am
Dear guys,
I'm developing a web site where subscribers will connect directly to SQL Express and send the results of their desktop application to the database.
So everybody, including hackers, can easily obtain a login. Of course I will restrict each login to executing only one stored procedure specially created for that user and nothing else.
But I'm worried about how often that stored procedure might be run by bad users. I also don't know what happens if a user tries to brute force the server with incorrect user names and passwords repeatedly. Does it lead to slowing down the server?
Does a firewall help?
In fact this problem persists even if I redirect user communications to a web service instead of a direct connection to the database, or even use emails. Anyhow, hackers can do the same thing; only some more complexity is added to my project.
Can anyone please help me?
March 20, 2008 at 12:49 pm
I would go with a web service.
1) It provides abstraction in case you want to alter the stored procedure, change the db, ...
2) No login is "visible"; the security context of the web service calling the stored procedure is defined.
3) Flexibility.
March 22, 2008 at 5:38 am
Jo Pattyn (3/20/2008)
I would go with a web service.
1) It provides abstraction in case you want to alter the stored procedure, change the db, ...
2) No login is "visible"; the security context of the web service calling the stored procedure is defined.
3) Flexibility.
Thanks Jo,
But I doubt whether I understood your meaning or not.
1) You mean adding logins from the ASP.NET application needs administrative privileges and is therefore not recommended? I agree.
2) You mean instead of new logins for each user, defining a new mechanism for identifying web service users? What if I define the same mechanism inside the db using stored procedures, without adding new logins for each user? Anyhow, one data transfer step less (the web service step) seems better.
3) I can't find any specific interpretation.
And in the end, I could not understand how to defend against denial of service attacks, either inside the DB or in the web service. Could you please advise? As far as I know, a web service does not have any defence mechanisms against such attacks.
Thanks
March 22, 2008 at 8:38 am
Please disregard my previous post, I have no experience with web security.
You could build minor security checks (login valid, ...) into the stored procedures before they do their intended job, to minimize strain.
Some things I've found during my web surfing:
Logic flaws: http://www.whitehatsec.com/home/assets/WP_bizlogic092407.pdf
DoS attacks: http://en.wikipedia.org/wiki/Denial-of-service_attack
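As an added illustration of the "one procedure per login, cheap checks first" idea from the original question and the reply above (example code, not from either poster; the login `alice`, the tables and the 60-calls-per-minute limit are all hypothetical): the procedure verifies the caller's identity and throttles its call rate before touching the results table, and the login is granted EXECUTE on that one procedure only. Failed logins never reach a procedure, so brute-force login attempts still have to be handled at the SQL Server / firewall level, not here.

```sql
-- Added example, not from the thread. Names are hypothetical.
-- Per-login call counter used for throttling (one row per login).
CREATE TABLE dbo.SubscriberCalls (
    LoginName   sysname  NOT NULL PRIMARY KEY,
    WindowStart datetime NOT NULL,
    CallCount   int      NOT NULL
);
CREATE TABLE dbo.Results (
    LoginName  sysname        NOT NULL,
    Payload    nvarchar(4000) NOT NULL,
    ReceivedAt datetime       NOT NULL
);
GO

CREATE PROCEDURE dbo.usp_SubmitResult_alice
    @Payload nvarchar(4000)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Caller sysname;  SET @Caller = SUSER_SNAME();
    DECLARE @Now datetime;    SET @Now = GETUTCDATE();
    DECLARE @Count int;

    -- Check 1: reject immediately if the caller is not the login this procedure was built for.
    IF @Caller <> N'alice'
    BEGIN
        RAISERROR('Not authorised.', 16, 1);
        RETURN 1;
    END;

    -- Check 2: count calls in a sliding 1-minute window; the row is locked so concurrent
    -- calls from the same login cannot both slip under the limit.
    BEGIN TRANSACTION;
    UPDATE dbo.SubscriberCalls WITH (UPDLOCK, HOLDLOCK)
       SET CallCount   = CASE WHEN WindowStart < DATEADD(minute, -1, @Now) THEN 1 ELSE CallCount + 1 END,
           WindowStart = CASE WHEN WindowStart < DATEADD(minute, -1, @Now) THEN @Now ELSE WindowStart END
     WHERE LoginName = @Caller;
    IF @@ROWCOUNT = 0
        INSERT dbo.SubscriberCalls (LoginName, WindowStart, CallCount) VALUES (@Caller, @Now, 1);
    SELECT @Count = CallCount FROM dbo.SubscriberCalls WHERE LoginName = @Caller;
    COMMIT TRANSACTION;

    IF @Count > 60   -- hypothetical limit: 60 calls per minute per login
    BEGIN
        RAISERROR('Rate limit exceeded; try again later.', 16, 1);
        RETURN 2;
    END;

    -- Only now do the real (more expensive) work.
    INSERT dbo.Results (LoginName, Payload, ReceivedAt) VALUES (@Caller, @Payload, @Now);
    RETURN 0;
END
GO

-- The login gets EXECUTE on its own procedure and nothing else; it never needs table access.
GRANT EXECUTE ON dbo.usp_SubmitResult_alice TO alice;
```

A rejected call still costs one cheap indexed UPDATE, which is the point: an abusive caller burns far less server time than a call that reached the real insert.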
March 22, 2008 at 9:26 am
Thanks a lot for your cooperation.