Internet - Intranet Data Dilemma

  • Thread starter: asdf

asdf

Hi,

Currently, I have one database for Intranet clients on the server behind the
firewall. But I was asked to allow the extranet users to access the same
data. From the security perspective, what is the best way to make that data
accessible?

Should we have two databases, one for Intranet and one for Extranet? In that
case the second one would be a replica, but that would cost us money for the
extra MS SQL license. Maybe it is OK to have only one physical database.
Maybe MySQL is a good idea to use as a replica that would be refreshed
nightly. Or XML data would be OK to serve only extranet.

What would be the best idea to do?

We are an all-MS shop.

Thanks in advance for any help,
Tom
 
Shouldn't you create a business tier and expose it through webservices, for
example?
Why do they need to access your db?
 
ASDF,

My first thought "webservice".

And then expose only those methods that give the information that you want
to give. AFAIK, in all other situations the user is able to see, in one way or
another, the IP address of your server and can start digging.

Just my thought,

Cor
 
Doh,

I was thinking of Windows Forms applications in an intranet (LAN).

If you create just separate pages (which you extract from your current ones)
which cannot affect the data for your extranet and set those up as a separate
web on a separate webserver, then you are in fact doing the same as my
thought about webservice. Normally with ASP the users never see your
database server.

Just my idea.

Cor
 
ASDF:

I have a similar situation and for one client, we specifically poked a hole
in the firewall to allow access but that's only b/c for that client, we
pretty much had to go that route (the consultants they hired to design the
solution deemed it so and we were just building it for them). The better
solution is to use WebServices and Remoting. Sit a web service outside of
your firewall in a DMZ. Then use .NET Remoting to call the business layer
from the web service. Have the business layer hosted on an application
server that can only be accessed from the web server. Then have the App
Server call the db directly or call another server inside the firewall which
talks to the db. Essentially what you're doing is ensuring that your web
server can't talk to anything but the app server and the app server can't
talk to anything but the db. In so doing, there's no link from the web
server to the database.

I know these are vastly different approaches but there isn't one 'security
perspective'. It depends on a lot of things, budget being one of the biggest
considerations. The latter configuration is what we've done for many state
agencies and very security imperative installs. But if you have the cash,
you can certainly get a lot more complex than this. Check out Eric's blog
at http://marvets.com/blog/default.aspx and you may want to run this by him.
He's a Security MVP and usually very willing to help people out - not to
mention he's one of the most knowledgeable people I know when it comes to
security particularly with respect to databases.

HTH,

Bill
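
The layered layout described in the post above can be checked mechanically. The following is an added example, not part of the original post or any poster's code: it audits a rule set for flows that skip a tier and reports how many permitted connections separate the extranet from the database. Zone names, ports and the rule format are assumptions made for illustration.

```python
from collections import deque

# Tier order from the post: each tier may open connections only to the next one.
TIERS = ["extranet", "web", "app", "db"]
ALLOWED_HOPS = set(zip(TIERS, TIERS[1:]))

def violations(rules):
    """Return rules that permit a flow other than one tier to the next."""
    return [r for r in rules if (r["src"], r["dst"]) not in ALLOWED_HOPS]

def hops_to(rules, start="extranet", target="db"):
    """Fewest permitted connections linking start to target (None if unreachable)."""
    graph = {}
    for r in rules:
        graph.setdefault(r["src"], set()).add(r["dst"])
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == target:
            return dist
        for nxt in sorted(graph.get(node, ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

# Constructed rule sets; the port numbers are illustrative assumptions.
LAYERED = [
    {"src": "extranet", "dst": "web", "port": 443},
    {"src": "web", "dst": "app", "port": 8085},
    {"src": "app", "dst": "db", "port": 1433},
]
# The "hole in the firewall" case: extranet clients reach the database directly.
HOLE_IN_FIREWALL = LAYERED + [{"src": "extranet", "dst": "db", "port": 1433}]
# The web server is allowed to query the database itself, bypassing the app tier.
WEB_TALKS_TO_DB = LAYERED + [{"src": "web", "dst": "db", "port": 1433}]

if __name__ == "__main__":
    for name, rules in [("layered", LAYERED),
                        ("hole in firewall", HOLE_IN_FIREWALL),
                        ("web talks to db", WEB_TALKS_TO_DB)]:
        print(f"{name}: hops to db = {hops_to(rules)}, violations = {violations(rules)}")
```

A hop count below 3 means some tier can be skipped, and the violations list names the rule responsible.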
 