Silverlight calling webapi behind firewall - silverlight

The Silverlight application is sitting on a server which is accessible from the internet, and the WebApi is sitting on a server behind a firewall which is not accessible via the internet but is accessible via the intranet. Both the Silverlight application server and the WebApi server can talk over the intranet. Is it possible for a Silverlight application accessed from the internet to talk to the WebApi?

You simply need to add a firewall rule that allows the Green Server to access the Red Server on a given port. You can add MAC filters, IP filters, use an ad-hoc IP in a different subnet on the Red Server, expose the API on an unusual port (not 80), use client certificates, expose the API through SSL, and many other things to protect the server inside the firewall and the communication between servers.
That's the mission of the firewall. Otherwise, you simply wouldn't connect the networks through the firewall.

Related

HOW TO ACCESS ORACLE APEX APPLICATION OVER A LOCAL NETWORK

I just want my ORACLE APEX APPLICATION along with the database installed on PC-1, and then the rest of the PCs just access this application via LAN cable or Wi-Fi. How can I do it without using any hosting service?
I also want to know about the ORDS RESTful Services:
how to configure them for the other client systems and for the server side?
Thanks in advance!
Oracle Apex doesn't differ from any other website from this point of view.
You need to set up the Apex/ORDS listeners, and then you can access it from your local network like:
IpOfThePCWhereApexIsInstalled:PortConfiguredWithApex/Apex
For example:
192.178.160.1:443/Apex (if Apex is configured on port 443)
192.178.160.1:80/Apex (if Apex is configured on port 80)
This way, the browser will look for the IP inside your local network and access it.

How to security access onprem database from Azure AppService

Is there a way to securely access an on-prem SQL Server from an App Service?
The IT guys are nervous about an App Service that needs access to our on-premise database.
I am not a networking guy, and am trying to come up with a solution.
The only thing I have thought of is creating a new database (CDS_API). The App Service is then given a connection string to this database. This database would then have access to the primary database (CDS).
If the App Service has only execute permissions on CDS_API, this seems secure to me. Am I missing something?
Is there a better way to do this?
The simple solution is to use an App Service Hybrid Connection:
Hybrid Connections can be used to access application resources in any network that can make outbound calls to Azure over port 443. Hybrid Connections provides access from your app to a TCP endpoint and does not enable a new way to access your app. As used in App Service, each Hybrid Connection correlates to a single TCP host and port combination. This enables your apps to access resources on any OS, provided it is a TCP endpoint. The Hybrid Connections feature does not know or care what the application protocol is, or what you are accessing. It simply provides network access.
Alternatively, you can integrate your app with an Azure virtual network which is connected securely to your on-prem networks, either with a Site-to-Site VPN or over ExpressRoute.
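The "execute-only facade database" idea from the question, written out as an added T-SQL example (not the poster's code, and independent of the Hybrid Connection answer above, which handles the network path; this handles the database permissions). All object names (appsvc_login, api.GetCustomerOrders, dbo.Orders), the passwords and the certificate file path are assumptions or placeholders. The point it demonstrates: the App Service login gets a user only in CDS_API with EXECUTE on one schema, and because cross-database ownership chaining is off by default, the procedure is given its rights in CDS by module signing, so the caller never needs a user in the primary database.

```sql
-- Added example, not the poster's code: least-privilege facade database.
USE CDS_API;
GO
-- The App Service authenticates as this login; it has a user in CDS_API only.
CREATE LOGIN appsvc_login WITH PASSWORD = '<strong password placeholder>';
CREATE USER appsvc FOR LOGIN appsvc_login;
GO
-- A schema that holds only the procedures the app is allowed to call.
CREATE SCHEMA api;
GO
CREATE PROCEDURE api.GetCustomerOrders @CustomerId int
AS
BEGIN
    SET NOCOUNT ON;
    -- Reads the primary database (CDS) through a three-part name.
    SELECT o.OrderId, o.OrderDate, o.Total
    FROM CDS.dbo.Orders AS o
    WHERE o.CustomerId = @CustomerId;
END;
GO
-- The only permission appsvc holds: EXECUTE on the api schema.
GRANT EXECUTE ON SCHEMA::api TO appsvc;

-- Cross-database ownership chaining is disabled by default, so without
-- further setup the caller would need rights in CDS. Signing the procedure
-- with a certificate grants those rights to the code, not to the caller.
CREATE CERTIFICATE FacadeCert
    ENCRYPTION BY PASSWORD = '<cert password placeholder>'
    WITH SUBJECT = 'Signs CDS_API facade procedures';
ADD SIGNATURE TO api.GetCustomerOrders
    BY CERTIFICATE FacadeCert WITH PASSWORD = '<cert password placeholder>';
-- Export the public part only (no private key) for the primary database.
BACKUP CERTIFICATE FacadeCert TO FILE = 'C:\secure\FacadeCert.cer';
GO

USE CDS;
GO
-- Same certificate (public key) in the primary database, mapped to a user
-- that cannot log in; it exists solely to carry the procedure's permissions.
CREATE CERTIFICATE FacadeCert FROM FILE = 'C:\secure\FacadeCert.cer';
CREATE USER FacadeCertUser FROM CERTIFICATE FacadeCert;
GRANT SELECT ON dbo.Orders TO FacadeCertUser;
GO
```

The App Service's connection string points at CDS_API as appsvc_login. Calling `EXEC api.GetCustomerOrders @CustomerId = 42` works, while `SELECT * FROM CDS.dbo.Orders` run directly by appsvc fails because appsvc has no user in CDS. Re-sign the procedure whenever its definition changes, since ALTER PROCEDURE drops the signature; and keep the signing password and the exported .cer out of the App Service's reach.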

Wireguard - How to restrict VPN access to applications which do not have static IPs using Wireguard VPN split tunnel?

I want to restrict a few business applications hosted in the cloud to only our employees using a WireGuard VPN (client-server setup, with a split tunnel for their private browsing).
For the applications running on a standalone server with a static IP, we can achieve this easily by adding their IPs to WireGuard's "Allowed IPs" and creating a firewall rule on the application server to only accept connections from our VPN server (also hosted in the cloud). Please note that WireGuard routes this at layer 4.
But for applications using an application load balancer or a serverless setup, which do not have a static IP, we use a proxy server like Cloudflare which has an IP range, which we then add to WireGuard's allowed IPs. This is a layer 7 solution.
Is there a better way (preferably at layer 4) to restrict access to applications without static IPs using a WireGuard VPN?
Also, we have a private DNS on the VPN server, which may be used in designing the solution.
Thanks
Vivek

Are we doing DMZ correctly?

We are building a client solution that will be hosted on servers in a data-centre. It consists of several servers all related to providing the client solution. There is no internal network to protect, but for some reason our UAT environment has the notion of a DMZ in the server diagram.
We have an IIS box which will have a public IP. Then we have two servers, DB (SQL Server) and APP, that are only on the internal LAN with no public IPs. You can only RDP to these servers via VPN. Our IIS server needs SQL access, so port 1433 is open from the IIS box (DMZ) to the SQL server. We are also opening several ports from the IIS server to the APP server which hosts WCF services.
My understanding was that a DMZ was meant to protect internal private networks and that these networks should not be accessible from the DMZ, but we are now opening up ports to both our APP and DB servers so they are accessible from the DMZ. In the end most of our servers are accessible from the IIS server via certain ports.
We originally wanted to set up our SQL server for AD authentication only, but since our IIS server is in the DMZ and has no AD access we will be forced to enable mixed mode authentication in SQL Server. This might be another security issue in its own right, since we are now forced to store passwords somewhere on the IIS server to be able to authenticate against SQL Server.
Are we not perhaps missing the idea of a DMZ?
So with a system where you have a DMZ, there is also a firewall involved.
So your system should look like this, I think:
SQL server hosting internal data
Other servers needed for the company
---- firewall ----
SQL server hosting data for the web solution
AD server (if needed)
Web server
FTP server (could be on the web server also)
With this setup you don't expose the company-sensitive database to the outside world, and you also don't open up a port in the firewall making it possible for attackers to (maybe) get access to the internal database which has company-sensitive data...
Just my suggestion based on the information provided.

How to secure a database using web services?

Currently an application is connected to a database server on the same LAN and performs selects and inserts.
The database will be moved to a remote location accessible over the internet. Performance degradation will be addressed by reducing the number of operations on the db. It is not possible to use a VPN or configure access-in rules based on client IP on the firewall of the network where the database server will be moved. So it seems to me it is necessary to create a database front end in order to protect it. I suppose one way to achieve this goal is to create a web service.
Are there easier alternatives?
I'm new to web services: it should run in a Glassfish server while the client would be a C# application.
I read a bit about securing a web service but I'm a bit confused.
One method I found on the internet is to use Glassfish's built-in authentication mechanism and configure web.xml to limit access to the web service URL to a group of users.
It seems an easy approach; are there any drawbacks?
Is it easy to use this type of authentication in the C# client?
Other existing web services want a key parameter in the request. This key is then compared with the valid ones, and if the check is successful the request is accepted.
Is this approach more secure than the previous one?
Another alternative is to use WSIT, but at first glance it seems over-complicated and all the security mechanisms need a server certificate.
Anyway it looks more secure; does it fit well with JAX-RS and RESTful web services?
You can use an L2TP or PPTP VPN in this case.
Let me first show you the network topology.
Client (accessing the firewall with L2TP or PPTP) -----> Firewall (L2TP or PPTP VPN server) ---> Firewall LAN where your server is placed.
In the above case all clients come through the VPN, so it's secure, and on the firewall you have to configure a VPN-to-LAN rule with a client-based rule.
