New Post
4/27/2009 10:46 AM
 

Michael Washington wrote

You're gonna take a hit in performance using web services. I don't agree with the security argument. If someone hacks your DNN site that is REALLY REALLY bad. If they hack your website they will also have the keys (the passwords) to your web services.

Not that big of a hit depending on the implementation, and a web services implementation can greatly enhance scaling. I'm currently working on .Net web services implementations that are intended to scale to 10-14,000 TPS. One major advantage from a performance side is load balancing your requests across multiple instances, so 1-N DNN instances running the GUI portion could reference 1-N business services. A standard installation causes the business logic to execute on the server hosting the GUI, not always desirable in a large scale implementation.

Also, from a security standpoint if they hack your DNN site they have the passwords for your web services, but they don't necessarily have the passwords for the databases that are behind them.

If someone has Host access to your site they can upload a module that will show them the source code to every file and they can read all the connection strings in the web.config. Even if connection strings and passwords are encrypted they can upload modules that will allow them to still make calls against anything the DNN site has access to.

True, but their opportunities for mischief will be limited to what's provided by the web service API's, and a well designed site wouldn't allow you to call those API's from the outside world. They would have to get code onto the DNN site to call those services. Possible if they get host access, but that means learning the WS APIs (something somewhat difficult without access to the code), developing a module, installing it, etc.

Obviously the web services solution is not for typical installations. There's little point in doing it for anything but the largest scale implementations.

 
New Post
4/27/2009 11:09 AM
 

Keith Stone wrote
 

True, but their opportunities for mischief will be limited to what's provided by the web service API's, and a well designed site wouldn't allow you to call those API's from the outside world. They would have to get code onto the DNN site to call those services. Possible if they get host access, but that means learning the WS APIs (something somewhat difficult without access to the code), developing a module, installing it, etc.

But can't you also achieve this by simply not allowing dynamic SQL? The DNN Core already only uses Stored Procedures. However these stored procedures still allow a hacker to destroy your site if they had Host Access.

Even if you had the web services, they would have to mimic the DNN Stored procedures so if a Hacker had access they would know what they do because they would know what stored procedures they are mapped to.

One thing we have done is only allow people inside our network to get to the Host admin pages (using network filtering). So you simply cannot upload any code through DNN without being at certain machines.



Michael Washington
http://ADefWebserver.com
www.ADefHelpDesk.com
A Free Open Source DotNetNuke Help Desk Module
 
New Post
4/27/2009 12:09 PM
 

 


Michael Washington wrote

But can't you also achieve this by simply not allowing dynamic SQL? The DNN Core already only uses Stored Procedures. However these stored procedures still allow a hacker to destroy your site if they had Host Access.

If you segregate the business data from the data running the GUI then the hacker could destroy the site, but still not gain access to the business data. Access to the business data would be through only the defined service interfaces, no SQL possible from the GUI instance, even with host access.

Even if you had the web services, they would have to mimic the DNN Stored procedures so if a Hacker had access they would know what they do because they would know what stored procedures they are mapped to.

They would have to return individual objects or collections of them, and mimic parameterized calls for updates and deletes. Since they may or may not even be generating SQL on the other side it'll be a lot more difficult to inject. For example our data access layer uses a web services manager that routes based on the authentication token. They may retrieve data from different databases depending on who they are. In any case hacking is more difficult because the isolation means someone can't just log in as host and start running commands to look at what's there in the SQL window. They would have to determine what to call, and what the WSDL was.

One thing we have done is only allow people inside our network to get to the Host admin pages (using network filtering). So you simply cannot upload any code through DNN without being at certain machines.

That is an excellent idea.
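As an added illustration of the separation described in this post (example code, not from this thread or from DNN): the GUI tier can reach only a typed service contract, while the service tier maps the caller's authentication token to a tenant database and issues parameterized stored-procedure calls. The interface, token values, connection strings and procedure names are all constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
// The only surface the GUI tier can call: typed operations, no SQL text, no connection strings.
public interface IOrderService
{
    Order GetOrder(string token, int orderId);
    void CloseOrder(string token, int orderId);
}
public sealed class Order { public int Id; public string Status; }
public sealed class OrderService : IOrderService
{
    // Hypothetical token -> tenant database map; lives on the service host only, never on the GUI instance.
    private static readonly Dictionary<string, string> Tenants = new Dictionary<string, string>
    {
        ["token-tenant-a"] = "Server=dbA;Database=OrdersA;Integrated Security=true",
        ["token-tenant-b"] = "Server=dbB;Database=OrdersB;Integrated Security=true",
    };
    public Order GetOrder(string token, int orderId)
    {
        using (var conn = Connect(token))
        using (var cmd = new SqlCommand("dbo.Order_Get", conn) { CommandType = CommandType.StoredProcedure })
        {
            cmd.Parameters.Add("@OrderId", SqlDbType.Int).Value = orderId;
            using (var rdr = cmd.ExecuteReader())
                return rdr.Read() ? new Order { Id = rdr.GetInt32(0), Status = rdr.GetString(1) } : null;
        }
    }
    public void CloseOrder(string token, int orderId)
    {
        using (var conn = Connect(token))
        using (var cmd = new SqlCommand("dbo.Order_Close", conn) { CommandType = CommandType.StoredProcedure })
        {
            cmd.Parameters.Add("@OrderId", SqlDbType.Int).Value = orderId;
            cmd.ExecuteNonQuery();   // the caller chooses only the parameter, never the statement
        }
    }
    // Route on the authentication token; an unknown token never reaches any database.
    private static SqlConnection Connect(string token)
    {
        if (!Tenants.TryGetValue(token, out var cs))
            throw new UnauthorizedAccessException("unknown service token");
        var conn = new SqlConnection(cs);
        conn.Open();
        return conn;
    }
}
```

Even a caller with full control of the GUI tier holds nothing but a token and the two operations above, so the SQL window and ad hoc queries the post mentions are unavailable to it.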

 
New Post
12/14/2010 1:25 PM
 
Are there any examples of how I would do this? Change the standard DNN Data provider to a custom provider that would call web services?
 
New Post
12/14/2010 1:28 PM
 
Michael Washington wrote:

You can replace the standard DNN database provider with a custom provider. Instead of the standard SQL provider you can pass all the calls from the business layer to a database using custom code. You can use WCF, web services, remoting, etc. I 

 Are there any examples of how to do this?

 