(Msg. 1) Posted: Mon Sep 29, 2008 11:47 am
Post subject: Shopping cart architecture IISSQL
Archived from groups: microsoft.public.sqlserver.security
I need a shopping-cart-like setup where IIS is in a DMZ on the Internet, but
how do I securely have the web server talk to a SQL server where the order
will be kept? If I open the Firewall back to an internal SQL, it seems like a
port I should not open. Any links to white papers on best practices?
TIA
(Msg. 2) Posted: Tue Sep 30, 2008 12:26 pm
Post subject: Re: Shopping cart architecture IISSQL
Ron wrote on Mon, 29 Sep 2008 11:47:33 -0700:
> I need a shopping cart like setup where IIS is in a DMZ on the
> Internet, but how do I securely have the web server talk to a SQL
> server where the order will be kept? If I open the Firewall back to an
> internal SQL seems like a port I should not open. Any links to white
> papers on best practices ?
> TIA
Personally, I have IIS write to a SQL Server in the DMZ which contains the
read only product data and the order data, and use SQL Replication via a
Pull subscription to grab that data to another SQL Server inside my LAN at
which point the order data is "cleaned" to only have data left that is
required for order tracking on the website itself. This way the full order
data exists for only a short time on the DMZ server, and I don't have to
allow the IIS or SQL Server in the DMZ to open connections into the LAN.
--
Dan
(Msg. 3) Posted: Tue Sep 30, 2008 2:52 pm
Post subject: Re: Shopping cart architecture IISSQL
Just wondering how big places like Amazon or Dell do it. I'm sure they don't
keep the credit card info on the web even for a few minutes. (Although I do
like your idea.)
"Daniel Crichton" <msnews DeleteThis @worldofspack.com> wrote in message
news:e6fDqVxIJHA.4280@TK2MSFTNGP04.phx.gbl...
> Personally, I have IIS write to a SQL Server in the DMZ which contains the
> read only product data and the order data, and use SQL Replication via a
> Pull subscription to grab that data to another SQL Server inside my LAN at
> which point the order data is "cleaned" to only have data left that is
> required for order tracking on the website itself. This way the full order
> data exists for only a short time on the DMZ server, and I don't have to
> allow the IIS or SQL Server in the DMZ to open connections into the LAN.
>
> --
> Dan
(Msg. 4) Posted: Wed Oct 01, 2008 7:25 am
Post subject: Re: Shopping cart architecture IISSQL
Most payment providers will handle that cleanly for you - you send the card
details to them, they authorise it, you get back an authorisation token
which you store. You don't need to retain the card details at all. When you
want to get the payment for the order later (for instance you only charge on
despatch like we do) then you send the authorisation token to the payment
provider system along with the amount, they send the request to the merchant
services system and you get back a response - based on that response you
release the order or not. If you need to refund, you send a refund request
with the token and the amount and again the payment provider does all the
work.
Dan
Ron wrote on Tue, 30 Sep 2008 14:52:32 -0700:
> Just wondering how big places like Amazon or Dell do it. I'm sure they
> dont keep the credit card info on the web even for a few minutes.
> (Although I do like your idea).
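The two design points made in this thread, the DMZ/LAN pull with the DMZ row "cleaned" down to tracking data (Msg. 2) and the authorise/token/capture-on-despatch/refund flow with a payment provider (Msg. 4), are shown together below as an added, constructed example. It is not Dan's code or any provider's API; the `PaymentProvider` class, the two dicts standing in for the DMZ and LAN order tables, the field names and the card number are all assumptions made up for illustration.

```python
"""Added example: keep card data out of the merchant's stores entirely and
minimise what the DMZ order table retains once the LAN has pulled the order.

All names here are constructed stand-ins: PaymentProvider plays the external
provider (the only party that ever sees the card number), and the two dicts
stand in for the DMZ and LAN SQL Server order tables.
"""
from dataclasses import dataclass
import secrets


@dataclass
class Authorisation:
    amount: int          # authorised amount in minor units (pence)
    captured: int = 0    # taken so far, never above `amount`
    refunded: int = 0    # returned so far, never above `captured`


class PaymentProvider:
    """Stand-in for the payment provider: swaps card details for a token."""

    def __init__(self):
        self._auths: dict[str, Authorisation] = {}

    def authorise(self, pan: str, expiry: str, amount: int) -> str:
        if not (12 <= len(pan) <= 19 and pan.isdigit()):
            raise ValueError("malformed card number")
        token = secrets.token_urlsafe(16)   # opaque; reveals nothing about the card
        self._auths[token] = Authorisation(amount)
        return token                        # the merchant stores only this

    def capture(self, token: str, amount: int) -> bool:
        auth = self._auths.get(token)
        if auth is None or auth.captured + amount > auth.amount:
            return False                    # unknown token or over-capture
        auth.captured += amount
        return True

    def refund(self, token: str, amount: int) -> bool:
        auth = self._auths.get(token)
        if auth is None or auth.refunded + amount > auth.captured:
            return False                    # cannot refund more than was taken
        auth.refunded += amount
        return True


# Constructed "tables": rows IIS writes in the DMZ, and the LAN copy.
dmz_orders: dict[int, dict] = {}
lan_orders: dict[int, dict] = {}

# The only columns the website still needs after the LAN has the full row.
TRACKING_FIELDS = {"order_id", "status"}


def place_order(provider, order_id, pan, expiry, amount, address):
    """IIS path: authorise with the provider, persist the token, never the PAN."""
    token = provider.authorise(pan, expiry, amount)
    dmz_orders[order_id] = {"order_id": order_id, "status": "authorised",
                            "amount": amount, "address": address,
                            "payment_token": token}
    return token


def pull_to_lan():
    """LAN-initiated pull (the DMZ never opens a connection inward), after
    which each DMZ row is stripped down to the tracking fields."""
    for oid, row in dmz_orders.items():
        if oid not in lan_orders:
            lan_orders[oid] = dict(row)
            dmz_orders[oid] = {k: v for k, v in row.items() if k in TRACKING_FIELDS}
    return len(lan_orders)


def despatch(provider, order_id):
    """Charge on despatch from the LAN copy using the stored token only."""
    row = lan_orders[order_id]
    ok = provider.capture(row["payment_token"], row["amount"])
    row["status"] = "despatched" if ok else "payment_failed"
    dmz_orders[order_id]["status"] = row["status"]   # website tracking stays current
    return ok


def dmz_holds_tracking_only() -> bool:
    """True when no DMZ row carries anything beyond TRACKING_FIELDS."""
    return all(set(r) <= TRACKING_FIELDS for r in dmz_orders.values())
```

In a real deployment the pull would be SQL Server replication with the LAN server holding the pull subscription, as Dan describes; the simulation only models the direction of the connection, the scrub of the DMZ row, and the provider-side checks that stop a stored token being captured for more than was authorised or refunded for more than was captured.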
(Msg. 5) Posted: Wed Oct 01, 2008 11:05 am
Post subject: Re: Shopping cart architecture IISSQL
Sounds good. Since you have so much experience there, can you recommend a
Payment processor? (or two).
"Daniel Crichton" <msnews.RemoveThis@worldofspack.com> wrote in message
news:OOnQFW7IJHA.2156@TK2MSFTNGP05.phx.gbl...
> Most payment providers will handle that cleanly for you - you send the
> card details to them, they authorise it, you get back an authorisation
> token which you store. You don't need to retain the card details at all.
> When you want to get the payment for the order later (for instance you
> only charge on despatch like we do) then you send the authorisation token
> to the payment provider system along with the amount, they send the
> request to the merchant services system and you get back a response -
> based on that response you release the order or not. If you need to
> refund, you send a refund request with the token and the amount and again
> the payment provider does all the work.
>
> Dan
(Msg. 6) Posted: Fri Oct 03, 2008 10:27 am
Post subject: Re: Shopping cart architecture IISSQL
I'm in the UK, so I doubt these will help, but I'm currently using both
DataCash and Protx. DataCash seem to have a more robust system and are
better at keeping on top of issues, but Protx are cheaper and don't charge
ridiculous amounts for what should be core features (eg. DataCash want about
£1500 to enable 3D Secure processing, Protx include this at no additional
cost).
Dan
Ron wrote on Wed, 1 Oct 2008 11:05:34 -0700:
> Sounds good. Since you have so much experience there, can you recommend
> a Payment processor? (or two).