Breaching security, the easy way

Today I was fiddling around with Azure once more, this time exploring the capabilities of the Service Bus Relay functionality. That sounds more difficult than it actually is.

The scenario consists of an internal web service and the wish to make it available over the internet. Many developers will know the trouble this usually gives you. You have to get a DNS name and talk to the guys in charge of firewalls. And those guys usually don’t like opening ports, especially to traffic from the outside. So they say they won’t do it, and you have to go to your manager, who goes to their manager. A lot of meetings and time go by, and eventually the port is opened up because the business really needs this functionality and has no other option.

Well that other option: it’s here now! Here’s what you do:

  • Create a service (interface and class, simple) and host it in a process (console app or Windows service). This service connects itself to Azure and registers as an endpoint.
  • Now you can create a client which connects to the service, but it does that via Azure. So no direct connection is needed and no ports have to be opened up. How great is that?

It’s really easy to set up, check the instructions here.

But that’s also what kind of worries me, because security loopholes become quite hard to spot with technology like this. From the perspective of a security guy, I wouldn’t be too enthused about people creating all kinds of web services and making them available to the entire internet without me knowing.

There’s one thing to mention, though: you cannot just call your web service. You’ll need the namespace of your Service Bus instance created in Azure, and you’ll need the access key to connect to the Service Bus. That’s some relief. As long as you keep those two strings to yourself, you’re good. So make sure you don’t just store them in plain sight where someone else might get to them. Don’t deploy your apps with app.configs where those things are set in plain text. Give it some thought, because your security officer will not like you when he finds out… 😉
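A check that can be run over the app.config files warned about above, as an added example that is not part of the original post: it flags Service Bus keys stored in plain text and reports which namespace they unlock, without echoing the key. The sample config, the namespace `contoso-relay` and the key values are constructed placeholders, and `find_relay_secrets` is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET

# Secret-bearing parts of a Service Bus connection string (SAS and the older ACS form).
CONN_SECRET = re.compile(r"(SharedAccessKey|SharedSecretValue)=([^;]+)", re.I)
NAMESPACE = re.compile(r"Endpoint=sb://([^./;]+)\.", re.I)
# WCF relay <tokenProvider> children and the attribute that carries the key.
TOKEN_ATTRS = {"sharedAccessSignature": "key", "sharedSecret": "issuerSecret"}

# Constructed sample app.config: placeholder namespace and keys, not real credentials.
SAMPLE = """<configuration>
  <appSettings>
    <add key="Microsoft.ServiceBus.ConnectionString"
         value="Endpoint=sb://contoso-relay.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=CONSTRUCTED-PLACEHOLDER-KEY=" />
    <add key="LogLevel" value="Info" />
  </appSettings>
  <system.serviceModel><behaviors><endpointBehaviors><behavior name="relay">
    <transportClientEndpointBehavior><tokenProvider>
      <sharedAccessSignature keyName="RootManageSharedAccessKey" key="CONSTRUCTED-PLACEHOLDER-KEY=" />
    </tokenProvider></transportClientEndpointBehavior>
  </behavior></endpointBehaviors></behaviors></system.serviceModel>
</configuration>"""

def find_relay_secrets(config_xml):
    """Return (location, namespace, kind) findings; key values are never returned."""
    findings = []
    for el in ET.fromstring(config_xml).iter():
        name = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        if name in TOKEN_ATTRS and el.get(TOKEN_ATTRS[name]):
            findings.append((name, None, TOKEN_ATTRS[name]))
            continue
        # appSettings entries use value=, connectionStrings entries use connectionString=
        for attr in ("value", "connectionString"):
            text = el.get(attr) or ""
            m = CONN_SECRET.search(text)
            if m:
                ns = NAMESPACE.search(text)
                where = "%s[%s]" % (name, el.get("key") or el.get("name") or "?")
                findings.append((where, ns.group(1) if ns else None, m.group(1)))
    return findings

if __name__ == "__main__":
    for finding in find_relay_secrets(SAMPLE):
        print(finding)
```

Any finding means the key should be rotated in Azure and moved out of the deployed file, for example into an encrypted configuration section or a secret store.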
