.Net Remoting and updates in .Net Remoting 2.0
Posted by Steven on May 7th, 2006
Since the advent of .Net, .Net Remoting has been hot topic for all programmers alike. In this article I will try to provide an answer to the questions:
- What is .Net Remoting and how powerful is it?
- What makes it worth all this attention?
- How secure is it in practice
.Net Remoting is a Microsoft product which enables communication across applications. In .Net 1.0 and .Net 1.1, this technology was used to provide applications with a quick and simple means of performing RMI (remote method invocation) calls across applications distributed over a network. This communication is performed over both TCP and HTTP protocols (which support both binary and soap serialization), thus enabling it to be hosted as an independent application or over .Net capable web servers (Such as IIS servers). .Net 2.0 introduces a new channel referred to as the IPC (Inter Process Communication), which allows programmers to publish objects to the current platform (computer) without publishing them over the network (Finally a worthy rival to the System V IPCs on UNIX).
With this technology, programmers have the power of connecting their applications to other applications at runtime through the objects which either of them are publishing. Remoting allows programmers to marshal these objects from one platform (application running on a computer) to another.
Coding of services and providing RMI access to them is no new concept in the realm of programming. What is new though is the fact that not only does remoting allow the programmers to expose a pre-compiled service to a range of applications, but it allows the remoting programmers to migrate functions from their custom assemblies over the internet. This can be useful in a number of scenarios, for example if you need an application to return a set of results once a task has been completed. It is possible to generate an instance of an object and have it marshaled to the server which can then marshal the results back via the object that the client sent to the server.
This unfortunately also means that unless the proper counter measures are taken, there is the chance that a hacker can inject his own code into your server (Code Injection attacks). To avoid this from happening it is imperative that when deploying such applications on an unsecured network (e.g. the Internet), the security is set to allow only strongly typed objects only to be marshaled, to avoid custom objects to be sent across the network. A great deal of information can be found about this topic if one does some further reading about typefilterlevel.
Remoting is a blessing to all .Net programmers, but should be used wisely to avoid leaving loop holes that hackers can exploit. Throughout the last couple of years I have been exposed to a lot of development concerned with remoting and my final thoughts are that it is well worth the trouble of learning to set it up.
Links: