I have a set of RESTful services developed using ASP.NET Web API, which is a single project. I handle authentication via ASP.NET's built-in Forms Authentication (cookie-based) mechanism, which is also built into the same project. The services need to be publicly exposed to the internet as they will be consumed by mobile applications.

One of my teammates suggested keeping authentication separate and hosting it in the DMZ while the services project is hosted inside a firewall, like so:

Authentication Module (DMZ/Internet) |--FireWall--| (Safe Zone) Load Balancer --> Multiple servers hosting the services website.

  1. Why and how is this more secure?
  2. What is the best way to do this? i.e., do I have to create two projects and place the authentication logic in one in order for it to be placed in the DMZ?
  3. Are there any standard inbuilt mechanisms in IIS with which I can achieve this (IIS 7)?
  4. Can the authentication module scale and how? i.e. multiple authentication servers in DMZ
Harindaka

0 Answers