2. if your Webservice is housed in IIS, you can use IIS to filter out requests based on IP: run Internet Services Manager, right click on your web app to open its Properties page, go to Directory Security tab, click on second "Edit.." button, grant or deny IP access
or
3. write a HttpModule to filter out those requests based on IP