Recommended way of protecting web service (WCF) with IP?

Question

Hi there,

I need to protect my WCF web services and was thinking what is the best way of doing this. Its not really a ROLE / User situation - more of a "WHO CAN CALL THE WEB SERVICE".

I was thinking that i could use an IP? Is this the recommended way?

Anybody have any experience with this, I was thinking of have a table (sql) with all IPs that can access the web service but i didn't want to reinvent the wheel if something exists already.

I presume there is an event or similar when somebody access the webservice so i can check there ip? - Anybody have an example?

And i presume this can be accomplished with standard HTTP binding ?

I would appreciate any input anybody has

Answer 1

You can pretty easily restrict the calling IP's in your service using a service behavior.

There's an excellent CodeProject article including source code that shows how to do this. Since it's WCF and a WCF behavior, it's pluggable, too - you can add or remove it from your service as needed.

Marc

Answer 2

Really depends on the security level of the service. IP addresses alone are quite easily spoofed by a knowledgeable caller, so if it's a service that deals with sensitive information, I'd recommend something a little harder to break, like transport security (eg SSL) with client certificates. Very well supported by WCF and not as scary or expensive to use as you might think, especially if you control both the client and server (that way you can configure the client to ignore the cert's "trusted" status so you don't have to buy a commercial server cert).