tags:

views:

27

answers:

1
Q: 

Should I use the NetNamedPipe binding in WCF for security reasons?

The WCF documentation says that the "Net Named Pipe" binding can be used for fast interprocess communication on a single machine. It cannot be used for communication across machines.

I would like to know if using the Net Named Pipe binding will protect my service from being attacked from outside the network. I've been told that the answer is no; that although Net Named Pipe binding is meant to be used for interprocess communication on the same machine, it can be hacked to allow access from other machines. Is that accurate?

WCF experts, please chime in. Does using the Net Named Pipe binding intrinsically protect my service from unauthorized access from other machines?

+1  A: 

Per the name Net Named Pipe this binding uses local named pipes as the transport mechanism. On Windows machines named pipes are treated like files... and as such are accessible remotely like browsing to a machine with \\machinename. Therefore since the transport mechanism is accessible to remote machines the binding is inherently not immune to unauthorized access, although there may be some security advantages to named pipes as opposed to TCP or HTTP.

Mogounus  2010-07-07 21:44:43
@Mogounus: It's not accessible across the Internet, and remote access can be secured with an Access Control List. I hardly think that remote access is much of a concern, given the system is configured correctly.
John Saunders  2010-07-07 21:47:18
His questions was "Does using the Net Named Pipe binding intrinsically protect my service from unauthorized access from other machines". The answer to that is NO. HTTP and TCP bindings are also secure if configured properly, but again that was not the question.
Mogounus  2010-07-07 22:19:07
Sounds like a clear "no" to me.
Rice Flour Cookies  2010-07-08 15:48:11

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security