views: 68
answers: 2

Here is my scenario: I have a WCF Service that is hosted on an internal server behind a firewall.

The client is a web application that resides on the web server in the DMZ. The firewall is open on a port between the two nodes so the connection can be made from the client to the server.

What type of binding do I need to be using for security here? Do you know of an example program or tutorial?

When I search for this, all I find is where the service is being used by clients across the internet and using Windows authentication or prompting for a user name and password.

I just need our app on the web server to talk to the web service. Any recommendations are appreciated. Thanks!

Also, my web service is running as a console application.

+1  A: 

If you're in control of both ends of the solution (web server (client) in DMZ and console app (server) behind), then why not go with a NetTcpBinding?

  • It is a .NET-specific binding, so you're not going for interoperability (but since you have control of both ends of the communication, it sounds like that's not an issue).
  • Its performance is faster than the WSHttpBinding binding and it results in smaller messages being transmitted.

It sounds like you don't need credentials passed along with the message (besides a user id or some type of identifier passed in the message), so you can use this binding using TcpClientCredentialType.None.

Here's a good description of the security features of each built-in WCF binding. The description of NetTcpBinding is about 1/3 of the way down the page.

I hope this helps.

David Hoerster
Great, thank you I will take a look at this. I appreciate your help!
twal
Hopefully it works out for you. If there are other issues, add a comment and I'll update my answer accordingly. Good luck!
David Hoerster
Sorry if these are dumb questions, What security mode would I want to use in this situation? Transport?
twal
Yes, you should go with Transport. This is best if you don't have intermediate hops between client and server (e.g. service1 calls service2 which then passes the message to service3). If you use intermediaries, you may want to consider Message. But that doesn't seem to be the case with your scenario.
David Hoerster
You are correct, I don't have any intermediate hops. Here is my code for my binding: NetTcpBinding myBinding = new NetTcpBinding(); myBinding.Security.Mode = SecurityMode.Transport; myBinding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None; When I run it I get the following error: "The service certificate is not provided. Specify a service certificate in ServiceCredentials." Must I use a certificate with this?
twal
A: 

Start with what could be attacked, and then try to protect it. The 3 obvious ways to attack it are:

  • Listen to the traffic between the servers. Use an encrypted protocol, for example WSHttpBinding with message encryption. NetTcpBinding also works well here.
  • Call the WCF service directly. Remove MEX so that they cannot get the signature of your service; require authentication on the service.
  • Get the authentication information for the service from the web server. Do not store the user name and password in clear text in the config file. For example, use the security context of the service you are running under.

This fixes some things; there is always more that you could do.

Shiraz Bhaiji
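Added example (not code from the question or from either answer) showing how the two answers fit together in a console-hosted service: NetTcpBinding with Transport security, no MEX endpoint, and the client authenticating with the account it runs under instead of a password in web.config. It also covers the error from the comment thread: with SecurityMode.Transport and TcpClientCredentialType.None, WCF protects the stream with TLS and therefore needs a service certificate; with TcpClientCredentialType.Windows it uses Windows (SSPI) stream security and needs none. The contract name, namespace, host name, port, certificate subject and Windows group are placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;

// Contract compiled into both the console host and the web application (assumed names).
[ServiceContract(Namespace = "http://example.invalid/internal")]
public interface IInternalService
{
    [OperationContract]
    string Ping(string caller);
}

public class InternalService : IInternalService
{
    // Only members of this (placeholder) Windows group may call the operation; the web
    // server's application-pool account would be a member of it.
    [PrincipalPermission(SecurityAction.Demand, Role = @"EXAMPLE\WebServers")]
    public string Ping(string caller)
    {
        // The caller's identity comes from the transport handshake, not from the message body.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        string who = (ctx == null || ctx.WindowsIdentity == null) ? "anonymous" : ctx.WindowsIdentity.Name;
        return "hello " + caller + ", you are " + who;
    }
}

public static class InternalBindings
{
    // The binding from the comment thread: Transport security with ClientCredentialType.None
    // means TLS over TCP, so the host must be given a server certificate or it fails with
    // "The service certificate is not provided. Specify a service certificate in ServiceCredentials."
    public static NetTcpBinding TransportWithTls()
    {
        var binding = new NetTcpBinding();
        binding.Security.Mode = SecurityMode.Transport;
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.None;
        return binding;
    }

    // Certificate to pair with TransportWithTls(): looked up in the machine store by subject
    // name (placeholder subject). The client must trust the issuer and address the endpoint
    // with a DNS identity that matches this subject.
    public static void AttachServiceCertificate(ServiceHost host, string subjectName)
    {
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, subjectName);
    }

    // Same Transport security, but the stream is protected with Windows (SSPI/Negotiate)
    // security instead of TLS: no certificate to manage, traffic between DMZ and internal
    // server is still encrypted and signed, and the client authenticates as the account its
    // process runs under, so no user name or password has to be stored in web.config.
    public static NetTcpBinding TransportWithWindowsCredential()
    {
        var binding = new NetTcpBinding();
        binding.Security.Mode = SecurityMode.Transport;
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = System.Net.Security.ProtectionLevel.EncryptAndSign;
        return binding;
    }
}

// Console host on the internal server. Host name and port are placeholders for the
// internal box and the single port opened on the firewall.
public static class Program
{
    public const string ServiceAddress = "net.tcp://internal-host.example.invalid:8731/InternalService";

    public static void Main()
    {
        using (var host = new ServiceHost(typeof(InternalService)))
        {
            host.AddServiceEndpoint(typeof(IInternalService),
                InternalBindings.TransportWithWindowsCredential(), ServiceAddress);
            // Deliberately no ServiceMetadataBehavior and no MEX endpoint: both sides already
            // carry the contract, so the service does not describe itself to whoever connects.
            host.Open();
            Console.WriteLine("Listening on " + ServiceAddress + " (Windows transport security, no MEX)");
            Console.ReadLine();
        }
    }
}

// Client side, inside the web application on the DMZ web server.
public static class InternalClient
{
    public static string CallPing()
    {
        var factory = new ChannelFactory<IInternalService>(
            InternalBindings.TransportWithWindowsCredential(),
            new EndpointAddress(Program.ServiceAddress));
        // No ClientCredentials set explicitly: the channel presents the identity of the
        // application-pool/process account, so nothing secret lives in configuration.
        IInternalService proxy = factory.CreateChannel();
        try
        {
            return proxy.Ping(Environment.MachineName);
        }
        finally
        {
            ((IClientChannel)proxy).Close();
            factory.Close();
        }
    }
}
```

Windows transport security only works when the two machines can authenticate each other, i.e. both are in the same domain or in domains that trust each other across the DMZ. If the DMZ web server is not domain-joined, switch the host to TransportWithTls() plus AttachServiceCertificate(), and have the client build its EndpointAddress with EndpointIdentity.CreateDnsIdentity set to the certificate's subject name; the PrincipalPermission check then has no Windows identity to evaluate and must be replaced by another form of client authentication.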