twal

Reputation: 7039

which type of security is needed for WCF

Here is my scenario: I have a WCF Service that is hosted on an internal server behind a firewall.

The client is a web application that resides on the web server in the DMZ. The firewall is open on a port between the two nodes so the connection can be made from the client to the server.

What type of binding do I need to be using for security here. Do you know of an example program or tutorial?

When I search for this, all I find is where the service is being used by clients across the internet and using Windows authentication or prompting for a user name and password.

I just need our app on the web server to talk to the web service. Any recommendations are appreciated. Thanks!

Also, my web service is running as a console application.

Upvotes: 3

Views: 1077

Answers (2)

Shiraz Bhaiji

Reputation: 65361

Start with what could be attacked, and then try to protect it. The three obvious ways to attack it are:

  • Listen to the traffic between the servers. Use an encrypted protocol, for example WSHttpBinding with message encryption. NetTcpBinding also works well here.
  • Call the WCF service directly. Remove MEX so that they cannot get the signature of your service, and require authentication on the service.
  • Get the authentication information for the service from the web server. Do not store the user name and password in clear text in the config file. For example, use the security context the service is running under.

This fixes some things, there is always more that you could do.

Upvotes: 0

David Hoerster

Reputation: 28701

If you're in control of both ends of the solution (web server (client) in DMZ and console app (server) behind), then why not go with a NetTcpBinding?

  • It is a .NET-specific binding, so you're not going for interoperability (but since you have control of both ends of the communication, it sounds like that's not an issue).
  • Its performance is better than the WSHttpBinding, and it results in smaller messages being transmitted.

It sounds like you don't need credentials passed along with the message (besides a user id or some type of identifier passed in the message), so you can use this binding using TcpClientCredentialType.None.

Here's a good description of the security features of each built-in WCF binding. The description of NetTcpBinding is about 1/3 of the way down the page.

I hope this helps.

Upvotes: 1
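As an added example (not code from either answer or from the asker's project), here is a console-hosted NetTcpBinding service that puts both answers together: transport security so the link between the DMZ and the internal box is encrypted, no MEX endpoint so the contract is not published, and an authorization check that only admits the Windows account the DMZ web application runs as. The host name `internal-app-01`, the port `8731`, the account `CORP\dmz-web-svc` and the contract `IInternalService` are all assumptions for illustration. It uses `TcpClientCredentialType.Windows` (the NetTcpBinding default) rather than `None`, because with `Windows` the transport is protected by SSPI under the host process's own security context and the service learns who is calling; with `None` the transport is SSL and the host must be given a certificate, and there is no caller identity to check. The client side shows the matching binding and the `EndpointIdentity` the client needs so it also authenticates the server.

```csharp
using System;
using System.Net.Security;
using System.ServiceModel;
using System.ServiceModel.Description;

// Contract shared by the DMZ web application (client) and the internal console host (server).
// Hypothetical contract; the real one is whatever the asker's service exposes.
[ServiceContract]
public interface IInternalService
{
    [OperationContract]
    string Ping(string message);
}

public class InternalService : IInternalService
{
    public string Ping(string message)
    {
        // With TcpClientCredentialType.Windows the transport hands the service the caller's
        // Windows identity; nothing is carried in the message body or in config files.
        var caller = ServiceSecurityContext.Current.WindowsIdentity.Name;
        return $"{caller} said: {message}";
    }
}

// Hypothetical authorization manager: allow exactly one account, the one the DMZ
// web application's worker process runs as. Anonymous or other callers are rejected
// before the operation runs.
public class SingleAccountAuthorizationManager : ServiceAuthorizationManager
{
    private readonly string allowedAccount;

    public SingleAccountAuthorizationManager(string allowedAccount)
    {
        this.allowedAccount = allowedAccount;
    }

    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        var identity = operationContext.ServiceSecurityContext?.WindowsIdentity;
        if (identity == null || identity.IsAnonymous)
            return false;
        return string.Equals(identity.Name, allowedAccount, StringComparison.OrdinalIgnoreCase);
    }
}

public static class Wiring
{
    // Same binding object on both sides: transport (SSPI) security, Windows credentials,
    // encrypt and sign every byte on the wire between the DMZ and the internal server.
    public static NetTcpBinding CreateBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        binding.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return binding;
    }

    // Server side, i.e. the console application behind the firewall.
    public static ServiceHost CreateHost()
    {
        var host = new ServiceHost(typeof(InternalService));
        // Assumed host name and port; the port is the one opened on the firewall.
        host.AddServiceEndpoint(typeof(IInternalService), CreateBinding(),
            "net.tcp://internal-app-01:8731/InternalService");

        // Deliberately no ServiceMetadataBehavior and no "mex" endpoint: the contract
        // is compiled into both sides, so nothing needs to be discoverable.
        host.Authorization.ServiceAuthorizationManager =
            new SingleAccountAuthorizationManager(@"CORP\dmz-web-svc"); // assumed account

        // If you switch to TcpClientCredentialType.None instead, the transport becomes SSL
        // and the host needs a certificate, e.g.:
        //   host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
        //       StoreName.My, X509FindType.FindBySubjectName, "internal-app-01");
        // and the authorization manager above would have no Windows identity to check.
        return host;
    }

    // Client side, i.e. the web application in the DMZ. The EndpointIdentity tells the
    // client which account the service must prove it runs as, so the server is
    // authenticated too. Use CreateSpnIdentity("host/internal-app-01") instead when the
    // console app runs under the machine account rather than a domain user.
    public static IInternalService CreateClient()
    {
        var address = new EndpointAddress(
            new Uri("net.tcp://internal-app-01:8731/InternalService"),
            EndpointIdentity.CreateUpnIdentity("internal-svc@corp.local")); // assumed UPN
        var factory = new ChannelFactory<IInternalService>(CreateBinding(), address);
        return factory.CreateChannel();
    }
}

class Program
{
    static void Main()
    {
        using (var host = Wiring.CreateHost())
        {
            host.Open();
            Console.WriteLine("Listening on net.tcp://internal-app-01:8731/InternalService; press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

Run the console app under a dedicated domain service account (the `internal-svc` user assumed above), give the DMZ web application's application pool its own account (`dmz-web-svc`), and keep the allowed account name out of any config the web server can read. A caller that is not that account gets an access-denied fault before `Ping` executes, and a packet capture between the two machines shows only the SSPI-protected stream.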
