Yossi Dahan

Reputation: 5357

Do I need security between my ASP.net application and a WCF service?

[I know this is quite subjective, and dependent on various considerations, so I'm just fishing for ideas to see what people think on the subject, and what considerations they are taking...]

We have an asp.net application exposed publicly (username/password authentication required), which, in turn, uses a set of WCF services in the back.

I am trying to decide which binding to use for these services, and more specifically - which security elements, if any, we should use.

All applications (web front end and all services) reside on the same server farm, behind a firewall, which blocks all access to the services other than from the web application. Under these circumstances, would you say it's acceptable not to have any security elements (and so, presumably, have increased performance)?

For completeness I would say that we do expect to expose some services externally at some point, but this will be done via a different endpoint, with a different address, using high security elements including federated identity for authentication.

Upvotes: 0

Views: 270

Answers (2)

Samiksha

Reputation: 6182

You should make your services username- and password-protected too, for example using digest authentication. The username and password will be provided internally through your application. Thus you add a security layer.

Upvotes: 0
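
As an added illustration (not part of the original answer), this is how the two options under discussion look in a WCF `web.config`: a binding with no security, and one that requires HTTP digest credentials. The binding names, service name and contract name are hypothetical.

```xml
<!-- Added example; InternalNoSecurity, InternalDigest, Example.OrderService
     and Example.IOrderService are hypothetical names. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <!-- What the question contemplates: no authentication and no
           encryption; only the firewall stands in front of the service. -->
      <binding name="InternalNoSecurity">
        <security mode="None" />
      </binding>

      <!-- What the answer suggests: the caller must present HTTP digest
           credentials. TransportCredentialOnly authenticates over plain
           HTTP and does not encrypt the messages; mode="Transport"
           would move the same credential exchange onto HTTPS. -->
      <binding name="InternalDigest">
        <security mode="TransportCredentialOnly">
          <transport clientCredentialType="Digest" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>

  <services>
    <service name="Example.OrderService">
      <!-- The internal endpoint selects the authenticated binding. -->
      <endpoint address=""
                binding="basicHttpBinding"
                bindingConfiguration="InternalDigest"
                contract="Example.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

The web application's client-side `<binding>` has to carry the same security settings as the service endpoint it calls.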

Dead account

Reputation: 19960

Security is like a wall. The more walls the better.

That is why we have secure passwords for databases that are internal but accessed from web apps, and why we encrypt sensitive data in those databases.

If the security isn't going to be a major pain, add it.

Upvotes: 1
