Securing a WCF service comes down to Message security or Transport security. Hybrid approaches that combine the two exist, but they are used less often. The binding you pick also constrains which security mode is available, since not every binding supports every mode.
So what do the different types of security provide, and where should each be used?
Message security
Provides
Integrity – The SOAP message is signed, so any alteration in transit is detected.
Privacy – The message body is encrypted, so nobody other than the intended recipient can read it.
Mutual Authentication – Client and service each prove their identity to the other (certificates, Windows credentials or issued tokens carried in the message).
Where to use?
1. Internet Application
2. Where transport security is not secure or provided.
3. Where number of intermediaries (hops) are not known. (Internet traffic)
Pros
1. End-to-end Security (Multiple hops)
2. Can be used to secure messages over non-secured transport layers.
Cons
1. May introduce call latency
Transport security
Provides
Integrity – Data on the wire between the two endpoints cannot be altered without detection (TLS/SSL, IPsec or the transport's own protection).
Privacy – Data on the wire is encrypted between the two endpoints, so nobody other than the peer can read it.
Mutual Authentication – The service is authenticated by its certificate; the client is authenticated only if the transport supports it (client certificate, Windows/Kerberos, or basic credentials over HTTPS).
Where to use?
1. Typically for Intranet applications.
2. Used where there is a single hop between Client and Service.
3. A controlled environment.
4. Point to Point Security.
Pros
1. Best performance
2. Can use hardware acceleration (e.g. TLS offload)
3. Easiest to set up
Cons
Can only guarantee security point-to-point.
Both (Transport + Message Security)
Provides
Integrity – Provided twice: the message is signed, and the transport protects the data on the wire.
Privacy – Provided twice: the message body is encrypted, and the transport encrypts the data on the wire.
Mutual Authentication – Both the transport and the message layer authenticate client and service.
Where to use?
Only supported by the MSMQ binding (NetMsmqBinding).
Pros
Strongest option: the message stays protected while it sits in the queue, and the queue-to-queue transfer is protected as well.
Cons
Overkill for most applications
Latency
Mixed transfer security mode (TransportWithMessageCredential)
Uses transport security for message integrity and privacy, and message security to carry and secure the client credentials.
Provides
Integrity – Provided by the transport (TLS/SSL), so data on the wire cannot be altered without detection.
Privacy – Provided by the transport, so data on the wire is encrypted between the two endpoints.
Mutual Authentication – The service is authenticated by the transport (server certificate); the client is authenticated by a credential carried in the message (username token, certificate or Windows credential).
Where to use?
Rarely used
Pros
Combines the benefits of both Transport and Message security.
Cons
Only secure point-to-point – same as transport security.
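The four modes above map directly onto WCF binding settings. The following is an added example, not code from the original article: it builds one binding per mode in code and inspects the resulting binding element stack, which is a quick way to confirm what a binding actually does before you deploy it. It assumes .NET Framework with System.ServiceModel referenced; the credential types chosen are illustrative, and the MSMQ binding only needs a queue to exist when it is actually opened, not when it is constructed.

```csharp
// Added example (not from the original article). Builds a binding for each
// WCF security mode and inspects the binding elements it produces.
// Assumes .NET Framework with System.ServiceModel referenced.
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

static class WcfSecurityModes
{
    // Transport security: TLS on the wire, single hop, client authenticated
    // by the transport (here: Windows authentication over HTTPS).
    public static WSHttpBinding TransportOnly()
    {
        var b = new WSHttpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
        return b;
    }

    // Message security: WS-Security signs and encrypts the SOAP message itself,
    // so it survives intermediaries and can travel over plain http.
    public static WSHttpBinding MessageOnly()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // Service certificate must be configured on the client up front rather
        // than negotiated at runtime; reduces the exposure to a spoofed service.
        b.Security.Message.NegotiateServiceCredential = false;
        // Secure conversation: one asymmetric handshake, then symmetric keys,
        // which trims the per-call latency cost of message security.
        b.Security.Message.EstablishSecurityContext = true;
        return b;
    }

    // Mixed mode: TLS gives integrity and privacy; the client credential
    // (a username token here) is carried inside the SOAP header.
    public static WSHttpBinding Mixed()
    {
        var b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        return b;
    }

    // Both: only NetMsmqBinding supports transport and message security together.
    public static NetMsmqBinding Both()
    {
        var b = new NetMsmqBinding(NetMsmqSecurityMode.Both);
        b.Security.Transport.MsmqAuthenticationMode = MsmqAuthenticationMode.WindowsDomain;
        b.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        return b;
    }

    // Transport security shows up as an HTTPS transport element; message
    // security (including the credential in mixed mode) shows up as a
    // SecurityBindingElement in the stack.
    public static string Describe(Binding binding)
    {
        BindingElementCollection elements = binding.CreateBindingElements();
        bool https = elements.Find<HttpsTransportBindingElement>() != null;
        bool messageSecurity = elements.Find<SecurityBindingElement>() != null;
        return string.Format("{0}: https={1}, messageSecurity={2}",
            binding.GetType().Name, https, messageSecurity);
    }

    static void Main()
    {
        Console.WriteLine(Describe(TransportOnly()));
        Console.WriteLine(Describe(MessageOnly()));
        Console.WriteLine(Describe(Mixed()));
        Console.WriteLine(Describe(Both()));
    }
}
```

Describe is the useful part when reviewing someone else's configuration: a binding that claims to be "secure" but reports neither an HTTPS transport element nor a SecurityBindingElement is running with SecurityMode.None. For the MSMQ binding the transport element is MSMQ rather than HTTPS, so only the message-security flag is meaningful there.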
The decision of which type of security to use is straightforward, as the diagram below shows.
Related articles:
WCF transport security with delegation