I have two servers in different locations (not within the same LAN). Both have a WCF client and WCF server. The WCF client on one server connects to the WCF server on the other, and v.v. What would be the best way to secure this communication, other than using SSL and certificates?
pritaeas
2,194
¯\_(ツ)_/¯
Moderator
Featured Poster
Recommended Answers
Jump to PostSite-to- site VPN between both locations created at the edge/perimeter network so the servers are unaware of the tunnel and no configuration is needed by the servers or applications running on those boxes.
Jump to PostThere's a couple of ways.
As well as using TLS (standard SSL solution) you can also use Certificate based authentication (effectively enforcing that both client and server have valid certificates)
You can also use Username and Password based authentication (including domain authentication if you have that available)
The easiest, if …
All 7 Replies
JorgeM
958
Problem Solver
Team Colleague
Featured Poster
Site-to- site VPN between both locations created at the edge/perimeter network so the servers are unaware of the tunnel and no configuration is needed by the servers or applications running on those boxes.
pritaeas
2,194
¯\_(ツ)_/¯
Moderator
Featured Poster
Ok, good point. Thanks Jorge.
What if one of the servers is on a shared host and a VPN/tunneling is not an option? So basically the situation is full control on one server, and next to none on the other.
JorgeM
958
Problem Solver
Team Colleague
Featured Poster
hmm.. unfortunately, i'm not knowledgable on WCF, but I found this article and there is a section on "WCF Security Best Practices and Standards"..
pritaeas
2,194
¯\_(ツ)_/¯
Moderator
Featured Poster
unfortunately, i'm not knowledgable on WCF
Same here. Written plenty of server and client side code for it, but never had any involvement with securing it. That's why I want to know about other techniques than hardware/certificate based. I know those work, but perhaps there's something simpler I can use. I'm not sending over extremely sensitive data.
Ketsuekiame
860
Master Poster
Featured Poster
There's a couple of ways.
As well as using TLS (standard SSL solution) you can also use Certificate based authentication (effectively enforcing that both client and server have valid certificates)
You can also use Username and Password based authentication (including domain authentication if you have that available)
The easiest, if you ask me, is using certificates in a Client/Server auth process. As you're using Server-Server communication, I would recommend this.
Additionally, if you're worried about MITM attacks, you can encrypt and sign your messages in addition to the transport.
I should point out that client/server cert authentication is pretty easy to set up so don't let the idea of using certificates put you off.
pritaeas
2,194
¯\_(ツ)_/¯
Moderator
Featured Poster
Thanks Ket. Am not put off by the certs. That was my first choice too (that's why I excluded it in the OP). Some people I have to convince are usually looking for code based solutions. Since I am new to the configuring part I was just looking for other possibilities.
Ketsuekiame
860
Master Poster
Featured Poster
You could use Username/Password based authentication over TLS, but that's not as secure as having a certificate solution in my opinion. But it's a better solution if money is a problem or you can't establish a valid certificate chain.
WCF can be configured in code or in web.config, so technically speaking, you could implement the certificate solution in code ;)
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.