I have two servers in different locations (not within the same LAN). Both have a WCF client and WCF server. The WCF client on one server connects to the WCF server on the other, and v.v. What would be the best way to secure this communication, other than using SSL and certificates?


Site-to-site VPN between both locations created at the edge/perimeter network so the servers are unaware of the tunnel and no configuration is needed by the servers or applications running on those boxes.

Ok, good point. Thanks Jorge.

What if one of the servers is on a shared host and a VPN/tunneling is not an option? So basically the situation is full control on one server, and next to none on the other.

Hmm... unfortunately, I'm not knowledgeable on WCF, but I found this article and there is a section on "WCF Security Best Practices and Standards"...

WCF Security in the Real World

unfortunately, I'm not knowledgeable on WCF

Same here. Written plenty of server and client side code for it, but never had any involvement with securing it. That's why I want to know about techniques other than hardware/certificate-based ones. I know those work, but perhaps there's something simpler I can use. I'm not sending over extremely sensitive data.

There are a couple of ways.

As well as using TLS (standard SSL solution), you can also use certificate-based authentication (effectively enforcing that both client and server have valid certificates).

You can also use username and password based authentication (including domain authentication if you have that available).

The easiest, if you ask me, is using certificates in a Client/Server auth process. As you're using Server-Server communication, I would recommend this.

Additionally, if you're worried about MITM attacks, you can encrypt and sign your messages in addition to the transport.

I should point out that client/server cert authentication is pretty easy to set up, so don't let the idea of using certificates put you off.

Thanks Ket. Am not put off by the certs. That was my first choice too (that's why I excluded it in the OP). Some people I have to convince are usually looking for code-based solutions. Since I am new to the configuring part I was just looking for other possibilities.

You could use username/password based authentication over TLS, but that's not as secure as having a certificate solution in my opinion. But it's a better solution if money is a problem or you can't establish a valid certificate chain.

WCF can be configured in code or in web.config, so technically speaking, you could implement the certificate solution in code ;)
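
A sketch of the certificate setup done entirely in code, as the reply above suggests; this is an added example, not code posted by anyone in the thread. It uses message security (signed and encrypted SOAP messages) with certificate credentials on both sides. The `IPing` contract, the class names and the thumbprint placeholders are assumptions, and both certificates are assumed to be installed already in the `LocalMachine\My` store of the machine that uses them.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IPing { [OperationContract] string Ping(string text); } // hypothetical contract
public class PingService : IPing { public string Ping(string text) { return "pong: " + text; } }

public static class CertSecuredWcf
{
    // Placeholders: thumbprints of certificates already present in LocalMachine\My.
    const string ServerThumbprint = "<SERVER-CERT-THUMBPRINT>";
    const string ClientThumbprint = "<CLIENT-CERT-THUMBPRINT>";

    static WSHttpBinding CreateBinding()
    {
        // Message security signs and encrypts each SOAP message, independent of the transport.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        return binding;
    }

    public static ServiceHost StartServer(Uri address)
    {
        var host = new ServiceHost(typeof(PingService));
        host.AddServiceEndpoint(typeof(IPing), CreateBinding(), address);
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, ServerThumbprint);
        var auth = host.Credentials.ClientCertificate.Authentication;
        // ChainTrust accepts any client certificate that chains to a trusted root;
        // PeerTrust or a custom validator narrows this to the one known peer.
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;
        host.Open();
        return host;
    }

    public static string CallServer(Uri address)
    {
        var factory = new ChannelFactory<IPing>(CreateBinding(), new EndpointAddress(address));
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, ClientThumbprint);
        var auth = factory.Credentials.ServiceCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;
        try { string reply = factory.CreateChannel().Ping("hello"); factory.Close(); return reply; }
        catch { factory.Abort(); throw; } // a faulted channel must be aborted, not closed
    }
}
```

With the default negotiated service credential, the client also checks that the service certificate matches the host name in the endpoint address, so the server certificate's subject has to agree with the URL the client calls.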
