I have some dedicated servers running ASP.NET applications over the internet. All servers are fully trusted (all belong to the same company) and need to communicate with each other in a secure way. They are not part of a domain or workgroup and should not be.
Each server acts as both client and server of some WCF services. These services are few (1-2 per server) and light (a little data is transferred on each call).
I can use self-signed SSL certificates or X509. I'm looking for some way to make sure nobody from the internet can call a WCF service on a server. New servers would be added in the future.
I read about WCF but now I'm confused: is it a good idea to use self-signed SSL certificates or not (non-self-signed is not an option at the moment), which binding to use, which security mode to use, which authentication method to use...
I need some hints to start (please provide a link to a sample).
I would use certificate-based authentication where both client and server are authenticated.
To make things more secure, do not use self-signed certificates.
If your company already has a certificate server: issue certificates to each of your servers and specify in the authentication configuration that both clients and services need to present a certificate issued by your certificate server.
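The mutual certificate authentication this answer describes, as an added example that is not code from the question or the answer: a netTcpBinding in Transport security mode where both sides present a certificate, and a custom `X509CertificateValidator` on both sides that accepts a certificate only if it chains to the company's own CA. The contract (`IPing`), the service class, the port 8443 and the three thumbprints (server, client and CA) are placeholders I assume; the CA root certificate is assumed to be installed in the Trusted Root store of every server.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract shared by all servers; the real contracts are not on the page.
[ServiceContract]
public interface IPing
{
    [OperationContract]
    string Ping(string text);
}

public class PingService : IPing
{
    public string Ping(string text) { return "pong: " + text; }
}

// Accepts only certificates whose chain ends at the company's own CA. Plain ChainTrust
// would accept anything signed by any CA in the machine's Trusted Root store; pinning
// the root thumbprint rejects public-CA and self-signed certificates alike.
public class CompanyCaValidator : X509CertificateValidator
{
    // Placeholder: replace with the SHA-1 thumbprint of your internal CA certificate.
    private const string CompanyCaThumbprint = "PLACEHOLDER_THUMBPRINT_OF_INTERNAL_CA";

    public override void Validate(X509Certificate2 certificate)
    {
        if (certificate == null)
            throw new SecurityTokenValidationException("No certificate presented.");

        var chain = new X509Chain();
        // An internal CA often publishes no CRL reachable from the internet; if yours does,
        // switch to X509RevocationMode.Online so revoked server certificates are refused.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        if (!chain.Build(certificate))
            throw new SecurityTokenValidationException("Certificate chain does not validate.");

        // The last chain element is the root; require it to be the company CA.
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, CompanyCaThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new SecurityTokenValidationException("Certificate was not issued by the company CA.");
    }
}

public static class Transport
{
    // TLS on the wire (Transport mode); the caller must present a certificate.
    public static NetTcpBinding CreateBinding()
    {
        var binding = new NetTcpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = TcpClientCredentialType.Certificate;
        return binding;
    }
}

public static class ServerSide
{
    public static ServiceHost Start(string serverCertThumbprint)
    {
        var host = new ServiceHost(typeof(PingService), new Uri("net.tcp://localhost:8443/ping"));
        host.AddServiceEndpoint(typeof(IPing), Transport.CreateBinding(), "");
        // This server's own certificate, issued by the company CA, from the machine store.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, serverCertThumbprint);
        // Every caller's certificate goes through CompanyCaValidator; anyone on the internet
        // without a company-issued certificate fails the TLS handshake before reaching the service.
        host.Credentials.ClientCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.Custom;
        host.Credentials.ClientCertificate.Authentication.CustomCertificateValidator = new CompanyCaValidator();
        host.Open();
        return host;
    }
}

public static class ClientSide
{
    public static string CallPing(string serverHost, string serverCertDnsName, string clientCertThumbprint)
    {
        // The DNS identity must match the subject CN of the server's certificate.
        var address = new EndpointAddress(
            new Uri("net.tcp://" + serverHost + ":8443/ping"),
            EndpointIdentity.CreateDnsIdentity(serverCertDnsName));
        var factory = new ChannelFactory<IPing>(Transport.CreateBinding(), address);
        factory.Credentials.ClientCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, clientCertThumbprint);
        // The client applies the same rule to the server: its certificate must chain to the company CA.
        factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode =
            X509CertificateValidationMode.Custom;
        factory.Credentials.ServiceCertificate.Authentication.CustomCertificateValidator = new CompanyCaValidator();

        IPing proxy = factory.CreateChannel();
        var channel = (IClientChannel)proxy;
        try
        {
            string reply = proxy.Ping("hello");
            channel.Close();
            return reply;
        }
        catch
        {
            channel.Abort();  // a faulted channel cannot be closed cleanly
            throw;
        }
        finally
        {
            factory.Close();
        }
    }
}
```

Because trust is anchored in the CA rather than in a list of thumbprints, adding a server later means issuing it one certificate from the company CA; no existing server's configuration changes. The same `CompanyCaValidator` is used on both sides, so a machine that merely has a valid certificate from some public CA is rejected as a client and as a server.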
WCF security is a big topic, but there are some other non-WCF specific ways you can secure the service:
- Use IPsec to secure the communication channel
- Use IP whitelists to grant / deny access to the port that the WCF endpoints operate on
- Use a VPN solution (particularly convenient if your company already has a site-to-site VPN)