Tags: asp.net, wcf, security, dedicated-server

WCF security when a trusted bunch of clients/servers communicate over the internet


I have some dedicated servers running ASP.NET applications over the internet. All servers are fully trusted (they all belong to the same company) and need to communicate with each other in a secure way. They are not part of a domain or workgroup and should not be.

Each server acts as both client and server of some WCF services. These services are few (1-2 per server) and light (a little data is transferred on each call).

I can use self-signed SSL certificates or X509. I'm looking for some way to make sure nobody from the internet can call a WCF service on a server. New servers will be added in the future.

I have read about WCF, but now I'm confused: is it a good idea to use self-signed SSL certificates or not (non-self-signed is not an option at the moment), which binding to use, which security mode to use, which authentication method to use... I need some hints to start (please provide a link to a sample).


Solution

  • I would use a certificate-based authentication where both client and server are authenticated.

    To make things more secure, do not use self-signed certificates.

    If your company already has a certificate server: issue certificates to each of your servers and specify as an authentication configuration that both client and services need to present a certificate issued by your certificate server.
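As an added example (not from the answer above), a service-side app.config fragment for the mutual certificate setup the answer describes: netTcpBinding in Transport mode with clientCredentialType="Certificate", this server's own certificate for TLS, and ChainTrust validation of the caller's certificate so only certificates chaining to a trusted CA are accepted. Thumbprints, host names and service/contract type names are placeholders.

```xml
<!-- Added example, not from the answer: thumbprints, hosts and type names are placeholders -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <binding name="mutualCert">
        <!-- TLS on the transport; the caller must also present an X.509 certificate -->
        <security mode="Transport">
          <transport clientCredentialType="Certificate" />
        </security>
      </binding>
    </netTcpBinding>
  </bindings>
  <behaviors>
    <serviceBehaviors>
      <behavior name="serverCreds">
        <serviceCredentials>
          <!-- this server's own certificate (issued by the company CA), picked by thumbprint -->
          <serviceCertificate findValue="THUMBPRINT-OF-THIS-SERVER-CERT"
                              storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
          <clientCertificate>
            <!-- ChainTrust: caller's cert must chain to a CA in the machine's Trusted Root
                 store; revocation is checked online against the CA's CRL/OCSP -->
            <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
    <endpointBehaviors>
      <!-- used by this box when it calls the other servers -->
      <behavior name="clientCreds">
        <clientCredentials>
          <clientCertificate findValue="THUMBPRINT-OF-THIS-SERVER-CERT"
                             storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
          <serviceCertificate>
            <!-- the remote service's certificate is validated the same way -->
            <authentication certificateValidationMode="ChainTrust" revocationMode="Online" />
          </serviceCertificate>
        </clientCredentials>
      </behavior>
    </endpointBehaviors>
  </behaviors>
  <services>
    <service name="Company.Sync.SyncService" behaviorConfiguration="serverCreds">
      <endpoint address="net.tcp://server1.example.com:8443/sync"
                binding="netTcpBinding" bindingConfiguration="mutualCert"
                contract="Company.Sync.ISyncService" />
    </service>
  </services>
</system.serviceModel>
```

The calling side's `<client><endpoint>` uses the same bindingConfiguration plus behaviorConfiguration="clientCreds". Note that ChainTrust accepts any certificate chaining to any root in the machine's Trusted Root store, so keep that store tight or plug in a custom validator via customCertificateValidatorType that pins the company CA's thumbprint.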