WCF Security
Security basics and tips/tricks for WCF services.

Presentation transcript

• WCF security: patterns & practices
  ante.gulam[at]ri-ing.net
• Overview
  – Intro [Service-Oriented Architecture, MS WCF]
  – Defining Web Service Threats
  – Overview of WCF Security Basics
  – Configuration - Starting Point and Ending Point
  – Bindings in Depth
  – Securing the Transport Channel - Integrity and Authentication
  – Messages - What I Send is What You Get?
  – A Few Code-Based WCF Security Best Practices
  – Outro [conclusion]
• Intro
  – SOA in general (discovery, description, messaging)
    » UDDI and its XML hierarchy
    » UDDI discovery (automated scanning tools)
    » WSDL and XSD descriptions
    » SOAP vs. REST XML protocols
  – SOA security issues (ASMX, WCF, Java ...)
  – WCF (Indigo, 2006): the .NET web service technology
  – Endpoints (transport & bindings)
    » ABC (Address / Binding / Contract)
    » HTTP, TCP, named pipes, MSMQ ...
    » MEX: Metadata Exchange
• Defining Web Service Threats
  – Attractive target
    » Open to the world (access filtering is rarely in place)
    » Direct connection to the core application
    » Direct connection to core data
  – Discovering and attacking web services
    » WS-Discovery (service behaviorConfiguration="serviceDiscoverable"): probe on UDP port 3702
    » WSScanner: footprinting, discovery, enumeration, scanning and fuzzing tool
    » WCF Test Harness: flexible tool for quick service tests
  – Common web application vulns: SQL injection, session theft, XML DoS ...
  – XML/SOAP manipulation (abusing the protocol)
    » Eavesdropping on the message exchange
    » Message protection methods
  – Configuration data injection (tampering with the .config file)
  – Local/UDDI XML processing attacks
• Overview of WCF Security Basics
  – Logging and auditing
    » Debugging and attack detection
  – Authentication
    » Identify clients: users, services, processes, machines ...
    » MITM attack mitigation
    » Transport security mode (certificate, NTLM, basic ...)
    » Message security mode (certificate, token, username ...)
  – Authorization
    » Role-based
    » Identity-based
    » Resource-based
  – Confidentiality
    » Encryption of traffic between the client and the WCF service
  – Integrity
• Configuration - Starting Point and Ending Point
  – Web.config is read at start-up
    » Web.config encryption: section.SectionInformation.ProtectSection(provider)
  – <system.serviceModel>
    » Services: defining service endpoints
    » Bindings: Basic, WS, WSDual, NetTcp ...
    » Behaviors: <serviceThrottling> and other custom behaviors
  – <credentials /> stored in config, in plaintext (do not do this):
      <credentials passwordFormat="Clear">
        <user name="user1" password="pass1"/>
      </credentials>
  – Max message size: avoid 2147483647 (Int32.MaxValue); set an explicit bound the service can actually handle
  – Encrypting configuration files (command-line tools, code-based ...)
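The ProtectSection call above, worked through as an added example (this is not code from the slides): a deployment tool encrypts the named Web.config sections with the DPAPI provider so credentials and connection strings are not stored in plaintext, and the application refuses to start if any listed section is still unprotected. The section names, the Web.config path and the use of a separate deployment step (so the application pool identity never needs write access to its own config) are assumptions.

```csharp
using System;
using System.Configuration;

public static class ConfigProtector
{
    // DPAPI is machine-bound; on a web farm use "RsaProtectedConfigurationProvider"
    // and move the key container with aspnet_regiis -px / -pi.
    private const string Provider = "DataProtectionConfigurationProvider";

    // Open any config file (Web.config included) without needing IIS metabase access.
    public static Configuration Open(string configPath)
    {
        var map = new ExeConfigurationFileMap { ExeConfigFilename = configPath };
        return ConfigurationManager.OpenMappedExeConfiguration(map, ConfigurationUserLevel.None);
    }

    // Encrypt one section in place. Returns false if it was already protected.
    public static bool ProtectSection(string configPath, string sectionName)
    {
        Configuration config = Open(configPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No such section: " + sectionName);
        if (section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;   // write even if no value changed
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Start-up guard: every listed section must be encrypted or the service does not start.
    // Read-only, so it can run under the (unprivileged) application identity.
    public static void AssertProtected(string configPath, params string[] sectionNames)
    {
        Configuration config = Open(configPath);
        foreach (string name in sectionNames)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null || !section.SectionInformation.IsProtected)
                throw new ConfigurationErrorsException(
                    "Config section '" + name + "' is stored in plaintext; encrypt it before deploying");
        }
    }

    // Assumed one-time deployment step, run by an administrator, not by the service.
    // Equivalent CLI: aspnet_regiis -pe "connectionStrings" -app "/OrderService"
    public static void Main(string[] args)
    {
        string webConfig = args.Length > 0 ? args[0] : @"C:\inetpub\wwwroot\OrderService\Web.config";
        foreach (string section in new[] { "connectionStrings", "system.web/authentication" })
            Console.WriteLine(section + ": " + (ProtectSection(webConfig, section) ? "encrypted" : "already protected"));
    }
}

// Assumed ASP.NET host: Global.asax runs the read-only check at start-up.
public class Global : System.Web.HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        ConfigProtector.AssertProtected(Server.MapPath("~/Web.config"),
            "connectionStrings", "system.web/authentication");   // <credentials> lives under authentication/forms
    }
}
```

The runtime decrypts protected sections transparently when the application reads them, so no code that consumes the configuration changes. `system.serviceModel` sub-sections such as `bindings` and `behaviors` can be protected the same way if they carry secrets (for example a certificate store password).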
• Bindings in Depth
  – System.ServiceModel.Channels.Binding class
  – Binding types and security modes
      WSHttpBinding b = new WSHttpBinding();
      b.Security.Mode = SecurityMode.?????;
    » Transport security
    » Mixed-mode security (TransportWithMessageCredential)
    » Message security
  – Choosing the right binding for the scenario
    » Clients accessing the service through the Internet (wsHttpBinding)
    » Legacy clients (basicHttpBinding)
    » Intranet (netTcpBinding)
    » Local-machine clients (netNamedPipeBinding)
    » Disconnected, queued calls (netMsmqBinding)
    » Bidirectional communication (wsDualHttpBinding)
• System-provided bindings
  – BasicHttpBinding: an HTTP binding for connecting to web services that conform to the WS-I Basic Profile (for example, ASP.NET ASMX services); its default security mode is None, so secure it explicitly
  – WSHttpBinding: an interoperable binding for endpoints that conform to the WS-* protocols; message security with Windows credentials by default
  – NetNamedPipeBinding: connects to other WCF endpoints on the same machine
  – NetMsmqBinding: creates queued message connections with other WCF endpoints
• Custom bindings: compose channels to meet the requirements of your service
• Securing the Transport Channel
  – SSL/TLS tunnelling on the web service transport channel
  – Secure binding or SSL transport?
    » Message security protects end-to-end across intermediaries and can encrypt only parts of a message; transport security protects one hop
    » Transport-level security is cheaper than message-level security
    » Combining message and transport security (TransportWithMessageCredential)
  – Custom binding and custom validator
      public override void Validate(string uname, string pass)
      <binding name="CustomBinding">
        <security authenticationMode="UserNameOverTransport" />
      </binding>
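The security-mode and custom-validator fragments from the last three slides, combined into one runnable host as an added example (not code from the slides). It uses WSHttpBinding in mixed mode (TLS on the transport, a UserName token in the message), validates the token with a UserNamePasswordValidator that stores PBKDF2 hashes and compares them in fixed time, and sets explicit message-size quotas instead of 2147483647. IOrderService, OrderService, the https://localhost:8443 address and the in-memory user store are assumptions; a server certificate must already be bound to the port.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string WhoAmI();
}

public class OrderService : IOrderService
{
    // The identity the validator accepted is available to every operation.
    public string WhoAmI() { return ServiceSecurityContext.Current.PrimaryIdentity.Name; }
}

// Custom validator: PBKDF2 hashes and a fixed-time compare, never a plaintext table.
public sealed class HashedPasswordValidator : UserNamePasswordValidator
{
    private const int Iterations = 100000, SaltSize = 16, HashSize = 32;
    // Constructed in-memory store (username -> salt, hash); a deployment loads this from a protected store.
    private readonly Dictionary<string, Tuple<byte[], byte[]>> store =
        new Dictionary<string, Tuple<byte[], byte[]>>(StringComparer.Ordinal);

    public void AddUser(string user, string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        store[user] = Tuple.Create(salt, Derive(password, salt));
    }

    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null)
            throw new SecurityTokenException("Missing credentials");
        Tuple<byte[], byte[]> entry;
        bool known = store.TryGetValue(userName, out entry);
        // Derive a hash even for unknown users so response time does not reveal valid names.
        byte[] expected = known ? entry.Item2 : new byte[HashSize];
        byte[] actual = Derive(password, known ? entry.Item1 : new byte[SaltSize]);
        if (!known || !FixedTimeEquals(expected, actual))
            throw new SecurityTokenException("Unknown username or incorrect password");
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(HashSize);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class SecureHost
{
    public static ServiceHost Build(HashedPasswordValidator validator)
    {
        // Mixed mode: TLS gives integrity and confidentiality on the wire, the message carries the username token.
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        // Explicit quotas instead of the 2147483647 "make the error go away" value.
        binding.MaxReceivedMessageSize = 256 * 1024;
        binding.ReaderQuotas.MaxDepth = 32;
        binding.ReaderQuotas.MaxStringContentLength = 64 * 1024;
        binding.ReaderQuotas.MaxArrayLength = 64 * 1024;
        binding.ReceiveTimeout = TimeSpan.FromMinutes(1);

        // Assumes a certificate is already bound to 8443 (netsh http add sslcert ...).
        var host = new ServiceHost(typeof(OrderService), new Uri("https://localhost:8443/orders"));
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = validator;
        return host;
    }

    public static void Main()
    {
        var validator = new HashedPasswordValidator();
        validator.AddUser("user1", "correct horse battery staple");   // constructed test account
        ServiceHost host = Build(validator);
        try
        {
            host.Open();
            Console.WriteLine("Listening on " + host.BaseAddresses[0] + "; press Enter to stop");
            Console.ReadLine();
            host.Close();
        }
        catch (CommunicationException) { host.Abort(); throw; }
        catch (TimeoutException) { host.Abort(); throw; }
    }
}
```

A client of this endpoint sets `factory.Credentials.UserName.UserName` and `.Password` on its ChannelFactory or proxy; because the token travels inside TLS, the plaintext password never appears on the wire, and because the validator throws on failure the service never dispatches the call.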
• Messages - What I Send is What You Get?
  – Message integrity check
    » Ability to detect and reject invalid data
    » Enforcement of complete transactions; rollbacks
  – [ServiceBehavior] attribute: TransactionIsolationLevel = Serializable, protection for consistent data
  – Hash/MAC calculation over the message: XML/JSON messages (HMAC; prefer SHA-256 to SHA-1)
  – ETag (Base64 encoding of the MD5 sum) is a cache validator, not an integrity control against an attacker
  – Distributed Transaction Coordinator: build a single transaction across services
    » 'Global' rollback (the whole call chain rolls back): transactionFlow="true"
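Message-level integrity from the slide, shown as an added example (not code from the slides): an HMAC-SHA256 tag over the message bytes with a fixed-time check on verification, tried on an untouched, a tampered and a malformed input. The key, the header name and the JSON body are constructed for illustration. WS-Security message security in WCF signs messages for you; an application-level tag like this is for endpoints (REST/JSON, custom transports) where that is not available.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class MessageIntegrity
{
    // Tag the exact bytes that go on the wire. For XML, canonicalize (C14N) first or tag the
    // serialized bytes as sent; any whitespace or encoding change otherwise breaks verification.
    public static string ComputeTag(byte[] key, byte[] body)
    {
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(hmac.ComputeHash(body));
    }

    public static bool Verify(byte[] key, byte[] body, string tag)
    {
        byte[] expected;
        try { expected = Convert.FromBase64String(tag ?? ""); }
        catch (FormatException) { return false; }   // malformed header is a rejection, not a crash
        using (var hmac = new HMACSHA256(key))
            return FixedTimeEquals(hmac.ComputeHash(body), expected);
    }

    // Compare every byte regardless of where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample: a random 32-byte key (shared out-of-band in practice) and an order message.
        byte[] key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        byte[] body = Encoding.UTF8.GetBytes("{\"orderId\":1042,\"amount\":19.99,\"currency\":\"EUR\"}");

        string tag = ComputeTag(key, body);
        Console.WriteLine("X-Body-HMAC: " + tag);    // assumed header name carrying the tag
        Console.WriteLine("untouched body verifies: " + Verify(key, body, tag));

        byte[] tampered = Encoding.UTF8.GetBytes("{\"orderId\":1042,\"amount\":0.01,\"currency\":\"EUR\"}");
        Console.WriteLine("tampered body verifies:  " + Verify(key, tampered, tag));
        Console.WriteLine("garbage tag verifies:    " + Verify(key, body, "not base64!"));
    }
}
```

The tag proves the body was produced by a holder of the key and not modified in transit; it does not stop replay, so pair it with a timestamp or nonce inside the tagged bytes if the operation is not idempotent.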
• A Few Code-Based WCF Security Best Practices
  – using() and try/finally on WCF client proxies?
  – Why avoid them?
    » The IL is almost identical, so where is the problem?
    » Dispose() just calls Close(); if the channel is faulted, Close() throws (CommunicationException, TimeoutException), the exception escapes the using block and the channel is never cleaned up: call Abort() in that case
  – Control how exceptions are caught
  – Use a global exception handler to catch unhandled exceptions
  – FaultContract: return a typed fault instead of exception details
    » [FaultContract(typeof(MathFault))]
    » throw new FaultException<MathFault>(mf);
• using() vs. try/finally: the generated IL
  using() block:
    IL_0000: newobj instance void [System.Windows.Forms]System.Windows.Forms.Form::.ctor()
    IL_0005: stloc.0
    .try
    {
      IL_0006: leave.s IL_0012
    } // end .try
    finally
    {
      IL_0008: ldloc.0
      IL_0009: brfalse.s IL_0011
      IL_000b: ldloc.0
      IL_000c: callvirt instance void [mscorlib]System.IDisposable::Dispose()
      IL_0011: endfinally
    } // end handler
  try/finally block:
    IL_0012: ldnull
    IL_0013: stloc.1
    IL_0014: newobj instance void [System.Windows.Forms]System.Windows.Forms.Form::.ctor()
    IL_0019: stloc.1
    .try
    {
      IL_001a: leave.s IL_0026
    } // end .try
    finally
    {
      IL_001c: ldloc.1
      IL_001d: brfalse.s IL_0025
      IL_001f: ldloc.1
      IL_0020: callvirt instance void [System]System.ComponentModel.Component::Dispose()
      IL_0025: endfinally
    } // end handler
• CAS in WCF services
  – [assembly: AllowPartiallyTrustedCallers]
  – [PermissionSet(SecurityAction.Assert, Name = "FullTrust")]
  – Calling out from a restricted (partial-trust) client environment
    » Security breach: bypassing the direct connection
    » PartialTrustClientBase<T>?
    » GAC on the client side?
  – Proxy assembly installation
    » Raw WCF demands
• ChannelFactory class
  – Used in advanced scenarios
  – Creation of multiple channels for communication:
      ChannelFactory<T> myChannelFactory = new ChannelFactory<T>(myBinding, myEndpoint);
      T wcfClient1 = myChannelFactory.CreateChannel();
  – channelFactory.Credentials (username/password)
  – Avoid creating a ChannelFactory on each page call (overhead)
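The FaultContract, Close()/Abort() and ChannelFactory points from the slides above, put together as one service/client pair (an added example, not code from the slides): the service returns a typed fault instead of exception details, the client caches one ChannelFactory per contract, endpoint and user, and every call closes its channel with Close() on success and Abort() otherwise. IMathService, MathFault, the endpoint address and the credentials are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Channels;

[DataContract]
public class MathFault
{
    [DataMember] public string Operation { get; set; }
    [DataMember] public string Problem { get; set; }
}

[ServiceContract]
public interface IMathService
{
    [OperationContract]
    [FaultContract(typeof(MathFault))]
    int Divide(int a, int b);
}

// Keep IncludeExceptionDetailInFaults off: stack traces and inner messages stay on the server.
[ServiceBehavior(IncludeExceptionDetailInFaults = false)]
public class MathService : IMathService
{
    public int Divide(int a, int b)
    {
        if (b == 0)
        {
            var mf = new MathFault { Operation = "Divide", Problem = "Division by zero" };
            throw new FaultException<MathFault>(mf, new FaultReason("Invalid argument"));
        }
        return a / b;
    }
}

public static class WcfClient
{
    // One factory per contract, address and user: building a factory is expensive, a channel is cheap.
    private static readonly ConcurrentDictionary<string, ChannelFactory> Factories =
        new ConcurrentDictionary<string, ChannelFactory>();

    public static ChannelFactory<T> GetFactory<T>(Binding binding, string address, string user, string password)
    {
        string key = typeof(T).FullName + "|" + address + "|" + user;
        return (ChannelFactory<T>)Factories.GetOrAdd(key, _ =>
        {
            var f = new ChannelFactory<T>(binding, new EndpointAddress(address));
            f.Credentials.UserName.UserName = user;   // must be set before the first CreateChannel()
            f.Credentials.UserName.Password = password;
            return f;
        });
    }

    // Run one call on a fresh channel and close it the right way: never rely on using()/Dispose().
    public static TResult Call<T, TResult>(ChannelFactory<T> factory, Func<T, TResult> action)
    {
        T channel = factory.CreateChannel();
        var client = (IClientChannel)channel;
        bool closed = false;
        try
        {
            TResult result = action(channel);
            client.Close();          // may throw on a faulted channel or a timeout
            closed = true;
            return result;
        }
        finally
        {
            if (!closed) client.Abort();   // releases the channel whatever state it is in, never throws
        }
    }

    public static void Main()
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        ChannelFactory<IMathService> factory =
            GetFactory<IMathService>(binding, "https://localhost:8443/math", "user1", "correct horse battery staple");

        Console.WriteLine("10 / 2 = " + Call(factory, (IMathService s) => s.Divide(10, 2)));
        try
        {
            Call(factory, (IMathService s) => s.Divide(10, 0));
        }
        catch (FaultException<MathFault> fe)
        {
            // The client sees only what the contract promised.
            Console.WriteLine(fe.Detail.Operation + " failed: " + fe.Detail.Problem);
        }
    }
}
```

A FaultException<MathFault> does not fault the channel, so Close() succeeds and the channel is reused normally; a transport error or timeout does fault it, and the finally block's Abort() is what prevents the leaked, half-open channel the slide warns about.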
• Make a port scanner out of WCF
  – WSDualHttpBinding
  – "CreateSequence" SOAP request
  – "ReplyTo" address: the service opens a connection back to whatever address the client supplies
  – https://github.com/GDSSecurity/WCF-WSDualHttpBinding-Port-Scanner
• Outro [conclusion]
  – What have we remembered to make our web services more secure?
    » Best practice: combine technologies and techniques to reach a higher level of security
    » Combine smart coding with good configuration
  – Test your WCF services against various attack techniques
  – ServiceThrottlingBehavior class
    » MaxConcurrentCalls (default = 16 in .NET 3.x) [per message]
    » MaxConcurrentInstances (default = Int32.MaxValue in .NET 3.x)
      InstanceContextMode on ServiceBehaviorAttribute: PerCall / PerSession / Single
    » MaxConcurrentSessions (default = 10 in .NET 3.x) [per channel]
    » From .NET 4.0 the defaults scale with the processor count (16, 100 and 116 per processor respectively)
  – Stay in touch with recent security discoveries related to the technologies you use: platforms, OS services, dev technologies, transport/protocol technologies, encryption algorithms, etc.
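Throttling from the conclusion slide, configured in code as an added example (not code from the slides): the limits are set before host.Open(), and a start-up check refuses unbounded or oversized values so the legacy Int32.MaxValue instance limit cannot survive into production. IEchoService, the net.tcp address and the hard cap are assumptions.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

// PerCall: one instance per request, so MaxConcurrentInstances bounds memory directly.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class EchoService : IEchoService
{
    public string Echo(string text) { return text; }
}

public static class Throttling
{
    // Must run before host.Open(); behaviors are frozen once the host is open.
    public static ServiceThrottlingBehavior Apply(ServiceHost host, int maxCalls, int maxSessions, int maxInstances)
    {
        var t = host.Description.Behaviors.Find<ServiceThrottlingBehavior>();
        if (t == null)
        {
            t = new ServiceThrottlingBehavior();
            host.Description.Behaviors.Add(t);
        }
        t.MaxConcurrentCalls = maxCalls;
        t.MaxConcurrentSessions = maxSessions;
        t.MaxConcurrentInstances = maxInstances;
        return t;
    }

    // Deployment check: refuse to start without a throttle or with limits above what the box can serve.
    public static void AssertBounded(ServiceHost host, int hardCap)
    {
        var t = host.Description.Behaviors.Find<ServiceThrottlingBehavior>();
        if (t == null)
            throw new InvalidOperationException("No ServiceThrottlingBehavior configured");
        if (t.MaxConcurrentCalls > hardCap || t.MaxConcurrentSessions > hardCap || t.MaxConcurrentInstances > hardCap)
            throw new InvalidOperationException("Throttle limits exceed the hard cap of " + hardCap);
    }

    public static void Main()
    {
        var host = new ServiceHost(typeof(EchoService), new Uri("net.tcp://localhost:9001/echo"));
        host.AddServiceEndpoint(typeof(IEchoService), new NetTcpBinding(SecurityMode.Transport), "");

        int cores = Environment.ProcessorCount;   // same scaling the .NET 4 defaults use, made explicit
        Apply(host, maxCalls: 16 * cores, maxSessions: 100 * cores, maxInstances: 116 * cores);
        AssertBounded(host, hardCap: 2000);   // assumed capacity of this host

        host.Open();
        Console.WriteLine("Listening; press Enter to stop");
        Console.ReadLine();
        host.Close();
    }
}
```

Calls beyond MaxConcurrentCalls queue rather than fail, so pair the throttle with the binding timeouts (ReceiveTimeout, OpenTimeout) and with message-size quotas: a throttle bounds concurrency, not the cost of a single oversized request.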
• Thank you for your attention. Questions and comments?