ITCamp 2012 - Leonard Abu-Saa - WCF Security


  1. WCF Security – Abu-Saa Leonard, Software Architect, Arobs Transilvania Software. Blog: http://net-daylight.blogspot.com/ – @itcampro #itcamp12 – Premium conference on Microsoft technologies
  2. ITCamp 2012 sponsors – Architecture & Best Practices track
  3. Agenda
     • Overview
     • Authentication & Authorization
     • Security Modes
     • Credential Types
     • WCF Authentication Service
     • Custom UserName & Password Authentication
     • Q&A
  4. Overview
     • Online transactions
     • Do we ignore security?
  5. Overview – Security fundamentals
     • Auditing and Logging
     • Authentication
     • Authorization
     • Configuration Management
     • Message Protection
     • Message Validation
     • Sensitive data
     • Session Management
  6. Threats, Vulnerabilities and Attacks
     • Asset
     • Threat
     • Vulnerability
     • Attack
  7. Authentication != Authorization
     • Authentication identifies a user or a process
     • One of the most important aspects of security
     • We use it daily: IDs, user names & passwords, etc.
  8. Authorization
     • Verifies which resources the identified party can access
     • It happens after authentication
     • Very closely related to authentication
  9. Authentication in WCF
     • None
     • Basic
     • NTLM
     • Windows
     • Certificate
     • Username
       – Custom Provider
       – SqlMembership Provider
     • Issued Token
  10. Security Modes
     • None – Not recommended
     • Transport Security – Encrypts the communication channel
     • Message Security – The message is encrypted
  11. Security Modes – Variations
     • Transport Credential Only – Credentials are sent as part of the message but are not encrypted
     • Transport With Message Credential – Credentials are sent as part of the message and the message protection is done at the transport level
  12. Transport Security
     • SSL over HTTP(S)/TCP
     • Our purpose is to ensure integrity, confidentiality and authentication
     • Integrity = encryption key
     • Confidentiality = data encryption
     • Authentication = credentials
     • Use a digital certificate to encrypt the channel
  13. Transport Security
     • When do we use Transport Security?
     • Advantages
       – Better performance
       – Interoperability
     • Disadvantages
       – ‘Point-2-Point’
  14. Message Security
     • When do we use Message Security?
     • Encrypts only the message
     • Advantages
       – ‘End-2-End’ security
       – Independent of the communication protocol
     • Disadvantages
       – Lower performance compared to transport
       – Does not support interoperability with older ASMX clients
  15. WCF Authentication Service
     • Uses ASP.NET membership to authenticate users
     • It requires cookies
     • Can customize user login
     • Can customize authentication cookie
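Slide 11 (Transport With Message Credential) and the agenda item on custom UserName & Password authentication name the pieces without showing them wired together; the following is an added example, not code from the deck or from Arobs, of a WCF host configured in code for TransportWithMessageCredential with a custom UserNamePasswordValidator that checks a salted PBKDF2 hash instead of a stored password. It assumes .NET Framework 4.7 or later (C# 7 tuples), that HTTPS is already bound to the host address, and that the caller supplies its own service and contract types; the single credential row is constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Text;

// WCF calls Validate for every UserName token it receives; throwing rejects the caller.
public sealed class HashedUserNameValidator : UserNamePasswordValidator
{
    // Constructed sample store: user -> (per-user salt, PBKDF2(password, salt)); real code loads rows from a database.
    private static readonly byte[] AliceSalt = Encoding.UTF8.GetBytes("constructed-salt-1");
    private static readonly Dictionary<string, (byte[] Salt, byte[] Hash)> Users =
        new Dictionary<string, (byte[] Salt, byte[] Hash)>
        { ["alice"] = (AliceSalt, Derive("correct horse battery staple", AliceSalt)) };

    public override void Validate(string userName, string password)
    {
        // One message for "unknown user" and "wrong password" so replies do not confirm valid names.
        if (userName == null || password == null || !Users.TryGetValue(userName, out var e)
            || !FixedTimeEquals(Derive(password, e.Salt), e.Hash))
            throw new SecurityTokenException("Unknown user name or incorrect password.");
    }

    // PBKDF2 with 10,000 iterations; the stored value is a 32-byte derived key, never the password.
    private static byte[] Derive(string p, byte[] s) { using (var k = new Rfc2898DeriveBytes(p, s, 10000)) return k.GetBytes(32); }

    // Compare every byte so the time taken does not depend on where the first mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class SecureHostFactory
{
    // TransportWithMessageCredential: HTTPS encrypts the channel, the UserName token travels inside the message.
    public static ServiceHost Create(Type serviceType, Type contractType, Uri httpsAddress)
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var host = new ServiceHost(serviceType, httpsAddress);
        host.AddServiceEndpoint(contractType, binding, string.Empty);
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new HashedUserNameValidator();
        return host;
    }
}
```

With SecurityMode.None or TransportCredentialOnly in place of TransportWithMessageCredential the same validator would receive the password in clear text on the wire, which is the weak setting slides 10 and 11 warn about.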
  16. Q&A
