WCF Basics and Security overview
WCF Overview. WCF security model. Attacks and countermeasures. (If Time Permits)
WCF exposes endpoints for clients and services to exchange messages. WCF uses addresses, bindings and contracts (ABC model). Bindings specify protocols, encodings and security. The security model includes transfer security modes (none, transport, message, mixed, both) and credentials (Windows, username/password, certificates, tokens). Common attacks include information disclosure, elevation of privilege, denial of service, and tampering. Countermeasures include configuration, authorization and message inspection.
Slides of the Webinar "SSL, impact and optimisation"
INTRODUCTION
What is SSL?
The purpose of SSL
History of SSL / TLS
Overview of a TLS connection
PART 1
What is the role of an SSL certificate?
Levels of validation
Options for certificates: SAN and Wildcard
The certificate ordering process
Certificate chain
SSL algorithms: encryption & authentication
Examples
PART 2
TLS and IPV4 exhaustion
HAProxy and SNI
TLS impacts
SSL offloading
SEO
Security of the SSL protocol
Taking Your Enterprise to the Next Level with WSO2 Message Broker and WSO2 En..., by WSO2
In order to cater to the increased demand for reliable and flexible systems, enterprises are leveraging messaging as a solution. In the enterprise integration space, these solutions have evolved into well defined enterprise integration patterns (EIPs). WSO2 Enterprise Service Bus (WSO2 ESB) and WSO2 Message Broker can be used to implement these patterns with ease.
This webinar will discuss how to use WSO2 ESB and WSO2 Message Broker to address the aforementioned needs. The key areas of discussion will include how to:
Achieve scalability using point-to-point, publisher/subscriber EIPs and shared subscriptions
Achieve reliability using transactions
Perform request throttling using the store/forward EIP
Integrate between devices in constrained environments (low-bandwidth, unreliable networks, etc.)
This document discusses Apache httpd reverse proxies and Tomcat. It covers why to use a proxy, common proxy protocols like AJP, HTTP/HTTPS, and HTTP/2. It also provides configuration examples for mod_jk, mod_proxy_ajp, and mod_proxy_http when using Apache httpd as a reverse proxy for Tomcat. Performance comparisons are shown between mod_jk, mod_proxy, and Nginx. The document concludes that a proxy is useful for load balancing, protocol upgrades, and SSL termination between the application server and internet.
EMQ is an open source MQTT broker written in Erlang/OTP that can massively scale to over 1 million connections. It supports MQTT 3.1/3.1.1 and 5.0, is highly extensible via plugins, and can authenticate clients through plugins like MySQL. EMQ forms clusters to improve scalability and reliability, routes messages by topic across nodes, and heals network partitions automatically.
This document outlines several network connectivity scenarios involving virtual machines and containers with different grades. The highest grade (A/A+) involves an LXC container, 4 VMs, and both GRE and OpenVPN tunnels that must be established for the container and VMs to have internet access and ping each other. The next grades (B/B+ through D/D+) involve progressively fewer VMs and tunnels but similar connectivity requirements between the VMs and containers.
Control Plane: Security Rationale for Istio (DevSecOps - London Gathering, Ja..., by Michael Man
Security Rationale For Istio
An introduction to Istio security, looking at how Istio helps to keep your security team happy by satisfying Kubernetes security requirements for multi-tenancy, and your developers happy by reducing implementation effort. Istio is still an evolving technology, and outstanding issues and impending improvements will be discussed.
The document discusses Project Grizzly Comet, an open source framework for building real-time web applications using Comet techniques. It provides an overview of key Grizzly Comet components like CometContext, CometHandler, NotificationHandler, and how they enable asynchronous communication between a server and browsers. Additional related projects like Grizzly Messages Bus, Bayeux protocol, and Grizzlet interface are also summarized.
The document discusses Kubernetes networking concepts including pods, services, and ingress. It provides examples of how containers within pods communicate via Docker networking. It also explains how Kubernetes networking solves the problems of pod-to-pod, service-to-pod, and external-to-service communications using services, iptables, and kube-proxy. The document demonstrates creating a deployment, service, and ingress to expose an application externally via a load balancer.
Slides of the presentation by Simeon Bosshard, Citrix, at Citrix Day 2014 by Digicomp.
The HTML 5 GUI in release 10.5 of the NetScaler is one new feature, but not the only one. Learn more about the most important changes, such as MobileStream, Cisco RISE and ACI integration, as well as the extensions in the authentication area. Of course, the new features in the core areas of load balancing, SSL offloading etc. are not neglected either.
Advanced Tools and Techniques for Troubleshooting NetScaler Appliances, by David McGeough
This session will cover advanced techniques for troubleshooting the Citrix NetScaler Appliance using tools such as Citrix TaaS, IPMI, nsconmsg, Wireshark and log analysis. We will review usage of these tools along with case studies showing how best to troubleshoot common issues seen in operating Citrix NetScaler Appliances.
What you will learn
- Various tools available to troubleshoot issues and how to use them to isolate NetScaler issues
- Common deployment problems and how to isolate the causes
This document describes a swarm cluster with an overlay network containing multiple containers running various Docker services and images. The cluster has one container manager and three worker containers running the dind image. Services like HAProxy, a registry, nginx-proxy, and echo are distributed across the worker containers and load balanced with an overlay network for high availability.
Overview of Publish/Subscribe messaging and comparison of MQTT, AMQP and DDS protocols.
Presented at the IoT Bratislava meeting
Recorded session (in Slovak): https://www.youtube.com/watch?v=7wqyriSAqLY
The document introduces EMQ X, an open-source distributed MQTT broker designed for large-scale IoT deployments. EMQ X aims to sustain millions of MQTT connections through a distributed and highly extensible architecture. It provides features such as clustering, authentication, access control, message persistence, bridging, and a plugin system to customize functionality. The document also covers installing, configuring, and optimizing EMQ X.
New Tools and Interfaces for Managing IBM MQ, by Matt Leming
The document provides an overview of new tools and interfaces for managing IBM MQ, including the mqweb server, MQ REST API, and MQ Console. The mqweb server runs the MQ Console and REST API applications using WebSphere Liberty Profile. The MQ REST API allows administering MQ via REST and JSON, providing alternatives to PCF. The MQ Console is a browser-based graphical tool for administering and managing MQ queues, queue managers, and other objects.
Bridges and Tunnels: A Drive Through OpenStack Networking, by markmcclain
This document summarizes OpenStack networking and some of its key components and capabilities. It discusses the motivation for creating Neutron as a networking service, challenges in cloud networking like multi-tenancy and on-demand provisioning, and how Neutron tackles these challenges through network virtualization and SDN. It provides an overview of Neutron's architecture, including its plugin-based model, agents, and common features like security groups. It also describes new capabilities in OpenStack Juno like IPv6 support and distributed virtual routing.
The document discusses OWASP Zed Attack Proxy (ZAP), a free and open source web application security scanner. It can be used by pentesters, developers, and testers to detect vulnerabilities. ZAP passively and actively scans applications to find issues. It can be integrated into CI/CD pipelines and automated with APIs, command line tools, and programming libraries. The document provides examples of using ZAP to perform passive scanning, active scanning, and automation for testers.
This document discusses scaling MQTT to support millions of clients. It outlines challenges in scaling MQTT including huge numbers of TCP connections, security overhead from TLS, statefulness of MQTT sessions, and high availability requirements. It then presents a scalable MQTT reference architecture using HiveMQ clustering to address these challenges by enabling linear scalability, high availability, and elimination of single points of failure through a masterless broker cluster architecture.
OpenStack Paris Summit: Bridges and Tunnels: A Drive Through OpenStack Networ..., by markmcclain
This document summarizes OpenStack networking and some key improvements in recent releases. It discusses the motivation for creating Neutron as a networking component separate from Nova, challenges in cloud networking like multi-tenancy and scalability, and how Neutron addresses these through network virtualization and SDN. The basics of Neutron's architecture, plugins, agents, and abstraction of network resources are covered. Features like security groups, IPv6 support, distributed virtual routing, and load balancing are also summarized. Upcoming work in areas like metadata service, IPAM, and dynamic routing is mentioned.
Jim Jagielski discusses improvements to Apache HTTP Server 2.4 including enhanced performance, support for asynchronous I/O, additional multi-processing modules, and improved functionality for reverse proxy servers. Key enhancements to Apache's reverse proxy module mod_proxy include support for additional protocols like FastCGI and SCGI, improved load balancing capabilities, and an embedded administration interface.
SSL Checklist for Pentesters (BSides MCR 2014), by Jerome Smith
This document provides a summary of checks that a pentester should perform when evaluating the security of SSL/TLS implementations. It discusses checking for support of outdated and insecure protocols like SSLv2 and SSLv3. It also recommends validating support for newer, more secure versions like TLSv1.1 and TLSv1.2. The document outlines steps to check for vulnerabilities like Heartbleed, BEAST, and CRIME. It also provides guidance on evaluating certificate validity, cipher suites, and renegotiation support. Web application considerations like mixed content and HTTP Strict Transport Security are also covered at a high level. The presenter provides these checks and recommendations from the perspective of a pentester to identify potential issues to consider reporting.
This document introduces MQTT, a lightweight messaging protocol for IoT applications. It describes key MQTT concepts like publish/subscribe messaging, topics, quality of service levels, and client/broker communication. It also outlines MQTT control packets, connection handling, message delivery guarantees, and new features in MQTT 5.0 like enhanced scalability and session management.
This document provides an overview of key concepts related to Java networking. It discusses IP addresses, protocols, ports, and the client-server paradigm as basic networking concepts. It then describes Java's networking package, including the ServerSocket and Socket classes for creating server and client sockets, and the MulticastSocket and DatagramPacket classes for multicast communication. Example code is provided to illustrate using the ServerSocket and Socket classes to create a simple echo server and client.
These slides from my talk at the buildingIoT conference discuss how to secure communication with the Internet of Things protocol "MQTT". It discusses Network, Host, Application and Data Security and also covers advanced topics like OAuth 2.0 and X509 client certificate authentication.
EMQ is a global leader in open source IoT messaging software, with over 5000 enterprise users. EMQ X is their fully open source messaging engine for IoT in the 5G era, supporting major IoT protocols and capable of massive scalability and high availability. It provides all-in-one connectivity for any IoT device over any network and can be run anywhere from the edge to the cloud.
USENIX OSDI 2012 Poster "Nested Virtual Machines and Proxies for Easily Implementable Rollback of Secure Communication" by Kuniyasu Suzaki, Kengo Iijima, Akira Tanaka, and Yutaka Oiwa, AIST: National Institute of Advanced Industrial Science and Technology; Etsuya Shibayama, The University of Tokyo
This document discusses Neutron, the networking component of OpenStack. It provides an overview of Neutron and its architecture, explaining that Neutron enables and manages networking between virtual machines using a plugin model. It then introduces the Neutron VEB (Virtual Ethernet Bridge) plugin, which leverages hardware switching through Emulex adapters to provide faster, more efficient networking in clouds compared to software-based L2 switching approaches.
This presentation, DEFEATING THE NETWORK SECURITY INFRASTRUCTURE v1.0.pdf, was made after some brainstorming with some friends. The techniques used are not new and the tools are readily available for download. The purpose of the discussion, however, is to debate how internal enterprise resources might be (in)advertently exposed to the internet by an insider using a combination of common techniques such as SSH and SSL.
This document summarizes a presentation on advanced Netscaler customizations. It discusses how to customize elements like login pages, navigation menus, and detection of operating systems and browsers. It provides information on tools for customizing, examples of customizing login pages and navigation menus, and how to ensure customizations persist after reboots. It also discusses spoofing user-agents for device detection and creating custom pages for virtual servers. Lastly, it covers customizing Netscaler logging.
Presentation from Jan 26, 2009 session of IST 561, Internet and Information Access course. Topics include history of the Internet, the web, and an overview of networks.
The document provides tips for properly displaying artwork in homes. It recommends that homeowners carefully select frames, mats, and locations for hanging art to complement the room's style. Artwork should be displayed in a pattern or grid at eye level and can include paintings, prints, photographs, or collections. When selling a home, less artwork is better so as not to distract buyers from the home's architecture. Artwork should play a secondary role to features like fireplaces.
IST 561 Spring 2007--Session 7, Sources of Information, by D.A. Garofalo
The presentation provides a brief overview of Internet searching, Boolean operators, and internet resources useful to libraries in providing reference services.
IST 561 Session 10, Spring 2009--Student Projects and Presentations, by D.A. Garofalo
Each student will give a 10-minute PowerPoint presentation of their project, showing their created web pages live online. They must provide a hardcopy of slides including the project URL. After presentations, students can suggest review topics, ask questions, and discuss items of interest. The final is due by May 11th at 5:15PM and can be returned in person, by mail, or email.
This document summarizes an advanced WCF topics training module. It covers creating WCF services and clients in code, securing WCF services through various transports, bindings and authentication mechanisms, and using the Windows Azure Service Bus for connectivity and messaging between applications. The module includes demonstrations of creating services and clients in code, securing services, and using the Azure Service Bus.
The document discusses security patterns and practices for Windows Communication Foundation (WCF) services. It begins with an introduction to service-oriented architecture and WCF. It then covers defining web service threats, an overview of basic WCF security concepts like authentication, authorization, and encryption. The document discusses securing the transport channel and message integrity. It provides recommendations for secure configuration, appropriate bindings, and code-based best practices. Throughout, it emphasizes the importance of combining multiple security techniques and technologies to achieve security at the highest level.
This document provides an introduction and overview of Windows Communication Foundation (WCF). It discusses what WCF is, how it differs from web services, and some of its key advantages and disadvantages. Development tools for WCF like Visual Studio are also mentioned. The document concludes by outlining some of the fundamental concepts in WCF like endpoints, bindings, contracts, and messages.
This document provides an overview and deep dive into VMware's NSX networking and security virtualization platform. It begins with a brief introduction to NSX's architecture, including its data plane, control plane, and management plane components. The presentation then covers key NSX capabilities like logical switching, distributed routing, microsegmentation using the distributed firewall, and network services. It aims to provide attendees with an in-depth understanding of the NSX platform and how it implements virtual networking and security functions.
Get a technical understanding of the components of NSX, including how switching, routing, firewalling, load-balancing and other services work within NSX.
Secure Multi Tenant Cloud with OpenContrail, by Priti Desai
Building a secure multi-tenant cloud necessitates proper tenant isolation and access control. Key network and security functions must scale independently based on the dynamic resource requirements of each tenant. Additionally, on-demand and self-service provisioning are required for achieving operational efficiencies. Robust, dynamic and elastic software abstractions are imperative to support applications built to run in such complex environments.
This slide deck covers:
• Architectural design choices
• Implementation blueprints
• Operational best practices
that have been made to build OpenStack cloud at Symantec.
Understanding network and service virtualizationSDN Hub
This document discusses network and service virtualization technologies. It begins with an overview of challenges with current network architectures and how virtualization addresses them. It then covers three key trends: 1) network virtualization using SDN to program networks dynamically, 2) service virtualization using NFV to virtualize network functions, and 3) new infrastructure tools like Open vSwitch, OpenDaylight, and Docker networking. Finally, it discusses approaches to deploying network and service virtualization and provides a vendor landscape.
Network and Service Virtualization tutorial at ONUG Spring 2015SDN Hub
Tutorial at ONUG Spring 2015 on Network and Service Virtualization. The tutorial covers three converging trends 1) Network virtualization, 2) Service virtualization, 3) overlay networking for Docker and OpenStack. The talk concludes with pointers to the hands-on portion of the tutorial that uses LorisPack, and the operational lessons learned.
WCF (Windows Communication Foundation) is Microsoft's latest service-oriented architecture technology for building distributed applications. It provides a common platform for all .NET communication and is the successor to previous message distribution technologies. WCF allows developers to build service-oriented applications and exposes endpoints that define the address, binding, and contract for communicating with clients. Endpoints can be configured programmatically or through configuration files and bindings describe how clients will communicate with services. Services in WCF define contracts including service contracts, data contracts, and message contracts. Services can be hosted in different ways including using IIS, self-hosting, Windows Activation Service, or as a Windows service.
This presentation was made by Mangesh Patankar (Developer Advocate - IBM Cloud) as part of Container Conference 2018: www.containerconf.in.
"How do we make microservices resilient and fault-tolerant? How do we enforce policy decisions, such as fine-grained access control and rate limits? How do we enable timeouts/retries, health checks, etc.?
A service-mesh architecture attempts to resolve these issues by extracting the common resiliency features needed by a microservices framework away from the applications and frameworks and into the platform itself. Istio provides an easy way to create this service mesh."
- The ZTE 5G Cloud ServCore provides a standards-compliant, open, service-based 5G core network architecture that supports network slicing and multi-access from 2G, 3G, 4G, and 5G.
- It uses a stateless, microservices-based design with network functions represented as independent, reusable services. These services communicate via service-based interfaces.
- ZTE's carrier DevOps system supports the full lifecycle of network slicing from design and testing to deployment, monitoring, and continuous optimization through closed-loop automation.
(SDD302) A Tale of One Thousand Instances - Migrating from Amazon EC2-Classic...Amazon Web Services
Twilio provides a communications API that enables voice, VoIP, and messaging capabilities for web and mobile apps. They migrated their infrastructure from the isolated EC2-Classic platform to EC2-VPC to enable global routing between regions and services. This reduced complexity, improved performance and latency, and allowed for more frequent and less risky deployments. The migration required bridging traffic between EC2-Classic and EC2-VPC instances and using software routers and service discovery for peering between regions. The new global VPC infrastructure improved customer experience and satisfaction.
- WCF controls concurrency through InstanceContextMode and ConcurrencyMode behaviors
- InstanceContextMode determines how service instances are created - per session, per call, or singleton
- ConcurrencyMode controls how multiple requests are handled by an instance - single, multiple, or reentrant
- Choosing the right combination depends on service requirements for performance, scalability, and thread-safety
What is a Service Mesh and what can it do for your MicroservicesMatt Turner
e’ll explore what a service mesh is and what it can do for your microservices. Are the claims of observability, resiliency, and WAF features real? Are they useful during development, production, or both? Using pictures and demos, we’ll find out!
This session will also briefly cover how a service mesh works, giving us a mental model with which to explore and evaluate after the talk. Matt will show a simple installation and demo, giving us all the knowledge to go home and try for ourself.
Overview of Windows Vista Devices and Windows Communication Foundation (WCF)Jorgen Thelin
The document discusses Windows Communication Foundation (WCF) and how it provides a unified programming model for building service-oriented applications. WCF enables development of loosely-coupled services through features like support for WS-* specifications, compatibility with existing Microsoft distributed application technologies, and integration with Visual Studio 2005. It also discusses how WCF improves productivity over previous technologies and promotes interoperability and service-orientation.
The document discusses various topics related to WCF services including service binding, hosting WCF services, instance management, and exception handling. It describes different bindings like basicHttpBinding, wsHttpBinding, and netTcpBinding. It covers hosting WCF services in IIS, self-hosting, WAS hosting, and Windows service hosting. It defines the different instance context modes of per-call, per-session, and singleton. Finally, it discusses using fault contracts to better handle exceptions in WCF services.
As more OpenStack clouds move into production, the limits of scale and performance of the cloud need to be known as a pre-requisite to building a predictable operations plan. PLUMgrid ONS is based on a fully distributed architecture that is built for scale. Since forwarding decisions are distributed and made at each individual server, every new server added to the cloud increases the cloud’s forwarding capacity. This unique distributed architecture allows any OpenStack cloud built using the PLUMgrid Open Networking Suite to scale to tens of thousands of workloads across multiple racks. This joint PLUMgrid and Ixia session between will highlight the latest scale and performance numbers for PLUMgrid ONS. In addition, it will cover the various scale targets that were achieved, the testing methodology plus the Ixia IxChariot product used to measure them.
This document provides an agenda and overview for a presentation on software services, including Windows Communication Foundation (WCF) and RESTful WCF. The presentation covers topics such as WCF architecture, endpoints, bindings, contracts, hosting, metadata exchange, instance management, transfer modes, REST principles, and comparisons between SOAP and REST. Code examples are provided to illustrate key WCF concepts.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Introducing Milvus Lite: Easy-to-Install, Easy-to-Use vector database for you...Zilliz
Join us to introduce Milvus Lite, a vector database that can run on notebooks and laptops, share the same API with Milvus, and integrate with every popular GenAI framework. This webinar is perfect for developers seeking easy-to-use, well-integrated vector databases for their GenAI apps.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
1. WCF Basics and Security overview
Yaron Hakon
Application Security Consultant
2Bsecure
yaron@2bsecure.co.il
WCF
Agenda.
• WCF Overview.
• WCF Security model.
• Attacks and countermeasures. (If Time Permits)
2. WCF is.
• WCF services expose endpoints that clients and services use to exchange messages.
[Diagram – "The Imperative to Connect": a call center ASP.NET app, mobile employee apps (Java), customer applications on various platforms, a J2EE app server, an existing J2EE application, a mobile employee app, .NET Framework applications, IDM and Enterprise Services, connected over HTTP, HTTPS, TCP/IP, WSE and other protocols.]
3. Windows Communication Foundation
Interoperability / Productivity / Service-oriented development
• Unifies today's distributed technologies
• Visual Studio 2005 integration
• Loosely-coupled services
• Config-based communication
4. WS-* Protocol Support
XML, Messaging, Security, Transactions, Reliable Messaging, Metadata
WCF – A B C
• A Service Endpoint has an Address, a Binding, and a Contract (ABC).
• An Address is a network address that indicates where the service is located.
• A Binding specifies how a client can communicate with the endpoint, including transport protocol, encoding, and security requirements.
• A Contract identifies what operations are available to the clients.
[Diagram: Client and Service connected through endpoints; each endpoint is an A-B-C triple – Address (Where?), Binding (How?), Contract (What?).]
5. WCF Run Time
WCF – Architecture & channel stack
[Diagram: client code calls a proxy class (A, B) whose channel stack (protocol, reliability, security) sends the request; on the service side the channel stack receives the incoming request and the dispatcher invokes the service interface (Method A, Method B) in the WCF service code (.NET assembly). The contract consists of data, message and service contracts. Configuration: bindings define protocol, encoding, transport and security; the endpoint is C (contract), B (binding), A (address).]
Understanding binding options
• Protocols: security, reliable messaging capability, transactions.
• Encoding: XML text, MTOM, binary.
• Transport: TCP, HTTP/S, named pipes, custom.
6. Understanding Standard Bindings
System.ServiceModel namespace includes the following predefined bindings:

Binding                | Transport | Encoding   | Security                        | Transaction | Interoperability
BasicHttpBinding       | Https     | text       | None, Transport, Message, Mixed | no          | WS-I
WSHttpBinding          | Https     | text, MTOM | None, Transport, Message, Mixed | yes         | WS-*
WSDualHttpBinding      | Http      | text, MTOM | None, Message                   | yes         | WS-*
WSFederationBinding    |           |            | None, Message, Mixed            | yes         | WSF
NetTcpBinding          | TCP       | Binary     | None, Transport, Message, Mixed | no          | .NET
NetPeerTcpBinding      | P2P       | Binary     | None, Message, Transport, Mixed | yes         | Peer
NetNamedPipeBinding    | IPC       | Binary     | None, Transport                 | yes         | .NET
NetMsmqBinding         | MSMQ      | Binary     | None, Message, Transport, Both  | yes         | .NET
MsmqIntegrationBinding | MSMQ      | Binary     | None, Transport                 | yes         | MSMQ

1. Building Windows Communication Foundation Service
7. WCF – Hosting
• User application – custom host app.
• IIS host (WS).
• Windows service app.
• IIS version 7.0 – Windows Activation Services (WAS):
  • Configuration sharing.
  • Application pool – sandboxing.
  • Support for non-HTTP transport protocols.
• Read more: http://msdn2.microsoft.com/en-us/library/ms733109.aspx
Self Host.
• Configure the endpoints:
  • Add endpoint information for the Web service in App.config:
    • Address (http, https, …)
    • Binding
    • Contract
• Create listener objects for each address.
• Listen for requests: productsServiceHost.Open(); stop listening with Close().
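The A-B-C of an endpoint (slide 4) and the self-host steps above, wired up in code rather than App.config, as an added example that is not from the deck: the contract and service names (IProductsService, ProductsService), the sample product data and the base address http://localhost:8000/products are assumptions made for this example.

```csharp
// Added example (not from the slides): a minimal self-hosted WCF service whose
// endpoint is defined programmatically as Address + Binding + Contract.
// IProductsService, ProductsService, the sample data and the base address are
// assumptions for this example.
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

// C – the contract: what operations the service exposes.
[ServiceContract(Namespace = "http://example.invalid/products")]
public interface IProductsService
{
    [OperationContract]
    string GetProductName(int id);
}

// Per-call instancing (slide 10): a fresh instance per operation, no shared state.
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
public class ProductsService : IProductsService
{
    public string GetProductName(int id)
    {
        // Constructed sample data so the example runs without a database.
        return id == 1 ? "Widget" : "Unknown";
    }
}

public static class SelfHostProgram
{
    public static void Main()
    {
        // A – the address: where the service listens (assumed base address).
        var baseAddress = new Uri("http://localhost:8000/products");

        using (var host = new ServiceHost(typeof(ProductsService), baseAddress))
        {
            // B – the binding: how clients talk to the endpoint.
            // WSHttpBinding with Message security signs and encrypts every message
            // and authenticates the caller with Windows credentials.
            var binding = new WSHttpBinding(SecurityMode.Message);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;

            // One endpoint = address (relative "svc") + binding + contract.
            host.AddServiceEndpoint(typeof(IProductsService), binding, "svc");

            // WSDL over HTTP GET lets a client add a Service Reference (slide 9).
            // It is opt-in, and exposing it outside development is an information
            // disclosure concern (slide 20), so set HttpGetEnabled = false in production.
            host.Description.Behaviors.Add(new ServiceMetadataBehavior { HttpGetEnabled = true });

            host.Open();   // creates the listener for each endpoint address
            Console.WriteLine("Listening on {0}/svc - press Enter to stop.", baseAddress);
            Console.ReadLine();
            host.Close();  // stops listening; the using block disposes the host
        }
    }
}
```

Run it from an elevated prompt (or after reserving the URL with netsh) so HTTP.SYS lets the process listen on port 8000; a client can then add a Service Reference to http://localhost:8000/products?wsdl and call GetProductName over the message-secured endpoint.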
8. IIS Host
• Project assemblies are built in the bin folder.
• Add a service definition file – .svc (the name of the class that IIS will execute and the name of the assembly holding this class).
• Add endpoint information for the Web service in Web.config:
  • Address (IIS and SVC address)
  • Binding
  • Contract
• Deploy the service in IIS.
  • Add a new site for the service.
2. Building Self Host for WCF Service
9. 3. Hosting WCF Service in IIS
Consuming WCF Service
• Select preferred client.
• Service reference.
• Configuration – ABC.
• Consume.
10. 4. Consuming WCF service from console application
Good to know
• Multiple service endpoints.
  • Expose the service on different endpoints for different clients.
• Configuring service instance context modes:
  [ServiceBehavior(InstanceContextMode = InstanceContextMode.PerSession)]
  • PerSession: opens a new session for each client and closes the session when the client aborts.
    • Default (max 10 connections); cannot share data between service instances.
  • PerCall: creates a new instance each time the client invokes an operation, and the service closes after the call finishes.
    • Hard to implement state.
  • Single: opens one instance of the service for all clients.
    • Opened the first time a service call comes in; closed by the server.
    • Sharing data between clients (+/-)?
• Using MSMQ and transactions.
11. 5. Consuming WCF service in self host with 2 endpoints from different clients: console application & ASP.NET
Agenda.
• WCF Overview.
• WCF Security model.
• Attacks and countermeasures. (If Time Permits)
12. Security in every WCF operation call
• Service contract
• Operation contract – fault contract
• Service behavior – client credentials, service credentials.
• Operation behavior
• Host configuration
• Method configuration and code
• Proxy configuration
• Binding configuration

// Contract-level default: every operation on this contract is signed.
[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
public interface IMyContract
{
    [OperationContract]
    void SignMethod(…);

    // Per-operation override: this operation is encrypted as well as signed.
    [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    void EncryptAndSignMethod(…);
}
Transfer security Concepts
• Message integrity.
• Tampering.
• Message privacy.
• Sensitive data.
• Confidentiality.
• Mutual authentication.
• Client/server authentication.
• Replay attacks.
• Denial of service attacks.
13. Transfer security modes
• None.
  • No client credentials are provided to the service.
  • Clear-text messages over a non-secure transport layer.
• Transport security – integrity, privacy, and mutual authentication.
  • Secure transport protocols – HTTPS, TCP, IPC, MSMQ; point-to-point.
  • All communication on the channel is encrypted.
  • The client's credentials are encrypted along with the rest of the message.
• Message security – integrity, privacy, and mutual authentication.
  • Encrypts the message itself.
  • End-to-end security.
  • Communicate securely over non-secure transports.
• Mixed.
  • Transport security for message integrity, privacy & service authentication.
  • Message security for securing the client credentials.
  • Point-to-point security.
• Both – integrity, privacy, and mutual authentication.
  • Both transport security and message security.
Explain the mode scenario – Transport
• Encrypts the entire message
• Sender must trust all intermediaries
• Restricts protocols that can be used
[Diagram: SSL security on each transport hop.]
14. Explain the mode scenario – Message
Security context
• End-to-end message security independent of transport
• Supports multiple protocols and multiple encryption technologies
• Encrypt only parts of the message
Transfer Security Mode
• Bindings: programmatically or administratively.

Binding             | None        | Transport   | Message     | Mixed | Both
BasicHttpBinding    | Y (default) | Y           | Y           | Y     | N
NetTcpBinding       | Y           | Y (default) | Y           | Y     | N
NetPeerTcpBinding   | Y           | Y (default) | Y           | Y     | N
NetNamedPipeBinding | Y           | Y (default) | N           | N     | N
NetMsmqBinding      | Y           | Y (default) | Y           | N     | Y
WSHttpBinding       | Y           | Y           | Y (default) | Y     | N
WSFederationBinding | Y           | N           | Y (default) | Y     | N
WSDualHttpBinding   | Y           | N           | Y (default) | N     | N
15. Programmatically securing the basic binding
BasicHttpBinding binding2 = new BasicHttpBinding();
binding2.Security.Mode = BasicHttpSecurityMode.Message;

Administratively securing the basic binding
<bindings>
  <basicHttpBinding>
    <binding name="SecuredBasic">
      <security mode="Message">
      </security>
    </binding>
  </basicHttpBinding>
</bindings>
16. 6. Use of transfer security – basicHttpBinding → WSHttpBinding.
WCF trace view with Microsoft Service Trace Viewer, before and after.
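The "before and after" of this lab can also be checked in code before a host is ever opened. The following is an added example, not from the deck: it walks the binding element stack of each endpoint and reports endpoints with security mode None (the basicHttpBinding default from the table on slide 14) or with Basic credentials over plain HTTP. IMyContract is the contract name used on slide 12; the endpoint addresses are assumptions.

```csharp
// Added example (not from the slides): audit endpoint transfer security from
// the binding element stack. IMyContract comes from slide 12; addresses are assumed.
using System;
using System.Collections.Generic;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

[ServiceContract]
public interface IMyContract
{
    [OperationContract]
    void SignMethod();
}

public static class EndpointSecurityAudit
{
    // One finding per weakness; an empty list means every endpoint has transfer security.
    public static List<string> Audit(IEnumerable<ServiceEndpoint> endpoints)
    {
        var findings = new List<string>();
        foreach (ServiceEndpoint ep in endpoints)
        {
            BindingElementCollection elements = ep.Binding.CreateBindingElements();

            // Message or Mixed mode adds a SecurityBindingElement to the stack.
            bool messageSecurity = elements.Find<SecurityBindingElement>() != null;

            // Transport mode: HTTPS for the HTTP bindings; for NetTcpBinding an
            // SSL/Windows stream upgrade element (both derive from StreamUpgradeBindingElement).
            var http = elements.Find<HttpTransportBindingElement>();
            bool transportSecurity = http is HttpsTransportBindingElement
                                  || elements.Find<StreamUpgradeBindingElement>() != null;

            string where = ep.Address.Uri.ToString();
            if (!messageSecurity && !transportSecurity)
                findings.Add(where + ": security mode None - messages and credentials in clear text");

            // TransportCredentialOnly with Basic: the password crosses the wire unprotected.
            if (http != null && !(http is HttpsTransportBindingElement)
                && http.AuthenticationScheme == AuthenticationSchemes.Basic)
                findings.Add(where + ": Basic credentials over plain HTTP");
        }
        return findings;
    }

    static ServiceEndpoint Endpoint(Binding binding, string address)
    {
        return new ServiceEndpoint(ContractDescription.GetContract(typeof(IMyContract)),
                                   binding, new EndpointAddress(address));
    }

    public static void Main()
    {
        // Weak: BasicHttpBinding defaults to security mode None.
        var weak = Endpoint(new BasicHttpBinding(), "http://localhost:8000/weak");

        // Weak: credentials only, no TLS on the transport.
        var credOnly = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        credOnly.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
        var basicOverHttp = Endpoint(credOnly, "http://localhost:8000/basic");

        // Hardened: the slide 15 setting, message security on the basic binding.
        var securedBasic = new BasicHttpBinding();
        securedBasic.Security.Mode = BasicHttpSecurityMode.Message;
        var hardened1 = Endpoint(securedBasic, "http://localhost:8000/secured");

        // Hardened: WSHttpBinding defaults to Message security.
        var hardened2 = Endpoint(new WSHttpBinding(), "http://localhost:8000/ws");

        foreach (string f in Audit(new[] { weak, basicOverHttp, hardened1, hardened2 }))
            Console.WriteLine("FINDING " + f);
    }
}
```

Because the audit works on CreateBindingElements() rather than on a specific binding class, it applies equally to endpoints loaded from configuration: call Audit(host.Description.Endpoints) after constructing the ServiceHost and before Open(), and refuse to start when the list is non-empty.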
Transport Security and Credentials
• WCF lets you select from a number of possible client credential types:
  • NTLM or Kerberos
  • Classic username and password
  • Windows security token
  • X509 certificate
  • Anonymous
17. Transport security client credentials
• WCF lets you select from a number of possible client credential types.

Binding             | None        | Windows     | UserName    | Certificate
BasicHttpBinding    | Y (default) | Y           | Y           | Y
NetTcpBinding       | Y           | Y (default) | N           | Y
NetPeerTcpBinding   | N           | N           | Y (default) | Y
NetNamedPipeBinding | N           | Y (default) | N           | N
NetMsmqBinding      | Y           | Y (default) | Y           | N
WSHttpBinding       | Y           | Y (default) | Y           | Y
WSFederationBinding | N/A         | N/A         | N/A         | N/A
WSDualHttpBinding   | N/A         | N/A         | N/A         | N/A
Message Security and Credentials
• The same types of credentials as with transport security.
• Plus the issued token credential type.
• http://msdn2.microsoft.com/en-us/library/ms731161.aspx
18. Message Security and Credentials

Binding             | None | Windows     | UserName | Certificate | Token
BasicHttpBinding    | N    | N           | N        | Y           | N
NetTcpBinding       | Y    | Y (default) | Y        | Y           | Y
NetPeerTcpBinding   | N/A  | N/A         | N/A      | N/A         | N/A
NetNamedPipeBinding | N/A  | N/A         | N/A      | N/A         | N/A
NetMsmqBinding      | Y    | Y (default) | Y        | Y           | Y
WSHttpBinding       | Y    | Y (default) | Y        | Y           | Y
WSFederationBinding | N/A  | N/A         | N/A      | N/A         | N/A
WSDualHttpBinding   | Y    | Y (default) | Y        | Y           | Y
Authentication / Authorization
• Authentication:
  • ASP.NET Membership Provider
  • Custom username and password validator
  • Identity and authentication
• Authorization:
  • Restrict access with the PrincipalPermissionAttribute
  • ASP.NET Role Provider with a service
  • ASP.NET Authorization Manager Role Provider with a service
  • Claims and authorization with the Identity Model
  • Delegation and impersonation
19. 7. Implement message security – netTcpBinding.
8. Using an X509 certificate to enable HTTPS communication to the service – server authentication.
9. Implement authorization – using PrincipalPermission.
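Two items from the authentication/authorization list on slide 18 and lab 9 above, a custom username/password validator and PrincipalPermission role checks, put together in one host. This is an added example, not code from the deck: the contract and service (IOrders, OrdersService), the in-memory user store, the "Managers" role, the certificate subject "localhost" and the address are assumptions. Roles are resolved by whatever ASP.NET role provider the host's configuration names.

```csharp
// Added example (not from the slides): custom UserNamePasswordValidator for
// message security with UserName credentials, plus PrincipalPermission on an
// operation. IOrders, OrdersService, the user store, role name, certificate
// subject and address are assumptions for this example.
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

public class Pbkdf2UserNameValidator : UserNamePasswordValidator
{
    const int Iterations = 100000, SaltSize = 16, HashSize = 32;

    // Constructed in-memory store: user -> { salt, PBKDF2 hash }. A real service reads
    // these from a membership database; plain-text passwords are never stored.
    static readonly Dictionary<string, byte[][]> Store = new Dictionary<string, byte[][]>
    {
        { "alice", MakeRecord("correct horse battery staple") },
    };
    // Hashed for unknown users too, so response time does not reveal which names exist.
    static readonly byte[][] Dummy = MakeRecord("dummy");

    public static byte[][] MakeRecord(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return new[] { salt, kdf.GetBytes(HashSize) };
    }

    public override void Validate(string userName, string password)
    {
        if (userName == null || password == null)
            throw new SecurityTokenException("Unknown username or incorrect password.");

        byte[][] record;
        bool known = Store.TryGetValue(userName, out record);
        if (!known) record = Dummy;

        byte[] actual;
        using (var kdf = new Rfc2898DeriveBytes(password, record[0], Iterations))
            actual = kdf.GetBytes(HashSize);

        // One generic error for both failure cases: no username enumeration.
        if (!known || !FixedTimeEquals(actual, record[1]))
            throw new SecurityTokenException("Unknown username or incorrect password.");
    }

    // Constant-time comparison so the hash check does not leak by timing.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

[ServiceContract]
public interface IOrders
{
    [OperationContract]
    string Cancel(int orderId);
}

public class OrdersService : IOrders
{
    // WCF demands the "Managers" role before the method body runs;
    // callers without it receive an access-denied fault.
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public string Cancel(int orderId)
    {
        return "Order " + orderId + " cancelled";
    }
}

public static class SecureHostProgram
{
    public static ServiceHost Build()
    {
        var host = new ServiceHost(typeof(OrdersService), new Uri("http://localhost:8000/orders"));

        // Message security with a username token: the token is encrypted to the
        // service certificate, so the password does not travel in clear text.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        host.AddServiceEndpoint(typeof(IOrders), binding, "svc");

        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "localhost");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new Pbkdf2UserNameValidator();

        // Roles for PrincipalPermission come from the ASP.NET role provider in config.
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseAspNetRoles;
        return host;
    }

    public static void Main()
    {
        using (ServiceHost host = Build())
        {
            host.Open();
            Console.WriteLine("Orders service listening; press Enter to stop.");
            Console.ReadLine();
            host.Close();
        }
    }
}
```

The validator only answers "valid or not"; which roles the authenticated name holds is decided separately by the role provider, which is what keeps authentication (slide 18, left column) and authorization (right column) independently replaceable.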
20. WCF Relevant Attacks
• Information disclosure
  • HTTP headers, metadata, logs/exceptions, authentication / authorization.
• Elevation of privilege
  • Check authorization, token caches.
• Denial of service
  • Memory consumption, max secure sessions.
• Tampering
  • WS-Addressing.
• Replay attacks
  • WS-Addressing, transport security.
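Countermeasures for the denial-of-service, information-disclosure and token-cache bullets above, expressed as binding quotas and host behaviors. This is an added example, not from the deck; the limits, the IPing contract and the address are assumptions and should be tuned to the real message sizes of a service.

```csharp
// Added example (not from the slides): binding quotas and host behaviors for the
// attack classes on slide 20. Limits, IPing/PingService and the address are assumed.
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface IPing
{
    [OperationContract]
    string Ping(string text);
}

public class PingService : IPing
{
    public string Ping(string text) { return text; }
}

public static class ServiceHardening
{
    // Denial of service: bound what one message can make the service buffer and parse.
    public static WSHttpBinding BoundedBinding()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.MaxReceivedMessageSize = 64 * 1024;            // oversized requests are rejected
        b.ReaderQuotas.MaxDepth = 32;                     // deeply nested XML
        b.ReaderQuotas.MaxStringContentLength = 8 * 1024;
        b.ReaderQuotas.MaxArrayLength = 16 * 1024;
        b.ReaderQuotas.MaxBytesPerRead = 4 * 1024;
        b.ReaderQuotas.MaxNameTableCharCount = 16 * 1024;
        b.ReceiveTimeout = TimeSpan.FromMinutes(1);       // idle secure sessions are torn down
        b.OpenTimeout = TimeSpan.FromSeconds(10);
        return b;
    }

    public static void Apply(ServiceHost host)
    {
        var behaviors = host.Description.Behaviors;

        // Denial of service: cap concurrent calls, sessions and instances so memory
        // consumption is bounded ("max secure sessions").
        var throttle = behaviors.Find<ServiceThrottlingBehavior>();
        if (throttle == null) { throttle = new ServiceThrottlingBehavior(); behaviors.Add(throttle); }
        throttle.MaxConcurrentCalls = 16;
        throttle.MaxConcurrentSessions = 100;
        throttle.MaxConcurrentInstances = 116;

        // Information disclosure: never return exception details/stack traces in faults.
        var debug = behaviors.Find<ServiceDebugBehavior>();
        if (debug == null) { debug = new ServiceDebugBehavior(); behaviors.Add(debug); }
        debug.IncludeExceptionDetailInFaults = false;

        // Information disclosure: no anonymous WSDL/metadata retrieval unless required.
        var metadata = behaviors.Find<ServiceMetadataBehavior>();
        if (metadata != null) { metadata.HttpGetEnabled = false; metadata.HttpsGetEnabled = false; }

        // Elevation of privilege through token caches: keep cached logon tokens short-lived.
        host.Credentials.UserNameAuthentication.CachedLogonTokenLifetime = TimeSpan.FromMinutes(5);
    }

    public static void Main()
    {
        using (var host = new ServiceHost(typeof(PingService), new Uri("http://localhost:8000/ping")))
        {
            host.AddServiceEndpoint(typeof(IPing), BoundedBinding(), "svc");
            Apply(host);   // must run before Open(): behaviors are read-only afterwards
            host.Open();
            Console.WriteLine("Hardened ping service listening; press Enter to stop.");
            Console.ReadLine();
            host.Close();
        }
    }
}
```

Every one of these settings has a configuration equivalent (readerQuotas and maxReceivedMessageSize on the binding element, serviceThrottling, serviceDebug and serviceMetadata under behaviors), so the same hardening can be applied administratively to a service hosted in IIS.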
21. Summary
• WCF Overview.
  • Unified existing technology.
  • Wide standards support.
• WCF Security model.
  • Security by default.
  • Can be done using configuration / code.
  • Credentials – X509, SAML, Kerberos, CardSpace, custom.
• WCF countermeasures for common attack vectors.
  • Misconfiguration can lead to vulnerability exposure.
  • Read more about WCF attacks in the references.
References
• Books
  • Microsoft Windows Communication Foundation Step by Step, by John Sharp.
• MSDN:
  • WCF Home – http://msdn2.microsoft.com/en-us/library/ms735119.aspx
  • Security programming – http://msdn2.microsoft.com/en-us/library/ms731925.aspx
  • CardSpace – http://cardspace.netfx3.com/
• Blogs
  • Message inspector – http://msmvps.com/blogs/paulomorgado/archive/2007/04/27/wcf-building-an-http-user-agent-message-inspector.aspx
  • WCF Security – http://blogs.msdn.com/alikl/archive/2007/07/26/wcf-security-in-intranet-scenario-thoughts-on-cons-and-pros.as
• User group
  • UG page: http://www.microsoft.com/israel/communities/usergroups/securedev.mspx
  • UG presentation page: http://www.2bsecure.co.il/NetSecGroup.aspx
22. Thank you!
Yaron Hakon
Application Security Consultant
2Bsecure
yaron@2bsecure.co.il