2

I am looking to secure a WCF service that is "self hosted" inside a WinForms app.

I have done my research, but I am not sure what "applies" in what I am attempting to do.

I have no preference for HTTP or TCP binding, although I would think TCP would fundamentally be quicker? Regardless of this, if I use TCP, do I still need to set up certificates? I do not wish to create self-signed certificates for both client AND server... or should I?

My basic concept, and help me if I'm off track here, would be:

client <----https/tcp(secured? How?)----> username/password ---><---wcf---><---internal auth---> <--juicy bits-->

I would like to handle my own credential authorization, as I intend to authenticate against an internal system behind the WCF... my only concern here, really, is how to best "transmit" my authentication details over the wire, and thereafter... keeping round trip messages/data "secure".

Any pointers?

4

1 Answer

2

NET.TCP is going to be in general the better performing binding out of the two. The advantage of HTTP is its sheer interoperability. If your service is going to be internal to your application(s), go with NET.TCP. If you're planning on making it public so that other applications can consume it, go with HTTP (or even better in my opinion, a RESTful Web API service).

Assuming that you go with NET.TCP, you have several options for securing your service. The choices boil down to two main methods: message-level security and transport-level security. Message-level security is more labour-intensive as it secures each individual message, but is necessary if you are relaying a message across unsecure channels. Transport-level security on the other hand is better performing, and will do the trick if your service is strictly internal, as it essentially works by sending your message from point A to point B via a secure channel.

As WCF security is considerably more complex than can be discussed in an SO response, I strongly recommend that you read up further on it. Here are some links to get you started:

Implement message level security

Implement transport level security

Implement certificates

Answered 2013-05-27T14:56:51.237
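
Added example, not part of the original answer or of any project's code: a self-hosted NET.TCP service that uses transport security for the channel and hands the client's user name and password to a custom validator, matching the question's wish to authenticate against an internal system. The contract, `InternalAuth.Check`, the endpoint address and the certificate thumbprint placeholder are assumptions; in this mode only the service needs a certificate.

```csharp
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IJuicyService { [OperationContract] string WhoAmI(); } // hypothetical
public class JuicyService : IJuicyService
{
    // Returns the user name that passed the validator below.
    public string WhoAmI() { return ServiceSecurityContext.Current.PrimaryIdentity.Name; }
}
public static class InternalAuth // hypothetical stand-in for the internal system
{
    // Fails closed until it is wired to the real back end.
    public static bool Check(string user, string password) { return false; }
}
public class InternalAuthValidator : UserNamePasswordValidator
{
    // WCF calls this with the credentials the client sent over the secured channel.
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)
            || !InternalAuth.Check(userName, password))
            throw new SecurityTokenException("Invalid user name or password.");
    }
}

public static class HostSetup
{
    public static ServiceHost Open()
    {
        // TLS on the TCP transport; the user name/password travel inside it.
        var binding = new NetTcpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var host = new ServiceHost(typeof(JuicyService));
        host.AddServiceEndpoint(typeof(IJuicyService), binding,
            "net.tcp://localhost:8523/juicy"); // constructed address
        // The service presents this certificate; placeholder thumbprint.
        host.Credentials.ServiceCertificate.SetCertificate(StoreLocation.LocalMachine,
            StoreName.My, X509FindType.FindByThumbprint, "<SERVICE-CERT-THUMBPRINT>");
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new InternalAuthValidator();
        host.Open();
        return host;
    }
}
```

In the WinForms app, call `HostSetup.Open()` at startup and close the returned host when the main form closes; the client supplies its credentials through `ClientCredentials.UserName` on its proxy or channel factory.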