WCF, DataPower integration - secure binding necessary?

Question

I have been developing a WCF service using basic HTTP binding. This has been integrated with DataPower. I want to follow best practice by enabling secure binding. Is this necessary?

Referring to slide 8 in DataPower WCF integration :

DataPower is designed to off-load the security for the WCF services.

Thank you.

Answer 1

Only your security architects can really tell you if it is needed for your case. Remember, whatever you are sending over the wire is unsecured when using basic HTTP. Within the enterprise, maybe, that isn't a problem. But anyone that was sniffing the trafic could intercept your messages and easily get to the data within.

At Tellago, we have done WCF-Data Power integration using a custom federated security (almost identical to Geneva aka WIF) for our clients. But, odds are, if you are asking if you need security, you probably are not using federated security.