Which transport security or message security?

Question

I have a WCF service that uses net.TCP binding, and this service can be consumed inside the LAN or through internet.

I have read that net.TCP by default use transport level security, but this security is point to point, I think that if I use my client out my LAN, through internet and the communication use many points, perhaps some of this points does not transmit the message without security. Is this correct?

So if I need message security too? I can use a ssl certificate x509 to encrypt the each message and that only can be decrypt by my service that has the private key?

Is there some document that explain how to use certificates with net.TCP binding? Can I use open ssl to create my certificate and use it with WCF?

Thanks.

Answer 1

First of all, both approaches are secure and will suffice for 90% of cases. Transport security secures your channel of communication, but doesn't encrypt your actual message. Message security encrypts your actual message, so servers that the message is passed through can not see the message contents and will need a private key to decrypt your messages. So one could argue message security is safer, at least its more suitable for internet communication. Some good links on WCF security: Message Security in WCF and patterns & practices Improving Web Services Security Guide

netTcpBinding uses Transport security by default, but that doesn't mean you can't use Message security with it. Transport security has less computation overhead than Message security (where each message is encrypted) thus it has better performance. One caveat of using netTcpBinding over the internet is that it may not be guaranteed to work at all times (in the past I have successfully set up netTcpBinding over the internet though) since it uses some ports for message transmission that are not always guaranteed to be left open by network routers and firewalls (over the internet, your messages will be going through many routers and firewalls.) For internet communication, consider one of the HTTP bindings such as basicHttpBinding or wsHttpBinding which also supports message security.

You can use Message security like in other bindings:

<netTcpBinding>
    <binding name="securedBinding">
      <security mode="Message">
      </security>
    </binding>
</netTcpBinding>

and then set the bindingConfiguration on your endpoints to securedBinding.

And on the machine hosting your service (the server):

<behavoirs>
  <serviceBehavior>
    <behavior name="securityBehaviour">
      <serviceCredentials>
        <serviceCertificate
           findValue="serviceCert"
           storeLocation="LocalMachine"
           storeName="My"
           x509FindType="FindBySubjectName" />
      </serviceCredentials>
    </behavoir>
  </serviceBehavior>
</behavoirs>
<services>
  <service name="Service1"  behaviorConfiguration="securityBehaviour">
        <endpoint address="" binding="netTcpBinding" contract="IService1" bindingConfiguration="securedBinding">
        </endpoint>
  </service>
</services>

If you have limited clients and you know who they are, you can use self signed certificates. However if you want optimal security with many unknown clients consuming your service you're best off buying one from a known CA. You then need to install the server certificates on the server machine. Here is an article on how to secure your services with certificates, the blog also has some other useful WCF security articles that you may want to read.