WCF security when trusted bunch of client/servers communicationg over internet

Question

I have some dedicated servers running ASP.NET applications over internet. All servers are fully trusted (all belongs to the same company) and need to communicate to each other in a secure way. They are not part of a domain or work group and should not be.

Each server acts as both client and server of some WCF services. These services are few (1-2 per server) and light (a little data is transferred on each call).

I can use self-signed SSL certificates or X509. I'm looking for some way to make sure nobody from internet can call a WCF service on a server. New server would be added in the future.

I read about WCF but now I'm confused, is it good idea to use self-signed SSL certificates or not (non self-signed is not an option at the moment), which binding to use, which security mode to use, which authentication method to use... I need some hints to start (please provide a link to a sample.

Answer 1

I would use a certificate-based authentication where both client and server are authenticated.

To make things more secure, do not use self sign certificates.

If your company already have a certificate server: issue certificates to each of your server and specify as an authentication configuration that both client and services need to present a certificate issued by your certificate server.

Answer 2

WCF security is a big topic, but there are some other non-WCF specific ways you can secure the service:

• Use IP SEC to secure the communication channel
• Use IP whitelists to grant / deny access to the port that the WCF endpoints operate on
• Use a VPN Solution (particularly convenient if your company already has a site to site VPN)