WCF Security, FSec
Download as PPTX, PDF1 like1,923 views
The document discusses security patterns and practices for Windows Communication Foundation (WCF) services. It begins with an introduction to service-oriented architecture and WCF. It then covers defining web service threats, an overview of basic WCF security concepts like authentication, authorization, and encryption. The document discusses securing the transport channel and message integrity. It provides recommendations for secure configuration, appropriate bindings, and code-based best practices. Throughout, it emphasizes the importance of combining multiple security techniques and technologies to achieve security at the highest level.
![WCF security: patterns & practices
ante.gulam[at]ri-ing.net](https://image.slidesharecdn.com/wcfsecurity-13485590195448-phpapp02-120925025134-phpapp02/85/WCF-Security-FSec-1-320.jpg)
![Overview
• Intro [Service-Oriented Architecture, MS WCF]
• Defining Web Service Threats
• Overview of WCF Security Basics
• Configuration - Starting Point and Ending Point
• Bindings In Depth
• Securing Transport Channel - Integrity and Auth.
• Messages - What I Send is What You Get?
• Few Code-Based WCF Security Best Practices
• Outro [conclusion]](https://image.slidesharecdn.com/wcfsecurity-13485590195448-phpapp02-120925025134-phpapp02/85/WCF-Security-FSec-2-320.jpg)
![Messages - What I Send is What You Get?
• Message integrity check
• Ability to detect and manage invalid data
• Imposition of complete transactions
• Rollbacks
• [Service Behavior] attrib: Transaction Isolation -
Serializable transaction
– protection for consistent data
• Hash calculation on message: xml/json messages
(HMAC, SHA1..)
• ETag (base64 encoding of the md5sum)
• Distributed Transaction Controller
– Single Transaction building
• ‘Global’ Rollback (whole call chain rollback)
– transactionFlow="true"](https://image.slidesharecdn.com/wcfsecurity-13485590195448-phpapp02-120925025134-phpapp02/85/WCF-Security-FSec-10-320.jpg)
![Few Code-Based WCF Security Best Practices
• using() and try/finally keywords in WCF ?
• Why to Avoid Them???
– IL almost identical
– So, where is the problem!?!?
• During Disposal the Channel is NEVER closed!
• Control the catch of Exceptions
• Use a global exception handler to catch
unhandled exceptions
• FaultContract
• FaultContract(typeof(CustomException))]
– throw new FaultException<MathFault>(mf);](https://image.slidesharecdn.com/wcfsecurity-13485590195448-phpapp02-120925025134-phpapp02/85/WCF-Security-FSec-11-320.jpg)
![• using() • try/finally block
• IL_0000: newobj instance void • IL_0012: ldnull
[System.Windows.Forms]System. IL_0013: stloc.1
Windows.Forms.Form::.ctor() .try
IL_0005: stloc.0 {
.try IL_0014: newobj instance
{ void
IL_0006: leave.s IL_0012 [System.Windows.Forms]System.Win
} // end .try dows.Forms.Form::.ctor()
finally IL_0019: stloc.1
{ IL_001a: leave.s IL_0026
IL_0008: ldloc.0 } // end .try
IL_0009: brfalse.s IL_0011 finally
IL_000b: ldloc.0 {
IL_000c: callvirt instance IL_001c: ldloc.1
void IL_001d: brfalse.s IL_0025
[mscorlib]System.IDisposable::Di IL_001f: ldloc.1
spose() IL_0020: callvirt instance void
IL_0011: endfinally [System]System.ComponentModel.C
} // end handler omponent::Dispose()
IL_0025: endfinally
} // end handler](https://image.slidesharecdn.com/wcfsecurity-13485590195448-phpapp02-120925025134-phpapp02/85/WCF-Security-FSec-12-320.jpg)
![• CAS in WCF services
– [assembly: AllowPartiallyTrustedCallers]
– [PermissionSet(SecurityAction.Assert,Name =
"FullTrust")]
– Calling out from the Restricted client Environment
• Security breach – bypass direct connection
– PartialTrustClientBase<T> ??
– GAC on the client side?
• Proxy Assembly Installation
– Raw WCF Demands](https://image.slidesharecdn.com/wcfsecurity-13485590195448-phpapp02-120925025134-phpapp02/85/WCF-Security-FSec-13-320.jpg)
![Outro [conclusion]
• What have we remembered to make our WS more secure?
– Best practice – combine technologies and techniques to get
security on higher level!!!
• Combine Smart Coding with Good Configuration
• Test your WCF’s on various attack techniques
• ServiceThrottlingBehavior class
– MaxConcurrentCalls (default = 16) [Per-message]
– MaxConcurrentInstances (default = Int32.Max)
• InstanceContextMode ServiceBehaviorAttribute PerCalls /
Sessions
– MaxConcurrentSessions (default = 10) [Per-channel]
• Stay in touch with Recent Security Discoveries Related to
Technologies you are using!
• Platforms, OS services, dev technologies, transport/protocol
technologies, encryption algorithms etc.](https://image.slidesharecdn.com/wcfsecurity-13485590195448-phpapp02-120925025134-phpapp02/85/WCF-Security-FSec-16-320.jpg)
WCF Security, FSec
- 1. WCF security: patterns & practices ante.gulam[at]ri-ing.net
- 2. Overview • Intro [Service-Oriented Architecture, MS WCF] • Defining Web Service Threats • Overview of WCF Security Basics • Configuration - Starting Point and Ending Point • Bindings In Depth • Securing Transport Channel - Integrity and Auth. • Messages - What I Send is What You Get? • Few Code-Based WCF Security Best Practices • Outro [conclusion]
- 3. Intro • SOA in general (discovery, description, messaging) – UDDI XML Hierarchy – UDDI Discovery (automated scanning tools) – WSDL and XSD Descriptions – SOAP vs. REST XML Protocols • SOA Security Issues (ASMX, WCF, Java ...) • WCF (Indigo/2006)- .NET Web Service Technology • Endpoints (Transport & Bindings) – ABC (Address/Binding/Contract) – HTTP, TCP, named pipes, MSMQ ... – MEX – Metadata Exchange
- 4. Defining Web Service Threats • Attractive target • Open to the World (rare filtering access scheme) • Direct connection to core application • Direct connection to core data • Discovering and Attacking Web Services • WS-discovery (service behaviorConfiguration="serviceDiscoverable”) probe: 3702 – WSScanner • Footprinting, Discovery, Enumeration, Scanning and Fuzzing tool • WCF Test Harness – flexible tool for quick service tests • Common WApp vulns: SQL injection, session theft, XML DoS ... • XML/SOAP Manipulation (abusing the protocol) – Eavesdropping Message Exchange – Message Protection Methods • Configuration Data Injection (tampering .conf) • Local/UDDI XML Processing attack
- 5. Overview of WCF Security Basics • Logging and Auditing • Debbuging and Attack Detection • Authentication • Identify Clients » Users, Services, Processes, Machines ... » MiTM Attack Mitigation • Transport Security Mode (cert, NTLM, basic ...) • Message Security Mode (cert, token, username ...) • Authorization • Role-based • Identity-based • Resource-based • Confidentiality • Encryption of Traffic client WCF service • Integrity
- 6. Configuration - Starting Point and Ending Point • Web.config start-up • Web-config encryption • section.SectionInformation.ProtectSection • <system.ServiceModel> • Services » Defining Service Endpoints • Bindings » Basic, WS, WSDual, NetTcp ... ... • Behaviors » <throttling> and other custom behaviors • <Credentials /> Stored in Config <credentials passwordFormat="Clear"> <user name="user1" password="pass1"/> </credentials> • Max Message Size ???? (avoid 2147483647) • Encrypting configuration files (CL tools, code-based...)
- 7. Bindings in Depth • System.ServiceModel.Channels.Binding class • Binding types and Security Modes – WSHttpBinding b = new WSHttpBinding(); b.Security.Mode = SecurityMode.?????: • Transport Security • Mixed-Mode Security • Message Security • Considering Scenarios for the right Bindings • Clients accessing through the Internet (wshttp) • Legacy clients (http) • Intranet (netTCP) • Local Machine Clients (netNamedPipeBinding) • Disconnected queued calls support (netMsmqBinding) • bidirectional communication support (wsDualHttp)
- 8. • System-Provided bindings – BasicHttpBinding: An HTTP protocol binding suitable for connecting to Web services that conforms to the WS-I Basic Profile specification (for example, ASP.NET Web services-based services) – WSHttpBinding: An interoperable binding suitable for connecting to endpoints that conform to the WS-* protocols. – NetNamedPipeBinding: Uses the .NET Framework to connect to other WCF endpoints on the same machine. – NetMsmqBinding: Uses the .NET Framework to create queued message connections with other WCF endpoints. • Custom Bindings – Meet Requirements of Your Service
- 9. Securing Transport Channel • SSL tunneling on WS transport channel • Choosing secure binding or SSL transport?? – More and more on security (end-to-end, part encrypt) – Performances on Message/Transport level – Combining Message and Transport security • Custom Binding and Custom Validator • public override void Validate(string uname, string pass) • <bindingname="CustomBinding“> <securityauthenticationMode="UserNameOverTransport“> </security>
- 10. Messages - What I Send is What You Get? • Message integrity check • Ability to detect and manage invalid data • Imposition of complete transactions • Rollbacks • [Service Behavior] attrib: Transaction Isolation - Serializable transaction – protection for consistent data • Hash calculation on message: xml/json messages (HMAC, SHA1..) • ETag (base64 encoding of the md5sum) • Distributed Transaction Controller – Single Transaction building • ‘Global’ Rollback (whole call chain rollback) – transactionFlow="true"
- 11. Few Code-Based WCF Security Best Practices • using() and try/finally keywords in WCF ? • Why to Avoid Them??? – IL almost identical – So, where is the problem!?!? • During Disposal the Channel is NEVER closed! • Control the catch of Exceptions • Use a global exception handler to catch unhandled exceptions • FaultContract • FaultContract(typeof(CustomException))] – throw new FaultException<MathFault>(mf);
- 12. • using() • try/finally block • IL_0000: newobj instance void • IL_0012: ldnull [System.Windows.Forms]System. IL_0013: stloc.1 Windows.Forms.Form::.ctor() .try IL_0005: stloc.0 { .try IL_0014: newobj instance { void IL_0006: leave.s IL_0012 [System.Windows.Forms]System.Win } // end .try dows.Forms.Form::.ctor() finally IL_0019: stloc.1 { IL_001a: leave.s IL_0026 IL_0008: ldloc.0 } // end .try IL_0009: brfalse.s IL_0011 finally IL_000b: ldloc.0 { IL_000c: callvirt instance IL_001c: ldloc.1 void IL_001d: brfalse.s IL_0025 [mscorlib]System.IDisposable::Di IL_001f: ldloc.1 spose() IL_0020: callvirt instance void IL_0011: endfinally [System]System.ComponentModel.C } // end handler omponent::Dispose() IL_0025: endfinally } // end handler
- 13. • CAS in WCF services – [assembly: AllowPartiallyTrustedCallers] – [PermissionSet(SecurityAction.Assert,Name = "FullTrust")] – Calling out from the Restricted client Environment • Security breach – bypass direct connection – PartialTrustClientBase<T> ?? – GAC on the client side? • Proxy Assembly Installation – Raw WCF Demands
- 14. • ChannelFactory class – Used in advanced scenarios – Creation of Multiple Channels for Communication • ChannelFactory<xx> myChannelFactory = new ChannelFactory<xx>(myBinding, myEndpoint); xx wcfClient1 = myChannelFactory.CreateChannel(); – channelFactory.Credentials (username/password) – Avoid Creation of ChannelFactory on each page call (overhead)
- 15. • Make a port scanner out of WCF – WSDualHttpBinding – “CreateSequence” SOAP request – “ReplyTo” address • https://github.com/GDSSecurity/WCF-WSDualHttpBinding-Port-Scanner
- 16. Outro [conclusion] • What have we remembered to make our WS more secure? – Best practice – combine technologies and techniques to get security on higher level!!! • Combine Smart Coding with Good Configuration • Test your WCF’s on various attack techniques • ServiceThrottlingBehavior class – MaxConcurrentCalls (default = 16) [Per-message] – MaxConcurrentInstances (default = Int32.Max) • InstanceContextMode ServiceBehaviorAttribute PerCalls / Sessions – MaxConcurrentSessions (default = 10) [Per-channel] • Stay in touch with Recent Security Discoveries Related to Technologies you are using! • Platforms, OS services, dev technologies, transport/protocol technologies, encryption algorithms etc.
- 17. thank you for your attention questions and comments