2. ITCamp 2012 sponsors Architecture &
Best Practices
@ itcampro # itcamp12 Premium conference on Microsoft technologies
3. Agenda
• Overview
• Authentication & Authorization
• Security Modes
• Credential Types
• WCF Authentication Service
• Custom UserName & Password Authentication
• Q&A
4. Overview
• Online transactions
• Do we ignore security?
5. Overview – Security fundamentals
• Auditing and Logging
• Authentication
• Authorization
• Configuration Management
• Message Protection
• Message Validation
• Sensitive data
• Session Management
6. Threats, Vulnerabilities and Attacks
• Asset
• Threat
• Vulnerability
• Attack
7. Authentication != Authorization
• Authentication identifies a user or process
• One of the most important aspects of security
• We use it daily: IDs, user names & passwords, etc.
8. Authorization
• Verifies which resources the identified party can access
• It happens after authentication
• Very closely related to authentication
9. Authentication in WCF
• None
• Basic
• NTLM
• Windows
• Certificate
• Username
– Custom Provider
– SqlMembership Provider
• Issued Token
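The "Username – Custom Provider" entry above is the hook for the custom UserName & Password authentication on the agenda. The following is an added example, not code from the ITCamp slides: a UserNamePasswordValidator subclass plugged into a ServiceHost. The service contract (IOrderService), the in-memory user table, the endpoint URL and the PBKDF2 parameters are assumptions; the HTTPS listener also needs a server certificate bound to the port outside this code.

```csharp
// Added example (not from the slides). Assumed: OrderService contract, endpoint URL,
// an in-memory user table standing in for a real credential store.
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;

public class PasswordRecord
{
    public byte[] Salt;
    public byte[] Hash;
    public int Iterations;
}

public class HashedUserNameValidator : UserNamePasswordValidator
{
    private readonly IDictionary<string, PasswordRecord> _users;
    private readonly PasswordRecord _decoy;

    public HashedUserNameValidator(IDictionary<string, PasswordRecord> users)
    {
        _users = users;
        // Decoy record so an unknown user name costs the same as a known one
        _decoy = Create("decoy-password");
    }

    // Salted PBKDF2 (Rfc2898DeriveBytes); iteration count is an assumption
    public static PasswordRecord Create(string password)
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        const int iterations = 100000;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            return new PasswordRecord { Salt = salt, Hash = kdf.GetBytes(32), Iterations = iterations };
    }

    // Compare without an early exit, so timing does not reveal the matching prefix
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // WCF calls this for every incoming UserName token; throwing rejects the call
    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new SecurityTokenException("Credentials missing");

        PasswordRecord rec;
        bool known = _users.TryGetValue(userName, out rec);
        if (!known) rec = _decoy;

        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, rec.Salt, rec.Iterations))
            candidate = kdf.GetBytes(rec.Hash.Length);

        // One generic message for both failure cases: do not reveal which part was wrong
        if (!known || !FixedTimeEquals(candidate, rec.Hash))
            throw new SecurityTokenException("Unknown user name or incorrect password");
    }
}

[ServiceContract]
public interface IOrderService { [OperationContract] string Ping(); }

public class OrderService : IOrderService { public string Ping() { return "pong"; } }

public static class Program
{
    public static void Main()
    {
        var users = new Dictionary<string, PasswordRecord>
        {
            { "alice", HashedUserNameValidator.Create("correct horse battery staple") }
        };

        // TransportWithMessageCredential: TLS protects the channel, the UserName
        // token travels inside the SOAP message (never over plain HTTP).
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var host = new ServiceHost(typeof(OrderService), new Uri("https://localhost:8443/orders"));
        host.AddServiceEndpoint(typeof(IOrderService), binding, "");
        host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode =
            UserNamePasswordValidationMode.Custom;
        host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator =
            new HashedUserNameValidator(users);

        host.Open();
        Console.WriteLine("Listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

The same validator can be wired from configuration instead of code (serviceCredentials/userNameAuthentication with userNamePasswordValidationMode="Custom"); either way, the validator only ever sees the credentials after WCF has unwrapped the security token, so the binding must be one that protects them on the wire.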
10. Security Modes
• None
– Not recommended
• Transport Security
– Encrypts the communication channel
• Message Security
– The message is encrypted
11. Security Modes - Variations
• Transport Credential Only
– Credentials are sent as part of the message but are not encrypted
• Transport With Message Credential
– Credentials are sent as part of the message and the message protection is done at the transport level
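To make the five modes from the last two slides concrete, here is an added example (not from the ITCamp slides) that builds a BasicHttpBinding for each BasicHttpSecurityMode, marks which ones leave credentials readable on the wire, and prints the resulting URL scheme. The credential types chosen per mode and the risk notes are this example's assumptions; BasicHttpBinding is used because it exposes exactly the five mode names on the slides.

```csharp
// Added example (not from the slides): the weak configurations beside the
// recommended ones. Risk notes and credential choices are assumptions.
using System;
using System.ServiceModel;

public static class SecurityModeCatalog
{
    // Returns a configured binding for the requested mode plus a one-line risk note
    public static BasicHttpBinding Build(BasicHttpSecurityMode mode, out string note)
    {
        var binding = new BasicHttpBinding(mode);
        switch (mode)
        {
            case BasicHttpSecurityMode.None:
                note = "No protection: credentials and payload in plaintext. Not recommended.";
                break;

            case BasicHttpSecurityMode.TransportCredentialOnly:
                // Credentials travel over plain HTTP: readable by anyone on the path
                binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Basic;
                note = "Credentials sent over HTTP without encryption.";
                break;

            case BasicHttpSecurityMode.Transport:
                // HTTPS: integrity + confidentiality for this hop only (point-to-point)
                binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
                note = "TLS protects the channel between client and service.";
                break;

            case BasicHttpSecurityMode.TransportWithMessageCredential:
                // TLS protects the channel; the UserName token sits inside the SOAP message
                binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.UserName;
                note = "TLS on the channel, UserName token in the message.";
                break;

            case BasicHttpSecurityMode.Message:
                // WS-Security on the message itself: survives intermediaries (end-to-end)
                binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
                note = "Message-level protection; intermediaries cannot read it.";
                break;

            default:
                throw new ArgumentOutOfRangeException("mode");
        }
        return binding;
    }

    // Only these three modes keep the client's credentials unreadable on the wire
    public static bool ProtectsCredentialsOnTheWire(BasicHttpSecurityMode mode)
    {
        return mode == BasicHttpSecurityMode.Transport
            || mode == BasicHttpSecurityMode.TransportWithMessageCredential
            || mode == BasicHttpSecurityMode.Message;
    }

    public static void Main()
    {
        foreach (BasicHttpSecurityMode mode in Enum.GetValues(typeof(BasicHttpSecurityMode)))
        {
            string note;
            BasicHttpBinding b = Build(mode, out note);
            // Scheme shows where the channel protection comes from: http vs. https
            Console.WriteLine("{0,-32} scheme={1,-5} credentials protected={2,-5} {3}",
                mode, b.Scheme, ProtectsCredentialsOnTheWire(mode), note);
        }
    }
}
```

Running it shows that None and TransportCredentialOnly produce an http scheme and leave credentials unprotected, while Transport and TransportWithMessageCredential produce https; Message keeps the http scheme because the protection is inside the envelope rather than on the channel.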
12. Transport Security
• SSL over HTTP(S)/TCP
• Our purpose is to ensure integrity, confidentiality and authentication
• Integrity = encryption key
• Confidentiality = data encryption
• Authentication = credentials
• Use a digital certificate to encrypt the channel
13. Transport Security
• When do we use Transport Security?
• Advantages
– Better performance
– Interoperability
• Disadvantages
– ‘Point-2-Point’
14. Message Security
• When do we use Message Security?
• Encrypts only the message
• Advantages
– ‘End-2-End’ security
– Independent of the communication protocol
• Disadvantages
– Lower performance compared to transport
– Does not support interoperability with older ASMX clients
15. WCF Authentication Service
• Uses ASP.NET membership to authenticate users
• It requires cookies
• Can customize user login
• Can customize authentication cookie
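The two "can customize" bullets correspond to the Authenticating and CreatingCookie events of System.Web.ApplicationServices.AuthenticationService. The following is an added example, not code from the ITCamp slides: a Global.asax code-behind that hooks both events, restricts logins to members of a role and issues a non-persistent, HttpOnly, Secure forms cookie. The role name "ApiUsers", the 20-minute lifetime and the web.config fragment in the comment are assumptions.

```csharp
// Added example (not from the slides). Assumed: role "ApiUsers", 20-minute ticket,
// and a web.config that enables the service over SSL only, e.g.
//   <system.web.extensions><scripting><webServices>
//     <authenticationService enabled="true" requireSSL="true" />
//   </webServices></scripting></system.web.extensions>
using System;
using System.Web;
using System.Web.ApplicationServices;
using System.Web.Security;

public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Static events: wire them once per application
        AuthenticationService.Authenticating += OnAuthenticating;
        AuthenticationService.CreatingCookie += OnCreatingCookie;
    }

    // Customized user login: membership check plus a role requirement
    private static void OnAuthenticating(object sender, AuthenticatingEventArgs e)
    {
        bool passwordOk = Membership.ValidateUser(e.UserName, e.Password);
        // Only evaluate the role after the password check so unknown users get no hint
        bool roleOk = passwordOk && Roles.IsUserInRole(e.UserName, "ApiUsers");

        e.Authenticated = passwordOk && roleOk;
        // Tell the service not to fall back to the default Membership.ValidateUser call
        e.AuthenticationIsComplete = true;
    }

    // Customized authentication cookie: short-lived, never persistent, browser-script-proof
    private static void OnCreatingCookie(object sender, CreatingCookieEventArgs e)
    {
        var now = DateTime.UtcNow;
        var ticket = new FormsAuthenticationTicket(
            1, e.UserName, now, now.AddMinutes(20), false /* ignore e.IsPersistent */, string.Empty);

        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,   // not readable from script
            Secure = true,     // only sent over HTTPS
            Path = FormsAuthentication.FormsCookiePath
        };
        HttpContext.Current.Response.Cookies.Add(cookie);

        // Signal that the handler has set the cookie itself
        e.CookieIsSet = true;
    }
}
```

Because the service depends on the forms cookie, a client that does not round-trip cookies will authenticate successfully and still be anonymous on the next call; the Secure flag means the cookie is only ever sent back over HTTPS, which lines up with requireSSL="true" on the service element.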
16. Q&A