3
votes

I would like to secure a WCF service at transport level; however, this article says it works for an intranet scenario: http://msdn.microsoft.com/en-us/library/ff648863.aspx

"Use transport security in the following scenarios:

You are sending a message directly from your application to a WCF service and the message will not be routed through intermediate systems. Both the service and the client are located in an intranet."

For an Internet scenario, should the Message Security approach be used?

"Your WCF clients are accessing the WCF service over the Internet and messages may be routed through intermediate systems."

Please let me know if transport security only works for the intranet scenario.

1 Answer

3
votes

You can use Transport-level security for services over the internet. Message-level security is generally recommended as it provides a superior level of security. Message-level provides end-to-end security while Transport-level only provides point-to-point, but that doesn't mean you cannot create a secure WCF service without Message security.

There are even scenarios where Message security over the internet is a poor choice, such as Streaming Large Data. With Message security you can't stream data in chunks, as WCF will buffer all messages into memory before transmission when message security is set. This can lead to scalability issues.

You can secure your WCF Service with Transport security over the internet by using Secure HTTP (HTTPS Protocol). Install a certificate on the server machine, bind the certificate to a specified port on the server machine and SSL will provide security.

But I would always use Message security in an internet scenario, unless circumstances did not permit, as in the large data scenario above.
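
The setup described in the answer above, as an added example that is not part of the original answer: a self-hosted WCF service that uses Transport security over HTTPS and streams its response. The contract `IFileService`, the class `FileService`, port 8443 and the folder path are hypothetical names chosen for illustration, and the certificate is assumed to be installed and bound to the port already.

```csharp
using System;
using System.IO;
using System.ServiceModel;

// Hypothetical contract for illustration: returns a large file as a stream.
[ServiceContract]
public interface IFileService
{
    [OperationContract]
    Stream Download(string name);
}

public class FileService : IFileService
{
    private const string Root = @"C:\data\downloads"; // assumed content folder

    public Stream Download(string name)
    {
        // Keep only the file name so a caller cannot walk out of Root.
        string path = Path.Combine(Root, Path.GetFileName(name));
        return File.OpenRead(path);
    }
}

public static class Program
{
    public static void Main()
    {
        // Transport security: HTTPS protects the channel point-to-point.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;

        // Streaming works here because WCF does not sign or encrypt the body
        // itself; with Message security the message would be buffered in memory.
        binding.TransferMode = TransferMode.StreamedResponse;

        // The certificate must already be bound to the port, for example:
        //   netsh http add sslcert ipport=0.0.0.0:8443 certhash=<thumbprint> appid={<guid>}
        // (<thumbprint> and <guid> are placeholders for your own values.)
        var address = new Uri("https://localhost:8443/files");
        using (var host = new ServiceHost(typeof(FileService), address))
        {
            host.AddServiceEndpoint(typeof(IFileService), binding, "");
            host.Open();
            Console.WriteLine("Listening on " + address);
            Console.ReadLine(); // keep the host open until Enter is pressed
        }
    }
}
```

A client needs a matching `BasicHttpBinding` with the same security and transfer mode, and must trust the server certificate.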