WCF Basics and Security overview
Yaron Hakon
Application Security Consultant, 2Bsecure
yaron@2bsecure.co.il

Agenda
• WCF Overview.
• WCF Security model.
• Attacks and countermeasures (if time permits).

WCF is...

The Imperative to Connect
[Diagram: a mobile employee app, an existing J2EE application on a J2EE app server, a call center ASP.NET app, an IDM system, enterprise services and customer applications on various platforms (Java and others) all connecting to services built on the .NET framework over HTTP, HTTPS, TCP/IP and WSE.]

• WCF services expose endpoints that clients and services use to exchange messages.

Windows Communication Foundation - Unified Programming Model
[Diagram: WCF unifies ASMX, .NET Remoting, Enterprise Services, System.Messaging and WSE under one model with three pillars: interoperability, productivity and service-oriented development.]
• WS-* protocol support.
• Interop with other platforms.
• Unifies today's distributed technologies.
• Attribute-based programming.
• Visual Studio 2005 integration.
• Loosely-coupled services.
• Config-based communication.
• Extensibility.
• Location transparency.
• Message-oriented programming.

WCF – A B C
• A Service Endpoint has an Address, a Binding, and a Contract (ABC).
• An Address is a network address that indicates where the service is located.
• A Binding specifies how a client can communicate with the endpoint, including transport protocol, encoding, and security requirements.
• A Contract identifies what operations are available to the clients.
[Diagram: a Client and a Service, each with endpoints made of A, B and C, exchange XML messages and metadata through a messaging layer that provides Security, Reliable Messaging and Transactions.]

Address - Where?
Binding - How?
Contract - What?

WCF – Architecture & channel stack
[Diagram: client code calls a proxy class (A, B, C); the WCF runtime on each side turns the call into a message and sends it down a channel stack (protocol channels for security and reliability, an encoder, a transport); on the service side the incoming request goes up the channel stack to the dispatcher, which invokes the service interface (Method A, Method B) implemented in the WCF service code.]

Understanding binding options
A binding is configured from three layers: Protocol, Encoding and Transport (plus security).
Protocols:
• Security, reliable messaging capability, transactions.
Encoding:
• XML text, MTOM, binary.
Transport:
• TCP, HTTP/S, named pipes, custom.
Contract:
• .NET assembly contracts: data, message and service contracts...

Understanding Standard Bindings
The System.ServiceModel namespace includes the following predefined bindings:

| Binding                | Transport | Encoding  | Interoperability | Security modes                  | Transactions |
|------------------------|-----------|-----------|------------------|---------------------------------|--------------|
| BasicHttpBinding       | HTTP/S    | Text      | WS-I             | None, Transport, Message, Mixed | no           |
| WSHttpBinding          | HTTP/S    | Text/MTOM | WS-*             | None, Transport, Message, Mixed | yes          |
| WSDualHttpBinding      | HTTP      | Text/MTOM | WS-*             | None, Message                   | yes          |
| WSFederationBinding    | HTTP/S    | Text/MTOM | WSF              | None, Message, Mixed            | yes          |
| NetTcpBinding          | TCP       | Binary    | .NET             | None, Transport, Message, Mixed | no           |
| NetPeerTcpBinding      | P2P       | Binary    | Peer             | None, Message, Transport, Mixed | yes          |
| NetNamedPipeBinding    | IPC       | Binary    | .NET             | None, Transport                 | yes          |
| NetMsmqBinding         | MSMQ      | Binary    | .NET             | None, Message, Transport, Both  | yes          |
| MsmqIntegrationBinding | MSMQ      | Binary    | MSMQ             | None, Transport                 | yes          |

1. Building Windows Communication Foundation Service

WCF - Hosting
• User application - custom host app (self host).
• IIS host (WS).
• Windows service app.
• IIS version 7.0 - Windows Activation Services (WAS): configuration sharing, application pool sandboxing, support for non-HTTP transport protocols.
Read more: http://msdn2.microsoft.com/en-us/library/ms733109.aspx

Self Host
• Configure the endpoints: add endpoint information for the Web service in App.config.
  • Address (http, https, ...)
  • Binding
  • Contract
• Create listener objects for each address.
• Listen for requests: productsServiceHost.Open() / Close().

IIS Host
• Project assemblies are built in the bin folder.
• Add a service definition file (.svc) that names the class IIS will execute and the assembly holding that class.
• Add endpoint information for the Web service in Web.config.
  • Address (IIS and .svc address)
  • Binding
  • Contract
• Add a new site for the service.
• Deploy the service in IIS.
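The following self-hosted service ties the ABC model to the self-host steps above (contract, address, binding, Open/Close). It is an added example written for this page, not code from the slides or from the speaker; the contract namespace, host name, port and product data are assumptions made up for the demo.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

namespace SelfHostDemo
{
    // Contract ("C"): the operations the endpoint offers.
    // The namespace is a hypothetical value chosen for this example.
    [ServiceContract(Namespace = "http://example.invalid/products")]
    public interface IProductsService
    {
        [OperationContract]
        decimal GetPrice(string productId);
    }

    // Service implementation bound to the contract.
    public class ProductsService : IProductsService
    {
        public decimal GetPrice(string productId)
        {
            // Constructed sample data; a real service would consult a catalogue.
            return productId == "WIDGET-1" ? 9.99m : 0m;
        }
    }

    class Program
    {
        static void Main()
        {
            // Address ("A"): where the service listens. Host name and port are assumptions.
            var baseAddress = new Uri("http://localhost:8000/ProductsService");

            using (var productsServiceHost = new ServiceHost(typeof(ProductsService), baseAddress))
            {
                // Binding ("B"): how clients talk to the endpoint. WSHttpBinding in
                // Message mode signs and encrypts the SOAP body by default.
                var binding = new WSHttpBinding(SecurityMode.Message);

                // Endpoint = A + B + C (relative address "" means the base address itself).
                productsServiceHost.AddServiceEndpoint(typeof(IProductsService), binding, "");

                // Metadata over HTTP GET lets "Add Service Reference" build a proxy.
                // Leave it off in production unless the WSDL is meant to be public.
                productsServiceHost.Description.Behaviors.Add(
                    new ServiceMetadataBehavior { HttpGetEnabled = true });

                // Open() creates a listener for each endpoint address.
                productsServiceHost.Open();
                Console.WriteLine("Listening on " + baseAddress + ". Press Enter to stop.");
                Console.ReadLine();

                // Close() stops listening and lets in-flight calls finish.
                productsServiceHost.Close();
            }
        }
    }
}
```

The same endpoint could be declared administratively in App.config under `<system.serviceModel>/<services>/<service>/<endpoint>` with matching `address`, `binding` and `contract` attributes; the code form is used here so the three parts are visible in one place. On Windows, listening on an HTTP URL from a non-elevated process requires a URL reservation for that prefix.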

2. Building Self Host For WCF Service

Consuming WCF Service
• Select the preferred client.
• Add a service reference.
• Configuration - ABC.
• Consume.

3. Hosting WCF Service in IIS

Good to know
• Multiple service endpoints: expose the service on different endpoints for different clients.
• Using MSMQ and transactions.

Configuring Service Instance Context Modes:
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerSession)]
• PerSession - opens a new session for each client and closes the session when the client aborts. Default (max 10 connections); can't share data between service instances.
• PerCall - creates a new instance each time the client invokes an operation and closes it after the call finishes. Hard to implement state.
• Single - opens one instance of the service for all clients. Opened when the first service call comes; closed by the server. Sharing data between clients: +/-?

4. Consuming WCF service from console application
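To make the three instance modes concrete, the added example below (not from the slides or the speaker) hosts the same counter contract with each mode over named pipes and calls it from two separate proxies; the pipe address is a hypothetical value.

```csharp
using System;
using System.ServiceModel;
using System.Threading;

namespace InstanceModeDemo
{
    [ServiceContract(SessionMode = SessionMode.Allowed)]
    public interface ICounter
    {
        [OperationContract]
        int Increment();
    }

    // PerCall: a fresh instance per operation, so _count restarts at zero on every call.
    // Nothing leaks between callers, but state has to be kept elsewhere.
    [ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall)]
    public class PerCallCounter : ICounter
    {
        private int _count;
        public int Increment() { return ++_count; }
    }

    // PerSession: one instance per client proxy for the life of the session (the default
    // when the binding supports sessions). _count grows per client, not across clients.
    [ServiceBehavior(InstanceContextMode = InstanceContextMode.PerSession)]
    public class PerSessionCounter : ICounter
    {
        private int _count;
        public int Increment() { return ++_count; }
    }

    // Single: one instance shared by every client. Shared state is reachable from all
    // callers, so access must be thread-safe once ConcurrencyMode allows parallel calls.
    [ServiceBehavior(InstanceContextMode = InstanceContextMode.Single,
                     ConcurrencyMode = ConcurrencyMode.Multiple)]
    public class SingletonCounter : ICounter
    {
        private int _count;
        public int Increment() { return Interlocked.Increment(ref _count); }
    }

    class Program
    {
        // Hosts the given implementation over named pipes (a session-capable binding)
        // and drives it from two proxies so the difference in state becomes visible.
        static void Run(Type implementation)
        {
            var address = new Uri("net.pipe://localhost/counterDemo"); // hypothetical address
            var binding = new NetNamedPipeBinding();

            using (var host = new ServiceHost(implementation, address))
            {
                host.AddServiceEndpoint(typeof(ICounter), binding, "");
                host.Open();

                var factory = new ChannelFactory<ICounter>(binding, new EndpointAddress(address));
                ICounter clientA = factory.CreateChannel();
                ICounter clientB = factory.CreateChannel();

                Console.WriteLine("{0}: A={1} A={2} B={3}", implementation.Name,
                    clientA.Increment(), clientA.Increment(), clientB.Increment());

                ((IClientChannel)clientA).Close();
                ((IClientChannel)clientB).Close();
                factory.Close();
            }
        }

        static void Main()
        {
            Run(typeof(PerCallCounter));     // every call lands on a new instance
            Run(typeof(PerSessionCounter));  // A's second call continues A's count; B starts over
            Run(typeof(SingletonCounter));   // B continues where A left off
        }
    }
}
```

The security-relevant point is the last case: with Single, any per-request data left in fields is visible to every other caller, which is why shared state in a singleton needs both synchronization and a deliberate decision about what is allowed to be shared.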

Agenda
• WCF Overview.
• WCF Security model.
• Attacks and countermeasures (if time permits).

5. Consuming WCF service in self host with 2 endpoints from different clients: console application & ASP.NET

Security in every WCF operation call
• Service contract.
• Operation contract.
• Fault contract.
• Service / client behavior - client credentials, service credentials.
• Operation behavior.
• Host configuration.
• Method configuration and code.
• Proxy configuration.
• Binding configuration.

Transfer security concepts
• Message integrity - tampering.
• Message privacy - sensitive data, confidentiality.
• Mutual authentication - client / server authentication.
• Replay attacks.
• Denial of service attacks.

using System.Net.Security;
using System.ServiceModel;

[ServiceContract(ProtectionLevel = ProtectionLevel.Sign)]
public interface IMyContract
{
    // Inherits the contract-level protection level: signed only.
    [OperationContract]
    void SignMethod(…);

    // Operation-level setting overrides the contract-level one: signed and encrypted.
    [OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign)]
    void EncryptAndSignMethod(…);
}

Transfer security modes
• None - no client credentials are provided to the service; clear-text messages over a non-secure transport layer.
• Transport - integrity, privacy, and mutual authentication.
  • Secure transport protocols: HTTPS, TCP, IPC, MSMQ (SSL security).
  • Point-to-point: all communication on the channel is encrypted, and the client's credentials are encrypted along with the rest of the message.
  • Encrypts the entire message; the sender must trust all intermediaries; restricts the protocols that can be used.
• Message - integrity, privacy, and mutual authentication.
  • Encrypts the message itself: end-to-end security, independent of the transport, so clients can communicate securely over non-secure transports.
  • Supports multiple protocols and multiple encryption technologies; can encrypt only parts of the message.
• Mixed - transport security for message integrity, privacy and service authentication; message security for securing the client credentials. Point-to-point security.
• Both - integrity, privacy, and mutual authentication using both transport security and message security.

Mode scenarios: transport security (SSL) and message security (security context).

Transfer security mode by binding - set on the binding, programmatically or administratively:

| Binding             | None        | Transport   | Message     | Mixed | Both |
|---------------------|-------------|-------------|-------------|-------|------|
| BasicHttpBinding    | Y (default) | Y           | Y           | Y     | N    |
| NetTcpBinding       | Y           | Y (default) | Y           | Y     | N    |
| NetPeerTcpBinding   | Y           | Y (default) | Y           | Y     | N    |
| NetNamedPipeBinding | Y           | Y (default) | N           | N     | N    |
| NetMsmqBinding      | Y           | Y (default) | Y           | N     | Y    |
| WSHttpBinding       | Y           | Y           | Y (default) | Y     | N    |
| WSFederationBinding | Y           | N           | Y (default) | Y     | N    |
| WSDualHttpBinding   | Y           | N           | Y (default) | N     | N    |

Programmatically securing the basic binding
BasicHttpBinding binding2 = new BasicHttpBinding();
binding2.Security.Mode = BasicHttpSecurityMode.Message;

Administratively securing the basic binding
<bindings>
  <basicHttpBinding>
    <binding name="SecuredBasic">
      <security mode="Message" />
    </binding>
  </basicHttpBinding>
</bindings>

Transport Security and Credentials
WCF lets you select from a number of possible client credential types:
• NTLM or Kerberos.
• Classic username and password.
• Windows security token.
• X509 certificate.
• Anonymous.

Transport security client credentials by binding:

| Binding             | None        | Windows     | UserName    | Certificate |
|---------------------|-------------|-------------|-------------|-------------|
| BasicHttpBinding    | Y (default) | Y           | Y           | Y           |
| NetTcpBinding       | Y           | Y (default) | N           | Y           |
| NetPeerTcpBinding   | N           | N           | Y (default) | Y           |
| NetNamedPipeBinding | N           | Y (default) | N           | N           |
| NetMsmqBinding      | Y           | Y (default) | Y           | N           |
| WSHttpBinding       | Y           | Y (default) | Y           | Y           |
| WSFederationBinding | N/A         | N/A         | N/A         | N/A         |
| WSDualHttpBinding   | N/A         | N/A         | N/A         | N/A         |

6. Use of transfer security – basicHttpBinding -> WSHttpBinding. WCF trace view with Microsoft Service Trace Viewer, before and after.
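The block below shows the transfer security modes and client credential types from the previous slides as binding objects: the insecure default of BasicHttpBinding beside Transport, Message and Mixed configurations, plus the client-side certificate validation that belongs with message credentials. It is an added example, not code from the slides or the speaker; the service address, DNS identity and user name passed in are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

namespace TransferSecurityDemo
{
    public static class Bindings
    {
        // Weak: no transfer security. Credentials and payload travel in clear text.
        public static BasicHttpBinding Insecure()
        {
            return new BasicHttpBinding(BasicHttpSecurityMode.None);
        }

        // Transport mode: HTTPS gives point-to-point integrity, privacy and service
        // authentication; the client presents its Windows token (NTLM or Kerberos).
        public static WSHttpBinding TransportWithWindows()
        {
            var binding = new WSHttpBinding(SecurityMode.Transport);
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
            return binding;
        }

        // Message mode: the SOAP message is signed and encrypted end to end, so it stays
        // protected across intermediaries. The client sends a username token, encrypted
        // to the service's X.509 certificate.
        public static WSHttpBinding MessageWithUserName()
        {
            var binding = new WSHttpBinding(SecurityMode.Message);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
            binding.Security.Message.EstablishSecurityContext = true; // one handshake, then a secure session
            return binding;
        }

        // Mixed mode: transport security for the channel, a username token inside the
        // message for the client credential.
        public static WSHttpBinding Mixed()
        {
            var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
            return binding;
        }
    }

    public static class ClientSide
    {
        // Builds a proxy factory that carries a username/password and verifies the
        // service certificate chain (and revocation) instead of switching validation off.
        public static ChannelFactory<T> Create<T>(WSHttpBinding binding, Uri address,
                                                  string dnsIdentity, string user, string password)
        {
            // The DNS identity must match the service certificate's subject name.
            var endpoint = new EndpointAddress(address, EndpointIdentity.CreateDnsIdentity(dnsIdentity));
            var factory = new ChannelFactory<T>(binding, endpoint);
            factory.Credentials.UserName.UserName = user;
            factory.Credentials.UserName.Password = password;

            var auth = factory.Credentials.ServiceCertificate.Authentication;
            auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
            auth.RevocationMode = X509RevocationMode.Online;
            return factory;
        }
    }

    class Program
    {
        static void Main()
        {
            Console.WriteLine("basic / none:      " + Bindings.Insecure().Security.Mode);
            Console.WriteLine("ws / transport:    " + Bindings.TransportWithWindows().Security.Mode);
            Console.WriteLine("ws / message:      " + Bindings.MessageWithUserName().Security.Mode);
            Console.WriteLine("ws / mixed:        " + Bindings.Mixed().Security.Mode);
        }
    }
}
```

Message and Mixed modes with a UserName credential require the service to hold an X.509 certificate (configured through the host's `Credentials.ServiceCertificate`); the client-side `ChainTrust` setting is what makes that certificate mean anything, since `X509CertificateValidationMode.None` would accept any certificate presented on the wire.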

Message Security and Credentials
• The same types of credentials as with transport security, plus the issued token credential type.
• http://msdn2.microsoft.com/en-us/library/ms731161.aspx

Message security client credentials by binding:

| Binding             | None | Windows     | UserName | Certificate | Token |
|---------------------|------|-------------|----------|-------------|-------|
| BasicHttpBinding    | N    | N           | N        | Y           | N     |
| NetTcpBinding       | Y    | Y (default) | Y        | Y           | Y     |
| NetPeerTcpBinding   | N/A  | N/A         | N/A      | N/A         | N/A   |
| NetNamedPipeBinding | N/A  | N/A         | N/A      | N/A         | N/A   |
| NetMsmqBinding      | Y    | Y (default) | Y        | Y           | Y     |
| WSHttpBinding       | Y    | Y (default) | Y        | Y           | Y     |
| WSFederationBinding | N/A  | N/A         | N/A      | N/A         | N/A   |
| WSDualHttpBinding   | Y    | Y (default) | Y        | Y           | Y     |

Authentication \ Authorization
• Authentication:
  • ASP.NET Membership Provider.
  • Custom username and password validator.
  • Identity and authentication.
• Authorization:
  • Restrict access with the PrincipalPermissionAttribute.
  • ASP.NET Role Provider with a service.
  • ASP.NET Authorization Manager Role Provider with a service.
  • Claims and authorization with the Identity Model.
• Delegation and impersonation.
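Two of the options listed above, the custom username/password validator and PrincipalPermission-based authorization, are combined in the added example below (written for this page, not the speaker's demo code). The user store and role table are constructed demo data, the HTTPS address is hypothetical, and a server certificate is assumed to be bound to that port.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

namespace AuthDemo
{
    // Custom validator: WCF calls Validate for every username token it receives.
    // The store is constructed for the example; real code compares a salted hash
    // from a directory or database.
    public class DemoUserNameValidator : UserNamePasswordValidator
    {
        private static readonly Dictionary<string, string> Users =
            new Dictionary<string, string> { { "alice", "alice-demo-pw" }, { "bob", "bob-demo-pw" } };

        public override void Validate(string userName, string password)
        {
            string expected;
            if (userName == null || !Users.TryGetValue(userName, out expected) || expected != password)
            {
                // One message for unknown user and wrong password: no account enumeration.
                throw new SecurityTokenException("Authentication failed");
            }
        }
    }

    // Maps the authenticated identity to roles so PrincipalPermission demands have a
    // principal to evaluate (used with PrincipalPermissionMode.Custom).
    public class DemoRolePolicy : IAuthorizationPolicy
    {
        private static readonly Dictionary<string, string[]> Roles =
            new Dictionary<string, string[]> { { "alice", new[] { "Managers" } } }; // constructed role table
        private readonly string _id = Guid.NewGuid().ToString();

        public string Id { get { return _id; } }
        public ClaimSet Issuer { get { return ClaimSet.System; } }

        public bool Evaluate(EvaluationContext context, ref object state)
        {
            object obj;
            if (!context.Properties.TryGetValue("Identities", out obj)) return false;
            var identities = obj as IList<IIdentity>;
            if (identities == null || identities.Count == 0) return false;

            IIdentity identity = identities[0];
            string[] roles;
            if (!Roles.TryGetValue(identity.Name, out roles)) roles = new string[0]; // unknown user: no roles
            context.Properties["Principal"] = new GenericPrincipal(identity, roles);
            return true;
        }
    }

    [ServiceContract]
    public interface IPayroll
    {
        [OperationContract]
        string GetSalary(string employee);
    }

    public class Payroll : IPayroll
    {
        // Declarative authorization: callers outside "Managers" get a SecurityException,
        // which WCF turns into an access-denied fault before the body runs.
        [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
        public string GetSalary(string employee)
        {
            return "salary record for " + employee; // placeholder payload
        }
    }

    public static class HostSetup
    {
        // Wires the validator, the role policy and the permission mode into the host.
        public static ServiceHost Create(Uri address)
        {
            var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
            binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

            var host = new ServiceHost(typeof(Payroll), address);
            host.AddServiceEndpoint(typeof(IPayroll), binding, "");

            var userNameAuth = host.Credentials.UserNameAuthentication;
            userNameAuth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
            userNameAuth.CustomUserNamePasswordValidator = new DemoUserNameValidator();

            var authorization = host.Description.Behaviors.Find<ServiceAuthorizationBehavior>();
            authorization.PrincipalPermissionMode = PrincipalPermissionMode.Custom;
            authorization.ExternalAuthorizationPolicies = new ReadOnlyCollection<IAuthorizationPolicy>(
                new IAuthorizationPolicy[] { new DemoRolePolicy() });
            return host;
        }
    }

    class Program
    {
        static void Main()
        {
            using (var host = HostSetup.Create(new Uri("https://localhost:8443/Payroll"))) // hypothetical
            {
                host.Open();
                Console.WriteLine("Payroll service listening. Press Enter to stop.");
                Console.ReadLine();
            }
        }
    }
}
```

With the default `PrincipalPermissionMode.UseWindowsGroups` the role in the attribute would be a Windows group name and the policy class would be unnecessary; the custom mode is shown because it is the one that pairs with a non-Windows username validator.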

7. Implement message security – netTcpBinding.
8. Using an X509 certificate to enable HTTPS communication to the service (server authentication).

9. Implement authorization – using PrincipalPermission.

WCF Relevant Attacks
• Information disclosure - HTTP headers; metadata, logs / exceptions.
• Elevation of privilege - authentication / authorization checks; authorization, token caches.
• Denial of service - memory consumption, max secure sessions.
• Tampering - WS-Addressing.
• Replay attacks - WS-Addressing, transport security.
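The countermeasures for the attack classes listed above map to a handful of host and binding settings. The added example below (not from the slides or the speaker) collects them in one place: reader quotas and throttling against memory-consumption denial of service, replay detection and pending-session limits on the security binding element, and debug/metadata behaviors against information disclosure. The numeric limits are illustrative values, not recommendations from the page.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.ServiceModel.Description;

namespace HardeningDemo
{
    public static class Hardening
    {
        // Bounds what the runtime will buffer and parse for one request, so a large or
        // deeply nested payload cannot exhaust memory (denial of service).
        public static WSHttpBinding BoundedBinding()
        {
            var binding = new WSHttpBinding(SecurityMode.Message);
            binding.MaxReceivedMessageSize = 64 * 1024;        // bytes per message
            binding.ReaderQuotas.MaxDepth = 32;                // element nesting
            binding.ReaderQuotas.MaxStringContentLength = 8192;
            binding.ReaderQuotas.MaxArrayLength = 16 * 1024;
            binding.ReaderQuotas.MaxBytesPerRead = 4096;
            binding.ReceiveTimeout = TimeSpan.FromMinutes(2);  // idle sessions are dropped
            return binding;
        }

        // Replay detection and secure-session limits live on the security binding element,
        // which becomes reachable once the standard binding is expanded into a CustomBinding.
        public static CustomBinding WithReplayAndSessionLimits(Binding binding)
        {
            var custom = new CustomBinding(binding);
            var security = custom.Elements.Find<SecurityBindingElement>();
            if (security == null)
                throw new InvalidOperationException("binding has no message security element");

            var local = security.LocalServiceSettings;
            local.DetectReplays = true;                     // reject a signed message seen before
            local.ReplayWindow = TimeSpan.FromMinutes(5);   // how far back the nonce cache looks
            local.MaxClockSkew = TimeSpan.FromMinutes(5);
            local.MaxPendingSessions = 128;                 // caps half-open secure sessions
            local.InactivityTimeout = TimeSpan.FromMinutes(2);
            return custom;
        }

        // Behaviours that limit information disclosure and concurrency.
        public static void Apply(ServiceHost host, bool publishMetadata)
        {
            var behaviors = host.Description.Behaviors;

            // Exceptions must not reach the caller with stack traces or internal paths.
            var debug = behaviors.Find<ServiceDebugBehavior>();
            if (debug == null) behaviors.Add(debug = new ServiceDebugBehavior());
            debug.IncludeExceptionDetailInFaults = false;

            // WSDL/metadata only when deliberately published, and then over HTTPS only.
            var metadata = behaviors.Find<ServiceMetadataBehavior>();
            if (publishMetadata)
            {
                if (metadata == null) behaviors.Add(metadata = new ServiceMetadataBehavior());
                metadata.HttpGetEnabled = false;
                metadata.HttpsGetEnabled = true;
            }
            else if (metadata != null)
            {
                behaviors.Remove(metadata);
            }

            // Throttle calls, sessions and instances so one client cannot starve the rest.
            var throttle = behaviors.Find<ServiceThrottlingBehavior>();
            if (throttle == null) behaviors.Add(throttle = new ServiceThrottlingBehavior());
            throttle.MaxConcurrentCalls = 16;
            throttle.MaxConcurrentSessions = 100;
            throttle.MaxConcurrentInstances = 116;
        }
    }
}
```

Typical use is `var binding = Hardening.WithReplayAndSessionLimits(Hardening.BoundedBinding());` when adding the endpoint, followed by `Hardening.Apply(host, publishMetadata: false);` before `host.Open()`. `HttpsGetEnabled` needs an HTTPS base address on the host; replay detection applies to message security only, since in pure Transport mode the TLS channel already rejects replayed records.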

?

Summary
• WCF Overview.
  • Unifies existing technology.
  • Wide standards support.
• WCF Security model.
  • Security by default.
  • Can be done using configuration \ code.
  • Credentials – X509, SAML, Kerberos, CardSpace, custom.
• WCF countermeasures for common attack vectors.
  • Misconfiguration can lead to vulnerability exposure.
  • Read more about WCF attacks in the references.

References
• Books
  • Microsoft Windows Communication Foundation Step by Step, by John Sharp.
• MSDN:
  • WCF Home - http://msdn2.microsoft.com/en-us/library/ms735119.aspx
  • Security programming - http://msdn2.microsoft.com/en-us/library/ms731925.aspx
  • CardSpace - http://cardspace.netfx3.com/
• Blogs
  • Message inspector - http://msmvps.com/blogs/paulomorgado/archive/2007/04/27/wcf-building-an-http-user-agent-message-inspector.aspx
  • WCF Security - http://blogs.msdn.com/alikl/archive/2007/07/26/wcf-security-in-intranet-scenario-thoughts-on-cons-and-pros.as
• User group
  • UG Page: http://www.microsoft.com/israel/communities/usergroups/securedev.mspx
  • UG Presentation Page: http://www.2bsecure.co.il/NetSecGroup.aspx

Thank you!
Yaron Hakon
Application Security Consultant, 2Bsecure
yaron@2bsecure.co.il