I am trying to understand WCF security.
The issue I am facing is that I find a very high level of abstraction in WCF. I would really like to know how things work under the wire. Like when I studied netTCPBinding, I had a query about how encryption is achieved in this binding.
But it has been really difficult to get that kind of information.
Could you suggest a book or reference material which details the WCF security model, rather than talking about it at 5000 ft altitude?
Related
I read a lot of articles about Falcor and GraphQL. And no one can say how they help in big projects! I have used Redux + React for a long time (also a REST API), and can't understand what BIG problem Falcor and GraphQL solve.
Can someone explain it in a very simple way?
When you try to understand a new thing such as GraphQL, it helps to compare it with something existing, for example, REST, which you already know.
Imagine we have several web and mobile applications that retrieve data from the same server. In RESTful architecture, we design each entity as a resource. When a request for fetching a resource is received, the server usually returns everything about that resource. Thus, the clients get redundant and unnecessary data which consumes bandwidth. Depending on the scenario, this can total an amount significant enough for the client's performance (think about mobile clients).
How about the clients specifying exactly which data they need and the server sends only those data? GraphQL enables us to achieve this.
Is GraphQL suitable for BIG projects?
Like pretty much everything in life, it depends. Not all projects, regardless of their sizes, have the same requirements. Determine your project's requirements. Consider the available technologies and their pros and cons. It's a trade-off. There's no silver bullet or one-size-fits-all solution. Nonetheless, Facebook uses GraphQL and there are strong reasons to consider their project as BIG.
I'm thinking of using an MBaaS such as Firebase or Kinvey for my next app, and am wondering if any exist which encrypt application data end-to-end (i.e. such that the encryption keys are never shared with the service provider). This seems feasible in theory, since the server is not expected to do any computation on the data, only store it and deliver it to clients.
Does such a service exist? I've found ZeroDB and Crypton, but neither are available as services AFAICT, which means I'd have to administer, scale, and back them up myself. I also thought of using something like Firebase and encrypting my app's data before I pass it to the Firebase API, but I'm wary of writing a one-off crypto layer like that unless I have to (i.e. I'd rather use something that's been peer-reviewed).
Alternatively, if no such service currently exists, why not? Is it technically infeasible, or is there just no market for it?
Edit: This seems closest to what I'm looking for, but considering the broken links on their website I'm guessing it's defunct: Adreneline Mobility
The answer to your question is actually available on the market. CloudMine offers end-to-end encryption (disclosure - I work at CloudMine). They have a largely healthcare focused offering so it has to stand up to HIPAA and other government regs around data security.
Here's a good overview video on security featuring CloudMine's CTO. The first 45 sec. provide some more information on our encryption techniques.
I know I'm being the "sales guy" right now but I'm happy to hop on a call to share what we've built and discuss your specific use case. You can email me at nick at cloudmineinc.com if you're interested.
Virgil Security (full disclosure - I work there) has an end-to-end encryption SDK that works for any endpoint, and also has a special integration with Firebase. It's open source, of course. Check it out and feel free to ask any questions of the team here or on Slack - https://e3kit.readme.io/
I am just unsure whether Spring has any mechanism preventing users/malicious bots from spamming, for example, a registration request a hundred times on my web app.
Does Spring offer this kind of protection under the hood, and if it does not, in which direction am I to look? Some magical property in Spring Security?
Also does AWS provide any protection against this kind of brute attack when my application is deployed there?
The short answer to both your questions is no. There are no built-in mechanisms in either Spring or Amazon Web Services to prevent this.
You will likely have to provide your own implementation to prevent excessive access to your API.
There are a couple of useful resources that can help:
Jeff Atwood's piece on throttling failed log-in attempts should give you a good starting point on how to implement a good strategy for this.
Spring Security's Authorization architecture is really well designed and you can plug in your own implementations fairly easily. It is well documented too.
There is the official Amazon Web Services documentation for using Security Groups, which again should help you ensure you're running on AWS with least permissions in terms of network access.
Finally you could look at a service like Fail2Ban for monitoring log files and blocking malicious requests.
So in short there isn't really a simple ready-to-roll solution, but using the above resources should get you on the road to running something that ensures you're using the best practices possible to prevent malicious attempts to access your system.
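As an added illustration of the "own implementation" the answer above refers to (this is not code from the answer, from Spring or from AWS): a sliding-window throttle keyed per client, which a servlet filter or Spring interceptor in front of the registration endpoint could consult before processing a request. The class name `RegistrationThrottle`, its methods, the limit of 3 per minute and the sample address are all assumptions made for the example.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical sliding-window throttle keyed by client (for example the remote address). */
public class RegistrationThrottle {
    private final int maxRequests;
    private final long windowMillis;
    private final ConcurrentHashMap<String, Deque<Long>> hits = new ConcurrentHashMap<>();

    public RegistrationThrottle(int maxRequests, long windowMillis) {
        this.maxRequests = maxRequests;
        this.windowMillis = windowMillis;
    }

    /** Returns true if the request may proceed; on false the caller should answer HTTP 429. */
    public boolean tryAcquire(String clientKey, long nowMillis) {
        boolean[] allowed = {false};
        // compute() runs atomically per key, so concurrent requests from one client are serialized.
        hits.compute(clientKey, (k, q) -> {
            Deque<Long> d = (q == null) ? new ArrayDeque<>() : q;
            prune(d, nowMillis);
            if (d.size() < maxRequests) {
                d.addLast(nowMillis);
                allowed[0] = true;
            }
            return d;
        });
        return allowed[0];
    }

    /** Call periodically so that clients who went quiet do not keep the map growing. */
    public void evictIdle(long nowMillis) {
        for (String key : hits.keySet())
            hits.computeIfPresent(key, (k, q) -> { prune(q, nowMillis); return q.isEmpty() ? null : q; });
    }

    /** Drops timestamps that have fallen out of the window. */
    private void prune(Deque<Long> q, long nowMillis) {
        while (!q.isEmpty() && nowMillis - q.peekFirst() >= windowMillis) q.pollFirst();
    }

    public static void main(String[] args) {
        RegistrationThrottle t = new RegistrationThrottle(3, 60_000); // 3 sign-ups per minute
        for (long now = 0; now < 5_000; now += 1_000) // constructed timestamps and address
            System.out.println(now + " ms -> " + t.tryAcquire("203.0.113.7", now));
        System.out.println("61000 ms -> " + t.tryAcquire("203.0.113.7", 61_000));
    }
}
```

Behind a load balancer the servlet's remote address is the balancer's, so the key has to come from a forwarded-address header that the balancer itself sets. State held in one JVM's memory is also not shared between application instances.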
I'm working on a WCF service that, at least initially, will only be consumed by an ASP.Net application on the same machine. This may change eventually, but for the time being, all communication with the WCF service will be intra-machine.
Is any sort of security necessary, and indeed, is any sort of authentication necessary? It seems to me that in order to compromise the security, one would have to compromise the security of the machine - nothing from the outside is going to be able to connect in, particularly if I'm using named pipes...
I'm confident in the security of the box - is that good enough?
TIA.
Seems fine to me. However, I think when doing development, getting the base stuff (like secure channels, authentication) figured out early is a good idea. Retrofitting can be a pain.
I am planning to write a .NET web application using SOA, which means data operations are made using web methods. There will be many, many methods, so I have the following questions:
How should I handle security?
Should I split them into more services?
Call them using reflection?
Any tips will help because I am new to SOA.
I would suggest you use WCF instead of .Net web-services. WCF gives you a lot of flexibility regarding security and many more aspects. Especially: SOA does not equal web-services. With WCF you can configure the channel your data is sent over (i.e. HTTP, TCP, MSMQ, etc.).
Regarding Reflection, I see no reason to use it. Reflection is slow, hard to debug and not really related to SOA at all. Debugging SOA's is challenging enough, so use reflection sparingly.
As you can imagine, that's not a simple subject. So I would partition it this way: minimally, your question comprises two aspects of security:
Authentication: knowing who your calling party is
Authorization: knowing what that calling party is allowed to do
You have different options for both. For example, you can handle authentication through multiple standards like WS-{Security|Trust|etc} and, on the other end, authorization through AzMan roles (which BTW doesn't scale very well).
With respect to technology, I agree with other posts, you should opt for WCF. That allows you to leverage those standards and presents you with more options for the different aspects of security, including auditing.