WCF is a very good platform for implementing service-oriented architecture. By default, WCF provides secured transactions based on the binding you choose, using either transport level security or message level security.
Transport Level Security
This sends the message over a secured transport, so the message travels safely between the source and the target. The well-known form of transport level security is SSL, i.e. an https connection. But there is a drawback in this mode of security: if your message is going to travel through a distributed, layered design, every layer along the way must support secured transport. Otherwise, the message will not be safe. That is why this method is suitable for point-to-point services, meaning there should not be any other layer in between. The advantages of this method are that performance is good and that it has been a proven technology for a long time.
Message Level Security
In this method, whether or not the transport is secured, the message will be safe because the message itself is encrypted. So, this method of security can be used even if there are multiple layers between source and destination. The drawback of this mode is performance, because the message has to be encrypted before it is sent over the network and then decrypted at the destination.
Mixed mode is a combination of both transport level and message level security. This mode is also known as Transport with message credential. In this mode, transport security is used to send the message in a secured way. But one thing to notice is that the message is encrypted only while it is in the transport. So, if someone intercepts it in between, the message will be in plain text. To solve that issue, message security is also used in mixed mode. Here, message security does not encrypt the whole message; instead, it encrypts only the credential and whatever other information we send in the header section.
NetTcpBinding - Transport level security by default
WsHttpBinding - Message level security by default
Simply put, all TCP bindings use transport level security by default.
Only the basicHttpBinding is not secured by default. But we can easily implement security on that as well.
Below is the sample configuration section to turn security on or off
In the above configuration, transport level security is used with the Windows credential. So, the client's Windows credential will be sent through the message header.
Note: Not all credential types are supported by all types of binding.
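The three modes described above, written out as a WCF binding configuration. This is an added example, not the configuration from the original post; the binding names, the service and contract names, and the addresses are assumptions made for illustration.

```xml
<!-- Added example. Names, contracts and addresses below are hypothetical. -->
<system.serviceModel>
  <bindings>
    <netTcpBinding>
      <!-- Transport level security with Windows credential
           (Transport is already the netTcpBinding default). -->
      <binding name="tcpTransport">
        <security mode="Transport">
          <transport clientCredentialType="Windows"
                     protectionLevel="EncryptAndSign" />
        </security>
      </binding>
    </netTcpBinding>
    <wsHttpBinding>
      <!-- Message level security: the message itself is protected,
           so it stays safe across intermediate layers. -->
      <binding name="wsMessage">
        <security mode="Message">
          <message clientCredentialType="Windows" />
        </security>
      </binding>
    </wsHttpBinding>
    <basicHttpBinding>
      <!-- basicHttpBinding defaults to mode="None". Mixed mode turns
           security on: https protects the transport and the
           credential travels in the message header. -->
      <binding name="basicMixed">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </basicHttpBinding>
  </bindings>
  <services>
    <service name="Sample.OrderService">
      <endpoint address="net.tcp://localhost:8000/orders"
                binding="netTcpBinding" bindingConfiguration="tcpTransport"
                contract="Sample.IOrderService" />
      <endpoint address="http://localhost:8001/orders"
                binding="wsHttpBinding" bindingConfiguration="wsMessage"
                contract="Sample.IOrderService" />
      <!-- Mixed mode requires an https address. -->
      <endpoint address="https://localhost:8443/orders"
                binding="basicHttpBinding" bindingConfiguration="basicMixed"
                contract="Sample.IOrderService" />
    </service>
  </services>
</system.serviceModel>
```

Setting mode="None" on any of these bindings turns security off, which is the state basicHttpBinding starts in.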