I am creating a WCF web service using wsHttpBinding and a corresponding application that calls this web service. The idea behind the application that calls the WS is that it will be installed and run from multiple client sites as a background process. The background processes will periodically send information from their respective client back to the host by calling the WCF service. What kind of WCF security model should I implement to make sure that only service calls from the processes installed at the individual sites can call methods on the web service?
Note: The web service will be behind a firewall; however, this extra information may be irrelevant to the question at hand.
With no firewall mentioned, I would suggest two approaches:
Advanced approaches can use a supporting token like mutual certificates for securing messages and a supporting user name token for authentication.
All these approaches can require installing certificates on client machines.
But in your case the firewall can change the solution. Is it possible to connect to your service from the client using HTTP port 80? If not, check that your IT opens incoming communication to your service. If not, you will have to use Azure .NET Services (cloud) to relay communication between your service and clients. This can change the security scenario.
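As an added example (not from the question or the answer above), here is the certificate-based variant of the answer's suggestion in code: a wsHttpBinding that accepts any caller, beside one that uses message security with a per-site client certificate that the host validates against its TrustedPeople store. The contract name `ISiteReportService`, the class `SiteReportHost` and the certificate subject name are assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical contract; the real one would carry the per-site report data.
[ServiceContract]
public interface ISiteReportService
{
    [OperationContract]
    void SubmitReport(string siteId, string payload);
}

public static class SiteReportHost
{
    // Weak variant: no client credential, so any process that can reach the
    // endpoint can call it. The firewall limits reachability, not identity.
    public static WSHttpBinding WeakBinding()
    {
        var b = new WSHttpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        return b;
    }

    // Hardened variant: message security with a client certificate, so only a
    // process holding a certificate the host trusts can be authenticated.
    public static WSHttpBinding SiteCertificateBinding()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // Client must already hold the service certificate; no runtime negotiation.
        b.Security.Message.NegotiateServiceCredential = false;
        return b;
    }

    public static ServiceHost Open(Type serviceType, Uri address)
    {
        var host = new ServiceHost(serviceType, address);
        host.AddServiceEndpoint(typeof(ISiteReportService), SiteCertificateBinding(), "");

        // Service certificate from the machine store (subject name is a placeholder).
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "CN=EXAMPLE-report-host");

        // PeerTrust: only client certificates explicitly placed in the host's
        // TrustedPeople store are accepted. One certificate per site lets a single
        // compromised site be removed without touching the others.
        var auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.PeerTrust;
        auth.RevocationMode = X509RevocationMode.Online;

        host.Open();
        return host;
    }
}
```

Each site's background process then presents its own certificate via `ClientCredentials.ClientCertificate`, which is the client-side installation step the answer refers to.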