Web Services Security:
Bells and Thistles
http://www.wideopenwest.com/~kwwall/presentations/security/cocacm-20030516.ppt
Kevin W. Wall
Staff Software Engineer
Qwest IT
[email protected]
Shuxian Wang
Software Engineer
Qwest IT
[email protected]
Common Needs of Web Services
All web services developed have a common set of needs:
• Security: Authentication, Authorization, Confidentiality, Data Integrity
• Global availability
• Reliability
• Version management
• Metering, Monitoring and Logging
• Interoperability of applications
Copyright © 2003 - Kevin Wall / Shuxian Wang - All Rights Reserved
Security Business Drivers
• Leverage tools and “standards”
• Can’t afford “one-off” single solutions to Web Services security.
  • Too expensive in terms of maintenance, deployment, etc.
  • Too expensive in terms of security!
Common Concerns of Web Services Security (1/2)
Administration
• Registration of web services provider / consumers
• Creation and administration of security policies & privileges
• Multiple routing scenarios and versioning
• Manage subscription to web service consumption
• Managing users and roles
Common Concerns of Web Services Security (2/2)
Server-side
• Client authentication and authorization
• Secure logging and intrusion detection
• Nonrepudiation of sender and of receiver
• Confidentiality / data integrity
Client-side
• Authentication of server
• Confidentiality
• Data integrity
• Nonrepudiation of receiver
Challenges Of Securing Web Services
Changed security perimeter
• The line between internet and intranet is dissolving.
• Point-to-point security vs. end-to-end security
P2P interaction
• A computer has no feeling that something is going wrong.
System complexity
• More parties involved in the security management.
• Possibly disparate security policies may result in the lowest common denominator.
Relevant Web Services Technologies
Basic technologies
• XML
• SOAP
• UDDI
• WSDL
Security specific technologies
• XML Encrypt
• XML Digital Signature
• SAML
• WS-Security
• Others (XKMS, XACML, etc.)
What’s Available?
[Table: which security technology covers which property. Rows: Authentication, Authorization, Confidentiality, Data Integrity, Nonrepudiation. Columns: XML DSig, XML Encrypt, XKMS, SAML, WS-Security. The X marks in the cells did not survive extraction.]
Attacks On Web Services
Traditional attacks that may still apply:
• Buffer overflows
• HTTP attacks
• Cross-site scripting
• SQL injection
• DoS attack
New attack vectors:
• WSDL
• UDDI
• XML
Typical Web Services Architecture
[Diagram: three parties, Service Registry, Service Requester and Service Provider. The Service Provider publishes to the Service Registry (Publish: WSDL, UDDI); the Service Requester finds the service in the Service Registry (Find: WSDL, UDDI); the Service Requester then binds to the Service Provider (Bind: WSDL, SOAP).]
Example: Web Services Scenario
Consumer uses travel portal to plan trip: select flight and hotel
Travel portal uses:
• UDDI to dynamically locate web services
• Airline reservation web service(s)
• Hotel reservation web service(s)
• Credit check web service
Travel Portal Example
[Diagram: the End User talks to the Travel portal web server; the Travel portal web server in turn talks to the UDDI server, the Credit check web service, the Airline reservation web service and the Hotel reservation web service.]
Common Security Requirements for Web Services
• Unilateral or mutual authentication
• Access control at granularity of web service method
• “Session-level” confidentiality
• “Session-level” integrity
  • Including replay prevention
• Web service audit logging and correlation of events
Providing Web Services Security (1/2)
Authentication
• WS-Security
  • Password-based
  • X.509 public key certificates
  • End-to-end authentication
• Basic / digest authentication over HTTPS
Authorization
• Role-based authorization and business rules
• For HTTP as transport, use web access management tools such as RSA ClearTrust, Netegrity SiteMinder, Oblix NetPoint, Entrust getAccess, etc.
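The requirements slide asks for “session-level” integrity with replay prevention, and the slide above lists WS-Security password-based authentication as one way to authenticate. The Python below is an added example, not code from the presentation: it builds the WS-Security UsernameToken password digest (Base64 of SHA-1 over nonce, Created timestamp and password) on the client side, and on the server side enforces a freshness window and a nonce cache so that a captured token cannot be replayed; the user store, freshness window and timestamps are constructed for the example.

```python
import base64
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

USERS = {"alice": "correct horse battery staple"}  # constructed user store, not a real directory
FRESHNESS = timedelta(minutes=5)  # accept Created timestamps only within this window
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    # UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password))
    h = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(h).decode()

def make_username_token(username: str, password: str, now: datetime) -> dict:
    # Client side: the fields of a <wsse:UsernameToken> with a fresh nonce and timestamp
    nonce, created = secrets.token_bytes(16), now.strftime(TS_FMT)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}

class TokenVerifier:
    # Server side: check freshness, reject replayed nonces, then verify the digest
    def __init__(self, users: dict):
        self.users = users
        self.seen = {}  # nonce (base64) -> Created time; pruned as entries age out

    def verify(self, token: dict, now: datetime) -> bool:
        created = datetime.strptime(token["Created"], TS_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > FRESHNESS:  # stale or far-future timestamp (clock skew)
            return False
        self.seen = {n: t for n, t in self.seen.items() if now - t <= FRESHNESS}
        if token["Nonce"] in self.seen:  # same nonce inside the window: a replay
            return False
        password = self.users.get(token["Username"])
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password or "")
        if password is None or not secrets.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen[token["Nonce"]] = created  # remember the nonce only for accepted tokens
        return True

def demo() -> dict:
    # Exercise a fresh token, its replay, a stale token and a token with a tampered digest
    now = datetime(2003, 5, 16, 12, 0, tzinfo=timezone.utc)
    v, pw = TokenVerifier(USERS), USERS["alice"]
    tok = make_username_token("alice", pw, now)
    tampered = dict(make_username_token("alice", pw, now), PasswordDigest="AAAA")
    return {"fresh": v.verify(tok, now), "replay": v.verify(tok, now + timedelta(seconds=30)),
            "stale": v.verify(make_username_token("alice", pw, now), now + timedelta(minutes=10)),
            "tampered": v.verify(tampered, now)}
```

The nonce cache only needs to hold entries as long as the freshness window, which is what keeps replay detection bounded in memory.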
Providing Web Services Security (2/2)
Confidentiality
• WS-Security / XML Encrypt
  • Symmetric and asymmetric key encryption
  • End-to-end encryption
• HTTPS or IPSec
  • For clients that don’t speak WS-Security
Data Integrity:
• WS-Security
• XML Digital Signatures
• Tunnel over SSL/TLS or use IPSec
Cautionary Notes
• Many new security technologies (WS-Security, XML Encrypt, SAML, etc.) are both hard to use and have immature / incomplete toolkits.
  • Requires understanding of things like replay attacks, man-in-the-middle attacks, reflection attacks, etc. and how to prevent them.
  • Security is taken out of the hands of experts and security decisions are now placed in the hands of common developers.
• New technologies also have major performance / scalability impacts.
• Using XML Signature requires significant PKI investment.
XML Firewalls / Security Appliances
• Microsoft’s ISA XML filters
• MultinetSecurity’s iSecureWeb
• Reactivity’s XML Firewall
• Checkpoint’s VPN-1/FireWall-1 (Next Generation, Feature Pack 3)
• Quadrasis’ SOAP Content Inspector
• Vordel’s VordelSecure
• Westbridge Technology’s XML Message Server
• Flamenco Networks’ WMS
• Forum Systems’ Sentry
Conclusions
• Roll out with caution: first internal, then external
  • For external web services, avoid UDDI!
• Use traditional transport layer security where / when applicable
• Train developers in proper security techniques
• Investigate XML firewall technologies