Web Services Security: Bells and Thistles
http://www.wideopenwest.com/~kwwall/presentations/security/cocacm-20030516.ppt

Kevin W. Wall, Staff Software Engineer, Qwest IT, [email protected]
Shuxian Wang, Software Engineer, Qwest IT, [email protected]

Copyright © 2003 - Kevin Wall / Shuxian Wang - All Rights Reserved

Common Needs of Web Services
All web services developed have a common set of needs:
• Security: authentication, authorization, confidentiality, data integrity
• Global availability
• Reliability
• Version management
• Metering, monitoring and logging
• Interoperability of applications

Security Business Drivers
Leverage tools and “standards”: we can’t afford a “one-off” single solution to web services security.
• Too expensive in terms of maintenance, deployment, etc.
• Too expensive in terms of security!

Common Concerns of Web Services Security (1/2)
Administration
• Registration of web service providers / consumers
• Creation and administration of security policies & privileges
• Multiple routing scenarios and versioning
• Managing subscriptions to web service consumption
• Managing users and roles

Common Concerns of Web Services Security (2/2)
Server-side
• Client authentication and authorization
• Secure logging and intrusion detection
• Nonrepudiation of sender and of receiver
• Confidentiality / data integrity
Client-side
• Authentication of server
• Confidentiality
• Data integrity
• Nonrepudiation of receiver

Challenges of Securing Web Services
Changed security perimeter
• The line between internet and intranet is dissolving.
• Point-to-point security vs. end-to-end security
P2P interaction
• A computer cannot sense that something is going wrong.
System complexity
• More parties are involved in security management.
• Possibly disparate security policies may result in a lowest common denominator.

Relevant Web Services Technologies
Basic technologies
• XML
• SOAP
• UDDI
• WSDL
Security-specific technologies
• XML Encryption
• XML Digital Signature
• SAML
• WS-Security
• Others (XKMS, XACML, etc.)

What’s Available?
Comparison matrix (cell markings not recoverable from the extracted slide): rows Authentication, Authorization, Confidentiality, Data Integrity, Nonrepudiation; columns XML DSig, XML Encrypt, XKMS, SAML, WS-Security.

Attacks on Web Services
Traditional attacks that may still apply:
• Buffer overflows
• HTTP attacks
• Cross-site scripting
• SQL injection
• DoS attacks
New attack vectors:
• WSDL
• UDDI
• XML

Typical Web Services Architecture
Diagram: the Service Requester finds the Service Provider through the Service Registry (WSDL, UDDI); the Service Provider publishes to the Service Registry (WSDL, UDDI); the Service Requester binds to the Service Provider (WSDL, SOAP).

Example: Web Services Scenario
A consumer uses a travel portal to plan a trip: select a flight and a hotel.
The travel portal uses:
• UDDI to dynamically locate web services
• Airline reservation web service(s)
• Hotel reservation web service(s)
• Credit check web service

Travel Portal Example
Diagram: the end user talks to the travel portal web server, which in turn uses a UDDI server, a credit check web service, an airline reservation web service and a hotel reservation web service.

Common Security Requirements for Web Services
• Unilateral or mutual authentication
• Access control at the granularity of the web service method
• “Session-level” confidentiality
• “Session-level” integrity, including replay prevention
• Web service audit logging and correlation of events
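The authentication and replay-prevention requirements above can be met together in one server-side check of a WS-Security UsernameToken. The following is an added example, not code from the presentation: it recomputes the PasswordDigest (Base64(SHA-1(nonce + created + password))) from a constructed credential store, rejects tokens whose wsu:Created timestamp falls outside a freshness window, and refuses a nonce it has already accepted. The credential store, the five-minute window and the fixed sample clock are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
USERS = {"portal": "s3cret-portal-pw"}  # constructed credential store (hypothetical)
FRESHNESS = timedelta(minutes=5)  # assumed tolerance between wsu:Created and the server clock
SEEN_NONCES = {}  # nonce -> Created time; replay cache, pruned by FRESHNESS
SAMPLE_NOW = datetime(2003, 5, 16, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def password_digest(nonce_b64, created, password):
    # UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password))
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_token(user, password, nonce, created):
    # Constructed client-side SOAP envelope; only the wsse:Security header matters here.
    nonce_b64 = base64.b64encode(nonce).decode()
    return (f'<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"><Header>'
            f'<Security xmlns="{WSSE}" xmlns:wsu="{WSU}"><UsernameToken>'
            f'<Username>{user}</Username><Password>{password_digest(nonce_b64, created, password)}'
            f'</Password><Nonce>{nonce_b64}</Nonce><wsu:Created>{created}</wsu:Created>'
            f'</UsernameToken></Security></Header><Body/></Envelope>')


def verify_username_token(soap_xml, now=SAMPLE_NOW):
    # Server-side check; returns (accepted, reason) so every rejection can be logged.
    tok = ET.fromstring(soap_xml).find(f".//{{{WSSE}}}UsernameToken")
    if tok is None:
        return False, "no UsernameToken"
    user, digest = tok.findtext(f"{{{WSSE}}}Username"), tok.findtext(f"{{{WSSE}}}Password")
    nonce, created = tok.findtext(f"{{{WSSE}}}Nonce"), tok.findtext(f"{{{WSU}}}Created")
    if not all((user, digest, nonce, created)):
        return False, "incomplete token"
    created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - created_at) > FRESHNESS:
        return False, "timestamp outside window"  # stale or future-dated: reject before any lookup
    for n, t in list(SEEN_NONCES.items()):  # nonces outside the window cannot be replayed anyway
        if abs(now - t) > FRESHNESS:
            del SEEN_NONCES[n]
    if nonce in SEEN_NONCES:
        return False, "replayed nonce"
    expected = password_digest(nonce, created, USERS.get(user, ""))
    if user not in USERS or not hmac.compare_digest(digest.encode(), expected.encode()):
        return False, "bad credentials"
    SEEN_NONCES[nonce] = created_at  # remember only tokens that were actually accepted
    return True, "ok"
```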
Providing Web Services Security (1/2)
Authentication
• WS-Security: password-based, X.509 public key certificates, end-to-end authentication
• Basic / digest authentication over HTTPS
Authorization
• Role-based authorization and business rules
• For HTTP as transport, use web access management tools such as RSA ClearTrust, Netegrity SiteMinder, Oblix NetPoint, Entrust getAccess, etc.

Providing Web Services Security (2/2)
Confidentiality
• WS-Security / XML Encryption: symmetric and asymmetric key encryption, end-to-end encryption
• HTTPS or IPSec for clients that don’t speak WS-Security
Data integrity
• WS-Security
• XML Digital Signatures
• Tunnel over SSL/TLS or use IPSec

Cautionary Notes
Many new security technologies (WS-Security, XML Encryption, SAML, etc.) are both hard to use and have immature / incomplete toolkits.
• Using them correctly requires an understanding of replay attacks, man-in-the-middle attacks, reflection attacks, etc., and how to prevent them.
• Security is taken out of the hands of experts, and security decisions are now placed in the hands of ordinary developers.
New technologies also have major performance / scalability impacts.
Using XML Signature requires significant PKI investment.

XML Firewalls / Security Appliances
• Microsoft’s ISA XML filters
• MultinetSecurity’s iSecureWeb
• Reactivity’s XML Firewall
• Checkpoint’s VPN-1/FireWall-1 (Next Generation, Feature Pack 3)
• Quadrasis’ SOAP Content Inspector
• Vordel’s VordelSecure
• Westbridge Technology’s XML Message Server
• Flamenco Networks’ WMS
• Forum Systems’ Sentry

Conclusions
Roll out with caution: first internal, then external
• For external web services, avoid UDDI!
Use traditional transport layer security where / when applicable
Train developers in proper security techniques
Investigate XML firewall technologies