SOA Security
SOURCE Boston 2008
Eugene Kuznetsov, email@example.com
March 2008, SOURCE Boston © 2008 Eugene Kuznetsov
Agenda
Brief intro to XML/WebServices/SOA
– Terms
– Why?
– Standards
XML threats
Secure enablement
– Validation
– Encryption, digital signature
– Identity management & FIM
– Deployment of SOA security technology
A broader view
– Positive security model
– Message-level security
Conclusion
Some Terms
XML (eXtensible Markup Language)
– text-based data encoding standard, a relative of SGML & HTML
– Unicode & legacy character encoding support
SOAP
– Standard for using XML-encoded messages in server-to-server communication
Web services (WS)
WS-* (“WS-star” or “WS-splat”)
SOA (Service Oriented Architecture)
Resources:
– http://www.w3.org/XML/
– http://www.w3.org/TR/soap/
– http://www.oasis-open.org/specs/index.php#wssv1.1
Why care about SOA Security?
Meant to ease connecting applications
Every new technology creates new security concerns
Often used to connect critical, back-end applications
Not addressed by existing packet-level security infrastructure
Increasingly included in larger software packages and services
Complex processing model
New compliance or regulatory environments
More than one part of an organization has to be involved
Presents some opportunities for improved security
“Implementation of Microsoft SOAP, a protocol running over HTTP precisely so it could bypass firewalls, should be withdrawn. According to the Microsoft documentation: ‘Since SOAP relies on HTTP as the transport mechanism, and most firewalls allow HTTP to pass through, you'll have no problem invoking SOAP endpoints from either side of a firewall.’” – Bruce Schneier, circa 2000
Key Specs & Standards
Foundation
– XML
– SOAP
– XPath/XSLT
– XSD (XML Schema)
Security Building Blocks
– XML Digital Signature
– XML Encryption
Upper-Layer Protocols/Standards
– WS-Security
– WS-Trust
– WS-SecureConversation
– XKMS
– SAML
– XACML
– WS-Policy and WS-SecurityPolicy
Web Service Message Layout (diagram)
Layers, outermost first: IP (binary), HTTP (text), SOAP Envelope (XML/text) containing the SOAP Headers (where the WS-Security header and SAML token sit) and the SOAP Body
Some XML Threats
XML Entity Expansion and Recursion Attacks
XML Document Size Attacks
XML Document Width Attacks
XML Document Depth Attacks
XML Wellformedness-based Parser Attacks
Jumbo Payloads
Recursive Elements
MegaTags – aka Jumbo Tag Names
Public Key DoS
XML Flood
Resource Hijack
Dictionary Attack
Message Tampering
Data Tampering
Message Snooping
XPath Injection
SQL Injection
WSDL Enumeration
Routing Detour
Schema Poisoning
Malicious Morphing
Malicious Include – also called XML External Entity (XXE) Attack
Memory Space Breach
XML Encapsulation
XML Virus
Falsified Message
Replay Attack
Attacks on WS Engine itself
Memory barrier breach
– Buffer overruns
XDoS
– Single-message (incl. crypto)
– Multimessage
– Asymmetry of XML processing
Field injection
– Automarshalling
External reference attacks
– Filesystem
– Internal network
– External network
XDoS Impact on Server Resources (chart, resources vs. time): requests overwhelm system resources; faster detection allows the system to resist the attack
XML-SOA Validation
3 major categories:
Well-formedness checking (generic)
– Is this XML-encoded data?
Protocol validation (generic)
– Is this SOAP?
Schema validation (application-specific)
– Does structure of XML document match our expectation?
– Does its data conform to data types and constraints?
– Specs: DTD, XML Schema, WSDL, RELAX-NG, Schematron
Most of the information created as side-effect of app development
Key take-away: can validate content of app-specific PDU on the wire
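A gateway-side implementation of the well-formedness gate combined with the size, depth, width, jumbo-tag-name and entity checks from the two slides above, as an added example that is not from the presentation. It uses only the Python standard library; the default limit values are assumptions, not figures from the talk.

```python
"""Added example (not from the talk): a pre-parse gate for inbound XML/SOAP.
It does the first validation category, well-formedness checking, while refusing
threat classes from the "Some XML Threats" slide: entity declarations (entity
expansion, XXE/malicious include), document depth, width, jumbo tag names and
size. Standard library only; the default limits are illustrative assumptions."""
from xml.parsers import expat

class XmlThreatRejected(ValueError):
    """Raised as soon as a limit is hit, so parsing stops early (XDoS defence)."""

def check_xml(data: bytes, *, max_bytes: int = 1_000_000, max_depth: int = 32,
              max_children: int = 10_000, max_tag_len: int = 256) -> int:
    """Parse once with all checks active; return the element count or raise.
    Limits map to the slide's size, depth, width (per element) and jumbo tag name threats."""
    if len(data) > max_bytes:
        raise XmlThreatRejected("document size limit exceeded")
    parser = expat.ParserCreate()
    # Never resolve parameter entities or an external DTD subset (no disk/network I/O).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    stack = []   # number of children seen so far for each open element
    seen = 0
    def reject(*_args):   # SOAP never needs a DTD: a DOCTYPE or entity is a threat signal
        raise XmlThreatRejected("DOCTYPE/entity declarations are not accepted")
    def start(name, _attrs):
        nonlocal seen
        if len(name) > max_tag_len:
            raise XmlThreatRejected("tag name length limit exceeded")
        if len(stack) >= max_depth:
            raise XmlThreatRejected("element depth limit exceeded")
        if stack:
            stack[-1] += 1
            if stack[-1] > max_children:
                raise XmlThreatRejected("element width limit exceeded")
        stack.append(0)
        seen += 1
    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda _name: stack.pop()
    parser.Parse(data, True)
    return seen

def is_safe(data: bytes, **limits) -> bool:
    """Gateway decision: True only if the message is well-formed and within limits."""
    try:
        return check_xml(data, **limits) > 0
    except (XmlThreatRejected, expat.ExpatError):
        return False
```

Because every check runs inside the single parse pass, a hostile document is rejected at the first offending byte rather than after the whole tree has been built.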
XML Crypto
XML Encryption
– Encrypt: select, crypt
– Decrypt: select, decrypt
XML Digital Signature
– Sign: select, transform, canonicalize, hash, crypt
– Verify: select, transform, canonicalize, hash, crypt, compare
Resources:
– http://www.w3.org/TR/xmldsig-core/
– http://www.w3.org/TR/xmlenc-core/
Key takeaway: can sign, verify, encrypt, decrypt messages or portions of messages using a well-specified, interoperable standard
XML Signature Example
Source: https://java.sun.com/webservices/docs/2.0/tutorial/doc/XMLDigitalSignatureAPI7.html
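The sign/verify steps from the XML Crypto slide, worked through as an added Python example that is not the presentation's code nor the Java tutorial's. It assumes Python's built-in C14N 2.0 canonicalizer (XML-DSig itself uses inclusive C14N), whitespace stripping as the only transform, selection of the signed part by element name rather than a URI reference, and an HMAC shared key in place of the RSA signature step; the point it shows is why canonicalization is needed once an intermediary re-serializes the message.

```python
"""Added example (not from the talk): the sign/verify pipeline from the "XML Crypto"
slide, reduced to its steps: select, transform, canonicalize, hash, crypt, compare.
Assumptions (not the XML-DSig spec): the signed part is selected by element name
instead of a URI reference, canonicalization is Python's built-in C14N 2.0 rather
than the inclusive C14N that XML-DSig uses, whitespace stripping is the only
transform, and an HMAC-SHA256 shared key stands in for the RSA signature step."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"
# Constructed sample messages: RESERIALIZED is the same message after an intermediary
# rewrote whitespace and attribute order; TAMPERED has a changed amount.
ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <Transfer account="123" amount="100"/>
  </soap:Body>
</soap:Envelope>"""
RESERIALIZED = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                '<soap:Body><Transfer amount="100" account="123" /></soap:Body></soap:Envelope>')
TAMPERED = RESERIALIZED.replace('amount="100"', 'amount="1000"')

def select(envelope: str, local_name: str) -> ET.Element:
    """Select: locate the element to be signed (the SOAP Body here)."""
    found = ET.fromstring(envelope).find(f".//{SOAP_NS}{local_name}")
    if found is None:
        raise ValueError(f"no {local_name} element in envelope")
    return found

def digest(element: ET.Element) -> str:
    """Transform + canonicalize + hash: serialization differences no longer matter."""
    c14n = ET.canonicalize(ET.tostring(element, encoding="unicode"), strip_text=True)
    return hashlib.sha256(c14n.encode()).hexdigest()

def sign(envelope: str, key: bytes) -> str:
    """Crypt: bind the digest to the key (HMAC stands in for the RSA step)."""
    return hmac.new(key, digest(select(envelope, "Body")).encode(), "sha256").hexdigest()

def verify(envelope: str, key: bytes, signature: str) -> bool:
    """Repeat the pipeline on the received message, then compare in constant time."""
    return hmac.compare_digest(sign(envelope, key), signature)

def demo() -> tuple:
    key = b"constructed-shared-secret"
    sig = sign(ENVELOPE, key)
    return (verify(ENVELOPE, key, sig),       # True
            verify(RESERIALIZED, key, sig),   # True: canonical form is identical
            verify(TAMPERED, key, sig))       # False: body digest changed
```

Hashing the raw bytes instead of the canonical form would make the second case fail, which is the interoperability problem XML-DSig's canonicalization step exists to solve.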
(Federated) Identity Management
Uniquely intertwined
Federated identity standards use Web services (XML) protocols
Secure SOA and Web services require identity
Rebuilding enterprise identity management architecture the SOA way
SOA governance requires identity
However, the federated identity management and web services security problems are not the same
Access Control With Federated Identity Protocols (diagram; labels: XML protocol, application, HR portal, Expense App, Support App, CRM, Travel Desk, Quote App, Server #1, Server #2)
Federated Identity
Uses lessons from US federal system and application integration
Optionally decentralized model
XML formats for representing identity and attribute information
Set of open XML protocols for requests and responses for access control information
One or more access control servers
Enable applications by
– Use of open web services protocols
– Optional use for utility toolkits / APIs
Communication between enabled app and server is via open web services wire protocol
Resources:
– http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security#samlv20
– http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html
XML Security Gateways / XML Firewalls
XML (WS) Security Gateway is superset, includes XML Firewall
XML Firewall: XML threat protection, filtering
WS-Security, WS-Trust, digital signature, encryption
Fine-grained access control & security policy enforcement point
Service level management
Service virtualization
Resources:
– http://www.ibm.com/software/integration/datapower/
SOA Security Deployment (diagram; components: XML protocol, application, Web Service #1, Web Service #2, Access Control (IM) Server, UDDI Registry, Service Level Monitoring & Management Server)
Not pictured: PKI server, log server, datacenter mgmt, etc.
From Packets to Messages
“Packet-level” security: filter and control IP packets
Limitations
– Transition from perimeter to perimeter-less world
– Network application security: partial protocol parsing, attack signatures, learning mode, etc.
Most applications care about “messages”, not packets
To secure an app, must know valid inputs and outputs for the app
“Known-good”, “positive” security model
5000 apps, 5000 configurations
Data-centric security, protecting the actual data and documents
Basic technology has been there long before SOA/XML
Message-Level Security
Enabled by software industry’s shift to XML Web Services
Mature standards
– WSDL
– XML Schema
– XPath
– WS-Security
– SAML
Creates new capabilities and features for apps (not just for security)
Application-specific wire protocols documented in machine-readable, declarative style
Security context bound to message
Standard policy language
A network device can now instantly “grok” a custom application
End of manual configuration: positive security model
Summary
To first order, XML=SOAP=WebServices~SOA
Why SOA security matters
XML threats
Security building blocks
Federated identity
Web services security gateways
Message-level security