
SOA Security
Eugene Kuznetsov
SOURCE Boston, March 2008. © 2008 Eugene Kuznetsov


1 SOA Security
SOURCE Boston 2008
Eugene Kuznetsov
kuznetso@alum.mit.edu

2 Agenda
Brief intro to XML/WebServices/SOA
  – Terms
  – Why?
  – Standards
XML threats
Secure enablement
  – Validation
  – Encryption, digital signature
  – Identity management & FIM
  – Deployment of SOA security technology
A broader view
  – Positive security model
  – Message-level security
Conclusion

3 Some Terms
XML (eXtensible Markup Language)
  – text-based data encoding standard, a relative of SGML & HTML
  – 201 bar
  – Unicode & legacy character encoding support
SOAP
  – Standard for using XML-encoded messages in server-to-server communication
Web services (WS)
WS-* (“WS-star” or “WS-splat”)
SOA (Service Oriented Architecture)
Resources:
  – http://www.w3.org/XML/
  – http://www.w3.org/TR/soap/
  – http://www.oasis-open.org/specs/index.php#wssv1.1

4 Why care about SOA Security?
Meant to ease connecting applications
Every new technology creates new security concerns
Often used to connect critical, back-end applications
Not addressed by existing packet-level security infrastructure
Increasingly included in larger software packages and services
Complex processing model
New compliance or regulatory environments
More than one part of an organization has to be involved
Presents some opportunities for improved security
“Implementation of Microsoft SOAP, a protocol running over HTTP precisely so it could bypass firewalls, should be withdrawn. According to the Microsoft documentation: ‘Since SOAP relies on HTTP as the transport mechanism, and most firewalls allow HTTP to pass through, you'll have no problem invoking SOAP endpoints from either side of a firewall.’” – Bruce Schneier, circa 2000

5 Key Specs & Standards
Foundation
  – XML
  – SOAP
  – XPath/XSLT
  – XSD (XML Schema)
Security Building Blocks
  – XML Digital Signature
  – XML Encryption
Upper-Layer Protocols/Standards
  – WS-Security
  – WS-Trust
  – WS-SecureConversation
  – XKMS
  – SAML
  – XACML
  – WS-Policy and WS-SecurityPolicy

6 Web Service Message Layout
[Diagram labels: IP, SOAP Envelope, SOAP Headers, SOAP Body, HTTP, Binary, Text, XML/Text, WS-Security, SAML token]

7 Some XML Threats
XML Entity Expansion and Recursion Attacks
XML Document Size Attacks
XML Document Width Attacks
XML Document Depth Attacks
XML Wellformedness-based Parser Attacks
Jumbo Payloads
Recursive Elements
MegaTags – aka Jumbo Tag Names
Public Key DoS
XML Flood
Resource Hijack
Dictionary Attack
Message Tampering
Data Tampering
Message Snooping
XPath Injection
SQL injection
WSDL Enumeration
Routing Detour
Schema Poisoning
Malicious Morphing
Malicious Include – also called XML External Entity (XXE) Attack
Memory Space Breach
XML Encapsulation
XML Virus
Falsified Message
Replay Attack

8 Attacks on WS Engine itself
Memory barrier breach
  – Buffer overruns
XDoS
  – Single-message (incl. crypto)
  – Multimessage
  – Asymmetry of XML processing
Field injection
  – Automarshalling
External reference attacks
  – Filesystem
  – Internal network
  – External network
[Charts: "XDoS Impact on Server Resources", axes resources vs. time. Captions: "Requests overwhelm system resources"; "Faster detection allows system to resist attack"]

9 XML-SOA Validation
3 major categories:
Well-formedness checking (generic)
  – Is this XML-encoded data?
Protocol validation (generic)
  – Is this SOAP?
Schema validation (application-specific)
  – Does structure of XML document match our expectation?
  – Does its data conform to data types and constraints?
  – Specs: DTD, XML Schema, WSDL, RELAX-NG, Schematron
Most of the information created as side-effect of app development
Key take-away: can validate content of app-specific PDU on the wire
[Diagram labels: Server, App, Server, App, …]
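
The three validation categories on this slide, applied in order to one message, as an added example that is not from the presentation. The `urn:example:expense` namespace, the `SubmitExpense` operation and its two fields are hypothetical, and the hand-written stage 3 stands in for a real schema validator, which the Python standard library does not include; refusing any DOCTYPE in stage 1 is a choice made here.

```python
import re
import xml.etree.ElementTree as ET
from xml.parsers import expat

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"  # SOAP 1.1 namespace
APP = "{urn:example:expense}"  # hypothetical application namespace
FIELDS = [("employeeId", r"\d{1,8}"), ("amount", r"\d{1,6}\.\d{2}")]  # hypothetical

class Rejected(Exception): pass  # str() names the stage that failed

def _forbid_dtd(*_args):
    raise Rejected("well-formedness: DOCTYPE not allowed")

def check_wellformed(raw):
    """Stage 1 (generic): is this XML-encoded data, with no DTD attached?"""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid_dtd  # stop before entities are declared
    try:
        parser.Parse(raw, True)
    except expat.ExpatError as exc:
        raise Rejected(f"well-formedness: {exc}") from None
    return ET.fromstring(raw)

def check_soap(root):
    """Stage 2 (generic): is this SOAP? Returns the single Body element."""
    bodies = root.findall(SOAP + "Body")
    if root.tag != SOAP + "Envelope" or len(bodies) != 1:
        raise Rejected("protocol: not a SOAP 1.1 envelope with one Body")
    return bodies[0]

def check_expense(body):
    """Stage 3 (application-specific): hand-written stand-in for a schema."""
    if ([c.tag for c in body] != [APP + "SubmitExpense"]
            or [c.tag for c in body[0]] != [APP + n for n, _ in FIELDS]):
        raise Rejected("schema: unexpected structure")
    for child, (name, pattern) in zip(body[0], FIELDS):
        if len(child) or not re.fullmatch(pattern, child.text or ""):
            raise Rejected(f"schema: {name} violates its type")

def validate(raw):
    try:
        check_expense(check_soap(check_wellformed(raw)))
    except Rejected as exc:
        return str(exc)
    return "accepted"

GOOD = (b'<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"><e:Body>'
        b'<SubmitExpense xmlns="urn:example:expense"><employeeId>1042</employeeId>'
        b'<amount>129.50</amount></SubmitExpense></e:Body></e:Envelope>')  # constructed sample
```

`validate()` returns the first stage that fails, so a gateway log built on it shows whether a message was rejected as non-XML, non-SOAP, or outside the application's declared structure.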

10 XML Crypto
XML Encryption
  – Encrypt: select, crypt
  – Decrypt: select, decrypt
XML Digital Signature
  – Sign: select, transform, canonicalize, hash, crypt
  – Verify: select, transform, canonicalize, hash, crypt, compare
Resources:
  – http://www.w3.org/TR/xmldsig-core/
  – http://www.w3.org/TR/xmlenc-core/
Key takeaway: can sign, verify, encrypt, decrypt messages or portions of messages using a well-specified, interoperable standard
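
The sign and verify steps listed on this slide (select, canonicalize, hash, crypt, compare), written out as an added example that is not from the presentation and is not an interoperable XML Signature implementation. Assumptions: the transform step is omitted, HMAC-SHA256 with a shared key stands in for the public-key operation, the standard library's C14N 2.0 stands in for the canonicalization algorithms XML Signature normally names, and `SignedInfo` is reduced to a reference URI and a digest value.

```python
import base64, copy, hashlib, hmac
import xml.etree.ElementTree as ET

def select(doc, ref_id):
    """select: the one element whose Id attribute matches the reference."""
    hits = [e for e in ET.fromstring(doc).iter() if e.get("Id") == ref_id]
    if len(hits) != 1:  # a missing or duplicated Id makes the reference ambiguous
        raise ValueError("reference must resolve to exactly one element")
    return hits[0]

def c14n(elem):
    """canonicalize: one byte string for every equivalent serialisation."""
    node = copy.copy(elem)
    node.tail = None  # text following the element is outside the signed portion
    return ET.canonicalize(ET.tostring(node, encoding="unicode")).encode()

def digest(doc, ref_id):
    """hash: base64 SHA-256 of the canonical form of the selected element."""
    return base64.b64encode(hashlib.sha256(c14n(select(doc, ref_id))).digest()).decode()

def signature(ref_id, digest_b64, key):
    """crypt: HMAC-SHA256 over a canonical, simplified SignedInfo element."""
    info = ET.Element("SignedInfo")
    ref = ET.SubElement(info, "Reference", URI="#" + ref_id)
    ET.SubElement(ref, "DigestValue").text = digest_b64
    return base64.b64encode(hmac.new(key, c14n(info), hashlib.sha256).digest()).decode()

def sign(doc, ref_id, key):
    d = digest(doc, ref_id)
    return d, signature(ref_id, d, key)

def verify(doc, ref_id, digest_b64, sig_b64, key):
    """compare: check the MAC over SignedInfo, then re-hash the referenced data."""
    expected = signature(ref_id, digest_b64, key)
    if not hmac.compare_digest(expected.encode(), sig_b64.encode()):
        return False
    return hmac.compare_digest(digest(doc, ref_id).encode(), digest_b64.encode())

KEY = b"constructed-demo-key"  # constructed for this example
# Constructed sample messages: the signed <item> is equivalent in the first two.
DOC = b'<order><item Id="p1" sku="A7" qty="2"><price>19.99</price></item><note>gift</note></order>'
REORDERED = b'<order>\n <item qty="2"  sku="A7" Id="p1" ><price>19.99</price></item><note>rush</note></order>'
TAMPERED = DOC.replace(b"19.99", b"0.01")
```

Signing `DOC` and verifying `REORDERED` succeeds because only the `item` element is referenced and canonicalization removes the attribute-order and spacing differences; `TAMPERED` fails at the digest comparison.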

11 XML Signature Example
https://java.sun.com/webservices/docs/2.0/tutorial/doc/XMLDigitalSignatureAPI7.html

12 (Federated) Identity Management
Uniquely intertwined
Federated identity standards use Web services (XML) protocols
Secure SOA and Web services require identity
Rebuilding enterprise identity management architecture the SOA way
SOA governance requires identity
However, the federated identity management and web services security problems are not the same

13 Access Control With Federated Identity Protocols
[Diagram labels: XML protocol application, HR portal, Expense App, Support App, CRM, Travel Desk, Server #1, Server #2, Quote App]

14 Federated Identity
Uses lessons from US federal system and application integration
Optionally decentralized model
XML formats for representing identity and attribute information
Set of open XML protocols for requests and responses for access control information
One or more access control servers
Enable applications by
  – Use of open web services protocols
  – Optional use for utility toolkits / APIs
Communication between enabled app and server is via open web services wire protocol
Resources:
  – http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security#samlv20
  – http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html

15 XML Security Gateways / XML Firewalls
XML (WS) Security Gateway is superset, includes XML Firewall
XML Firewall: XML threat protection, filtering
WS-Security, WS-Trust, digital signature, encryption
Fine-grained access control & security policy enforcement point
Service level management
Service virtualization
Resources:
  – http://www.ibm.com/software/integration/datapower/

16 SOA Security Deployment
[Diagram labels: XML protocol application, Web Service #2, Web Service #1, Access Control (IM) Server, UDDI Registry, Service Level Monitoring & Management Server]
Not pictured: PKI server, log server, datacenter mgmt, etc.

17 From Packets to Messages
“Packet-level” security: filter and control IP packets
Limitations
  – Transition from perimeter to perimeter-less world
  – Network application security
Partial protocol parsing, attack signatures, learning mode, etc.
Most applications care about “messages”, not packets
To secure an app, must know valid inputs and outputs for the app
“Known-good”, “positive” security model
5000 apps → 5000 configurations
Data-centric security, protecting the actual data and documents
Basic technology has been there long before SOA/XML

18 Message-Level Security
Enabled by software industry’s shift to XML Web Services
Mature standards
  – WSDL
  – XML Schema
  – XPath
  – WS-Security
  – SAML
Creates new capabilities and features for apps (not just for security)
Application-specific wire protocols documented in machine-readable, declarative style
Security context bound to message
Standard policy language
A network device can now instantly “grok” a custom application
End of manual configuration → positive security model

19 Summary
To first order, XML=SOAP=WebServices~SOA
Why SOA security matters
XML threats
Security building blocks
Federated identity
Web services security gateways
Message-level security

