Presentation is loading. Please wait.

Presentation is loading. Please wait.

CTO Office Reliability & Security Distinctions and Interactions Hal Lockhart BEA Systems.

Similar presentations

Presentation on theme: "CTO Office Reliability & Security Distinctions and Interactions Hal Lockhart BEA Systems."— Presentation transcript:

1 CTO Office Reliability & Security Distinctions and Interactions Hal Lockhart BEA Systems

2 CTO SOA; Slide 2 Topics Similarities and differences Denial of Service Layering Principles Security Services Reliability Services Combining Security and Reliability

3 CTO SOA; Slide 3 Are Security & Reliability Different? Some Security Objectives  Service availability  Error detection  Prevent data loss  Prevent data duplication or reordering Some Reliability Objectives  Service availability  Error detection  Prevent data loss  Prevent data duplication or reordering

4 CTO SOA; Slide 4 Information Security Definition Technologies and procedures intended to implement organizational policy in spite of human efforts to the contrary. Suggested by Authorization Applies to all security services Protection against accidents is incidental Suggests four areas of attention

5 CTO SOA; Slide 5 Information Security Areas Policy determination  Expression: code, permissions, ACLs, Language  Evaluation: semantics, architecture, performance Policy enforcement  Maintain integrity of Trusted Computing Base (TCB)  Enforce variable policy

6 CTO SOA; Slide 6 Reliability Service Protects against accidental errors Services available in spite of random failures Many distinct guarantees possible  Data complete  Data in order  No duplication  End to end transactions  Queue to queue transactions Can be combined with security mechanisms

7 CTO SOA; Slide 7 Different Assumptions Reliability: messages come from cooperating entity Security: network is untrusted  Any message can be read by attackers  Any message can be modified by attackers  Assume some Trusted Computing Base (TCB) Reliability  Check CRC – retransmit  Ignore low probability events Security  Use secure hash function, e.g. SHA1  Assume any event sequence is possible

8 CTO SOA; Slide 8 Denial of Service Commonly misunderstood Attacker modifies every message  Even if modifications are detected – zero throughput  Attack is easily detected and source located  No benefit to attack Must assume “enough” messages get through

9 CTO SOA; Slide 9 Types of Denial of Service Type 1 – Silver Bullet  Some message(s) cause crash  Example: Ping O’ Death  Clearly a bug, not in specification or design Type 2 – Amplifier Attack  Small attacker effort - big effect  Example: Smurf  Harder to fix, possibly alter specification or design Type 3 – Flood Attack  Overload slows server to a crawl  Examples: Distributed attack against public web servers  May be indistinguishable from legitimate usage  May be no real way to fix  Important to identify and locate source

10 CTO SOA; Slide 10 Layering Layer 3 Layer 2 Layer 1 Layer 3 Layer 2 Layer 1

11 CTO SOA; Slide 11 Layering Principles A form of encapsulation Corresponding layers communicate via peer protocol Messages pass through all active layers Guidelines  Layers must operate sequentially  Layers must operate on distinct data  Layers should not duplicate each other Composability  Stronger condition  Layers may be omitted

12 CTO SOA; Slide 12 Composable Services WS Consumer Travel Agency Web Service Airline Reservation Web Service Hotel Reservation Web Service Rental Car Reservation Web Service

13 CTO SOA; Slide 13 Composable Layers Routing Reliability Security Routing Security Routing Reliability or

14 CTO SOA; Slide 14 Basic Security Services Not relevant to Reliability  Authentication  Confidentiality (encryption)  Authorization Integrity service  Check signature  Discard invalid Non-duplication service  Integrity service  Include nonce and timestamp under signature  Discard if nonce is duplicated or message too old

15 CTO SOA; Slide 15 Basic Reliability Service Reliability in face of network failures Implementation  Number all messages  Request retransmission if out of order message received  Discard duplicate messages  Present data in order  Care must be taken when ending session – flush data  Efficiency considerations TCP does this  HTTP can start and stop TCP sessions  SOAP can travel over multiple protocols, not just HTTP

16 CTO SOA; Slide 16 End to End Reliability Ensure consistency and recovery in face of node failures as well as network failures Two levels  Distributed transactions  ACID properties  Application rollback on error  Not feasible for loosely coupled systems  Queue to queue transactions  Acid properties from queue to queue (no loss, no duplicates)  Rollback by compensating transactions only (hard)  Desirable approach for public web services

17 CTO SOA; Slide 17 Combining Security & Reliability Security should be below Reliability  Discard invalid messages  Reliability (if present) will retransmit  SSL/TLS are “broken” in this regard Security should be below other layers  Validate signatures  Decrypt data  Issue: must pass along metadata with message (e.g. what was signed, who was authenticated) Security & Reliability could be intertwined  Loss of composibility

18 CTO SOA; Slide 18 Summary Security and Reliability share some goals, but  Reliability assumes random errors  Security assumes human attacks Several distinct types of Denial of Service Denial of service is not necessarily bad, if we know it is happening and can locate the source Composability of services is desirable Security can detect modified and duplicated data Reliability can protect against network failures alone or network and system failures Queue to queue transactions are useful for B2B Security should be the bottom layer

Download ppt "CTO Office Reliability & Security Distinctions and Interactions Hal Lockhart BEA Systems."

Similar presentations

Ads by Google