WebServices, GridServices and Firewalls Matthew J. Dovey Technical Manager Oxford e-Science Centre
1 WebServices, GridServices and Firewalls
Matthew J. Dovey, Technical Manager, Oxford e-Science Centre
http://e-science.ox.ac.uk (matthew.dovey@oucs.ox.ac.uk)

2 WebServices
Method of inter-computer communication
  Initially Remote Procedure Call
Uses XML for messages
Uses existing “Web”/Internet protocols for transfer
  e.g. HTTP for synchronous
  e.g. SMTP for asynchronous

3 WebServices
Service defined by endpoint
  e.g. URL http://myserver.org/myservice
  e.g. e-mail address myservice@myserver.org
Operation (and parameters) defined by XML message
  e.g. …

4 WebServices and Firewalls
SOAP 1.0 (Microsoft) – the ability to transfer information between organisations through the firewall
Ability to offer multiple WebServices through a single port
Ability to offer multiple WebServices through protocols traditionally allowed through firewalls (http, smtp)
No portmappers

5 Securing WebServices
Publishing model
  Internal services behind the firewall
  “publish” only safe public services
  Comparable to public website vs internal intranet for documents
But…
  Web Services have bugs
  Web Service Infrastructures have bugs
  Web Servers/SMTP Servers have bugs

6 Securing WebServices
Application Level Firewalls
  Traditional firewalls assume application defined by port
  WebServices defined by endpoint (URL) and XML data
  Application Firewalls inspect XML data
  Check XML conformant with application (determined by endpoint)
  Block unregistered endpoints/XML data
  Strong linkage between firewall and application (no longer disconnected black boxes)
  Issues with encrypted data (the firewall can only check what it can read, so it must sit at or behind the point where SSL/TLS is terminated)
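The slide describes the checks an application-level firewall performs: identify the service by endpoint URL rather than port, parse the XML, confirm the message is one the endpoint actually offers, and block anything unregistered. The following is an added example written for this page (it is not code from the talk or from any Oxford e-Science project) of such a filter in Python. The endpoint registry, the service namespace `urn:example:myservice`, the size cap and the sample SOAP messages are all constructed for illustration; the SOAP 1.1 envelope namespace is the real one.

```python
"""Minimal XML-aware "application firewall" check for SOAP endpoints.

Added example (not from the slides): the decision is keyed on the endpoint
URL and the XML body, not on a TCP port.  The registry, namespaces and
sample messages below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace

# Hypothetical registry: endpoint path -> (service namespace, allowed operations).
# Anything not listed here is "unregistered" and blocked.
REGISTRY = {
    "/myservice": ("urn:example:myservice", {"GetStatus", "ListJobs"}),
}

MAX_BODY = 64 * 1024  # bytes; refuse oversized messages before parsing them


def soap_body_operation(xml_bytes):
    """Return (namespace, local_name) of the first child of soap:Body, or raise ValueError."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("missing or empty soap:Body")
    op = body[0]
    if not op.tag.startswith("{"):
        raise ValueError("operation element has no namespace")
    ns, local = op.tag[1:].split("}", 1)   # ElementTree tags look like "{ns}local"
    return ns, local


def inspect(path, xml_bytes):
    """Decide whether a request to `path` carrying `xml_bytes` may pass.

    Returns (allowed, reason).  Checks, in order: registered endpoint, size cap,
    no DTD/entity declarations (keeps entity-expansion tricks away from the
    parser), well-formed SOAP, and an operation the endpoint actually offers.
    """
    if path not in REGISTRY:
        return False, "unregistered endpoint"
    if len(xml_bytes) > MAX_BODY:
        return False, "body too large"
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return False, "DTD/entity declarations not allowed"
    try:
        ns, op = soap_body_operation(xml_bytes)
    except (ET.ParseError, ValueError) as exc:
        return False, f"malformed message: {exc}"
    want_ns, allowed_ops = REGISTRY[path]
    if ns != want_ns:
        return False, f"operation namespace {ns!r} not registered for {path}"
    if op not in allowed_ops:
        return False, f"operation {op!r} not registered for {path}"
    return True, f"{op} allowed"


# Constructed sample messages (not captured traffic).
GOOD = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><m:GetStatus xmlns:m="urn:example:myservice"><m:job>42</m:job></m:GetStatus></soap:Body>
</soap:Envelope>"""

BAD_OP = GOOD.replace(b"GetStatus", b"DeleteEverything")

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><m:GetStatus xmlns:m="urn:example:myservice">&e;</m:GetStatus></soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    for label, path, body in [("good", "/myservice", GOOD),
                              ("bad op", "/myservice", BAD_OP),
                              ("unregistered", "/admin", GOOD),
                              ("xxe", "/myservice", XXE)]:
        print(f"{label:12s} -> {inspect(path, body)}")
```

The registry is the "strong linkage" the slide mentions: the filter has to know each endpoint's namespace and operations, so it must be maintained alongside the service rather than as an independent black box. It also only works on plaintext, which is the "issues with encrypted data" point; the same check placed in front of a TLS terminator sees nothing.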

7 Securing WebServices
Private Networks via SSL
  WebService encryption either
    Sensitive message parts (avoiding cost of encrypting all the message)
    Transport (e.g. https, smtp over SSL etc.)
  Use of SSL for private network services
    Encrypt and authenticate via x509 certificates
    No certificate – no access
  Comparable to VPN solutions for Globus 2

8 GridServices
An application framework built on WebServices
Differences from traditional “WebServices”
  State handling
  NotificationSource and NotificationSink

9 Notification Events
Under the OGSA Notification model both source and recipient of a notification must implement a GRID Service interface
i.e. GRID clients (typically desktops) must behave as a GRID Service (WebService) server
Security of desktop as crucial as security of server
Issues with VPNs

10 State handling
WebServices handle state via
  Out of band session id, e.g. HTTP cookie
  Service defined session id carried in SOAP Envelope
GRIDServices handle state via factories
  Factory service returns a URL to a dedicated service for that client
  URL acts as session id
  Similar to RPC port mapping (“URL mapping”)

11 GRIDService Factories - Cons
Hijacking
  URLs are transparent (visible in the clear) when not over SSL
  (WebServices can selectively encrypt)
  Danger of predictable URLs
  (WebServices can generate random and semantic-less keys)
May be difficult to use with application level firewalls which rely on fixed endpoints for services

12 GRIDService Factories - Pros
Factory could link generated service strongly to client
  Service linked to given ip address only
  Service only allows https/SSL connection from client certificate
  i.e. a “knock on door” system, comparable to the “dynamic firewall” solution for Globus 2
Instance could be on another machine
  Factory on front-end box
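Slides 10 to 12 describe the factory pattern and the two ways it can go wrong or right: the instance URL is the session id, so it must be unpredictable (slide 11), and the factory can bind the instance to the client's IP address and x509 certificate so that only that client gets in, with no certificate meaning no access (slides 7 and 12). The following is an added example for this page, not code from the talk or from any Globus/OGSA implementation, of a factory that does both in Python. The base URL `https://myserver.org/myservice/instances/`, the instance lifetime, and the certificate subject strings are assumptions made for the example; how the certificate subject reaches the factory (normally from the TLS layer's peer certificate) is outside the block.

```python
"""Grid-style service factory with hardened per-client instance URLs.

Added example (not from the slides): the factory hands each client a
dedicated instance URL, makes the URL unguessable, binds the instance to
the client's IP address and x509 certificate subject, and lets it expire.
BASE_URL, INSTANCE_TTL and the identities used in __main__ are constructed.
"""
import secrets
import time

BASE_URL = "https://myserver.org/myservice/instances/"  # hypothetical front-end box
INSTANCE_TTL = 3600  # seconds; instances expire instead of living forever


class Factory:
    def __init__(self, now=time.time):
        self._instances = {}   # token -> {"ip", "subject", "created"}
        self._now = now        # injectable clock so expiry can be exercised

    def create(self, client_ip, cert_subject):
        """Create an instance for this client and return its URL.

        The path component is 32 bytes from the OS CSPRNG (256 bits), so it
        carries no semantics and cannot be predicted or enumerated; this is
        the "random and semantic-less key" of slide 11.
        """
        if cert_subject is None:
            raise PermissionError("client certificate required")
        token = secrets.token_urlsafe(32)
        self._instances[token] = {
            "ip": client_ip,
            "subject": cert_subject,
            "created": self._now(),
        }
        return BASE_URL + token

    def authorize(self, url, client_ip, cert_subject):
        """Return (ok, reason) for a request to `url` from this IP and certificate.

        Unknown, expired and mismatched instances all yield the same generic
        reason so a probing caller cannot tell which binding it failed.
        """
        if cert_subject is None:
            return False, "client certificate required"   # no certificate, no access
        if not url.startswith(BASE_URL):
            return False, "no such instance"
        token = url[len(BASE_URL):]
        inst = self._instances.get(token)
        if inst is None:
            return False, "no such instance"
        if self._now() - inst["created"] > INSTANCE_TTL:
            del self._instances[token]
            return False, "no such instance"
        # Constant-time comparison of the identity bindings (bytes, so
        # non-ASCII subjects are accepted by compare_digest).
        ok = (secrets.compare_digest(inst["ip"].encode(), client_ip.encode())
              and secrets.compare_digest(inst["subject"].encode(), cert_subject.encode()))
        return (True, "ok") if ok else (False, "no such instance")


if __name__ == "__main__":
    f = Factory()
    url = f.create("10.0.0.5", "CN=alice,O=Oxford")
    print("instance:", url)
    print("same client:", f.authorize(url, "10.0.0.5", "CN=alice,O=Oxford"))
    print("other host: ", f.authorize(url, "10.0.0.6", "CN=alice,O=Oxford"))
    print("other cert: ", f.authorize(url, "10.0.0.5", "CN=mallory,O=Elsewhere"))
    print("no cert:    ", f.authorize(url, "10.0.0.5", None))
```

The expiry and the generic failure reason are not on the slides; they are the two extra things a practitioner would add, since a session URL that never expires and a server that distinguishes "wrong IP" from "wrong certificate" both make hijacking easier. The IP binding is only as strong as the network: behind NAT or a VPN concentrator (the "issues with VPNs" of slide 9) several clients share one address, so the certificate check is the one that actually identifies the client.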

13 Summary
WebServices originally bypassed firewalls
WebServices require sophisticated application-aware protection
WebServices/GRIDServices potentially offer mechanisms for enforcing security (e.g. certificate authentication)

