Application of XML Schema in Web Services Security Sridhar Guthula W3C XML Schema 1.0 User Experiences

QuickTree Inc.2 About me 10 years in enterprise software business XML focus since 1998 Projects –XML Schema 1.0 validation engine, SOAP security framework, XSLT 1.0 compiler, hardware based XML Parser. –Large XML based language for a declarative constraint engine –Storing XML documents in a RDBMS –XML Schemas for Catalog Services, XML based RPCs and Workflows Systems

QuickTree Inc.3 QuickTree SOAP Security Module (SSM) Designed from the ground up with OEM integration in mind, the SSM hides the complexities of XML processing and allows network equipment like Firewalls, SSL VPN devices and Load Balancers to inspect and secure Web Services traffic

QuickTree Inc.4 SOAP Security in the Network

QuickTree Inc.5 Features XML Denial of Service Prevention - Checking for XML well-formedness, nested element depth, element length, message size, external entities, attribute length, etc WSDL Based Access Control - Limit a user or group's access to particular services or operations defined in the WSDL file SOAP Structural and Parameter Validation - Prevent mal-structured SOAP messages and apply parameter validation using type checking with full support for regex based schema types SQL and Command Injection Protection - Detect and block command injection attacks, commonly hidden as valid parameters Streaming mode interface - XML messages can be forwarded to the QuickTree module as they come in without blocking

QuickTree Inc.6 QuickTree SOAP Security Module (SSM)

QuickTree Inc.7 User Experience

QuickTree Inc.8 WSDL Based validation XML Schema 1.0 validation engine (‘C’ based) Generate schema by combining WSDL, XML Schema and SOAP Streaming and Hardwarized Structural Validation vs Data-type validation ACLs Issues –Schema Specification –XML Schemas with multiple target namespaces –xsi:type and encoding style –Mapping WSDL/SOAP types to XML Schema types (Ex: soapenc:arrayType) –Versioning

QuickTree Inc.9 Compliance Levels Support compliance/conformance levels (like internationalization standards) –Structural validation and/or Data-type validation –Data-centric or Content-centric Lack of different compliance levels causes vendors to claims full XML Schema compliance. Reduced user confusion and reduced cost in investigating vendor compliance.

QuickTree Inc.10 XML Denial of Service Prevention Checking for XML well-formedness, nested element depth, element length, message size, external entities, attribute length, etc Most of the XML Schema designers do not consider security Policies – QuickTree provides global and User-specific Implementation through inheritance, facets

QuickTree Inc.11 Validating Canonical XML Support for validating canonical XML Canonical form of a valid xml instance should be valid

QuickTree Inc.12 Views or Aspects Given XML Schemas viewed in a different light by different users (network admin, application engineer, customer) Support for different aspects on the same XML Schema Example: Security aspect –Conformance/Compliance Levels: only do structural validation –Ignore Order/Canonicalization: canonical form of a valid xml instance should be valid –DoS configuration values –Xsi:type support

QuickTree Inc.13 Contact Info Sridhar Guthula 855 Embedded Way San José, CA USA

QuickTree Inc.14 Q & A