Web Services Security Patterns Alex Mackman CM Group Ltd

Presentation transcript:

patterns & practices Guidance

Agenda
- Background
- Authentication patterns
- Message protection patterns
- Applying patterns to common scenarios

Web Service Threats (between client and service)
- Message Tampering
- Eavesdropping
- Configuration Information Disclosure
- Message Replay
- Unauthorized Access
- Elevation of Privileges

Countermeasures
- Authentication: user names and passwords; X.509 certificates; Kerberos tokens; SAML STS tokens
- Authorization: role based, resource based
- Encryption: symmetric, asymmetric, transport level, message level
- Digital signatures
- Many others!

Why Patterns?
- Good starting point for investigating specific areas
- To learn the alternatives within a specific problem domain
- Navigating the patterns & practices Web service security patterns can be achieved by using:
  - Security decision trees
  - Common scenarios
  - Problem / solution matrices

The Technologies
- Today: Web Services Enhancements (WSE) 3.0
- Tomorrow: Windows Communication Foundation (WCF)
- The technologies are getting easier to use:
  - Standard policy assertions to help meet key customer scenarios with minimal coding
  - Higher levels of abstraction
  - Declarative programming models

Direct Authentication
Participants: Client, Service, Identity Store
1. Request (client to service)
2. Validate credentials (service against the identity store)
3. Response (service to client)

Brokered Authentication
Participants: Client, Authentication Broker, Identity Store, Service
1. Auth Request (client to authentication broker)
2. Validate credentials (broker against the identity store)
3. Auth Response (broker returns a token to the client)
4. Service Request (client to service, carrying the token)
5. Validate Token (service)
6. Service Response (service to client)
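The two flows above, as an added example that is not part of the presentation: a constructed identity store, a broker that issues an HMAC-signed, time-limited token (an assumed stand-in for the Kerberos or SAML token the deck discusses, using an assumed key shared between broker and service), and services that either validate the credential directly or validate only the broker's token.

```python
import base64
import hashlib
import hmac
import json

# Constructed identity store and shared key (example data, not from the deck).
IDENTITY_STORE = {"alice": "correct horse battery staple"}
BROKER_SERVICE_KEY = b"constructed-key-shared-by-broker-and-service"


def validate_credentials(user: str, password: str) -> bool:
    """Step 2 of both flows: the identity store checks the presented credential."""
    stored = IDENTITY_STORE.get(user, "")
    return hmac.compare_digest(stored.encode(), password.encode())


def direct_auth_service(user: str, password: str) -> str:
    """Direct Authentication (steps 1-3): the service validates the credential itself."""
    if not validate_credentials(user, password):
        return "401 Unauthorized"
    return f"200 OK for {user}"


def broker_issue_token(user: str, password: str, now: int, ttl: int = 300):
    """Brokered Authentication steps 1-3: the broker validates the credential and
    returns a signed, expiring token; None means authentication failed."""
    if not validate_credentials(user, password):
        return None
    claims = base64.urlsafe_b64encode(json.dumps({"sub": user, "exp": now + ttl}).encode())
    tag = hmac.new(BROKER_SERVICE_KEY, claims, hashlib.sha256).hexdigest()
    return claims.decode() + "." + tag


def service_validate_token(token: str, now: int):
    """Step 5: the service checks the broker's signature and the expiry with the shared
    key; it never sees the password and never contacts the identity store."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    claims_b64, tag = parts
    expected = hmac.new(BROKER_SERVICE_KEY, claims_b64.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered token
    claims = json.loads(base64.urlsafe_b64decode(claims_b64))
    if claims["exp"] <= now:
        return None  # expired token, so replaying an old one fails here
    return claims["sub"]


def brokered_auth_service(token: str, now: int) -> str:
    """Steps 4 and 6: the service request carries the token; the response follows validation."""
    user = service_validate_token(token, now)
    return f"200 OK for {user}" if user else "401 Unauthorized"
```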

Brokered Authentication Patterns
- Architecture: Brokered Authentication
- Design: Kerberos; X.509; SAML STS
- Implementation: Transport Layer with Windows Integrated; Message Layer with Kerberos and WSE; Transport Layer with SSL; Message Layer with X.509 and WSE; Message Layer with SAML Tokens

Direct Authentication Patterns
- Architecture: Direct Authentication
- Design and implementation variants: Username Token with Directory Service; Username Token with Data Store; HTTP Basic; Username Token with Windows Auth

Direct Authentication: User name token over transport with WSE 3.0

Message Protection Patterns
- Design: Data Origin Authentication; Message Validator; Data Confidentiality
- Implementation: Message Layer X.509 Certs in WSE; Transport Layer Confidentiality with HTTPS

Message layer security with X.509 certificates in WSE 3.0

Public Web Service Scenario: Merchant Web Application Example
Merchant Web Application -> Distributor Service -> Catalog Data

Public Web Service Scenario: Security Decisions

| Factor | Consideration | Decision |
|---|---|---|
| Authentication | Merchant accounts are stored in a custom database or directory service | UsernameToken can be used with custom auth, Windows auth or any other directory service |
| Authentication | Merchants accessing the Web service must be authenticated | UsernameToken provides the ability to authenticate merchants |
| Message Protection | Message data is sensitive and must be protected | HTTPS protects the message data while in transit between merchant and distributor |

Public Web Service Scenario: Recommended Patterns
- Direct authentication pattern
- Direct authentication: Username token over HTTPS pattern
- Data confidentiality pattern
- Trusted subsystem pattern

Public Web Service Scenario: Security Solution
Components: Merchant Web Application, Distributor Web Service, Catalog Data, Identity Store
- Merchant Web Application to Distributor Web Service: Username token with HTTPS (validated against the Identity Store)
- Distributor Web Service to Catalog Data: Trusted Subsystem

Intranet Web Service Scenario: Banking Application Example
Banking Application -> Withdrawal Web Service -> Customer Account Database

Intranet Web Service Scenario: Security Decisions

| Factor | Consideration | Decision |
|---|---|---|
| Authentication | Customer service reps are located in AD on a computer running Windows Server 2003 | Active Directory supports the Kerberos protocol |
| Authentication | Application must support SSO capabilities | Kerberos supports SSO capabilities |
| Authentication | Mutual authentication is required | KerberosToken contains both requestor and service information |
| Auditing | Account activities carried out by customer service reps must be audited | Kerberos supports impersonation/delegation, which enables downstream auditing |
| Message protection | Message data is sensitive. Must be protected against unauthorized access and tampering | KerberosToken can be used to encrypt a message and sign a message |

Intranet Web Service Scenario: Recommended Patterns
- Brokered authentication pattern
- Brokered authentication: Kerberos pattern
- Data confidentiality pattern
- Data origin authentication pattern
- Composite implementation pattern: Message layer security with Kerberos in WSE 3.0 pattern (authenticates, signs and encrypts)

Intranet Web Service Scenario: Security Solution
Components: Banking Application, Withdrawal Web Service, Customer Account Database, Active Directory / KDC
- Banking Application to Withdrawal Web Service: Kerberos Token (issued via Active Directory / KDC)
- Withdrawal Web Service to Customer Account Database: Impersonation / Delegation

Internet B2B Scenario: Manufacturing Company Example
Manufacturing Company: Supply Chain Application -> Procurement Web Service -> (Internet) -> Supplier: Ordering Web Service

Internet B2B Scenario: Security Decisions

| Factor | Consideration | Decision |
|---|---|---|
| Authentication | Supply chain application users are in AD on Windows Server 2003 | Kerberos is supported by AD on the intranet |
| Authentication | Application must support SSO capabilities | Kerberos supports SSO capabilities |
| Authentication | External Web service is hosted in an unknown environment | Interaction between internal and external Web service does not require credentials. X.509 certs can be used |
| Authentication | External Web service is hosted in an unknown environment | X.509 certs represent a well known protocol that supports interop with other platforms |
| Message protection | Message data is sensitive. Must be protected against unauthorized access and tampering | X.509 certs can be used to encrypt a message and sign a message |

Internet B2B Scenario: Recommended Patterns
- Brokered authentication pattern
- Brokered authentication: X.509 certificates pattern
- Brokered authentication: Kerberos pattern
- Data confidentiality pattern
- Data origin authentication pattern
- Composite implementation pattern: Message layer security with Kerberos in WSE 3.0 pattern (authenticates, signs and encrypts)

Internet B2B Scenario: Security Solution
Components: Supply Chain Application and Procurement Web Service (Manufacturing Company), Ordering Web Service (Supplier), Active Directory / KDC, Perimeter Service Router, Internet
- Supply Chain Application to Procurement Web Service: Kerberos via Active Directory / KDC
- Procurement Web Service to Ordering Web Service across the Internet: X.509 Cert

More Information
- Web Service Security: Scenarios, Patterns and Implementation Guidance for Web Services Enhancements (WSE)
- Encrypting part of a message nugget: ggets.aspx
- WSE 3.0 Download: vices/building/wse/default.aspx
- Mail me with questions

© 2004 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.