Presentation is loading. Please wait.

Presentation is loading. Please wait.

Christopher Irish David Orr Sophya Kheim Adam Lange Daniel Palma

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Christopher Irish David Orr Sophya Kheim Adam Lange Daniel Palma"— Presentation transcript:

1 Christopher Irish David Orr Sophya Kheim Adam Lange Daniel Palma
Standards and Strategies of Security for the Service Oriented Architecture Christopher Irish David Orr Sophya Kheim Adam Lange Daniel Palma

2 Agenda Overview Current Problems Current Strategies WS Standards
Future Areas of Research References Questions

3 Web Services Definition
From World Wide Web Consortium (W3C) is the programmatic interfaces made available for application to application communication

4 Types of Web Services

5 Overview Key Concepts for Strategies Authentication Authorization
Integrity Non-repudiation Confidentiality Privacy

6 Current Problems SOAP monitoring and regulation

7 Current Strategies IP Blocking XML Firewall SSL/TLS
Virtual Private Networks (VPN) XML Digital Signature WS-Security XACML SAML

8 IP Blocking Process of identifying those IP addresses from which Web requests will be accepted Achieved by specifying a list of acceptable IP addresses Pros Simple and easy to implement Cons Valid users with invalid IP addresses will be blocked Clients will not be able to access any part of the Web site until you have added their IP to the accepted list

9 Traditional Firewalls
Filters out unauthorized requests by IP Address Pros Easy to implement and maintain Cons IP Address can be spoofed Does not perform authentication, authorization, auditing and validation on web service traffic Can not encrypt or decrypt If web service uses Port 80, difficult to implement Not XML aware

10 XML Firewalls Filters out Unauthorized requests by inspecting XML content Pros Can perform authentication, authorization, auditing and validation on web service traffic Protect against buffer overflows and denial of service Message routing, encryption and forwarding are available Includes features of traditional firewall Cons Difficult to setup Limited vendors No standardization

11 SSL/TLS Endpoint to endpoint encryption of web service traffic over TCP Pros Easy to implement Standardized protocols Protects against network sniffing Cons Does not perform authentication, authorization, auditing and validation on web service traffic Messages can not have multiple transports No Element-Wise Signing Data stored on disk before processing can not be protected Not XML aware

12 Virtual Private Networks
Enables the creation of secure data tunnels among remote sites or hosts for web service traffic Pros Uses several technologies Standardized protocols Secure VPNs - IPSec, SSL/TLS, PPTP, L2TP Trusted VPNs – MPLS, L2F Easy to implement Protects against network sniffing Web service can join or leave dynamically A web service can be invoked dynamically Frees web service from managing access control, auditing and encryption Cons Does not perform validation on web service traffic Data stored on disk before processing can not be protected Not XML aware

13 XML Digital Signature Provide Can sign many types of resources
Authentication Data Integrity Non-repudiation support Can sign many types of resources HTML, binary, XML-encoded data Can be applied to specific portions of XML tree rather than complete document

14 Web Services Standards
OASIS Web Services Security Standard SAML XACML

15 OASIS WS Security Standard
Developed by OASIS on April 29, 2004. Revised and republished February 17, 2006 as version 1.1. Currently the most comprehensive guide to Web Service security. Main purpose is to allow the exchange of secure SOAP messages by protecting its confidentiality and integrity

16 WS-Security Focuses on “Tokens” that are added to the SOAP messages to provide different kinds of security. Is built to be extensible and flexible by allowing different types of token formats to be used in the same message.

17 WS-Security: Username Token
The username token provides a way for a sender to present a claimed identity to the receiver:

18 WS Security: Binary Security Tokens
Used to encode non-XML security token, like x.509 and kerberos. e.g. x.509 Encoding Format

19 WS-Security: XML Signature
The WS-Security standard incorporates the use of XML signatures into SOAP messages Begin signature Reference to signature value Algorithms used to form the signature End signature

20 WS-Security: Timestamp
Allows the freshness of the security features to be determined. Time synchronization is not accounted for.

21 WS-Security: The big picture

22 WS-Security: The big picture cont.

23 XACML Covers subjects such as authorization, access control, and privacy policies that is often overlooked in other standards. XACML (Extensible Access Control Markup Language) is an XML-based policy language that allows for the description of access control requirements.

24 XACML Request sent to Policy Enforcement Point (PEP).
the Policy Information Point (PIP), will use XACML to describe requestors in terms of attributes. PDP actually makes the decisions. Current policy is retrieved Return response to the PEP and ultimately to the user.]

25 SAML Uses “Assertions” to validity and authenticiy.

26 Service to Service Authentication
Verify if a service should be allowed to communicate with another Authorization Methods: Tokens PK certificates Kerberos tickets SAML assertions SSL certificates Most web services follow the OASIS WS-Security standard for any of these methods

27 Establishing Trust Between Services
Trust relationships need to be established between remote web services in order to be useful on a large scale Involves a Trusted Third Party (TTP) Uses Public Key Infrastructure to pass keys through the TTP

28 Distributed Authorization and Access Management
Web Service Access Controls Role-Based Policy-Based Risk-Adaptive

29 Role-Based Access Control
Associates a set of access privileges with a particular user role Allows access based on membership in a group or by id Simplifies security management by providing a role hierarchy

30 Role Based Example

31 Policy Based Access Control
Enforces strict environmental-level access control policies Use notion of a Policy Authority Focuses on automatically enforcing Mandatory Access Controls

32 Risk Adaptive Access Control
Access control decisions are based on a relative risk profile of the subject Predefined policy rules aren’t as strictly enforced as role based Requires real-time information to base risk assessment on with each authentication request

33 Enforcing Least Privilege Access
Users and services should never be given more than the minimum privileges needed to perform an operation Give privileges only when needed Relinquish privileges immediately upon completion Divide complex functions into simple ones, with separate minimal required privilege for each function

34 End to End Accountability
Auditing essential to ensure operations/transactions occurred as expected Dynamic services make it difficult to implement auditing No auditing standard has been defined Web Server logging most common

35 SOAP Simple Object Access Protocol
A SOAP message is fundamentally a one-way transmission between SOAP nodes, from a SOAP sender to a SOAP receiver, but SOAP messages are expected to be combined by applications to implement more complex interaction patterns ranging from request/response to multiple, back-and-forth "conversational" exchanges. Pros Powerful, can perform RPC. Widespread industry support and acceptance Cons Tunnel’s through other protocols, circumventing security. Application programmer responsible for protocol functionality.

36 REST Representational State Transfer
REST strictly refers to a collection of architectural principles. The term is also often used in a looser sense to describe any simple interface that uses XML (or YAML, JSON, plain text) over HTTP without an additional messaging layer such as SOAP.

37 Block Extensive Exchange Protocol BEEP
DTD and XML aware generic application protocol kernel for connection-oriented asynchronous interactions (web services) using Simple Authentication and Security Layer for authentication and authorization Pros Very extensible and simple Built in profiles for security Provides single application user-identity Gaining popularity Implements standardized technologies Sits at transport layer Cons Limited support Development costs can be expensive Can become complicated quickly

38 Future areas of research
Focus on standardization Performance of Web Services security mechanisms Scale of Web Services security

39 Future Areas of Research cont..
Possible future configuration of a web services security system in which an XML Firewall and EASI framework are both implemented together

40 Summary Overview Current Problems Current Strategies New Strategies
WS Standards including OASIS, SAML, XACML References

41 Questions?

Download ppt "Christopher Irish David Orr Sophya Kheim Adam Lange Daniel Palma"

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
DICOM INTERNATIONAL DICOM INTERNATIONAL CONFERENCE & SEMINAR April 8-10, 2008 Chengdu, China DICOM Security Eric Pan Agfa HealthCare.

DICOM INTERNATIONAL DICOM INTERNATIONAL CONFERENCE & SEMINAR April 8-10, 2008 Chengdu, China DICOM Security Eric Pan Agfa HealthCare.
HIPAA Security Standards What’s happening in your office?

HIPAA Security Standards What’s happening in your office?
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.

Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Core Web Service Security Patterns

Core Web Service Security Patterns
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,

Securing Web Services Using Semantic Web Technologies Brian Shields PhD Candidate, Department of Information Technology, National University of Ireland,
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
Web services security I

Web services security I

Similar presentations

Ads by Google