
1 Web Services Security Patterns Alex Mackman CM Group Ltd alexm@cm-consulting.com

2 patterns & practices Guidance http://go.microsoft.com/fwlink/?LinkId=55348

3 Agenda
Background
Authentication patterns
Message protection patterns
Applying patterns to common scenarios

4 Web Service Threats (between Client and Service)
Message Tampering
Eavesdropping
Configuration Information Disclosure
Message Replay
Unauthorized Access
Elevation of Privileges

5 Countermeasures
Authentication: user names and passwords, X.509 certificates, Kerberos tokens, SAML STS tokens
Authorization: role based, resource based
Encryption: symmetric, asymmetric, transport level, message level
Digital signatures
Many others!

6 Why Patterns?
Good starting point for investigating specific areas
To learn the alternatives within a specific problem domain
Navigating the patterns & practices Web service security patterns can be achieved by using:
Security decision trees
Common scenarios
Problem / solution matrices

7 The Technologies
Today: Web Services Enhancements (WSE) 3.0
Tomorrow: Windows Communication Foundation (WCF)
The technologies are getting easier to use:
Standard policy assertions to help meet key customer scenarios with minimal coding
Higher levels of abstraction
Declarative programming models

8 Agenda
Background
Authentication patterns
Message protection patterns
Applying patterns to common scenarios

9 Direct Authentication
Participants: Client, Service, Identity Store
1. Request
2. Validate credentials
3. Response

10 Brokered Authentication
Participants: Client, Authentication Broker, Service, Identity Store
1. Auth Request
2. Validate credentials
3. Auth Response
4. Service Request
5. Validate Token
6. Service Response

11 Brokered Authentication Patterns
Architecture: Brokered Authentication
Design: Kerberos, X.509, SAML STS
Implementation: Transport Layer with Windows Integrated; Message Layer with Kerberos and WSE; Transport Layer with SSL; Message Layer with X.509 and WSE; Message Layer with SAML Tokens
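The six-step brokered flow of slide 10, worked through with the intranet banking scenario's participants. This is an added example, not code from the deck or from the patterns & practices guide; the identity store, the key shared between broker and service, and the HMAC-signed token (a stand-in for a Kerberos ticket or STS-issued SAML token, chosen so the example needs only the standard library) are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed identity store and broker/service key for the banking scenario.
# A real broker issues a Kerberos ticket or an STS-signed SAML token; the
# HMAC-signed token below is an assumed stand-in that needs only the stdlib.
IDENTITY_STORE = {"csr_alice": "pw-alice"}
BROKER_SERVICE_KEY = secrets.token_bytes(32)   # shared out of band, like a service key held by the KDC

def _sign(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()

class AuthenticationBroker:
    """Steps 1-3: the only party that validates credentials against the identity store."""

    def __init__(self, identity_store: dict, key: bytes, lifetime: int = 300):
        self.store, self.key, self.lifetime = identity_store, key, lifetime

    def authenticate(self, username: str, password: str, service: str):
        stored = self.store.get(username)
        if stored is None or not hmac.compare_digest(stored, password):
            return None                        # step 2 failed: no token is issued
        claims = {"sub": username, "aud": service,   # aud binds the token to one service
                  "exp": int(time.time()) + self.lifetime, "id": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode("ascii")
        return body + "." + _sign(self.key, body)   # step 3: auth response carries the token

class WithdrawalService:
    """Steps 4-6: checks the broker's signature and claims, then serves the request
    under that identity. It never sees the password and never contacts the identity
    store, which is what distinguishes it from the direct authentication pattern."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def validate_token(self, token: str, now=None):
        """Step 5: returns the authenticated username, or None if the token is rejected."""
        body, _, sig = token.partition(".")
        if not sig or not hmac.compare_digest(_sign(self.key, body), sig):
            return None                        # forged or tampered token
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims.get("aud") != self.name or claims.get("exp", 0) < (now or time.time()):
            return None                        # issued for another service, or expired
        return claims["sub"]
```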

12 Direct Authentication Patterns
Architecture: Direct Authentication
Design and implementation: Username Token with Directory Service, Username Token with Data Store, HTTP Basic, Username Token with Windows Auth

13 Direct Authentication: User name token over transport with WSE 3.0
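The direct authentication pattern of slides 9 and 12 as an added Python example (not code from the deck's WSE 3.0 demo): the service validates a WS-Security UsernameToken against the identity store itself, and the nonce and Created fields are used to reject the message replay listed on slide 4. The identity store, the merchant username and the five-minute freshness window are assumptions; the digest formula Base64(SHA-1(nonce + created + password)) is the one from the UsernameToken profile.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Constructed identity store for the merchant scenario (username -> password).
IDENTITY_STORE = {"merchant42": "s3cret-pass"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile digest: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def build_username_token(username: str, password: str, created: str = "") -> dict:
    """Client side: the fields a wsse:UsernameToken carries when the password is sent hashed."""
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    nonce = secrets.token_bytes(16)          # fresh per message; the service's replay cache keys on it
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }

class DirectAuthenticator:
    """Service side (step 2): checks the identity store itself, with a freshness window and nonce cache."""

    def __init__(self, identity_store: dict, freshness: timedelta = timedelta(minutes=5)):
        self.store = identity_store
        self.freshness = freshness
        self.seen_nonces = set()             # in production, prune entries older than the window

    def validate(self, token: dict) -> bool:
        password = self.store.get(token.get("Username"))
        try:
            created = datetime.strptime(token["Created"], TIME_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False                     # malformed token
        if password is None or abs(datetime.now(timezone.utc) - created) > self.freshness:
            return False                     # unknown user, or Created outside the replay window
        if token["Nonce"] in self.seen_nonces:
            return False                     # nonce already accepted: message replay
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False                     # wrong password: digest mismatch
        self.seen_nonces.add(token["Nonce"])
        return True
```

The digest profile needs the service to hold the cleartext password or an equivalent secret, which is why the deck's merchant scenario sends the plain UsernameToken only over HTTPS.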

14 Agenda
Background
Authentication patterns
Message protection patterns
Applying patterns to common scenarios

15 Message Protection Patterns
Design: Data Origin Authentication, Data Confidentiality, Message Validator
Implementation: Message Layer with X.509 Certs in WSE; Transport Layer Confidentiality with HTTPS

16 Message layer security with X.509 certificates in WSE 3.0

17 Agenda
Background
Authentication patterns
Message protection patterns
Applying patterns to common scenarios

18 Public Web Service Scenario: Merchant Web Application Example
Merchant Web Application -> Distributor Service -> Catalog Data

19 Public Web Service Scenario: Security Decisions
Factor | Consideration | Decision
Authentication | Merchant accounts are stored in a custom database or directory service | UsernameToken can be used with custom auth, Windows auth or any other directory service
Authentication | Merchants accessing the Web service must be authenticated | UsernameToken provides the ability to authenticate merchants
Message Protection | Message data is sensitive and must be protected | HTTPS protects the message data while in transit between merchant and distributor

20 Public Web Service Scenario: Recommended Patterns
Direct authentication pattern
Direct authentication: Username token over HTTPS pattern
Data confidentiality pattern
Trusted subsystem pattern

21 Public Web Service Scenario: Security Solution
Merchant Web Application -> (Username token with HTTPS) -> Distributor Web Service -> (Trusted Subsystem) -> Catalog Data
Distributor Web Service validates the token against the Identity Store

22 Intranet Web Service Scenario: Banking Application Example
Banking Application -> Withdrawal Web Service -> Customer Account Database

23 Intranet Web Service Scenario: Security Decisions
Factor | Consideration | Decision
Authentication | Customer service reps are located in AD on a computer running Windows Server 2003 | Active Directory supports the Kerberos protocol
Authentication | Application must support SSO capabilities | Kerberos supports SSO capabilities
Authentication | Mutual authentication is required | KerberosToken contains both requestor and service information
Auditing | Account activities carried out by customer service reps must be audited | Kerberos supports impersonation/delegation, which enables downstream auditing
Message protection | Message data is sensitive. Must be protected against unauthorized access and tampering | KerberosToken can be used to encrypt a message and sign a message

24 Intranet Web Service Scenario: Recommended Patterns
Brokered authentication pattern
Brokered authentication: Kerberos pattern
Data confidentiality pattern
Data origin authentication pattern
Composite implementation pattern: Message layer security with Kerberos in WSE 3.0 pattern (authenticates, signs and encrypts)

25 Intranet Web Service Scenario: Security Solution
Banking Application -> (Kerberos Token) -> Withdrawal Web Service -> (Impersonation / Delegation) -> Customer Account Database
Active Directory / KDC issues the Kerberos token

26 Internet B2B Scenario: Manufacturing Company Example
Manufacturing Company: Supply Chain Application -> Procurement Web Service
Internet
Supplier: Ordering Web Service

27 Internet B2B Scenario: Security Decisions
Factor | Consideration | Decision
Authentication | Supply chain application users are in AD on Windows Server 2003 | Kerberos is supported by AD on the intranet
Authentication | Application must support SSO capabilities | Kerberos supports SSO capabilities
Authentication | External Web service is hosted in an unknown environment | Interaction between internal and external Web service does not require credentials. X.509 certs can be used
Authentication | External Web service is hosted in an unknown environment | X.509 certs represent a well known protocol that supports interop with other platforms
Message protection | Message data is sensitive. Must be protected against unauthorized access and tampering | X.509 certs can be used to encrypt a message and sign a message

28 Internet B2B Scenario: Recommended Patterns
Brokered authentication pattern
Brokered authentication: X.509 certificates pattern
Brokered authentication: Kerberos pattern
Data confidentiality pattern
Data origin authentication pattern
Composite implementation pattern: Message layer security with Kerberos in WSE 3.0 pattern (authenticates, signs and encrypts)

29 Internet B2B Scenario: Security Solution
Manufacturing Company: Supply Chain Application -> Procurement Web Service, with Active Directory / KDC
Procurement Web Service -> Perimeter Router -> Internet -> Supplier: Ordering Web Service, secured with X.509 Cert Service

30 More Information
Web Service Security: Scenarios, Patterns and Implementation Guidance for Web Services Enhancements (WSE) 3.0
http://go.microsoft.com/fwlink/?LinkId=55348
Encrypting part of a message nugget
http://www.microsoft.com/uk/msdn/events/nuggets.aspx
WSE 3.0 Download
http://msdn.microsoft.com/webservices/webservices/building/wse/default.aspx
Mail me with questions: alexm@cm-consulting.com

31 © 2004 Microsoft Limited. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
