Page 1: Enterprise Security With XML and Web Services

Konstantin Beznosov
[email protected]
www.beznosov.net/konstantin
Quadrasis
September 17, 2002

Page 2: Konstantin Beznosov

– Ph.D. "Engineering Access Control for Distributed Enterprise Applications"
– Security standards
  – CORBA Security
  – "Resource Access Decision" (RAD) Facility
  – "Security Domain Membership Management"
  – Extensible Access Control Language (XACML)
– Security Architect with Baptist Health, Concept 5, Quadrasis (HICAM)
– Architecture, design and implementation of enterprise security solutions and products using CORBA, EJB, COM+, .NET

Page 3: Text Book

Page 4: It Covers

1. Principles of Securing Web Services
  – general requirements and solutions for implementing authentication, data protection, and access control for web services
  – XML encryption and signature, as well as WS-Security

2. Security Mechanisms for Web Services based on Java and .NET
  – building blocks for securing Java and .NET web services: authentication, data protection, access control, and audit

3. Planning, Building and Administering Secure Web Service Systems
  – points to pay attention to when designing and developing enterprise solutions based on web services: integrating security of the perimeter, middle and back-end tiers used in web services systems, providing a common security environment to heterogeneous applications, and propagating the security context through the various intermediaries along the path of SOAP requests

Coffee break 10:30–11:00

Page 5: It Does Not Cover

– XML & SOAP details
– Security of CORBA, .NET, COM(+), EJB

Page 6: Disclaimer

– The technology is new ⇒ I reserve the right to be wrong and incomplete, to not know all the answers
– The tutorial is limited in time and does not cover everything on the subject
– It's my personal view
– This is not a "how-to" cook book

Page 7: Assumptions

You are familiar with
– XML
– SOAP
– Web Services
– Security for distributed systems

Page 8: Part I: Principles of Securing Web Services

Page 9: Briefly About Web Services

Page 10: What's a Web Service System?

[Figure: a Web Service System, with its components exchanging SOAP messages]

Page 11: Promise of Web Services

– Interoperability across lines of business and enterprises
  – Regardless of platform, programming language and operating system
– End-to-end exchange of data
  – Without custom integration
– Loosely-coupled integration across applications
  – Using Simple Object Access Protocol (SOAP) and Extensible Markup Language (XML)

[Figure: a Trader Application, a Brokerage Application and an Accounting Application linked through SOAP sender, receiver and receiver/sender roles]

Page 12: Features

– XML-based messaging interface to computing resources that is accessible via Internet standard protocols
– WS help intranet (business units) and extranet (business partners) applications to communicate
– SOAP: format for WS communications
  – Defined in XML
  – Supports RPC as well as document exchange
  – Stateless
  – No predefined RPC semantics
  – Can be sent over various carriers: HTTP, FTP, SMTP, ... postal service, e.g., Swiss Post

Page 13: SOAP Message Example

<?xml version="1.0" ?>
<env:Envelope xmlns:env="http://www.w3.org/2002/06/soap-envelope">
  <env:Header>
    <n:alertcontrol xmlns:n="http://example.org/alertcontrol">
      <n:priority>1</n:priority>
      <n:expires>2001-06-22T14:00:00-05:00</n:expires>
    </n:alertcontrol>
  </env:Header>
  <env:Body>
    <m:alert xmlns:m="http://example.org/alert">
      <m:msg>Pick up Mary at school at 2pm</m:msg>
    </m:alert>
  </env:Body>
</env:Envelope>

Page 14: Typical Web Service Environment

Page 15: Security Obstacles to Web Services

– Web Services have a huge problem
  – They are too open
  – Requests via HTTP pass through firewalls
– Critical corporate information exposure risks
  – Unauthorized access to valuable resources: patient records, credit card numbers, manufacturing designs
  – Unauthorized use of service
  – Tampering with or bringing down the service
– Protecting Web Services
  – Securing XML documents
  – Securing remote procedure calls (RPC)
– Implementation obstacles
  – Bridging to back-office databases
  – Cross-domain Single Sign-On (SSO)
  – Different companies use different security products
  – Companies may not open up corporate networks
– Need to implement proper countermeasures

Page 16: Web Services and Security

Page 17: WS Security Building Blocks

[Figure: the stack of security building blocks a web service system rests on: Physical Security; Network Security (Directories, Firewalls, IDS); Web Servers Security; Middleware Security; Mainframe Security; Database Security; XML Security; SOAP Security; WSDL Security; UDDI Security; WS-Security]

Page 18: SOAP Message Vulnerabilities

Message related risks
• Ill-formed message potentially damaging
• Modification & eavesdropping in transit
• Sent from non-trusted sources

Services related risks
• Access by unauthenticated users
• Use of unauthorized services
• Unaccountable use of service

Interoperability risks
• Vulnerabilities from lack of interoperability with currently deployed security products
• Insecure application-to-application message exchange

[Figure: an unsecured SOAP message: a SOAP-ENV:Envelope containing a SOAP-ENV:Header and a SOAP-ENV:Body with no security elements]

Page 19: Web Usage Scenario - Security

[Figure: the Trader's System (SOAP ultimate sender) sends "Buy 5000 shares MSFT @$XX/share" through a Notary System (SOAP intermediary) to the Trading System (SOAP ultimate receiver); the reply "Bought 5000 shares MSFT @$YY/share" returns through the same intermediary]

Page 20: Securing SOAP: Requirements

– Inspection of Messages
  – Message Validation
  – Message Integrity
  – Message Origin
– Integration with Enterprise Security
  – Authentication
  – Authorization
  – Audit
  – Administration
  – Interoperability

Encryption of the SOAP Message Is NOT Sufficient

Page 21: Changes in the Security Picture

– WS open enterprise resources to the outside world
– New security responsibilities due to mixing lines of business:
  – Outsourcing credit card authorization service
  – Cross-selling and customer relationship management
  – Supply-chain management
– Risk must be assessed and managed across a collection of organizations
– Interactions are more complex and take place among diverse environments

Page 22: Simple Example of Securing a Web Service

Page 23: (diagram only)

Page 24: Simple Security Solution

[Figure: Internet customers use a Web browser (HTTP POST over SSL) to reach ePortal.com (IIS, ASP.NET, ePortal.aspx); ePortal.com calls eBusiness.com (IIS, ASP.NET SOAP server) over SOAP/HTTP with SSL and HTTP Basic Authentication, impersonating the authenticated user; the SOAP server reaches the COM+ Middle Tier Server and the Accounts store over DCOM with DCOM authentication]

Page 25: Limitations

– Only homogeneous solutions
– Relies on Web server security: risky
– End-to-end all-or-nothing encryption with SSL
– Password-based authentication
– Unrestricted delegation: ePortal is trusted to pass passwords from clients to eBusiness
– OS account for each customer
– Coarse-grain authorization
– Weak accountability

Page 26: Web Services Security: Advanced Principles

Page 27: Authentication

Requirements: authenticate initiator, authenticate intermediaries

Message-oriented
– Digital signatures
  – XML signatures or S/MIME
  – Require PKI
  – Unclear intent of signature in a SOAP message
– SAML assertions

Connection-oriented
– Types
  – Password
  – Challenge-response
– Implementation options
  – OS
  – Web server
  – Token
  – Web SSO
    – Commercial products
    – Liberty Project
    – Microsoft Passport
  – Client-server SSO

Page 28: Data Protection

Requirements: confidentiality, integrity, authenticity

Connection-oriented
– Protects only in transit
– Implementation options: SSL, IPSec
– Features
  + Easy to implement
  + Commodity
  - All or nothing
  - No protection from intermediaries

Message-oriented
– Protects in transit and in storage
– Implementation options: XML Encrypt/Sign, S/MIME
– Features
  - Hard to implement
  - Very new
  + Could be fine grain
  + Protection from intermediaries

Page 29: Access Control

Requirements: fine grain, complex principals

Considerations
– Semantics of binding user attributes with the context
– Multiple requests in one message
– Choice of authorization mechanisms is constrained by the authentication ones

Options
– Operating system
– Web server
– Application server
– Application

Page 30: XML Security

Page 31: XML Encryption

Functionality
– Encrypt all or part of an XML message
– Separation of encryption information from encrypted data

<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
               Type='http://www.w3.org/2001/04/xmlenc#Content'>
  <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#3des-cbc'/>
  <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
    <ds:KeyName>John Smith</ds:KeyName>
  </ds:KeyInfo>
  <CipherData>
    <CipherValue>A23B45C56</CipherValue>
  </CipherData>
</EncryptedData>

Page 32: XML Signature

– Apply to all or part of a document
– Contains: references to signed portions, canonicalization algorithm, hashing and signing algorithm Ids, public key of the signer
– Multiple signatures with different characteristics over the same content

<Signature Id="MySignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>
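The first half of what a verifier does with the Reference list above, as an added example (standard-library Python, not code from the tutorial): recompute each DigestValue as base64(SHA-1(canonicalized content)) and compare. The signed order document and its Id are constructed for the script; canonicalization uses the C14N 2.0 routine in xml.etree rather than the 2001 C14N 1.0 algorithm the slide's Signature names, so digests are only comparable within this script, and checking SignatureValue with the signer's DSA key is left out.

```python
"""Added example: verify the <Reference> digests of an XML Signature."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"

# Constructed sample: the document fragment being signed (a trading order),
# referenced from the signature by its Id.
ORDER = '<Order Id="order1"><Symbol>MSFT</Symbol><Qty>5000</Qty></Order>'


def c14n(xml_text: str) -> bytes:
    """Canonicalize so attribute order and empty-tag form do not change the digest."""
    return ET.canonicalize(xml_text).encode("utf-8")


def digest_value(xml_text: str) -> str:
    """base64(SHA-1(c14n(content))): the text of a <DigestValue> element."""
    return base64.b64encode(hashlib.sha1(c14n(xml_text)).digest()).decode("ascii")


def build_signed_info(reference_uri: str, content: str) -> str:
    """The <SignedInfo> a signer emits for one same-document reference."""
    return (
        f'<SignedInfo xmlns="{DSIG}">'
        '<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>'
        f'<SignatureMethod Algorithm="{DSIG}dsa-sha1"/>'
        f'<Reference URI="{reference_uri}">'
        f'<DigestMethod Algorithm="{SHA1}"/>'
        f"<DigestValue>{digest_value(content)}</DigestValue>"
        "</Reference></SignedInfo>"
    )


def verify_references(signed_info_xml: str, resolve) -> dict:
    """Recompute every Reference digest and compare it with the stored DigestValue.

    `resolve(uri)` returns the referenced content as XML text. The result maps
    URI -> True/False so the caller can see exactly which signed part changed.
    """
    root = ET.fromstring(signed_info_xml)
    results = {}
    for ref in root.iter(f"{{{DSIG}}}Reference"):
        uri = ref.get("URI")
        method = ref.find(f"{{{DSIG}}}DigestMethod").get("Algorithm")
        if method != SHA1:
            raise ValueError(f"unsupported DigestMethod {method}")
        stored = ref.find(f"{{{DSIG}}}DigestValue").text.strip()
        results[uri] = digest_value(resolve(uri)) == stored
    return results


def demo() -> tuple:
    """Intact order passes; an intermediary changing the quantity is detected."""
    signed_info = build_signed_info("#order1", ORDER)
    ok = verify_references(signed_info, lambda uri: ORDER)
    tampered = ORDER.replace("5000", "50000")
    bad = verify_references(signed_info, lambda uri: tampered)
    return ok["#order1"], bad["#order1"]


if __name__ == "__main__":
    print(demo())
```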

Page 33: Security of SOAP Messages

Page 34: Gaps

– Signature and Encryption specifications are for XML, not SOAP
  – Format and location of security information in the SOAP message
  – Targeting specific actors
  – Support for multiple security operations
– Passing security-related client information
  – Authentication
  – Attributes

Page 35: WS-Security

– Message integrity and message confidentiality
  – Compliance with XML Signature and XML Encryption
– Encoding for binary security tokens
  – Set of related claims (assertions) about a subject
  – X.509 certificates
  – Kerberos tickets
  – Encrypted keys

Page 36: SOAP Message with WS-Security

<?xml version="1.0"?>
<env:Envelope xmlns:env="http://www.w3.org/2001/12/soap-envelope"
              xmlns:sec="http://schemas.xmlsoap.org/ws/2002/04/secext"
              xmlns:sig="http://www.w3.org/2000/09/xmldsig#"
              xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
  <env:Header>
    <sec:Security env:actor="http://www.w3.org/2001/12/soap-envelope/actor/next"
                  env:mustUnderstand="true">
      <sig:Signature>
        ...
      </sig:Signature>
      <enc:EncryptedKey>
        ...
      </enc:EncryptedKey>
      <sec:BinarySecurityToken ValueType="sec:X509v3"
                               EncodingType="sec:Base64Binary"
                               Id="X509Token">
        MIIEZzCCA9CgAwIBAgIQEmtJZc0rqrKh5i...
      </sec:BinarySecurityToken>
    </sec:Security>
  </env:Header>
  <env:Body>
    <enc:EncryptedData>
      ...
    </enc:EncryptedData>
  </env:Body>
</env:Envelope>
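How a receiving node locates the WS-Security header of a message like the one above and enforces the SOAP actor and mustUnderstand rules before touching any cryptography, as an added example (standard-library Python, not code from the tutorial). It uses the 2001/2002 draft namespaces from the slide; the message is constructed for the script, with the signature, encrypted key and ciphertext elided as on the slide and a made-up token payload.

```python
"""Added example: header dispatch and inspection for a WS-Security SOAP message."""
import base64
import xml.etree.ElementTree as ET

ENV = "http://www.w3.org/2001/12/soap-envelope"
SEC = "http://schemas.xmlsoap.org/ws/2002/04/secext"
SIG = "http://www.w3.org/2000/09/xmldsig#"
ENC = "http://www.w3.org/2001/04/xmlenc#"
ACTOR_NEXT = ENV + "/actor/next"

# Header blocks this receiver knows how to process.
UNDERSTOOD = {f"{{{SEC}}}Security"}

# Constructed message in the layout of the slide; the token bytes are made up.
MESSAGE = f"""<?xml version="1.0"?>
<env:Envelope xmlns:env="{ENV}" xmlns:sec="{SEC}" xmlns:sig="{SIG}" xmlns:enc="{ENC}">
  <env:Header>
    <sec:Security env:actor="{ACTOR_NEXT}" env:mustUnderstand="true">
      <sig:Signature><sig:SignedInfo/><sig:SignatureValue>...</sig:SignatureValue></sig:Signature>
      <enc:EncryptedKey><enc:CipherData><enc:CipherValue>...</enc:CipherValue></enc:CipherData></enc:EncryptedKey>
      <sec:BinarySecurityToken ValueType="sec:X509v3" EncodingType="sec:Base64Binary" Id="X509Token">
        {base64.b64encode(b"DER bytes of a constructed X.509 token").decode()}
      </sec:BinarySecurityToken>
    </sec:Security>
  </env:Header>
  <env:Body>
    <enc:EncryptedData><enc:CipherData><enc:CipherValue>...</enc:CipherValue></enc:CipherData></enc:EncryptedData>
  </env:Body>
</env:Envelope>"""


class SoapFault(Exception):
    """Raised where a real node would return a SOAP fault to the sender."""


def targeted_headers(envelope: ET.Element, my_actors: set) -> list:
    """Return the header blocks addressed to this node, enforcing mustUnderstand.

    A block with no actor is for the ultimate receiver ("ultimate" in my_actors);
    actor "next" is for whichever node sees it first. A targeted block marked
    mustUnderstand that this node does not understand must fault, never be ignored.
    """
    header = envelope.find(f"{{{ENV}}}Header")
    mine = []
    for block in (list(header) if header is not None else []):
        actor = block.get(f"{{{ENV}}}actor")
        targeted = ("ultimate" in my_actors) if actor is None else (actor == ACTOR_NEXT or actor in my_actors)
        if not targeted:
            continue
        must = block.get(f"{{{ENV}}}mustUnderstand", "false") in ("true", "1")
        if must and block.tag not in UNDERSTOOD:
            raise SoapFault(f"MustUnderstand: cannot process header {block.tag}")
        mine.append(block)
    return mine


def inspect_security(message: str, my_actors=frozenset({"ultimate"})) -> dict:
    """Summarize what the Security header carries, as a receiver does before verifying."""
    envelope = ET.fromstring(message)
    blocks = targeted_headers(envelope, set(my_actors))
    security = next((b for b in blocks if b.tag == f"{{{SEC}}}Security"), None)
    if security is None:
        raise SoapFault("no WS-Security header addressed to this node")
    token = security.find(f"{{{SEC}}}BinarySecurityToken")
    if token is None or token.get("EncodingType") != "sec:Base64Binary":
        raise SoapFault("missing or unsupported BinarySecurityToken")
    body = envelope.find(f"{{{ENV}}}Body")
    return {
        "signed": security.find(f"{{{SIG}}}Signature") is not None,
        "encrypted_key": security.find(f"{{{ENC}}}EncryptedKey") is not None,
        "token_type": token.get("ValueType"),
        "token_bytes": base64.b64decode(token.text.strip()),
        "body_encrypted": body.find(f"{{{ENC}}}EncryptedData") is not None,
    }


if __name__ == "__main__":
    print(inspect_security(MESSAGE))
```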

Page 37: Web Services Security Roadmap

– "Security in a Web Services World: A Proposed Architecture and Roadmap", April 2002
  – Joint IBM and Microsoft white paper
  – Goal: "enable customers to easily build interoperable solutions using heterogeneous systems"
– Initial specifications: WS-Security, WS-Policy, WS-Trust, WS-Privacy, WS-SecureConversation, WS-Federation
– Follow-on specifications: WS-Authorization

Page 38: Current Status

– W3C XML Signature is a W3C Recommendation
– W3C XML Encryption is a Candidate Recommendation
– IBM/Microsoft Web Services Security Roadmap is published
– WS-Security published and moved to OASIS

[Figure: the items above placed on an axis from "More Mature" to "Less Mature"]

Page 39: Part II: Security Mechanisms for Web Services based on Java and .NET

Page 40: Options for Building MS WS

1. Publish COM+ component as SOAP endpoint
  – Only Windows .NET and XP Pro
  – Limitations on what COM+ components can be published
  – Might not be 100% interoperable with other SOAP implementations
2. Use CLR remoting over SOAP/HTTP
  – Supports (non-interoperable) passing of object references
  – Supports client- and server-activated objects
  – Can be hosted by IIS
  – Vague on client authentication and channel protection, unless IIS security is used
3. Generate COM wrapper
  – Good way to reuse existing COM components
  – No support for custom types
  – No .NET framework in the picture
4. Use ASP.NET mechanisms
  – Claimed to be interoperable with other SOAP-compliant web services
  – Leverages .NET, ASP.NET and IIS security mechanisms

Page 41: ASP.NET Web Services Security

Page 42: Ways to Do Authentication

IIS
– Basic (over SSL)
– Digest
– Integrated Windows (NTLM, Kerberos)
  – Only for homogeneous IE/Windows clients
– X.509 certificates over SSL

ASP.NET
– ASP.NET authentication services
– Custom HTTP authentication modules

SOAP
– Credentials in the SOAP header
  – Application-specific
  – According to MS WS-Security language
  – SAML identity assertion

Page 43: ASP.NET Custom HTTP Modules

Advantages
– Allows custom authentication schemes
– Allows decoupling (HTTP) transport from SOAP
– Makes application security-unaware
– Supports CLR authorization

Disadvantages
– Couples client and server

[Figure: a SOAP client sends SOAP/HTTP to IIS (unmanaged code), which hands off to ASP.NET_ISAPI.DLL (managed code); the request passes through the Quadrasis.Authentication.AuthFooModule HTTP module to the Web Service (.asmx) Handler Factory, which dispatches to StoreFrontService.asmx or other .asmx files]

Page 44: Message Authenticity, Integrity, Confidentiality Protection

IIS: HTTP/SSL
– Mature commodity
– Only point-to-point (i.e. no end-to-end)

SOAP message
– XML encryption and digital signature as defined by W3C [5]
– WS-Security language as defined by Microsoft [6]
– End-to-end
– Very new, (almost) no tool support

Page 45: Different Ways to Control Access

– IIS (Web Server)
  – Restrictions based on client IP address or DNS name
  – Port restrictions based on client IP address or DNS name
– Windows OS ACLs
– ASP.NET "URL authorization"
– ASP.NET HTTP modules
– .NET CLR
  – Up to per-method level on a class, per user ids or roles
  – Supports CLR identities

Page 46: Audit: IIS

Page 47: Audit: .NET

Page 48: Summary

– Four ways to build XML web services using .NET
– ASP.NET web services are built on top of ASP.NET, .NET, IIS and Windows
– ASP.NET web services have mechanisms for authentication, data protection, audit and service continuity
– Several routes to protect your .NET Web services

Page 49: Java Web Services Security

Page 50: J2EE Web Service Systems

[Figure: Client Tier (Browser, Application Client) talks HTML and SOAP to the Presentation Tier (Web Server with JSPs and Servlets), which uses RMI-IIOP to the Component Tier (EJB Container with EJBs), which reaches the Back-office Tier over JDBC (Databases) and JCA (Mainframes); the Application Client also reaches the EJB Container directly over RMI-IIOP]

Page 51: What's Coming

– The J2EE 1.4 platform = the J2EE 1.3 platform + WS Pack and more
– Web Services Pack:
  – Java APIs for XML
  – Tomcat "JSP container"
  – A set of standard JSP tag libraries
  – JavaServer Faces UI Kit for building complete web-based UIs (JSR-127)

Page 52: Java APIs for XML

– Java API for XML Messaging (JAXM)
– Java API for XML Processing (JAXP)
– Java API for XML Registries (JAXR)
– Java API for XML-based RPC (JAX-RPC)
– Java API for XML Data Binding (JAXB)

Page 53: JAX-RPC Architecture

[Figure: a JAX-RPC client (container, client-side JAX-RPC runtime system, proxy code generated from WSDL by the WSDL->Java mapping) exchanges SOAP over HTTP with a J2EE server (container, server-side JAX-RPC runtime system, WSDL <-> Java mapping)]

Page 54: EJB Run Time Security

[Figure: the client address space (JVM) holds the EJB object stub; the container address space (JVM) holds the EJB server, the container, the EJB object, and the enterprise bean instance of the enterprise bean class; the caller identity travels with the call, the container checks it against access control entries and may run the bean under a bean identity]

Page 55: Upcoming J2EE APIs

– Compiling XML schemas into Java classes
– Sending and receiving SOAP messages
– Making XML-based RPCs
– Handling WSDL files
– Exchanging SAML assertions

Page 56: Part III: Planning, Building and Administering Secure Web Service Systems

Page 57: What Security Means To You

– Examine business-level drivers for security
– Cross-company security agreements
– Determine the level of trustworthiness
– Your architecture and its implementation are as secure as you want them to be

Page 58: Traditional TCB

[Figure: users 1 to 4 reach resources 1 to 4 only through a single Trusted Computing Base]

– Tamper-proof
– Non-bypassable
– Small enough to be thoroughly analyzed

Page 59: "Distributed TCB"

[Figure: several nodes, each a stack of Application Objects, Middleware, Operating System and Hardware, joined by a Network]

– Tamper-proof
– Non-bypassable
– Large and difficult to analyze

Page 60: Recommended Approach

– Consistent with TCB principles
– Simplifies the analysis
– Leave security to experts
  – Security COTS integration vs. do-it-yourself
    – More thoroughly tested by other customers
    – More careful about common development mistakes
– Follow good architectural and policy design principles
– Plan for evolution and manageability
– Have a security framework

Page 61: Security Architecture Principles

– Trust no one
  – Don't make your firewall the only point of enforcement
  – View Web Services collections as mutually suspicious islands
– Enable interoperability
  – Use vendor-neutral standards (WS-Security, SAML)
– Modularize security
  – "Push" security down: security-unaware applications
  – Insulate applications from security functionality with stable APIs

Page 62: Security Policy Principles

– Authentication: balance cost against threat
  – SSO
– Authorization: application-driven
  – Use the business of the application to drive authorization settings
– Accountability: audit early, not often
  – "Pop" audit into/near the application
– Security administration: collections and hierarchies for scale

Page 63: Enterprise Application Security Integration (EASI) Framework

Page 64: Patchwork of Security - Vulnerabilities

Multiple protocols, multiple security technologies, multiple platforms, multiple application servers

Multiple Tiers of Security
– Perimeter Security: first line of defense, protection against external hackers
  • Firewalls/VPNs
  • Cryptography
  • Web Single Sign-on (SSO)
  • Intrusion detection
– Mid-tier Security: second line of defense, protection against insider attacks
  • Component-based security
  • Cryptography
  • Entitlements servers
– Back-office Security: third line of defense, protection of back-end servers
  • Mainframe security
  • Database security

Page 65: EASI Solutions Consist of

1. Security framework
2. Hardware and software products for securing applications
3. Integration "modules" to plug applications and security products into the framework

Page 66: EASI Framework Architecture

[Figure: Enterprise Security Integration Framework. Applications (Presentation Components, Business Logic Components, Legacy Data Stores) call Security APIs (Custom Security APIs, Standard Security APIs, Vendor Security APIs); beneath them sit the Framework Security Facilities (Profile Manager, Security Association, Proxy Services) and the Core Security Services (Authentication, Authorization, Cryptography, Accountability, Security Administration), each backed by the corresponding Authentication, Authorization, Cryptography, Accountability and Security Administration products]

Page 67: Specific Example of EASI: Quadrasis

[Figure: Client Tier (Browser, Application Client), Presentation Tier (Web Servers), Component Tier (Web Services Application Servers) and Back-Office Tier (Mainframes, Databases) are joined by the EASI Security Unifier: EASI Executive, EASI Security Service Mappers, EASI Application Environment Adapters. Application Infrastructure Security Services expose an Authentication API, Authorization API, Audit API and Cryptography API over Authentication Services, Authorization Services, Cryptography Services, Accountability Services and Security Administration Services; Security Management covers Security Administration, Security Configuration and Security Policy]

Page 68: EASI Pros and Cons

Pros
– Common security infrastructure shared across the enterprise
– Decoupling applications from products
– Well-defined boundary between business and security logic
– No need to implement everything at once

Cons
– Complex due to generality
– Performance and scalability constraints
– Significant initial effort in designing and building it
– Has to be politically accepted in many different "parties" of the organization
– Semantic mismatch among security products makes their "swapping" hard

Page 69: Administering Secure Web Services

Page 70: How WSS Administration Is Different

As with any other middleware:
– Scaling with collections and hierarchies
  – User attributes
  – Domains
  – Permission collections
– Effective authorization models
  – RBAC policies
  – Rule-based policies
– Data protection

Page 71: Role-based Access Control

[Figure: the RBAC model: Users are linked to Roles by user-to-role assignment, Roles to Permissions (Operations on Objects) by permission-to-role assignment; a User opens Sessions in which a subset of roles is active (session roles); Roles form a Role Hierarchy]

Page 72: Role Hierarchy for eBusiness

[Figure: role hierarchy, top to bottom: staff, customer, member, visitor]

Page 73: RBAC Gotchas

– Engineering of roles in large systems is hard
  – More roles ⇒ less effective administration
  – Fewer roles ⇒ unnecessary permissions are granted
  – Exception cases ⇒ superfluous roles
– Roles tend to be used for everything ("18-year-or-older-reader")
– Roles are assigned statically

Page 74: Selecting Factors for RBAC

From Penn, Jonathan. "Role-Based Access Control Implementations Require Advanced Capabilities." Giga Information Group, Inc., 2002.

– Support role hierarchies
– Dynamic determination of roles
– Rules for exception cases and for other attributes
– Integrated with the organizational workflow to track changes in user roles
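The RBAC model of the last few slides in working form, as an added example (standard-library Python, not code from the tutorial): users, roles, sessions and permissions with a role hierarchy, plus a rule attached to a permission so that the "18-year-or-older-reader" exception case does not become one more static role. The ordering staff > customer > member > visitor is assumed from the hierarchy figure; the permissions, users and attributes are constructed for the script.

```python
"""Added example: RBAC with a role hierarchy, sessions and a rule-based exception."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    # role -> roles it directly inherits from (its junior roles)
    hierarchy: dict = field(default_factory=dict)
    # role -> set of (operation, object) permissions assigned directly
    permissions: dict = field(default_factory=dict)
    # user -> roles assigned (static user-to-role assignment)
    assignment: dict = field(default_factory=dict)
    # (operation, object) -> predicate over user attributes (exception rules)
    rules: dict = field(default_factory=dict)

    def junior_roles(self, role: str) -> set:
        """Transitive closure over the hierarchy: a senior role inherits all junior permissions."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.hierarchy.get(r, ()))
        return seen

    def effective_permissions(self, roles) -> set:
        perms = set()
        for role in roles:
            for r in self.junior_roles(role):
                perms |= self.permissions.get(r, set())
        return perms


@dataclass
class Session:
    """A user activates a subset of assigned roles; only active roles grant access."""
    policy: Policy
    user: str
    attributes: dict
    active_roles: set = field(default_factory=set)

    def activate(self, *roles):
        not_assigned = set(roles) - self.policy.assignment.get(self.user, set())
        if not_assigned:
            raise PermissionError(f"{self.user} is not assigned {sorted(not_assigned)}")
        self.active_roles |= set(roles)

    def authorize(self, operation: str, obj: str) -> bool:
        """Role check first, then any attribute rule attached to that permission."""
        if (operation, obj) not in self.policy.effective_permissions(self.active_roles):
            return False
        rule = self.policy.rules.get((operation, obj))
        return rule(self.attributes) if rule else True


def ebusiness_policy() -> Policy:
    """Constructed eBusiness policy: staff > customer > member > visitor (assumed ordering)."""
    p = Policy()
    p.hierarchy = {"staff": {"customer"}, "customer": {"member"}, "member": {"visitor"}}
    p.permissions = {
        "visitor": {("read", "catalog")},
        "member": {("read", "reviews"), ("read", "adult-reviews")},
        "customer": {("buy", "product"), ("read", "own-account")},
        "staff": {("read", "any-account")},
    }
    p.assignment = {"alice": {"customer"}, "bob": {"staff", "customer"}, "eve": {"visitor"}}
    # The exception case is a rule on the permission, not an "18-year-or-older-reader" role.
    p.rules = {("read", "adult-reviews"): lambda attrs: attrs.get("age", 0) >= 18}
    return p


def demo() -> dict:
    p = ebusiness_policy()
    alice = Session(p, "alice", {"age": 17})
    alice.activate("customer")
    bob = Session(p, "bob", {"age": 40})
    bob.activate("customer")  # bob leaves "staff" inactive for this session
    return {
        "alice_buys": alice.authorize("buy", "product"),            # direct customer permission
        "alice_reads_catalog": alice.authorize("read", "catalog"),  # inherited via member, visitor
        "alice_adult": alice.authorize("read", "adult-reviews"),    # role suffices, age rule fails
        "bob_any_account": bob.authorize("read", "any-account"),    # staff assigned but not active
    }


if __name__ == "__main__":
    print(demo())
```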

Page 75: Data Protection

Connection-oriented
– (Relatively) easy to administer

Message-oriented
– Can be fine grain ⇒ administration non-scalable
– No reasonable administration models
– Becomes very complex in non-trivial cases
– Stay away if you can

Page 76: Example

Page 77: ePortal.com and eBusiness.com

[Figure: Internet customers reach ePortal.com over HTML/HTTPS; ePortal.com reaches eBusiness.com over SOAP/HTTPS]

Page 78: Functional Security Requirements

Common
– Limit visitor access
– Grant members more access
– Secure exchange with business partners

ePortal.com
– Eliminate administration of new customers

eBusiness.com
– Protect the accounts of each individual
– Administrator control of critical functions
– Restrict administrators' abilities

Page 79: Example Deployment

[Figure: an Internet customer's browser reaches ePortal.com over HTML/HTTPS through the Internet firewall into the ePortal.com perimeter tier (DMZ: IIS and ASP.NET web server), which calls the ePortal.com middle tier (COM+ StoreFront) over DCOM; an eBuyer.com Web Service Client Application calls ePortal.com over SOAP/HTTPS. ePortal.com calls eBusiness.com over SOAP/HTTPS through a firewall into the eBusiness.com perimeter tier (DMZ: iPlanet web server), which forwards over SOAP/HTTP to the middle tier (WebLogic J2EE application server hosting the StoreFront Service) and on to the back-office tier (Oracle: Accounts, Products/Prices). Each company runs an EASI Framework and Services layer made of Framework Security Facilities, Security APIs and Core Security Services]

Page 80: EASI Framework for ePortal.com

[Figure: ePortal.com Enterprise Application Security Integration Framework. Core Security Services (Authentication, Authorization, Cryptography, Accountability, Security Administration), Framework Security Facilities and Security APIs, populated with: Active Directory Service, WS-Security/SAML Service, Custom Self-Registration, Web SSO, SAML Service, ASP.NET, COM+, Firewall, Intrusion Detection System, Windows 2000, SSL, Custom Self-Registration Module]

Page 81: EASI Framework for eBusiness.com

[Figure: eBusiness.com Enterprise Application Security Integration Framework. Core Security Services (Authentication, Authorization, Cryptography, Accountability, Security Administration), Framework Security Facilities and Security APIs, populated with: iPlanet Directory Service, WS-Security/SAML Service, Oracle Security, SAML Service, Firewall, iPlanet, WebLogic, SSL, Oracle Attribute Mapping, JAAS, EJB]

Page 82: Security Gotchas at the System Architecture Level

– Scaling
  – Distribute requests over multiple security policy servers
  – Central administration
  – Administration delegation
– Performance: "No free lunch"
  – Encryption algorithms
  – Underlying transport
  – Policy granularity
  – Caching

Page 83: For More Information

– D. Ferraiolo, et al. "Proposed NIST Standard for Role-Based Access Control." ACM Transactions on Information and System Security 4(3): 224–274, http://ite.gmu.edu/list/journals/tissec/p224-ferraiolo.pdf, 2001.
– Hartman, Bret, Donald J. Flinn and Konstantin Beznosov. Enterprise Security With EJB and CORBA. John Wiley & Sons, Inc., New York, 2001.
– IBM and Microsoft. "Security in a Web Services World: A Proposed Architecture and Roadmap." http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp, 2002.
– Ruh, William A., Francis X. Maginnis, and William J. Brown. Enterprise Application Integration: A Wiley Tech Brief. John Wiley & Sons, 2000.
– Sun. "Java Technology & Web Services Frequently Asked Questions." Sun Microsystems, http://java.sun.com/webservices/faq.html, 2002.
– W3C. "XML Encryption Syntax and Processing." Candidate Recommendation, http://www.w3.org/TR/xmlenc-core/, March 2002.
– W3C. "XML-Signature Syntax and Processing." http://www.w3.org/TR/xmldsig-core/, February 12, 2002.
– Atkinson, Bob, et al. "Web Services Security (WS-Security) v1.0." IBM, Microsoft, VeriSign, http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec/html/ws-security.asp, 2002.
– Hartman, B., D.J. Flinn, K. Beznosov and S. Kawamoto. Mastering Web Services Security. John Wiley & Sons, Inc., New York, 2002.
– K. Beznosov. "Overview of .NET Web Services Security." Tutorial at DOCSec '02, Baltimore, MD, U.S.A., March 18, 2003, http://www.beznosov.net/konstantin/professional/tutorials/overview_of_dotnet_web_services_security.html

Page 84: Appendix

Page 85: What Information Security Means

[Figure: information security decomposed into Protection and Assurance. Protection: Authorization (Access Control, Data Protection), Accountability (Audit, Non-Repudiation), Authentication, Cryptography. Assurance: Availability (Service Continuity, Disaster Recovery), Development Assurance, Operational Assurance, Design Assurance]

Page 86: Comprehensive Message Security

[Figure: a secured SOAP message: the SOAP-ENV:Envelope carries a SOAP-ENV:Header with a WS-Security element containing a SAML Token, and a SOAP-ENV:Body]

Security feature and its function:
– SAML Token: authenticates the initiator of the SOAP request; enables role-based authorization; time-limited; interoperable
– XML Signature (DSIG): multiple signed areas of header and body; integrity protection via PKI-based cryptography; prevents tampering
– XML Schema Verification: validates the SOAP message against an XML schema
– Audit: end-to-end tracing, method access
– XML Encryption: multiple encrypted areas of the SOAP body; prevents disclosure
– RPC Method Authorization: prevents unauthorized calls to methods
– X.509 Certificate (or other security token): encryption and signature verification
– WS-Security: attaches signature, encryption and security tokens to SOAP messages (in the SOAP header)

