Securing XML Web Services

XML Firewalls and XML VPNs

Layer 7 Technologies

White Paper

Contents

The Challenge of XML and Web Services Security
XML Firewalls: A First Step
XML VPNs: Enabling True Loose Coupling of Applications
Summary
About Layer 7 Technologies
Contact Layer 7 Technologies
Legal Information

Copyright © 2010 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.

The Challenge of XML and Web Services Security

By providing a flexible, platform-neutral way for rendering diverse data types, XML has become a standard for exchanging information across heterogeneous applications. Web services, a set of XML-based protocols for finding and communicating between loosely-coupled, Internet-callable application “services,” have become the preferred mechanism for integrating heterogeneous applications and enabling Service Oriented Architectures (SOAs).

Standardizing on XML and Web services for data exchange and integration provides significant IT benefits, including flexibility, interoperability and reach. However, it also introduces new kinds of security challenges:

• Web services can be transmitted over any transport protocol, including common Web protocols like HTTP. This makes it easy for Web services to bypass network firewalls.
• Web services expose business functionality through open APIs, requiring new application-aware security measures.
• Web services enable multi-hop composite applications, requiring message level security and audit that can span multi-hop SOA transactions end-to-end.
• XML-based messages can be deliberately or inadvertently malformed to cause parsers or applications to break, creating new XML threats and vulnerability protection requirements.
• Web services transactions are principally machine-to-machine, necessitating new thinking around machine-to-machine trust enablement and credentialing.
• Web services and their client applications must agree on security parameters (like crypto preferences and standards support) before they can successfully exchange data, creating a need for new kinds of policy coordination.

Traditional security measures like network firewalls and Virtual Private Networks (VPNs) are not sufficient to address these new security challenges. Network firewalls are not service or application aware, and therefore can’t regulate access based on service, or (more granularly) on a feature of a service. Network firewalls also can’t protect against XML borne threats in a message or message attachment since they lack the ability to inspect XML messages, validate XML structures or detect anomalous XML content. Similarly, network-based VPNs (whether SSL or IPSec) can’t preserve a message’s integrity and privacy as it gets passed across multiple service hops in an SOA transaction. Moreover, VPNs can’t provide a message level audit trail or non-repudiation across an SOA transaction. As a result, up until recently the only option for implementing application level XML and Web services security has been to program security directly into the application-based service.

Traditional transport-level security measures like network firewalls and VPNs are not application aware, and fundamentally insufficient to address the security needs of message-based Web services

Coding security into a Web service, however, requires developers to understand how to implement emerging WS-* standards (such as WS-Security, WS-SecureConversation, WS-Trust, WS-Federation, and WS-Policy) on both the Web services provider and consumer. It requires Web services coders and client developers to coordinate security preferences through out-of-band mechanisms since a Web service can’t communicate security expectations or capabilities to clients automatically. And if a Web service’s security must be integrated with existing trust infrastructure like Public Key Infrastructure (PKI), Single Sign-On (SSO) and Identity Federation, programmers will need to implement one-off integrations on both the service and client application. For most situations, programming XML and Web services security will therefore lack the consistency, flexibility, scalability and deployment speed organizations require.

As a result, two new classes of security infrastructure have emerged to try and satisfy customer demand for purpose-built XML and Web services security: XML firewalls and XML VPN clients. XML firewalls help organizations deal with the complexity of Web services security management and enforcement on the Web services provider side of an integration. An XML firewall is a dedicated device or piece of software that can be implemented in a DMZ or data center to enforce XML and Web service security preferences around access control, credentialing, integrity, privacy, threat mediation and audit. In some cases, they can also perform hardware-accelerated data transformation, routing, Service Level Agreement (SLA) and other policy operations. In all cases, XML firewalls allow security administrators to define security policies for XML and Web services transactions and enforce them centrally without programming.

Two new classes of security infrastructure have emerged to try and satisfy customer demand for purpose-built XML and Web services security: XML firewalls and XML VPN clients

XML firewalls are a necessary first step in securing Web services. However, for some scenarios there is a further requirement to automate security on the client application using an XML-based VPN. When Web services are shared across security and identity domains, or when the client application is a portal, there is often a requirement to reconcile identity domains, provision PKI for certificate-based trust, integrate with an existing SSO infrastructure, enable non-repudiation and manage policy change between a Web service and client application. Accounting for all these factors in code is cost prohibitive, which is why some vendors have begun offering XML VPN clients for automating client security and coordination.

This white paper examines how and when to deploy XML firewalls and XML VPN clients to deliver a complete XML and Web services security solution for SOAs.

XML Firewalls: A First Step

Taking their cue from the Web world, technology vendors have developed XML-specific firewalls to address the unique security challenges of XML and Web services. XML firewalls are designed to examine and evaluate the XML content of incoming traffic and, based on that evaluation, perform an appropriate security action. That action may require routing the message to a designated endpoint, transforming the message based on its content, validating a signature, decrypting a field, or blocking access to certain operations. All of these operations can be accelerated through specialized ASIC accelerators.

XML firewalls typically resolve an incoming message to a specific target Web service either by examining the SOAP message header or (with native XML) the HTTP header. Once the target Web service is resolved, the XML firewall can apply a stored security policy based on the target address, originating caller identity, message content, and in some cases, the successful execution of prior policies. Most XML firewalls can also examine elements of the message body like fields, parameters, and attachments. As part of Web services lifecycle management, several XML firewalls also auto-generate virtualized WSDL views of back-end target Web services to simplify versioning, addressing, and SLA-based operations.

Conceivably, almost any kind of message-level XML operation can be controlled and processed by an XML firewall. By assuming this burden for one or more shared Web services, application providers can centralize security provisioning and administration. This results in faster time-to-market for Web services deployments, and greater flexibility when it comes to changing business conditions.

Organizations with multiple Web services can significantly reduce time to market and overhead costs by centralizing security provisioning and administration at the XML firewall
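The resolve-then-enforce flow described in this section, as an added example (not code from the white paper or from any Layer 7 product): the target service is resolved from the SOAP header, falling back to an HTTP header, and a stored policy is then applied on caller identity, message structure and requested operation. It narrows the case to SOAP 1.1 with a WS-Addressing To header or the SOAPAction HTTP header; the policy store, service name, caller names and the premise that the caller was authenticated upstream are assumptions.

```python
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"   # SOAP 1.1 namespace
WSA = "{http://www.w3.org/2005/08/addressing}"         # WS-Addressing 1.0 namespace
# Constructed policy store and sample message (all values hypothetical).
POLICIES = {"urn:example:orders": {"callers": {"partner-a"},
                                   "operations": {"GetOrderStatus"},
                                   "max_depth": 8}}
SAMPLE = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
          b' xmlns:a="http://www.w3.org/2005/08/addressing">'
          b'<s:Header><a:To>urn:example:orders</a:To></s:Header>'
          b'<s:Body><GetOrderStatus><id>42</id></GetOrderStatus></s:Body>'
          b'</s:Envelope>')

def depth(root):
    """Nesting depth, computed iteratively so deep input cannot exhaust the stack."""
    deepest, stack = 0, [(root, 1)]
    while stack:
        node, d = stack.pop()
        deepest = max(deepest, d)
        stack.extend((child, d + 1) for child in node)
    return deepest

def resolve_target(envelope, http_headers):
    """Prefer the SOAP header (wsa:To); fall back to the SOAPAction HTTP header."""
    to = envelope.find(f"{SOAP}Header/{WSA}To")
    if to is not None and to.text:
        return to.text.strip()
    return http_headers.get("SOAPAction", "").strip('"') or None

def evaluate(raw, http_headers, caller):
    """Return (decision, reason); `caller` is assumed authenticated upstream."""
    try:
        text = raw.decode("utf-8")          # check and parse the same characters
        if "<!DOCTYPE" in text:             # SOAP forbids DTDs, so no entity tricks
            return "block", "dtd-not-allowed"
        envelope = ET.fromstring(text)
    except (UnicodeDecodeError, ET.ParseError):
        return "block", "malformed-xml"
    policy = POLICIES.get(resolve_target(envelope, http_headers))
    if envelope.tag != SOAP + "Envelope" or policy is None:
        return "block", "unknown-service"
    if caller not in policy["callers"]:
        return "block", "caller-not-authorized"
    if depth(envelope) > policy["max_depth"]:
        return "block", "structure-too-deep"
    ops = [c.tag.rsplit("}", 1)[-1] for c in envelope.findall(SOAP + "Body/*")]
    if len(ops) != 1 or ops[0] not in policy["operations"]:
        return "block", "operation-not-allowed"
    return "allow", "ok"
```

Every path that does not match a stored policy ends in a block decision, so a message that cannot be resolved to a known service is never forwarded.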

But an XML firewall only addresses half of the equation. While enforcing security for Web services providers, XML firewalls fail to address the broader issue of managing security end-to-end across an integration. Blocking an unauthorized application or message from passing through an XML firewall is obviously valuable, but without a corresponding mechanism to communicate security expectations to trusted client applications, there is no consistent way to ensure that the security applied on one side of an integration complies with security policies on the other side.

Additionally, without some form of client-side coordination, essential operations like synchronizing cryptographic parameters between a client and Web service, or provisioning client-side certificates and keys must be done through out-of-band negotiation, followed by independent client-side programming and comprehensive compliance testing. This high-touch process is slow, expensive, and prone to errors. Moreover, there is no timely way to communicate and apply firewall policy changes to the client application.

XML VPNs: Enabling True Loose Coupling of Applications

One possible security coordination model is to use an XML firewall in conjunction with client-side technology. Similar to a traditional VPN solution, the client-side technology should be available as either software or hardware depending on deployment requirements, or as a code base for inclusion in client-side software for customers uncomfortable with any client footprint. The client-side technology should also provide other value-added functions for a Web services transaction, such as SSO integration, PKI provisioning, federation coordination, non-repudiation and policy change management.

The Web service provider-side and client-side components of this architecture could then coordinate their specific security preferences, terms, and conditions for a transaction by exchanging a virtual outline of a policy document. This would preserve the loosely-coupled nature of Web services by ensuring policy changes on one system are automatically communicated to any others.

In conjunction with an XML firewall, this type of client component can provide organizations with a security model for transactions that occur both within and beyond traditional corporate security boundaries. Negotiating on-the-fly with an XML firewall would not only save considerable developer effort and time, but would also remove the risk of errors and inconsistencies inherent in any programming-based security provision. While not a panacea, this type of two-way security model is potentially beneficial in many Web services integration scenarios.

Deploying an XML VPN client in conjunction with an XML firewall can provide organizations with secure, reliable transactions both within and beyond traditional corporate boundaries

Summary
There is no “one size fits all” solution for Web services security. There will always be instances in which programming access lists into the Web services themselves is still cost-efficient. In other cases, SSL may be more than adequate for privacy and integrity. However, for larger organizations with sophisticated security requirements, or the mandate to enable partners, customers or branch offices by implementing cross-domain access, XML Firewalls and XML VPN clients will prove necessary. In these cases, organizations should look for vendors that can deliver both an XML firewall for defending access to Web services, as well as a client-side coordination component for enabling security across business boundaries. This will ensure that XML Web services integrations are truly flexible and interoperable without compromising critical security or cost requirements.

About Layer 7 Technologies


With offices in San Mateo, California; New York, New York; and Vancouver, British Columbia, Canada; Layer 7 Technologies helps enterprises accomplish secure and cost-effective business integration using XML and Web services. Layer 7 Technologies’ SecureSpan™ Solution is the first technology that addresses security and governance across a Web services integration without expensive and inflexible programming. With the SecureSpan™ Solution, customers realize lowered integration costs, increased security reliability, and the ability to future-proof their Web services investments. Contact Layer 7 Technologies or visit www.layer7tech.com for more information.

Contact Layer 7 Technologies


Layer 7 Technologies welcomes your questions, comments, and general feedback.

Email:
info@layer7tech.com

Web Site:
www.layer7tech.com

Phone:
604-681-9377
1-800-681-9377 (toll free)

Fax:
604-681-9387

Address:
US Office
1200 G Street, NW, Suite 800
Washington, DC 20005

Canada Office
Suite 405-1100 Melville Street
Vancouver, BC
V6E 4A6 Canada

Legal Information
Copyright © 2010 by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved. SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade names and/or trademarks are the property of their respective owners.
