Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Layer 7 Technologies
White Paper
Securing XML Web Services
Contents
Standardizing on XML and Web services for data exchange and integration provides significant cant IT benefits,
including flexibility, interoperability and reach. However, it also introduces new kinds of security challenges:
challenges
• Web services can be transmitted over any transport protocol, including common Web protocols like lik HTTP.
This makes it easy for Web services to bypass network firewalls.
• Web services expose business functionality through open APIs
APIs, requiring new application-aware
application security
measures.
• Web services enable multi-hop
hop composite applications, requiring messag
message e level security and audit that
can span multi-hop
hop SOA transactions end
end-to-end.
• XML-based
based messages can be deliberately or inadvertently malformed to cause parser or applications to
break, creating new XML threats and vulnerability protection requirements.
• Web services transactions are principally machine
machine-to-machine
machine necessitating new thinking around
machine-to-machine
machine trust enablement and credentialing.
• Web services and their client applications must agree on security parameters (like crypto preferences and
standards support) before they can successfully exchange data, creating a need for new kinds of policy
coordination.
Traditional security measures like network firewalls and Virtual Private Networks
Traditional transport- (VPNs) are not sufficient to address these new security chal
challenges.
lenges. Network
level security measures firewalls are not service or applica
application aware, and therefore can’t regulate access
like network firewalls based on service, or (more granularly) on a feature of a service. Network firewalls
also can’t protect against XML borne threats in a message or message attachment
and VPNs are not
since they lack the ability to inspect XML mmessages,
essages, validate XML structures or
application aware, and detect anomalous XML content. Similarly, network
network-based
based VPNs (whether
(wheth SSL or
fundamentally IPSec) can’t preserve a message’s integrity and privacy as it gets passed across
insufficient to address multiple service hops in an SOA transaction. More
Moreover, VPNs can’t
an’t provide a
the security needs of message level audit trail or non
non-repudiation
repudiation across an SOA transaction. As a result,
up until recently the only option for implementing application level XML and Web
message-based Web
services security has been to program security directly into the application-based
applicatio
services service.
Coding security into a Web service, however, requires developers to understand how to implement emerging WS-* WS
standards (such as WS-Security, WS-SecureConversation,
SecureConversation, WSWS-Trust, WS-Federation, and WS-Policy)
Policy) on both the
Web services provider and consumer. It requires Web services coders and client developers to coordinate security
preferences through out-of-band band mechanisms since a Web service can’t communicate security expectations or
capabilities
bilities to clients automatically. And if a Web servi
service’s
ce’s security must be integrated with existing trust
infrastructure like Public Key Infrastructure (PKI), Single Sign
Sign-On (SSO) and Identity
tity Federation, programmers will
need to implement one-off off integrations on both the service and client application. For most situations,
programming XML and Web services security will therefore lack the consistency, flexibility, scalability and
deployment speed organizations require.quire.
As a result, two new classes of security infrastructure have emerged to try and satisfy customer demand for
purpose-built XML and Web services
vices security: XML firewalls and XML VPN clients. XML firewalls help organizations
deal with the complexity of Web services security man
management
agement and enforcement on the Web services provider
side of an integration.
egration. An XML firewall is a dedicated device or piece of software that can be implemented in a
DMZ or data center to enforce XML and Web service security preferences around access control, credentialing,
integrity, privacy, threat mediation and audit. IIn some cases, they can also perform hardware-accelerated
accelerated data
transformation, routing, Service Level Agreement (SLA) and other policy
Two new classes of operations. In all cases, XML firewalls allow security ad
administrators
ministrators to define
security policies for XML and Web service
services transactions
actions and enforce them
security infrastructure
centrally without programming.
have emerged to try and
satisfy customer demand XML firewalls are a necessary first step in securing Web services. However, for
for purpose-built XML some sce
scenarios
narios there is a further requirement to automate security on the client
and Web services application using an XML
XML-based VPN. When Web services are shared across
security and identity domains, or whwhenen the client application is a portal, there is
security: XML firewalls
often a requirement to reconcile identity domains, provision PKI for certificate-
certificate
and XML VPN clients based trust, integrate with an existing SSO infrastructure, enable non-non
repudiation and manage policy change between a Web servi service
ce and client
application. Accounting for all these factors in code is cost prohibitive, which is why some vendors have begun
offering XML VPN clients for automating client security and coordination.
XML firewalls
irewalls typically resolve an incoming message to a specific target Web
Organizations with service either by examining the SOAP message header or, (with native XML) the
multiple Web services HTTP header. Once the target Web service is resolved, the XML firewall can apply a
can significantly reduce stored security policy based on the target address, originating caller identity,
time to market and message content, and in some cases, the succes
successful
ful execution of prior policies.
Most XML firewalls can also examine elements of the message body like fields,
overhead costs by parameters, and attachments. As part of Web services lifecycle management,
centralizing security several XML firewalls also auto
auto-generate
generate virtualized WSDL views of back-end
b target
provisioning and Web ser
services to simplify versioning, addressing, and SLA-based
based operations.
administration at the
XML firewall Conceivably, almost any kind of message
message-level
level XML operation can be controlled
and processed by an XML firewall. By assuming this burden for one or more shared
Web services, application providers can central
centralize
ize security provisioning and
administration. This results in faster time
time-to-market
market for Web services deployments, and greater flexibility when it
comes to changing business conditions.
But an XML firewall only addresses half of the equation. While enforc
enforcing
ing security for Web services providers, XML
firewalls fail to address the broader issue of managing security end
end-to-end
end across an integration. Blocking an
unauthorized application or message from passing throug
throughh an XML firewall is obviously valuable, but without a
corresponding mechanism to communicate security expectations to trusted client applications, there is no
consistent way to ensure that the security applied on one side of an integration complies with security
s policies on
the other side.
through out-of-band
band negotiation, followed by independent client
client-side
side programming and comprehensive
compliance testing. This high-touch
touch process is slow, expensive, and prone to errors. Moreover, there is no timely
way to communicate and apply firewall policy changes to the client application.
Summary
There is no “one size fits all” solution for Web services security. There will always be instances in which
programming access lists into the Web services themselves is still cost-efficient.
efficient. In other cases, SSL may be more
than adequate for privacy and integrity. However, for larger organizations with sophisticated security require-
require
ments, or the mandate to enable partners, customers or branch offices by implementing cross cross--domain access, XML
Firewalls and XML VPN clients will prove necessary. In these cases, orga
organizations
nizations should look for vendors that can
deliver both an XML firewall for defending access to Web services, as well as a client
client-side
side coordination component
for enablingg security across business boundaries. This will ensure that XML Web services integrations are truly
flexible and interoperable without compromising critical security or cost requirements.
Email:
info@layer7tech.com
Web Site:
www.layer7tech.com
Phone:
604-681-9377
1-800-681-9377 (toll free)
Fax:
604-681-9387
Address:
US Office
1200 G Street, NW, Suite 800
Washington, DC 20005
Canada Office
Suite 405-1100 Melville Street
Vancouver, BC
V6E 4A6 Canada
Legal Information
Copyright © 2010 by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved.
SecureSpan™ is a registered trademark of Layer 7 Technologies, In
Inc.
c. All other mentioned trade names and/or
trademarks are the property of their respective owners.