
Web Services and SOA Security

FORUM SYSTEMS. Web Services and SOA Security. Greg Hudson, Vice President Sales. SOA for E-Government Conference. Company Overview. Founded: May 2001 Product: Forum Sentry™, Maturity: In Production since 2002 Over 150 Customers. Mature product, Version 6.0


Presentation Transcript


  1. FORUM SYSTEMS Web Services and SOA Security Greg Hudson, Vice President Sales SOA for E-Government Conference

  2. Company Overview
     Founded: May 2001. Product: Forum Sentry™. Maturity: In Production since 2002. Over 150 Customers.
     Accomplishments
     • Mature product, Version 6.0
     • Leader in SOA Security Infrastructure
     • Award winning technology
     • Award winning company
     • Sales presence in all major US cities
     • Global operations and support
     • Flexible, Functional, Scalable
     • Hardware and Software
     • Development to Deployment
     • Test, Protect, Trust, Assurance
     • Simple to Sophisticated
     • Non-Invasive Installation
     • Strong, well established partnerships
     Customers: Motorola, Amazon.com, NWM Capital Group, Knights of Columbus, Phoenix Companies, Chubb Insurance, Navy Medical Center, AFG, Synovus, Citigroup, T-Mobile, MassMutual, US Navy, NATO, US Air Force, Amazon, IRS, USDA, Charles Schwab, Providian, Marsh….
     Certifications
     • Only FIPS 140-2 Level III SOA Appliance
     • DoD PKI Certification
     • EAL 4+ Common Criteria

  3. Industry In Transition XML Web Services .COM EDI • Business Agility • Open Standards • Service Contracts • Loose Coupling • Autonomy • Abstraction • Common Semantics

  4. Service-Oriented Architecture: A Foregone Conclusion? • Forrester: • Over 80 percent of business application products sold between 2005 and 2008 will be Service Oriented Business Applications • ZapThink: • Estimates that XML will represent 25% of all network traffic by 2006 • Gartner Group: • Predicts that over 80% of all software development will be based on SOA by 2008

  5. Evolution of The IP Network Metadata 1. Service describes itself and interfaces to the directory using WSDL 2. User locates service in directory and find service details Service Provider Consumer 3. User and service interact using XML/SOAP likely over HTTP Application-Oriented Networking • WS-* • WSDL • SOAP • XML Internet Protocol Networking

  6. So What’s Stopping You?
     Approximately 75% of attacks today target business applications, and these threats are poised to rise with the growing adoption of XML web services.
     By 2005, web services will have reopened 70 percent of the attack paths against Internet-connected systems that were closed by network firewalls.
     By 2008 at least 30 percent of companies that have deployed web services applications will fall victim to successful hacker attacks causing more than four hours of downtime to business-critical functions.
     (Diagram: The Automated Enterprise: HTML, SOAP, XML, UDDI, WSDL)

  7. The Need for an XML/Web Services Security Infrastructure
     (Diagram: Web Services Consumer → Internet → Web Services Producer; network layer: Web Server; application layer: Application Server, Order Management, Inventory Management, Customer Database)
     1. Execute Order Fulfillment Request
     2. Order Fulfillment Message
     3. Explosive Document
     4. Sensitive Document
     Questions the infrastructure must answer: Is message privacy/integrity assured? Is this valid XML/SOAP? Is the request accessing data using inadequate privileges?

  8. You Can’t Deploy Web Services Without Security
     Service Oriented Architecture/Web Services greatly simplify application integration and increase business opportunities… but also introduce new concerns:
     • Security
        • XML and SOAP expose valuable backend systems
        • XML Denial of Service, buffer overruns, SQL Injections
        • SSL insufficient for message confidentiality
        • Protecting against unauthorized access
     • Manageability
        • Policy development and enforcement becomes difficult
        • Root cause & business impact analysis challenging
        • Upholding service level agreements becomes challenging
        • And most importantly, service lifecycles accelerate out of control

  9. Are SSL and firewalls enough…?
     The majority (over 98%) of breaches happen while the data is at rest, not in transit:
     • Firewalls still allow for OPEN PORTS (80 & 443)
     • SSL begins and terminates at the network perimeter
     • SSL is point to point and breaks down in a multi-point environment
     • SSL is not data aware: it just encrypts everything that is there
     • SSL hides content from switches
     • SSL is dependent on the network
     • SSL and VPN do not authenticate at the data level and rarely at the transport user level
     • Firewalls are not content aware

  10. Firewalls are blind to XML/SOAP
     (Diagram: Firewall Inspection Depth) Firewalls can not scan and block malicious payloads. XML/SOAP inspection is about context, not just content.

  11. XML-related Threat Reference Table (Technique: Description. Protection.)
     • Schema Poisoning: manipulating the XML Schema to alter processing information. Protection: rely on trusted WSDL documents and XML Schemas.
     • XML Parameter Tampering: injection of malicious scripts or content into request parameters. Protection: validation of parameter values to ensure they are consistent with WSDL and XML Schema specifications.
     • Inadvertent XML DoS: poorly encoded SOAP messages causing the application to fail. Protection: content inspection ensures SOAP messages are constructed properly according to WSDL, XML Schema and intrusion prevention rules.
     • WSDL Scanning: scanning the WSDL interface can reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities. Protection: web services cloaking hides the web service's true location from consumers.
     • Oversized Payload: sending oversized messages to create an XDoS attack. Protection: inspect the payload and enforce element, document, and other maximum payload thresholds.
     • Recursive Payload: sending mass amounts of nested data to create an XDoS attack against the XML parser. Protection: content inspection ensures SOAP messages are constructed properly according to WSDL, XML Schema, and other security specifications.

  12. XML-related Threat Table (2) (Technique: Description. Protection.)
     • XML Routing Detours: redirecting sensitive data within the XML path. Protection: WSDL virtualization enforces strict routing behavior.
     • SQL Injection: allows commands to be executed directly against the database for unauthorized disclosure and modification of data. Protection: rely on dirty word searches, restrictive context-sensitive filtering and data validation techniques.
     • External Entity Attack: an attack on an application that parses XML input from untrusted sources. Protection: suppress external URI references to protect against malicious data sources and instructions; rely on well-known and certified URIs.
     • Malicious Code Injection: scripts embedded within a SOAP message can be delivered directly to applications and databases; traditional binary executables and viruses attached to SOAP payloads. Protection: content inspection of SOAP attachments ensures messages contain legitimate content as defined in the WSDL, XML Schema and content security policies.
     • Identity Centric Attack: credentials are forged or impersonated in an attempt to access sensitive data. Protection: enforce basic or strong authentication at the SOAP message level with auditing and logging for forensic analysis.
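Slides 11 and 12 name the protections (payload thresholds against oversized and recursive payloads, suppression of external entity references, rejection of malformed SOAP) without showing how a gateway enforces them. The following is an added example, not code from the presentation or any Forum Systems product: a hardened parser built on Python's standard expat bindings that applies those checks before a message reaches the application; the threshold values are assumed for illustration.

```python
import xml.parsers.expat

# Limits an inspecting gateway would enforce (assumed values for this example)
MAX_BYTES = 64 * 1024    # oversized-payload limit
MAX_DEPTH = 32           # recursive-payload (nesting) limit


class XmlPolicyViolation(Exception):
    """A payload broke one of the content-inspection rules."""


def inspect_soap(payload: bytes) -> dict:
    """Parse with a hardened expat parser and return element/depth stats.
    Rejects oversized or deeply nested documents, any entity declaration (no
    external-entity or entity-expansion payload reaches the app) and malformed XML."""
    if len(payload) > MAX_BYTES:
        raise XmlPolicyViolation(f"payload of {len(payload)} bytes exceeds {MAX_BYTES}")
    stats = {"depth": 0, "max_depth": 0, "elements": 0}
    parser = xml.parsers.expat.ParserCreate()

    def start(name, attrs):
        stats["depth"] += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > MAX_DEPTH:
            raise XmlPolicyViolation(f"nesting deeper than {MAX_DEPTH} levels")

    def end(name):
        stats["depth"] -= 1

    def entity_decl(*_):  # fires for every <!ENTITY ...> in the DTD
        raise XmlPolicyViolation("entity declarations are not permitted")

    def external_ref(context, base, system_id, public_id):
        raise XmlPolicyViolation(f"external entity reference suppressed: {system_id}")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(payload, True)  # exceptions raised in handlers propagate here
    except xml.parsers.expat.ExpatError as exc:
        raise XmlPolicyViolation(f"malformed XML: {exc}") from exc
    return stats


def check_payload(payload: bytes) -> tuple:
    """Gateway verdict as (accepted, reason) for logging or quarantine."""
    try:
        stats = inspect_soap(payload)
    except XmlPolicyViolation as exc:
        return False, str(exc)
    return True, f"ok: {stats['elements']} elements, depth {stats['max_depth']}"
```

Schema validation against the service's WSDL/XSD (the slide's first line of defence) would sit after these structural checks, since a document that fails them should never reach a schema validator.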

  13. Security Is Never One Size Fits All Trust Management Message Integrity (Sign & Verify) Message Privacy (Encrypt & Decrypt) Crypto and XML Acceleration Protocol & Message Authentication SAML, WS-Trust, WS-Federation DoD PKI, FIPS, Common Criteria Threat Protection Filter all SOAP/XML Messages for Threats/Information Leak Attack Prevention – XML DoS, Antivirus Authentication & Access Control Interoperability: WS-I, WS-Security

  14. Basic Web Service Invocation Requestor Provider Request/Reply Solicit/Response One-way Notification

  15. Web Service Invocation with WS Security Gateway Apply Security Definitions Requestor FS (Proxy) Provider HTTP(s) MQ/JMS Tibco/JMS

  16. Web Service Enablement – Security Protocol Mediation

  17. Making SOA Operational: Lines of Deployment

  18. Mature SOA Deployment Requirements
     Scalable Delivery
     • Web Services
     • Security: Attack Prevention, Authentication, Access Control, Data Confidentiality, Identity Services
     • Connectivity: Transports, Availability, Accessibility, Performance
     • Policy/Governance: Enforcement, SLAs, Exceptions
     • Activity Reporting: Monitoring, Privacy, Traceability, Auditing

  19. Security Policy – Four Major Phases
     • Secure
        • Authentication
        • Encryption
        • Firewall
        • Vulnerability Mitigation
     • Monitor
     • Testing
     • Improve
     • Applicable in each lifecycle phase

  20. Web Services Life-cycle Security
     Execute-Time Protections (Perimeter Protection, Policy Enforcement, App-specific Protections): SSL concentration, Sig check/decryption, XML/SOAP processing, Malcode filtering, Endpoint filtering, Antivirus, Security management, Service management, Identity management, Profile compatibility, Apply Sig/Encryption, Transform/Redirect, WSDL validation, Schema validation, Content inspection, Monitoring, Discovery, Vulnerability mgmt.
     Development-Time Protections: Vulnerability Testing, WSDL Generation, Schema Generation, WSDL Tightening, Schema Tightening
     (Diagram also shows the application and its app-specific controls.)

  21. US Government - Secure Data Requirements
     • U.S. Gov. Systems Security Requirements
        • DITSCAP (DIACAP), (DCID 6/3), FISMA, NSTISSP #11, CNSS Policy #15, NCES, EGA, GISRA . . . .
     • Gov. Certifications and Accreditation Requirements
        • FIPS - Federal Information Processing Stds.
        • DoD PKI Compliance
        • NIAP Common Criteria Certification
     • eGov and Federal Enterprise Architecture Standards
        • Oasis, W3C, WSI, Liberty Alliance

  22. IA – Information Assurance
     Security Threat Mitigation – Intrusion Detection and Message Threat Prevention
     • Web Services validation – Only valid WSDLs and XML are allowed to be published and consumed
     • SOAP and XML Validation – Only properly formatted SOAP and XML are permitted
     • SOAP and XML Message based Denial of Service Mitigation – SOAP messages and XML are scrubbed for potential denial of service threats and quarantined
     • SOAP with XML and non-XML attachments Virus Scanned – SOAP w/ attachments are scanned for known virus signatures and quarantined
     Trust – Information Policy Management & Trust Enforcement
     • Authentication and Authorization – Only authorized users (service consumers, service providers, and applications) access Web Services.
     • Confidentiality – Protects messages or documents so that they cannot be made available to unauthorized parties.
     • Data Integrity – Provides protection against unauthorized alteration of messages during transit.
     • Non-repudiation – Ensures that a sender cannot deny a message already sent, and a receiver cannot deny a message already received. (Non-repudiation is especially important in monetary transactions and security auditing.)
     • Accountability – Provides secure logging and auditing. (Supports non-repudiation.)
     • Interoperability – Government and Industry Standards support interoperability between entities

  23. Forum Systems: The Leader in Web Services and SOA Security
     • A comprehensive suite of XML Acceleration, Trust Management, Threat Protection solutions that actively protects XML data and Web services across networks & business boundaries
     • Flexible hardware, software and embedded products
     • Seamless security solutions architecture – adaptive, life-cycle → Trust Management → Threat Protection → XML Acceleration

  24. Product Line: Web Services Firewall, SOA Gateway, Web Services Diagnostics, XML Accelerator, Vulnerability Containment
     • Rack mounted appliances consist of specific components for high speed optimization: Intel Xeon, Broadcom, nCipher, SafeNet
     • 32-bit and 64-bit Architecture
     • All products available in multiple form factors: Hardware (64-bit Appliance, HP BladeCenter, eBlade from IBM, Crossbeam APM); Software (Windows, Linux, Solaris, Unix)

  25. Flexibility … In Deployment Options

  26. The most extensive technology partnerships in the industry

  27. ROI: Security, Management & Acceleration
     (Diagram: Web Service Client → 1. HTTP(S) Traffic → gateway → 6. Authorized Web Service MQ/JMS/HTTP(S) Traffic → Web Service; 2, 3: Authentication/Access Decision; 4, 5: Authentication/Access Delegation; LDAP Directory and Policy Server)
     • Request Processing
        • Authenticates User to IdAM
        • Inspects Messages and Attachments for threats
        • Encrypts sensitive data
        • Generates SAML Assertions in WS-Security Header
     • Response Processing
        • Inspects messages and attachments for threats
        • Inspects messages for data leaks
        • Obfuscates sensitive exceptions

  28. Forum Government Focus: Security is our First Priority
     • Our Products are aligned with government use cases
     • Prevent, Guard, Protect, Compliance
     • Federal Information Processing Stds. (FIPS 140-2 Level III)
        • Only security gateway to provide an entire FIPS-compliant hardware-based solution that implements the NIST Crypto Security Standards.
     • DoD PKI Compliance
        • Only security gateway to be Interoperable with the Joint Interoperability Test Command (JITC)
     • NIAP Common Criteria Certification EAL 4+ (Final stages)
     • Federal Enterprise Architecture (FEA)/Federal XML Working Group, Liberty Alliance, Oasis, W3C

  29. Forum XRay – Closing the Security loop
     Pre-Deployment Security
     • Identify Vulnerabilities
     • Reporting
     • Conformance Testing
     Operational Security
     • Active Monitoring of the Web Services Topology
     • Real-time Profiling
     • Integration w/ Enforcement Products (XWall)
     (Diagram: Web Services Security Management; Vulnerability Database (VulCon™); Web Service Developers)

  30. XRAY Features

  31. Web Services Firewall
     Web administration via a "wizard" based configuration: policy configuration, SLA monitoring, auditing, logging
     • XML Web services Authentication and Access Control
     • XML Schema Validation and XML Intrusion Prevention
     • Standards Support – WS-I, WS-Security
     • Attack Prevention – Denial of Service, Virus, Probe & Extract, XML/XSD Schema & WSDL Breaches
     • WSDL Aggregation and Obfuscation
     (Diagram: Internet → XML/SOAP → Admission Control & Threat Protection → Protected Web Services and Content; Web Services Security Management)

  32. Web Services Security Gateway: Management & Acceleration of XML Web Services
     • Sign, Verify, Encrypt, Decrypt, Validate, Transform XML messages
     • Support HTTP(s) to JMS gateway functionality - protocol mixing
     • Accelerated SSL connections
     • Content based routing
     • Message authentication via Sign-On (SSO) tokens: CA/Netegrity, IBM Tivoli, Oblix COREid, RSA ClearTrust
     • Gov. Certification of Appliance
     (Diagram: Internet → XML/SOAP → gateway → Protected Web Services and Content; Web Services Security Management)

  33. Features
     • Data Admission Control
        • Validate XML structure
        • Filter for malicious content (malware, viruses, SQL injections, DoS)
        • Ensure interoperability
        • Schema Tightening
        • Large Attachment Support
        • Web Service Cloaking
     • Web Service Authorization
        • Fine-grained WSDL/SOAP/XML authentication
        • Business API access control
        • Identity and entitlements administration
     • Identity Management Integration (add-on)
        • CA/Netegrity SiteMinder, Clear Trust
        • IBM Tivoli Access Manager
        • Oblix COREid
        • Integration with Systinet, Amberpoint, HP SOA Mgr. . . .

  34. Features
     • Web Services Privacy and Integrity
        • High Performance XML Processing
        • Element-level encryption
        • Electronic (digital) signatures
        • Support for WS-Security 2004
        • SAML Token Profile
        • Username Token Profile
        • SOAP with Attachments
        • Kerberos
        • 100% DoD PKI certification
     • Content Based Routing
     • Protocol mixing
        • IBM MQ
        • Tibco Rendezvous & EMS
        • JMS Compliant
        • SMTP

  35. Vulnerability Containment
     • Single source of XML-related vulnerabilities
     • Threat intelligence subscription service
     • Product vulnerability lookup dictionary
     • Tools to limit exposure for SOAs and Web Services
     • Notifications via HTML, WSDL/XML, RSS and Email
     • Automated delivery of industrial strength anti-virus
     • Real-time policy updates (XML Intrusion Prevention)
     • Patch updates: stored and updated by product, version, vulnerability
     • Vulnerability response management – cross-platform
     (Diagram: XML Vulnerability Intelligence Database; Security Threat Intelligence)
