Page 1

Web Services Security

Kerry Champion, CTO, Westbridge Technology

June 8, 2004

Page 2

Successful Internet Standards

Person to Person
• SMTP
• S/MIME
• Instant Messaging

Person to Program
• HTML
• DHTML
• Applets

Program to Program
• XML Schema
• SOAP
• WSDL
• WS-Security

What they have in common: Broadly Accepted, Loosely Coupled, Cross Organization, Extensible

Page 3

Service-Oriented Architecture (SOA)

Reusable = organizing business systems as reusable components, not fixed processes

SOA = standards based + loosely-coupled + robust

Page 4

Diverse Web Services

XML allows all to play:
• New code written with the current versions of J2EE and .NET
• Legacy applications, packaged applications, specialized devices

The most heavily used services have the most primitive standards support: systems doing billions in transactions today began development 18+ months ago.

Page 5

Diverse Service Consumers

[Diagram: a Common Customer Data Repository consumed by an Outsourced Call Center, Accounts Receivable, On-line Marketing Programs, Employees’ Contact Managers and Independent Agents]

Page 6

Key Characteristics

• Thousands of distinct consumers
– The identity of the human who triggered the request is commonly used in program-to-program communication
• Spread over hundreds of organizations
– With different tools and IT teams; in practice the service cannot know what tools a consumer will use
• At different levels of standards support
– XML Schema, SOAP, WSDL, WS-Security, WS-Policy

Page 7

Key Characteristics

• With different network architectures and transports in use
– HTTP, HTTPS, MQ, TIBCO, JMS
• With different security mechanisms deployed
– Authentication, encryption, signature, content scanning, malicious attack protections, message validation
• With identity data in multiple non-federated systems
– Directories, ID management systems, certificates supported by PKIs, single sign-on systems, etc.

Page 8

Key Question

How do you secure all Web Services while enabling appropriate access, given the diversity of security mechanisms and policies?

Page 9

What to do

Naïve Response
– Make every endpoint behave the same way
– Make a single repository for all shared data

Elegant Response
– Make every endpoint capable of behaving every way
– Negotiate preferences at runtime
– Have federated sharing across multiple repositories

Practical Response
– Use infrastructure to define Service Views
– Services and consumers stay as is
– A Service View abstraction layer mediates between them

Page 10

Service Views Present Secure Interfaces

Each Service View:
• Provides instant security, interoperability, monitoring, routing, and auditing
• Enables contracts between consumer and provider supporting local and global policies
• Automatically supports the latest standards
• Supports instant interoperability
• Leverages existing infrastructure
• Hides back-end complexity

Requires no change of base services.

[Diagram: Service Views in front of .NET, J2EE, packaged application, legacy system, ESB/MQ/JMS and composite service back ends]

Security for SOA Infrastructure:
• Security Management
• Standards Interoperability
• XML Acceleration
• SOA Related Infrastructure
• Flexible Deployment
• Scalable Administration

[Diagram labels for surrounding infrastructure: Auth Directory, Identity Mgmt, PKI, Network Mgmt, UDDI, System Mgmt]

Page 11

Advantages of Service Views design

• Base web service does not change
• Consumer does not change
• Service View appears as a native web service to the consumer
• Allows different security mechanism assumptions at service and consumer
• Allows different standards assumptions at service and consumer
• Allows different transport assumptions at service and consumer
• Offloads from the service developer the need to support the full range of security standards and mechanisms
• Is deployable today
• Implements loose coupling while satisfying practical requirements

Page 12

Implementation of Secure Service Views

The needed Web Services infrastructure goes by many names: Service Virtualization, Web Services Management Platform, XML Firewall, SOAP Gateway, Web Service Gateway, etc.

Multiple vendors provide offerings. Key review criteria:
• Security
• Monitor, Report, Alert
• Interoperability
• Interface Management

Page 13

Security

• Authentication, Access Control
• Encryption, Signature
• Malicious Attack, Content Inspection
• Schema Validation, Standards

[Diagram: Service Consumers reach the Web Service through the Network Firewall and the Westbridge XMS gateway, which ties into the Existing Security Infrastructure; transports shown: HTTP, HTTPS, JMS, MQ; threats shown: Network Attack, Application Attack]

Authentication, Access Control: authorities, RSA, Oblix, Netegrity, LDAP, SAML, X.509, HTTP Authentication, Active Directory

Encryption, Signature: PKI Infrastructure, CRL, OCSP, 3DES, SHA, XML Encryption, XML Signature, WS-Security

Page 14

Monitor, Report, Alert

Example Benefits:

Monitoring
– Examples: Last Request Latency, Messages per Second, Avg. Message Size, Failed Requests
– Benefits: SLA Monitoring, Troubleshooting, Perf. Monitoring, Real-time View

Reporting
– Examples: Malicious Attacks, Requests > $10,000, Authorization Failed, Weekend Activity
– Benefits: Audit Trails, Regulatory, Debugging, SLA Reporting

Alerting
– Examples: Malicious Attack Paging, Exceed Message Rate sends SNMP Trap
– Benefits: Triggers, Exceptions, Debugging, SLA Enforcement

A variety of status notifications can be utilized.

Service Tracker monitors connected services (SAP, Mainframe, .NET, PeopleSoft, J2EE, MS Excel).
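As an added illustration (not Westbridge's code or the XMS product), the Python below puts a toy policy layer in the role the deck gives a Service View: consumer and back end stay unchanged while the layer maps the consumer credential, validates message structure, and emits the monitoring, reporting and alerting signals named on the slide (failed requests, average message size, requests over $10,000, an SNMP-style trap when a consumer exceeds the message rate). All names, thresholds and sample messages are constructed, and the trap is represented as a string rather than a real SNMP send.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Constructed policy values (only the $10,000 reporting threshold comes from the slide)
RATE_LIMIT = 3            # max messages per consumer inside one window
WINDOW_SECONDS = 1.0
HIGH_VALUE = 10_000       # slide: report "Requests > $10,000"

# Constructed credential mapping: consumer credential -> identity the back end expects
CREDENTIAL_MAP = {"agent-42": "svc_user_agents", "callcenter": "svc_user_cc"}


class ServiceView:
    """Toy Service View: policy is enforced here, not in the consumer or the service."""

    def __init__(self):
        self.seen = defaultdict(deque)            # consumer -> recent request timestamps
        self.metrics = {"requests": 0, "failed": 0, "bytes": 0}   # monitoring feed
        self.reports = []                         # reporting feed
        self.alerts = []                          # alerting feed (stand-in for SNMP traps)

    def handle(self, consumer, raw_xml, now):
        """Apply policy to one inbound message; return a forward or reject decision."""
        self.metrics["requests"] += 1
        self.metrics["bytes"] += len(raw_xml)
        if consumer not in CREDENTIAL_MAP:        # authentication / access control
            return self._reject("authorization failed")
        window = self.seen[consumer]              # per-consumer message-rate check
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        window.append(now)
        if len(window) > RATE_LIMIT:
            self.alerts.append(f"SNMP trap: {consumer} exceeded message rate")
            return self._reject("message rate exceeded")
        try:                                      # malformed XML is an application-layer attack vector
            root = ET.fromstring(raw_xml)
        except ET.ParseError:
            return self._reject("malformed XML")
        amount = root.findtext("amount")          # schema-style check of the expected message shape
        if root.tag != "order" or amount is None or not amount.isdigit():
            return self._reject("schema validation failed")
        if int(amount) > HIGH_VALUE:              # reporting rule from the slide
            self.reports.append(f"request > ${HIGH_VALUE:,} from {consumer}: {amount}")
        return {"status": "forwarded", "identity": CREDENTIAL_MAP[consumer]}  # credential mapping

    def _reject(self, reason):
        self.metrics["failed"] += 1
        return {"status": "rejected", "reason": reason}

    def avg_message_size(self):
        return self.metrics["bytes"] / max(1, self.metrics["requests"])
```

A production gateway would validate against the service's actual XML Schema and parse with a hardened XML parser; this block only shows where those checks sit in the mediation path.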

Page 15

Interoperability

Standards Support
• XML, SOAP, WSDL
• .NET, SunOne, IBM, WS-I, OASIS, W3C, BEA, Oracle, Microsoft, etc.

Transport
– HTTP, HTTPS (SSL), JMS, MQ, Tibco

Security
– XML Signature, signatures (RSA-SHA1, DSA-SHA1), XML Encryption, encryption (RSA keys, 3DES, AES with 128/192/256-bit keys)
– SAML, LDAP, WS-Security, HTTP-based authentication
– Active Directory, XKMS, OCSP, PKI Infrastructure (including PKCS#7, #10, #11, #12), CRL, X.509 Certificates

XML
– XML Schema, DTD
– XPath, XSLT
– Alerting: SNMP and SMTP

[Diagram: XMS Gateways between Service Consumers and Web Services providing Data Transformation, Routing, Transport Mediation and Credential Mapping across X.509, Liberty, SAML, LDAP, WS-Security, etc.]

Page 16

Interface Management

• Publishing Workflow
• Service Upgrades
• Provisioning
• Versioning

[Diagram: XMS Manager workflow of Configure, Stage, Test, Publish; Service Views expose Web Services to Customers, Partners and Sales]

Page 17

Summary

Real-world considerations create barriers to the loosely-coupled vision of Web Services and SOA while maintaining required security.

• The “naïve” response creates tight coupling and does not scale up.
• The “elegant” response requires a couple more generations of standards and tools development.
• The “practical” response uses current tools to implement Service Views.