Source: Accenture SlidesSoa Workshop Starter Kit Web Services Security, v2.0 (Jul ).ppt (44 pages)

Slide 1: Service Oriented Architecture
SOA Workshop Starter Kit: Web Services Security
Last Updated: July, 2006
Copyright 2006 Accenture All Rights Reserved.

Slide 2: SOA Workshop Starter Kit, Web Services Security

Slide 3: Contents
- Security and Web Services
- Industry Standards
- WS* In Detail
- Platform Support
- Recommendations

Slide 4: Business Opportunities
- New business models
  - Service providers that provide identity-related services
  - Service providers that provide "traditional" value-added services (e.g., HR or payroll) which can be more easily integrated into a customer's enterprise
- Drive revenue growth
  - Improve and streamline the process for identifying and acquiring new customers
  - Streamline the ability to collaborate with business partners
- Cost savings
  - Reduce user administration costs through automation
  - Reduce application development/integration costs through reusability
- Improve user experience
  - Have a single identity that can be used globally
  - Improve overall security through the reduction of data sources and duplicate data
Significant opportunities exist for organizations to drive revenue growth, create new business models, realize cost savings, and improve the user experience by leveraging security concepts.

Slide 5: Security Concerns Limit Use
Sources: "Web Services Security", Mark O'Neill, 2003; SC Magazine, January 2004; "Making Sense of Web Services Security Standards", Gartner, Aug 03.
Security concerns have historically been one of the key reasons that businesses have not taken advantage of the benefits that Web Services and Service Oriented Architectures have to offer:
- "the prospect of software from different companies communicating together, while powerful, is fraught with security concerns."
- "...unless security and management issues are addressed effectively they will hold Web Services back from becoming a truly mainstream technology within enterprise application integration projects."
- "Conflicting standards make Web Services security decisions complex and difficult. (Companies should) begin with simple Web Services deployments that support only your current business needs."
This is not just a technology issue.

Slide 6: Business Challenges
Mutual Confidence (Trust): mitigating risk and ensuring quality between parties in the circle of trust can be performed through:
- Definition of business standards
- Definition of minimum requirements
- Enforcement through certification and audits
Risk:
- Pooled knowledge: sharing of customer/identity information (e.g. number of customers, customer names, etc.) between or within enterprises raises data privacy issues
- Revocation procedures: increased reliance on third parties for authentication
- Fraud protection: broadened potential for fraud if an identity is ever compromised
- Security incident procedures: coordinated effort for analysis and correlation of audit logs among the parties involved
Liability:
- Who is at fault if a critical transaction fails, and to what extent?
- Definition of liability
- Definition of dispute resolution process
Compliance:
- Privacy legislation: ensure privacy terms are not violated when federating an identity between enterprises
- Who initiated each transaction: audit trail back to the initiating user
Key factors for widespread adoption of web services include the identification of sound business models and more experience with the contractual frameworks that define trust relationships. Most current implementations are internal, though this is changing.

Slide 7: What are YOUR Security Requirements?
Requirement areas: Non-Repudiation, Confidentiality, Integrity, Identification, Authentication, Administration, Authorization, Accountability.
There are several new business challenges that must be addressed before Web Services can be securely deployed:
- Can I ensure privacy of the transactions (sensitive business/client data, regulatory compliance, etc.)?
- Can I guarantee that transactions are not tampered with?
- Can I ensure that only authorized transactions are being performed on the system?
- Can I ensure that there will be adequate controls/records to guarantee the results of a processed transaction?
- Can I quickly deploy new services without compromising my internal business processes?
- Can I ensure that transactions are only being performed by trusted parties (send or receive)?

Slide 8: Overcoming the Security Barriers
Accenture has proven that new standards and new products are now able to provide customized solutions to overcome the security challenges.

Slide 9: What is Web Service Security?
The W3C defines a Web Service as follows: "A Web service is a software system designed to support interoperable machine-to-machine interaction over a network. It has an interface described in a machine-processable format (specifically WSDL). Other systems interact with the Web service in a manner prescribed by its description using SOAP-messages, typically conveyed using HTTP with an XML serialization in conjunction with other Web-related standards."
Web Service Security encompasses the following areas:
- Transport Layer Security: providing confidentiality and integrity in transit.
- Message Layer Security: ensuring that messages are according to specification.
- Identity and Access Management: providing authentication, authorization and identification.
- Security Administration of Web Services: enabling audit trails and security administration.
- Intrusion Detection and Prevention: protecting against common WS threats.

Slide 10: Without Proper Controls Web Services can be Vulnerable
One of the most enticing aspects of Web Services is that a large degree of complexity is abstracted away from the view of the developer, making services very easy (and cheap) to develop. Adding a [WebMethod] attribute to a method allows almost instant publishing (.NET; similar possibilities exist in Java). Processing of HTTP requests, serialization of XML and parsing of the SOAP message are totally invisible to the developer: the SOAP layer takes care of data serialization and de-serialization.
Easy is dangerous! Making a web service is so easy that you easily forget that security is not part of the SOAP stack:
- No authentication or authorization. Out of the box, anyone with access to your web server can execute your web methods!
- Input data is not cleansed, but neatly packed into complex class structures.
- A lot of processing is done before the request reaches the developer's code. Protecting the underlying stack cannot be done from within the code.
- Rich functionality is once more exposed for access from outside the firewall.

Slide 11: How To Secure Web Services
To secure web services we have to ensure that:
- only properly authenticated and authorized users are allowed to execute our web methods;
- messages are protected with regard to both integrity and confidentiality, during transport and storage, so that third parties cannot alter messages or read their confidential contents;
- application servers are protected against the common threats to SOAP/XML stacks;
- web service applications are written with security in mind, to prevent the common security threats to network-aware applications.
To meet the above requirements we have to deploy protection along two main axes: Technical Security and Functional Security.

Slide 12: Technical Security Overview
What do we mean by Technical Security for Web Services?
- Protection against malicious message formats that may lead to a compromise of security in the SOAP and XML layers of the application server.
- Protection against malicious content that does not conform to the defined messaging standard for the web service.
- Protection against different forms of denial of service attacks.
There are three main avenues of attack that can be used against a web service application stack:
- Application: any exposed business logic is prone to errors, either by design or by coding error. Web services are as vulnerable as other applications.
- SOAP: the messaging protocol has ambiguities that can be exploited by an attacker.
- XML: parsing of complex XML messages can create security vulnerabilities.

Slide 13: Application Attacks
The Open Web Application Security Project lists the top ten threats against web applications. Most are equally valid against Web Service applications. Four are specific to the application level:
- Unvalidated Input
- Buffer Overflows
- Injection Flaws
- Improper Error Handling

Slide 14: SOAP Attacks
The SOAP protocol, which is the underlying protocol for most Web Services today, has no built-in security:
- All method calls are unprotected.
- The API is publicly available through dynamically created WSDL files.
- SOAP is stateless.

Slide 15: XML Attacks
XML is the basis of Web Services:
- Successful attacks on web services generally mean crafting a valid XML document that is misinterpreted by either the parser or the developer. Invalid XML is dropped by the parser early on.
- XML documents are validated against their published schema. Tampering with the schema is a common approach.

Slide 16: Solution Strategy
Validate your input! Most attacks against a web service are based on poorly validated input. Well-controlled input lets you gain full control over the data that is passed on to the application layer.
- Because of the obfuscation possibilities in XML (character references, entities, CDATA sections), validate using an XML-aware validator rather than pattern matching on the raw text.
- Enable strict schema validation, and use only schemas that are defined by you and stored locally on your device.
- XML schemas can define detailed requirements per field. This allows you to define allowed characters and field lengths.
Challenges:
- Schema validation is processor-intensive and requires a large amount of memory. This leaves the application server vulnerable to denial of service attacks.
- Validation becomes part of the application server stack. This introduces manageability issues.

Slide 17: Solution Products
XML Security Gateways
- Either server-deployed software or an appliance.
- Functions as a SOAP proxy/firewall between client and application server.
- Main features include: XML Schema validation; SSL connection termination; state-aware routing of XML messages; denial of service protection; centralized security auditing for web services.
- Most products support clustering for increased performance.
- Some products include hardware security modules for improved SSL and WS-Security performance.
SOAP Stack Enhancements
- Vendors provide some of the same functionality as extensions to their basic SOAP stack.
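A worked version of the Solution Strategy advice above (strict validation against a schema you control, no schema taken from the message, per-field length and character rules, a size cap and a depth cap as denial-of-service controls), as it would run inside an XML gateway or in front of the SOAP stack. This is an added example written for this page; it is not code from the deck or from any product it names. Python's standard library has no XSD validator, so the restrictions an XSD would express as xs:maxLength and xs:pattern facets are written as a small local table for a hypothetical TransferRequest payload, and the remaining checks are enforced directly on an expat parser. The element names, limits and sample messages are all constructed for the example.

```python
"""Strict, schema-style validation of a SOAP body payload (added example)."""
import re
import xml.parsers.expat as expat

MAX_MESSAGE_BYTES = 64 * 1024   # cap size before parsing: the first DoS control
MAX_DEPTH = 2                   # root element plus one level of fields

# Hypothetical local schema, constructed for this example. Each entry carries what
# an XSD would express as xs:maxLength and xs:pattern: element -> (max_len, pattern).
ROOT = "TransferRequest"
FIELDS = {
    "accountId": (12, r"[0-9]{6,12}"),
    "amount":    (14, r"[0-9]{1,10}(\.[0-9]{2})?"),
    "memo":      (64, r"[A-Za-z0-9 .,-]*"),
}
REQUIRED = ("accountId", "amount")


class RejectedMessage(ValueError):
    """Anything a strict validating gateway would drop, with the reason."""


def _reject(reason):
    raise RejectedMessage(reason)


def parse_transfer_request(raw: bytes) -> dict:
    """Parse one request body and return its validated fields.

    Only elements named in FIELDS are accepted, each at most once, with no attributes,
    no mixed content and no nesting beyond MAX_DEPTH. DOCTYPE and entity declarations
    are refused from inside the parser callbacks, before expat expands anything, so
    entity expansion ("billion laughs") and external-entity fetches never start.
    """
    if len(raw) > MAX_MESSAGE_BYTES:
        _reject("message exceeds %d bytes" % MAX_MESSAGE_BYTES)
    fields, stack, text = {}, [], []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        _reject("DOCTYPE is not allowed")

    def entity_decl(*_):
        _reject("entity declarations are not allowed")

    def external_entity_ref(context, base, system_id, public_id):
        _reject("external entity references are not allowed")

    def start_element(name, attrs):
        if attrs:
            _reject("attributes are not defined by the schema")
        if not stack and name != ROOT:
            _reject("unexpected root element %r" % name)
        if stack and name not in FIELDS:
            _reject("unknown element %r" % name)
        if stack and "".join(text).strip():
            _reject("mixed content under %s" % ROOT)
        if name in fields:
            _reject("duplicate element %r" % name)
        stack.append(name)
        if len(stack) > MAX_DEPTH:
            _reject("nesting deeper than %d" % MAX_DEPTH)
        text.clear()

    def end_element(name):
        stack.pop()
        value = "".join(text)
        text.clear()
        if name == ROOT:
            if value.strip():
                _reject("mixed content under %s" % ROOT)
            return
        max_len, pattern = FIELDS[name]
        if len(value) > max_len:
            _reject("%s longer than maxLength %d" % (name, max_len))
        if not re.fullmatch(pattern, value):
            _reject("%s does not match pattern %s" % (name, pattern))
        fields[name] = value

    parser = expat.ParserCreate()
    parser.buffer_text = True   # deliver each text node in a single callback
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(raw, True)
    except expat.ExpatError as exc:
        _reject("malformed XML: %s" % exc)
    missing = [f for f in REQUIRED if f not in fields]
    if missing:
        _reject("missing required element(s): %s" % ", ".join(missing))
    return fields


def validate(raw: bytes):
    """Gateway-style verdict: (True, fields) or (False, reason)."""
    try:
        return True, parse_transfer_request(raw)
    except RejectedMessage as exc:
        return False, str(exc)


# Constructed samples: one conforming request and four the validator must drop.
SAMPLES = {
    "ok": b"<TransferRequest><accountId>12345678</accountId><amount>250.00</amount>"
          b"<memo>July rent</memo></TransferRequest>",
    "billion_laughs": b'<!DOCTYPE x [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;">]>'
                      b"<TransferRequest><accountId>&b;</accountId><amount>1.00</amount></TransferRequest>",
    "injection": b"<TransferRequest><accountId>12345678</accountId><amount>1.00</amount>"
                 b"<memo>x'; DROP TABLE transfers; --</memo></TransferRequest>",
    "unknown_element": b"<TransferRequest><accountId>12345678</accountId><amount>1.00</amount>"
                       b"<debug>1</debug></TransferRequest>",
    "memo_too_long": b"<TransferRequest><memo>" + b"A" * 70 + b"</memo></TransferRequest>",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, validate(raw))
```

The DOCTYPE check runs inside the parser callback, so the message is dropped before expat has expanded a single entity; that ordering is what keeps the "validation is processor-intensive" challenge from turning into the denial of service the slide warns about. In a deployment the same field rules would live in the XSD loaded by the gateway or by a validating parser (for example javax.xml.validation on Java, lxml on Python), and never in a schemaLocation taken from the incoming message.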
Slide 18: Functional Security Overview
We have talked about security threats against an unprotected SOAP web service. Protecting against SOAP attacks with an XML gateway or similar products will protect against malicious messages and denial of service attacks. It will not give you access control, confidentiality or message integrity, and it will not give you easy security administration of your web services.
What are the challenges?
- Native SOAP does not include any security features.
- Early adopters used transport-layer protection mechanisms (HTTP-level or SSL). This does not protect messages when they are transported over other mediums (e.g. SMTP).

Slide 19: Solution Availability Matrix
Transport Layer Security
- Works only peer-to-peer; has to be re-established if the message is relayed.
- Protects the entire conversation; session awareness available.
Message Layer Security
- Protects the message and the contents of the message.
- Protection persists across multiple hops; no session awareness.

Slide 20: Security Recommendations
Web Services standards are still emerging; however, preparation and implementation of basic federated building blocks should be considered now.
Preparation
- Access control: identify who you want in your circle of trust and how much you trust them.
- Maintain identity: who initiated the transaction.
- Audit: a connected trail of activities, important for compliance efforts.
- Identity and Access Management (I&AM) integrated into your Service Oriented Architecture to support the above.
- Other technology controls: integrity and confidentiality as required.
Implementation
- Consumer portals should look to areas like Liberty and SAML to see if there are gains to be achieved from supporting some of the existing federated solutions.
- In areas where portal-to-portal single sign-on has already been custom-built, replace it with point-to-point SAML solutions.
- Use SAML for all new single sign-on initiatives that cross organizational boundaries.

Slide 21: Contents (section divider; same list as Slide 3)

Slide 22: WS* vs. Liberty Alliance
WS*
- More generic framework.
- Developed by Microsoft, IBM and selected vendors (e.g. Verisign, Oblix (now Oracle), SAP, RSA, etc.).
- Subject to a somewhat ambiguous Royalty Free (RF) process.
Liberty Alliance
- More purpose-specific solutions (identity federation) instead of a generic framework.
- Developed by industry, less vendor-centric: Sun, Vodafone, IBM, Fidelity Investments, America Online, Nokia, Ericsson.
- More open process.
Competing and somewhat overlapping standards; expect the dust to settle in OASIS and WS-I.

Slide 23: Standards: WS-Security
The WS-Security initiative is driven by the OASIS standards organization, and led by Microsoft, IBM and Verisign. The goal of WS-Security is to construct secure SOAP message exchanges.
(Figure: Initial Specifications, Follow-on Specifications.)

Slide 24: Liberty Alliance Project
Federated Network Identity and Identity-based Services
ID-FF 1.2 (Final: November 2003)
- Cross-Domain Single Sign-On
- Account Linking
- Mainly browser-based interactions
ID-WSF 1.1 (Final: May 2004)
- Discovery Service
- Interaction Service
- Authentication Service
ID-SIS 1.1
- Personal Profile
- Employee Profile
- Contact Book
- GeoLocation Service
- Presence Service
Purpose-specific, deeply defined specifications.

Slide 25: Standards lifecycle
(Chart: axes Usage and Acceptance; stages Developing (Not a Standard), Early Adopters, Mature.)
Standards shown: SSL/TLS; SAML 2.0, March 2005*; SAML 1.1, August 2003*; WS-Security, March 2004*; XML-Encryption and XML-Signature, Dec 2002*; WS-Security Extensions.
* Indicates the date that a Specification became an official Standard.

Slide 26: Contents (section divider; same list as Slide 3)

Slide 27: Interaction Model
(Figure; 2001-2002 International Business Machines Corporation, Microsoft Corporation.)

Slide 28: Standards: WS*
SOAP, WS-Security, WS-Secure Conversation, W
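A worked illustration of the Solution Availability Matrix (slide 19) and of what WS-Security's "secure SOAP message exchanges" (slide 23) buy over transport security, as an added example written for this page rather than code from the deck or from any WS-Security implementation. It models a producer, an intermediary that terminates the transport hop and adds a routing header, and a final receiver. Two stand-ins are assumptions of the example: HMAC-SHA256 over a fixed serialization of the Body and Timestamp takes the place of the XML Signature (with canonicalization) that a WS-Security header would carry, and a shared key takes the place of the signer's X.509 key pair. The message structure, key and body are constructed for the example.

```python
"""Message-layer integrity across an intermediary, WS-Security style (added example)."""
import hashlib
import hmac
import json

CLOCK_SKEW = 300  # seconds of receiver clock drift tolerated on Created


def _signed_bytes(body: str, created: int, expires: int) -> bytes:
    # The signature covers the Body and the Timestamp only. Routing headers added by
    # intermediaries are deliberately outside it, which is what lets the signature
    # survive a hop. The fixed key order stands in for XML canonicalization (C14N).
    return json.dumps({"body": body, "created": created, "expires": expires},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_message(body: str, key: bytes, now: int, ttl: int = 60) -> dict:
    """Producer: attach a Timestamp and a signature over Body + Timestamp."""
    created, expires = now, now + ttl
    mac = hmac.new(key, _signed_bytes(body, created, expires), hashlib.sha256).hexdigest()
    return {"headers": {"Timestamp": {"Created": created, "Expires": expires},
                        "Signature": mac},
            "body": body}


def relay(message: dict, hop: str) -> dict:
    """Intermediary: the transport hop (SSL) ends here. It re-serializes the message
    and adds a routing header before forwarding; any change to the Body must be
    detectable downstream even though this hop could read and rewrite everything."""
    headers = {k: (dict(v) if isinstance(v, dict) else v) for k, v in message["headers"].items()}
    headers["Via"] = list(headers.get("Via", [])) + [hop]
    return {"headers": headers, "body": message["body"]}


def verify_message(message: dict, key: bytes, now: int):
    """Final receiver: check freshness first, then the signature. Returns (ok, reason)."""
    ts = message["headers"].get("Timestamp") or {}
    created, expires = ts.get("Created"), ts.get("Expires")
    if not isinstance(created, int) or not isinstance(expires, int):
        return False, "missing Timestamp"
    if now < created - CLOCK_SKEW:
        return False, "Created is in the future"
    if now > expires:
        return False, "Timestamp expired"
    expected = hmac.new(key, _signed_bytes(message["body"], created, expires),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(message["headers"].get("Signature", ""))):
        return False, "signature does not cover this Body/Timestamp"
    return True, "ok"


# Constructed walk-through: producer -> gateway -> receiver, then a tampering
# attempt and a late replay. The key and body are sample values for the example.
KEY = b"constructed-shared-secret-for-the-example"
BODY = ("<TransferRequest><accountId>12345678</accountId>"
        "<amount>250.00</amount></TransferRequest>")


def walkthrough(now: int = 1_000_000) -> dict:
    original = sign_message(BODY, KEY, now)
    relayed = relay(original, "xml-gateway-1")      # routing header added in transit
    tampered = dict(relayed, body=BODY.replace("250.00", "9250.00"))
    return {
        "via": relayed["headers"]["Via"],
        "after_hop": verify_message(relayed, KEY, now + 30),
        "tampered": verify_message(tampered, KEY, now + 30),
        "replayed_late": verify_message(relayed, KEY, now + 600),
    }


if __name__ == "__main__":
    for label, result in walkthrough().items():
        print(label, result)
```

The relayed message still verifies because the signature never covered the Via header, while the Body change made at the hop fails, which is the "protection persists across multiple hops" row of the matrix; the transport session that protected the first leg ended at the gateway and says nothing about the second leg. The Timestamp bounds how long a captured message stays valid, but a receiver that needs to stop replays inside that window still has to remember signatures it has already accepted, and none of this provides confidentiality, which WS-Security addresses separately with XML Encryption.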