Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing.

Slides:



Advertisements
Similar presentations
HCQ P MEDICARES HEALTH CARE QUALITY IMPROVEMENT PROGRAM QualityNet Exchange Dennis Stricker Director, Information Systems Group Office of Clinical Standards.
Advertisements

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
MyProxy Jim Basney Senior Research Scientist NCSA
17 March 2010 Workshop on Efficient and Effective eGovernment FASTeTEN : a Flexible Technology in Different European Administrative Contexts
Internet Protocol Security (IP Sec)
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Overview of Web Services
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Security by Design A Prequel for COMPSCI 702. Perspective “Any fool can know. The point is to understand.” - Albert Einstein “Sometimes it's not enough.
SAML Integration Doug Bayer Director, Windows Security Microsoft Corporation
Authenticated QoS Signaling William A. (Andy) Adamson Olga Kornievskaia CITI, University of Michigan.
Lecture 23 Internet Authentication Applications
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
Security and Policy Enforcement Mark Gibson Dave Northey
Chapter 12 USING TECHNOLOGY TO ENHANCE BUSINESS PROCESSES.
Chapter 12 USING TECHNOLOGY TO ENHANCE BUSINESS PROCESSES.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
Clinic Security and Policy Enforcement in Windows Server 2008.
1 Directories and Policy-Based Networking - Strassner Directories & Policy-Based Networking 0827_02F8_c1 John Strassner Cisco Systems.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Session 11: Security with ASP.NET
Networked Application Architecture Design. Application Building Blocks Application Software Data Infrastructure Software Local Area Network Server Desktop.
Web Services Quality Model V2.0 Business Value Quality Group Business Value Quality Cost Suitability Effect Service Measurement Quality Group Service Level.
The Windows NT ® 5.0 Public Key Infrastructure Charlie Chase Program Manager Windows NT Security Microsoft Corporation.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.
Philadelphia Area SharePoint User Group Building Customer/Partner Extranets Designing a Secure Extranet with Sharepoint 2007 Russ Basiura RJB Technical.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
X-Road – Estonian Interoperability Platform
Dr. Bhavani Thuraisingham October 2006 Trustworthy Semantic Webs Lecture #16: Web Services and Security.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Module 9: Fundamentals of Securing Network Communication.
Harshavardhan Achrekar - Grad Student Umass Lowell presents 1 Scenarios Authentication Patterns Direct Authentication v/s Brokered Authentication Kerberos.
ACM 511 Introduction to Computer Networks. Computer Networks.
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
W3C Web Services Architecture Security Discussion Kick-Off Abbie Barbir, Ph.D. Nortel Networks.
Shibboleth: An Introduction
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.
19 December 1998EMGnet meeting INRIA Rhône-Alpes1 An Overview of Security Issues in the Web José KAHAN OBLATT W3C/INRIA 19 December 1998.
Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.
Module 13: Enterprise PKI Active Directory Certificate Services (AD CS)
Web Services Security Patterns Alex Mackman CM Group Ltd
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
The Hierarchical Trust Model. PGP Certificate Server details Fast, efficient key repository –LDAP, HTTP interfaces Secure remote administration –“Pending”
Web Services Security Standards Dr. Phillip M. Hallam-Baker C.Eng. FBCS VeriSign Inc.
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
Securing Access to Data Using IPsec Josh Jones Cosc352.
E-commerce Architecture Ayşe Başar Bener. Client Server Architecture E-commerce is based on client/ server architecture –Client processes requesting service.
Module 8: Securing Network Traffic by Using IPSec and Certificates
Security in ebXML Messaging
Goals Introduce the Windows Server 2003 family of operating systems
Security & .NET 12/1/2018.
Public Key Infrastructure from the Most Trusted Name in e-Security
Tim Bornholtz Director of Technology Services
Module 8: Securing Network Traffic by Using IPSec and Certificates
Data and Applications Security Developments and Directions
Data and Applications Security Developments and Directions
Advanced Computer Networks
InfiNET Solutions 5/21/
Data and Applications Security Developments and Directions
Presentation transcript:

Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing

Outline Disclaimer Requirements are from a user perspective to cover the use of web services in our environment Some of these requirements are met by existing technologies Requirements WS data/transaction/orchestration Infrastructure General Examples

WS Transaction/Orchestration Protection Requirements Data protection Integrity Confidentiality Privacy support Attack resistant to Replay attacks Person in the middle attacks Orchestration hijacking Evidence to support non-repudiation Signature Timestamp Audit trail

Infrastructure Protection Requirements Transport Integrity Confidentiality Authentication Multiple mechanisms – certificates, shared secrets, Kerberos/AD Application authentication User authentication Access control Multiple mechanisms – RBAC, directory based Credential propagation Credential caching Transaction level granularity – resource or application access authorized separately from individual transaction authorization

More Infrastructure Protection Requirements Resource protection Server and network isolation Server resource control Network bandwidth control Centralized Policy administration Provisioning Access control Auditing Monitoring

General Requirements User transparent (AMAP) Standards based Vendor neutral Interoperable – no proprietary value-added extensions IPR Free Compatible with existing security technology VPNs – IPSec, TLS PKI LDAP Performance Support for real time applications Reliable Redundancy Extensible Development environment that enables and promotes the creation of secure web services

Future Requirements Secure context passing between different web services Pass a security context through an integration broker including support for: End to end access The ability to switch between environments such as J2EE and.NET

Example 1: Web Single Sign On (WSSO) based end to end security WSSO accepts user credentials Account, password, X.509 certificate Front end to multiple applications Using the same approach to provide web service to web service application security

WSSO – Desired Service Requesting web service Request Service 1 1. Client request 2. Application request3. Service response

WSSO – Needed Security Requesting web service Service 1 Request Service protection Access control User authentication Enterprise protection Application authentication Confidentiality Message integrity Audit trail Signature

WSSO – Existing Security Requesting web service Service 1 Authentication Service Directory Request Validation Service 1. Client logon 3. Application certificate 9. Service response 2. Client request 4. Authentication Request 5. Check for revocation 6. Directory attribute check 8. Application request 7. Credential cache SSL/TLS Perimeter to protect application

Example 2: Engineering Drawing Application (EDA) Supports engineering drawings and parts lists Total database size = 1.5TB, About 15M documents, Average document size = 100KB Query to retrieval time < 2 seconds Supports 1500 concurrent users, average of 1000 TPM, peak of 2000 TPM Currently undergoing an expansion and conversion to web services

EDA Architecture Internet Intranet User HTTP Server Web Server EJB Container New Datastore Legacy Datastore Other systems and data Datastore Manager LoadBalLoadBal SOAP Messages For web pages For SOAP objects

EDA Needed Security Internet Intranet User HTTP Server Web Server EJB Container New Datastore Legacy Datastore Other systems and data Datastore Manager LoadBalLoadBal Enterprise protection Confidentiality User authentication Service resource protection Access control Application authentication Confidentiality Message integrity Audit trail Signature User authentication

EDA Existing Security Internet Intranet User HTTP Server Web Server EJB Container Directory based Authentication And access Control Service New Datastore Legacy Datastore Other systems and data Datastore Manager RevProxyRevProxy FirewallFirewall LoadBalLoadBal

Centralized Parts Inventory (CPI) Descriptions of parts Current parts stock level information Originally a collection of disparate web sites linked to different databases In the process of being converted to a centralized service that provides a common look and feel and navigation services

CPI Architecture Navigation Services Object Database Access Rules Database Parts Descriptions Descriptions Access Rules Descr. Obj 1 Descr. Obj 2 Descr. Obj n … Parts Inventory Status Inventory Access Rules Inv. Obj 1 Inv. Obj 2 Inv. Obj n … Common Look And Feel Services …

CPI Needed Security Navigation Services Object Database Access Rules Database Parts Descriptions Descriptions Access Rules Descr. Obj 1 Descr. Obj 2 Descr. Obj n … Parts Inventory Status Inventory Access Rules Inv. Obj 1 Inv. Obj 2 Inv. Obj n … Common Look And Feel Services … Enterprise protection User authentication User Authorization Confidentiality Message integrity Audit trail Signature Application access control

CPI Existing Security Navigation Services Object Database Access Rules Database Parts Descriptions Descriptions Access Rules Descr. Obj 1 Descr. Obj 2 Descr. Obj n … Parts Inventory Status Inventory Access Rules Inv. Obj 1 Inv. Obj 2 Inv. Obj n … Common Look And Feel Services … Directory and Certificate based Authentication And access Control Service Perimeter Services

Conclusions We need data protection for web services messages SSL/TLS is insufficient because it only provides integrity at the packet level, not at the XML message level We need interoperable, multivendor solutions Security solutions need to integrate with existing security technologies Security solutions must work between enterprises as well as within them

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.