Web Services and the Old World
Phillip Hallam-Baker, Principal Scientist, VeriSign Inc.
© 2004 VeriSign, Inc.

2 A Quotation
“I have seen the future and it has angle brackets.”
  A Web Services Architect

3 More Quotations
“Without Trust and Security, Web Services are dead on arrival.”
  Phillip Hallam-Baker
“Unless you fix Internet crime, people are not going to be very confident in your ability to secure Web Services.”
  One of his customers

4 Internet Crime
+ It is real, it is organized, it is for profit
  + Spam was the start; phishing is merely the current tactic
+ Has required a re-evaluation of legacy Internet protocol security
  + Email was not designed to be secure
  + Phishing gangs are now exploiting that lack of security
+ Direct losses due to fraud are in the hundreds of millions
  + The cost of lost consumer confidence is potentially much higher
+ SSL held the line for ten years
  + During which time little was done to improve the user interface
  + Introduction of domain-authenticated certificates reduced the security assurance a certificate conveys
+ IPSEC and DNSSEC don’t really address the security issues of Internet crime
  + Designed for very different threats
+ What is to be done?

5 Industry Solution – Retrofit Web Services Architecture
+ Not acknowledged as such (of course)
  + Not even an acknowledgement that there is a systematic architecture
+ But close similarities exist
+ Example: Web Services Discovery and Protocol Negotiation
  + XML defines common protocol syntax
  + XML Schema defines data structures
  + WSDL describes the message set etc.
  + WS-Policy allows negotiation of protocol version and features
  + WS-SecurityPolicy allows negotiation of security context
+ Fixing email
  + Multiple schemes: SPF/Sender-ID, DomainKeys/Identified Internet Mail
  + But each adds a security policy layer to the existing SMTP protocol
    + “All legitimate mail from this domain comes from these IP addresses”
    + “All legitimate mail from this domain is signed”

6 Using the DNS for Protocol Policy Distribution
+ SPF (Sender Policy Framework) stores protocol policy in the DNS
  + Lightweight, ubiquitous protocol designed for name resolution
  + Works very well for policy distribution
  + Has built-in caching and time to live
  + No cryptographic security (DNS answers are not authenticated)
    + But securing it is now only a matter of time, given the level of attack
+ Why not extend this into a general security policy distribution protocol?
  + Does this web site support SSL?
    + Negotiate a transparent upgrade from HTTP to HTTP over SSL
  + Does this email server support SSL?
    + Always-on security
+ Why not distribute WS-Policy statements via DNS?
  + We are not there - yet
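
The first of the two policy statements on the previous slide (“all legitimate mail from this domain comes from these IP addresses”) is exactly what an SPF record in DNS expresses. The following is an added worked example, not code from the original deck or from VeriSign: a minimal SPF evaluator that walks a record’s mechanisms left to right and returns the verdict a receiving edge would use. The TXT records, the domain names and the function names `lookup_txt` and `check_spf` are constructed for the example; a real checker would query DNS and also support the `a`, `mx`, `ptr` and `exists` mechanisms, which need live lookups.

```python
"""Evaluator for the SPF policy statement on the slide: "all legitimate mail
from this domain comes from these IP addresses". The TXT records below are
constructed stand-ins for DNS lookups so the example runs offline."""
import ipaddress

# Constructed zone data (assumption: these are not real published records).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "broken.example": "v=spf1 ptr -all",  # ptr needs live DNS: unsupported here
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 4408 limits DNS-querying mechanisms to 10 per check


def lookup_txt(domain):
    """Stand-in for a DNS TXT query; returns "" when no record exists."""
    return FAKE_DNS_TXT.get(domain.lower(), "")


def check_spf(sender_ip, domain, depth=0):
    """Return pass, fail, softfail, neutral, none or permerror for sender_ip
    claiming to send mail for domain. Mechanisms are tried left to right;
    the first match decides, using the qualifier written in front of it."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = lookup_txt(domain)
    if not record.startswith("v=spf1 ") and record != "v=spf1":
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without an explicit qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed prefix in the published record
            matched = ip.version == network.version and ip in network
        elif mech == "include":
            # include: matches only when the included domain's policy passes
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            # a, mx, ptr, exists need live DNS and are outside this example
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record ended without a match and without an "all" term
```

Two points worth noting when reading the verdicts: `include:` does not splice the other domain’s record in, it only contributes a match when that record evaluates to `pass`, so a `~all` in the included domain still falls through to the including domain’s `-all`. And SPF checks the envelope sender (MAIL FROM) or HELO identity, not the `From:` line the user sees, which is why the slide lists signing as a second, separate policy layer.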

7 Rediscovering the Edge
+ Traditional Internet architecture regarded firewalls as evil
  + End-to-end security or nothing
  + Usually ending up with nothing, or next to nothing
+ The Web Services and Web Services Security models embrace firewalls
  + “Here is the information you need to let me through”
+ Security architectures that address Internet Crime rediscover the edge
  + Authenticate at the domain level
  + Apply authentication at the outgoing edge server
  + Verify authentication at the incoming edge

8 ‘Web Services Lite’
+ Legacy Internet protocols packaged in a Web Services friendly form
  + SOAP is not supported
    + Protocol must be hand coded
    + Syntax and specification are idiosyncratic
  + But they allow a client to answer important questions
    + What versions of the protocol are supported?
    + What security enhancements are supported?
    + Is there a pure Web Service connection available?
+ But they acknowledge the fact that edge security is legitimate
  + Network infrastructure is not abstracted away in the security model
  + End-to-end considered a cop-out, ignoring the real security issues

9 What are the Implications for Web Services?
+ Lesson learned #1
  + It’s not the technology, it’s the deployment strategy
+ Lesson learned #2
  + It’s not the standards body, it’s the constituency of stakeholders
  + See Lesson #1
+ Lesson learned #3
  + Make the barriers to entry exceptionally low
  + See Lesson #1
+ Lesson learned #4
  + The bad guys attack the system at its weakest point
  + That is often the consumer
  + See Lesson #1

10 What are the Implications for Web Services?
+ Web Services Lite is being deployed
  + SPF/Sender-ID authentication has critical mass
  + Considerable backing for DomainKeys/Identified Internet Mail
  + Internet crime provides a major forcing function
  + Expect businesses to sign SMTP mail by default in the near future
+ It would be good to use as much Web Services experience as possible
  + If only to serve as a prototype deployment and sanity check for Web Services
  + Legacy protocols are in flux; change is possible
+ Potential downside
  + It is concluded that the legacy Internet protocols are sufficient
  + No need to move to new platforms such as SOAP
+ Potential upside
  + Close many of the security holes that create ‘gotchas’ for Web Services
  + Co-opt Web Services Lite to provide a low barrier to entry for true Web Services

11 Beyond EDI with angle brackets
+ One view of Web Services is that they provide ‘frictionless capitalism’
  + XML is better than EDI’s traditional syntax because the wind resistance of the angle brackets is lower…
+ Web Services will connect big company to big company
  + Electronic supply chain
  + Smaller companies will be bullied into line and forced to comply
  + Huge benefits for large companies
  + Smaller companies with no ERM systems to integrate to will get ?
+ Perhaps there is another approach
  + Support the small business doing one Web Services transaction a week
  + Real-time integration will still require infrastructure

12 Web Services without the server
+ Servers represent a real cost to a small business
  + Software is expensive and requires specialist coding skills
  + Maintenance is even more expensive
  + Have to be on 24/7
  + Reliability requires a redundant configuration
+ Clients are cheap
  + Software is subject to commodity pricing and off-the-shelf distribution
  + A client connection is more forgiving; coding errors are less disastrous
+ Email is ubiquitous and inexpensive
  + With the new cryptographic enhancements it is becoming reliably secure

13 Proposal: Use email for the low-cost entry point
+ Example: Electronic Invoicing
+ The transition will mean that there are multiple speeds:
  + Large business supports an e-Invoice Web Service
  + Some small businesses and consumers opt to receive invoices by email
  + Some still receive paper
+ Some businesses will interface their Web Services to paper
  + Order received by Web Service is printed out and sent to Accounts
+ Some businesses will have tight integration with their ERM system
+ Some will be using Quicken, QuickBooks or Microsoft Money
  + Application recognizes the message as an invoice
  + Source is identified as trustworthy
  + Automatically enter it into the ledger
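
The last three bullets are the application side of the edge model from slide 7: the incoming edge verifies the sending domain, and the accounting application consumes that verdict rather than trusting the `From:` line, which anyone can forge. The following is an added example, not code from the original deck or from any of the accounting packages named: it recognises an emailed XML invoice, checks that the edge authenticated the sender and that the authenticated domain both matches the `From:` header and is on an approved-supplier list, and only then produces a ledger entry. It assumes the edge records its SPF verdict in a `Received-SPF` header as RFC 4408 section 7 describes (an assumption about the deployment, not something the slides state); `TRUSTED_SUPPLIERS`, the `Invoice` XML shape and the sample messages are constructed.

```python
"""Application-side handling of an emailed invoice, following the three steps
on the slide: recognise the message as an invoice, decide whether the source is
trustworthy, and only then post it to the ledger. The trust decision rests on
the authentication result recorded by the incoming edge (a Received-SPF header,
RFC 4408 section 7), not on the From: line, which anyone can forge."""
import email
from email import policy
import xml.etree.ElementTree as ET

# Assumption: suppliers this business has approved, keyed by mail domain.
TRUSTED_SUPPLIERS = {"supplier.example.com": "ACME Widgets Ltd"}


def edge_authentication(msg):
    """Parse the edge's Received-SPF header into (result, authenticated domain).
    Format: 'pass (comment) receiver=...; client-ip=...; envelope-from=<user@domain>'."""
    header = msg.get("Received-SPF")
    if header is None:
        return None, None
    result, _, rest = str(header).strip().partition(" ")
    if rest.startswith("("):  # drop the free-text comment
        rest = rest[rest.find(")") + 1:]
    fields = {}
    for kv in rest.split(";"):
        key, _, value = kv.strip().partition("=")
        if key:
            fields[key.lower()] = value.strip().strip("<>")
    sender = fields.get("envelope-from", "")
    domain = sender.rsplit("@", 1)[1].lower() if "@" in sender else None
    return result.lower(), domain


def process_invoice(raw_message):
    """Return a ledger entry for a trustworthy invoice, otherwise a status
    explaining why the message was ignored or held for a human."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if msg.get_content_type() != "text/xml":
        return {"status": "ignored", "reason": "not an invoice"}
    # stdlib ElementTree is not hardened against entity-expansion attacks;
    # production code should parse untrusted input with defusedxml instead.
    try:
        root = ET.fromstring(msg.get_payload(decode=True))
    except ET.ParseError:
        return {"status": "ignored", "reason": "not an invoice"}
    if root.tag != "Invoice":
        return {"status": "ignored", "reason": "not an invoice"}

    result, auth_domain = edge_authentication(msg)
    if result != "pass" or auth_domain is None:
        return {"status": "held", "reason": "sender domain not authenticated at the edge"}
    from_header = msg["From"]
    if from_header is None or not from_header.addresses:
        return {"status": "held", "reason": "missing From header"}
    if from_header.addresses[0].domain.lower() != auth_domain:
        return {"status": "held", "reason": "From header does not match authenticated domain"}
    if auth_domain not in TRUSTED_SUPPLIERS:
        return {"status": "held", "reason": "supplier not on approved list"}

    total = root.find("Total")
    if total is None or total.text is None or "currency" not in total.attrib:
        return {"status": "held", "reason": "invoice missing total"}
    return {
        "status": "posted",
        "supplier": TRUSTED_SUPPLIERS[auth_domain],
        "number": root.get("number"),
        "total": total.text.strip(),
        "currency": total.get("currency"),
    }


# Constructed sample messages (not real traffic). Headers are as the incoming
# edge would have left them after running its SPF check.
GOOD_INVOICE = """\
Received-SPF: pass (edge.smallbiz.example.org: domain of ap@supplier.example.com designates 192.0.2.10 as permitted sender) receiver=edge.smallbiz.example.org; client-ip=192.0.2.10; envelope-from=<ap@supplier.example.com>
From: Accounts Payable <ap@supplier.example.com>
To: ledger@smallbiz.example.org
Subject: Invoice 1042
Content-Type: text/xml

<Invoice number="1042"><Total currency="USD">1250.00</Total></Invoice>
"""

# Same invoice, but the envelope sender the edge actually verified is a
# stranger: the From: line was forged to look like the supplier.
SPOOFED_INVOICE = GOOD_INVOICE.replace(
    "envelope-from=<ap@supplier.example.com>", "envelope-from=<bulk@phisher.example.net>"
)
# The edge could not verify the sending host at all.
UNAUTHENTICATED_INVOICE = GOOD_INVOICE.replace("Received-SPF: pass", "Received-SPF: fail")
# Ordinary mail that should simply be left alone.
NOT_AN_INVOICE = GOOD_INVOICE.replace("Content-Type: text/xml", "Content-Type: text/plain")
```

The ordering matters: the message is classified as an invoice first so that ordinary mail is never held, and the two authentication checks are separate because they fail differently. A failed SPF result means the edge could not vouch for the sender at all; a passing result whose envelope domain differs from the `From:` domain is the classic phishing shape the slide on Internet crime describes, and is the case a signature scheme such as DomainKeys/Identified Internet Mail is meant to close.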

14 Conclusions
+ Internet Crime is affecting Web Services
  + A major effect on consumer and business confidence in the Internet
  + Requiring redesign of legacy protocol infrastructures
+ Many features of Web Services are being grafted onto the legacy base
+ Web Services can benefit from this process
  + Make use of the secured legacy infrastructures
  + Use them to lower barriers to adoption
  + Make Web Services into a mass-market technology, not merely EDI mk II

© 2004 VeriSign, Inc. Thank You