Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Services Security Enterprise Architect Summit – 2004 Mark O’Neill CEO.

Published byAlejandro Bendell Modified over 10 years ago

Similar presentations

Presentation on theme: "Web Services Security Enterprise Architect Summit – 2004 Mark O’Neill CEO."— Presentation transcript:

1 Web Services Security Enterprise Architect Summit – 2004 Mark O’Neill CEO

2 Enterprise Architect 20042 XML Security requirements Protect XML systems by ensuring that only the right users using the right applications sending the right data can connect. What are examples of XML systems? New XML interfaces into established database and CRM products Service Delivery Platforms (e.g. for mobile telecoms) Service Oriented Architectures EDI exchanges using XML documents Collaborative systems which use XML, e.g. instant messaging Web Services

3 Enterprise Architect 20043 Insecurity Complex It’s well known that Web Services have provoked security concerns. However, there is a lot of confusion in the area – leading to a common belief that Web Services are “just plain insecure”. The vast number of new specifications and standards for Web Services security may seem to indicate a security nightmare for Web Services However, many of the initiatives for Web Services security – such as WS- Security and the Liberty Alliance – are about bridging security domains and solving security interoperability problems – not about “plugging holes”. They are enabling security, not protective security

4 Enterprise Architect 20044 Web Services have three distinct security issues: 1.Authorize the end-user, even if the end-user has authenticated in a different security domain from the Web Service, using a different authentication method, under a different profile. 2.Block new application layer threats that make use of XML and SOAP. 3.Block unauthorized clients from accessing Web Services. What is the problem? 123

5 Enterprise Architect 20045 Use or Misuse? Ironically: An attacker who can break through the access control layer can cause more damage using a valid SOAP message than using an invalid SOAP message… because the valid SOAP message will work. In other words, use of a Web Service by an intruder is often more dangerous than misuse of a Web Service by the same intruder. Think about it – if an attacker can get past the access control for a bank’s inter- bank money transfer Web Services, what represents the greatest threat: (a) use it to transfer money to their bank account, or; (b) pass it enormous parameters to probe for a buffer-overflow attack?

6 Enterprise Architect 20046 There are two architectural options for applying security to XML/Web Services: 1)Network-level filtering of traffic targeted at the XML System (i.e. an “XML Firewall”) 2)Deploy XML security as a shared service for an entire XML network (an enterprise-wide “security server”) The solution:

7 Enterprise Architect 20047 “XML gateway” (hardware or software). Filters XML traffic in-line Deployed as software, or as an appliance with HSM and crypto-acceleration “XML security server” Centralize the security management for an entire XML network, across network boundaries and tiers Provide enforcement plug-ins (“security agents”) for common Web Service platforms and with proxies (“traffic cops”) to filter traffic in-line. An API is essential [Java and C++] to create custom agents. Suitable for securing a Service Oriented Architecture Two product requirements

8 Enterprise Architect 20048 Suitable for organizations which have a network chokepoint suitable to act as a logical XML gateway: XML traffic is authenticated and validated, then routed to its destination Messages may be signed, encrypted, or transformed by the gateway Multiple XML systems be protected by one XML Gateway A single XML Gateway may consist of multiple copies, distributed using a Load balancer (e.g. Cisco Local Director) Hardware options: 1U appliance [SafeNet], Intel Itanium 2, cryptographic acceleration cards (SafeNet, nCipher) XML Firewall

9 Enterprise Architect 20049 XML Security Server An XML Security Server is a server dedicated to XML security processing It performs encryption, signing, SAML issuance and validation, WS-Security processing, as well as connecting to identity-management infrastructure. It avoids the need to program security into each XML System. Enforcement points – agents, API, and proxies are distributed around the network. An XML Security Server is particularly suitable to secure a Service Oriented Architecture, where there is no logical “choke point” in which to put an XML Firewall. It provides a central point for management and reporting of XML traffic.

10 Enterprise Architect 200410 Typical Web Services rollout In this diagram, an XML Gateway is in place as a “perimeter”, while some internal Web Services have begun to appear also.

11 Enterprise Architect 200411 Points of attack in a Web Services rollout Perimeter security does not prevent attacks which make use of points of access such as VPNs or Wireless LANs, which are launched internally. Security is required to be pervasive, rather than perimeter-based.

12 Enterprise Architect 200412 XML Security Server Enterprise Deployment The XML Security Server allows XML security rules to be enforced across the organization. Security is a Service. It’s pervasive security, not perimeter security.

13 Enterprise Architect 200413 VordelSecure – XML gateway XML gateway Proxy for XML and SOAP traffic Filters XML according to security rules, based on the sender and the content Supports SSL, WS-Security, SAML “ Service virtualization ” means that Web Services names and implementation details are hidden behind the XML gateway Web Services systems are protected from direct contact by untrusted entities Real time monitoring and security transaction reporting XML security appliance Safenet and Vordel Cryptographic acceleration Secure key storage, for digital signing and encryption

14 Enterprise Architect 200414 VordelDirector – XML security server XML Security Server with Agents Agents embedded in application endpoints (e.g. SOAP, TIBCO, MQ etc.) Meta-policy management Coordinating policies from Single Sign-On, WSDL, Alerting systems Agent API for creation of agents to enforce VordelDirector functionality Real time monitoring and security transaction reporting VordelConnect Single Sign-On -RSA ClearTrust, Entrust GetAccess, IBM Tivoli Access Manager, Oblix NetPoint Firewalls -OPSEC Digital Certificate Management -Entrust PKI, RSA Keon, VeriSign LDAP Directories -SunOne Directory Server, Microsoft Active Directory Server, IBM Directory Server

15 Enterprise Architect 200415 Summary Security for XML/Web Services means controlling: Who runs your Web Services, What XML data they send Standards exist which are useful WS-Security, WS-* SAML Products exist VordelSecure VordelDirector

16 Enterprise Architect 2004 Vic Morris CEO vic.morris@vordel.com

Download ppt "Web Services Security Enterprise Architect Summit – 2004 Mark O’Neill CEO."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Welcome to Middleware Joseph Amrithraj

Welcome to Middleware Joseph Amrithraj
Service Oriented Architecture for Mobile Applications Swarupsingh Baran University of North Carolina Charlotte.

Service Oriented Architecture for Mobile Applications Swarupsingh Baran University of North Carolina Charlotte.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.

Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.
Database Administration and Security Transparencies 1.

Database Administration and Security Transparencies 1.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Barracuda Web Application Firewall

Barracuda Web Application Firewall
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 Security Characteristics of Cryptographic.

Dr. Sarbari Gupta Electrosoft Services Tel: (703) Security Characteristics of Cryptographic.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Fawaz Alsaadi Fahad Alsolmai.  Secure information sharing across different organizations is an emerging issue for collaborative software development,

Fawaz Alsaadi Fahad Alsolmai.  Secure information sharing across different organizations is an emerging issue for collaborative software development,
Security in Service Oriented and REST architectures SiliconIndia Java Conference, Nimhans, Bangalore 29 Oct 2010 Srinivas Padmanabhuni, Ph.D. Principal.

Security in Service Oriented and REST architectures SiliconIndia Java Conference, Nimhans, Bangalore 29 Oct 2010 Srinivas Padmanabhuni, Ph.D. Principal.

Similar presentations

Ads by Google