Standards and Strategies of Security for the Service Oriented Architecture

Slides: 42
Provided by: admi1598
Transcript and Presenter's Notes

1
Standards and Strategies of Security for the
Service Oriented Architecture
  • Christopher Irish
  • David Orr
  • Sophya Kheim
  • Adam Lange
  • Daniel Palma

2
Agenda
  • Overview
  • Current Problems
  • Current Strategies
  • WS Standards
  • Future Areas of Research
  • References
  • Questions

3
Web Services Definition
  • From World Wide Web Consortium (W3C)
  • Web services are the programmatic interfaces made available for
    application-to-application communication

4
Types of Web Services
5
Overview
  • Key Concepts for Strategies
  • Authentication
  • Authorization
  • Integrity
  • Non-repudiation
  • Confidentiality
  • Privacy

6
Current Problems
  • SOAP monitoring and regulation

7
Current Strategies
  • IP Blocking
  • XML Firewall
  • SSL/TLS
  • Virtual Private Networks (VPN)
  • XML Digital Signature
  • WS-Security
  • XACML
  • SAML

8
IP Blocking
  • Process of identifying those IP addresses from
    which Web requests will be accepted
  • Achieved by specifying a list of acceptable IP
    addresses
  • Pros
  • Simple and easy to implement
  • Cons
  • Valid users with invalid IP addresses will be
    blocked
  • Clients will not be able to access any part of
    the Web site until you have added their IP to the
    accepted list

9
Traditional Firewalls
  • Filters out unauthorized requests by IP Address
  • Pros
  • Easy to implement and maintain
  • Cons
  • IP Address can be spoofed
  • Does not perform authentication, authorization,
    auditing and validation on web service traffic
  • Cannot encrypt or decrypt
  • If web service uses Port 80, difficult to
    implement
  • Not XML aware

10
XML Firewalls
  • Filters out Unauthorized requests by inspecting
    XML content
  • Pros
  • Can perform authentication, authorization,
    auditing and validation on web service traffic
  • Protect against buffer overflows and denial of
    service
  • Message routing, encryption and forwarding are
    available
  • Includes features of traditional firewall
  • Cons
  • Difficult to setup
  • Limited vendors
  • No standardization

11
SSL/TLS
  • Endpoint to endpoint encryption of web service
    traffic over TCP
  • Pros
  • Easy to implement
  • Standardized protocols
  • Protects against network sniffing
  • Cons
  • Does not perform authentication, authorization,
    auditing and validation on web service traffic
  • Messages cannot have multiple transports
  • No Element-Wise Signing
  • Data stored on disk before processing cannot be
    protected
  • Not XML aware

12
Virtual Private Networks
  • Enables the creation of secure data tunnels among
    remote sites or hosts for web service traffic
  • Pros
  • Uses several technologies
  • Standardized protocols
  • Secure VPNs - IPSec, SSL/TLS, PPTP, L2TP
  • Trusted VPNs - MPLS, L2F
  • Easy to implement
  • Protects against network sniffing
  • Web service can join or leave dynamically
  • A web service can be invoked dynamically
  • Frees web service from managing access control,
    auditing and encryption
  • Cons
  • Does not perform validation on web service
    traffic
  • Data stored on disk before processing cannot be
    protected
  • Not XML aware

13
XML Digital Signature
  • Provide
  • Authentication
  • Data Integrity
  • Non-repudiation support
  • Can sign many types of resources
  • HTML, binary, XML-encoded data
  • Can be applied to specific portions of XML tree
    rather than complete document

14
Web Services Standards
  • OASIS Web Services Security Standard
  • SAML
  • XACML

15
OASIS WS Security Standard
  • Developed by OASIS on April 29, 2004.
  • Revised and republished February 17, 2006 as
    version 1.1.
  • Currently the most comprehensive guide to Web
    Service security.
  • Main purpose is to allow the exchange of secure
    SOAP messages by protecting its confidentiality
    and integrity

16
WS-Security
  • Focuses on Tokens that are added to the SOAP
    messages to provide different kinds of security.
  • Is built to be extensible and flexible by
    allowing different types of token formats to be
    used in the same message.

17
WS-Security Username Token
  • The username token provides a way for a sender to
    present a claimed identity to the receiver

18
WS Security Binary Security Tokens
  • Used to encode non-XML security tokens, like X.509
    and Kerberos.

[Figure callouts: e.g. X.509; Encoding Format]
19
WS-Security XML Signature
  • The WS-Security standard incorporates the use of
    XML signatures into SOAP messages

[Figure callouts: Begin signature; Reference to signature value; Algorithms used to form the signature; End signature]
20
WS-Security Timestamp
  • Allows the freshness of the security features to
    be determined. Time synchronization is not
    accounted for.
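
Because the standard leaves clock synchronization to the endpoints, a receiver has to choose its own tolerance when it checks freshness. The following is an added example, not part of the original slides: it validates the `wsu:Timestamp` of a constructed SOAP message, and the skew and lifetime limits are assumed policy values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}

# Constructed sample message, not taken from the presentation.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <soap:Header><wsse:Security>
    <wsu:Timestamp wsu:Id="TS-1">
      <wsu:Created>2024-05-01T12:00:00Z</wsu:Created>
      <wsu:Expires>2024-05-01T12:05:00Z</wsu:Expires>
    </wsu:Timestamp>
  </wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>"""

def parse_utc(text):
    # Accepts only the UTC "Z" form; anything else raises ValueError.
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_timestamp(envelope_xml, now, max_skew=timedelta(minutes=2),
                    max_lifetime=timedelta(minutes=10)):
    """Return "accept" or a "reject: ..." reason. max_skew and max_lifetime
    are receiver policy (assumed values), not defined by the standard."""
    # Stdlib parser for brevity; the Timestamp must also be covered by the
    # message signature, which this example does not verify.
    root = ET.fromstring(envelope_xml)
    stamps = root.findall("soap:Header/wsse:Security/wsu:Timestamp", NS)
    if len(stamps) != 1:
        return "reject: expected exactly one Timestamp"
    created = stamps[0].findtext("wsu:Created", namespaces=NS)
    expires = stamps[0].findtext("wsu:Expires", namespaces=NS)
    if created is None or expires is None:
        return "reject: Created and Expires required"
    try:
        created, expires = parse_utc(created), parse_utc(expires)
    except ValueError:
        return "reject: unparseable time"
    if expires <= created or expires - created > max_lifetime:
        return "reject: bad lifetime"
    if created > now + max_skew:
        return "reject: created in the future"
    if now > expires + max_skew:
        return "reject: expired"
    return "accept"
```

A message that arrives 90 seconds after `Expires` is still accepted under the two-minute skew allowance, which is the trade-off a receiver makes when the two clocks are not synchronized.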

21
WS-Security: The big picture
22
WS-Security: The big picture cont.
23
XACML
  • Covers subjects such as authorization, access
    control, and privacy policies, which are often
    overlooked in other standards.
  • XACML (Extensible Access Control Markup Language)
    is an XML-based policy language that allows for
    the description of access control requirements.

24
XACML
  1. Request sent to Policy Enforcement Point (PEP).
  2. The Policy Information Point (PIP) will use
    XACML to describe requestors in terms of
    attributes.
  3. The Policy Decision Point (PDP) actually makes the decisions.
  4. Current policy is retrieved
  5. Return response to the PEP and ultimately to the
    user.
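
The five steps above, as an added example that is not part of the original slides: a simplified Python model of the PEP, PIP and PDP roles. It does not use XACML syntax; the subjects, attributes and rules are constructed, and the deny-overrides combining and the PEP's deny-by-default handling are choices made for this example.

```python
# Constructed attribute store standing in for the PIP (hypothetical data).
PIP_ATTRIBUTES = {
    "alice": {"role": "clerk", "department": "billing"},
    "bob": {"role": "auditor", "department": "finance"},
}

# Constructed policy store: (effect, predicate over the request attributes).
POLICIES = [
    ("Permit", lambda r: r["role"] == "clerk" and r["resource"] == "invoice"
                         and r["action"] in ("read", "create")),
    ("Permit", lambda r: r["role"] == "auditor" and r["action"] == "read"),
    ("Deny", lambda r: r["resource"] == "payroll" and r["department"] != "hr"),
]

def pip_lookup(subject):
    """Step 2: describe the requestor in terms of attributes."""
    return PIP_ATTRIBUTES.get(subject)

def pdp_decide(subject, resource, action):
    """Steps 3 and 4: retrieve the applicable policies and decide."""
    attrs = pip_lookup(subject)
    if attrs is None:
        return "Indeterminate"  # the subject cannot be described
    request = dict(attrs, resource=resource, action=action)
    effects = {effect for effect, applies in POLICIES if applies(request)}
    if "Deny" in effects:       # deny-overrides: one Deny beats any Permit
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"      # no policy matched the request

def pep_enforce(subject, resource, action):
    """Steps 1 and 5: receive the request and enforce the PDP's answer.
    Anything other than an explicit Permit is refused."""
    decision = pdp_decide(subject, resource, action)
    return decision == "Permit", decision
```

Here `pep_enforce("bob", "payroll", "read")` is refused even though the auditor rule permits reads, because the payroll Deny rule also matches and takes precedence.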

25
SAML
  • Uses assertions for validity and authenticity.

26
Service to Service Authentication
  • Verify if a service should be allowed to
    communicate with another
  • Authorization Methods
  • Tokens
  • PK certificates
  • Kerberos tickets
  • SAML assertions
  • SSL certificates
  • Most web services follow the OASIS WS-Security
    standard for any of these methods

27
Establishing Trust Between Services
  • Trust relationships need to be established
    between remote web services in order to be useful
    on a large scale
  • Involves a Trusted Third Party (TTP)
  • Uses Public Key Infrastructure to pass keys
    through the TTP

28
Distributed Authorization and Access Management
  • Web Service Access Controls
  • Role-Based
  • Policy-Based
  • Risk-Adaptive

29
Role-Based Access Control
  • Associates a set of access privileges with a
    particular user role
  • Allows access based on membership in a group or
    by id
  • Simplifies security management by providing a
    role hierarchy

30
Role Based Example
31
Policy Based Access Control
  • Enforces strict environmental-level access
    control policies
  • Use notion of a Policy Authority
  • Focuses on automatically enforcing Mandatory
    Access Controls

32
Risk Adaptive Access Control
  • Access control decisions are based on a relative
    risk profile of the subject
  • Predefined policy rules aren't as strictly
    enforced as role based
  • Requires real-time information to base risk
    assessment on with each authentication request

33
Enforcing Least Privilege Access
  • Users and services should never be given more
    than the minimum privileges needed to perform an
    operation
  • Give privileges only when needed
  • Relinquish privileges immediately upon completion
  • Divide complex functions into simple ones, with
    separate minimal required privilege for each
    function

34
End to End Accountability
  • Auditing essential to ensure operations/transactions
    occurred as expected
  • Dynamic services make it difficult to implement
    auditing
  • No auditing standard has been defined
  • Web Server logging most common

35
SOAP
  • Simple Object Access Protocol
  • A SOAP message is fundamentally a one-way
    transmission between SOAP nodes, from a SOAP
    sender to a SOAP receiver, but SOAP messages are
    expected to be combined by applications to
    implement more complex interaction patterns
    ranging from request/response to multiple,
    back-and-forth "conversational" exchanges.
  • Pros
  • Powerful, can perform RPC.
  • Widespread industry support and acceptance
  • Cons
  • Tunnels through other protocols, circumventing
    security.
  • Application programmer responsible for protocol
    functionality.

36
REST
  • Representational State Transfer
  • REST strictly refers to a collection of
    architectural principles. The term is also often
    used in a looser sense to describe any simple
    interface that uses XML (or YAML, JSON, plain
    text) over HTTP without an additional messaging
    layer such as SOAP.

37
Blocks Extensible Exchange Protocol (BEEP)
  • DTD and XML aware generic application protocol
    kernel for connection-oriented asynchronous
    interactions (web services) using Simple
    Authentication and Security Layer for
    authentication and authorization
  • Pros
  • Very extensible and simple
  • Built in profiles for security
  • Provides single application user-identity
  • Gaining popularity
  • Implements standardized technologies
  • Sits at transport layer
  • Cons
  • Limited support
  • Development costs can be expensive
  • Can become complicated quickly

38
Future areas of research
  • Focus on standardization
  • Performance of Web Services security mechanisms
  • Scale of Web Services security

39
Future Areas of Research cont.
  • Possible future configuration of a web services
    security system in which an XML Firewall and EASI
    framework are both implemented together

40
Summary
  • Overview
  • Current Problems
  • Current Strategies
  • New Strategies
  • WS Standards including OASIS, SAML, XACML
  • References

41
Questions?