Upload
roger-williamson
View
219
Download
0
Tags:
Embed Size (px)
Citation preview
© 2004 VeriSign, Inc.
Web Services and the Old World
Phillip Hallam-Baker
Principal Scientist
VeriSign Inc.
2
A Quotation
“I have seen the future and it has angle brackets.”A Web Services Architect
3
More Quotations
“Without Trust and Security, Web Services are dead on arrival.”Phillip Hallam-Baker
“Unless you fix Internet crime people are not going to be very confident in your ability to secure Web Services.”
One of his customers
4
Internet Crime
+ It is real, it is organized, it is for profit+ Spam was the start, phishing is the merely the current tactic
+ Has required a re-evaluation of legacy Internet protocol security+ Email was not designed to be secure
+ Phishing gangs are now exploiting that lack of security+ Direct losses due to fraud are hundreds of millions+ The cost of lost consumer confidence is potentially much higher
+ SSL held the line for ten years+ During which time little was done to improve the user interface+ Introduction of domain authenticated certificates reduced security assurance
+ IPSEC, DNSSEC don’t really meet the security issues of Internet crime+ Designed for very different threats
+ What is to be done?
5
Industry Solution – Retrofit Web Services Architecture
+ Not acknowledged as such (of course)+ Not even an acknowledgement that there is a systematic architecture+ But close similarities exist
+ Example: Web Services Discovery and Protocol Negotiation+ XML defines common protocol syntax+ XML-Schema defines data structures+ WSDL describes message set etc.+ WS-Policy allows negotiation of protocol version and features+ WS-SecurityPolicy allows negotiation of security context
+ Fixing Email+ Multiple schemes, SPF/Sender-ID, Domain Keys/Identified Internet Mail
+ But each adds a security policy layer to the existing SMTP protocol+ “All legitimate mail from this domain comes from these IP addresses”+ “All legitimate mail from this domain is signed”
6
Using the DNS for Protocol Policy Distribution
+ SPF (Sender Policy Framework) stores protocol policy in the DNS+ Lightweight & ubiquitous protocol designed for name resolution protocol
+ Works very well for policy distribution+ Has built in caching, time to live
+ No cryptographic security+ But this is now a matter of time due to level of attack
+ Why not extend to general security policy distribution protocol?+ Does this web site support SSL?
+ Negotiate transparent upgrade using HTTP SSL
+ Does this email server support SSL?+ Always on security
+ Why not distribute WS-Policy statements via DNS?+ We are not there - yet
7
Rediscovering the Edge
+ Traditional Internet architecture regarded firewalls as evil+ End-to-end security or nothing+ Usually ending up with nothing or next to nothing
+ Web Services & Web Services Security model embrace firewalls+ “Here is the information you need to let me through”
+ Security architectures to address Internet Crime rediscover the edge+ Authenticate email at the domain level+ Apply authentication to email at the edge server+ Verify authentication at the incoming edge
8
‘Web Services Lite’
+ Legacy Internet Protocols packaged in Web Services friendly form+ SOAP is not supported+ Protocol must be hand coded+ Syntax and specification are idiosyncratic
+ But allow client to answer important questions+ What version of the protocol are supported?+ What security enhancements are supported?+ Is there a pure Web Service connection available?
+ But acknowledge the fact that edge security is legitimate+ Network infrastructure is not abstracted away in security model+ End-to-End considered a cop-out, ignoring the real security issues
9
What are the Implications for Web Services?
+ Lessons learned #1+ Its not the technology, it’s the deployment strategy
+ Lessons learned #2+ Its not the standards body, it’s the constituency of stakeholders+ See Lesson #1
+ Lessons learned #3+ Make the barriers to entry exceptionally low+ See Lesson #1
+ Lessons learned #4+ The bad guys attack the system at its weakest point+ That is often the consumer+ See Lesson #1
10
What are the Implications for Web Services?
+ Web Services Lite is being deployed+ SPF/Sender-ID Email authentication has critical mass+ Considerable backing for Domain Keys/Identified Internet Mail+ Internet crime provides a major forcing function+ Expect businesses to sign SMTP mail by default in near future
+ It would be good to use as much Web Services experience as possible+ If only to serve as prototype deployment/sanity check for Web Services+ Legacy protocols are in flux, change is possible
+ Potential downside+ It is concluded that the legacy internet protocols are sufficient+ No need to move to new platforms such as SOAP
+ Potential upside+ Close many of the security holes that create ‘gotchas’ for Web Services+ Co-opt Web Services Lite to provide low barrier to entry for true Web Services
11
Beyond EDI with angle brackets
+ One view of Web Services is to provide ‘frictionless capitalism’+ XML is better than the ASN.1 in EDI because wind resistance of the
angle brackets is lower…
+ Web Services will connect big company to big company+ Electronic supply chain+ Smaller companies will be bullied into line and forced to comply+ Huge benefits for large companies+ Smaller companies with no ERM systems to integrate to will get ?
+ Perhaps there is another approach+ Support the small business doing one Web Services transaction a week+ Real-Time integration will still require infrastructure
12
Web Services without the server
+ Servers represent a real cost to a small business+ Software is expensive, requires specialist coding skills+ Maintenance is even more expensive+ Have to be on 24/7+ Reliability requires redundant configuration
+ Clients are cheap+ Software is subject to commodity pricing, off the shelf distribution+ Client connection is more forgiving, coding errors less disastrous
+ Email is ubiquitous and inexpensive+ With new cryptographic enhancements it is becoming reliably secure
13
Proposal: Use Email for the low cost entry point
+ Example: Electronic Invoicing+ Transition will mean that there are multiple speeds:
+ Large business supports e-Invoice Web Service+ Some small businesses and consumers opt to receive invoices by email+ Some still receive paper
+ Some businesses will interface their Web Services to paper+ Order received by Web Service, is printed out and sent to Accounts
+ Some businesses will have tight integration with their ERM system
+ Some will be using Quicken, QuickBooks or Microsoft Money+ Application recognizes message as an invoice+ Source is identified as trustworthy+ Automatically enter it into the ledger.
14
Conclusions
+ Internet Crime is affecting Web Services+ A major effect on consumer and business confidence in the Internet+ Requiring redesign of legacy protocols infrastructures
+ Many features of Web Services are being grafted onto the legacy base
+ Web Services can benefit from this process+ Make use of the secured legacy infrastructures
+ Use them to lower barriers to adoption+ Make Web Services into a mass market technology, not merely EDI mkII
© 2004 VeriSign, Inc.
Thank You