Web Services Security Requirements Stephen T. Whitlock Security Architect Boeing

Page 1: Web Services Security Requirements

Web Services Security Requirements

Stephen T. Whitlock
Security Architect
Boeing

Page 2: Web Services Security Requirements

Outline

- Disclaimer
  - Requirements are from a user perspective to cover the use of web services in our environment
  - Some of these requirements are met by existing technologies
- Requirements
  - WS data/transaction/orchestration
  - Infrastructure
  - General
- Examples

Page 3: Web Services Security Requirements

WS Transaction/Orchestration Protection Requirements

- Data protection
  - Integrity
  - Confidentiality
  - Privacy support
- Attack resistant to
  - Replay attacks
  - Person in the middle attacks
  - Orchestration hijacking
- Evidence to support non-repudiation
  - Signature
  - Timestamp
  - Audit trail

Page 4: Web Services Security Requirements

Infrastructure Protection Requirements

- Transport
  - Integrity
  - Confidentiality
- Authentication
  - Multiple mechanisms – certificates, shared secrets, Kerberos/AD
  - Application authentication
  - User authentication
- Access control
  - Multiple mechanisms – RBAC, directory based
  - Credential propagation
  - Credential caching
  - Transaction level granularity – resource or application access authorized separately from individual transaction authorization

Page 5: Web Services Security Requirements

More Infrastructure Protection Requirements

- Resource protection
  - Server and network isolation
  - Server resource control
  - Network bandwidth control
- Centralized
  - Policy administration
  - Provisioning
  - Access control
  - Auditing
  - Monitoring

Page 6: Web Services Security Requirements

General Requirements

- User transparent (AMAP)
- Standards based
  - Vendor neutral
  - Interoperable – no proprietary value-added extensions
  - IPR Free
- Compatible with existing security technology
  - VPNs – IPSec, TLS
  - PKI
  - LDAP
- Performance
  - Support for real time applications
  - Reliable
  - Redundancy
- Extensible
- Development environment that enables and promotes the creation of secure web services

Page 7: Web Services Security Requirements

Future Requirements

- Secure context passing between different web services
- Pass a security context through an integration broker including support for:
  - End to end access
  - The ability to switch between environments such as J2EE and .NET

Page 8: Web Services Security Requirements

Example 1: Web Single Sign On (WSSO) based end to end security

- WSSO accepts user credentials
  - Account, password, X.509 certificate
  - Front end to multiple applications
- Using the same approach to provide web service to web service application security

Page 9: Web Services Security Requirements

WSSO – Desired Service

[Diagram. Components: Request, Requesting web service, Service 1.]

1. Client request
2. Application request
3. Service response

Page 10: Web Services Security Requirements

WSSO – Needed Security

[Diagram. Components: Request, Requesting web service, Service 1. Security labels on the diagram:]

- Service protection
- Access control
- User authentication
- Enterprise protection
- Application authentication
- Confidentiality
- Message integrity
- Audit trail
- Signature

Page 11: Web Services Security Requirements

WSSO – Existing Security

[Diagram. Components: Request, Requesting web service, Service 1, Authentication Service, Validation Service, Directory. Labels: SSL/TLS; Perimeter to protect application.]

1. Client logon
2. Client request
3. Application certificate
4. Authentication Request
5. Check for revocation
6. Directory attribute check
7. Credential cache
8. Application request
9. Service response

Page 12: Web Services Security Requirements

Example 2: Engineering Drawing Application (EDA)

- Supports engineering drawings and parts lists
- Total database size = 1.5TB, About 15M documents, Average document size = 100KB
- Query to retrieval time < 2 seconds
- Supports 1500 concurrent users, average of 1000 TPM, peak of 2000 TPM
- Currently undergoing an expansion and conversion to web services

Page 13: Web Services Security Requirements

EDA Architecture

[Diagram. Components: Internet, Intranet, User (two), Load Bal, HTTP Server, Web Server, EJB Container, Datastore Manager, New Datastore, Legacy Datastore, Other systems and data. Labels: SOAP Messages; For web pages; For SOAP objects.]

Page 14: Web Services Security Requirements

EDA Needed Security

[Diagram. Components: Internet, Intranet, User (two), Load Bal, HTTP Server, Web Server, EJB Container, Datastore Manager, New Datastore, Legacy Datastore, Other systems and data. Security labels on the diagram, in the order extracted:]

- Enterprise protection
- Confidentiality
- User authentication
- Service resource protection
- Access control
- Application authentication
- Confidentiality
- Message integrity
- Audit trail
- Signature
- User authentication

Page 15: Web Services Security Requirements

EDA Existing Security

[Diagram. Components: Internet, Intranet, User (two), Firewall, Rev Proxy, Load Bal, HTTP Server, Web Server, EJB Container, Directory based Authentication And access Control Service, Datastore Manager, New Datastore, Legacy Datastore, Other systems and data.]

Page 16: Web Services Security Requirements

Centralized Parts Inventory (CPI)

- Descriptions of parts
- Current parts stock level information
- Originally a collection of disparate web sites linked to different databases
- In the process of being converted to a centralized service that provides a common look and feel and navigation services

Page 17: Web Services Security Requirements

CPI Architecture

[Diagram. Components: Navigation Services; Common Look And Feel Services; Object Database; Access Rules Database; Parts Descriptions with Descriptions Access Rules and Descr. Obj 1, Descr. Obj 2, … Descr. Obj n; Parts Inventory Status with Inventory Access Rules and Inv. Obj 1, Inv. Obj 2, … Inv. Obj n.]

Page 18: Web Services Security Requirements

CPI Needed Security

[Diagram. Components: Navigation Services; Common Look And Feel Services; Object Database; Access Rules Database; Parts Descriptions with Descriptions Access Rules and Descr. Obj 1, Descr. Obj 2, … Descr. Obj n; Parts Inventory Status with Inventory Access Rules and Inv. Obj 1, Inv. Obj 2, … Inv. Obj n. Security labels on the diagram:]

- Enterprise protection
- User authentication
- User Authorization
- Confidentiality
- Message integrity
- Audit trail
- Signature
- Application access control

Page 19: Web Services Security Requirements

CPI Existing Security

[Diagram. Components: Navigation Services; Common Look And Feel Services; Object Database; Access Rules Database; Parts Descriptions with Descriptions Access Rules and Descr. Obj 1, Descr. Obj 2, … Descr. Obj n; Parts Inventory Status with Inventory Access Rules and Inv. Obj 1, Inv. Obj 2, … Inv. Obj n; Directory and Certificate based Authentication And access Control Service; Perimeter Services.]

Page 20: Web Services Security Requirements

Conclusions

- We need data protection for web services messages
  - SSL/TLS is insufficient because it only provides integrity at the packet level, not at the XML message level
- We need interoperable, multivendor solutions
- Security solutions need to integrate with existing security technologies
- Security solutions must work between enterprises as well as within them
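
Added example, not from the original slides: a message-level integrity check of the kind the conclusion calls for, combining the signature, timestamp and replay-resistance requirements from page 3 so that protection survives an intermediary that terminates TLS. It uses an HMAC over a canonical JSON envelope as a stand-in for an XML signature; a shared-secret MAC gives integrity but not non-repudiation, which needs an asymmetric signature. The key, the 300-second window and all function and class names are assumptions made for illustration.

```python
import hashlib, hmac, json, time, uuid

SHARED_KEY = b"constructed-demo-key"  # assumption: secret pre-shared by the two services
MAX_SKEW = 300                        # assumption: accept messages within 5 minutes


def compute_mac(env, key):
    # Canonical form (sorted keys, no whitespace) so both ends hash identical bytes
    # even if a broker re-serialises the envelope in transit.
    signed = {k: env.get(k) for k in ("body", "timestamp", "nonce")}
    data = json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_message(body, key=SHARED_KEY, now=None):
    """Wrap body with a timestamp and a nonce, then MAC all three together."""
    env = {"body": body,
           "timestamp": int(time.time() if now is None else now),
           "nonce": uuid.uuid4().hex}
    env["mac"] = compute_mac(env, key)
    return env


class Verifier:
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.seen = {}    # nonce -> timestamp, kept only for the replay window
        self.audit = []   # audit trail: one record per accept/reject decision

    def verify(self, env, now=None):
        now = time.time() if now is None else now
        sent = str(env.get("mac", "")).encode()
        if not hmac.compare_digest(sent, compute_mac(env, self.key).encode()):
            result = "rejected: integrity"
        elif abs(now - env["timestamp"]) > MAX_SKEW:
            result = "rejected: stale timestamp"
        elif env["nonce"] in self.seen:
            result = "rejected: replay"
        else:
            self.seen[env["nonce"]] = env["timestamp"]
            result = "accepted"
        # Nonces older than the window can be dropped: the timestamp check rejects them.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        self.audit.append({"nonce": env.get("nonce"), "time": int(now), "result": result})
        return result
```

Because the MAC covers the message rather than the connection, a copy that has been re-serialised by a broker still verifies, while a modified body, an old timestamp or a repeated nonce is rejected and recorded in the audit list.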