Web Services Security Requirements
Stephen T. Whitlock
Security Architect
Boeing
Outline
- Disclaimer
  - Requirements are from a user perspective to cover the use of web services in our environment
  - Some of these requirements are met by existing technologies
- Requirements
  - WS data/transaction/orchestration
  - Infrastructure
  - General
- Examples
WS Transaction/Orchestration Protection Requirements
- Data protection
  - Integrity
  - Confidentiality
  - Privacy support
- Attack resistant to
  - Replay attacks
  - Person in the middle attacks
  - Orchestration hijacking
- Evidence to support non-repudiation
  - Signature
  - Timestamp
  - Audit trail
Infrastructure Protection Requirements
- Transport
  - Integrity
  - Confidentiality
- Authentication
  - Multiple mechanisms – certificates, shared secrets, Kerberos/AD
  - Application authentication
  - User authentication
- Access control
  - Multiple mechanisms – RBAC, directory based
  - Credential propagation
  - Credential caching
  - Transaction level granularity – resource or application access authorized separately from individual transaction authorization
More Infrastructure Protection Requirements
- Resource protection
  - Server and network isolation
  - Server resource control
  - Network bandwidth control
- Centralized policy administration
  - Provisioning
  - Access control
  - Auditing
  - Monitoring
General Requirements
- User transparent (AMAP)
- Standards based
  - Vendor neutral
  - Interoperable – no proprietary value-added extensions
  - IPR Free
- Compatible with existing security technology
  - VPNs – IPSec, TLS
  - PKI
  - LDAP
- Performance
  - Support for real time applications
- Reliable
  - Redundancy
- Extensible
- Development environment that enables and promotes the creation of secure web services
Future Requirements
- Secure context passing between different web services
- Pass a security context through an integration broker including support for:
  - End to end access
  - The ability to switch between environments such as J2EE and .NET
Example 1: Web Single Sign On (WSSO) based end to end security
- WSSO accepts user credentials
  - Account, password, X.509 certificate
- Front end to multiple applications
- Using the same approach to provide web service to web service application security
WSSO – Desired Service
[Diagram: a requesting web service sends a request to Service 1. Numbered flow: 1. Client request; 2. Application request; 3. Service response.]
WSSO – Needed Security
[Diagram: the request from the requesting web service to Service 1, annotated with the security needed: service protection, access control, user authentication, enterprise protection, application authentication, confidentiality, message integrity, audit trail, signature.]
WSSO – Existing Security
[Diagram: requesting web service, Service 1, Authentication Service, Validation Service and Directory, connected over SSL/TLS inside a perimeter to protect the application. Numbered flow: 1. Client logon; 2. Client request; 3. Application certificate; 4. Authentication request; 5. Check for revocation; 6. Directory attribute check; 7. Credential cache; 8. Application request; 9. Service response.]
Example 2: Engineering Drawing Application (EDA)
- Supports engineering drawings and parts lists
- Total database size = 1.5TB, about 15M documents, average document size = 100KB
- Query to retrieval time < 2 seconds
- Supports 1500 concurrent users, average of 1000 TPM, peak of 2000 TPM
- Currently undergoing an expansion and conversion to web services
EDA Architecture
[Diagram: users on the Internet and the intranet reach a Load Bal, an HTTP Server / Web Server (for web pages) and an EJB Container (for SOAP objects, via SOAP messages). A Datastore Manager connects these to the New Datastore, the Legacy Datastore, and other systems and data.]
EDA Needed Security
[Diagram: the EDA Architecture diagram annotated with the security needed: enterprise protection, confidentiality, user authentication, service resource protection, access control, application authentication, message integrity, audit trail, signature.]
EDA Existing Security
[Diagram: the EDA Architecture diagram with the existing controls added: Firewall, Rev Proxy, Load Bal, and a directory based authentication and access control service.]
Centralized Parts Inventory (CPI)
- Descriptions of parts
- Current parts stock level information
- Originally a collection of disparate web sites linked to different databases
- In the process of being converted to a centralized service that provides a common look and feel and navigation services
CPI Architecture
[Diagram: Navigation Services and Common Look And Feel Services in front of an Object Database and an Access Rules Database. Parts Descriptions (Descr. Obj 1, 2, … n) are governed by Descriptions Access Rules; Parts Inventory Status (Inv. Obj 1, 2, … n) is governed by Inventory Access Rules.]
CPI Needed Security
[Diagram: the CPI Architecture diagram annotated with the security needed: enterprise protection, user authentication, user authorization, confidentiality, message integrity, audit trail, signature, application access control.]
CPI Existing Security
[Diagram: the CPI Architecture diagram with the existing controls added: a directory and certificate based authentication and access control service, and perimeter services.]
Conclusions
- We need data protection for web services messages
  - SSL/TLS is insufficient because it only provides integrity at the packet level, not at the XML message level
- We need interoperable, multivendor solutions
- Security solutions need to integrate with existing security technologies
- Security solutions must work between enterprises as well as within them
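
The conclusion above asks for integrity on the message itself rather than only on the TLS connection, and the transaction requirements ask for replay resistance, a timestamp and an audit trail. The following Python sketch is an added example, not part of the original slides: it uses an HMAC with a shared secret over a JSON envelope as a stand-in for an XML signature (so it shows integrity and replay detection, not non-repudiation), and the names `protect`, `Verifier`, `MAX_SKEW` and `demo` are assumptions.

```python
import hashlib
import hmac
import json

MAX_SKEW = 300  # seconds a message stays acceptable (assumed policy value)

def _mac(key: bytes, env: dict) -> str:
    # Canonical form: sorted keys, no whitespace, the MAC field itself excluded.
    covered = {k: v for k, v in env.items() if k != "mac"}
    data = json.dumps(covered, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def protect(key: bytes, sender: str, body: dict, now: float, nonce: str) -> dict:
    # The MAC covers sender, timestamp, nonce and body, not just the body.
    env = {"sender": sender, "ts": int(now), "nonce": nonce, "body": body}
    env["mac"] = _mac(key, env)
    return env

class Verifier:
    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}   # nonce -> message timestamp, kept for the freshness window
        self.audit = []  # (check time, claimed sender, verdict)

    def check(self, env: dict, now: float) -> str:
        # Every decision, accepted or not, is written to the audit trail.
        verdict = self._verdict(env, now)
        self.audit.append((int(now), env.get("sender"), verdict))
        return verdict

    def _verdict(self, env: dict, now: float) -> str:
        mac = str(env.get("mac", "")).encode()
        if not hmac.compare_digest(mac, _mac(self.key, env).encode()):
            return "rejected: integrity"
        if abs(now - env["ts"]) > MAX_SKEW:
            return "rejected: stale"
        # Drop nonces old enough that the freshness check already rejects them.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if env["nonce"] in self.seen:
            return "rejected: replay"
        self.seen[env["nonce"]] = env["ts"]
        return "accepted"

def demo() -> list:
    key = b"constructed-shared-secret"  # all sample values here are constructed
    v = Verifier(key)
    env = protect(key, "requesting-service", {"part": "A-100", "qty": 2}, 1000, "n1")
    forged = dict(env, body={"part": "A-100", "qty": 200})  # changed past the TLS hop
    return [v.check(env, 1010), v.check(env, 1020), v.check(forged, 1030)]
```

Because the check runs on the envelope rather than on the connection, it gives the same verdict no matter how many TLS-terminating hops the message crossed before reaching the service.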