1	Securing Web Services NEISG – June 16, 2005
2	What are Web Services? Gartner defines Web Services as: “… Modular business services with each module fully implemented in software and delivered over the Internet. The modules can be combined, can come from any source, and can eventually be acquired dynamically and without human intervention, when needed.” On a slightly more technical level, Web Services are a “reinvention” of the distributed computing paradigm using existing Internet infrastructure, protocols, and information formats for data and logic transfer
3	What are Web Services? From a more technical perspective… Web Services involve the exchange of SOAP (or XML) messages between applications over a network Web Services standards are defined by W3C and Oasis SOAP (Simple Object Access Protocol) UDDI (Universal Description, Discovery, and Integration) Security Web Services are used for server to server messaging
4	Portal and Process Applications
5	How are Web Services Used?
6	Key Web Services security concerns Bypasses standard security implementations (allowed through firewalls) Requires data protection (confidentiality) XML is human- and machine-readable Increases need for strong authentication Lacks tested interoperability Subject to DoS attacks
7	How can Web Services be secured? Prevent DoS attacks with perimeter defenses WS-Security Standard provides the means for the application to secure the sensitive data within the SOAP/XML message Messages must be secured from origin to destination, not secured or stripped at the firewall level!
8	WS-Security Defines security mechanisms for SOAP messages Integral part of all Web Services Provides for digital signature, encryption, and authentication
9	WS-Security Digital Signature support Used to validate identity and support non-repudiation Standard dsig algorithms (HMAC-SHA1, RSA-SHA1, etc) Enveloped, Enveloping, and Detached signatures Encryption support AES, 3DES, RC4 Authentication support X509v3, Username/Password, SAML Token, Kerberos Ticket
10	Key Web Services Security Standards Various standards attempt to address these issues: XML DSig (W3C/IETF) - XML message authentication and integrity XML Enc (W3C) - XML message privacy SAML (OASIS) - Trusted security assertions Web Services Security (OASIS) - SOAP encryption signing and authentication XKMS (W3C) –Public key registration and validation
11	DEMO – Securing a SOAP Message Signing, Encrypting, and adding Authorization
12	Using an XML firewall XML/SOAP firewalls inspect messages and (sometimes) modify them Great for validation, authorization (stops DoS attacks) Can strip all WS-Security information before it gets to the service Should not be used to remove security info – only inspect! Messages must have guaranteed security from end-to-end Risk of exposing sensitive information within your network As we all know >70% of data theft is an inside job….
13	Using application platforms with WS-Security WS-Security functions are being built into application platforms BEA Weblogix IBM WebSphere Microsoft WSE (Web Service Enhancements) for .NET Interoperability issues! All of the above platforms have known interoperability issues with each other and/or the WS-Security standards* Not an issue for internal, homogeneous environments….until a service is exposed to a business partner, customer, or the ‘net What about WS-Federation vs. SAML? RSA toolkit has interoperability modes, successful interoperability
14	Building WS-Security into the application Applications should control what information is secured Data to be secured should be decided at the application layer Business (and customer) demands drive functions and security needs Firewalls can be used to provide “minimum standards” for security Use of “vendor neutral” toolkits can provide greater flexibility and interoperability
15	Authentication in WS-Security Authentication Tokens are used to specify identity of message sender Support for X.509v3 certificates, username/password, SAML tokens, Kerberos Not all platforms support all token types X509 and username/password most widely supported SAML gaining adoption
16	Using Federated Identity with WS-Security SAML Assertion can be converted to SAML token Allows sites with SAML support to validate user externally Receiving service can request revalidation
17	Example Use Case User logs into service provider, and is validated against the database. If validated, a SAML assertion is created for that user The user goes to a service provider portal page, and clicks on “show my shipped orders”, which will cause the portal page to issue web services requests to partners which support this function The web services messages are created using SWS-J to add the SAML token , sign the SOAP message, and encrypt any sensitive data The partner site receives the message, and can identify the user from the assertion
18	Business Benefits Leverage the federation infrastructure for both Web and Web services based applications Pre-built WS-security toolkit reduces time to implement standards-based web services Ongoing development insures standards compatibility going forward Increase technologies supported to be able to support more partners
19	Useful links SOAP - http://www.w3.org/TR/soap/ WS-Security - http://www.oasis-open.org Web Services - http://webservices.sys-con.com