Slide 1 - SOURCE Conference
Transcript

  • 1. SOA Security SOURCE Boston 2008 Eugene Kuznetsov [email_address]
  • 2. Agenda
    • Brief intro to XML/WebServices/SOA
      • Terms
      • Why?
      • Standards
    • XML threats
    • Secure enablement
      • Validation
      • Encryption, digital signature
      • Identity management & FIM
      • Deployment of SOA security technology
    • A broader view
      • Positive security model
      • Message-level security
    • Conclusion
  • 3. Some Terms
    • XML (eXtensible Markup Language)
      • text-based data encoding standard, a relative of SGML & HTML
      • <foo><id>201</id><name>bar</name></foo>
      • Unicode & legacy character encoding support
    • SOAP
      • Standard for using XML-encoded messages in server-to-server communication
    • Web services (WS)
    • WS-* (“WS-star” or “WS-splat”)
    • SOA (Service Oriented Architecture)
    • Resources:
      • http://www.w3.org/XML/
      • http://www.w3.org/TR/soap/
      • http://www.oasis-open.org/specs/index.php#wssv1.1
  • 4. Why care about SOA Security?
    • Meant to ease connecting applications
    • Every new technology creates new security concerns
    • Often used to connect critical, back-end applications
    • Not addressed by existing packet-level security infrastructure
    • Increasingly included in larger software packages and services
    • Complex processing model
    • New compliance or regulatory environments
    • More than one part of an organization has to be involved
    • Presents some opportunities for improved security
    “Implementation of Microsoft SOAP, a protocol running over HTTP precisely so it could bypass firewalls, should be withdrawn. According to the Microsoft documentation: ‘Since SOAP relies on HTTP as the transport mechanism, and most firewalls allow HTTP to pass through, you'll have no problem invoking SOAP endpoints from either side of a firewall.’” – Bruce Schneier, circa 2000
  • 5. Key Specs & Standards
    • Foundation
      • XML
      • SOAP
      • XPath/XSLT
      • XSD (XML Schema)
    • Security Building Blocks
      • XML Digital Signature
      • XML Encryption
    • Upper-Layer Protocols/Standards
      • WS-Security
      • WS-Trust
      • WS-SecureConversation
      • XKMS
      • SAML
      • XACML
      • WS-Policy and WS-SecurityPolicy
  • 6. Web Service Message Layout
    (diagram: the message stack from the wire up; layers labelled IP, HTTP, SOAP Envelope, SOAP Headers (WS-Security, SAML token) and SOAP Body; encoding column labelled Binary, Text, XML/Text)
  • 7. Some XML Threats
    • XML Entity Expansion and Recursion Attacks
    • XML Document Size Attacks
    • XML Document Width Attacks
    • XML Document Depth Attacks
    • XML Wellformedness-based Parser Attacks
    • Jumbo Payloads
    • Recursive Elements
    • MegaTags – aka Jumbo Tag Names
    • Public Key DoS
    • XML Flood
    • Resource Hijack
    • Dictionary Attack
    • Message Tampering
    • Data Tampering
    • Message Snooping
    • XPath Injection
    • SQL injection
    • WSDL Enumeration
    • Routing Detour
    • Schema Poisoning
    • Malicious Morphing
    • Malicious Include – also called XML External Entity (XXE) Attack
    • Memory Space Breach
    • XML Encapsulation
    • XML Virus
    • Falsified Message
    • Replay Attack
  • 8. Attacks on WS Engine itself
    • Memory barrier breach
      • Buffer overruns
    • XDoS
      • Single-message (incl. crypto)
      • Multimessage
      • Asymmetry of XML processing
    • Field injection
      • Automarshalling
    • External reference attacks
      • Filesystem
      • Internal network
      • External network
    (diagram: “XDoS Impact on Server Resources”, two resources-vs-time plots; captions: “Requests overwhelm system resources” and “Faster detection allows system to resist attack”)
  • 9. XML-SOA Validation
    • 3 major categories:
    • Well-formedness checking (generic)
      • Is this XML-encoded data?
    • Protocol validation (generic)
      • Is this SOAP?
    • Schema validation (application-specific)
      • Does structure of XML document match our expectation?
      • Does its data conform to data types and constraints?
      • Specs: DTD, XML Schema, WSDL, RELAX-NG, Schematron
    • Most of the information created as side-effect of app development
    • Key take-away: can validate content of app-specific PDU on the wire
    (diagram: Server/App exchanging an <xml> … message with Server/App)
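The following is an added example, not part of the slides: a structural pre-check of the kind an XML gateway applies before a message reaches the application parser. It covers the size, width, depth and jumbo-tag-name threats of slides 7 and 8, removes entity expansion/recursion and external entities by refusing any DOCTYPE, and performs the first two validation categories of slide 9 (well-formedness and “is this SOAP?”). It uses only the Python standard library; the `XmlLimits` class, its default numbers, `inspect_xml` and `is_soap11_envelope` are all hypothetical names and values chosen for this example, and the sample messages are constructed, not captured traffic.

```python
import xml.parsers.expat

SOAP11_ENVELOPE_NS = "http://schemas.xmlsoap.org/soap/envelope/"


class XmlLimitViolation(Exception):
    """Raised inside an expat callback to stop parsing at the first violation."""


class XmlLimits:
    """Hypothetical gateway limits; the default numbers are illustrative, not a recommendation."""

    def __init__(self, max_bytes=1_000_000, max_depth=32, max_children=1000, max_name_len=256):
        self.max_bytes = max_bytes            # document size
        self.max_depth = max_depth            # document depth (nesting)
        self.max_children = max_children      # document width (children of one element)
        self.max_name_len = max_name_len      # jumbo tag names ("MegaTags")


class XmlCheckResult:
    def __init__(self, ok, reason=None, root=None, elements=0, max_depth=0):
        self.ok, self.reason, self.root = ok, reason, root
        self.elements, self.max_depth = elements, max_depth


def inspect_xml(data, limits=XmlLimits()):
    """Well-formedness plus structural limits. Any DOCTYPE is rejected outright, which takes
    entity expansion/recursion and external entities (XXE) off the table before the parser
    reaches them. Returns an XmlCheckResult; never raises."""
    if len(data) > limits.max_bytes:
        return XmlCheckResult(False, f"size {len(data)} exceeds limit {limits.max_bytes}")

    # With namespace_separator=" " element names arrive as "<namespace URI> <local name>".
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    stack = []                                   # one child counter per open element
    stats = {"root": None, "elements": 0, "max_depth": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise XmlLimitViolation("DOCTYPE not allowed (entity expansion / external entities)")

    def on_start(name, attrs):
        local = name.rsplit(" ", 1)[-1]          # length limit applies to the local name
        if len(local) > limits.max_name_len:
            raise XmlLimitViolation(f"element name length {len(local)} exceeds limit {limits.max_name_len}")
        if stack:
            stack[-1] += 1
            if stack[-1] > limits.max_children:
                raise XmlLimitViolation(f"more than {limits.max_children} children under one element")
        else:
            stats["root"] = name
        stack.append(0)
        if len(stack) > limits.max_depth:
            raise XmlLimitViolation(f"nesting depth {len(stack)} exceeds limit {limits.max_depth}")
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], len(stack))

    def on_end(name):
        stack.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)                 # exceptions raised in handlers propagate here
    except XmlLimitViolation as exc:
        reason = str(exc)
    except xml.parsers.expat.ExpatError as exc:
        reason = f"not well-formed: {exc}"
    else:
        reason = None
    return XmlCheckResult(reason is None, reason, stats["root"], stats["elements"], stats["max_depth"])


def is_soap11_envelope(result):
    """Protocol validation: is this SOAP 1.1 at all (root is Envelope in the SOAP 1.1 namespace)?"""
    return result.ok and result.root == f"{SOAP11_ENVELOPE_NS} Envelope"


# Constructed sample messages (not captured traffic).
SAMPLE_SOAP = (b'<?xml version="1.0"?>'
               b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
               b'<soap:Body><foo><id>201</id><name>bar</name></foo></soap:Body></soap:Envelope>')
SAMPLE_DEEP = b"<a>" * 40 + b"</a>" * 40          # exceeds the default depth limit of 32
SAMPLE_DTD = b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
SAMPLE_WIDE = b"<r>" + b"<c/>" * 5 + b"</r>"

if __name__ == "__main__":
    for label, doc in [("soap", SAMPLE_SOAP), ("deep", SAMPLE_DEEP), ("dtd", SAMPLE_DTD)]:
        r = inspect_xml(doc)
        print(label, "ok" if r.ok else f"rejected: {r.reason}")
```

The check is deliberately generic: it needs no knowledge of the application, which is why a gateway can apply it to every service it fronts. Schema validation (the third category on slide 9) is the application-specific step that follows once a message has passed these limits.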
  • 10. XML Crypto
    • XML Encryption
      • Encrypt: select, crypt
      • Decrypt: select, decrypt
    • XML Digital Signature
      • Sign: select, transform, canonicalize, hash, crypt
      • Verify: select, transform, canonicalize, hash, crypt, compare
    • Resources:
      • http://www.w3.org/TR/xmldsig-core/
      • http://www.w3.org/TR/xmlenc-core/
    • Key takeaway: can sign, verify, encrypt, decrypt messages or portions of messages using a well-specified, interoperable standard
  • 11. XML Signature Example
    <?xml version="1.0" encoding="UTF-8" ?>
    <Envelope xmlns="urn:envelope">
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1" />
          <Reference URI="">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>uooqbWYa5VCqcJCbuymBKqm17vY=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>KedJuTob5gtvYx9qM3k3gm7kbLBwVbEQRl26S2tmXjqNND7MRGtoew==</SignatureValue>
        <KeyInfo>
          <KeyValue>
            <DSAKeyValue>
              <P>/KaCzo4Syrom78z3EQ5SbbB4sF7ey80etKII864WF64B81uRpH5t9jQTxeEu0ImbzRMqzVDZkVG9xD7nN1kuFw==</P>
              <Q>li7dzDacuo67Jg7mtqEm2TRuOMU=</Q>
              <G>Z4Rxsnqc9E7pGknFFH2xqaryRPBaQ01khpMdLRQnG541Awtx/XPaF5Bpsy4pNWMOHCBiNU0NogpsQW5QvnlMpA==</G>
              <Y>qV38IqrWJG0V/mZQvRVi1OHw9Zj84nDC4jO8P0axi1gb6d+475yhMjSc/BrIVC58W3ydbkK+Ri4OKbaRZlYeRA==</Y>
            </DSAKeyValue>
          </KeyValue>
        </KeyInfo>
      </Signature>
    </Envelope>
    https://java.sun.com/webservices/docs/2.0/tutorial/doc/XMLDigitalSignatureAPI7.html
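As an added example (not from the slides or the Java tutorial linked above), the sign and verify pipelines of slide 10 (select, transform, canonicalize, hash, crypt; then the same plus compare) are carried through in the enveloped-signature shape of slide 11, using only the Python standard library. Every simplification is an assumption of this example: HMAC-SHA256 with a shared key stands in for DSA-SHA1, ElementTree's C14N 2.0 stands in for the 2001 canonicalization, the `Algorithm` values are `example:` placeholders rather than real identifiers, KeyInfo is omitted, and the sample envelope and key are constructed.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DSIG_NS)


def _ds(tag):
    return f"{{{DSIG_NS}}}{tag}"


def canonical_bytes(elem):
    """Canonicalize a subtree: attribute order, namespace declarations and similar
    cosmetic variation must not change the bytes that get hashed or signed."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), with_comments=False).encode("utf-8")


def digest_b64(elem):
    """Hash step: base64 SHA-256 over the canonical form (the DigestValue of a Reference)."""
    return base64.b64encode(hashlib.sha256(canonical_bytes(elem)).digest()).decode("ascii")


def sign_envelope(envelope_xml, key):
    """Sign: select, transform, canonicalize, hash, crypt."""
    root = ET.fromstring(envelope_xml)
    # select: URI="" refers to the whole document; transform: the enveloped-signature
    # transform excludes the Signature element, which is exactly the tree held here,
    # before the signature is appended.
    signed_info = ET.Element(_ds("SignedInfo"))
    ET.SubElement(signed_info, _ds("CanonicalizationMethod"), Algorithm="example:c14n-2.0")
    ET.SubElement(signed_info, _ds("SignatureMethod"), Algorithm="example:hmac-sha256")
    ref = ET.SubElement(signed_info, _ds("Reference"), URI="")
    ET.SubElement(ref, _ds("Transform"), Algorithm="example:enveloped-signature")
    ET.SubElement(ref, _ds("DigestMethod"), Algorithm="example:sha256")
    ET.SubElement(ref, _ds("DigestValue")).text = digest_b64(root)
    # crypt: the signature is computed over canonical SignedInfo, which carries the digest;
    # the body is bound to the signature through that digest, not signed directly.
    mac = hmac.new(key, canonical_bytes(signed_info), hashlib.sha256).digest()
    sig = ET.SubElement(root, _ds("Signature"))
    sig.append(signed_info)
    ET.SubElement(sig, _ds("SignatureValue")).text = base64.b64encode(mac).decode("ascii")
    return ET.tostring(root, encoding="unicode")


def verify_envelope(signed_xml, key):
    """Verify: select, transform, canonicalize, hash, crypt, compare. Returns True or False."""
    try:
        root = ET.fromstring(signed_xml)
    except ET.ParseError:
        return False
    sig = root.find(_ds("Signature"))
    if sig is None:
        return False
    signed_info = sig.find(_ds("SignedInfo"))
    sig_value = sig.findtext(_ds("SignatureValue"))
    if signed_info is None or not sig_value:
        return False
    try:
        claimed_mac = base64.b64decode(sig_value, validate=True)
    except ValueError:
        return False
    # crypt + compare over SignedInfo first: only then is the digest inside it trustworthy.
    expected_mac = hmac.new(key, canonical_bytes(signed_info), hashlib.sha256).digest()
    if not hmac.compare_digest(claimed_mac, expected_mac):
        return False
    # transform (enveloped-signature): drop the Signature, then hash and compare the digest.
    root.remove(sig)
    claimed_digest = signed_info.findtext(_ds("Reference") + "/" + _ds("DigestValue")) or ""
    return hmac.compare_digest(digest_b64(root).encode("ascii"), claimed_digest.encode("ascii"))


# Constructed sample (no whitespace between elements, so tails do not affect canonicalization).
SAMPLE_ENVELOPE = "<Envelope><Body><foo><id>201</id><name>bar</name></foo></Body></Envelope>"
DEMO_KEY = b"constructed-demo-key"   # shared secret for the HMAC stand-in; not a real key

if __name__ == "__main__":
    signed = sign_envelope(SAMPLE_ENVELOPE, DEMO_KEY)
    print(signed)
    print("valid:", verify_envelope(signed, DEMO_KEY))
    print("tampered:", verify_envelope(signed.replace("<id>201</id>", "<id>999</id>"), DEMO_KEY))
```

Two points the code makes visible: the signature value covers SignedInfo, so body tampering is caught by the digest comparison rather than by the signature check itself, and the verifier checks SignedInfo before trusting the digest it contains. A production verifier must additionally confirm that the element the Reference resolves to is the element the application will actually act on, and must restrict the accepted algorithms and transforms to a known-good list.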
  • 12. (Federated) Identity Management
    • Uniquely intertwined
    • Federated identity standards use Web services (XML) protocols
    • Secure SOA and Web services require identity
    • Rebuilding enterprise identity management architecture the SOA way
    • SOA governance requires identity
    • However, the federated identity management and web services security problems are not the same
  • 13. Access Control With Federated Identity Protocols
    (diagram: XML-protocol-enabled applications (HR portal, Expense App, Support App, CRM, Travel Desk, Quote App) across Server #1 and Server #2, exchanging access control information over the XML protocol)
  • 14. Federated Identity
    • Uses lessons from US federal system and application integration
    • Optionally decentralized model
    • XML formats for representing identity and attribute information
    • Set of open XML protocols for requests and responses for access control information
    • One or more access control servers
    • Enable applications by
      • Use of open web services protocols
      • Optional use of utility toolkits / APIs
    • Communication between enabled app and server is via open web services wire protocol
    • Resources:
      • http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security#samlv20
      • http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html
  • 15. XML Security Gateways / XML Firewalls
    • XML (WS) Security Gateway is superset, includes XML Firewall
    • XML Firewall: XML threat protection, filtering
    • WS-Security, WS-Trust, digital signature, encryption
    • Fine-grained access control & security policy enforcement point
    • Service level management
    • Service virtualization
    • Resources:
      • http://www.ibm.com/software/integration/datapower/
  • 16. SOA Security Deployment
    (diagram: XML-protocol-enabled application, Web Service #1, Web Service #2, Access Control (IM) Server, UDDI Registry, Service Level Monitoring & Management Server. Not pictured: PKI server, log server, datacenter mgmt, etc.)
  • 17. From Packets to Messages
    • “Packet-level” security: filter and control IP packets
    • Limitations
      • Transition from perimeter to perimeter-less world
      • Network application security
    • Partial protocol parsing, attack signatures, learning mode, etc.
    • Most applications care about “messages”, not packets
    • To secure an app, must know valid inputs and outputs for the app
    • “Known-good”, “positive” security model
    • 5000 apps → 5000 configurations
    • Data-centric security, protecting the actual data and documents
    • Basic technology has been there long before SOA/XML
  • 18. Message-Level Security
    • Enabled by software industry’s shift to XML Web Services
    • Mature standards
      • WSDL
      • XML Schema
      • XPath
      • WS-Security
      • SAML
    • Creates new capabilities and features for apps (not just for security)
    • Application-specific wire protocols documented in machine-readable, declarative style
    • Security context bound to message
    • Standard policy language
    • A network device can now instantly “grok” a custom application
    • End of manual configuration → positive security model
  • 19. Summary
    • To first order, XML=SOAP=WebServices~SOA
    • Why SOA security matters
    • XML threats
    • Security building blocks
    • Federated identity
    • Web services security gateways
    • Message-level security