SOA Security - SOURCE Boston 2008 - Eugene Kuznetsov [email_address]
Slide 2: Agenda

- Brief intro to XML/WebServices/SOA
  - Terms
  - Why?
  - Standards
- XML threats
- Secure enablement
  - Validation
  - Encryption, digital signature
  - Identity management & FIM
  - Deployment of SOA security technology
- A broader view
  - Positive security model
  - Message-level security
- Conclusion
Slide 3: Some Terms

- XML (eXtensible Markup Language)
  - text-based data encoding standard, a relative of SGML & HTML
  - <foo><id>201</id><name>bar</name></foo>
  - Unicode & legacy character encoding support
- SOAP
  - Standard for using XML-encoded messages in server-to-server communication
- Web services (WS)
- WS-* ("WS-star" or "WS-splat")
- SOA (Service Oriented Architecture)
- Resources:
  - http://www.w3.org/XML/
  - http://www.w3.org/TR/soap/
  - http://www.oasis-open.org/specs/index.php#wssv1.1
Slide 4: Why care about SOA Security?

- Meant to ease connecting applications
- Every new technology creates new security concerns
- Often used to connect critical, back-end applications
- Not addressed by existing packet-level security infrastructure
- Increasingly included in larger software packages and services
- Complex processing model
- New compliance or regulatory environments
- More than one part of an organization has to be involved
- Presents some opportunities for improved security

"Implementation of Microsoft SOAP, a protocol running over HTTP precisely so it could bypass firewalls, should be withdrawn. According to the Microsoft documentation: 'Since SOAP relies on HTTP as the transport mechanism, and most firewalls allow HTTP to pass through, you'll have no problem invoking SOAP endpoints from either side of a firewall.'" – Bruce Schneier, circa 2000
Slide 5: Key Specs & Standards

- Foundation
  - XML
  - SOAP
  - XPath/XSLT
  - XSD (XML Schema)
- Security Building Blocks
  - XML Digital Signature
  - XML Encryption
- Upper-Layer Protocols/Standards
  - WS-Security
  - WS-Trust
  - WS-SecureConversation
  - XKMS
  - SAML
  - XACML
  - WS-Policy and WS-SecurityPolicy
Slide 6: Web Service Message Layout

[Diagram: layered message stack, from IP (binary) through HTTP (text) to the SOAP Envelope (XML/text); the SOAP Headers carry WS-Security and a SAML token, followed by the SOAP Body]
Slide 7: Some XML Threats

- XML Entity Expansion and Recursion Attacks
- XML Document Size Attacks
- XML Document Width Attacks
- XML Document Depth Attacks
- XML Wellformedness-based Parser Attacks
- Jumbo Payloads
- Recursive Elements
- MegaTags – aka Jumbo Tag Names
- Public Key DoS
- XML Flood
- Resource Hijack
- Dictionary Attack
- Message Tampering
- Data Tampering
- Message Snooping
- XPath Injection
- SQL injection
- WSDL Enumeration
- Routing Detour
- Schema Poisoning
- Malicious Morphing
- Malicious Include – also called XML External Entity (XXE) Attack
- Memory Space Breach
- XML Encapsulation
- XML Virus
- Falsified Message
- Replay Attack
Slide 8: Attacks on WS Engine itself

- Memory barrier breach
  - Buffer overruns
- XDoS
  - Single-message (incl. crypto)
  - Multimessage
  - Asymmetry of XML processing
- Field injection
  - Automarshalling
- External reference attacks
  - Filesystem
  - Internal network
  - External network

[Chart: XDoS impact on server resources over time; requests overwhelm system resources, and faster detection allows the system to resist the attack]
Slide 9: XML-SOA Validation

- 3 major categories:
- Well-formedness checking (generic)
  - Is this XML-encoded data?
- Protocol validation (generic)
  - Is this SOAP?
- Schema validation (application-specific)
  - Does structure of XML document match our expectation?
  - Does its data conform to data types and constraints?
  - Specs: DTD, XML Schema, WSDL, RELAX-NG, Schematron
- Most of the information created as side-effect of app development
- Key take-away: can validate content of app-specific PDU on the wire

[Diagram: an <xml> message passing between two server applications]
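The generic checks from slides 7 through 9 (well-formedness plus limits on size, depth, width, tag-name length, and refusal of any DTD, which is what entity expansion and XXE both depend on) can be done in one streaming pass before a message reaches the application parser. This is an added example using Python's stdlib expat binding, not code from the talk; the limit values and the sample messages are constructed for illustration.

```python
import xml.parsers.expat

class XmlThreatError(ValueError):
    """Message rejected by the size/shape checks."""

def check_xml_message(data: bytes, max_bytes=1_000_000, max_depth=32,
                      max_children=1000, max_name_len=64) -> dict:
    """Well-formedness check plus structural limits; returns stats if accepted."""
    if len(data) > max_bytes:                              # document size attack
        raise XmlThreatError(f"size {len(data)} exceeds {max_bytes} bytes")
    stats = {"elements": 0, "max_depth": 0}
    child_counts = []   # stack: children seen so far for each open element

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Entity expansion and XXE both need a DTD; SOAP forbids DOCTYPE anyway.
        raise XmlThreatError("DOCTYPE not allowed")

    def start_element(name, attrs):
        if len(name) > max_name_len:                       # jumbo tag names
            raise XmlThreatError(f"tag name longer than {max_name_len}")
        if child_counts:
            child_counts[-1] += 1
            if child_counts[-1] > max_children:            # width attack
                raise XmlThreatError(f"width over {max_children} children")
        child_counts.append(0)
        if len(child_counts) > max_depth:                  # depth attack
            raise XmlThreatError(f"depth over {max_depth}")
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], len(child_counts))

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = lambda name: child_counts.pop()
    try:
        parser.Parse(data, True)        # ExpatError means "not well-formed"
    except xml.parsers.expat.ExpatError as e:
        raise XmlThreatError(f"not well-formed: {e}") from e
    return stats

def verdict(data: bytes) -> str:
    try:
        return f"accepted: {check_xml_message(data)}"
    except XmlThreatError as e:
        return f"rejected: {e}"

# Constructed samples (not from the slides)
GOOD = b'<Envelope xmlns="http://schemas.xmlsoap.org/soap/envelope/"><Body><foo><id>201</id></foo></Body></Envelope>'
LAUGHS = b'<!DOCTYPE x [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><x>&b;</x>'
DEEP = b"<a>" * 40 + b"</a>" * 40
WIDE = b"<r>" + b"<c/>" * 1001 + b"</r>"
```

Because a handler raises as soon as a limit is crossed, the parser stops before the oversized or recursive content is expanded, which is the "faster detection" point of slide 8.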
Slide 10: XML Crypto

- XML Encryption
  - Encrypt: select, crypt
  - Decrypt: select, decrypt
- XML Digital Signature
  - Sign: select, transform, canonicalize, hash, crypt
  - Verify: select, transform, canonicalize, hash, crypt, compare
- Resources:
  - http://www.w3.org/TR/xmldsig-core/
  - http://www.w3.org/TR/xmlenc-core/
- Key takeaway: can sign, verify, encrypt, decrypt messages or portions of messages using a well-specified, interoperable standard
Slide 11: XML Signature Example

    <?xml version="1.0" encoding="UTF-8"?>
    <Envelope xmlns="urn:envelope">
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
          <Reference URI="">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>uooqbWYa5VCqcJCbuymBKqm17vY=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>KedJuTob5gtvYx9qM3k3gm7kbLBwVbEQRl26S2tmXjqNND7MRGtoew==</SignatureValue>
        <KeyInfo>
          <KeyValue>
            <DSAKeyValue>
              <P>/KaCzo4Syrom78z3EQ5SbbB4sF7ey80etKII864WF64B81uRpH5t9jQTxeEu0ImbzRMqzVDZkVG9xD7nN1kuFw==</P>
              <Q>li7dzDacuo67Jg7mtqEm2TRuOMU=</Q>
              <G>Z4Rxsnqc9E7pGknFFH2xqaryRPBaQ01khpMdLRQnG541Awtx/XPaF5Bpsy4pNWMOHCBiNU0NogpsQW5QvnlMpA==</G>
              <Y>qV38IqrWJG0V/mZQvRVi1OHw9Zj84nDC4jO8P0axi1gb6d+475yhMjSc/BrIVC58W3ydbkK+Ri4OKbaRZlYeRA==</Y>
            </DSAKeyValue>
          </KeyValue>
        </KeyInfo>
      </Signature>
    </Envelope>

Source: https://java.sun.com/webservices/docs/2.0/tutorial/doc/XMLDigitalSignatureAPI7.html
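The sign and verify pipelines of slide 10 (select, canonicalize, hash, crypt, compare), reduced to what the Python standard library can run, as an added example that is not from the talk: it keeps the SignedInfo/Reference/DigestValue shape of the slide 11 example but uses xmldsig's hmac-sha1 SignatureMethod in place of DSA, and C14N 2.0 (what ET.canonicalize implements) in place of C14N 1.0. The key and the Body samples are constructed; the point shown is that a re-serialized body with reordered attributes and added whitespace still verifies, while a changed value does not.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N2 = "http://www.w3.org/2010/xml-c14n2"   # the algorithm ET.canonicalize implements
HMAC_SHA1 = DSIG + "hmac-sha1"                # a SignatureMethod defined by xmldsig-core

def digest_of(xml_text: str) -> str:
    """Slide 10's 'canonicalize, hash': base64 SHA-1 of the C14N form is the DigestValue."""
    canon = ET.canonicalize(xml_text, strip_text=True)
    return base64.b64encode(hashlib.sha1(canon.encode()).digest()).decode()

def build_signed_info(digest_value: str) -> str:
    """Same element shape as the slide 11 example, with HMAC in place of DSA."""
    return (f'<SignedInfo xmlns="{DSIG}">'
            f'<CanonicalizationMethod Algorithm="{C14N2}"/>'
            f'<SignatureMethod Algorithm="{HMAC_SHA1}"/>'
            f'<Reference URI="#body"><DigestMethod Algorithm="{DSIG}sha1"/>'
            f'<DigestValue>{digest_value}</DigestValue></Reference></SignedInfo>')

def sign(body_xml: str, key: bytes) -> tuple[str, str]:
    """Sign: select (the body), canonicalize, hash, then key the canonical SignedInfo."""
    signed_info = build_signed_info(digest_of(body_xml))
    mac = hmac.new(key, ET.canonicalize(signed_info).encode(), hashlib.sha1).digest()
    return signed_info, base64.b64encode(mac).decode()

def verify(body_xml: str, signed_info: str, signature_value: str, key: bytes) -> bool:
    """Verify: recompute both the body digest and the MAC, compare in constant time."""
    ref = ET.fromstring(signed_info).find(f"{{{DSIG}}}Reference/{{{DSIG}}}DigestValue")
    if ref is None or not hmac.compare_digest(ref.text, digest_of(body_xml)):
        return False     # data tampering: the signed digest no longer matches the body
    mac = hmac.new(key, ET.canonicalize(signed_info).encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), signature_value)

# Constructed samples; the key is a demo value, not a real secret
KEY = b"demo-shared-secret"
BODY = '<Body xmlns="urn:envelope" Id="body"><foo><id>201</id><name>bar</name></foo></Body>'
# Same infoset, different serialization: attribute order and whitespace changed
REORDERED = ('<Body Id="body" xmlns="urn:envelope">\n  <foo>\n    <id>201</id>\n'
             '    <name>bar</name>\n  </foo>\n</Body>')
TAMPERED = BODY.replace("201", "202")
```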
Slide 12: (Federated) Identity Management

- Uniquely intertwined
- Federated identity standards use Web services (XML) protocols
- Secure SOA and Web services require identity
- Rebuilding enterprise identity management architecture the SOA way
- SOA governance requires identity
- However, the federated identity management and web services security problems are not the same
Slide 13: Access Control With Federated Identity Protocols

[Diagram: HR portal, Expense App, Support App, CRM, Travel Desk and Quote App hosted on Server #1 and Server #2, linked by an XML protocol; legend distinguishes "XML protocol" from "application"]
Slide 14: Federated Identity

- Uses lessons from US federal system and application integration
- Optionally decentralized model
- XML formats for representing identity and attribute information
- Set of open XML protocols for requests and responses for access control information
- One or more access control servers
- Enable applications by
  - Use of open web services protocols
  - Optional use of utility toolkits / APIs
- Communication between enabled app and server is via open web services wire protocol
- Resources:
  - http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security#samlv20
  - http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html
Slide 15: XML Security Gateways / XML Firewalls

- XML (WS) Security Gateway is superset, includes XML Firewall
- XML Firewall: XML threat protection, filtering
- WS-Security, WS-Trust, digital signature, encryption
- Fine-grained access control & security policy enforcement point
- Service level management
- Service virtualization
- Resources:
  - http://www.ibm.com/software/integration/datapower/
Slide 16: SOA Security Deployment

[Diagram: Web Service #1 and Web Service #2 behind a gateway, with an Access Control (IM) Server, a UDDI Registry and a Service Level Monitoring & Management Server, connected by an XML protocol; legend distinguishes "XML protocol" from "application". Not pictured: PKI server, log server, datacenter mgmt, etc.]
Slide 17: From Packets to Messages

- "Packet-level" security: filter and control IP packets
- Limitations
  - Transition from perimeter to perimeter-less world
  - Network application security
- Partial protocol parsing, attack signatures, learning mode, etc.
- Most applications care about "messages", not packets
- To secure an app, must know valid inputs and outputs for the app
- "Known-good", "positive" security model
- 5000 apps -> 5000 configurations
- Data-centric security, protecting the actual data and documents
- Basic technology has been there long before SOA/XML
Slide 18: Message-Level Security

- Enabled by software industry's shift to XML Web Services
- Mature standards
  - WSDL
  - XML Schema
  - XPath
  - WS-Security
  - SAML
- Creates new capabilities and features for apps (not just for security)
- Application-specific wire protocols documented in machine-readable, declarative style
- Security context bound to message
- Standard policy language
- A network device can now instantly "grok" a custom application
- End of manual configuration -> positive security model
Slide 19: Summary

- To first order, XML=SOAP=WebServices~SOA
- Why SOA security matters
- XML threats
- Security building blocks
- Federated identity
- Web services security gateways
- Message-level security