Securing Web 2.0
What You Need to Know
K. Scott Morrison
VP Engineering and Chief Architect

January 2007
Web 2.0 has provided users with enhanced capabilities, but with it comes new security risks.

1. Securing Web 2.0 – What You Need to Know
   K. Scott Morrison, VP Engineering and Chief Architect
   January 2007

2. Bio – K. Scott Morrison
   VP Engineering & Chief Architect at Layer 7 Technologies
     • http://www.layer7tech.com
     • Layer 7 is based in Vancouver BC, Canada
   Co-author of Sams’ Java Web Services Unleashed and Wrox’s Professional JMS
     • Over 50 other publications in academic journals and trade magazines
   Co-Editor WS-I Basic Security Profile
   Co-Author WS-Federation
   Frequent speaker on Web services, XML, mobile/wireless computing systems, distributed systems architecture, and Java design issues
   January 2007 SecureSpan™ Gateway Overview Proprietary and Confidential 2

3. Agenda
   Web 2.0
   AJAX
   What’s new about this?
     The collision between AJAX & SOA
   What are the new threat vectors
   Mitigation strategies
   Infrastructure solutions

4. Web 2.0
   Web 2.0 isn’t a technology
     It’s actually an approach to building for the Web
   Web 2.0 is:
     Aggregation of content
     Collaboration
     Synergizing the efforts of individuals
     Rich interaction models
     …etc
   Examples: MySpace, Flickr, Google Maps, Google Gmail, Google Suggest, del.icio.us
   Remember: “You” is not a technology
   Graphic source: http://www.time.com/time/covers/0,16641,20061225,00.html

5. AJAX
   AJAX is an approach underpinning Web 2.0
     Provides rich browser interaction models
       This contributes to the goal of fostering individual contributions
     Can also be used to aggregate content
   AJAX is really a slick new name for existing technology:
     1. (X)HTML and CSS for presentation markup
     2. DOM and JavaScript for dynamic content
     3. XMLHttpRequest (XHR), IFrame, dynamic <SCRIPT> hack for asynchronous content retrieval
     4. XML, JSON, JavaScript Objects, or just text for data communication
   So what is different here?

6. Web 1.0
   Diagram: Web browser on the Internet, firewall, Web application server and network directory server on the corporate network.
   User clicks link, presses button, is referred, etc.

7. Web 1.0 (cont.)
   Browser sends an HTTP request (HTTP GET or POST) through the firewall to the Web application server: HTTP headers + query params or POST contents.
   Web application server performs AuthN, AuthR against the network directory server.

8. Web 1.0 (cont.)
   HTTP response carries HTML, images, JavaScript, etc.
   New page rendered in the browser.
   User experiences long latency delays that affect usability.

9. Web 2.0 – AJAX Paradigm
   … Request as before
   Page load: HTML with embedded JavaScript engine
   HTTP response carries HTML, images, JavaScript engine, etc.
   Separation between presentation and content retrieval

10. Web 2.0 – AJAX Paradigm (cont.)
   User interacts with AJAX engine
   AJAX engine issues HTTP requests (HTTP GET, POST, PUT, DELETE, HEAD, etc) to a service on the Web application server
   HTTP response carries XML, JSON, JavaScript Objects, text, etc.

11. Web 2.0 – Server Side Aggregations
   Look familiar? It’s data integration all over again…
   New data, new transport, same old problems
   User interacts with web app server
   Server pulls external RSS, ATOM, XML, etc information from external feeds and services
   Aggregate content page is returned to the browser
   This, of course, could also be an AJAX-based application
   There are also models for client-side (browser) aggregation

12. What are the Threats?
   Threats Against The Client
   New attack surface: the AJAX engine itself
   Loads of potential parameter & injection attacks
   Attempts to hijack session tokens, cookies, etc.
   Cross Site Scripting (XSS), Cross Site Reference Forgery (XSRF)
   Lots of potentially dangerous things to query or even set. Consider DOM:
     document.URL
     document.cookie
     document.domain
     document.referrer
     etc…
   Turn off JavaScript??? No.

13. What are the Threats (cont.)?
   Threats Against The Server
   Classic attack surface, but with new challenges
   Ports 80, 443 open at the firewall to the Web application server
   In: Richer parameter attacks, XML-based DOS attacks, etc
   Out: Information leaking, integrity compromise, injection, etc
   Big problem: XML parsers are just too helpful and naive

14. What are the Threats (cont.)?
   Threats Against Content
   Another classic attack surface, but with still more new challenges
   In: Session hijacking, unauthorized access, etc
   Out: Integrity compromise, injection of poison content like scripts into XML, etc
   Note that the aggregator is just another web client. It’s not a browser, but many similar attacks still apply

15. Why Should You Care?
   Big questions around corporate responsibility
     Regulatory issues around privacy (HIPAA, PIPEDA, etc)
     Regulatory issues around accountability (Sarbox, etc)
     Liability for forged transactions
     Liability for damage from compromised servers
   Not to mention huge issues around brand and reputation damage accrued from a significant security event

16. Tactical Security Measures
   Clients (browsers)
     Tough area to secure
     Must ensure you are serving solid code
       Rigorous code review
       AJAX has submarine complexity
     Ensure that data streams you serve are validated
       Redaction, strict validation to tightened schemas
   Servers offer clean and secure code
   Servers offer validated and cleansed data
   The problem with JavaScript is that it makes it easy to write code, but hard to write secure code

17. Tactical Security Measures (cont.)
   Core Servers (Web application servers)
     More control, and more mature best practices
     Add rigorous AuthN, AuthR, Audit
     Look at cryptographic model
     Inward: DOS protect, threat protect, parameter validate
     Outward: Schema validation and redaction
   Validate params
   Validate and cleanse data
   Secure channel
   What makes this difficult is the added complexity of XML data structures, and the richer attack surface of service-based APIs
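As an added example (not code from the deck or from Layer 7), the inward parameter validation and outward redaction that slides 16 and 17 call for, written for a hypothetical getStockQuote service; the parameter names, patterns and response fields are assumptions.

```javascript
// Added example, not from the Layer 7 deck. Parameter names, patterns and
// response fields for the hypothetical getStockQuote service are assumptions.
// Tightened parameter schema: every accepted parameter is named, bounded in
// length and constrained to a pattern; anything else is rejected.
const QUOTE_PARAMS = {
  symbol:   { pattern: /^[A-Z]{1,5}$/,        required: true },
  exchange: { pattern: /^(NYSE|NASDAQ|TSX)$/, required: false },
};
const MAX_PARAM_LENGTH = 64;

// Inward: validate query or POST parameters before the application sees them.
function validateParams(params, schema) {
  const errors = [];
  for (const [name, rule] of Object.entries(schema)) {
    if (rule.required && !(name in params)) errors.push(`missing parameter: ${name}`);
  }
  for (const [name, value] of Object.entries(params)) {
    const rule = schema[name];
    if (!rule) { errors.push(`unexpected parameter: ${name}`); continue; }
    // Repeated parameters arrive as arrays; reject them along with oversized values.
    if (typeof value !== 'string' || value.length > MAX_PARAM_LENGTH) {
      errors.push(`oversized or repeated parameter: ${name}`);
      continue;
    }
    if (!rule.pattern.test(value)) errors.push(`malformed parameter: ${name}`);
  }
  return { ok: errors.length === 0, errors };
}

// Outward: redact the response to the fields the client is entitled to see.
// `true` keeps a field, a nested object descends into a sub-object, arrays are
// redacted element by element; fields not in the allowlist never leave.
function redact(value, allow) {
  if (Array.isArray(value)) return value.map((v) => redact(v, allow));
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [key, sub] of Object.entries(allow)) {
    if (!(key in value)) continue;
    out[key] = sub === true ? value[key] : redact(value[key], sub);
  }
  return out;
}
const QUOTE_RESPONSE_ALLOW = { symbol: true, price: true, currency: true, venue: { name: true } };

// Constructed application response that would leak internal detail if served raw.
const RAW_RESPONSE = {
  symbol: 'ACME', price: 12.34, currency: 'USD',
  venue: { name: 'NYSE', internalHost: 'quotes-db-03.corp.example' },
  debugSql: "SELECT price FROM quotes WHERE sym = 'ACME'",
};
```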
18. Tactical Security Measures (cont.)
   Aggregation Servers (Application servers)
     Emerging area, with few best practices
     Encourage authenticated access model
       You may be forced into this anyway…
     Look at cryptographic model
     Incoming data:
       Validate feed content
       Strip potential exploits like embedded <SCRIPT> tags
   Authenticate access
   Validate and threat protect data feed
   Secure channel
   The big problem here is you may not have control of the source of the data. A large number of sites are cracking down on “unauthorized” use in mashups.
   Furthermore, APIs may change radically, making it critical to validate the incoming feed against a schema to catch API updates
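The two incoming-data steps on slide 18, validating the feed against a tightened schema and stripping embedded script, as an added example that is not code from the deck or from Layer 7; the feed item fields and the allowlist of inline markup are assumptions.

```javascript
// Added example, not from the Layer 7 deck. The feed item fields and the
// allowlist of markup are assumptions chosen for illustration.
// Tightened schema for one aggregated feed item: exactly these fields.
const FEED_ITEM_SCHEMA = { title: 'string', link: 'string', description: 'string' };
// Inline markup allowed to survive in a description; attributes never do.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'br']);

// Escape text so it cannot be interpreted as markup by an internal server or browser.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Tokenize markup into tags and text. Allowlisted tags are re-emitted bare
// (no attributes), <script>/<style> blocks are dropped with their contents,
// any other tag is dropped, and all text is escaped.
function sanitizeMarkup(html) {
  let out = '';
  let dropping = null; // name of the block whose contents are being discarded
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>|[^<]+|</g)) {
    const token = m[0];
    const name = m[1] ? m[1].toLowerCase() : null;
    const closing = token.startsWith('</');
    if (dropping) { if (name === dropping && closing) dropping = null; continue; }
    if (name === null) { out += escapeText(token); continue; }
    if (name === 'script' || name === 'style') { if (!closing) dropping = name; continue; }
    if (ALLOWED_TAGS.has(name)) out += closing ? `</${name}>` : `<${name}>`;
  }
  return out;
}

// Validate an item against the schema (so an upstream API change fails loudly
// instead of passing unnoticed), then cleanse the fields that carry markup.
function cleanseFeedItem(item) {
  const errors = [];
  for (const [field, type] of Object.entries(FEED_ITEM_SCHEMA)) {
    if (typeof item[field] !== type) errors.push(`missing or wrong type: ${field}`);
  }
  for (const field of Object.keys(item)) {
    if (!(field in FEED_ITEM_SCHEMA)) errors.push(`unexpected field: ${field}`);
  }
  if (typeof item.link === 'string' && !/^https?:\/\//i.test(item.link)) errors.push('link must be http(s)');
  if (errors.length) return { ok: false, errors };
  return { ok: true, item: { title: escapeText(item.title), link: item.link, description: sanitizeMarkup(item.description) } };
}

// Constructed feed items: one carrying injected script, one from a feed whose API renamed a field.
const POISONED_ITEM = { title: 'Quarterly results', link: 'http://feeds.example/q4',
  description: '<p>Revenue up <b onclick="x()">12%</b><script>alert(1)</script></p>' };
const DRIFTED_ITEM = { title: 'Outage notice', link: 'http://feeds.example/status', summary: 'Resolved' };
```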
19. Thanks For Nothing Scott: “So How Do I Really Do This?”
   You could just build it into your systems…
     But that is brittle and error-prone
   What you really need is specialized infrastructure built for this purpose
   Needs to be:
     High performance
     Scalable
     Simple to configure
     And most important: offer tunable security policy

20. Why Tunable Policy?
   Not all services are equal:
     getStockQuote(): anonymous access, unsecure channel
     buyStock(): authenticated and authorized access, secured (integrity and privacy) channel or message
   Policy (the security processing model) must be customized to the business requirements
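Slide 20's two services expressed as a per-operation policy, as an added example that is not code from the deck or from Layer 7's product; the request shape, role names and the exact requirements attached to each operation are assumptions modelled on the slide.

```javascript
// Added example, not from the Layer 7 deck. The request shape, role names and
// the two operations' requirements are assumptions modelled on slide 20.
// Per-operation policy: what a caller must present before the service runs.
// Any operation not listed here is denied by default.
const POLICIES = {
  // Public market data: anonymous, any channel.
  getStockQuote: { methods: ['GET'], authenticate: false, roles: [], secure: false },
  // Transaction: authenticated and authorized, and either a protected channel
  // or a message that is itself signed and encrypted.
  buyStock: { methods: ['POST'], authenticate: true, roles: ['trader'], secure: true },
};

// A request is "secured" when the channel is TLS, or when the message carries
// its own integrity (valid signature) and privacy (encryption) protection.
function isSecured(req) {
  return req.tls === true || (req.signatureValid === true && req.encrypted === true);
}

// Evaluate the policy for one request. Returns the decision plus an audit
// record; the record is produced whether the request is allowed or denied.
// The channel check runs before credentials are examined, so credentials
// presented over an unprotected message are never honoured.
function enforce(req) {
  const deny = (reason) => ({ allow: false, reason, audit: audit(req, 'DENY', reason) });
  const policy = POLICIES[req.operation];
  if (!policy) return deny('unknown operation');
  if (!policy.methods.includes(req.method)) return deny(`method ${req.method} not permitted`);
  if (policy.secure && !isSecured(req)) return deny('integrity and privacy protection required');
  if (policy.authenticate) {
    if (!req.principal) return deny('authentication required');
    const roles = req.principal.roles || [];
    if (!policy.roles.some((r) => roles.includes(r))) return deny('not authorized for operation');
  }
  return { allow: true, reason: 'policy satisfied', audit: audit(req, 'ALLOW', 'policy satisfied') };
}

// One-line audit record (AuthN, AuthR and the decision) for every request.
function audit(req, decision, reason) {
  const who = req.principal ? req.principal.name : 'anonymous';
  return `${decision} ${req.operation} method=${req.method} principal=${who} tls=${!!req.tls} reason=${reason}`;
}

// Constructed requests.
const ANON_QUOTE = { operation: 'getStockQuote', method: 'GET', tls: false };
const ANON_BUY = { operation: 'buyStock', method: 'POST', tls: true };
const TRADER_BUY_CLEARTEXT = { operation: 'buyStock', method: 'POST', tls: false, principal: { name: 'alice', roles: ['trader'] } };
const TRADER_BUY_SIGNED = { operation: 'buyStock', method: 'POST', tls: false, signatureValid: true, encrypted: true, principal: { name: 'alice', roles: ['trader'] } };
```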
21. Securing Web 2.0: SecureSpan Data Screen™

22. Securing Web 2.0: SecureSpan Data Screen™
   Hardware appliance for Web, REST, & AJAX security processing.
     ASICs for XML schema validation, XPath, XSLT, cryptographic operations
   Fully clustered
   Policy-based processing model
   Browser-based management and operations console
   Integration with all major directory, IAM, access control servers
   Integration with Symantec antivirus scan engine
   Diagram: Web browser-based management and operations of a SecureSpan Data Screen™ cluster

23. Securing Web 2.0: SecureSpan Data Screen™
   Gateway Deployment For Incoming Calls (between the Internet and the Web application server and network directory server on the corporate network)
   Wire speed schema validation of XML entering network
   Rigorous HTTP parameter validation
   Tight control over HTTP methods (GET, POST, DELETE, PUT, etc). Control over REST.
   Hardware transformation of XML content in and out of network
   Throttle access to back end services
   Traffic shaping across server farms
   XML threat detection
   Endpoint for SSL and XML document security (encryption, signature & canonicalization according to W3C specs)
   Controlled stripping of <SCRIPT>, eval() (PHP, JS, Python, etc), shell injection attacks, etc to combat XSS

24. Securing Web 2.0: SecureSpan Data Screen™
   Proxy Deployment For Outgoing Calls (between the Web application server and external services: RSS, ATOM, XML, etc)
   Wire speed validation of XML entering network
   Stripping of potentially harmful data in feeds (<SCRIPT>, etc)
   Management of outgoing cryptography and credentials
   Wire speed transformation of XML data to insulate internal servers from external API changes

25. Summary
   Web 2.0 and the technologies associated with it are too good to ignore
   However, they introduce huge new security complexities
   The only way to deal with these effectively is with diligence, rigor, and specialized infrastructure to manage an evolving threat model
   Layer 7’s SecureSpan Data Screen™ provides the tools to help secure Web 2.0, REST, AJAX, SOA, RSS and ATOM today.

26. For further information:
   K. Scott Morrison
   Layer 7 Technologies
   1501 – 700 West Georgia St.
   Vancouver, B.C. V7Y 1B6 Canada
   (800) 681-9377
   smorrison@layer7tech.com
   http://www.layer7tech.com
