Preview of Mastering Web Services Security
Konstantin Beznosov, [email protected]
Quadrasis, September 16, 2002
Source slides: konstantin.beznosov.net/doc/talks/ibm_zurich_2002-09-16.pdf
Talk Outline
– Book introduction
– Highlights of the book
  – Web Services security problem
  – XML Security
  – WS-Security
  – Security mechanisms for ASP.NET Web Services
  – Planning and building secure Web Service systems
    – Architectural and policy principles
    – EASI Framework
    – Example
Why am I talking to you?
– Ph.D. “Engineering Access Control for Distributed Enterprise Applications”
– CORBA Security
  – “Resource Access Decision” (RAD) Facility
  – “Security Domain Membership Management”
– Security Architect with Baptist Health, Concept 5, Quadrasis (HICAM)
  – Architecture, design and implementation of enterprise security solutions and products using CORBA, EJB, COM+, .NET
Book Goals
– Audience: practicing application/enterprise security designers and architects
– Explain
  – key underlying principles for securing WS
  – how to secure today
    – simple WS systems: Java and (ASP).NET
    – complex WS systems for large enterprises
– Describe what’s coming and what to expect
It’s about
1. Principles of Securing Web Services
   – Getting Started with Web Services Security
   – XML Security
   – WS-Security
   – SAML
   – Principles of Securing Web Services
2. Middleware Mechanisms for securing Web Services
   – Middleware security mechanisms – CORBA, COM+, .NET, EJB
   – Securing (ASP).NET and Java Web Services
3. Advanced Topics
   – Interoperability
   – Administration
   – Planning and Building
What’s a Web Service System?
(Figure: a Web Service System, with SOAP as the messaging layer between its parts)
Typical Web Service Environment
Conventional Approach to Security
(Figure: taxonomy of security categories and their elements)
– Categories: Protection, Authorization, Accountability, Assurance, Availability
– Elements shown: Authentication, Access Control, Data Protection, Cryptography, Audit, Non-Repudiation, Design Assurance, Development Assurance, Operational Assurance, Service Continuity, Disaster Recovery
Web Usage Scenario - Security
(Figure: Trader’s System (SOAP Ultimate Sender) → SOAP Intermediary (Notary System) → Trading System (SOAP Ultimate Receiver). Request carried forward: “Buy 5000 shares MSFT @$XX/share”; response carried back: “Bought 5000 shares MSFT @$YY/share”.)
Changes in the Security Picture
– WS open enterprise resources to the outside world
– New security responsibilities due to mixing lines of business:
  – Outsourcing credit card authorization service
  – Cross-selling and customer relationship management
  – Supply chain management
– Risk must be assessed and managed across a collection of organizations
– Interactions are more complex and take place among diverse environments
WS Security Building Blocks
(Figure: the building blocks stacked as layers)
– Network Security: Directories, Firewalls, IDS
– Web Servers Security
– Middleware Security
– Mainframe Security
– Physical Security
– Database Security
– XML Security
– SOAP Security
– WSDL Security
– UDDI Security
– WS-Security
XML Security
XML Encryption
– Encrypt all or part of an XML message
– Separation of encryption information from encrypted data
– Super-encryption of data

<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
               Type='http://www.w3.org/2001/04/xmlenc#Content'>
  <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#3des-cbc'/>
  <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
    <ds:KeyName>John Smith</ds:KeyName>
  </ds:KeyInfo>
  <CipherData>
    <CipherValue>A23B45C56</CipherValue>
  </CipherData>
</EncryptedData>
XML Signature
– Apply to all or part of a document
– Contains: references to signed portions, canonicalization algorithm, hashing and signing algorithm Ids, public key of the signer
– Multiple signatures with different characteristics over the same content

<Signature Id="MySignature" xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
    <Reference URI="http://www.w3.org/TR/2000/REC-xhtml1-20000126/">
      <Transforms>
        <Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
      </Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>j6lwx3rvEPO0vKtMup4NbeVu8nk=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>MC0CFFrVLtRlk=...</SignatureValue>
  <KeyInfo>
    <KeyValue>
      <DSAKeyValue>
        <P>...</P><Q>...</Q><G>...</G><Y>...</Y>
      </DSAKeyValue>
    </KeyValue>
  </KeyInfo>
</Signature>
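The slide says a signature covers only the portions its References point at, and that what is hashed is the canonicalized form. The following is an added example, not code from the talk or the book: it builds a constructed message with one signed element, then checks each Reference digest using the inclusive C14N and SHA-1 algorithms named on the slide. The DSA step over SignedInfo is deliberately left out (the SignatureValue is a placeholder), and the canonicalization is done on the element in isolation rather than in document context, which a production verifier must do; the element and attribute names (Message, Order, the Id values) are assumptions.

```python
# Added example (not from the talk): checking <ds:Reference> digests in an
# XML Signature, using the inclusive C14N and SHA-1 algorithms the slide names.
# DSA verification of <SignedInfo> is left out; this shows the digest step that
# decides which parts of the document the signature actually covers.
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"
C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
ET.register_namespace("ds", DSIG)


def ds(local):
    """Clark-notation name for an element in the XML Signature namespace."""
    return f"{{{DSIG}}}{local}"


def c14n_sha1_digest(element):
    """Canonicalize one element with inclusive C14N and return its base64 SHA-1.
    The element is serialized on its own, so namespaces inherited from ancestors
    are not included; a production verifier canonicalizes in document context."""
    el = copy.deepcopy(element)
    el.tail = None  # text after the closing tag is not part of the element
    canon = ET.canonicalize(xml_data=ET.tostring(el, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canon.encode("utf-8")).digest()).decode("ascii")


def make_signed_document(order_text):
    """Build a constructed message: an <Order Id="order"> plus a <ds:Signature>
    whose single Reference covers it (the SignatureValue is a placeholder)."""
    root = ET.Element("Message")
    order = ET.SubElement(root, "Order", Id="order")
    order.text = order_text
    digest = c14n_sha1_digest(order)
    sig = ET.SubElement(root, ds("Signature"), Id="MySignature")
    info = ET.SubElement(sig, ds("SignedInfo"))
    ET.SubElement(info, ds("CanonicalizationMethod"), Algorithm=C14N)
    ET.SubElement(info, ds("SignatureMethod"), Algorithm=DSIG + "dsa-sha1")
    ref = ET.SubElement(info, ds("Reference"), URI="#order")
    ET.SubElement(ref, ds("DigestMethod"), Algorithm=SHA1)
    ET.SubElement(ref, ds("DigestValue")).text = digest
    ET.SubElement(sig, ds("SignatureValue")).text = "PLACEHOLDER-NOT-A-REAL-SIGNATURE"
    return ET.tostring(root, encoding="unicode")


def check_reference_digests(doc_text):
    """Return {URI: bool} for every <ds:Reference>. A Reference whose URI is not a
    same-document Id, or whose DigestMethod is not SHA-1, fails closed."""
    root = ET.fromstring(doc_text)
    by_id = {el.get("Id"): el for el in root.iter() if el.get("Id") is not None}
    results = {}
    for ref in root.iter(ds("Reference")):
        uri = ref.get("URI", "")
        method = ref.find(ds("DigestMethod"))
        expected = (ref.findtext(ds("DigestValue")) or "").strip()
        target = by_id.get(uri[1:]) if uri.startswith("#") else None
        if target is None or method is None or method.get("Algorithm") != SHA1:
            results[uri] = False
            continue
        results[uri] = c14n_sha1_digest(target) == expected
    return results


def tamper(doc_text, new_order_text):
    """Change the signed <Order> after signing (constructed tampering)."""
    root = ET.fromstring(doc_text)
    root.find("Order").text = new_order_text
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    doc = make_signed_document("Buy 5000 shares MSFT @$XX/share")
    print(check_reference_digests(doc))  # {'#order': True}
    print(check_reference_digests(tamper(doc, "Buy 50000 shares MSFT @$XX/share")))  # {'#order': False}
```

The map returned by check_reference_digests is the useful artefact: a receiver should look not only for all-True but also for whether the element it is about to act on has an entry at all, since an element nobody referenced is simply unsigned.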
Gaps
– Signature and Encryption specifications are for XML, not SOAP
  – Format and location of security information in SOAP message
  – Support for multiple security operations
  – Targeting specific actors
– Passing security-related client information
  – Authentication
  – Attributes
SOAP Message Security
WS-Security
– Message integrity and message confidentiality
  – Compliance with XML Signature and XML Encryption
– Encoding for binary security tokens
  – Set of related claims (assertions) about a subject
  – X.509 certificates
  – Kerberos tickets
  – Encrypted keys
SOAP Message with WS-Security

<?xml version="1.0"?>
<env:Envelope xmlns:env="http://www.w3.org/2001/12/soap-envelope"
              xmlns:sec="http://schemas.xmlsoap.org/ws/2002/04/secext"
              xmlns:sig="http://www.w3.org/2000/09/xmldsig#"
              xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
  <env:Header>
    <sec:Security sec:actor="http://www.w3.org/2001/12/soap-envelope/actor/next"
                  sec:mustUnderstand="true">
      <sig:Signature>…</sig:Signature>
      <enc:EncryptedKey>…</enc:EncryptedKey>
      <sec:BinarySecurityToken>…</sec:BinarySecurityToken>
    </sec:Security>
  </env:Header>
  <env:Body>
    <enc:EncryptedData>…</enc:EncryptedData>
  </env:Body>
</env:Envelope>
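A receiver can reject a lot before touching any key: is the Security header there and marked mustUnderstand, who is it addressed to, is a token present, does the signature actually reference the Body, and is the encryption algorithm one the policy allows. The following is an added example, not code from the talk, the book or any vendor toolkit. It parses an envelope shaped like the slide's and reports those facts; the sample envelope, the allow-list (AES-CBC accepted, 3DES flagged as legacy) and the plain Id attribute on the Body are constructed assumptions, and the secext namespace is spelled out in full.

```python
# Added example (not from the talk): receiver-side shape check of a SOAP envelope
# carrying a WS-Security header like the one on the slide. No cryptography is
# done; the point is to reject messages whose header does not match the
# receiver's policy before any signature or decryption work is spent on them.
import xml.etree.ElementTree as ET

ENV = "http://www.w3.org/2001/12/soap-envelope"
SEC = "http://schemas.xmlsoap.org/ws/2002/04/secext"
SIG = "http://www.w3.org/2000/09/xmldsig#"
ENC = "http://www.w3.org/2001/04/xmlenc#"

# Assumed receiver policy (constructed): AES-CBC accepted, 3DES flagged as legacy.
ACCEPTED_ENC = {ENC + "aes128-cbc", ENC + "aes256-cbc"}
LEGACY_ENC = {ENC + "3des-cbc"}


def q(ns, local):
    """Clark-notation name used by ElementTree for a namespaced element or attribute."""
    return f"{{{ns}}}{local}"


def inspect_security_header(envelope_xml):
    """Return a report: actor, must_understand, tokens, body_signed, encryption
    algorithms, and a list of policy problems (an empty list means accept)."""
    root = ET.fromstring(envelope_xml)
    report = {"problems": []}
    header = root.find(q(ENV, "Header"))
    sec = header.find(q(SEC, "Security")) if header is not None else None
    if sec is None:
        report["problems"].append("no Security header: message carries no WS-Security data")
        return report
    report["actor"] = sec.get(q(SEC, "actor"))
    # The slide puts mustUnderstand in the sec namespace; SOAP defines it in env.
    mu = sec.get(q(SEC, "mustUnderstand")) or sec.get(q(ENV, "mustUnderstand"))
    report["must_understand"] = mu in ("true", "1")
    if not report["must_understand"]:
        report["problems"].append("Security header not mustUnderstand: a receiver may silently ignore it")
    report["tokens"] = [t.get("ValueType") for t in sec.findall(q(SEC, "BinarySecurityToken"))]
    if not report["tokens"]:
        report["problems"].append("no BinarySecurityToken: nothing identifies the signer")
    body = root.find(q(ENV, "Body"))
    body_id = body.get("Id") if body is not None else None  # plain Id attribute assumed
    refs = {r.get("URI") for r in sec.iter(q(SIG, "Reference"))}
    report["body_signed"] = body_id is not None and f"#{body_id}" in refs
    if not report["body_signed"]:
        report["problems"].append("signature does not reference the Body: payload integrity is not claimed")
    algs = [m.get("Algorithm") for m in root.iter(q(ENC, "EncryptionMethod"))]
    report["encryption"] = algs
    for alg in algs:
        name = (alg or "").rsplit("#", 1)[-1]
        if alg in LEGACY_ENC:
            report["problems"].append(f"legacy algorithm {name}: 64-bit block cipher, plan migration")
        elif alg not in ACCEPTED_ENC:
            report["problems"].append(f"algorithm not on allow-list: {name}")
    return report


# Constructed sample, shaped like the slide; digests and cipher values are dummies.
SAMPLE_ENVELOPE = f"""<?xml version="1.0"?>
<env:Envelope xmlns:env="{ENV}" xmlns:sec="{SEC}" xmlns:sig="{SIG}" xmlns:enc="{ENC}">
 <env:Header>
  <sec:Security sec:actor="{ENV}/actor/next" sec:mustUnderstand="true">
   <sec:BinarySecurityToken ValueType="X509v3" EncodingType="Base64Binary" Id="cert">MIIB-constructed</sec:BinarySecurityToken>
   <sig:Signature>
    <sig:SignedInfo>
     <sig:Reference URI="#body"><sig:DigestValue>constructed</sig:DigestValue></sig:Reference>
    </sig:SignedInfo>
    <sig:SignatureValue>constructed</sig:SignatureValue>
   </sig:Signature>
   <enc:EncryptedKey><enc:CipherData><enc:CipherValue>constructed</enc:CipherValue></enc:CipherData></enc:EncryptedKey>
  </sec:Security>
 </env:Header>
 <env:Body Id="body">
  <enc:EncryptedData Type="{ENC}Content">
   <enc:EncryptionMethod Algorithm="{ENC}3des-cbc"/>
   <enc:CipherData><enc:CipherValue>A23B45C56</enc:CipherValue></enc:CipherData>
  </enc:EncryptedData>
 </env:Body>
</env:Envelope>"""

if __name__ == "__main__":
    for key, value in inspect_security_header(SAMPLE_ENVELOPE).items():
        print(f"{key}: {value}")
```

Run as written, the sample passes every structural check and produces exactly one problem, the 3DES flag; flipping mustUnderstand or pointing the Reference away from the Body adds the corresponding problem, which is the kind of log line a gateway in front of the service would emit.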
Web Services Security Roadmap
– “Security in a Web Services World: A Proposed Architecture and Roadmap” – April 2002
– Joint IBM and Microsoft white paper
– Initial specifications: WS-Security, WS-Trust, WS-Policy, WS-Privacy, WS-SecureConversation, WS-Federation
– Follow-on specifications: WS-Authorization
Security Assertion Markup Language (SAML)
(Figure: an Authentication Authority, an Attribute Authority and an Authorization Authority; Credentials are presented and Authentication, Attribute and Authorization Assertions are issued, with the exchanges numbered 1–6 in the figure.)
Comprehensive Message Security
(Figure: Secured SOAP Message – a SOAP-ENV:Envelope containing a SOAP-ENV:Header with a WS-Security element holding a SAML Token, and a SOAP-ENV:Body.)

Security Feature – Function
– SAML Token – Authenticates initiator of SOAP request; enables role based authorization; time-limited; interoperable
– XML Signature, DSIG – Multiple signed areas of header and body; integrity protection via PKI based cryptography; prevents tampering
– XML Schema Verification – Validates against XML schema
– Audit – End-to-end tracing, method access
– XML Encryption – Multiple encrypted areas of body; prevents disclosure
– RPC Method Authorization – Prevents unauthorized call to methods
– X.509 Certificate (or other security token) – Encryption and signature verification
– WS-Security – Attaches signature, encryption, security tokens to SOAP messages
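The table gives the SAML token three jobs: it names the authenticated initiator, it carries the attributes that drive role based authorization, and it is time-limited. The following is an added example, not code from the talk or the book: it evaluates a SAML 1.x assertion of the kind that would sit inside the WS-Security header, checking the validity window (with a small clock-skew allowance), the intended audience, the authenticated subject and the role attribute. It assumes the assertion's XML Signature has already been verified; the sample assertion, its audience URL, the attribute name "role" and the 30-second skew are constructed.

```python
# Added example (not from the talk): evaluating a SAML 1.x assertion carried as
# the token in a WS-Security header, covering the properties the table lists:
# who was authenticated, what roles the attributes grant, and whether the
# assertion is still inside its validity window. Signature verification of the
# assertion is assumed to have happened before this runs.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"


def s(local):
    """Clark-notation name for an element in the SAML 1.0 assertion namespace."""
    return f"{{{SAML}}}{local}"


def parse_utc(stamp):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in assertions to an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_assertion(assertion_xml, expected_audience, now, skew=timedelta(seconds=30)):
    """Return {'accepted', 'reasons', 'subject', 'roles'}. 'now' is injected so the
    check is deterministic; 'skew' tolerates small issuer/receiver clock drift."""
    root = ET.fromstring(assertion_xml)
    result = {"accepted": False, "reasons": [], "subject": None, "roles": []}
    cond = root.find(s("Conditions"))
    if cond is None:
        result["reasons"].append("no Conditions: assertion has no validity window")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before is None or not_on_or_after is None:
            result["reasons"].append("validity window incomplete")
        else:
            if now + skew < parse_utc(not_before):
                result["reasons"].append("assertion not yet valid")
            if now - skew >= parse_utc(not_on_or_after):
                result["reasons"].append("assertion expired")
        audiences = [a.text for a in cond.iter(s("Audience"))]
        if expected_audience not in audiences:
            result["reasons"].append("assertion not issued for this audience")
    stmt = root.find(s("AuthenticationStatement"))
    if stmt is None:
        result["reasons"].append("no AuthenticationStatement: initiator not authenticated")
    else:
        result["subject"] = stmt.findtext(f"{s('Subject')}/{s('NameIdentifier')}")
    for attr in root.iter(s("Attribute")):
        if attr.get("AttributeName") == "role":  # attribute name is an assumption
            result["roles"] = [v.text for v in attr.findall(s("AttributeValue"))]
    result["accepted"] = not result["reasons"]
    return result


# Constructed sample: a five-minute assertion issued by ePortal.com for a member.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="0"
    AssertionID="constructed-0001" Issuer="ePortal.com" IssueInstant="2002-09-16T10:00:00Z">
  <saml:Conditions NotBefore="2002-09-16T10:00:00Z" NotOnOrAfter="2002-09-16T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://eBusiness.com/StoreFront</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2002-09-16T09:59:58Z">
    <saml:Subject><saml:NameIdentifier>member42</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>member42</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="role" AttributeNamespace="urn:constructed:example">
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    now = parse_utc("2002-09-16T10:02:00Z")
    print(evaluate_assertion(SAMPLE_ASSERTION, "https://eBusiness.com/StoreFront", now))
    print(evaluate_assertion(SAMPLE_ASSERTION, "https://eBusiness.com/StoreFront",
                             now + timedelta(minutes=10)))
```

Injecting the clock rather than calling the system time is what makes the expiry path testable; the audience check is what stops an assertion issued for one Web Service from being replayed against another, which is the "mutually suspicious islands" point made later in the talk.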
Security Mechanisms for (ASP).NET Web Services
Options for Building MS WS
1. Publish COM+ component as SOAP Endpoint
   – Only Windows .NET and XP Pro
   – Limitations on what COM+ components could be published
   – Might not be 100% interoperable with other SOAP implementations
2. Use CLR remoting over SOAP/HTTP
   – Supports (non-interoperable) passing of object references
   – Supports client- and server-activated objects
   – Can be hosted by IIS
   – Vague on client authentication and channel protection, unless IIS security is used
3. Generate COM Wrapper
   – Good way to reuse existing COM components
   – No support for custom types
   – No .NET framework in the picture
4. Use ASP.NET Mechanisms
   – Claimed to be interoperable with other SOAP-compliant web services
   – Leverages .NET, ASP.NET and IIS security mechanisms
   – Simplifies handling of WS-Security data via WSDK
ASP.NET Custom HTTP Modules
Advantages
– Allows custom authentication schemes
– Allows decoupling (HTTP) transport from SOAP
– Makes application security-unaware
– Supports CLR authorization
Disadvantages
– Couples client and server
(Figure: request path – SOAP client → SOAP/HTTP → IIS (unmanaged code) → ASP.NET_ISAPI.DLL (managed code) → Quadrasis.Authentication.AuthFooModule → Web Service (.asmx) Handler Factory → StoreFrontService.asmx and other .asmx files)
Planning, Building Secure Web Service Systems
Recommended Approach
– Consistent with TCB principles
– Simplifies the analysis
– Leave security to experts
  – Security COTS integration vs. do-it-yourself
    – More thoroughly tested by other customers
    – More careful about common development mistakes
– Follow good architectural and policy design principles
– Plan for evolution and manageability
– Have a security framework
Security Architecture Principles
– Trust no one
  – Don’t make your firewall the only point of enforcement
  – View Web Services collections as mutually suspicious islands
– Enable interoperability
  – Use vendor-neutral standards (WS-Security, SAML)
– Modularize security
  – “Push” security down – security-unaware applications
  – Insulate applications from security functionality with stable APIs
Security Policy Principles
– Authentication: balance cost against threat
  – SSO
– Authorization: application-driven
  – Use the business of the application to drive authorization settings
– Accountability: audit early, not often
  – “Pop” audit into/near the application
– Security administration: collections and hierarchies for scale
Enterprise Application Security Integration (EASI) Framework
EASI Framework Architecture
(Figure: Enterprise Security Integration Framework, layered from the application components down to the security products)
– Application components: Presentation Components, Business Logic Components, Legacy, Data Stores
– Security APIs: Custom Security APIs, Vendor Security APIs, Standard Security APIs
– Framework Security Facilities: Profile Manager, Security Association, Proxy Services
– Core Security Services: Authentication, Authorization, Cryptography, Accountability, Security Administration
– Products: Authentication Products, Authorization Products, Cryptography Products, Accountability Products, Security Administration Products
Specific Example of EASI: Quadrasis
(Figure: the Quadrasis EASI Security Unifier spanning four tiers – Client Tier (Browser, Application Client), Presentation Tier (Web Servers), Component Tier (Web Services, Application Servers) and Back-Office Tier (Mainframes).)
– Application Infrastructure Security Services: EASI Executive, EASI Security Service Mappers, EASI Application Environment Adapters
– APIs: Authentication API, Authorization API, Audit API, Cryptography API
– Services: Authentication Services, Authorization Services, Cryptography Services, Accountability Services, Security Administration Services
– Security Management: Security Administration, Security Configuration, Security Policy, Databases
EASI Pros and Cons
Pros
– Common security infrastructure shared across the enterprise
– Decoupling applications from products
– Well-defined boundary between business and security logic
– No need to implement everything at once
Cons
– Complex due to generality
– Performance and scalability constraints
– Significant initial effort in designing and building it
– Has to be politically accepted in many different “parties” of the organization
– Semantic mismatch among security products makes their “swapping” hard
Example
ePortal.com and eBusiness.com
(Figure: Internet customers → HTML/HTTPS → ePortal.com → SOAP/HTTPS → eBusiness.com)
Functional Security Requirements
eBusiness.com
– Limit visitor access
– Protect the accounts of each individual
– Grant members more access
– Secure exchange with ePortal.com
– Administrator control of critical functions
– Restrict administrators’ abilities
ePortal.com
– Limit visitor access
– Eliminate administration of new customers
– Grant members more access
– Secure exchange with eBusiness.com
(Figure: deployment of the EASI Framework and Services across ePortal.com and eBusiness.com.)
– ePortal.com: Internet customer’s Browser (HTML/HTTPS) and the eBuyer.com Web Service Client Application (SOAP/HTTPS) arrive through the Internet Firewall; Perimeter Tier / DMZ: ePortal.com Web Server (IIS, ASP.NET); Middle Tier: COM+ StoreFront, reached over DCOM; EASI Framework and Services (Framework Security Facilities, Security APIs, Core Security Services) spanning the tiers
– eBusiness.com: SOAP/HTTPS from ePortal.com through the Firewall; Perimeter Tier / DMZ: eBusiness.com Web Server (iPlanet); Middle Tier: WebLogic J2EE App Svr hosting the StoreFront Service, reached over SOAP/HTTP; Back Office Tier: Oracle (Accounts, Products/Prices); EASI Framework and Services (Framework Security Facilities, Security APIs, Core Security Services) spanning the tiers
EASI Framework for ePortal.com
(Figure: ePortal.com Enterprise Application Security Integration Framework)
– Core Security Services: Authentication, Authorization, Cryptography, Accountability, Security Administration
– Framework Security Facilities: Active Directory Service, WS-Security/SAML Service
– Security APIs: ASP.NET, COM+
– Products and mechanisms in use: Custom Self-Registration, Web SSO, SAML Service; Firewall, Intrusion Detection System; Web SSO, COM+; Windows 2000, SSL; Custom Self-Registration Module
EASI Framework for eBusiness.com
(Figure: eBusiness.com Enterprise Application Security Integration Framework)
– Core Security Services: Authentication, Authorization, Cryptography, Accountability, Security Administration
– Framework Security Facilities: iPlanet Directory Service, WS-Security/SAML Service
– Security APIs: JAAS, EJB
– Products and mechanisms in use: Oracle Security, SAML Service; Firewall, iPlanet; WebLogic, SSL; Oracle Attribute Mapping
Security Gotchas at the System Architecture Level
– Scaling
  – Distribute requests over multiple security policy servers
  – Central administration
  – Administration delegation
– Performance – “No free lunch”
  – Encryption algorithms
  – Underlying transport
  – Policy granularity
  – Caching
Presentation Slides
http://www.beznosov.net/konstantin