Forum SOA for e-Gov Conference 2006
Web Services and SOA Security
SOA for E-Government Conference
Greg Hudson, Vice President Sales
FORUM SYSTEMS
Company Overview
Founded: May 2001
Product: Forum Sentry™
Maturity: In production since 2002; over 150 customers

Accomplishments
• Mature product, Version 6.0
• Leader in SOA security infrastructure
• Award-winning technology
• Award-winning company
• Sales presence in all major US cities
• Global operations and support
• Flexible, functional, scalable
 – Hardware and software
 – Development to deployment
 – Test, protect, trust, assurance
 – Simple to sophisticated
• Non-invasive installation
• Strong, well-established partnerships

Customers
Citigroup, T-Mobile, MassMutual, US Navy, NATO, US Air Force, Amazon, IRS, USDA, Charles Schwab, Providian, Marsh, Motorola, Amazon.com, NWM, Capital Group, Knights of Columbus, Phoenix Companies, Chubb Insurance, Navy Medical Center, AFG, Synovus, ….

Certifications
• Only FIPS 140-2 Level 3 SOA appliance
• DoD PKI certification
• EAL 4+ Common Criteria
Industry in Transition
(Figure: timeline from EDI to .COM to XML to Web Services)
Drivers: business agility, open standards, service contracts, loose coupling, autonomy, abstraction, common semantics
Service-Oriented Architecture: A Foregone Conclusion?
Forrester:
Over 80 percent of business application products sold between 2005 and 2008 will be Service Oriented Business Applications
ZapThink:
Estimates that XML will represent 25% of all network traffic by 2006
Gartner Group:
Predicts that over 80% of all software development will be based on SOA by 2008
Evolution of the IP Network
(Figure: from Internet Protocol networking to application-oriented networking built on XML, SOAP, WSDL and WS-*; the participants are the Consumer, the Metadata directory and the Service Provider)
1. The service describes itself and its interfaces to the directory using WSDL
2. The user locates the service in the directory and finds the service details
3. The user and the service interact using XML/SOAP, most likely over HTTP
So What's Stopping You?
(Figure: the Automated Enterprise, built on HTML, XML/SOAP and UDDI/WSDL)
Approximately 75% of attacks today target business applications, and these threats are poised to rise with the growing adoption of XML web services.
By 2005, web services will have reopened 70 percent of the attack paths against Internet-connected systems that were closed by network firewalls.
By 2008, at least 30 percent of companies that have deployed web services applications will fall victim to successful hacker attacks causing more than four hours of downtime to business-critical functions.
The Need for an XML/Web Services Security Infrastructure
(Figure: a web services consumer on the Internet sends a request through the network layer into the application layer, where the web services producer's web server, application server and customer database support Order Management and Inventory Management)
1. Execute order-fulfillment request
2. Order-fulfillment message
3. Explosive document (malicious payload inbound)
4. Sensitive document (data outbound)
The questions the infrastructure must answer:
• Is this valid XML/SOAP?
• Is the request accessing data using inadequate privileges?
• Is message privacy/integrity assured?
You Can't Deploy Web Services Without Security
Service-Oriented Architecture/Web Services greatly simplify application integration and increase business opportunities, but also introduce new concerns:
• Security
 – XML and SOAP expose valuable backend systems
 – XML denial of service, buffer overruns, SQL injection
 – SSL is insufficient for message confidentiality
 – Protecting against unauthorized access
• Manageability
 – Policy development and enforcement becomes difficult
 – Root cause and business impact analysis is challenging
 – Upholding service level agreements becomes challenging
 – And most importantly, service lifecycles accelerate out of control
Are SSL and Firewalls Enough?
The majority (over 98%) of breaches happen while the data is at rest, not in transit:
• Firewalls still leave open ports (80 and 443)
• SSL begins and terminates at the network perimeter
• SSL is point-to-point and breaks down in a multi-hop environment: every intermediary that terminates it sees, and can alter, the plaintext
• SSL is not data aware: it encrypts everything that passes through it
• SSL hides content from switches
• SSL is dependent on the network
• SSL and VPNs do not authenticate at the data level, and rarely at the transport user level
• Firewalls are not content aware
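An added example, not from the deck or from Forum Systems, of the point-to-point limitation above: a signature computed over the SOAP Body and carried in a WS-Security header stays verifiable after an intermediary terminates TLS, re-parses the envelope and adds its own routing header, while any change to the Body is detected. It uses only the Python standard library; an HMAC over the canonicalized Body stands in for an XML Signature, and the gw:BodySignature element, the urn:example namespaces, the shared key and the order message are assumptions made for the demo.

```python
"""Added example: end-to-end SOAP Body integrity that survives a TLS-terminating hop.

An HMAC over the canonicalized soap:Body stands in for an XML Signature; the
gw:BodySignature element and the urn:example namespaces are demo assumptions.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
GW = "urn:example:gateway"        # assumed namespace for the demo's signature element
ROUTING = "urn:example:routing"   # assumed namespace for the intermediary's header
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("gw", GW), ("rt", ROUTING)):
    ET.register_namespace(prefix, uri)

SHARED_KEY = b"demo-shared-secret"   # constructed; a real deployment uses X.509 keys

# Constructed order-fulfillment request, modelled on the deck's example flow
REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header/>
  <soap:Body>
    <OrderFulfillment><orderId>1001</orderId><quantity>3</quantity></OrderFulfillment>
  </soap:Body>
</soap:Envelope>"""


def canonical_body(envelope: ET.Element) -> bytes:
    """Serialize only the Body in C14N form so header changes never affect the digest."""
    body = envelope.find(f"{{{SOAP}}}Body")
    if body is None:
        raise ValueError("no soap:Body")
    return ET.canonicalize(ET.tostring(body, encoding="unicode"), strip_text=True).encode()


def sign_envelope(envelope: ET.Element) -> None:
    """Put a MAC over the Body into a wsse:Security header (stand-in for ds:Signature)."""
    mac = hmac.new(SHARED_KEY, canonical_body(envelope), hashlib.sha256).digest()
    header = envelope.find(f"{{{SOAP}}}Header")
    if header is None:                  # an empty Element is falsy, so test for None
        header = ET.Element(f"{{{SOAP}}}Header")
        envelope.insert(0, header)      # Header must precede Body
    security = ET.SubElement(header, f"{{{WSSE}}}Security")
    ET.SubElement(security, f"{{{GW}}}BodySignature").text = base64.b64encode(mac).decode()


def verify_envelope(envelope: ET.Element) -> bool:
    """Recompute the MAC over the Body as received and compare in constant time."""
    sig = envelope.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{GW}}}BodySignature")
    if sig is None or not sig.text:
        return False
    try:
        given = base64.b64decode(sig.text, validate=True)
    except ValueError:
        return False
    expected = hmac.new(SHARED_KEY, canonical_body(envelope), hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)


def build_signed_request() -> bytes:
    env = ET.fromstring(REQUEST)
    sign_envelope(env)
    return ET.tostring(env)


def unsigned_request() -> bytes:
    return REQUEST.encode()


def verify_bytes(message: bytes) -> bool:
    return verify_envelope(ET.fromstring(message))


def intermediary_hop(message: bytes) -> bytes:
    """What a TLS-terminating hop does: parse, add its own header, re-serialize."""
    env = ET.fromstring(message)
    header = env.find(f"{{{SOAP}}}Header")
    ET.SubElement(header, f"{{{ROUTING}}}Hop").text = "gateway-1"
    return ET.tostring(env)


def tamper(message: bytes) -> bytes:
    """A hop that alters business data: the Body changes, so the MAC no longer matches."""
    env = ET.fromstring(message)
    env.find(".//quantity").text = "999"
    return ET.tostring(env)


if __name__ == "__main__":
    signed = build_signed_request()
    print("as sent:      ", verify_bytes(signed))
    print("after hop:    ", verify_bytes(intermediary_hop(signed)))
    print("after tamper: ", verify_bytes(tamper(signed)))
```

The design point is that the integrity check binds to the data (the canonicalized Body), not to the connection: the hop may rewrite headers, change transport, or re-encode the envelope and the receiver can still verify, which TLS terminated at the perimeter cannot offer.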
Firewalls Are Blind to XML/SOAP
(Figure: firewall inspection depth stops at the network and transport headers; the XML/SOAP payload passes uninspected)
Firewalls cannot scan and block malicious payloads.
XML/SOAP inspection is about context, not just content.
XML-related Threat Reference Table
(Columns: Technique, Description, Protection)

Oversized Payload
 Description: Sending oversized messages to create an XDoS attack
 Protection: Inspect the payload and enforce element, document, and other maximum payload thresholds

Recursive Payload
 Description: Sending mass amounts of nested data to create an XDoS attack against the XML parser
 Protection: Content inspection ensures SOAP messages are constructed properly according to WSDL, XML Schema, and other security specifications

WSDL Scanning
 Description: Scanning the WSDL interface can reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities
 Protection: Web services cloaking hides the web service's true location from consumers

Inadvertent XML DoS
 Description: Poorly encoded SOAP messages causing the application to fail
 Protection: Content inspection ensures SOAP messages are constructed properly according to WSDL, XML Schema and intrusion prevention rules

XML Parameter Tampering
 Description: Injection of malicious scripts or content into request parameters
 Protection: Validation of parameter values to ensure they are consistent with WSDL and XML Schema specifications

Schema Poisoning
 Description: Manipulating the XML Schema to alter processing information
 Protection: Protect against schema poisoning by relying on trusted WSDL documents and XML Schemas
XML-related Threat Table (2)
(Columns: Technique, Description, Protection)

External Entity Attack
 Description: An attack on an application that parses XML input from untrusted sources
 Protection: Suppress external URI references to protect against malicious data sources and instructions; rely on well-known and certified URIs

Malicious Code Injection
 Description: Scripts embedded within a SOAP message can be delivered directly to applications and databases; traditional binary executables and viruses attached to SOAP payloads
 Protection: Content inspection of SOAP attachments ensures messages contain legitimate content as defined in the WSDL, XML Schema and content security policies

Identity Centric Attack
 Description: Credentials are forged or impersonated in an attempt to access sensitive data
 Protection: Enforce basic or strong authentication at the SOAP message level, with auditing and logging for forensic analysis

SQL Injection
 Description: SQL injection allows commands to be executed directly against the database for unauthorized disclosure and modification of data
 Protection: Rely on dirty-word searches, restrictive context-sensitive filtering and data validation techniques (a blocklist alone is bypassable; the backend should also use parameterized queries)

XML Routing Detours
 Description: Redirecting sensitive data within the XML path
 Protection: WSDL virtualization enforces strict routing behavior
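An added example, not from the deck or from Forum Systems, of the admission checks the two tables describe, implemented as a single gateway-side filter: a byte threshold for Oversized Payload, a nesting limit for Recursive Payload, DOCTYPE and external-entity refusal for External Entity Attack, per-element value rules for XML Parameter Tampering, and a clean rejection of badly formed input for Inadvertent XML DoS. It uses only Python's standard-library expat parser; the thresholds, the VALUE_RULES dictionary standing in for an XML Schema, and the sample messages are constructed for the demo.

```python
"""Added example: an XML admission filter covering several rows of the threat tables.

Uses only the standard library (expat). The thresholds, the VALUE_RULES standing
in for an XML Schema, and the sample messages are constructed for the demo.
"""
import re
from dataclasses import dataclass
from xml.parsers import expat

MAX_BYTES = 64 * 1024   # oversized-payload threshold (assumed value)
MAX_DEPTH = 32          # recursive-payload threshold (assumed value)

# Hypothetical per-element content rules in place of an XML Schema: the text of
# each listed element must fully match its pattern (parameter tampering check).
VALUE_RULES = {
    "orderId": re.compile(r"\d{1,10}"),
    "quantity": re.compile(r"\d{1,4}"),
    "sku": re.compile(r"[A-Z0-9-]{1,20}"),
}


class Reject(Exception):
    """Raised from a parser callback when the message violates policy."""


@dataclass
class Verdict:
    accepted: bool
    reason: str


def _local_name(name: str) -> str:
    # With namespace processing on, expat reports "uri local"; keep the local part.
    return name.rsplit(" ", 1)[-1]


def admit(message: bytes) -> Verdict:
    """Decide whether a SOAP/XML message may pass to the application."""
    if len(message) > MAX_BYTES:
        return Verdict(False, f"oversized payload: {len(message)} bytes > {MAX_BYTES}")

    parser = expat.ParserCreate(namespace_separator=" ")
    depth = 0
    text_stack = []   # one buffer of character data per open element

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # No DTD means no entity declarations: blocks external entities and expansion bombs.
        raise Reject("DOCTYPE declaration not permitted")

    def external_entity(context, base, system_id, public_id):
        raise Reject(f"external entity reference to {system_id!r}")

    def start_element(name, attrs):
        nonlocal depth
        depth += 1
        if depth > MAX_DEPTH:
            raise Reject(f"recursive payload: nesting deeper than {MAX_DEPTH}")
        text_stack.append([])

    def character_data(data):
        if text_stack:
            text_stack[-1].append(data)

    def end_element(name):
        nonlocal depth
        depth -= 1
        text = "".join(text_stack.pop()).strip()
        rule = VALUE_RULES.get(_local_name(name))
        if rule is not None and not rule.fullmatch(text):
            raise Reject(f"parameter tampering: <{_local_name(name)}> value {text!r} fails schema rule")

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data

    try:
        parser.Parse(message, True)
    except Reject as exc:
        return Verdict(False, str(exc))
    except expat.ExpatError as exc:
        return Verdict(False, f"malformed XML: {exc}")   # inadvertent XML DoS: bad encoding
    return Verdict(True, "ok")


# Constructed sample messages
BENIGN = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><OrderFulfillment><orderId>1001</orderId><sku>AB-12</sku>
  <quantity>3</quantity></OrderFulfillment></soap:Body></soap:Envelope>"""

TAMPERED = BENIGN.replace(b"<orderId>1001</orderId>", b"<orderId>1001 OR 1=1</orderId>")

XXE = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY f SYSTEM "file:///etc/passwd">]>'
       b"<OrderFulfillment><orderId>&f;</orderId></OrderFulfillment>")


def nested(depth: int) -> bytes:
    """Recursive payload: `depth` nested elements (no text, so tiny in bytes)."""
    return b"<a>" * depth + b"</a>" * depth


def oversized() -> bytes:
    return b"<a>" + b"x" * MAX_BYTES + b"</a>"


if __name__ == "__main__":
    for label, msg in [("benign", BENIGN), ("tampered", TAMPERED), ("xxe", XXE),
                       ("nested", nested(40)), ("oversized", oversized())]:
        print(f"{label:10s} -> {admit(msg)}")
```

The size check runs before any parsing and the depth check fires inside the parser, so neither a large nor a deeply nested document is ever fully built in memory; refusing the DOCTYPE up front is what makes the external-entity handler a second line of defence rather than the only one.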
Security Is Never One Size Fits All
Trust Management
• Message integrity (sign and verify)
• Message privacy (encrypt and decrypt)
• Crypto and XML acceleration
• Protocol and message authentication: SAML, WS-Trust, WS-Federation
• DoD PKI, FIPS, Common Criteria
Threat Protection
• Filter all SOAP/XML messages for threats and information leaks
• Attack prevention: XML DoS, antivirus
• Authentication and access control
• Interoperability: WS-I, WS-Security
Basic Web Service Invocation
(Figure: Requestor and Provider exchanging messages)
Message exchange patterns: request/reply, solicit/response, one-way, notification
Web Service Invocation with WS-Security Gateway
(Figure: the Requestor sends to the FS proxy, which applies the security definitions and forwards to the Provider; transports: HTTP(S), MQ/JMS, Tibco/JMS)
Web Service Enablement: Security and Protocol Mediation (figure)
Making SOA Operational: Lines of Deployment
Mature SOA Deployment Requirements
• Scalable delivery: connectivity, transports, availability, accessibility, performance
• Policy/governance enforcement: SLAs, exceptions, activity reporting, monitoring, privacy, traceability, auditing
• Web services security: attack prevention, authentication, access control, data confidentiality, identity services
Security Policy: Four Major Phases
(Figure: a cycle of Secure, Monitor, Testing and Improve around the security policy)
• Secure
 – Authentication
 – Encryption
 – Firewall
 – Vulnerability mitigation
• Monitor
• Testing
• Improve
• Applicable in each lifecycle phase
Web Services Life-cycle Security
Development-time protections
• Vulnerability testing, WSDL generation, schema generation, WSDL tightening, schema tightening
Execute-time protections
• Perimeter protection: SSL concentration, signature check/decryption, XML/SOAP processing, malcode filtering, endpoint filtering, antivirus
• Policy enforcement: security management, service management, identity management, profile compatibility, apply signature/encryption, transform/redirect
• App-specific protections: WSDL validation, schema validation, content inspection, monitoring, discovery, vulnerability management
• The application: app-specific controls
US Government: Secure Data Requirements
» U.S. government systems security requirements: DITSCAP (DIACAP), DCID 6/3, FISMA, NSTISSP #11, CNSS Policy #15, NCES, EGA, GISRA . . . .
» Government certification and accreditation requirements: FIPS (Federal Information Processing Standards), DoD PKI compliance, NIAP Common Criteria certification
» eGov and Federal Enterprise Architecture standards: OASIS, W3C, WS-I, Liberty Alliance
IA: Information Assurance (Security)
Threat mitigation: intrusion detection and message threat prevention
• Web services validation: only valid WSDLs and XML are allowed to be published and consumed
• SOAP and XML validation: only properly formatted SOAP and XML are permitted
• SOAP and XML message-based denial of service mitigation: SOAP messages and XML are scrubbed for potential denial of service threats and quarantined
• SOAP with XML and non-XML attachments virus scanned: SOAP with attachments is scanned for known virus signatures and quarantined
Trust: information policy management and trust enforcement
• Authentication and authorization: only authorized users (service consumers, service providers, and applications) access web services
• Confidentiality: protects messages or documents so that they cannot be made available to unauthorized parties
• Data integrity: provides protection against unauthorized alteration of messages during transit
• Non-repudiation: ensures that a sender cannot deny a message already sent, and a receiver cannot deny a message already received (non-repudiation is especially important in monetary transactions and security auditing)
• Accountability: provides secure logging and auditing (supports non-repudiation)
• Interoperability: government and industry standards support interoperability between entities
Forum Systems: The Leader in Web Services and SOA Security
Trust Management, Threat Protection, XML Acceleration
• A comprehensive suite of XML acceleration, trust management and threat protection solutions that actively protects XML data and web services across networks and business boundaries
 – Flexible hardware, software and embedded products
 – Seamless security solutions architecture: adaptive, life-cycle
Product Line
• Rack-mounted appliances consist of specific components for high-speed optimization: Intel Xeon, Broadcom, nCipher, SafeNet
• 32-bit and 64-bit architecture
• All products available in multiple form factors
Products: Web Services Firewall, SOA Gateway, Vulnerability Containment, Web Services Diagnostics, XML Accelerator
Software platforms: Linux, Solaris, Unix, Windows
Hardware platforms: eBlade from IBM, 64-bit appliance, HP BladeCenter, Crossbeam APM
Flexibility … In Deployment Options
The most extensive technology partnerships in the industry
ROI: Security, Management & Acceleration
(Figure: Web Service Client sends 1. HTTP(S) traffic to the gateway; 2, 3 authentication/access decision with the Policy Server; 4, 5 authentication/access delegation to the LDAP Directory; 6. authorized web service traffic forwarded over MQ/JMS/HTTP(S) to the Web Service)
• Request processing
 – Authenticates user to IdAM
 – Inspects messages and attachments for threats
 – Encrypts sensitive data
 – Generates SAML assertions in the WS-Security header
• Response processing
 – Inspects messages and attachments for threats
 – Inspects messages for data leaks
 – Obfuscates sensitive exceptions
Forum Government Focus
» Our products are aligned with government use cases: prevent, guard, protect, compliance
» Federal Information Processing Standards (FIPS 140-2 Level 3): the only security gateway to provide an entire FIPS-compliant, hardware-based solution that implements the NIST cryptographic security standards
» DoD PKI compliance: the only security gateway to be interoperable with the Joint Interoperability Test Command (JITC)
» NIAP Common Criteria certification EAL 4+ (final stages)
» Federal Enterprise Architecture (FEA)/Federal XML Working Group, Liberty Alliance, OASIS, W3C
Security is our first priority
Forum XRay: Closing the Security Loop
(Figure: web service developers feed pre-deployment security; the vulnerability database (VulCon™) feeds operational security; both feed web services security management)
Pre-deployment security
• Identify vulnerabilities
• Reporting
• Conformance testing
Operational security
• Active monitoring of the web services topology
• Real-time profiling
• Integration with enforcement products (XWall)
XRAY Features
(Original table columns: Feature, XRAY, Enterprise SOA; each feature below carries a check mark)
• Dynamic service testing
• Vulnerability assessment
• Job history
• Test results reporting
• VulCon and XWall integration
• Policy-driven security testing
• Policy compliance reporting
• Centralized management
• Enterprise collaboration
• Shared library (user-selected DB)
Web Services Firewall
(Figure: XML/SOAP traffic from the Internet passes through admission control and threat protection before reaching the protected web services and content; managed through web services security management)
• XML web services authentication and access control
• XML Schema validation and XML intrusion prevention
• Standards support: WS-I, WS-Security
• Attack prevention: denial of service, virus, probe and extract, XML/XSD Schema and WSDL breaches
• WSDL aggregation and obfuscation
Web administration via a wizard-based configuration; policy configuration, SLA monitoring, auditing, logging
Web Services Security Gateway
(Figure: XML/SOAP traffic from the Internet passes through the gateway to the protected web services and content; managed through web services security management)
Management and acceleration of XML web services
• Sign, verify, encrypt, decrypt, validate and transform XML messages
• HTTP(S) to JMS gateway functionality (protocol mixing)
• Accelerated SSL connections
• Content-based routing
• Message authentication via single sign-on (SSO) tokens: CA/Netegrity, IBM Tivoli, Oblix COREid, RSA ClearTrust
• Government certification of appliance
Features
• Data admission control
 – Validate XML structure
 – Filter for malicious content (malware, viruses, SQL injection, DoS)
 – Ensure interoperability
 – Schema tightening
 – Large attachment support
 – Web service cloaking
• Web service authorization
 – Fine-grained WSDL/SOAP/XML authentication
 – Business API access control
 – Identity and entitlements administration
 – Identity management integration (add-on): CA/Netegrity SiteMinder, ClearTrust; IBM Tivoli Access Manager; Oblix COREid; integration with Systinet, AmberPoint, HP SOA Manager . . .
Features
• Web services privacy and integrity
 – High-performance XML processing
 – Element-level encryption
 – Electronic (digital) signatures
 – Support for WS-Security 2004: SAML Token Profile, Username Token Profile, SOAP with Attachments, Kerberos
 – 100% DoD PKI certification
 – Content-based routing
 – Protocol mixing: IBM MQ, Tibco Rendezvous and EMS, JMS-compliant, SMTP
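An added example, not from the deck or from the product, of message-level authentication with the WS-Security Username Token Profile listed above, in its PasswordDigest form (Base64(SHA-1(nonce + created + password))). It shows the two checks a gateway needs beyond the digest itself so that a captured token cannot be replayed: a freshness window on wsu:Created and a cache of nonces already accepted. Standard library only; the USERS table stands in for the LDAP directory and the five-minute window is an assumed policy value.

```python
"""Added example: WS-Security UsernameToken (PasswordDigest) issuance and gateway-side check.

USERS stands in for the directory; FRESHNESS is an assumed policy value.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)

USERS = {"alice": "correct horse battery staple"}   # constructed credential store
FRESHNESS = timedelta(minutes=5)                    # assumed window for wsu:Created
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile rule: Base64(SHA-1(nonce + created + password)), nonce as raw bytes."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def issue_token(username: str, password: str, now: datetime) -> ET.Element:
    """Client side: build <wsse:UsernameToken> with a fresh random nonce."""
    nonce = os.urandom(16)
    created = now.astimezone(timezone.utc).strftime(TIME_FMT)
    token = ET.Element(f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(token, f"{{{WSSE}}}Nonce", EncodingType=B64_TYPE).text = base64.b64encode(nonce).decode()
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    return token


def verify_token(token: ET.Element, now: datetime, seen_nonces: set) -> tuple:
    """Gateway side: returns (accepted, reason). seen_nonces is the replay cache."""
    username = token.findtext(f"{{{WSSE}}}Username")
    pw = token.find(f"{{{WSSE}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if username is None or pw is None or nonce_b64 is None or created is None:
        return False, "incomplete token"
    if pw.get("Type") != DIGEST_TYPE:
        return False, "only PasswordDigest tokens accepted"   # refuse PasswordText
    try:
        created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
        nonce = base64.b64decode(nonce_b64, validate=True)
    except ValueError:
        return False, "malformed Created or Nonce"
    if abs(now - created_at) > FRESHNESS:
        return False, "stale Created"
    if nonce_b64 in seen_nonces:
        return False, "replayed nonce"
    # Compute a digest even for unknown users so timing does not reveal which names exist.
    expected = password_digest(nonce, created, USERS.get(username, ""))
    if username not in USERS or not hmac.compare_digest(expected, pw.text or ""):
        return False, "digest mismatch"
    seen_nonces.add(nonce_b64)      # record only accepted nonces
    return True, "ok"


def roundtrip(token: ET.Element) -> ET.Element:
    """Serialize and re-parse, as the token would travel inside wsse:Security."""
    return ET.fromstring(ET.tostring(token))


def demonstrate(now: datetime = None) -> list:
    """Run five cases; returns their (accepted, reason) results in order."""
    now = now or datetime.now(timezone.utc)
    cache = set()
    tok = roundtrip(issue_token("alice", USERS["alice"], now))
    return [
        verify_token(tok, now, cache),                                   # first use
        verify_token(tok, now, cache),                                   # replay of the same token
        verify_token(issue_token("alice", "guess", now), now, cache),    # wrong password
        verify_token(tok, now + timedelta(minutes=10), set()),           # outside the window
        verify_token(issue_token("mallory", "x", now), now, cache),      # unknown user
    ]


if __name__ == "__main__":
    for label, result in zip(["first", "replay", "wrong pw", "stale", "unknown"], demonstrate()):
        print(f"{label:9s} -> {result}")
```

The nonce cache only needs to remember nonces for as long as the freshness window, since anything older is rejected on wsu:Created before the cache is consulted; this is what keeps the replay check bounded on a gateway handling many clients.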
Vulnerability Containment
(Figure: the XML Vulnerability Intelligence Database, fed by security threat intelligence)
Single source of XML-related vulnerabilities
• Threat intelligence subscription service
• Product vulnerability lookup dictionary
• Tools to limit exposure for SOAs and web services
• Notifications via HTML, WSDL/XML, RSS and email
• Automated delivery of industrial-strength anti-virus
• Real-time policy updates (XML intrusion prevention)
• Patch updates: stored and updated by product, version, vulnerability
• Vulnerability response management, cross-platform