Forum SOA for e-Gov Conference 2006
Web Services and SOA Security
SOA for E-Government Conference
Greg Hudson, Vice President Sales, FORUM SYSTEMS


Page 2: Company Overview

Founded: May 2001
Product: Forum Sentry™
Maturity: In production since 2002; over 150 customers

Accomplishments
• Mature product, Version 6.0
• Leader in SOA Security Infrastructure
• Award winning technology
• Award winning company
• Sales presence in all major US cities
• Global operations and support
• Flexible, Functional, Scalable
  – Hardware and Software
  – Development to Deployment
  – Test, Protect, Trust, Assurance
  – Simple to Sophisticated
• Non-Invasive Installation
• Strong, well established partnerships

Customers
Citigroup, T-Mobile, MassMutual, US Navy, NATO, US Air Force, Amazon, IRS, USDA, Charles Schwab, Providian, Marsh, Motorola, Amazon.com, NWM, Capital Group, Knights of Columbus, Phoenix Companies, Chubb Insurance, Navy Medical Center, AFG, Synovus, ...

Certifications
• Only FIPS 140-2 Level 3 SOA Appliance
• DoD PKI Certification
• EAL 4+ Common Criteria (in the final stages of evaluation, per the Government Focus slide)

Page 3: Industry In Transition

Evolution: EDI -> .COM -> XML -> Web Services

SOA characteristics: Business Agility, Open Standards, Service Contracts, Loose Coupling, Autonomy, Abstraction, Common Semantics

Page 4: Service-Oriented Architecture: A Foregone Conclusion?

Forrester:

Over 80 percent of business application products sold between 2005 and 2008 will be Service Oriented Business Applications

ZapThink:

Estimates that XML will represent 25% of all network traffic by 2006

Gartner Group:

Predicts that over 80% of all software development will be based on SOA by 2008

Page 5: Evolution of The IP Network

Internet Protocol Networking -> Application-Oriented Networking (XML, SOAP, WSDL, WS-*)

Diagram: Consumer <-> Metadata (directory) <-> Service Provider

1. The service describes itself and its interfaces to the directory using WSDL
2. The consumer locates the service in the directory and retrieves the service details
3. Consumer and service interact using XML/SOAP, typically over HTTP

Page 6: So What's Stopping You?

Diagram: HTML -> XML/SOAP -> UDDI/WSDL ("The Automated Enterprise")

Analyst projections quoted on the slide (sources not given):

Approximately 75% of attacks today target business applications, and these threats are poised to rise with the growing adoption of XML web services.

By 2005, web services will have reopened 70 percent of the attack paths against Internet-connected systems that were closed by network firewalls.

By 2008 at least 30 percent of companies that have deployed web services applications will fall victim to successful hacker attacks causing more than four hours of downtime to business-critical functions.

Page 7: The Need for an XML/Web Services Security Infrastructure

Diagram: a Web Services Consumer on the Internet calls a Web Services Producer (web server, application server, customer database, and the Order Management and Inventory Management applications). The network layer is on the left, the application layer on the right.

1. The consumer executes an Order Fulfillment request
2. The Order Fulfillment message crosses the perimeter
3. An explosive document (a malicious payload) reaches the application server
4. A sensitive document leaks back out

Questions the infrastructure must answer:
• Is this valid XML/SOAP?
• Is the request accessing data using inadequate privileges?
• Is message privacy/integrity assured?

Page 8: You Can't Deploy Web Services Without Security

Service Oriented Architecture/Web Services greatly simplify application integration and increase business opportunities, but also introduce new concerns:

• Security
  – XML and SOAP expose valuable backend systems
  – XML Denial of Service, buffer overruns, SQL injection
  – SSL alone is insufficient for end-to-end message confidentiality (it protects only the hop on which it terminates)
  – Protecting against unauthorized access
• Manageability
  – Policy development and enforcement becomes difficult
  – Root cause and business impact analysis is challenging
  – Upholding service level agreements becomes challenging
  – And most importantly, service lifecycles accelerate out of control

Page 9: Are SSL and Firewalls Enough?

Majority (over 98%) of breaches happen while the data is at rest, not in transit (figure as quoted on the slide, no source given):

• Firewalls still allow open ports (80 and 443), so anything carried over HTTP/HTTPS passes through
• SSL begins and terminates at the network perimeter
• SSL is point to point and breaks down in a multi-hop environment: every intermediary sees the plaintext
• SSL is not data aware: it encrypts everything on the connection regardless of sensitivity
• SSL hides content from switches and other network inspection devices
• SSL is dependent on the network
• SSL and VPNs do not authenticate at the data (message) level, and rarely at the transport user level
• Firewalls are not content aware

Page 10: Firewalls Are Blind to XML/SOAP

Diagram: Firewall Inspection Depth. A network firewall decides on IP addresses, ports and protocol headers; the SOAP body riding over port 80/443 is never examined, so the firewall cannot scan and block malicious payloads.

XML/SOAP inspection is about context, not just content: the same element or value can be legitimate in one operation and an attack in another, so the inspector has to know which WSDL operation and schema it is checking against.

Page 11: XML-related Threat Reference Table

Columns: Technique / Description / Protection

Oversized Payload
  Description: Sending oversized messages to create an XDoS attack
  Protection: Inspect the payload and enforce element, document, and other maximum payload thresholds

Recursive Payload
  Description: Sending mass amounts of nested data to create an XDoS attack against the XML parser
  Protection: Content inspection ensures SOAP messages are constructed properly according to WSDL, XML Schema, and other security specifications

WSDL Scanning
  Description: Scanning the WSDL interface can reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities
  Protection: Web services cloaking hides the web service's true location from consumers

Inadvertent XML DoS
  Description: Poorly encoded SOAP messages causing the application to fail
  Protection: Content inspection ensures SOAP messages are constructed properly according to WSDL, XML Schema and intrusion prevention rules

XML Parameter Tampering
  Description: Injection of malicious scripts or content into request parameters
  Protection: Validation of parameter values to ensure they are consistent with WSDL and XML Schema specifications

Schema Poisoning
  Description: Manipulating the XML Schema to alter processing information
  Protection: Protect against schema poisoning by relying on trusted WSDL documents and XML Schemas

Page 12: XML-related Threat Table (2)

Columns: Technique / Description / Protection

External Entity Attack
  Description: An attack on an application that parses XML input from untrusted sources; the document declares an external entity whose URI the parser resolves, pulling local files or remote content into the message
  Protection: Suppress external URI references to protect against malicious data sources and instructions; rely on well-known and certified URIs

Malicious Code Injection
  Description: Scripts embedded within a SOAP message can be delivered directly to applications and databases; traditional binary executables and viruses attached to SOAP payloads
  Protection: Content inspection of SOAP attachments ensures messages contain legitimate content as defined in the WSDL, XML Schema and content security policies

Identity Centric Attack
  Description: Credentials are forged or impersonated in an attempt to access sensitive data
  Protection: Enforce basic or strong authentication at the SOAP message level with auditing and logging for forensic analysis

SQL Injection
  Description: SQL injection allows commands to be executed directly against the database for unauthorized disclosure and modification of data
  Protection: Rely on dirty word searches, restrictive context-sensitive filtering and data validation techniques (keyword blacklists at the gateway are a supplement; the authoritative control is parameterized queries in the service itself)

XML Routing Detours
  Description: Redirecting sensitive data within the XML path (for example through routing or addressing headers)
  Protection: WSDL virtualization enforces strict routing behavior
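Most rows of the two threat tables come down to checks a gateway can run before a message reaches the backend parser or the application. The block below is an added example written for this page, not Forum Sentry code and not from the presentation: it implements the oversized-payload, recursive-payload, external-entity, parameter-tampering and inadvertent-XML-DoS rows against constructed SOAP messages. The element names, value patterns and threshold values stand in for a hypothetical OrderFulfillment service's WSDL/XML Schema policy and are assumptions.

```python
"""Admission control for an inbound SOAP/XML message: the checks behind the
threat-table rows (oversized payload, recursive payload, external entity,
parameter tampering, malformed XML). Illustration written for this page."""
import re
from xml.parsers import expat

# Assumed policy thresholds for a hypothetical OrderFulfillment service.
MAX_BYTES = 64 * 1024      # oversized-payload threshold
MAX_DEPTH = 32             # recursive-payload threshold (nesting depth)
MAX_ELEMENTS = 10_000      # element-count threshold

# Stand-in for the service's WSDL/XML Schema: the only element local names
# allowed, and a value pattern for each business parameter (assumed).
ALLOWED_ELEMENTS = {"Envelope", "Header", "Body", "OrderFulfillment", "OrderId", "Quantity"}
PARAM_PATTERNS = {
    "OrderId": re.compile(r"[A-Z]{2}-\d{6}"),
    "Quantity": re.compile(r"\d{1,4}"),
}


class Rejected(Exception):
    """Policy violation; raising it inside an expat handler aborts the parse."""


def inspect_message(raw: bytes) -> dict:
    """Return the validated business parameters, or raise Rejected with the reason."""
    if len(raw) > MAX_BYTES:
        raise Rejected(f"oversized payload: {len(raw)} bytes > {MAX_BYTES}")

    params, stack, text = {}, [], []
    count = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Both the external-entity attack (SYSTEM "file:///...") and internal
        # entity-expansion bombs need a DOCTYPE; SOAP traffic never legitimately has one.
        raise Rejected("DOCTYPE/entity declarations are not permitted")

    def on_external_entity(context, base, sysid, pubid):
        raise Rejected(f"external entity reference to {sysid!r}")

    def on_start(name, attrs):
        nonlocal count
        count += 1
        local = name.rsplit(":", 1)[-1]          # strip the namespace prefix
        if len(stack) + 1 > MAX_DEPTH:
            raise Rejected(f"recursive payload: depth {len(stack) + 1} > {MAX_DEPTH}")
        if count > MAX_ELEMENTS:
            raise Rejected(f"element count exceeds {MAX_ELEMENTS}")
        if local not in ALLOWED_ELEMENTS:
            raise Rejected(f"element {local!r} not in schema")
        stack.append(local)
        text.clear()

    def on_chars(data):
        text.append(data)

    def on_end(name):
        local = stack.pop()
        if local in PARAM_PATTERNS:
            value = "".join(text).strip()
            if not PARAM_PATTERNS[local].fullmatch(value):
                raise Rejected(f"parameter {local} fails pattern: {value!r}")
            params[local] = value
        text.clear()

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    try:
        parser.Parse(raw, True)
    except expat.ExpatError as exc:          # inadvertent XML DoS: malformed input
        raise Rejected(f"malformed XML: {exc}") from exc
    return params


def admission_decision(raw: bytes) -> str:
    """Gateway verdict as a string: 'ACCEPT: ...' or 'REJECT: <reason>'."""
    try:
        params = inspect_message(raw)
    except Rejected as exc:
        return f"REJECT: {exc}"
    return "ACCEPT: " + ", ".join(f"{k}={v}" for k, v in sorted(params.items()))


# Constructed sample traffic (not captured from any real system).
GOOD = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <OrderFulfillment>
      <OrderId>US-123456</OrderId>
      <Quantity>12</Quantity>
    </OrderFulfillment>
  </soap:Body>
</soap:Envelope>"""
XXE = b"""<?xml version="1.0"?>
<!DOCTYPE Envelope [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<Envelope><Body><OrderFulfillment><OrderId>&xxe;</OrderId></OrderFulfillment></Body></Envelope>"""
NESTED = b"<Envelope>" + b"<Body>" * 40 + b"</Body>" * 40 + b"</Envelope>"
TAMPERED = GOOD.replace(b"US-123456", b"US-123456' OR 1=1--")
OVERSIZED = GOOD.replace(b"<Quantity>", b"<!--" + b"A" * MAX_BYTES + b"--><Quantity>")
MALFORMED = GOOD.replace(b"</Quantity>", b"</Qty>")

if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("xxe", XXE), ("nested", NESTED),
                       ("tampered", TAMPERED), ("oversized", OVERSIZED), ("malformed", MALFORMED)]:
        print(f"{label:10} {admission_decision(msg)}")
```

Refusing any DOCTYPE is the simplest form of "suppress external URI references": a SOAP envelope has no legitimate use for one, and the same rule blocks internal entity-expansion bombs. Raising inside an expat handler stops parsing at the offending construct, so the nested payload is refused at the 33rd level rather than after the whole document has been consumed, and the size check runs before a single byte is parsed.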

Page 13: Security Is Never One Size Fits All

Trust Management
• Message Integrity (Sign & Verify)
• Message Privacy (Encrypt & Decrypt)
• Crypto and XML Acceleration
• Protocol & Message Authentication: SAML, WS-Trust, WS-Federation
• DoD PKI, FIPS, Common Criteria

Threat Protection
• Filter all SOAP/XML messages for threats and information leaks
• Attack Prevention: XML DoS, Antivirus
• Authentication & Access Control
• Interoperability: WS-I, WS-Security

Page 14: Basic Web Service Invocation

Requestor <-> Provider

WSDL operation patterns: Request/Reply, Solicit/Response, One-way, Notification

Page 15: Web Service Invocation with WS Security Gateway

Requestor <-> FS (Proxy) <-> Provider

The gateway sits in line as a proxy, applies the security definitions to each message, and carries traffic over HTTP(S), MQ/JMS or Tibco/JMS.

Page 16: Web Service Enablement – Security

Protocol Mediation (diagram only)

Page 17: Making SOA Operational: Lines of Deployment

(diagram only)

Page 18: Mature SOA Deployment Requirements

Scalable Delivery: Connectivity, Transports, Availability, Accessibility, Performance
Policy/Governance Enforcement: SLAs, Exceptions, Activity Reporting, Monitoring, Privacy, Traceability, Auditing
Web Services Security: Attack Prevention, Authentication, Access Control, Data Confidentiality, Identity Services

Page 19: Security Policy – Four Major Phases

Cycle around the Security Policy: Secure -> Monitor -> Testing -> Improve

• Secure
  – Authentication
  – Encryption
  – Firewall
  – Vulnerability Mitigation
• Monitor
• Testing
• Improve
• Applicable in each lifecycle phase

Page 20: Web Services Life-cycle Security

Development-Time Protections
• Vulnerability Testing
• WSDL Generation
• Schema Generation
• WSDL Tightening
• Schema Tightening

Execute-Time Protections
• Perimeter Protection: SSL concentration, signature check/decryption, XML/SOAP processing, malcode filtering, endpoint filtering, antivirus
• Policy Enforcement: security management, service management, identity management, profile compatibility, apply signature/encryption, transform/redirect
• App-specific Protections: WSDL validation, schema validation, content inspection, monitoring, discovery, vulnerability management
• The App: app-specific controls

Page 21: US Government – Secure Data Requirements

» U.S. Gov. Systems Security Requirements
  » DITSCAP (DIACAP), DCID 6/3, FISMA, NSTISSP #11, CNSS Policy #15, NCES, EGA, GISRA . . . .
» Gov. Certification and Accreditation Requirements
  » FIPS – Federal Information Processing Standards
  » DoD PKI Compliance
  » NIAP Common Criteria Certification
» eGov and Federal Enterprise Architecture Standards
  » OASIS, W3C, WS-I, Liberty Alliance

Page 22: IA – Information Assurance – Security

Threat Mitigation – Intrusion Detection and Message Threat Prevention
• Web Services validation – Only valid WSDLs and XML are allowed to be published and consumed
• SOAP and XML Validation – Only properly formatted SOAP and XML are permitted
• SOAP and XML Message based Denial of Service Mitigation – SOAP messages and XML are scrubbed for potential denial of service threats and quarantined
• SOAP with XML and non-XML attachments Virus Scanned – SOAP with attachments are scanned for known virus signatures and quarantined

Trust – Information Policy Management & Trust Enforcement
• Authentication and Authorization – Only authorized users (service consumers, service providers, and applications) access Web Services.
• Confidentiality – Protects messages or documents so that they cannot be made available to unauthorized parties.
• Data Integrity – Provides protection against unauthorized alteration of messages during transit.
• Non-repudiation – Ensures that a sender cannot deny a message already sent, and a receiver cannot deny a message already received. (Non-repudiation is especially important in monetary transactions and security auditing.)
• Accountability – Provides secure logging and auditing. (Supports non-repudiation.)
• Interoperability – Government and industry standards support interoperability between entities

Page 23: Forum Systems: The Leader in Web Services and SOA Security

Trust Management | Threat Protection | XML Acceleration

• A comprehensive suite of XML Acceleration, Trust Management and Threat Protection solutions that actively protects XML data and Web services across networks and business boundaries
  – Flexible hardware, software and embedded products
  – Seamless security solutions architecture: adaptive, life-cycle

Page 24: Product Line

• Rack mounted appliances consist of specific components for high speed optimization: Intel Xeon, Broadcom, nCipher, SafeNet
• 32-bit and 64-bit architecture
• All products available in multiple form factors

Products: Web Services Firewall, SOA Gateway, Vulnerability Containment, Web Services Diagnostics, XML Accelerator

Software platforms: Linux, Solaris, Unix, Windows
Hardware platforms: eBlade from IBM, 64-bit Appliance, HP BladeCenter, Crossbeam APM

Page 25: Flexibility … In Deployment Options

(diagram only)

Page 26: The most extensive technology partnerships in the industry

(partner logos only)

Page 27: ROI: Security, Management & Acceleration

Flow (Web Service Client -> gateway -> Policy Server / LDAP Directory -> Web Service):
1. HTTP(S) traffic from the Web Service Client
2, 3. Authentication / access decision against the Policy Server
4, 5. Authentication / access delegation to the LDAP Directory
6. Authorized Web Service traffic forwarded over MQ/JMS/HTTP(S)

Request processing
• Authenticates the user to IdAM
• Inspects messages and attachments for threats
• Encrypts sensitive data
• Generates SAML assertions in the WS-Security header

Response processing
• Inspects messages and attachments for threats
• Inspects messages for data leaks
• Obfuscates sensitive exceptions

Page 28: Forum Government Focus

» Our products are aligned with government use cases
» Prevent, Guard, Protect, Compliance
» Federal Information Processing Standards (FIPS 140-2 Level 3)
  » Only security gateway to provide an entire FIPS-compliant hardware-based solution that implements the NIST crypto security standards
» DoD PKI Compliance
  » Only security gateway to be interoperable with the Joint Interoperability Test Command (JITC)
» NIAP Common Criteria Certification EAL 4+ (final stages)
» Federal Enterprise Architecture (FEA)/Federal XML Working Group, Liberty Alliance, OASIS, W3C

Security is our First Priority

Page 29: Forum XRay – Closing the Security Loop

Web Service Developers -> Pre-Deployment Security -> Operational Security -> Web Services Security Management

Pre-Deployment Security
• Identify Vulnerabilities
• Reporting
• Conformance Testing

Operational Security (fed by the VulCon™ Vulnerability Database)
• Active monitoring of the Web Services topology
• Real-time profiling
• Integration with enforcement products (XWall)

Page 30: XRAY Features

Feature comparison for the XRAY and Enterprise SOA editions (each feature below carried a check mark on the slide; which column it sat in did not survive extraction):

• Dynamic Service Testing
• Vulnerability Assessment
• Job History
• Test Results Reporting
• VulCon & XWall Integration
• Policy Driven Security Testing
• Policy Compliance Reporting
• Centralized Management
• Enterprise Collaboration
• Shared Library (user selected DB)

Page 31: Web Services Firewall

Diagram: Internet (XML/SOAP) -> Admission Control & Threat Protection -> Protected Web Services and Content, under Web Services Security Management

• XML Web services Authentication and Access Control
• XML Schema Validation and XML Intrusion Prevention
• Standards Support – WS-I, WS-Security
• Attack Prevention – Denial of Service, Virus, Probe & Extract, XML/XSD Schema & WSDL Breaches
• WSDL Aggregation and Obfuscation

Web administration via a "wizard" based configuration: policy configuration, SLA monitoring, auditing, logging

Page 32: Web Services Security Gateway

Diagram: Internet (XML/SOAP) -> Web Services Security Gateway -> Protected Web Services and Content, under Web Services Security Management

Management & Acceleration of XML Web Services
• Sign, verify, encrypt, decrypt, validate and transform XML messages
• HTTP(S) to JMS gateway functionality (protocol mixing)
• Accelerated SSL connections
• Content based routing
• Message authentication via single sign-on (SSO) tokens: CA/Netegrity, IBM Tivoli, Oblix COREid, RSA ClearTrust
• Government certification of the appliance

Page 33: Features

• Data Admission Control
  – Validate XML structure
  – Filter for malicious content (malware, viruses, SQL injection, DoS)
  – Ensure interoperability
  – Schema Tightening
  – Large Attachment Support
  – Web Service Cloaking
• Web Service Authorization
  – Fine-grained WSDL/SOAP/XML authentication
  – Business API access control
  – Identity and entitlements administration
  – Identity Management Integration (add-on)
    • CA/Netegrity SiteMinder, ClearTrust
    • IBM Tivoli Access Manager
    • Oblix COREid
    • Integration with Systinet, Amberpoint, HP SOA Manager . . .

Page 34: Features (2)

• Web Services Privacy and Integrity
  – High Performance XML Processing
  – Element-level encryption
  – Electronic (digital) signatures
  – Support for WS-Security 2004
    • SAML Token Profile
    • Username Token Profile
    • SOAP with Attachments
    • Kerberos
  – 100% DoD PKI certification
  – Content Based Routing
  – Protocol mixing
    • IBM MQ
    • Tibco Rendezvous & EMS
    • JMS Compliant
    • SMTP
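The Username Token Profile listed above is the simplest WS-Security mechanism for the message-level authentication the earlier slides call for (SSL only authenticates the transport hop, and the Identity Centric Attack row asks for authentication at the SOAP message level). The block below is an added example written for this page, not Forum Sentry code and not from the presentation: it builds a PasswordDigest token on the requestor side and checks it on the provider side with a freshness window and a nonce replay cache. The namespace and type URIs are the published OASIS WSS 1.0 values; the credential store, the five-minute window, the fixed clock and the sample requests are constructed for the demo.

```python
"""WS-Security UsernameToken Profile 1.0 with PasswordDigest: message-level
authentication plus nonce replay protection. Illustration written for this page."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
B64_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
TS = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile 1.0: Base64(SHA-1(nonce || created || password)), nonce as raw bytes."""
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(digest).decode()


def build_request(username, password, body_xml, nonce=None, created=None) -> str:
    """Requestor side: a SOAP envelope carrying the token in the WS-Security header."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TS)
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>{escape(username)}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce EncodingType="{B64_TYPE}">{base64.b64encode(nonce).decode()}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>{body_xml}</soap:Body>
</soap:Envelope>"""


class AuthFailure(Exception):
    pass


class Gateway:
    """Provider side: digest check, freshness window and nonce replay cache."""

    def __init__(self, credentials: dict, max_skew=timedelta(minutes=5)):
        self.credentials = credentials   # username -> password; an IdAM lookup in practice
        self.max_skew = max_skew
        self.seen = {}                   # nonce -> Created, pruned to the freshness window

    def authenticate(self, envelope: str, now: datetime) -> str:
        tok = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
        if tok is None:
            raise AuthFailure("no UsernameToken")
        username = tok.findtext(f"{{{WSSE}}}Username")
        pw = tok.find(f"{{{WSSE}}}Password")
        nonce_el = tok.find(f"{{{WSSE}}}Nonce")
        created = tok.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != DIGEST_TYPE or nonce_el is None or not created:
            raise AuthFailure("token must use PasswordDigest with Nonce and Created")
        created_dt = datetime.strptime(created, TS).replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > self.max_skew:
            raise AuthFailure("Created outside freshness window")
        nonce = base64.b64decode(nonce_el.text or "")
        self.seen = {n: c for n, c in self.seen.items() if now - c <= self.max_skew}
        if nonce in self.seen:
            raise AuthFailure("nonce replayed")
        # Compute a digest even for unknown users so timing does not reveal valid names.
        expected = password_digest(nonce, created, self.credentials.get(username, ""))
        if username not in self.credentials or not hmac.compare_digest(
                expected.encode(), (pw.text or "").encode()):
            raise AuthFailure("bad credentials")
        self.seen[nonce] = created_dt
        return username


def demo() -> dict:
    """Valid request, replay of it, wrong password, stale Created, unknown user."""
    secret = "correct horse battery staple"          # constructed credential
    gw = Gateway({"alice": secret})
    now = datetime(2006, 5, 1, 12, 0, 0, tzinfo=timezone.utc)   # fixed clock for the demo
    created = now.strftime(TS)
    results = {}
    req = build_request("alice", secret, "<Ping/>", b"\x01" * 16, created)
    results["valid"] = gw.authenticate(req, now)
    for label, env in [
        ("replay", req),
        ("wrong_password", build_request("alice", "guess", "<Ping/>", b"\x02" * 16, created)),
        ("stale", build_request("alice", secret, "<Ping/>", b"\x03" * 16,
                                (now - timedelta(hours=1)).strftime(TS))),
        ("unknown_user", build_request("mallory", secret, "<Ping/>", b"\x04" * 16, created)),
    ]:
        try:
            results[label] = gw.authenticate(env, now)
        except AuthFailure as exc:
            results[label] = str(exc)
    return results
```

PasswordDigest is not a substitute for transport or message encryption: the SHA-1 is taken over the plaintext password, so the provider must hold the plaintext or an equivalent, and the envelope should have passed the gateway's admission-control checks before ET.fromstring sees it. The nonce cache is what turns a captured valid envelope from a reusable credential into a one-shot one, and the freshness window bounds how long the cache has to remember each nonce.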

Page 35: Vulnerability Containment

XML Vulnerability Intelligence Database (Security Threat Intelligence)

Single source of XML-related vulnerabilities
• Threat intelligence subscription service
• Product vulnerability lookup dictionary
• Tools to limit exposure for SOAs and Web Services
• Notifications via HTML, WSDL/XML, RSS and Email

• Automated delivery of industrial strength anti-virus
• Real-time policy updates (XML Intrusion Prevention)
• Patch updates: stored and updated by product, version, vulnerability
• Vulnerability response management – cross-platform