In a Web services environment, the choice of deployment infrastructure is greatly influenced by the development and deployment environment, which is typically either the J2EE platform or Microsoft .NET. In both cases, the security infrastructure is expected to provide comparable run-time services for securing the service provider's or a consumer's endpoint. These services must address all the mandated security layers, which include the network infrastructure, the transport, and the messages. Figure 11-2 illustrates a conceptual Web services infrastructure and the components of an organization that securely exposes its business applications as XML Web services to a partner organization.

Figure 11-2. Conceptual Web services security infrastructure

Network Perimeter Security

Network infrastructure security is provided by a network firewall, an IP router, or filtering gateways that enforce access control by examining and filtering the inbound and outbound traffic routed between the networks. The firewall or IP router resides at the junction point or gateway between two networks, usually a private network and a public network such as the Internet. Most network firewalls can filter packets based on their source and destination addresses, protocols, and port numbers. At the protocol level, the network infrastructure security can decide to forward or reject traffic based on the protocol used, such as HTTP, SMTP, or FTP. It can also filter traffic by packet attribute or by the state of the request.

XML Firewall

The XML firewall is an XML-aware security device or proxy infrastructure that performs XML-based security processing operations. It helps in identifying and thwarting content-level threats and vulnerabilities such as malicious messages, buffer overflows, oversized payloads, virus attachments, and so on. It encapsulates access to the underlying Web service endpoints and WSDL descriptions and enforces XML-based security mechanisms and access control policies on them.

Usually, XML firewalls are provided as specialized hardware or as an XML-aware agent component that can be plugged into a Web server running on a bastion host. XML firewalls are also required to support the XML Web services standards and specifications, to enable message interoperability and compliance with the underlying Web services provider infrastructure.

Web Services Infrastructure

The Web services infrastructure is a standards-based platform that deploys application components as XML Web services. These services are accessible over the Internet using XML standards and XML standards-based technologies. In addition, the Web services infrastructure implements mechanisms for discovering and locating XML Web services, descriptions that define how to use the exposed services, and representations of messages that define how to communicate with a Web services endpoint. For more information about Web services infrastructure basics, refer to Chapter 6, "Web Services Security Standards and Technologies."

Identity Provider

The Identity Provider facilitates identity management, single sign-on (SSO), and identity federation for participating applications, service providers, and service requesters. Its primary responsibility is to provide authentication, authorization, and auditing services for all service interactions between the service provider and the requester. It also facilitates identity registration and termination services in conjunction with a user repository. With Liberty standards compliance, it also enables interoperability and allows the establishment of trusted relationships between communicating service providers and identity providers.

Directory Services

The Directory Services provide mechanisms for storing and managing the user profiles, configuration, policies, and rules for accessing application and network resources. They feature a specialized database, a standard protocol, and APIs to store and retrieve information. LDAP is the de facto standard for implementing directory services. It defines a lightweight protocol that specifies the data model for representing information, naming, and security, and the functionality for storing, accessing, and updating the LDAP information. Directory services support application security mechanisms related to locating and managing PKI certificates and supporting other PKI life-cycle operations. For more information about LDAP, PKI, and digital certificates, refer to Chapter 2, "Basics of Security."
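As an added illustration (not from the book) of the content-level checks the XML firewall section describes, the following Python sketch rejects oversized payloads, DOCTYPE declarations, attribute floods, and excessive nesting before a SOAP message reaches the endpoint; the limits and the sample messages are constructed here and are not taken from the text.

```python
from xml.parsers import expat

# Constructed policy limits (hypothetical values chosen for this example).
MAX_BYTES = 64 * 1024   # oversized payload threshold, checked before parsing
MAX_DEPTH = 32          # maximum element nesting depth
MAX_ATTRS = 64          # maximum attributes on a single element

class Rejected(Exception):
    """Raised inside a parser handler to abort as soon as policy is violated."""

def inspect_message(raw: bytes) -> list:
    """Return the list of policy violations for one inbound message.
    An empty list means the message may be forwarded to the endpoint."""
    if len(raw) > MAX_BYTES:
        return ["oversized payload: %d bytes" % len(raw)]
    violations = []
    depth = [0]   # current nesting depth, mutated by the handlers below

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE lets the sender declare entities; abort before any expansion.
        raise Rejected("DOCTYPE declaration present")

    def start_element(name, attrs):
        depth[0] += 1
        if depth[0] > MAX_DEPTH:
            raise Rejected("nesting depth exceeds %d" % MAX_DEPTH)
        if len(attrs) > MAX_ATTRS:
            raise Rejected("attribute flood on <%s>" % name)

    def end_element(name):
        depth[0] -= 1

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    try:
        parser.Parse(raw, True)
    except Rejected as r:
        violations.append(str(r))
    except expat.ExpatError as e:
        violations.append("malformed XML: %s" % e)
    return violations

# Constructed sample messages: one acceptable envelope and two that violate policy.
GOOD = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><GetQuote><symbol>ABC</symbol></GetQuote></soap:Body></soap:Envelope>')
DTD = (b'<!DOCTYPE x [<!ENTITY e "aaaa">]><soap:Envelope xmlns:soap="urn:example">'
       b'<soap:Body>&e;</soap:Body></soap:Envelope>')
DEEP = b"<a>" * 40 + b"</a>" * 40

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("dtd", DTD), ("deep", DEEP)):
        print(label, inspect_message(msg) or "forward")
```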