Best Practices and Pitfalls

The following sections discuss the best practices and the associated pitfalls you should consider when implementing security in a Web-services infrastructure and in application services.

Best Practices

Web Services Infrastructure Security

1. End-to-End Transport Layer Security. During communication, secure the transport layer with appropriate message integrity and confidentiality mechanisms. The communication must be tamperproof and the messages in transit must not be intercepted or accessed. Adopting two-way SSL/TLS communication with the use of both server and client certificates is often considered the best-practice solution.

2. Standards-Based Security and Infrastructure. Web services are all about implementing standards-based messages and communication. They enable the adopted security mechanisms and countermeasures to seamlessly work together with architecture independence in all application layers and enable cross-platform support among Web-services providers and the client requesters. Thus, follow standards and adopt standards-based infrastructure providers to ensure security interoperability throughout the life cycle of the service. Using proprietary mechanisms affects interoperability with standards-based infrastructure providers.

3. Network Perimeter Protection. Use network firewalls and intrusion detection systems for identifying and protecting the Web-services infrastructure against connection attacks such as network spoofing, man-in-the-middle, and DOS attacks. Use router mechanisms for filtering incoming and outgoing traffic and use network access control lists (ACLs) for allowing authorized hosts and blocking traffic from unauthorized hosts based on IP addresses and protocols.

4. Minimization and Hardening. Prior to deployment testing of the host platform infrastructure, remove all unnecessary services, user accounts, OS/application libraries, and tools. All services that are considered to be insecure or vulnerable must be secured or replaced with alternatives (for example, SSH, SFTP, and so forth). Furthermore, it is important to consider adopting preventive measures such as securing file systems with encryption, tightened access control, and deploying host-based intrusion detection and monitoring systems that allow detection of suspicious events, policy violations, and abuses.

5. IP Filtering. Use IP filtering mechanisms to provide packet filtering based on IP addresses, port, protocol, network interface, and traffic direction. This helps to safeguard the Web-services endpoint host by allowing messages passed through authorized hosts and proxy servers.

6. XML-Aware Security Infrastructure. Adopt an XML-aware security infrastructure such as an XML firewall or Web-services security solution that can proactively detect and protect against XML DOS attacks, malformed or corrupted XML, malicious SOAP/XML payloads, and unsupported message attachments. These issues can disrupt the infrastructure by consuming excessive bandwidth and can degrade performance with infinite processing loops that can compromise availability of the service endpoint.

7. Access Protection. Make sure direct access to all service endpoints is disabled. Use an XML firewall or a Web-proxy infrastructure that masks all the underlying service endpoints and communicates through network address translation (NAT) or URL rewriting mechanisms. This helps in enforcing transport-layer security (such as two-way SSL/TLS) and in identifying all incoming traffic for XML and content-layer vulnerabilities before processing at the application service endpoint.

8. XML Firewall Appliance Adoption for Performance. XML firewall appliances can recognize and provide protection against XML-related malicious attacks. In particular, they can enhance message throughput significantly by reducing the processing time involved with resource-intensive tasks such as XML parsing, XML schema validation, XML Encryption and decryption, and XML Signature validation.

9. Origin Host Verification. Verify the host ID initiating the Web-services request before processing the message. This helps in identifying man-in-the-middle, message replay, impersonation, and illegitimate-request attacks initiated from unauthorized hosts. When it is determined that a request is from an unauthorized host, the service endpoint must drop those requests without further processing.

10. Adopt Hardware Cryptographic Devices. Cryptographic keys play a vital role in applying digital signatures and encryption mechanisms. It is important to safeguard the keys so that they are not accessible to hackers, because they are vulnerable to attack by modification, duplication, or substitution. Using hardware cryptographic devices ensures safer and more tamper-proof key management and helps in off-loading computationally intensive operations.

11. VPN Access. Consider using VPN-based limited access for Web-services solutions deployed within an intranet or an extranet (extended to potential consumers). Using VPN reduces security risks from external intrusions.

12. Employ Honeypots. Honeypots are intrusion detection decoys deployed with the intent to mislead potential attackers and thereby provide early warning to systems administrators. In-depth analysis of a honeypot's Web-service traffic can yield useful knowledge for purposes of both research and defense against attacks.

Communication and Message Security

13. Restrict direct WSDL Access. WSDLs describe Web services providers in terms of their exposed operations, type and number of parameters, type and structure of returned results, protocol bindings, and so on. Protect WSDLs from public viewing and unauthorized access by disallowing all direct access to WSDL descriptions. Enforce an authentication and authorization mechanism that restricts access to viewing or downloading WSDL descriptions.

14. UDDI Registration and Lookups. UDDI registries allow registering WSDL information for public or private access and provide a repository for searching and sharing information about published services. While registering services in a public registry, ensure that the accessible methods and data types are subject to use after an agreement and mandated security policies. You should choose to register methods for providing inquiry transactions only. It is always recommended not to expose methods that allow critical business-transaction processing.

15. Message Validation and Compliance. Verify all incoming and outgoing messages for XML well-formedness, format, and syntax, and validate the messages against XML schemas or DTD-based rules mandated by the service endpoint. This ensures that the messages are not manipulated, are free from issues related to discontinuity or malformedness that affect parsing, and are compliant with valid XML schemas. XML-aware firewalls or hardware accelerators can be used for better performance and to reduce processing times.

16. Message Inspection. Make sure all incoming XML traffic is intercepted and filtered for performing message-level security operations before processing at its intended endpoint. These operations include authentication, authorization, auditing, validating signatures, encryption or decryption, compression or decompression, transformation, routing, and management of functions mandated by the service endpoint. This eliminates the risks and potential dangers of malicious content-level threats and XML-based attacks from unauthorized parties and hackers. Use the Message Inspector pattern and strategies for enforcing message inspection.

17. WSDL Generation. Using automated tools for generating WSDLs generally exposes all the methods provided by the underlying application component. Exposing all the methods available for Web services consumption is prone to using unpublished methods, guess attacks, service abuses, and related vulnerabilities. Make sure the generated WSDL file exposes only specific operations intended for external access.

18. Secure XML Schemas. XML schemas help Web services requesters and services share rules and instructions for content, syntax, and semantics processing of XML documents. Storing XML schemas in a way that gives the public access to them invites manipulation that can compromise the security of the service endpoints and the exchanged data. Verify that all XML schemas are secured with appropriate rules and access privileges for public use.

19. Timestamps. Use timestamps in message headers to determine the timeliness and validity of security headers. Doing so also helps by providing non-repudiation evidence of the time of a transaction's execution. In addition, if a Web-services endpoint receives two contradictory messages, the timestamps inserted in the message can be used to determine its validity or its expiration. Timestamps help in identifying forged requests and message replay attacks.

20. Correlation. Identify correlated messages and service endpoints by tying a message sent from the requesting endpoint and the response message sent from the replying endpoint together using a unique identifier. The identifier, also referred to as correlation ID, identifies both the original request message from the sender and its response message from the receiver. Using message correlation helps to uniquely identify messages and their consumers from logs and recorded audit trails. It also helps when diagnosing issues in forensic investigations.

21. Signing Messages. Adopt XML signatures for signing messages and ensuring message-level integrity and authentication. Using XML signatures allows a message recipient to verify the signed messages from a sender. This proves that the signed messages originated by a sender are authentic and have not been altered or tampered with during their transit or storage. Using XML signatures also offers the flexibility of signing specific XML portions of a message and then applying changes to the message involving multiple parties during communication.

22. Message and Element-Level Encryption. Adopt XML encryption for maintaining message-level data confidentiality and privacy during transit or storage. Depending on the scenario, using XML Encryption allows encrypting XML messages in their entirety, applying encryption for portions of a message, or applying multiple encryptions to different parts of the message and leaving selected portions of the message unencrypted. XML Encryption preserves the encrypted data intended for multiple parties in a workflow or a multi-hop communication involving intermediaries.

23. XKMS Adoption. XKMS defines a Web services interface to PKI services such as key registration, revocation, location, and validation. In Web-services communication, XKMS allows you to register, look up, and validate cryptographic keys used in XML signatures and XML Encryption. Adopting XKMS in Web services delegates all public-key lookup, registration, and verification tasks intended for XML signatures and XML Encryption. As a result, it delivers performance gains through reducing the message payload by off-loading all processing of key information to the XKMS trust service.

24. Fault Handling. When a Web services client request cannot be completed or fails, the service-provider endpoint must return an error as a SOAP Fault element. This is represented descriptively in the detail element that provides all of the error information provided by the service endpoint. In case of failures related to an application service, particularly exceptions from underlying application and services, the faults expose the weakness in the application and allow hackers to design potential vulnerabilities based on them. It is important to proactively identify those faults and redefine them with information that does not reveal the weakness of the underlying service endpoint.

25. Logging and Recording of Audit Trails. Create secure transaction logs and audit trails that can be used for forensic investigation about life-cycle events and transactions taken by the services provider based on the requests made by the consumer. This verifies that the initiating clients are accountable for their requested operations with an irrefutable proof of originating request or response. The audit trails provides information that can be used to monitor resources, system break-ins, failed login and breach attempts; to determine security loopholes, violations, and identity spoofing; and to identify users attempting to circumvent security, either intentionally or unintentionally.

26. Avoiding Composability issues. All exposed services must define the security requirements to the service-requester clients that relate to transport-level and message-level security mechanisms. It is important to verify the ability to compose the messages including the required security mechanisms and the endpoint-specific message payload. The composability of the message should not cause any unintentional functional side-effects.

27. Identity and Policy Management. Web services should use identity information, trust policies, and their access privileges from underlying applications and should map them between service providers and consumers within a domain or multiple domains. The identity and policies associated with users can be used to define their roles and to access rules that are required as part of requests and responses between the communicating parties. Adopting a Liberty-enabled identity provider with the identity-federation capabilities required by Liberty Alliance specifications helps to aggregate Web services without compromising security by delivering a federated SSO, global logout, identity registration, and termination.

Testing and Deployment

28. Service Penetration Tests. The security-related vulnerabilities of Web services generally stem from improper handling of XML-based request messages or a lack of parameter validation checking that expose the service endpoint to buffer overflow, message injection, and malicious cross-site scripting attacks. It is important to identify these vulnerabilities by performing penetration tests on the service endpoint, hardening the underlying application code, and immunizing the host environment for these erroneous conditions. For example, the penetration test must draw out illicit conditions and anomalous behavior from the service endpoint by manipulating the request parameters and operations using special characters, large white spaces, missing tags, oversized requests, replay or recursive requests, malformed requests, malformed XML with discontinuity, schema poisoning, injecting malformed XML, SQL, Xquery, or Xpath expressions, and so forth. These tests identify known threats and vulnerabilities and help to fix the service endpoint through application-level hardening.

29. Stress Testing. Load testing with simulated users allows you to determine the Web-services provider scalability and number of supported concurrent users, to identify the breaking point, and to identify the acceptable service-level requirements. In a security context, it helps to validate the architecture capacity, scalability, and reliability and to identify potential security breaches after failures.

30. Centralized Management. Adopt a centralized control and administration solution for provisioning and monitoring all service endpoints. The solution includes deployment and monitoring of service endpoints, enabling content-based logging and auditing, enabling and disabling service endpoints, configuring authentication and security policies, and so forth.

31. Monitoring and Alerting. Monitor all security operations using automated monitoring of service components in a way that lets you detect malicious activities. For example, set a threshold with an alert on the number of authentication failures per client and to detect a hacker undergoing an XML DOS or WSDL descriptions attack. In such cases, the monitoring system must alert the security administrator that countermeasures and other corrective actions are needed.

32. Fault Management and Self-Healing. Fault management begins upon detection of an error or a security breach, and it is expected to capture sufficient data to diagnose the underlying problem. Once a diagnosis of a problem is determined, the fault-management solution should perform problem isolation and self-healing tasks. Adopting fault management and self-healing mechanisms improves the availability of the application infrastructure. Fault-management and self-healing solutions can be deployed using watchdog agents that automatically respond to the problem by disabling faulty components, restarting the services, issuing messages to alert administrators, and providing diagnostic information for forensic investigation.

33. Fault Tolerance. Mission-critical Web services demand fault-tolerance capabilities that provide reliability and solutions to support unpredictable and voluminous concurrent workloads. To handle such requirements requires a recovery mechanism that identifies the service failure, activates a new service-provider instance, and then reads the logs about the outstanding failed request to continue processing. Capturing the state of outstanding requests in order to repeat processing and restart a new service might degrade performance. To meet performance requirements, consider fault-tolerance capabilities for service requests that involve a business transactionbut not an inquiry transaction. Ensure all security tasks are processed as prescribed by the service provider, even though the service endpoint runs on a fault-tolerant mode.

34. Configuration Management. Follow a secure configuration management practice to administer all configuration information applied to the service endpoint. Make sure you adopt a security strategy that restricts access to configuration information to privileged users based on their roles. Any opening to unauthorized access to configuration information may cause a vulnerability that can compromise the security of all exposed services.

Pitfalls

35. Vendor-Specific Security APIs. Adopting vendor-specific API mechanisms often affects interoperability and integration of services across vendors due to failures related to message compliance, mismatched crypto algorithms, and schema validation. Choose API mechanisms evolved through community processes and adopt a standards-based infrastructure that enables interoperability and seamless integration with other standards-based technology providers.

36. Content Encryption. Encrypting the messages in their entirety often results in abnormal payloads, increases network bandwidth utilization, and causes processing overheads. Consider adopting element-level encryption that allows encrypting selected portions of messages and then using secure communication channels that ensure data integrity and confidentiality during transit and storage.