Chapter 3: New Challenges and New Threats


Overview

Now that we know what Web Services are (Chapter 1) and have at least a basic understanding of the principles of security (Chapter 2), we are in a position to answer the question “what kind of security does Web Services need?” We will see in this chapter that Web Services security focuses on the application layer, although security at the lower layers remains important. The principles of security are the same as those we encountered in the previous chapter: authentication, authorization, and so forth. The implementation technologies on which we focus are HTTP and SOAP, although we will keep SMTP security in mind also since SOAP can be bound to SMTP as well as HTTP.

It may not seem immediately obvious why security for SOAP presents such a challenge. After all, SOAP is generally bound to HTTP, which already has SSL for authentication and confidentiality. In addition, many Web authorization tools already exist. It is reasonable to ask why these aren’t enough; the answer has several parts.

The first reason is that, although frequently bound to HTTP, SOAP is independent of the underlying communications layers. Many different communications technologies can be used in the context of one multi-hop SOAP message; for example, using HTTP for the first leg, then SMTP for the next leg, and so forth. End-to-end security cannot therefore rely on a security technology that presupposes one particular communications technology. Even in the case of a single SOAP message targeted at a Web Service, transport-level security only deals with the originator of the SOAP request. SOAP requests are generated by machines, not by people. If the Web Service wishes to perform security based on the end user, it must have access to authentication and/or authorization information about the end user on whose behalf the SOAP request is being sent. This is the second reason for Web Services security.

This information is not available in the transport layer, which deals only with the originator of the SOAP request. When SOAP messages are routed between Web Services, the same problem applies. The security context spans multiple connections, meaning the principles of security such as integrity and confidentiality must also apply across these multiple connections. These challenges are met by persisting security information inside the SOAP message. This chapter introduces WS-Security, a framework for including security information as XML in SOAP messages. Next, the specifications for expressing security information (digital signatures, encryption, authentication, and authorization data) in XML are introduced.
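The following Python script is an added illustration of the point made above, not code from the book or from any WS-Security toolkit. It builds a SOAP 1.1 envelope whose header carries the end user's identity and a signature over the body, then routes it through a simulated intermediary that terminates the first (HTTP) connection, re-serializes the message and forwards it on a second leg with no transport context. The receiver can no longer see the first leg's `Authorization` header, but the identity and integrity information persisted inside the message survive the hop, and tampering with the body at the intermediary is detected. The `sec` namespace (`urn:example:message-security`) is a hypothetical stand-in for the WS-Security header, and a shared-key HMAC stands in for the XML Signature a real deployment would use; both are assumptions of this example, not details of the specifications.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SEC_NS = "urn:example:message-security"  # hypothetical stand-in for the WS-Security header namespace
ET.register_namespace("soap", SOAP_ENV)
ET.register_namespace("sec", SEC_NS)

# Constructed demo key shared by sender and Web Service. WS-Security would carry an
# XML Signature backed by a certificate; a bare HMAC is used here to keep the example short.
SHARED_KEY = b"constructed-demo-key"


def canonical_body(envelope):
    """Canonical bytes of soap:Body (C14N 2.0 from the standard library), so that an
    intermediary that re-indents the message does not invalidate the signature."""
    body = envelope.find(f"{{{SOAP_ENV}}}Body")
    return ET.canonicalize(ET.tostring(body, encoding="unicode"), strip_text=True).encode()


def build_signed_request(end_user, payload_xml):
    """Sender: put the end user's identity and a signature over the body into the header."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_ENV}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    body.append(ET.fromstring(payload_xml))
    sec = ET.SubElement(header, f"{{{SEC_NS}}}Security")
    ET.SubElement(sec, f"{{{SEC_NS}}}EndUser").text = end_user
    # The identity is bound into the MAC so it cannot be swapped without detection.
    mac = hmac.new(SHARED_KEY, end_user.encode() + canonical_body(env), hashlib.sha256).digest()
    ET.SubElement(sec, f"{{{SEC_NS}}}Signature").text = base64.b64encode(mac).decode()
    return ET.tostring(env, encoding="unicode")


def intermediary_hop(wire_xml, inbound_transport_headers, tamper=False):
    """Simulated SOAP intermediary: the inbound connection (HTTP, with its headers)
    ends here; the message is re-serialized and forwarded on a new connection
    (say SMTP), which carries none of the first leg's transport security context."""
    env = ET.fromstring(wire_xml)
    if tamper:  # a hostile or buggy intermediary alters the business payload
        env.find(".//Amount").text = "100000"
    ET.indent(env)  # pretty-printing changes whitespace but not the canonical body
    del inbound_transport_headers  # transport headers do not cross the hop
    return ET.tostring(env, encoding="unicode"), {}


def web_service_receive(wire_xml, transport_headers):
    """Receiving Web Service: checks what the transport knows versus what the message carries."""
    env = ET.fromstring(wire_xml)
    sec = env.find(f"{{{SOAP_ENV}}}Header/{{{SEC_NS}}}Security")
    end_user = sec.findtext(f"{{{SEC_NS}}}EndUser")
    claimed = base64.b64decode(sec.findtext(f"{{{SEC_NS}}}Signature"))
    expected = hmac.new(SHARED_KEY, end_user.encode() + canonical_body(env), hashlib.sha256).digest()
    return {
        "transport_auth": transport_headers.get("Authorization"),  # None after the hop
        "end_user": end_user,  # carried inside the message, so it survives
        "body_intact": hmac.compare_digest(claimed, expected),
    }


def run_demo(tamper=False):
    wire = build_signed_request("alice", "<TransferFunds><Amount>100</Amount></TransferFunds>")
    # First leg over HTTP: transport-level auth identifies the sending machine, not alice.
    first_leg_headers = {"Authorization": "Basic <constructed-gateway-credentials>"}
    wire, second_leg_headers = intermediary_hop(wire, first_leg_headers, tamper=tamper)
    return web_service_receive(wire, second_leg_headers)


if __name__ == "__main__":
    print(run_demo())             # transport_auth is None, end_user 'alice', body_intact True
    print(run_demo(tamper=True))  # body_intact False: the change at the intermediary is caught
```

The shape of the result is the whole argument in miniature: the only identity the transport ever knew belonged to the originating machine and did not outlive the first connection, while the identity and integrity data placed in the SOAP header reached the Web Service intact and let it detect a modified body.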

If confidentiality, integrity, and identity-based security can be viewed as the positive aspects of security, then protecting against hacker attacks is the negative aspect. Hacker attacks are a fact of life when computers connect to the Internet. These attacks tend to follow the path of least resistance; that is, by circumventing security, not tackling it head-on. A sophisticated authentication system is useless if it requires people to “play by the rules” and these rules can be bypassed. Now that many of the vulnerabilities at lower layers of the network have been addressed, the playing field has moved to the application layer. In this chapter, we’ll see how these attacks share many characteristics with the older, more traditional attacks at lower layers of the communications stack.

Web Services presents both a security challenge and a security threat. The challenge is to implement the principles of security at the application layer. The threat is that Web Services presents a new avenue of attack into enterprise systems, one that is not addressed by current security infrastructure (including firewalls). This chapter examines the new technologies that address these challenges and threats.




Web Services Security
ISBN: 0072224711
Year: 2003
Pages: 105
Authors: Mark O'Neill
