Securing Web Services with CAS Proxy Tickets

June 2010

Securing Web ServicesSolving the Web Services Security Problem with an XML Gateway

IT Services - Jeremy Rosenberg / Steve Hillman

About Us


About Us

• Jeremy Rosenberg Developer in IT services since 2004 Identity management strategy Java Developer


About Us

• Jeremy Rosenberg Developer in IT services since 2004 Identity management strategy Java Developer

• Steve HillmanIT ArchitectWith IT Services since 1987Unix infrastructure


About SFU


About SFU

• Named after famous explorer

Simon Fraser 1776 -1862


About SFU

• Named after famous explorer • Opened on September 9, 1965



About SFU

• Named after famous explorer • Opened on September 9, 1965• One University - Three campuses

• Burnaby• Surrey• Vancouver



About SFU

• Named after famous explorer • Opened on September 9, 1965• One University - Three campuses

• Burnaby• Surrey• Vancouver

• 32,000 students • 900 faculty• 1600 staff• 100,000 alumni Simon Fraser

1776 -1862


About This Presentation



• Definitions



• Definitions• XML Security Challenges



• Definitions• XML Security Challenges• About the Layer 7 SecureSpan XML Gateway



• Definitions• XML Security Challenges• About the Layer 7 SecureSpan XML Gateway• Why we chose SecureSpan



• Definitions• XML Security Challenges• About the Layer 7 SecureSpan XML Gateway• Why we chose SecureSpan• A little about Public Keys



• Definitions• XML Security Challenges• About the Layer 7 SecureSpan XML Gateway• Why we chose SecureSpan• A little about Public Keys• Walkthroughs

• SOAP• REST



• Definitions• XML Security Challenges• About the Layer 7 SecureSpan XML Gateway• Why we chose SecureSpan• A little about Public Keys• Walkthroughs

• SOAP• REST

• Questions


Definitions

•First, A Few Definitions


Definitions


Definitions

Web Service:


Definitions

Web Service:• An API to a remote procedure


Definitions

Web Service:• An API to a remote procedure• Typically accessed over HTTP


Definitions

Web Service:• An API to a remote procedure• Typically accessed over HTTP• Machine-to-machine communications


Definitions

Web Service:• An API to a remote procedure• Typically accessed over HTTP• Machine-to-machine communications • Allows data source to be loosely coupled to

applications


Definitions


applications• Makes systems reusable


Definitions


applications• Makes systems reusable• Very popular with Twitter, Facebook, Amazon, etc


Definitions - SOAP vs REST



•SOAP:



•SOAP:• XML Message passing protocol



•SOAP:• XML Message passing protocol • Numerous ‘WS-’ standards



•SOAP:• XML Message passing protocol • Numerous ‘WS-’ standards• Associated with “Big” Web Services

• Most vendor SOA solutions use SOAP



•REST:

• URL-addressable objects

http://maps.google.com/maps/api/geocode/json?address=1600+Amphitheatre+Parkway,+Mountain+View,+CA&sensor=



•REST:

• URL-addressable objects• “http://maps.google.com/maps/api/geocode/xml?address=Memorial+University,+NL,+CA”




•REST:


• Accessed and manipulated with standard HTTP GET/POST/PUT/DELETE




•REST:



• Lightweight client requirements




•REST:



• Lightweight client requirements• Stateless (every request is self-contained)




•REST:



• Lightweight client requirements• Stateless (every request is self-contained)• WS- standards are less mature



“Put out an A.P.B. on a donut, believed sprinkled.”

!•Web Services Security Challenges


Web Services Security Challenges



• Web Services can communicate over many transport protocols



• Web Services can communicate over many transport protocols• Commonly accessed over web protocols like HTTP



• Web Services can communicate over many transport protocols• Commonly accessed over web protocols like HTTP• Easy for Web services to bypass traditional firewalls



• Web Services can communicate over many transport protocols• Commonly accessed over web protocols like HTTP• Easy for Web services to bypass traditional firewalls

XMLHTTP

XML



• XML-based messages can be deliberately or inadvertently malformed




• Causes parser or applications to break




• Causes parser or applications to break• Creates new XML threats and

vulnerabilities. E.g:





vulnerabilities. E.g:• XML parameter tampering





vulnerabilities. E.g:• XML parameter tampering• XDoS Attacks





vulnerabilities. E.g:• XML parameter tampering• XDoS Attacks• Message Replay





vulnerabilities. E.g:• XML parameter tampering• XDoS Attacks• Message Replay• Oversized/overdeep XML nodes





vulnerabilities. E.g:• XML parameter tampering• XDoS Attacks• Message Replay• Oversized/overdeep XML nodes• Code injection



• Transactions are principally machine-to-machine



• Transactions are principally machine-to-machine • New thinking around machine-to-machine credentialing



• Transactions are principally machine-to-machine • New thinking around machine-to-machine credentialing • Login pages won’t work



• Services and clients must agree on security parameters• crypto preferences• standards support




• Need for new kinds of policy coordination




• Need for new kinds of policy coordination• Incompatibilities have unforeseen consequences



• Web services enable multi-hop composite applications



• Web services enable multi-hop composite applications• Example: Student on boarding process



• Web services enable multi-hop composite applications• Example: Student on boarding process• Message level security and audit that can span multi-

hop SOA transactions end-to-end



Web services expose business functionality through open APIs, requiring new application-aware security measures.


SecureSpan XML Gateway



• Enter the XML Gateway


XML Gateway - What it does



• Parses all Inbound and outbound XML messages



• Parses all Inbound and outbound XML messages• Inspection and modification of XML messages




• Replace “Username” value in inbound XML message with value extracted from client certificate• Prevent spoofing




• Replace “Username” value in inbound XML message with value extracted from client certificate• Prevent spoofing

• Blank-out Student Number value in outbound XML messages • Prevent accidental leakage of confidential info


XML Gateway


XML Gateway

• Thwart attacks


XML Gateway

• Thwart attacks• Prevent malicious and inadvertent XML attacks


XML Gateway

• Thwart attacks• Prevent malicious and inadvertent XML attacks• Prevent other not-so-obvious application-level

attacks - e.g. SQL injection. • Are you sure every one of your developers

sanitizes their inputs?


Benefits


Benefits

• Single point-of-entry for Web Services means:


Benefits

• Single point-of-entry for Web Services means:• Do rate-control/throttling/queueing to enforce SLAs


Benefits

• Single point-of-entry for Web Services means:• Do rate-control/throttling/queueing to enforce SLAs• Standardized logging of all access


Benefits

• Single point-of-entry for Web Services means:• Do rate-control/throttling/queueing to enforce SLAs• Standardized logging of all access• Auditing


Benefits

• Single point-of-entry for Web Services means:• Do rate-control/throttling/queueing to enforce SLAs• Standardized logging of all access• Auditing • Centrally enforced policies


Benefits

• Single point-of-entry for Web Services means:• Do rate-control/throttling/queueing to enforce SLAs• Standardized logging of all access• Auditing • Centrally enforced policies • Reusable rich set of authentication mechanisms


Benefits

• Single point-of-entry for Web Services means:• Do rate-control/throttling/queueing to enforce SLAs• Standardized logging of all access• Auditing • Centrally enforced policies • Reusable rich set of authentication mechanisms • Managed by the Infrastructure team on behalf of all

Web Services development groups


Why We Chose Layer7


Why We Chose Layer7

• Industry leader in this space


Why We Chose Layer7

• Industry leader in this space• Very responsive


Why We Chose Layer7

• Industry leader in this space• Very responsive• Available as either hard or soft appliance


Why We Chose Layer7

• Industry leader in this space• Very responsive• Available as either hard or soft appliance • Extensible using Java. We have Java experts.


Why We Chose Layer7

• Industry leader in this space• Very responsive• Available as either hard or soft appliance • Extensible using Java. We have Java experts.• Supports every standard known to Man


Standards


Standards

XML 1.0SOAP 1.2RESTAJAXXPath 1.0XSLT 1.0WSDL 1.1XML SchemaLDAP 3.0SAML 1.1/2.0PKCS #10X.509 v3 CertificatesFIPS 140-2Kerberos

W3C XML Signature 1.0W3C XML Encryption 1.0SSL/TLS 3.0/1.1SNMPSMTPPOP3IMAP4HTTP/HTTPSJMS 1.0MQ SeriesTibco EMSFTPWS-Security 1.1WS-Trust 1.0

WS-FederationWS-AddressingWSSecureConversationWS-MetadataExchangeWS-PolicyWS-SecurityPolicyWS-PolicyAttachmentWS-SecureExchangeWSILWS-IWS-I BSPUDDI 3.0XACML 2.0MTOM


The Gateway Changes Everything


SOAP Security - Cowboy Style


About DNPKI


About DNPKI

Definitely Not a Public Key Infrastructure (DNPKI)


About DNPKI

Definitely Not a Public Key Infrastructure (DNPKI)• Named out of frustration with the phrase:

• “Cool we have PKI now”


About DNPKI


• “Cool we have PKI now”• Needed a way to manage X.509 certificates for:

• https client certificate authentication• WS-Security Signature Authentication


About DNPKI




• Store and push RSA public keys into LDAP


About DNPKI




• Store and push RSA public keys into LDAP• Ability to de-provision certificate access


About DNPKI




• Store and push RSA public keys into LDAP• Ability to de-provision certificate access • Leveraged existing IdM architecture


About DNPKI


SOAP Security - Best Practices


Gateway SOAP Assertions


The Zimbra Conundrum



.../courses?user=me



.../courses?user=notme


REST Security that Never Rests


Gateway REST Assertions


Lessons Learned


Lessons Learned

• Security is an enabler


Lessons Learned

• Security is an enabler• Stick to standards where possible


Lessons Learned

• Security is an enabler• Stick to standards where possible• A good vendor is huge


Lessons Learned

• Security is an enabler• Stick to standards where possible• A good vendor is huge• Start small

• Control the service and consumer


Lessons Learned

• Security is an enabler• Stick to standards where possible• A good vendor is huge• Start small

• Control the service and consumer• Security can be fun!


THANK YOU

Thank You !

[email protected][email protected]

!

mailto:[email protected]

Securing Web Services with CAS Proxy Tickets

Technology

Transcript of Securing Web Services with CAS Proxy Tickets