CTO Office
Reliability & Security: Distinctions and Interactions
Hal Lockhart, BEA Systems
CTO SOA; Slide 2
Topics
Similarities and differences
Denial of Service
Layering Principles
Security Services
Reliability Services
Combining Security and Reliability
CTO SOA; Slide 3
Are Security & Reliability Different?
Some Security Objectives
Service availability
Error detection
Prevent data loss
Prevent data duplication or reordering
Some Reliability Objectives
Service availability
Error detection
Prevent data loss
Prevent data duplication or reordering
CTO SOA; Slide 4
Information Security Definition
Technologies and procedures intended to implement organizational policy in spite of human efforts to the contrary.
Suggested by Authorization
Applies to all security services
Protection against accidents is incidental
Suggests four areas of attention
CTO SOA; Slide 5
Information Security Areas
Policy determination
Expression: code, permissions, ACLs, language
Evaluation: semantics, architecture, performance
Policy enforcement
Maintain integrity of Trusted Computing Base (TCB)
Enforce variable policy
CTO SOA; Slide 6
Reliability Service
Protects against accidental errors
Services available in spite of random failures
Many distinct guarantees possible
Data complete
Data in order
No duplication
End to end transactions
Queue to queue transactions
Can be combined with security mechanisms
CTO SOA; Slide 7
Different Assumptions
Reliability: messages come from cooperating entity
Security: network is untrusted
Any message can be read by attackers
Any message can be modified by attackers
Assume some Trusted Computing Base (TCB)
Reliability
Check CRC – retransmit
Ignore low probability events
Security
Use secure hash function, e.g. SHA1
Assume any event sequence is possible
CTO SOA; Slide 8
Denial of Service
Commonly misunderstood
Attacker modifies every message
Even if modifications are detected – zero throughput
Attack is easily detected and source located
No benefit to attack
Must assume “enough” messages get through
CTO SOA; Slide 9
Types of Denial of Service
Type 1 – Silver Bullet
Some message(s) cause crash
Example: Ping O’ Death
Clearly a bug, not in specification or design
Type 2 – Amplifier Attack
Small attacker effort, big effect
Example: Smurf
Harder to fix, possibly alter specification or design
Type 3 – Flood Attack
Overload slows server to a crawl
Examples: Distributed attack against public web servers
May be indistinguishable from legitimate usage
May be no real way to fix
Important to identify and locate source
CTO SOA; Slide 10
Layering
[Diagram: two protocol stacks side by side, each of Layer 1, Layer 2 and Layer 3]
CTO SOA; Slide 11
Layering Principles
A form of encapsulation
Corresponding layers communicate via peer protocol
Messages pass through all active layers
Guidelines
Layers must operate sequentially
Layers must operate on distinct data
Layers should not duplicate each other
Composability
Stronger condition
Layers may be omitted
CTO SOA; Slide 12
Composable Services
[Diagram: a WS Consumer uses a Travel Agency Web Service, which is composed from an Airline Reservation Web Service, a Hotel Reservation Web Service and a Rental Car Reservation Web Service]
CTO SOA; Slide 13
Composable Layers
[Diagram: three alternative layer stacks: Routing / Reliability / Security, or Routing / Security, or Routing / Reliability]
CTO SOA; Slide 14
Basic Security Services
Not relevant to Reliability
Authentication
Confidentiality (encryption)
Authorization
Integrity service
Check signature
Discard invalid
Non-duplication service
Integrity service
Include nonce and timestamp under signature
Discard if nonce is duplicated or message too old
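As an added example (not code from the slides), the integrity and non-duplication services of this slide in Python: the nonce and timestamp go under the signature, and the receiver checks the signature first, then the age, then the nonce cache. The HMAC standing in for a digital signature, the message layout and the window sizes are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not from the slides: an integrity service with a
# non-duplication service on top of it. The nonce and timestamp are covered
# by the signature; an HMAC (keyed hash) stands in for a digital signature,
# and the message layout is an assumption of this example.

def _mac(key: bytes, body: str, nonce: str, ts: float) -> str:
    canon = json.dumps([body, nonce, ts], separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def sign(key: bytes, body: str, now: float) -> dict:
    """Sender: attach a fresh nonce and the current time, then MAC all three."""
    nonce = secrets.token_hex(16)
    return {"body": body, "nonce": nonce, "ts": now,
            "mac": _mac(key, body, nonce, now)}

class Receiver:
    """Receiver: integrity first, then freshness, then the replay check."""
    def __init__(self, key: bytes, max_age: float = 300.0, skew: float = 30.0):
        self.key, self.max_age, self.skew = key, max_age, skew
        self.seen = {}   # accepted nonce -> the timestamp it carried

    def verify(self, msg: dict, now: float) -> str:
        # Integrity: check the signature before anything else, so an
        # unauthenticated message can never touch the nonce cache.
        expected = _mac(self.key, msg["body"], msg["nonce"], msg["ts"])
        if not hmac.compare_digest(msg.get("mac", ""), expected):
            return "invalid-signature"
        # Freshness: discard if too old, or dated further ahead than clock
        # skew can explain (assumed tolerances; tune to the deployment).
        if now - msg["ts"] > self.max_age or msg["ts"] - now > self.skew:
            return "out-of-window"
        # Non-duplication: a nonce is accepted once within the window.
        if msg["nonce"] in self.seen:
            return "duplicate"
        self.seen[msg["nonce"]] = msg["ts"]
        # Nonces older than the window would fail the freshness check anyway,
        # so the cache only has to hold one window's worth of entries.
        self.seen = {n: t for n, t in self.seen.items()
                     if now - t <= self.max_age}
        return "ok"
```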
CTO SOA; Slide 15
Basic Reliability Service
Reliability in face of network failures
Implementation
Number all messages
Request retransmission if out of order message received
Discard duplicate messages
Present data in order
Care must be taken when ending session – flush data
Efficiency considerations
TCP does this
HTTP can start and stop TCP sessions
SOAP can travel over multiple protocols, not just HTTP
CTO SOA; Slide 16
End to End Reliability
Ensure consistency and recovery in face of node failures as well as network failures
Two levels
Distributed transactions
ACID properties
Application rollback on error
Not feasible for loosely coupled systems
Queue to queue transactions
ACID properties from queue to queue (no loss, no duplicates)
Rollback by compensating transactions only (hard)
Desirable approach for public web services
CTO SOA; Slide 17
Combining Security & Reliability
Security should be below Reliability
Discard invalid messages
Reliability (if present) will retransmit
SSL/TLS are “broken” in this regard
Security should be below other layers
Validate signatures
Decrypt data
Issue: must pass along metadata with message (e.g. what was signed, who was authenticated)
Security & Reliability could be intertwined
Loss of composability
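The basic reliability slide (number all messages, request retransmission, discard duplicates, present in order) and the rule on this slide that Security sits below Reliability are shown together in the following added example, which is not the presentation's own code: a receive path in which an integrity-checking security layer discards a message modified in transit, and the reliability layer above it notices the gap and has it retransmitted. The message layout and the HMAC standing in for a signature are assumptions.

```python
import hashlib
import hmac

# Added example, not from the slides: Security placed below Reliability.
# The security layer discards any message whose integrity check fails; the
# reliability layer above numbers messages, drops duplicates, presents data
# in order and requests retransmission when it sees a gap (layout assumed).

def mac(key: bytes, seq: int, body: str) -> str:
    return hmac.new(key, f"{seq}:{body}".encode(), hashlib.sha256).hexdigest()

class SecurityLayer:
    """Bottom layer: validate the signature, discard anything invalid."""
    def __init__(self, key: bytes):
        self.key = key
    def receive(self, msg: dict):
        if hmac.compare_digest(msg["mac"], mac(self.key, msg["seq"], msg["body"])):
            return msg      # pass up; seq and body are now authenticated
        return None         # discard; the layer above will see a gap

class ReliabilityLayer:
    """Upper layer: no loss, no duplicates, in order, on top of security."""
    def __init__(self, lower: SecurityLayer):
        self.lower, self.expected, self.pending = lower, 1, {}
        self.delivered, self.requests = [], []   # requests: seqs asked for again
    def receive(self, msg: dict):
        msg = self.lower.receive(msg)
        if msg is None:
            return
        seq = msg["seq"]
        if seq < self.expected or seq in self.pending:
            return          # duplicate: already delivered or already buffered
        self.pending[seq] = msg["body"]
        for missing in range(self.expected, seq):   # gap below this message
            if missing not in self.pending and missing not in self.requests:
                self.requests.append(missing)       # ask peer to retransmit
        while self.expected in self.pending:        # present data in order
            self.delivered.append(self.pending.pop(self.expected))
            self.expected += 1

def run_demo(key: bytes = b"constructed-demo-key"):
    """Constructed traffic: message 2 is modified in transit, 3 is duplicated."""
    rx = ReliabilityLayer(SecurityLayer(key))
    send = lambda seq, body: {"seq": seq, "body": body, "mac": mac(key, seq, body)}
    rx.receive(send(1, "a"))
    rx.receive(dict(send(2, "b"), body="B"))   # tampered: security discards it
    rx.receive(send(3, "c"))                   # reliability sees gap, requests 2
    rx.receive(send(2, "b"))                   # retransmission fills the gap
    rx.receive(send(3, "c"))                   # duplicate, discarded
    return rx.delivered, rx.requests           # (["a", "b", "c"], [2])
```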
CTO SOA; Slide 18
Summary
Security and Reliability share some goals, but:
Reliability assumes random errors
Security assumes human attacks
Several distinct types of Denial of Service
Denial of service is not necessarily bad, if we know it is happening and can locate the source
Composability of services is desirable
Security can detect modified and duplicated data
Reliability can protect against network failures alone or network and system failures
Queue to queue transactions are useful for B2B
Security should be the bottom layer