The rise of internet working was enabled by network-level security technologies such as SSL, IPsec and firewall filtering to create a secure perimeter around an enterprise network. Today, this secure perimeter has become permeable as organizations cut costs and drive revenues by sharing applications with internal business units, external partners and customers. This shift to the server-to-server access required for true application sharing is enabled by new XML Web Services technologies.
But the promise of seamless communication cannot be fulfilled without the introduction of several new security practices. Just as IP internet working was accompanied by new security requirements, so are XML Web Services. While not a comprehensive list, the following best practices gleaned from leading Fortune 500 companies and collected across numerous industries are a solid starting point to further protect enterprise resources with XML Web Services security.
XML Web Services rely on IP and HTTP as a transport layer to connect applications and associated resources. Robust XML Web Services security is built on a strong foundation of transport-layer security, so that sensitive information cannot be intercepted and read in transit.
SSL VPNs are simple to deploy and also provide a flexible security model for securing extranets. Furthermore, best practice includes the use of server certificates and client certificates during the authentication process. Hardware-based accelerators are the preferred way to secure the transport layer, while maintaining high performance for transactions.
XML requires sophisticated processing to ensure that transactions are known to be good before they penetrate deep within the organisation. XML filtering provides managers with a range of functionality as complex rule-sets can be built around network-level information, message size, message content and other variables. Because filters are XML-based, they are easily updated as new threats are detected. Setting up simple filters based on message size or XML Digital Signatures is an easy place to start. As application usage increases, filtering based on content and other parameters enables the security staff to implement sophisticated and granular business rules.
One sound security practice deployed by many companies is the use of Network Address Translation (NAT) to obscure internal IP addresses. In addition to using NAT, one effective way to mask and protect internal resources from external parties is to disallow direct TCP connections between application servers and outside parties. By using an XML proxy to rewrite URLs and other information otherwise exposed by web services, enterprises can quickly and simply hide a significant amount of their internal configuration.
XML DoS attacks (XDoS) might not be as popular as the syn-flood attacks of the dotcom era, but they are more easily launched and capable of much more damage. To protect against XDoS, security staff should implement reasonable constraints for all incoming messages.
With the use of an XML security gateway as a proxy, network managers can configure simple settings on message size, frequency and connection duration. The goal is to allow access to resources, while simultaneously using XML filtering rules to reduce the "aperture of entry" into the corporate network.
Because XML is text-based and, in many instances, generated by humans, there is significant room for error in message creation. One simple way to prevent this problem is to use XML Schema Definitions (XSD) to validate both inbound and outbound data. XSD is the successor to Document Type Definitions (DTDs) because they are more useful and extensible. This best practice reduces the risk of security holes of unknown/undocumented fields or protocol features that might otherwise compromise resources. In addition to performing Schema Validation, managers should also check messages for XML well-formedness, (during parsing), improper identity or lack of resource references, protocol (such as SOAP) validity and other message validity checks.
By transforming all outbound XML messages, network managers enable "XML Address Translation": mapping between the private internal data layout and the external one. This kind of application-layer protection is easily implemented today using XSLT, one of the most mature XML technologies. Using XSLT, businesses can obscure internal schema and object layouts from outside parties. As the number of XML dialects and terms increases, message translation will become a key first step in processing any application request. Because standards are still forming, XSLT is a key asset – it enables an enterprise to support various message formats and standards simultaneously.
Senders can create a secure audit trail by logging each message with a signature that can be verified post-transaction. Because each log entry is signed, their contents cannot be modified or altered and the sender gains non-repudiation protection. While signing and verifying every incoming and outgoing message might seem processing-intensive, use of a hardware appliance avoids the performance bottlenecks that accompany software-based solutions.
Enterprises can augment non-repudiation capabilities by using the Network Time Protocol (NTP) to synchronize all XML network nodes to a single authoritative reference time source. This simple step adds timestamps to all incoming and outgoing messages. When used with XML Digital Signatures, network managers now have a cryptographically secure timestamp that enhances non-repudiation capabilities by being able to definitively prove at what time a given transaction took place.
XML Encryption requires one to parse the XML transaction, then select the section(s) to encrypt/decrypt and finally perform a set of processing-intensive XML and crypto operations. Because both crypto and XML processing are very resource-intensive, deploying both XML encryption and its companion, XML digital signature, can have a significant performance impact on high-transaction applications. Consolidating some of the functions on to an easy-to-manage secure network device that can encrypt/decrypt or sign/verify XML transactions on their way through the network can cut administrative hassles.
The importance of auditing cannot be underestimated. While many network managers rely on syslog for creating audit trails, this alone is not totally secure. By using a combination of XML Digital Signatures and time stamping, a manager can quickly and easily create secure e-business transaction logs that can be used for non-repudiation. In many instances, legal requirements demand that the logging technology used is secure and verifiable.
People sometimes think XML Web Services security is an all-or-nothing proposition requiring the installation of complex applications or the ratification of many standards. But as XML Web service deployments continue to rise, many organizations will need to tailor these security best practices to meet individual needs.But there exist pragmatic, field-tested practices in XML security that enable organizations to enjoy the cost-cutting, revenue-driving benefits of XML Web Services.
Eugene Kuznetsov is founder, chairman and CTO of Datapower Technology