
FORUM SYSTEMS

Web Services and SOA Security


SOA for E-Government Conference

Greg Hudson, Vice President Sales

Forum SOA for e-Gov Conference 2006


Company Overview
Founded: May 2001
Product: Forum Sentry™
Maturity: In production since 2002
Over 150 customers

Accomplishments
• Mature product, Version 6.0
• Leader in SOA Security Infrastructure
• Award winning technology
• Award winning company
• Sales presence in all major US cities
• Global operations and support
• Flexible, Functional, Scalable
  – Hardware and Software
  – Development to Deployment
  – Test, Protect, Trust, Assurance
  – Simple to Sophisticated
• Non-Invasive Installation
• Strong, well established partnerships

Customers
Citigroup, Motorola, Amazon.com, T-Mobile, MassMutual, NWM, US Navy, Capital Group, Knights of Columbus, NATO, US Air Force, Amazon, Phoenix Companies, IRS, Chubb Insurance, Navy Medical Center, USDA, Charles Schwab, Providian, AFG, Marsh, Synovus….

Certifications
• Only FIPS 140-2 Level III SOA Appliance
• DoD PKI Certification
• EAL 4+ Common Criteria (in final stages)
Industry In Transition

From .COM and EDI to XML and Web Services:
• Business Agility
• Open Standards
• Service Contracts
• Loose Coupling
• Autonomy
• Abstraction
• Common Semantics


Service-Oriented Architecture: A Foregone Conclusion?

Forrester: Over 80 percent of business application products sold between 2005 and 2008 will be Service Oriented Business Applications.

ZapThink: Estimates that XML will represent 25% of all network traffic by 2006.

Gartner Group: Predicts that over 80% of all software development will be based on SOA by 2008.
Evolution of The IP Network
Application-Oriented Networking

A metadata layer (WS-*, WSDL, SOAP, XML) on top of Internet Protocol Networking:
1. The service provider describes itself and its interfaces to the directory using WSDL
2. The service consumer locates the service in the directory and finds the service details
3. Consumer and service interact using XML/SOAP, likely over HTTP
So What’s Stopping You?

Approximately 75% of attacks today target business applications, and these threats are poised to rise with the growing adoption of XML web services.

[Diagram: The Automated Enterprise: HTML, XML, SOAP, UDDI, WSDL]

By 2005, web services will have reopened 70 percent of the attack paths against Internet-connected systems that were closed by network firewalls.

By 2008 at least 30 percent of companies that have deployed web services applications will fall victim to successful hacker attacks causing more than four hours of downtime to business-critical functions.


The Need for an XML/Web Services Security Infrastructure

[Diagram: a Web Services Consumer on the Internet sends "1. Execute Order" to the Web Services Producer's Order Fulfillment Request Management; "2. Order Fulfillment Message" crosses the web server and application server to Inventory Management and the Customer Database; "3. Explosive Document" shows a malicious inbound message and "4. Sensitive Document" a leaking outbound one. Network-layer controls stop at the perimeter; the remaining questions are application-layer ones.]

Questions a network firewall cannot answer:
• Is this valid XML/SOAP?
• Is the request accessing data using inadequate privileges?
• Is message privacy/integrity assured?


You Can’t Deploy Web Services Without Security

Service Oriented Architecture/Web Services greatly simplify application integration and increase business opportunities… but also introduce new concerns:

• Security
  – XML and SOAP expose valuable backend systems
  – XML Denial of Service, buffer overruns, SQL Injection
  – SSL is insufficient for message confidentiality (it protects a single transport hop, not the message itself)
  – Protecting against unauthorized access

• Manageability
  – Policy development and enforcement becomes difficult
  – Root cause & business impact analysis is challenging
  – Upholding service level agreements becomes challenging
  – And most importantly, service lifecycles accelerate out of control


Are SSL and Firewalls Enough…?

The majority (over 98%) of breaches happen while the data is at rest, not in transit:

• Firewalls still allow OPEN PORTS (80 & 443)
• SSL begins and terminates at the network perimeter
• SSL is point-to-point and breaks down in a multi-hop environment
• SSL is not data aware: it just encrypts everything that is there
• SSL hides content from switches
• SSL is dependent on the network
• SSL and VPNs do not authenticate at the data level and rarely at the transport user level
• Firewalls are not content aware


Firewalls Are Blind to XML/SOAP

<Firewall Inspection Depth>

Firewalls cannot scan and block malicious payloads.

<XML/SOAP Inspection is about Context, Not Just Content>


XML-related Threat Reference Table

Schema Poisoning
  Description: Manipulating the XML Schema to alter processing information
  Protection: Protect against schema poisoning by relying on trusted WSDL documents and XML Schemas

XML Parameter Tampering
  Description: Injection of malicious scripts or content into request parameters
  Protection: Validation of parameter values to ensure they are consistent with WSDL and XML Schema specifications

Inadvertent XML DoS
  Description: Poorly encoded SOAP messages causing the application to fail
  Protection: Content inspection ensures SOAP messages are constructed properly according to WSDL, XML Schema and intrusion prevention rules

WSDL Scanning
  Description: Scanning the WSDL interface can reveal sensitive information about invocation patterns, underlying technology implementations and associated vulnerabilities
  Protection: Web services cloaking hides the web service’s true location from consumers

Oversized Payload
  Description: Sending oversized messages to create an XDoS attack
  Protection: Inspect the payload and enforce element, document, and other maximum payload thresholds

Recursive Payload
  Description: Sending mass amounts of nested data to create an XDoS attack against the XML parser
  Protection: Content inspection ensures SOAP messages are constructed properly according to WSDL, XML Schema, and other security specifications
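The Oversized Payload, Recursive Payload and Inadvertent XML DoS rows above (and the External Entity row in the second table) all reduce to checks a gateway can run on the raw message before a tree-building parser ever sees it. The following Python is an added example and not Forum Sentry code: it streams the message through the standard library's expat bindings, enforces size, depth and element-count thresholds, and refuses any DOCTYPE outright (SOAP 1.1 forbids a DTD in a message, and the DTD is the vehicle for entity-expansion and external-entity attacks). The thresholds, function names and sample envelopes are illustrative assumptions, not product defaults.

```python
"""Gateway-style XML admission control with expat: reject oversized, deeply
nested, element-heavy and DTD-bearing payloads on the first violation.
Added example, not Forum Systems code; thresholds are illustrative."""
import xml.parsers.expat as expat


class XmlPolicyViolation(Exception):
    """Raised when a payload breaks one of the admission thresholds."""


def screen_xml(data: bytes, *, max_bytes: int = 64 * 1024,
               max_depth: int = 32, max_elements: int = 10_000) -> dict:
    """Stream-parse `data` and enforce payload thresholds.

    Returns parse statistics on success; raises XmlPolicyViolation on the
    first violation (so a hostile payload costs at most one threshold's worth
    of work) and expat.ExpatError on malformed XML.
    """
    if len(data) > max_bytes:                       # Oversized Payload
        raise XmlPolicyViolation(f"payload {len(data)} bytes exceeds {max_bytes}")

    stats = {"depth": 0, "max_depth": 0, "elements": 0}
    parser = expat.ParserCreate()
    # Never fetch or expand parameter entities from external sources.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # SOAP 1.1 messages MUST NOT contain a DTD; a DTD is also where
        # billion-laughs and External Entity attacks are declared.
        raise XmlPolicyViolation(f"DOCTYPE '{name}' not permitted in SOAP")

    def external_entity_ref(context, base, system_id, public_id):
        raise XmlPolicyViolation(f"external entity reference to {system_id!r}")

    def start_element(name, attrs):                 # Recursive Payload
        stats["depth"] += 1
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > max_depth:
            raise XmlPolicyViolation(f"nesting depth exceeds {max_depth} at <{name}>")
        if stats["elements"] > max_elements:
            raise XmlPolicyViolation(f"element count exceeds {max_elements}")

    def end_element(name):
        stats["depth"] -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.Parse(data, True)                        # True = final chunk
    return {"max_depth": stats["max_depth"], "elements": stats["elements"]}


# Constructed sample messages for the demo (not captured traffic).
GOOD_SOAP = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><ExecuteOrder><OrderId>1001</OrderId></ExecuteOrder></soap:Body>
</soap:Envelope>"""

XXE_SOAP = b"""<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><ExecuteOrder><OrderId>&xxe;</OrderId></ExecuteOrder></soap:Body>
</soap:Envelope>"""

RECURSIVE_SOAP = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
                  + b"<a>" * 500 + b"</a>" * 500 + b"</soap:Body></soap:Envelope>")


def verdict(data: bytes) -> str:
    """Convenience wrapper returning 'accept' or 'reject: <reason>'."""
    try:
        screen_xml(data)
        return "accept"
    except (XmlPolicyViolation, expat.ExpatError) as exc:
        return f"reject: {exc}"


if __name__ == "__main__":
    for label, msg in [("good", GOOD_SOAP), ("xxe", XXE_SOAP), ("recursive", RECURSIVE_SOAP)]:
        print(f"{label:9s} -> {verdict(msg)}")
```

The thresholds are deliberately enforced inside the expat callbacks rather than after parsing: a recursive payload is stopped at depth 33, not after all 500 levels have been consumed, which is the whole point of doing admission control in a gateway.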


XML-related Threat Table (2)

XML Routing Detours
  Description: Redirecting sensitive data within the XML path
  Protection: WSDL virtualization enforces strict routing behavior

SQL Injection
  Description: SQL Injection allows commands to be executed directly against the database for unauthorized disclosure and modification of data
  Protection: Rely on dirty word searches, restrictive context-sensitive filtering and data validation techniques. (Keyword blacklists are routinely evaded; schema-driven validation at the gateway complements, but does not replace, parameterized queries in the backend.)

External Entity Attack
  Description: An attack on an application that parses XML input from un-trusted sources
  Protection: Suppress external URI references to protect against malicious data sources and instructions; rely on well-known and certified URIs

Malicious Code Injection
  Description: Scripts embedded within a SOAP message can be delivered directly to applications and databases; traditional binary executables and viruses attached to SOAP payloads
  Protection: Content inspection of SOAP attachments ensures messages contain legitimate content as defined in the WSDL, XML Schema and content security policies

Identity Centric Attack
  Description: Credentials are forged or impersonated in an attempt to access sensitive data
  Protection: Enforce basic or strong authentication at the SOAP message level with auditing and logging for forensic analysis
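The Identity Centric Attack row calls for authentication at the SOAP message level rather than at the transport. As an added example (not the page's or Forum Systems' code), here is the verification side of a WS-Security UsernameToken with PasswordDigest: the namespace URIs and the Base64(SHA-1(nonce + created + password)) formula are from the OASIS Username Token Profile 1.0; the password store, the five-minute freshness window, the fixed clock and the sample envelope are constructed assumptions. It also shows the two checks the digest alone does not give you, a freshness window on Created and a nonce cache, without which a captured header can simply be resent.

```python
"""WS-Security UsernameToken (PasswordDigest) verification with freshness and
replay checks.  Added example, not Forum Sentry code; only the namespace URIs
and digest formula come from the OASIS profile."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Profile formula: Base64(SHA-1(nonce + created + password)).
    SHA-1 is what the 2004 profile specifies; the digest proves possession of
    the password only, it does not protect the message body."""
    return base64.b64encode(
        hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    ).decode()


class UsernameTokenVerifier:
    def __init__(self, passwords: dict, max_skew: timedelta = timedelta(minutes=5)):
        self._passwords = passwords          # constructed store; an IdAM/LDAP lookup in practice
        self._max_skew = max_skew
        self._seen_nonces = set()            # per-gateway replay cache

    def verify(self, soap_xml: bytes, now: datetime) -> tuple:
        root = ET.fromstring(soap_xml)
        token = root.find(f".//{{{WSSE}}}UsernameToken")
        if token is None:
            return False, "no UsernameToken"
        user = token.findtext(f"{{{WSSE}}}Username") or ""
        pw = token.find(f"{{{WSSE}}}Password")
        nonce_el = token.find(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if pw is None or pw.get("Type") != DIGEST_TYPE or nonce_el is None or not created:
            return False, "digest, nonce and created are all required"
        # Freshness: Created must fall inside the clock-skew window.
        try:
            ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "bad Created timestamp"
        if abs(now - ts) > self._max_skew:
            return False, "token expired or clock skew too large"
        # Replay: the same nonce is never accepted twice.
        nonce = base64.b64decode(nonce_el.text or "")
        if nonce in self._seen_nonces:
            return False, "nonce replayed"
        expected = password_digest(nonce, created, self._passwords.get(user, ""))
        if user not in self._passwords or not hmac.compare_digest(expected, pw.text or ""):
            return False, "digest mismatch"
        self._seen_nonces.add(nonce)
        return True, f"authenticated {user}"


def build_header(user: str, password: str, nonce: bytes, created: str) -> bytes:
    """Constructed client-side SOAP envelope carrying a UsernameToken."""
    return f"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <soap:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>{user}</wsse:Username>
    <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>
    <wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>
    <wsu:Created>{created}</wsu:Created>
  </wsse:UsernameToken></wsse:Security></soap:Header>
  <soap:Body><ExecuteOrder/></soap:Body>
</soap:Envelope>""".encode()


NOW = datetime(2006, 5, 1, 12, 0, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def demo() -> list:
    v = UsernameTokenVerifier({"alice": "correct horse battery"})
    msg = build_header("alice", "correct horse battery", b"\x01\x02\x03\x04", "2006-05-01T11:59:30Z")
    results = [v.verify(msg, NOW)]                               # fresh, valid
    results.append(v.verify(msg, NOW))                           # identical resend: replay
    forged = build_header("alice", "guess", b"\x05\x06\x07\x08", "2006-05-01T11:59:30Z")
    results.append(v.verify(forged, NOW))                        # wrong password: forged credential
    stale = build_header("alice", "correct horse battery", b"\x09\x0a", "2006-05-01T10:00:00Z")
    results.append(v.verify(stale, NOW))                         # two hours old
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", "-", why)
```

The nonce cache only needs to remember nonces for the length of the freshness window, since anything older is rejected on Created alone; in a clustered gateway that cache has to be shared, or the replay check is only as good as the node the attacker happens to hit.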


Security Is Never One Size Fits All

Trust Management
• Message Integrity (Sign & Verify)
• Message Privacy (Encrypt & Decrypt)
• Crypto and XML Acceleration
• Protocol & Message Authentication
• Authentication & Access Control
• SAML, WS-Trust, WS-Federation
• Interoperability: WS-I, WS-Security
• DoD PKI, FIPS, Common Criteria

Threat Protection
• Filter all SOAP/XML Messages for Threats/Information Leak
• Attack Prevention – XML DoS, Antivirus


Basic Web Service Invocation

Message exchange patterns between Requestor and Provider:
• Request/Reply
• Solicit/Response
• One-way
• Notification


Web Service Invocation with WS Security Gateway

Requestor → FS (Proxy) → Provider

The FS proxy applies the security definitions to traffic carried over HTTP(S), MQ/JMS and Tibco/JMS.


Web Service Enablement – Security

Protocol Mediation

Making SOA Operational: Lines of Deployment


Mature SOA Deployment Requirements

Security: Attack Prevention, Authentication, Access Control, Data Confidentiality, Identity Services
Web Services Delivery: Connectivity, Scaleable Transports, Availability, Accessibility, Performance
Policy/Governance: SLAs, Exceptions, Enforcement, Activity Reporting, Monitoring, Privacy, Traceability, Auditing


Security Policy – Four Major Phases

• Secure
  – Authentication
  – Encryption
  – Firewall
  – Vulnerability Mitigation
• Monitor
• Testing
• Improve

The cycle Secure → Monitor → Testing → Improve → Secure is applicable in each lifecycle phase.


Web Services Life-cycle Security

Execute-Time Protections
  Perimeter Protection: SSL concentration, Sig check/decryption, XML/SOAP processing, Malcode filtering, Endpoint filtering, Antivirus
  Policy Enforcement: Security management, Service management, Identity management, Profile compatibility, Apply Sig/Encryption, Transform/Redirect
  App-specific Protections: WSDL validation, Schema validation, Content inspection, Monitoring, Discovery, Vulnerability mgmt.

Development-Time Protections
  Vulnerability Testing, WSDL Generation, Schema Generation, WSDL Tightening, Schema Tightening
  The App.: App.-specific controls


US Government - Secure Data Requirements

» U.S. Gov. Systems Security Requirements
  » DITSCAP (DIACAP), DCID 6/3, FISMA, NSTISSP #11, CNSS Policy #15, NCES, EGA, GISRA . . . .
» Gov. Certification and Accreditation Requirements
  » FIPS - Federal Information Processing Stds.
  » DoD PKI Compliance
  » NIAP Common Criteria Certification
» eGov and Federal Enterprise Architecture Standards
  » OASIS, W3C, WS-I, Liberty Alliance


IA – Information Assurance - Security

Threat Mitigation - Intrusion Detection and Message Threat Prevention
• Web Services validation - Only valid WSDLs and XML are allowed to be published and consumed
• SOAP and XML Validation - Only properly formatted SOAP and XML are permitted
• SOAP and XML Message-based Denial of Service Mitigation – SOAP messages and XML are scrubbed for potential denial of service threats and quarantined
• SOAP with XML and non-XML attachments Virus Scanned – SOAP with attachments are scanned for known virus signatures and quarantined

Trust - Information Policy Management & Trust Enforcement
• Authentication and Authorization - Only authorized users (service consumers, service providers, and applications) access Web Services.
• Confidentiality - Protects messages or documents so that they cannot be made available to unauthorized parties.
• Data Integrity - Provides protection against unauthorized alteration of messages during transit.
• Non-repudiation - Ensures that a sender cannot deny a message already sent, and a receiver cannot deny a message already received. (Non-repudiation is especially important in monetary transactions and security auditing.)
• Accountability - Provides secure logging and auditing. (Supports non-repudiation.)
• Interoperability – Government and industry standards support interoperability between entities


Forum Systems: The Leader in Web Services and SOA Security

• A comprehensive suite of XML Acceleration, Trust Management and Threat Protection solutions that actively protects XML data and Web services across networks & business boundaries
  – Flexible hardware, software and embedded products
  – Seamless security solutions architecture – adaptive, life-cycle

• Trust Management
• Threat Protection
• XML Acceleration
PRODUCT LINE
• Web Services Firewall
• SOA Gateway
• Web Services Diagnostics
• XML Accelerator
• Vulnerability Containment

Hardware: Rack mounted appliances (HP BladeCenter, eBlade from IBM, Crossbeam APM); appliances consist of specific components for high speed optimization (Intel Xeon, Broadcom, nCipher, SafeNet)
Software: Windows 64-bit, Linux, Solaris, Unix
• 32-bit and 64-bit Architecture
• All products available in multiple form factors


Flexibility … In Deployment Options

The most extensive technology partnerships in the industry


ROI: Security, Management & Acceleration

[Diagram: Web Service Client → Forum gateway → Web Service, with an LDAP Directory and a Policy Server beside the gateway]
1. HTTP(S) traffic from the Web Service Client
2, 3. Authentication/Access Decision
4, 5. Authentication/Access Delegation (Policy Server and LDAP Directory)
6. Authorized Web Service request forwarded as MQ/JMS/HTTP(S) traffic

• Request Processing
  – Authenticates user to IdAM
  – Inspects messages and attachments for threats
  – Encrypts sensitive data
  – Generates SAML assertions in the WS-Security header
• Response Processing
  – Inspects messages and attachments for threats
  – Inspects messages for data leaks
  – Obfuscates sensitive exceptions
Forum Government Focus

Security is our First Priority

» Our products are aligned with government use cases
» Prevent, Guard, Protect, Compliance
» Federal Information Processing Stds. (FIPS 140-2 Level III)
» Only security gateway to provide an entire FIPS-compliant hardware-based solution that implements the NIST crypto security standards.
» DoD PKI Compliance
» Only security gateway to be interoperable with the Joint Interoperability Test Command (JITC)
» NIAP Common Criteria Certification EAL 4+ (final stages)
» Federal Enterprise Architecture (FEA)/Federal XML Working Group, Liberty Alliance, OASIS, W3C


Forum XRay – Closing the Security Loop

Pre-Deployment Security
• Identify Vulnerabilities
• Reporting
• Conformance Testing

Operational Security
• Active Monitoring of the Web Services Topology
• Real-time Profiling
• Integration w/ Enforcement Products (XWall)

[Diagram: Web Service Developers, Web Services Security Management, Vulnerability Database (VulCon™)]


XRAY Features

Feature (XRAY Enterprise SOA)
• Dynamic Service Testing √
• Vulnerability Assessment √
• Job History √
• Test Results Reporting √
• VulCon & XWall Integration √
• Policy Driven Security Testing √
• Policy Compliance Reporting √
• Centralized Management √
• Enterprise Collaboration √
• Shared Library (User selected DB) √


Web Services Firewall

Web administration via a "wizard" based configuration: policy configuration, SLA monitoring, auditing, logging.

[Diagram: Internet → XML/SOAP → Web Services Security Management → Protected Web Services and Content]

Admission Control & Threat Protection
• XML Web services Authentication and Access Control
• XML Schema Validation and XML Intrusion Prevention
• Standards Support – WS-I, WS-Security
• Attack Prevention – Denial of Service, Virus, Probe & Extract, XML/XSD Schema & WSDL Breaches
• WSDL Aggregation and Obfuscation


Web Services Security Gateway

Management & Acceleration of XML Web Services

[Diagram: Internet → XML/SOAP → Web Services Security Management → Protected Web Services and Content]

• Sign, Verify, Encrypt, Decrypt, Validate, Transform XML messages
• Support HTTP(S) to JMS gateway functionality - protocol mixing
• Accelerated SSL connections
• Content based routing
• Message authentication via Single Sign-On (SSO) tokens: CA/Netegrity, IBM Tivoli, Oblix COREid, RSA ClearTrust
• Gov. certification of appliance


Features

• Data Admission Control
  – Validate XML structure
  – Filter for malicious content (malware, viruses, SQL injection, DoS)
  – Ensure interoperability
  – Schema Tightening
  – Large Attachment Support
  – Web Service Cloaking

• Web Service Authorization
  – Fine-grained WSDL/SOAP/XML authentication
  – Business API access control
  – Identity and entitlements administration
  – Identity Management Integration (add-on)
    • CA/Netegrity SiteMinder, RSA ClearTrust
    • IBM Tivoli Access Manager
    • Oblix COREid
    • Integration with Systinet, AmberPoint, HP SOA Manager . . .


Features

• Web Services Privacy and Integrity
  – High Performance XML Processing
  – Element-level encryption
  – Electronic (digital) signatures
  – Support for WS-Security 2004
    • SAML Token Profile
    • Username Token Profile
    • SOAP with Attachments
    • Kerberos
  – 100% DoD PKI certification
  – Content Based Routing
  – Protocol mixing
    • IBM MQ
    • Tibco Rendezvous & EMS
    • JMS Compliant
    • SMTP
Vulnerability Containment

Single source of XML-related vulnerabilities:
• Threat intelligence subscription service
• Product vulnerability lookup dictionary
• Tools to limit exposure for SOAs and Web Services
• Notifications via HTML, WSDL/XML, RSS and Email
• Automated delivery of industrial strength anti-virus
• Real-time policy updates (XML Intrusion Prevention)
• Patch updates: stored and updated by product, version, vulnerability
• Vulnerability response management – cross-platform

[Diagram: XML Vulnerability Intelligence Database; Security Threat Intelligence]