This article can also be found in the Premium Editorial Download "Information Security magazine: CISO survival guide: 18 of the best security tips."
XML Security Gateways
One of the strategic challenges of applying security in a loosely coupled world is deciding where and how to provide authentication, authorization and auditing in a conversation between a service requester and a service provider. XML security gateways have emerged as effective tools for mediating communication between services and applying security policy at that boundary. They let the organization apply security at the message level, using standards such as WS-Security and SAML to carry security tokens inside the XML message itself (see figure, right). XML security gateways can deliver a number of useful security services in an SOA:
Authentication/authorization. Authenticates and authorizes service requests and responses using open standards such as WS-Security and SAML. Many SOA standards also allow different tokens to live in different namespaces within the same message, such as one token for message routing and another for data access. In practice this means the token protecting, say, account data may be issued in Tokyo while the token protecting routing information is issued in Dallas, and the gateway must be able to validate each against its own issuer.
Audit. Provides a convenient point at which to deploy audit logging for the services it protects.
Input validation. Services remain vulnerable to injection attacks such as SQL or LDAP injection, and they must also withstand attacks on the infrastructure itself, such as those against XML parsers. XML security gateways provide a pipeline in which whitelist and/or blacklist input validation rules are executed before a message reaches the service.
XML Denial of Service (XDoS) protection. There are several known ways to mount a denial of service against a service using XML. These include deeply nested or recursive elements (building the same structure over and over again to exhaust the parser) and jumbo payloads (in a loosely coupled world, nothing stops an attacker from sending a 1 GB file). XML security gateways can deploy specialized logic, such as size, depth and element-count limits, for dealing with XDoS.
Security token and identity mapping. Because SOAs span multiple technologies, a single request can easily traverse a mainframe, Java servers and Windows hosts. Identity tokens typically must be mapped to each platform's local format: the mainframe may require a username and password, the Java system LDAP credentials, and the Windows system a Kerberos ticket. XML security gateways provide an enforcement point for token validation and exchange through token mapping.
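The input-validation and XDoS checks described above can be combined in a single gateway-style filter that runs before a message is handed to the XML parser the service itself uses. The following is an added example written for this article, not code from the article or from any gateway product: it caps payload size before parsing, tracks nesting depth and element count while streaming the document, and applies a default-deny whitelist of per-element value patterns. The SOAP message shape, the element names (AccountId, Amount, Currency, Transfer), the limits and the regular expressions are all constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET

# Constructed gateway policy; the limits are illustrative, not recommendations.
MAX_BYTES = 64 * 1024      # reject jumbo payloads before any parsing happens
MAX_DEPTH = 16             # cap nesting to defeat recursive-element XDoS
MAX_ELEMENTS = 1000        # cap total element count per message

# Default-deny whitelist keyed by local element name. A compiled pattern means
# "leaf element whose text must match"; None means "container, must carry no text".
# Any element not listed is rejected outright.
WHITELIST = {
    "Envelope": None,
    "Body": None,
    "Transfer": None,
    "AccountId": re.compile(r"[A-Z]{2}[0-9]{6,10}"),
    "Amount": re.compile(r"[0-9]{1,9}(\.[0-9]{2})?"),
    "Currency": re.compile(r"[A-Z]{3}"),
}


def local_name(tag):
    """Strip an ElementTree namespace prefix: '{uri}Body' -> 'Body'."""
    return tag.rsplit("}", 1)[-1]


def check_message(data):
    """Apply gateway policy to a raw XML message.

    Returns (True, "ok") when the message passes, otherwise (False, reason).
    Size is checked first so a jumbo payload never reaches the parser; depth
    and element count are enforced on 'start' events so the walk stops as soon
    as a limit is exceeded rather than after the whole document is parsed.
    """
    if len(data) > MAX_BYTES:
        return False, "payload exceeds %d bytes" % MAX_BYTES
    depth = 0
    count = 0
    try:
        for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                count += 1
                if depth > MAX_DEPTH:
                    return False, "nesting depth exceeds %d" % MAX_DEPTH
                if count > MAX_ELEMENTS:
                    return False, "element count exceeds %d" % MAX_ELEMENTS
                continue
            # 'end' event: the element's own text is now available.
            name = local_name(elem.tag)
            if name not in WHITELIST:
                return False, "element not in whitelist: %s" % name
            pattern = WHITELIST[name]
            text = (elem.text or "").strip()
            if pattern is None:
                if text:
                    return False, "container must not carry text: %s" % name
            elif not pattern.fullmatch(text):
                return False, "value fails whitelist for %s" % name
            depth -= 1
            elem.clear()  # release the subtree; we never need the whole tree
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    return True, "ok"


# Constructed sample messages (not captured traffic).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
GOOD_MESSAGE = (
    b'<soap:Envelope xmlns:soap="' + SOAP_NS.encode() + b'"><soap:Body>'
    b"<Transfer><AccountId>GB12345678</AccountId><Amount>250.00</Amount>"
    b"<Currency>USD</Currency></Transfer></soap:Body></soap:Envelope>"
)
# SQL injection attempt smuggled inside a leaf element.
INJECTION_MESSAGE = GOOD_MESSAGE.replace(b"GB12345678", b"GB1' OR '1'='1")
# Recursive-element XDoS: Body nested 20 levels deep.
DEEP_MESSAGE = b"<Envelope>" + b"<Body>" * 20 + b"</Body>" * 20 + b"</Envelope>"
# Jumbo payload: larger than MAX_BYTES, rejected without parsing.
JUMBO_MESSAGE = b"<Envelope>" + b" " * MAX_BYTES + b"</Envelope>"
# Element the policy has never heard of (default deny).
UNKNOWN_ELEMENT_MESSAGE = b"<Envelope><Evil/></Envelope>"

if __name__ == "__main__":
    for label, msg in [("good", GOOD_MESSAGE), ("injection", INJECTION_MESSAGE),
                       ("deep", DEEP_MESSAGE), ("jumbo", JUMBO_MESSAGE),
                       ("unknown", UNKNOWN_ELEMENT_MESSAGE)]:
        print(label, check_message(msg))
```

Two caveats for anyone adapting this. First, the whitelist here validates syntax only; rejecting `GB1' OR '1'='1` stops an obvious injection, but the service behind the gateway should still use parameterized queries, because the gateway cannot know every sink. Second, entity-expansion attacks (the "billion laughs" family) are not addressed by depth and count limits on elements; a production gateway needs a parser with DTD processing disabled or a hardened wrapper such as defusedxml in front of it.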
Many services can be deployed in XML security gateways, and each product has its strengths and weaknesses. The OWASP XML Security Gateway Evaluation Criteria Project (https://www.owasp.org/index.php/Category:OWASP_XML_Security_Gateway_Evaluation_Criteria_Project) provides an open standard set of evaluation criteria, giving vendors a transparent, level playing field on which to define their products' key value propositions and giving buyers a common checklist for comparing them.
This was first published in July 2007