XML Security Gateways
Message mediators
One of the strategic challenges of applying security in a loosely coupled world is where and how to provide authentication, authorization and auditing services in a conversation between a service requester and a service provider. XML security gateways have emerged as effective tools to mediate communication between services and apply security policy. They let the organization take a message-level security approach, using standards such as WS-Security and SAML to carry security tokens in the XML message itself. (See figure, right.) XML security gateways can deliver a number of useful security services in an SOA:
Authentication/authorization. Authenticates and authorizes service requests and responses using open standards such as WS-Security and SAML. Notably, many SOA standards let a single message carry several tokens, distinguished by XML namespace, each serving a different purpose: one token for message routing and another for data access, for example. What this means in practice is that the token protecting, say, account data may be issued in Tokyo, while the token protecting routing information is issued in Dallas, and the gateway has to validate each one against the issuer appropriate to its purpose.
Audit. Because every request and response passes through them, gateways provide a convenient single point at which to deploy audit logging for the services they protect.
Input validation. Services are still vulnerable to injection attacks such as SQL or LDAP injection; additionally, services have to deal with attacks on the infrastructure itself, such as those against XML parsers. XML security gateways provide a pipeline in which to execute whitelist and/or blacklist input validation rules before a message reaches the service.
XML Denial of Service (XDoS) protection. There are several known ways to mount a denial of service against a service using XML. These include deeply nested or recursively repeated elements (forcing the parser to build the same structure over and over again) and jumbo payloads (in a loosely coupled world there is nothing to stop an attacker from sending a 1 GB file). XML security gateways can apply specialized logic, such as size, nesting-depth and element-count limits, to deal with XDoS before a parser is exposed to the message.
Security token and identity mapping. Since SOAs span multiple technologies, a single request can easily traverse a mainframe, Java servers and Windows. Typically the identity token must be mapped to each local format: the mainframe may require a username/password, the Java system uses LDAP, and the Windows system uses Kerberos. XML security gateways provide an enforcement point for token validation and exchange through token mapping.
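The two identity points above (tokens for different purposes carried in different namespaces, and mapping one validated identity to each backend's format), as an added Python example that is not the article's or any gateway product's code. The SOAP 1.1, WS-Security and SAML 2.0 namespace URIs are the real ones; the issuer allow-list, the routing identity, the three backend naming rules and the sample message are assumptions constructed for the example. It deliberately does not verify XML signatures, which a real gateway must do before trusting anything in the header.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Real namespace URIs for SOAP 1.1, WS-Security (wsse) and SAML 2.0 assertions.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed policy: who may issue a token for each purpose. The routing token and
# the data-access token may legitimately come from different places.
TRUSTED_DATA_ISSUERS = {"https://idp.tokyo.example"}   # assumed
ROUTING_IDENTITIES = {"router-dallas"}                  # assumed


class TokenError(Exception):
    """Raised when the security header cannot be accepted."""


def extract_tokens(raw: bytes, now=None) -> dict:
    """Pull the routing and data-access tokens out of wsse:Security, keyed by purpose.

    NOTE: no XML signature verification here; a real gateway verifies the
    assertion's signature against the issuer's key before trusting any of it.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(raw)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise TokenError("no wsse:Security header")
    tokens = {}
    for child in sec:
        ns, _, local = child.tag[1:].partition("}")   # "{ns}local" -> (ns, local)
        if ns == NS["wsse"] and local == "UsernameToken":
            user = child.findtext("wsse:Username", default="", namespaces=NS).strip()
            if user not in ROUTING_IDENTITIES:
                raise TokenError("unknown routing identity %r" % user)
            tokens["routing"] = {"namespace": ns, "subject": user}
        elif ns == NS["saml"] and local == "Assertion":
            issuer = child.findtext("saml:Issuer", default="", namespaces=NS).strip()
            if issuer not in TRUSTED_DATA_ISSUERS:
                raise TokenError("untrusted SAML issuer %r" % issuer)
            cond = child.find("saml:Conditions", NS)
            expiry = cond.get("NotOnOrAfter") if cond is not None else None
            if expiry is None:
                raise TokenError("assertion carries no NotOnOrAfter")
            if now >= datetime.fromisoformat(expiry.replace("Z", "+00:00")):
                raise TokenError("assertion expired at %s" % expiry)
            subject = child.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
            if not subject:
                raise TokenError("assertion has no subject")
            tokens["data_access"] = {"namespace": ns, "issuer": issuer, "subject": subject}
        else:
            raise TokenError("unexpected token %s in namespace %s" % (local, ns))
    if set(tokens) != {"routing", "data_access"}:
        raise TokenError("both a routing token and a data-access token are required")
    return tokens


def map_identity(subject: str) -> dict:
    """Translate one e-mail-style subject into the formats three assumed backends want."""
    local, _, domain = subject.partition("@")
    if not local or not domain:
        raise TokenError("subject is not of the form user@domain")
    # Assumed mainframe rule: uppercase letters/digits only, at most 8 characters.
    mainframe = re.sub(r"[^A-Z0-9]", "", local.upper())[:8]
    # Assumed LDAP layout: uid under ou=people, domain split into dc components.
    ldap_dn = "uid=%s,ou=people,%s" % (local, ",".join("dc=" + p for p in domain.split(".")))
    # Kerberos principal in the realm named after the upper-cased domain.
    kerberos = "%s@%s" % (local, domain.upper())
    return {"mainframe": mainframe, "ldap": ldap_dn, "kerberos": kerberos}


def screen_tokens(raw: bytes, now=None):
    """Wrapper returning (True, tokens) or (False, reason) instead of raising."""
    try:
        return True, extract_tokens(raw, now)
    except (TokenError, ET.ParseError) as exc:
        return False, str(exc)


# Constructed sample message (not real traffic): a routing UsernameToken and a
# SAML assertion from a different issuer, side by side in one header.
SAMPLE_SOAP = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <soap:Header><wsse:Security>
    <wsse:UsernameToken><wsse:Username>router-dallas</wsse:Username></wsse:UsernameToken>
    <saml:Assertion>
      <saml:Issuer>https://idp.tokyo.example</saml:Issuer>
      <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
      <saml:Conditions NotOnOrAfter="2030-01-01T00:00:00Z"/>
    </saml:Assertion>
  </wsse:Security></soap:Header>
  <soap:Body><getBalance><accountId>12345678</accountId></getBalance></soap:Body>
</soap:Envelope>"""
SAMPLE_EXPIRED = SAMPLE_SOAP.replace(b"2030-01-01", b"2020-01-01")
SAMPLE_ROGUE_ISSUER = SAMPLE_SOAP.replace(b"idp.tokyo.example", b"idp.attacker.example")
```

Running `screen_tokens(SAMPLE_SOAP)` accepts the message and yields the two tokens keyed by purpose; `map_identity` on the SAML subject then produces the three backend credentials. The expired and rogue-issuer variants are refused at the token stage, before any mapping happens, which is the ordering a gateway should preserve: validate, then exchange.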
There are many services that can be deployed in XML security gateways, and each tool has its strengths and weaknesses. The OWASP XML Security Gateway Evaluation Criteria Project (https://www.owasp.org/index.php/Category:OWASP_XML_Security_Gateway_Evaluation_Criteria_Project) provides an open standard for evaluation criteria that represents a transparent, level playing field for XML security gateway solutions to define their solution's key value propositions.
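The input validation and XDoS items above, as one added Python example (not code from the article or from any gateway product): a minimal request pipeline that rejects jumbo payloads before parsing, refuses DTDs so entity expansion never runs, enforces nesting-depth and element-count limits while stream-parsing, and applies whitelist rules to the fields a backend will consume. The limits, the field names and their patterns, and the sample messages are all assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from io import BytesIO

# Assumed policy limits for this example; a real gateway makes these configurable.
MAX_BYTES = 64 * 1024      # reject jumbo payloads before any parsing happens
MAX_DEPTH = 16             # cap element nesting
MAX_ELEMENTS = 1000        # cap total element count

# Whitelist rules (assumed): local element name -> pattern its whole text must match.
WHITELIST = {
    "accountId": re.compile(r"[0-9]{8}"),
    "amount": re.compile(r"[0-9]{1,9}(\.[0-9]{2})?"),
}


class RejectedMessage(Exception):
    """Raised when a message fails any stage of the pipeline."""


def check_message(raw: bytes) -> dict:
    """Run the gateway pipeline on one request body.

    Returns the whitelisted fields on success; raises RejectedMessage otherwise.
    """
    # Stage 1: size limit, checked before the parser ever sees the bytes.
    if len(raw) > MAX_BYTES:
        raise RejectedMessage("payload exceeds %d bytes" % MAX_BYTES)

    # Stage 2: refuse any DTD. Entity expansion ("billion laughs") and external
    # entities both ride on DOCTYPE/ENTITY declarations. Decoding first means a
    # non-UTF-8 encoding cannot be used to hide the declaration from this check.
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise RejectedMessage("body is not UTF-8")
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise RejectedMessage("DTD and entity declarations are not allowed")

    # Stage 3: stream-parse, enforcing depth and element-count limits as we go,
    # and apply whitelist rules to each element as it closes.
    depth = count = 0
    fields = {}
    try:
        for event, elem in ET.iterparse(BytesIO(raw), events=("start", "end")):
            if event == "start":
                depth += 1
                count += 1
                if depth > MAX_DEPTH:
                    raise RejectedMessage("nesting deeper than %d levels" % MAX_DEPTH)
                if count > MAX_ELEMENTS:
                    raise RejectedMessage("more than %d elements" % MAX_ELEMENTS)
                continue
            depth -= 1
            local = elem.tag.rsplit("}", 1)[-1]   # strip any "{namespace}" prefix
            rule = WHITELIST.get(local)
            if rule is not None:
                value = (elem.text or "").strip()
                if rule.fullmatch(value) is None:
                    raise RejectedMessage("field %s failed whitelist rule" % local)
                fields[local] = value
            elem.clear()   # keep memory bounded for large but legal documents
    except ET.ParseError as exc:
        raise RejectedMessage("malformed XML: %s" % exc)
    return fields


def screen(raw: bytes):
    """Wrapper returning (True, fields) or (False, reason) instead of raising."""
    try:
        return True, check_message(raw)
    except RejectedMessage as exc:
        return False, str(exc)


# Constructed sample messages (not real traffic).
SAMPLE_OK = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
             b'<soap:Body><getBalance><accountId>12345678</accountId>'
             b'<amount>10.00</amount></getBalance></soap:Body></soap:Envelope>')
SAMPLE_INJECTION = SAMPLE_OK.replace(b"12345678", b"1' OR '1'='1")
SAMPLE_DEEP = b"<a>" * (MAX_DEPTH + 4) + b"</a>" * (MAX_DEPTH + 4)
SAMPLE_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                 b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;">]><a>&lol2;</a>')
SAMPLE_JUMBO = b"<a>" + b"x" * (MAX_BYTES + 1) + b"</a>"

if __name__ == "__main__":
    for name, msg in [("ok", SAMPLE_OK), ("injection", SAMPLE_INJECTION),
                      ("deep", SAMPLE_DEEP), ("laughs", SAMPLE_LAUGHS),
                      ("jumbo", SAMPLE_JUMBO)]:
        print(name, screen(msg))
```

The order of the stages matters: the size check and the DTD check run on raw bytes, so a hostile document is rejected before a parser can be made to expand entities or allocate a deep tree, and the whitelist runs on decoded element text, so an injection string hidden behind an XML entity such as `&#39;` is still caught. A production gateway would normally validate against the service's schema instead of a hand-written whitelist, but the pipeline shape is the same.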
--Gunnar Peterson