Firewalls: Block Improper Activity
A firewall can increase the security of a Web service and the environment in which it operates. Because Web service code inherits a large number of common vulnerabilities from the Web process that executes it, safeguarding the data that may be sent to the computer hosting your Web service is important. Microsoft's firewall server, Internet Security and Acceleration Server (ISA) 2000, performs this task. Few other firewalls are mature enough to offer the same assurance, simply because filtering application layer data is so complex.
From the firewall perspective, HTTP requests (which act as the transport for SOAP messages) should be evaluated for the following criteria:
- HTTP Host Header Compliance: All HTTP requests should contain a host header and should follow the HTTP 1.1 specification. The requests generated by Web audit tools such as Whisker and malicious worms such as NIMDA and Code Red do not follow this specification. Additionally, requests that "randomly generate" (a technique commonly used by worm programs) rely on reverse DNS to generate the proper host header. Ensuring that reverse DNS names do not match the true DNS name bound (as a valid destination/identity) to the exposed Web instance can quickly defeat attacker scanning tools.
- Exposing Specific Virtual Directories and Files: Many Web vulnerabilities exploit sample code packaged with the Web server or misbehaving script mappings in Web server extensions. Microsoft ISA Server allows the unique publication of specific virtual directories or individual files. By doing so, vulnerabilities inherited from the Web server are mitigated (unless published!).
- XML Filtering: ISA Server has the ability to perform rigorous application layer analysis. It can analyze protocols such as XML over HTTP and guarantee that requests are proper. The importance of this analysis is twofold. First, the firewall can stop malicious data before it reaches the target host running the Web service. Second, you can apply role-based access control, which ensures the authorization of the user or process submitting the request. For environments that demand intensive auditing, Microsoft ISA Server can parse and log requests on a facility separate from the intended target (which will help determine events if a compromise occurs).
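The first two criteria above can be expressed as a small request filter. The following is an added example, not ISA Server's implementation or code from the original text; the host name, the published paths and the sample requests are constructed assumptions.

```python
# Added example: checks modeled on the Host header and published-path criteria.
# PUBLISHED_HOST and PUBLISHED_PATHS are hypothetical values, not from the text.
import posixpath
from urllib.parse import unquote, urlsplit

PUBLISHED_HOST = "services.example.com"               # assumed public DNS name
PUBLISHED_PATHS = ("/orders/", "/quotes/rate.asmx")   # assumed published items

def evaluate_request(raw: bytes):
    """Return (allowed, reason) for the head of one raw HTTP request."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    target, version = parts[1], parts[2]
    if version != "HTTP/1.1":
        return False, "not HTTP/1.1"
    # HTTP/1.1 requires exactly one Host header.
    hosts = [l.split(":", 1)[1].strip() for l in lines[1:]
             if l.lower().startswith("host:")]
    if len(hosts) != 1:
        return False, "missing or duplicate Host header"
    # Ignore a port suffix; an IP literal or a reverse-DNS name will not
    # equal the published name and is rejected.
    name = hosts[0].rsplit(":", 1)[0] if hosts[0].count(":") == 1 else hosts[0]
    if name.lower().rstrip(".") != PUBLISHED_HOST:
        return False, "Host does not match published name"
    # Decode and normalize before matching so encoded or dotted traversal
    # cannot reach an unpublished directory.
    path = unquote(urlsplit(target).path)
    if "\\" in path or "\x00" in path or "%" in path:
        return False, "suspicious path encoding"
    norm = posixpath.normpath(path)
    if path.endswith("/") and norm != "/":
        norm += "/"
    for pub in PUBLISHED_PATHS:
        if norm == pub or (pub.endswith("/") and norm.startswith(pub)):
            return True, "ok"
    return False, "path not published"

# Constructed sample requests (not captured traffic).
SAMPLES = [
    b"POST /orders/submit.asmx HTTP/1.1\r\nHost: services.example.com\r\n\r\n",
    b"GET /orders/ HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    b"GET /orders/..%2f..%2fscripts/x.exe HTTP/1.1\r\nHost: services.example.com\r\n\r\n",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(evaluate_request(sample))
```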
VPNs: Guarantee Confidentiality, Integrity, and Authenticity
Web services that are used between business partners may require more intense control. From the network perspective, implementing VPN technology can guarantee the confidentiality and integrity of Web services. Traditionally, VPNs have been used to enable secure inter-company communications or as remote-access facilities for users. However, VPNs also can play a valuable role in guaranteeing the security of your partner communications and the Web services that rely on the network.
Although you can utilize traditional X.509 resources with XML signatures, these security assurances can drastically increase the size of each SOAP message. By implementing VPNs, you guarantee the confidentiality, integrity, and authenticity of messages through traditional IP security (IPSec) facilities.
IPSec also resides at the network layer of the OSI model, thus completely abstracting the complexities of the security operations from the application layer. Instead of worrying about the confidentiality, integrity, and authenticity of each message, the application programmer can focus on other security elements within the business application.