The indisputable appeal of Web services will drive most organizations to evaluate development platforms such as .NET. However, security concerns have always made organizations reluctant to embrace new technologies. Fortunately, well-proven security and network technologies such as virtual private networks (VPNs) and firewalls can improve the security and performance of Web service applications tremendously, and free developers from having to implement still-evolving, XML-based security technologies in their applications.
Of course, your choice of network and security mechanisms is highly dependent on your Web service’s target audience, but every architecture must meet the following two demands:
- Fast network performance
- A level of security that corresponds with the value of the information you must protect.
If you’re pressed to implement a high level of security, you may already have all you need to fulfill your objective. This article illustrates how you can leverage the traditional infrastructure security controls found in some common Microsoft technologies to enable a robust and secure foundation for your Web services.
Firewalls: Block Improper Activity
A firewall can increase the security of a Web service and the environment in which it operates. Because Web service code inherits a large number of common vulnerabilities from the Web process that executes it, safeguarding the data that may be sent to the computer hosting your Web service is important. Microsoft’s firewall server, Internet Security and Acceleration Server (ISA) 2000, performs this task. Few other firewalls are mature enough to offer the same assurance, simply because filtering application layer data is so complex.
From the firewall perspective, HTTP requests (which act as the transport for SOAP messages) should be evaluated for the following criteria:
- HTTP Host Header Compliance: All HTTP requests should contain a Host header and should follow the HTTP 1.1 specification. The requests generated by Web audit tools such as Whisker and malicious worms such as NIMDA and Code Red do not follow this specification. Additionally, scanners that “randomly generate” target addresses (a technique commonly used by worm programs) rely on reverse DNS to produce the proper Host header. Ensuring that reverse DNS names do not match the true DNS name bound (as a valid destination/identity) to the exposed Web instance can quickly defeat such scanning tools.
- Exposing Specific Virtual Directories and Files: Many Web vulnerabilities exploit sample code packaged with the Web server or misbehaving script mappings in Web server extensions. Microsoft ISA Server allows the publication of specific virtual directories or individual files only. By doing so, vulnerabilities inherited from the Web server are mitigated (unless published!).
- XML Filtering: ISA Server has the ability to perform rigorous application layer analysis. It can analyze protocols such as XML over HTTP and guarantee that requests are well-formed. The importance of this analysis is twofold. First, the firewall can stop malicious data before it reaches the target host running the Web service. Second, you can apply role-based access control, which ensures the authorization of the user or process submitting the request. For environments that demand intensive auditing, Microsoft ISA Server can parse and log requests on a facility separate from the intended target (which helps reconstruct events if a compromise occurs).
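The three firewall checks above, as an added illustration that is not part of the original article or of ISA Server: a small application-layer filter that rejects requests without a proper HTTP/1.1 Host header, confines them to an allow-list of published paths, and requires a well-formed SOAP envelope in POST bodies. The published path, the expected host name and the sample requests are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Assumptions standing in for ISA Server publishing rules: the only published
# virtual path, and the true DNS name bound to the exposed Web instance.
PUBLISHED_PATHS = ("/services/orders.asmx",)
EXPECTED_HOST = "ws.example.com"

def parse_request(raw):
    """Split a raw HTTP request into (method, path, version, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers, body

def check_request(raw):
    """Return the policy violations for one request; [] means it passes."""
    try:
        method, path, version, headers, body = parse_request(raw)
    except ValueError as exc:
        return [str(exc)]
    violations = []
    # 1. Host header compliance: HTTP/1.1 and a Host header naming the instance.
    if version != "HTTP/1.1":
        violations.append("not HTTP/1.1")
    if headers.get("host") != EXPECTED_HOST:
        violations.append("missing or wrong Host header")
    # 2. Only explicitly published virtual directories/files are reachable.
    if path.split("?", 1)[0] not in PUBLISHED_PATHS:
        violations.append("unpublished path")
    # 3. XML filtering: a POST body must be well-formed XML carrying a SOAP Envelope.
    if method == "POST":
        try:
            if not ET.fromstring(body).tag.endswith("}Envelope"):
                violations.append("body is not a SOAP envelope")
        except ET.ParseError:
            violations.append("malformed XML body")
    return violations

# Constructed sample requests (not real captures).
GOOD = ("POST /services/orders.asmx HTTP/1.1\r\nHost: ws.example.com\r\n\r\n"
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        "<s:Body><GetOrder/></s:Body></s:Envelope>")
PROBE = "GET /scripts/sample.exe HTTP/1.0\r\n\r\n"  # worm-style probe, no Host
BAD_XML = "POST /services/orders.asmx HTTP/1.1\r\nHost: ws.example.com\r\n\r\n<s:Body>"
```

Running `check_request` over the three samples shows the legitimate SOAP call passing, the HTTP/1.0 probe failing all three checks, and the truncated body rejected as malformed XML before it could reach the Web service.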
VPNs: Guarantee Confidentiality, Integrity, and Authenticity
Web services that are used between business partners may require more intense control. From the network perspective, implementing VPN technology can guarantee the confidentiality and integrity of Web services. Traditionally, VPNs have been used to enable secure inter-company communications or as remote-access facilities for users. However, VPNs also can play a valuable role in guaranteeing the security of your partner communications and the Web services that rely on the network.
Although you can utilize traditional X.509 resources with XML signatures, these security assurances can drastically increase the size of each SOAP message. By implementing VPNs, you guarantee the confidentiality, integrity, and authenticity of messages through traditional IP security (IPSec) facilities.
IPSec also resides at the network layer of the OSI model, thus completely abstracting the complexities of the security operations from the application layer. Instead of worrying about the confidentiality, integrity, and authenticity of each message, the application programmer can focus on other security elements within the business application.
Site-to-Site VPNs: Build Enterprise-Level VPN Networks
Networks are common barriers to the deployment of an application. The distributed nature of Web services makes flexible network facilities a necessity. Fortunately, VPN technologies enable a high degree of flexibility while enabling secure messaging.
Microsoft ISA Server and Windows 2000 provide a model known as site-to-site VPN networking to establish VPN connectivity between business partners and their networks. This model enforces security between gateways (perimeter machines that encrypt/decrypt traffic on behalf of other machines). The Windows 2000 Routing and Remote Access (RRAS) service allows the secure interconnection of private networks over a public network (such as the Internet). This network connectivity technique enables two servers, separated by a public network, to create a logical tunnel for data traversing the private networks. To the end user, RRAS VPN services operate as a traditional network router. For the administrator, all VPN connections are maintained in an easy-to-manage interface. For the business owner, inexpensive but effective site connectivity is achieved.
Traditional VPN systems are often based upon simple point-to-point connectivity, typically geared toward building a hub-and-spoke networking model. This model is very beneficial if a single provider serves multiple clients (and the clients do not communicate with each other). This model has commonly been used in branch-office transactional systems that must interact with a single location (see Figure 1).
With Microsoft VPN solutions, a hub-and-spoke VPN system can be implemented quickly. However, to accommodate time-sensitive technologies and uncertain routing conditions to the Internet for a large networking scenario, a dynamically routed “mesh” VPN solution is best. A mesh VPN solution is desirable if all locations on a network require access amongst each other (see Figure 2).
The key to effective VPN solutions is the minimization of transitive paths between sites. In a hub scenario, each intranet site must route through the data center to reach other intranet sites. Again, for time-sensitive transactions, this practice is quite detrimental to performance. The mesh concept alleviates this issue.
IPSec VPNs: Guarantee End-to-End Security
In some business scenarios, security of data transmissions must be guaranteed between endpoints. Thus, VPN technologies that utilize a gateway for security operations (as noted in previous sections) will not meet this requirement. Instead, IPSec facilities can guarantee:
- The identity of hosts based upon X.509 certificates
- Confidentiality through data encryption
- Integrity of data through MD5/SHA-1 hash algorithms
Operating systems such as Windows 2000 include support for IPSec. In this model, security associations are established between the client (initiating the connection) and the server (hosting the Web service).
Leverage Traditional Infrastructure Security Controls
To implement a high level of security within Web service applications, your organization will benefit from leveraging traditional infrastructure security controls such as VPNs, firewalls, and IPSec. Not only will these technologies defend exposed services from worm-like Internet attacks, but you can use well-proven VPN security mechanisms to make a Web service between your organization and its partners trustworthy as well.