Enterprise Web services security [1st ed]
ISBN: 1584504137, 9781584504139, 9781584506577
The book does a good job introducing the fundamental details of Internet based application security concepts for B2C an
Language: English
Pages: 433
Year: 2006
Table of contents:
Contents......Page 8
Introduction......Page 22
1 Security in the Networked World......Page 26
B2B......Page 28
Evolving Business Models......Page 29
Privacy......Page 30
Legal Obligations......Page 31
Web Services......Page 32
SOAP......Page 33
The Messaging Model......Page 34
Policy......Page 35
Intranet......Page 36
Wireless......Page 37
Countermeasures......Page 38
WS-* Family of Standards......Page 39
Security Domains......Page 40
The Model......Page 41
References......Page 42
2 Threats and Attacks......Page 44
Threats, Vulnerabilities, and Countermeasures......Page 45
Ensuring Reliability......Page 46
Vandalism and Sabotage......Page 49
Denial of Service......Page 51
Privacy and Confidentiality Breaches......Page 52
Data Integrity Violations......Page 54
Man-in-the-Middle Attacks......Page 55
Spoofing Attacks......Page 56
Mobile-Code Threats......Page 57
Fraud......Page 59
Special Considerations for Web Services Environments......Page 60
Summary......Page 63
References......Page 64
3 Security Goals......Page 66
Common Security Terms......Page 67
Reducing Vulnerabilities......Page 68
Realistically Assessing Threats......Page 72
Choosing the Right Countermeasures......Page 76
Recognizing and Accepting Residual Risk......Page 77
Classic Security Goals......Page 78
Integrity......Page 79
Availability......Page 80
Transaction Security Goals......Page 81
Authentication......Page 82
Scalability......Page 83
Nonrepudiation......Page 84
The Role of Security Policy in Web Services Security Enforcement......Page 85
References......Page 86
4 The Internet and World Wide Web Infrastructure......Page 88
Internet 101......Page 89
TCP/IP......Page 90
HTTP......Page 92
Security Domains......Page 96
Client System Vulnerabilities......Page 98
Browser Vulnerabilities......Page 99
Java Virtual Machine Vulnerabilities......Page 101
TCP/IP Vulnerabilities......Page 102
SMTP Vulnerabilities......Page 104
Server Vulnerabilities......Page 106
Other Vulnerabilities......Page 107
References......Page 108
5 Web Services......Page 110
Web Services Standards......Page 111
Elements and Attributes......Page 113
Namespaces......Page 115
Schemas......Page 117
Transformations......Page 121
SOAP......Page 124
Document Style Messages......Page 125
RPC Style Messages......Page 128
WSDL......Page 130
UDDI......Page 134
Web Services Toolkits......Page 140
References......Page 141
6 Security Policy Basics......Page 144
The Importance of Security Policy......Page 145
Steps in Developing a Security Policy......Page 147
Identify the Threats You Are Protecting Against......Page 148
Map Threats to Probability of Loss and Cost......Page 150
Continuously Review and Improve Security Policies......Page 151
Summary......Page 152
References......Page 153
7 Communicating Policy......Page 154
Expressing Security Policy in Web Services......Page 155
WS-Policy......Page 156
Normal Form......Page 157
Compact Form......Page 158
WS-SecurityPolicy......Page 160
SecurityToken Assertion......Page 161
Confidentiality Assertion......Page 163
Integrity Assertion......Page 164
Visibility Assertion......Page 167
SecurityHeader Assertions......Page 168
Putting It Together: An Example......Page 169
Tying Policies to Subjects......Page 171
Making Policies Discoverable......Page 173
Effective Policy......Page 177
References......Page 178
8 Protecting the System Components......Page 180
The Client......Page 181
Workstation Vulnerabilities......Page 182
Operating System Security......Page 183
Browser Security......Page 184
Downloading Components......Page 189
ActiveX Security......Page 192
Java Security......Page 194
Scripting......Page 196
Plug-Ins......Page 197
Network Vulnerabilities......Page 198
Wireless Communications......Page 199
Firewalls......Page 200
Gateways, Guards, and Routers......Page 201
Servers......Page 202
Web Server Vulnerabilities......Page 204
Operating System Security......Page 206
Summary......Page 208
References......Page 209
9 Protecting Messages, Transactions, and Data......Page 212
Protecting a Web Services Exchange......Page 213
Securing the Communications Channel......Page 215
Point-to-Point Encryption......Page 216
Identity Management and Trust......Page 217
Identity Management......Page 218
Passwords and Pass-Phrases......Page 220
Third-Party Brokers......Page 221
Microsoft .NET Passport......Page 222
Authentication......Page 223
User IDs and Passwords......Page 224
X.509 Public Key Authentication......Page 225
LDAP (The Role of Directory Services)......Page 226
Kerberos......Page 227
Authorization......Page 230
Basic Web Servers......Page 233
J2EE Applications Servers......Page 235
ASP.NET Servers......Page 236
Access Control......Page 238
Choosing the Identity Mapping Scheme......Page 242
Mandatory Access Controls......Page 244
Choosing the Access Control Decision Point......Page 245
References......Page 246
10 Implementing the Information Security Triad......Page 250
Encryption......Page 251
Steganography......Page 267
SSL and TLS......Page 268
Digital Signatures......Page 272
Nonrepudiation......Page 275
References......Page 276
11 Communicating Security Credentials......Page 278
Client-Server Credential Communication......Page 279
Message Security Model......Page 280
Security Header Element......Page 281
XML Encryption......Page 290
XML Signature......Page 296
Message Protection......Page 301
Putting It Together: An Example......Page 302
Summary......Page 304
References......Page 305
12 Audit......Page 308
What to Audit......Page 309
Auditable Events......Page 310
Levels of Audit......Page 311
Network......Page 312
Components......Page 313
Application......Page 314
Active versus Passive Auditing......Page 317
Audit Data Processing......Page 318
Intrusion Detection and Prevention Systems......Page 319
Intrusion Prevention Systems......Page 320
References......Page 321
13 Virtual Domain Model for Web Services Security......Page 324
Trust Relationships......Page 325
General Security Context Model......Page 326
Types of Trust Relationships......Page 327
Trust Relationships Between Principals......Page 328
Trust Domains......Page 329
Trust Relationships Between Domains......Page 331
Where Should Trust Relationships Be Created?......Page 333
What Credentials Will Be Used?......Page 334
What Are the Integrity and Confidentiality Considerations?......Page 335
How Will Credentials Be Provisioned?......Page 336
What Principals Will a Given Principal Trust?......Page 337
Experience Based......Page 339
Reference Based......Page 340
Reputation Based......Page 343
Summary......Page 344
References......Page 345
14 Establishing and Communicating Trust......Page 346
Types of Trust Relationships......Page 347
Requesting and Returning Tokens: The STS Framework......Page 349
Negotiation and Challenge Extensions......Page 353
Key and Token Extensions......Page 354
WS-Federation......Page 355
Basic Concepts......Page 356
Attribute and Pseudonym Services......Page 358
Context Binding......Page 359
XML Key Registration Service......Page 360
XML Key Information Service......Page 361
SAML......Page 362
XACML......Page 365
References......Page 369
15 Pulling It All Together: Using Virtual Trust Domains to Secure Enterprise Web Services......Page 372
Enterprise Web Services......Page 373
Step 1: Identify the Parties Involved......Page 374
How Will Clients Discover the Service?......Page 375
Step 2: Identify Relevant Domain Infrastructure and Capabilities......Page 376
What Token Services Are Involved in Providing Those Services?......Page 377
Are Authentication Services Needed?......Page 378
Are Authorization and Access Control Services Needed?......Page 379
Are Confidentiality Services Needed?......Page 380
Step 4: Identify Gaps and Project a Virtual Trust Domain......Page 381
Missing Services......Page 383
Differences in Services......Page 384
Security-Relevant Differences in Levels......Page 385
Step 5: Allocate New Infrastructure Services across Physical and Logical Domains......Page 387
Step 6: Allocate Security Services across Actors......Page 389
J2EE Environment......Page 390
.NET Environment......Page 392
Crossing a Technology Boundary......Page 393
Summary......Page 396
16 FutureScape......Page 398
What Is Self-Protecting Data?......Page 399
Protecting Data In Transit......Page 400
Protecting Data At Rest......Page 402
Protecting Data In Use......Page 403
Digital Rights Management......Page 404
Rights Expression Languages......Page 405
References......Page 406
Appendix A: The Security Policy Document......Page 408
Introduction......Page 409
Physical Security......Page 410
Security Standards......Page 411
Defending the Computing Environment......Page 412
Server Security......Page 413
Database Management System (DBMS) Services......Page 414
Mobile Code......Page 415
Firewalls......Page 416
Remote Access......Page 417
Gateway Spam Filtering and Virus Protection......Page 418
Key Management......Page 419
Intrusion Protection......Page 420
Disaster Recovery......Page 421
Web Services......Page 422
Points of Contact......Page 423
References......Page 424
System Requirements......Page 426
Web Site......Page 427
Index: C......Page 428; F......Page 429; M......Page 430; S......Page 431; T......Page 432; Z......Page 433