Ten guidelines for deploying secure XML Web services
Computerworld -
The rise of internetworking was enabled by the use of network-level security technologies such as Secure Sockets Layer, IPsec and firewall filtering to create a secure perimeter around an enterprise network.
Today, as companies cut costs and drive revenues by securely sharing applications with internal business units, external partners and customers, the secure perimeter has become permeable. This shift to the server-to-server access needed for true application sharing is enabled by new XML Web services technologies.
But this promise of seamless communication can't occur without the introduction of several security practices. Just as IP internetworking was accompanied by new security requirements, so are XML Web services. While not a comprehensive list, the following best practices from Fortune 500 companies and collected across numerous industries are a solid starting point to further protect company resources with XML Web services security.
1. Secure the transport layer
XML Web services rely on IP and HTTP as a transport layer to connect applications and associated resources to one another. Robust XML Web services security is built on a strong foundation of transport-layer security so that sensitive information can't be intercepted and read in transit.
SSL VPNs are easy to deploy and provide a flexible security model for securing extranets. In addition, the use of server certificates and client certificates is recommended during authentication. Hardware-based accelerators are the preferred way to secure the transport layer while maintaining high performance for transactions.
2. Implement XML filtering
XML requires sophisticated processing to ensure that transactions are known to be good before they penetrate deep into the enterprise. XML filtering provides managers with a variety of functionality, since complex rule sets can be built around network-level information, message size, message content and other variables. Because filters are XML-based, they are easily updated as new threats are detected. Setting up simple filters based on message size or XML digital signatures is an easy place to start. As application usage increases, filtering based on content and other parameters enables the security staff to implement sophisticated and granular business rules.
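As an added example (not code from the Computerworld article), the following Python implements a starting rule set of the kind described here: a message-size limit checked before parsing, nesting-depth and element-count limits applied to content while streaming, a required SOAP Envelope root element, and a check that an XML digital signature is present. The SOAP and XML-DSig namespaces are the standard ones; the limits and the sample messages are constructed for illustration.

```python
"""Pre-processing filter for inbound XML Web service messages.

Rules run cheapest-first: size is checked on the raw bytes, then structure is
checked while streaming so that an oversized or over-nested message is rejected
before it is fully parsed or passed deeper into the enterprise.
"""
import io
import xml.etree.ElementTree as ET
from typing import Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
DS_NS = "http://www.w3.org/2000/09/xmldsig#"             # XML Signature namespace

# Constructed limits; tune per service after measuring legitimate traffic.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 5000


def filter_message(raw: bytes, require_signature: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason) for one inbound message."""
    if len(raw) > MAX_BYTES:
        return False, f"message size {len(raw)} exceeds {MAX_BYTES} bytes"
    depth = elements = 0
    root_tag = None
    has_signature = False
    try:
        for event, elem in ET.iterparse(io.BytesIO(raw), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                if root_tag is None:
                    root_tag = elem.tag
                if depth > MAX_DEPTH:
                    return False, f"nesting depth exceeds {MAX_DEPTH}"
                if elements > MAX_ELEMENTS:
                    return False, f"element count exceeds {MAX_ELEMENTS}"
                if elem.tag == f"{{{DS_NS}}}Signature":
                    has_signature = True
            else:
                depth -= 1
                elem.clear()  # release parsed content; only structure matters here
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root_tag != f"{{{SOAP_NS}}}Envelope":
        return False, "root element is not a SOAP Envelope"
    if require_signature and not has_signature:
        return False, "no XML digital signature present"
    return True, "accepted"


# Constructed sample messages (signature value is a placeholder, not a real signature).
SIGNED = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
          b'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><s:Header><ds:Signature>'
          b'<ds:SignatureValue>c2FtcGxl</ds:SignatureValue></ds:Signature></s:Header>'
          b'<s:Body><GetBalance account="demo"/></s:Body></s:Envelope>')
UNSIGNED = b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body/></s:Envelope>'
DEEP = b"<a>" * 40 + b"</a>" * 40
```

Signature presence is only the first gate; validating the signature itself against a trusted certificate is a separate step that belongs with the certificate handling described under guideline 1.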
3. Mask internal resources
One sound security practice deployed by many today is the use of Network Address Translation to obscure internal IP addresses. Another effective way to mask and protect internal resources from external parties is to disallow direct TCP connections between application servers and outside parties. By using an XML proxy to rewrite URLs and other information otherwise exposed by Web services, companies can quickly and simply hide a significant amount of their internal configuration.
4. Protect against XML denial-of-service attacks