Ten guidelines for deploying secure XML Web services

The rise of internetworking was enabled by the use of network-level security technologies such as Secure Sockets Layer, IPsec and firewall filtering to create a secure perimeter around an enterprise network.

Today, as companies cut costs and drive revenues by securely sharing applications with internal business units, external partners and customers, the secure perimeter has become permeable. This shift to the server-to-server access needed for true application sharing is enabled by new XML Web services technologies.

But this promise of seamless communication can't occur without the introduction of several security practices. Just as IP internetworking was accompanied by new security requirements, so are XML Web services. While not a comprehensive list, the following best practices from Fortune 500 companies and collected across numerous industries are a solid starting point to further protect company resources with XML Web services security.

1. Secure the transport layer

XML Web services rely on IP and HTTP as a transport layer to connect applications and associated resources to one another. Robust XML Web services security is built on a strong foundation of transport-layer security so that sensitive information can't be intercepted and read in transit.

SSL VPNs are easy to deploy and provide a flexible security model for securing extranets. In addition, the use of server certificates and client certificates is recommended during authentication. Hardware-based accelerators are the preferred way to secure the transport layer while maintaining high performance for transactions.

2. Implement XML filtering

XML requires sophisticated processing to ensure that transactions are known to be good before they penetrate deep into the enterprise. XML filtering provides managers with a variety of functionality, since complex rule sets can be built around network-level information, message size, message content and other variables. Because filters are XML-based, they are easily updated as new threats are detected. Setting up simple filters based on message size or XML digital signatures is an easy place to start. As application usage increases, filtering based on content and other parameters enables the security staff to implement sophisticated and granular business rules.

3. Mask internal resources

One sound security practice deployed by many today is the use of Network Address Translation to obscure internal IP addresses. Another effective way to mask and protect internal resources from external parties is to disallow direct TCP connections between application servers and outside parties. By using an XML proxy to rewrite URLs and other information otherwise exposed by Web services, companies can quickly and simply hide a significant amount of their internal configuration.

4. Protect against XML denial-of-service attacks

XML denial-of-service attacks may not be as popular as the SYN flood attacks of the dot-com era, but they are more easily launched and are capable of more damage. To protect against such attacks, implement reasonable constraints for all incoming messages. With the use of an XML security gateway as a proxy, network managers can configure simple settings on message size, frequency and connection duration. The goal is to allow access to resources while simultaneously using XML filtering rules to reduce the aperture of entry into the corporate network.

5. Validate all messages

Because XML is text-based and in many instances generated by people, there is significant room for error in message creation. One simple step to prevent this problem is to use XML Schema Definitions (XSD) to validate both inbound and outbound data. XSDs are the successors to Document Type Definitions, because they are more useful and extensible. This best practice reduces the risk of security holes of unknown/undocumented fields or protocol features that might otherwise compromise resources. In addition to performing schema validation, managers should also check messages for well-formed XML (during parsing), improper identity or lack of resource references, and protocol validity (such as the Simple Object Access Protocol) and conduct other message-validity checks.
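Sections 4 and 5 together describe the constraints and checks a gateway should apply to every inbound message before it reaches an application server. The Go program below is an added example, not code from the article or from any product it describes: it enforces a size cap, rejects DTDs (a DTD can declare entities that expand into very large documents), limits nesting depth, requires well-formed XML in strict mode and checks that the root element is a SOAP 1.1 Envelope. The limits are assumed values, and XSD schema validation is left to a dedicated validator because Go's standard library does not provide one.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"io"
)

// Illustrative gateway limits (assumed values, not from the article).
const (
	maxMessageBytes = 64 * 1024 // reject anything larger than 64 KiB
	maxDepth        = 32        // reject deeply nested element trees
	soapEnvNS       = "http://schemas.xmlsoap.org/soap/envelope/" // SOAP 1.1
)

// checkInbound applies size, well-formedness, DTD, depth and SOAP-protocol
// checks to one raw message; a nil result means it may be forwarded.
func checkInbound(r io.Reader) error {
	// Read one byte past the cap so an oversized message is caught early.
	raw, err := io.ReadAll(io.LimitReader(r, maxMessageBytes+1))
	if err != nil || len(raw) > maxMessageBytes {
		return errors.New("message unreadable or exceeds size limit")
	}
	dec := xml.NewDecoder(bytes.NewReader(raw))
	dec.Strict = true // undefined entities and mismatched tags are errors
	depth, rootSeen := 0, false
	for tok, err := dec.Token(); err != io.EOF; tok, err = dec.Token() {
		if err != nil {
			return errors.New("not well-formed: " + err.Error())
		}
		switch t := tok.(type) {
		case xml.Directive: // <!DOCTYPE ...>: a DTD can declare expanding entities
			return errors.New("DTD directives not allowed")
		case xml.StartElement:
			if !rootSeen && (t.Name.Space != soapEnvNS || t.Name.Local != "Envelope") {
				return errors.New("root element is not a SOAP Envelope")
			}
			rootSeen = true
			if depth++; depth > maxDepth {
				return errors.New("nesting too deep")
			}
		case xml.EndElement:
			depth--
		}
	}
	if !rootSeen {
		return errors.New("no root element")
	}
	return nil
}
```

Frequency and connection-duration limits from section 4 belong in the proxy's connection handling, not in the per-message check shown here.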

6. Transform all messages

By transforming all outbound XML messages, network managers enable XML address translation, or mapping between the private internal data layout and the external one. This kind of application-layer protection is easily implemented today using Extensible Stylesheet Language Transformations (XSLT), one of the most mature XML technologies. Using XSLT, businesses can obscure internal schemas and object layouts from outside parties. As the number of XML dialects and vocabularies increases, message translation will become a key first step in processing any application request. Because standards are nascent, XSLT is a key asset because it enables a company to simultaneously support varying message formats and standards.

7. Sign all messages

By signing each outgoing message, the sender can create a secure audit trail by logging each message with a signature that can be verified post-transaction. Because each log entry is signed, its contents can't be modified or altered, and the sender gains nonrepudiation protection. While signing and verifying every incoming and outgoing message may seem processing-intensive, the use of a hardware appliance avoids the performance bottlenecks that accompany software-based solutions.

8. Time-stamp all messages

Enterprises can augment nonrepudiation capabilities by using the Network Time Protocol to synchronize all XML network nodes to a single authoritative time-source reference. This simple step adds time stamps to all incoming and outgoing messages. When used with XML Digital Signatures, network managers have a cryptographically secure time stamp that enhances nonrepudiation capabilities by being able to definitively prove at what time a given transaction took place.

9. Encrypt all message fields

XML Encryption requires one to fully parse the XML transaction, then select the section(s) to encrypt/decrypt and finally perform a set of processing-intensive XML and cryptographic operations. Because both crypto and XML processing are very resource-intensive, deploying both XML encryption and its companion, XML digital signatures, can have a significant performance effect on high-transaction applications. Consolidating some of the functions onto an easy-to-manage secure network device that can encrypt/decrypt or sign/verify XML transactions on their way through the network helps centralize control and reduce administrative hassles.

10. Implement secure auditing

The importance of auditing can't be overestimated. While many network managers rely on syslog for creating audit trails, this alone is not totally secure. By using a combination of XML digital signatures and time-stamping, a manager can quickly and easily create secure e-business transaction logs that can be used for nonrepudiation. In many instances, regulations require that the logging technology used be secure and verifiable.


There may be a misconception that XML Web services security is an all-or-nothing proposition requiring the installation of advanced, complex applications or the ratification of many standards. As XML Web service deployments continue to rise, many organizations will need to augment and tailor these security best practices to meet individual needs. But today there are pragmatic, field-tested practices for XML security that enable companies to capture the cost-cutting, revenue-driving benefits promised by XML Web services.

Copyright © 2004 IDG Communications, Inc.
