Forwarded from: Elizabeth Lennon 

ITL BULLETIN FOR AUGUST 2007

SECURE WEB SERVICES

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
U.S. Department of Commerce

Web services technologies help organizations use their computer systems 
and networks more efficiently and serve their customers more 
effectively. Web services provide a flexible way for organizations to 
connect applications and services so that they can communicate with each 
other and support each other over networks. This connectivity allows for 
better communication with customers, improved sharing of resources and 
data, and more efficient links of organizational processes across 
different systems and operating environments. In applying Web services, 
organizations can utilize different computer systems without changing 
their existing technologies and software design approaches, and without 
making major modifications to their legacy applications and databases.

Web services are implemented by means of a service-oriented architecture 
(SOA) that allows for interoperability, connectivity, and resource 
sharing. The SOA, which is based on open standards, is a collection of 
software services that can communicate with each other by passing data 
or by coordinating internal or external computer activities. This allows 
for the development of applications that use services and that are 
available as services for other applications to use. Examples of Web 
service applications are a financial institution's business-to-business 
service that allows transactions to be sent by third parties such as 
customers and business partners, and a healthcare provider's application 
that binds the healthcare provider networks with a hospital's Web 
services.

The many features that make Web services appealing also present security 
challenges to the implementation of the Web services approach. The 
improved accessibility of data, dynamic application-to-application 
connections, and reduced need for human intervention in providing Web 
services are capabilities that are not easily protected using 
traditional security models and controls.


Guide to Secure Web Services

The Information Technology Laboratory of the National Institute of 
Standards and Technology (NIST) recently issued NIST Special Publication 
(SP) 800-95, Guide to Secure Web Services: Recommendations of the 
National Institute of Standards and Technology, written by Anoop Singhal 
of NIST, Theodore Winograd of Booz Allen Hamilton, and Karen Scarfone of 
NIST. This publication helps organizations understand Web services and 
the challenges of integrating information security practices into SOA 
design and development to assure secure Web services.

The guide explains current and emerging standards that have been 
developed for Web services and provides background information on the 
most common security threats to SOAs. The information presented can be 
applied to many different hardware platforms, operating systems, and 
applications. Other topics discussed in the guide include Web portals, 
the human user's entry point into the SOA based on Web services; the 
challenges associated with making legacy applications secure; and secure 
implementation tools and technologies.

Important supplemental information is included in the appendices to the 
guide: a discussion of attacks that have been initiated against Web 
services and SOAs; an overview of Electronic Business eXtensible Markup 
Language (ebXML), a Web services protocol suite developed by the United 
Nations Centre for Trade Facilitation and Electronic Business 
(UN/CEFACT); a glossary of terms related to Web services; an acronym 
list; and a list of in-print resources and online tools and resources 
that will help the reader understand Web services and SOAs, security 
concepts and methodologies, and the general relationship between them.

The secure Web services guide is available from NIST's Web page: 
http://csrc.nist.gov/publications/nistpubs/index.html 


Security Issues

Standards are essential to the successful use of service-oriented 
computing. The SOA can be implemented using open standards and standard 
protocols such as SOAP, an eXtensible Markup Language (XML)-based 
protocol for exchanging structured information in a decentralized, 
distributed environment.

Voluntary standards organizations have been addressing the need for 
standards that form the foundation for Web services, and for standards 
and techniques that protect Web services. These organizations include 
the World Wide Web Consortium (W3C), the Organization for the 
Advancement of Structured Information Standards (OASIS), the Internet 
Engineering Task Force (IETF), and the Liberty Alliance.

Many of the standards and techniques that have been developed complement 
or extend one another, but there are many problems to be solved, such as 
service description, automatic service discovery, and quality of service 
(QoS) methods. The standards developed for Web service security do not 
provide all of the techniques that are needed to develop robust, secure, 
and reliable Web services.

Organizations should apply risk management procedures, use secure 
software development techniques, test their systems, and select 
effective security controls to provide robustness and reliability. 
Organizations should be concerned about providing protection for:

- Confidentiality and integrity of data that is transmitted via Web 
  services protocols in service-to-service transactions, including data 
  that traverses intermediary services;

- Functional integrity of the Web services requiring the establishment 
  of trust between services on a transaction-by-transaction basis; and

- Availability of systems when denial of service attacks exploit 
  vulnerabilities unique to Web service technologies and target core 
  services, such as the discovery service, on which other services rely.

Frequently used perimeter-based network security technologies, such as 
firewalls, do not provide adequate protection for SOAs, which are 
dynamic and can seldom be fully constrained to the physical boundaries 
of a single network. In addition, SOAP is transmitted over HyperText 
Transfer Protocol (HTTP), which is allowed without restriction through 
most firewalls.

Transport Layer Security (TLS), which is used to authenticate and 
encrypt Web-based messages, is inadequate for protecting SOAP messages 
because TLS is designed to operate between two endpoints. Also, TLS does 
not provide protection for messages which are forwarded to other Web 
services when these messages are not forwarded simultaneously by Web 
services applications.

In the Web service processing model, SOAP messages and XML documents 
must be secured as they are forwarded along potentially long and complex 
chains of consumer, provider, and intermediary services. However, Web 
services processing makes those services subject to unique attacks, as 
well as to variations on familiar attacks targeting Web servers.


Security Techniques for Web Services

Ensuring the security of Web services involves augmenting traditional 
security mechanisms with security frameworks based on use of 
authentication, authorization, confidentiality, and integrity 
mechanisms. NIST SP 800-95 describes how to implement those security 
mechanisms in Web services and how to make Web services and portal 
applications robust against expected attacks. Available specifications 
that address specific security issues include:

- Confidentiality of Web service messages. XML Encryption, a 
  specification that is available from the World Wide Web Consortium 
  (W3C), provides a mechanism to encrypt XML documents.

- Integrity of Web service messages. XML Signature, a specification 
  produced jointly by the W3C and the Internet Engineering Task Force 
  (IETF), allows for selectively signing XML data.

- Web service authentication and authorization. XML Signature, Security 
  Assertion Markup Language (SAML) and eXtensible Access Control Markup 
  Language (XACML), as proposed by the Organization for the Advancement 
  of Structured Information Standards (OASIS) group, provide mechanisms 
  for authentication and authorization in a Web services environment.

- Message integrity and confidentiality. Web Services (WS)-Security, a 
  specification produced by OASIS, defines a set of SOAP header 
  extensions for end-to-end SOAP messaging security and allows 
  communicating partners to exchange signed encrypted messages in a Web 
  services environment.

- Authentication. Security for Universal Description, Discovery and 
  Integration (UDDI), developed by OASIS, enables Web services to be 
  easily located and subsequently invoked. Security for UDDI enables 
  publishers, inquirers, and subscribers to authenticate themselves and 
  authorize the information published in the directory.

See Appendix G of NIST SP 800-95 for references to these and other open 
standards that have been developed for secure Web services.


Challenges

While current standards deal with many security issues, there are still 
many issues to be addressed: repudiation of transactions; secure 
issuance of credentials; exploitation of covert channels; compromised 
services; spread of malware, such as viruses and Trojan horses, via SOAP 
messages; denial of service attacks; and incorrect service 
implementations. The following provides additional information on some 
of these challenges.

       Discovery. In Web services discovery, participants identify and 
compose Web Services Description Language (WSDL)-specific services based 
on definitions in a UDDI registry. Discovery involves matching a set of 
functional and other criteria with a set of resource descriptions. The 
goal is to find appropriate Web service-related resources.  Because of 
the potentially large number of service candidates in the registry, 
performance rankings for algorithms used to search, match, and compose 
services can vary from case to case.

As the set of available Web services expands, advanced tools will be 
needed to help identify services that match a customer's functional and 
security requirements. It is important for service providers to describe 
their service capabilities and for service requesters to describe their 
requirements in an unambiguous and semantic way.  Techniques that take 
advantage of Semantic Web technologies can improve discovery 
capabilities. An existing standard for Ontology Web Language for 
Services (OWL-S) is an example, but more work needs to be done to 
integrate such technologies into Web service registries. In OWL-S, the 
service requester can describe the service requirements using terms from 
a semantic model. Reasoning techniques are then used to find the 
semantic similarity between the service description and the request to 
find a set of matching services automatically. Both UDDI and OWL-S can 
be used to specify the security properties of a Web service, but this 
security support is not available for the discovery process. However, 
W3C's Semantic Annotations for WSDL is a step in the direction of 
merging Web services discovery technology with semantic Web technology.  
Even with semantic Web services discovery, true automation will require 
that the requester be able to determine explicitly the security 
requirements of the provider in addition to its functionality.

       End-to-End Quality of Service and Protection. Most Web services 
deployed do not provide guarantees for Quality of Service (QoS) or 
Quality of Protection (QoP) under the scenario of attacks. QoS is 
important in defining the expected level of performance a particular Web 
service will have. By prioritizing traffic, overall performance of the 
system can be improved. Standards have been developed for WS-Reliability 
and WS-ReliableMessaging to provide some level of QoS. Both standards 
support guaranteed message delivery and message ordering. Other QoS 
parameters, such as rate of failure or average latency, are usually 
dealt with by lower-layer protocols. For Web services to truly support 
QoS, existing QoS support must be extended so that the packets 
corresponding to individual Web service messages can be routed 
accordingly to achieve predictable performance.

       Overlap between OASIS and W3C Standards. Similar and overlapping 
Web services security standards that are being developed by different 
standards bodies are a source of confusion to system developers. These 
standards are often updated, resulting in interoperability problems and 
a need for more formal specification and testing of standards.

       Methodologies for Web Services Security. The main emphasis of Web 
services security today is on basic infrastructure (e.g., protocols and 
languages). As technology matures and Web services become widely 
adopted, there will be a need for methodologies and recommended 
practices for security to help developers identify assets to be 
protected, analyze possible attacks, and decide protection levels and 
trade-offs.

       Availability and Protection from Denial of Service Attacks. 
Availability enables a Web services application to detect a denial of 
service (DoS) attack, to continue operation as long as possible, and 
then to gracefully recover and resume operations after the attack. 
Techniques are needed to replicate data and services and ensure 
continuity of operations in the event of a fault. Also needed are 
management and monitoring solutions to provide service performance and 
availability monitoring to meet certain service-level objectives.

NIST's Recommendations for Secure Web Services

NIST recommends the following actions to protect Web services. 
Organizations should consider these actions as part of their risk 
management processes to balance the economic and operational costs of 
protective measures and achieve gains in mission capability by 
protecting systems and data.

- Replicate Data and Services to Improve Availability. Since Web 
  services are susceptible to DoS attacks, it is important to replicate 
  data and applications in a robust manner. Replication and redundancy 
  can ensure access to critical data in the event of a fault. This 
  protective measure will also enable the system to react in a 
  coordinated way in dealing with disruptions.

- Use Logging of Transactions to Improve Non-Repudiation and 
  Accountability. Non-repudiation and accountability require logging 
  mechanisms involved in the entire Web service transaction. As of 
  mid-2007, there were few implemented logging standards that can be 
  used across an entire SOA. In particular, the level of logging 
  provided by various UDDI registries, identity providers, and 
  individual Web services varies greatly. Where the provided information 
  is not sufficient to maintain accountability and non-repudiation, it 
  may be necessary to introduce additional software or services into the 
  SOA to support these security requirements.

- Use Threat Modeling and Secure Software Design Techniques to Protect 
  from Attacks. Secure software design techniques facilitate the design 
  and implementation of Web services software without defects that can 
  be exploited. Threat modeling and risk analysis techniques should be 
  used to protect the Web services application from attacks. Used 
  effectively, threat modeling can find security strengths and 
  weaknesses, discover vulnerabilities, and provide feedback into the 
  security life cycle of the application. Software security testing 
  should include security-oriented code reviews and penetration testing.  
  When threat modeling and secure software design techniques are used, 
  Web services can be implemented to withstand a variety of attacks.

- Use Performance Analysis and Simulation Techniques for End-to-End 
  Quality of Service and Quality of Protection. Queuing networks and 
  simulation techniques are important tools in designing, developing, 
  and managing complex information systems. Similar techniques can be 
  used for quality-assured and highly available Web services. In 
  addition to the QoS of a single service, end-to-end QoS is critical 
  for most composite services. For example, enterprise systems with 
  several business partners must complete business processes in a timely 
  manner to meet real-time market conditions. The dynamic and 
  compositional nature of Web services makes end-to-end QoS management a 
  major challenge for service-oriented distributed systems.

- Digitally Sign UDDI Entries to Verify the Author of Registered 
  Entries.  UDDI registries openly provide details about the purpose of 
  a Web service as well as how to access it. Web services use UDDI 
  registries to discover and dynamically bind to Web services at run 
  time. Should an attacker compromise a UDDI entry, it would be possible 
  for requesters to bind to a malicious provider. Therefore, it is 
  important to digitally sign UDDI entries so as to verify the publisher 
  of these entries.

- Enhance Existing Security Mechanisms and Infrastructure. Web services 
  rely on many existing Internet protocols and often coexist with other 
  network applications on an organization's network. Many Web service 
  security standards, tools, and techniques require that traditional 
  security mechanisms, such as firewalls, intrusion detection systems 
  (IDSs), and secured operating systems, are in effect before 
  implementation or deployment of Web services applications.


More Information

NIST publications assist organizations in planning and implementing a 
comprehensive approach to information security. Publications dealing 
with some of the issues discussed in NIST SP 800-95 include:

NIST SP 800-21-1, Guideline for Implementing Cryptography in the Federal 
Government, provides guidance to federal agencies on how to select 
cryptographic controls.

NIST SP 800-30, Risk Management Guide for Information Technology 
Systems, provides guidance to organizations in identifying the risks to 
their missions as a result of using information technology, in assessing 
the risks, and in taking steps to reduce the risks to an acceptable 
level.

NIST SP 800-32, Introduction to Public Key Technology and the Federal 
PKI Infrastructure, discusses PKI functions and their applications, and 
the implementation of PKI techniques by federal agencies.

NIST SP 800-44, Guidelines on Securing Public Web Servers, helps 
organizations develop, configure, and maintain secure Web servers.

NIST SP 800-92, Guide to Computer Security Log Management, provides 
advice on developing, implementing, and maintaining effective log 
management practices throughout an organization.

These publications and other security-related publications are available 
from NIST's Web site: 
http://csrc.nist.gov/publications/nistpubs/index.html 

Disclaimer Any mention of commercial products or reference to commercial 
organizations is for information only; it does not imply recommendation 
or endorsement by NIST, nor does it imply that the products mentioned 
are necessarily the best available for the purpose.


Elizabeth B. Lennon
Writer/Editor
Information Technology Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 8900
Gaithersburg, MD 20899-8900
Telephone (301) 975-2832
Fax (301) 975-2378


____________________________________
Attend HITBSecConf2007 - Malaysia 
Taking place September 3-6 2007 featuring seven tracks of technical 
training and a dual-track security conference with keynote speakers 
Lance Spitzner and Mikko Hypponen!  -  Book your seats today! 
http://conference.hitb.org/hitbsecconf2007kl/