Enterprise Web Services Need Thorough Firewall Protection


XML-based Web Services are a convenient and powerful way for companies to deploy new business services and to integrate existing business applications. Interoperability based on standards such as SOAP and WSDL makes applications and services accessible for a wide range of other applications and users.


Web Services extend the reach of an enterprise's business functions from intranet clients to the site of business partners that access services over extranets or the Internet.

The open and flexible nature of the XML/SOAP messaging framework enables easy integration, but it can also expose corporations to severe security risks:

  • With HTTP as the underlying transport protocol and access over port 80, SOAP messages pass straight through existing corporate firewall installations that already permit web traffic. Without appropriate security checks at the application layer, this powerful messaging technology undermines the company's firewall security.
  • Malicious SOAP messages can cause damage to critical computing assets in the internal network, such as databases and backend systems.
  • Unauthorized users can illegally access services and data via Web Services interfaces of the company's application systems.
  • SOAP messages in transfer over unprotected networks are prone to eavesdropping, forgery, and other forms of misuse.

Without answers to these security threats, deploying Web Services in production environments means serious risks for the security and reliability of the company's business processes. The introduction of Web Services must be accompanied by the introduction of appropriate security technology, most importantly at the enterprise's domain boundaries.

Safeguarding the Business

Firewall installations must be complemented with application level gateways that perform deep packet inspection on all SOAP traffic crossing the enterprise firewall. Each Web Service must be protected by authentication, authorization, and audit (AAA).

Integrity and confidentiality of the information must be protected during processing and while in transit. Each access to a service must be controlled. Authorization models must fit the requirements of typical Web Services applications, such as in extranet and B2B scenarios.

Content inspection is necessary to prevent application-level attacks that are based on malicious message content. Possible attacks include virus-ridden binary content embedded in messages, hand-crafted command injections, or other sophisticated application-level attack techniques. Validating and filtering messages can detect these attacks and also prevent the leakage of internal data.
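To make the controls above concrete, the following is an added illustration (not PrismTech's product code) of the kind of checks a SOAP application-level gateway applies before a message reaches a backend: a size cap, rejection of DTD/entity declarations before any parser runs, a nesting-depth limit, a structural check for exactly one operation inside the SOAP 1.1 Body, an operation whitelist per exposed service, and a content scan of text and attribute values for large binary blobs and crude injection patterns. The policy values, the `urn:example:orders` service, its operation names and the sample messages are all constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
MAX_BYTES = 64 * 1024      # assumed gateway policy: reject oversized messages
MAX_DEPTH = 32             # assumed gateway policy: reject deeply nested XML
MAX_BLOB_CHARS = 1024      # assumed policy: no large base64 blobs in message text
# assumed service policy: which operations each exposed service namespace permits
ALLOWED_OPERATIONS = {"urn:example:orders": {"GetOrderStatus", "ListOrders"}}
# crude heuristic for hand-crafted SQL/command injection in element text or attributes
INJECTION_HINT = re.compile(r"(--|/\*|\bunion\s+select\b|\bdrop\s+table\b)", re.I)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MAX_BLOB_CHARS)


class Rejected(Exception):
    """Raised with a reason when a message fails a gateway check."""


def _split_tag(tag):
    """'{ns}local' -> ('ns', 'local'); unqualified tags get an empty namespace."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def _max_depth(root):
    """Iterative depth walk so a deeply nested document cannot exhaust the call stack."""
    deepest, stack = 0, [(root, 1)]
    while stack:
        el, depth = stack.pop()
        deepest = max(deepest, depth)
        if deepest > MAX_DEPTH:
            break
        stack.extend((child, depth + 1) for child in el)
    return deepest


def inspect_soap(raw):
    """Run the gateway checks on a raw SOAP request body.
    Returns (namespace, operation) for an acceptable message, raises Rejected otherwise."""
    # Cheap checks first, before any parser touches the bytes.
    if len(raw) > MAX_BYTES:
        raise Rejected("message exceeds size limit")
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:  # coarse byte scan, deliberately pre-parse
        raise Rejected("DTD or entity declarations are not permitted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise Rejected("malformed XML: %s" % exc)
    if _max_depth(root) > MAX_DEPTH:
        raise Rejected("XML nesting exceeds depth limit")
    # Structural check: Envelope/Body with exactly one operation element.
    if root.tag != "{%s}Envelope" % SOAP_NS:
        raise Rejected("root element is not a SOAP 1.1 Envelope")
    body = root.find("{%s}Body" % SOAP_NS)
    if body is None or len(body) != 1:
        raise Rejected("Body must contain exactly one operation element")
    ns, op = _split_tag(body[0].tag)
    if op not in ALLOWED_OPERATIONS.get(ns, set()):
        raise Rejected("operation %s in namespace %r is not exposed" % (op, ns))
    # Content check over every text node and attribute value in the message.
    for el in root.iter():
        for text in [el.text, el.tail] + list(el.attrib.values()):
            if not text:
                continue
            if BASE64_BLOB.search(text):
                raise Rejected("embedded binary blob in <%s>" % _split_tag(el.tag)[1])
            if INJECTION_HINT.search(text):
                raise Rejected("suspicious content in <%s>" % _split_tag(el.tag)[1])
    return ns, op


def verdict(raw):
    """Convenience wrapper: 'accept' or 'reject: <reason>'."""
    try:
        inspect_soap(raw)
        return "accept"
    except Rejected as exc:
        return "reject: %s" % exc


def wrap(payload):
    """Wrap a constructed operation element in a SOAP 1.1 envelope (test helper)."""
    return (b'<soap:Envelope xmlns:soap="' + SOAP_NS.encode() + b'"><soap:Body>'
            + payload + b"</soap:Body></soap:Envelope>")


# Constructed sample traffic: one legitimate request and several that a gateway should drop.
GOOD = wrap(b'<o:GetOrderStatus xmlns:o="urn:example:orders">'
            b"<o:OrderId>4711</o:OrderId></o:GetOrderStatus>")
UNKNOWN_OP = wrap(b'<o:DeleteAllOrders xmlns:o="urn:example:orders"/>')
INJECTION = wrap(b'<o:GetOrderStatus xmlns:o="urn:example:orders">'
                 b"<o:OrderId>4711; DROP TABLE orders --</o:OrderId></o:GetOrderStatus>")
ENTITY = b'<!DOCTYPE x [<!ENTITY e "x">]>' + GOOD
DEEP = wrap(b'<o:ListOrders xmlns:o="urn:example:orders">' + b"<x>" * 40 + b"</x>" * 40
            + b"</o:ListOrders>")

if __name__ == "__main__":
    for name, msg in [("good", GOOD), ("unknown-op", UNKNOWN_OP), ("injection", INJECTION),
                      ("entity", ENTITY), ("deep", DEEP)]:
        print("%-11s %s" % (name, verdict(msg)))
```

The ordering matters: the size and DTD checks run on raw bytes so that a hostile document never reaches the XML parser, and the structural and whitelist checks run before the comparatively expensive content scan. In a real gateway the whitelist would be derived from the service's WSDL and the content rules from its XML Schema rather than from hand-written constants.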

Finally, security must live up to the typical operational requirements in enterprise settings. Enterprise services and XML security integration must be possible without undue effort, best with application vendor independent security gateways. All message controls must be performed at wire-speed, and all security functions must be extremely scalable and highly available.

© PrismTech, 1999-2008