
XML Web services security best practices

As XML Web service deployments continue to rise, many organizations will need to augment and tailor these security best practices to meet individual needs. But it's not quite so easy.
Written by Eugene Kuznetsov, Contributor
COMMENTARY--The rise of internetworking was fueled by network- and transport-level security technologies such as IPsec, SSL and firewall filtering, which create a secure perimeter around an enterprise network. Today that perimeter has become permeable as enterprises cut costs and drive revenues by sharing applications with internal business units, external partners and customers. This shift to the server-to-server access needed for true application sharing is enabled by XML Web Services technologies.

But this promise of seamless communication cannot be realized without several new security practices. Just as IP internetworking was accompanied by new security requirements, so are XML Web Services. While not a comprehensive list, the following best practices, gathered from leading Fortune 500 companies across numerous industries, are a solid starting point for protecting enterprise resources exposed through XML Web Services.

1. Secure the transport layer
XML Web Services run over HTTP on TCP/IP to connect applications and associated resources to one another. Robust XML Web Services security is built on a strong foundation of transport layer security (SSL/TLS) so that sensitive information cannot be intercepted or read in transit. SSL VPNs are easy to deploy and provide a flexible security model for securing extranets. Server certificates, and client certificates for mutual authentication, are recommended. Hardware-based accelerators keep the transport layer secure while maintaining high performance for transactions. One caveat: SSL protects a single connection, so a message is exposed at every proxy or intermediary that terminates the connection before forwarding it. The message-level signing and encryption described below therefore complement transport security rather than replace it.

2. Implement XML filtering
XML requires sophisticated processing to ensure that transactions are known to be good before they penetrate deep into the enterprise. XML filtering gives managers a wide range of controls, as complex rule sets can be built around network-level information, message size, message content and other variables. Because the filter rules are themselves expressed in XML, they are easily updated as new threats are detected. Simple filters based on message size, or on the presence of a valid XML Digital Signature, are an easy place to start. As application usage increases, filtering on content and other parameters lets the security staff implement sophisticated and granular business rules.

3. Mask internal resources
One sound security practice deployed by many today is the use of Network Address Translation (NAT) to obscure internal IP addresses. In addition to NAT, an effective way to mask and protect internal resources from external parties is to disallow direct TCP connections between application servers and outside parties. By using an XML proxy to rewrite URLs and other information otherwise exposed by Web services, enterprises can quickly and simply hide a significant amount of their internal configuration. Two places where internal details routinely leak are the endpoint addresses published in a service's WSDL and the detail element of SOAP faults, which application servers often fill with host names and stack traces; the proxy should rewrite the former and replace the latter with a generic fault.

4. Protect against XML denial-of-service attacks
XML Denial of Service (XDoS) attacks may not be as well known as the SYN-flood attacks of the dotcom era, but they are more easily launched and capable of much more damage. The payloads are typically small: a document nested thousands of levels deep, or a DTD whose entity definitions expand recursively into gigabytes of text, can exhaust the memory and CPU of a parser that processes the message before checking it. To protect against XDoS, implement reasonable constraints for all incoming messages. With an XML security gateway as a proxy, network managers can configure simple limits on message size, nesting depth, request frequency and connection duration. The goal is to allow access to resources while simultaneously using XML filtering rules to reduce the “aperture of entry” into the corporate network.

5. Validate all messages
Because XML is text-based and in many instances generated by humans, there is significant room for error in message creation. One simple step to prevent this problem is to use XML Schema Definitions (XSD) to validate both inbound and outbound data. XSD supersedes Document Type Definitions (DTDs) because it is namespace-aware and can constrain data types, not just element structure. This best practice reduces the risk of security holes from unknown or undocumented fields or protocol features that might otherwise compromise resources. In addition to schema validation, managers should also check messages for XML well-formedness during parsing, for the presence and correctness of identity and resource references, for protocol (e.g. SOAP) validity, and for other message validity rules. Because a DTD can also declare entities, the gateway's parser should be configured to reject inline DTDs rather than process them, so that validation itself cannot be turned into an entity-expansion attack.
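The limits in practices 4 and 5 can be enforced before a message is handed to the application's parser. The following added example (not from DataPower or the original article) does this in Python with the standard library only: it caps message size and nesting depth, refuses any DTD or entity declaration, confirms well-formedness in a streaming pass, and then checks the SOAP 1.1 envelope shape. The limits, namespace names and sample messages are assumed for illustration.

```python
"""Inbound pre-checks an XML gateway can run before a message reaches an
application server: size cap, nesting cap, rejection of DTDs and entity
declarations, well-formedness, and SOAP 1.1 envelope shape.
Added example (not DataPower code); the limits are illustrative."""
import xml.parsers.expat
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024          # illustrative message-size cap
MAX_DEPTH = 32                 # illustrative element-nesting cap
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


class MessageRejected(Exception):
    """Raised with a human-readable reason when a message fails a check."""


def precheck(raw: bytes) -> ET.Element:
    """Return the parsed Envelope element, or raise MessageRejected."""
    if len(raw) > MAX_BYTES:
        raise MessageRejected(f"message too large: {len(raw)} bytes")

    # Streaming pass with expat: stop at the first sign of trouble rather
    # than building a tree for a hostile document.
    depth = 0
    parser = xml.parsers.expat.ParserCreate()

    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > MAX_DEPTH:
            raise MessageRejected(f"nesting deeper than {MAX_DEPTH}")

    def end(name):
        nonlocal depth
        depth -= 1

    def reject_dtd(*_):
        # Any DOCTYPE or entity declaration is refused outright; this blocks
        # entity-expansion DoS and external-entity tricks before they start.
        raise MessageRejected("DTD or entity declaration not accepted")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = reject_dtd
    parser.EntityDeclHandler = reject_dtd
    try:
        parser.Parse(raw, True)
    except xml.parsers.expat.ExpatError as exc:
        raise MessageRejected(f"not well-formed: {exc}") from None

    # Protocol-shape checks on a document now known to be small and sane.
    root = ET.fromstring(raw)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise MessageRejected("root element is not a SOAP Envelope")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise MessageRejected("SOAP Body missing")
    if len(body) == 0:
        raise MessageRejected("SOAP Body is empty")
    return root


def classify(raw: bytes) -> str:
    """Convenience wrapper: 'accepted' or the rejection reason."""
    try:
        precheck(raw)
        return "accepted"
    except MessageRejected as exc:
        return str(exc)


# Constructed sample messages (not captured traffic).
GOOD = (
    b'<?xml version="1.0"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><getQuote xmlns="urn:example:quotes">'
    b'<symbol>IBM</symbol></getQuote></soap:Body></soap:Envelope>'
)
ENTITY_BOMB = (
    b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaaaaaaaa">'
    b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]><x>&b;&b;&b;</x>'
)
DEEP = b"<a>" * 200 + b"</a>" * 200
MALFORMED = b"<x><y></x>"
EMPTY_BODY = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body/></soap:Envelope>'
)

if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("entity bomb", ENTITY_BOMB),
                       ("deep", DEEP), ("malformed", MALFORMED),
                       ("empty body", EMPTY_BODY)]:
        print(f"{label:12s} -> {classify(msg)}")
```

The expat pass runs first because it can abort on the first offending byte without allocating a tree; the ElementTree pass that follows only ever sees documents that have already passed the size, depth and DTD checks. Schema (XSD) validation would come after the envelope check and needs a library outside the standard library, so it is not shown here.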

6. Transform all messages
By transforming all outbound XML messages, network managers enable “XML Address Translation”: mapping between the private internal data layout and the external one. This kind of application-layer protection is easily implemented today using XSLT, one of the most mature XML technologies. Using XSLT, businesses can hide internal schemas and object layouts from outside parties. As the number of XML dialects and vocabularies increases, message translation will become a key first step in processing any application request. Because standards are still nascent, XSLT is a key asset: it lets an enterprise support varying message formats and standards simultaneously. Write the transformation so that it copies only the elements the external schema needs; a transform that copies everything and strips a few known fields will leak the next internal field someone adds.
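As an added example of that allowlist approach (not the article's or DataPower's code, and using ElementTree in place of XSLT so that it runs on the Python standard library), the following maps an assumed internal order layout onto an assumed external one; every element and attribute not named in the mapping is dropped along with its subtree.

```python
"""'XML address translation' at the gateway: map an internal message layout
to the external one by allowlist, so internal-only fields never leave.
Added example using ElementTree rather than XSLT (not DataPower code);
the namespaces and element names are assumed for illustration."""
import xml.etree.ElementTree as ET

INT_NS = "urn:acme:internal:orders"       # assumed internal vocabulary
EXT_NS = "urn:acme:external:orders:v1"    # assumed published vocabulary
ET.register_namespace("po", EXT_NS)

# Internal element -> external element. Anything absent here is dropped,
# together with its subtree (default deny).
EXPORT = {
    "Order": "PurchaseOrder",
    "CustomerRef": "CustomerId",
    "Item": "LineItem",
    "Qty": "Quantity",
}
# Attributes that may cross the boundary, per internal element.
EXPORT_ATTRS = {"Item": ("sku",)}


def _local(tag: str) -> str:
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _export(el: ET.Element):
    """Build the external equivalent of one element, or None to drop it."""
    name = _local(el.tag)
    if name not in EXPORT:
        return None
    out = ET.Element(f"{{{EXT_NS}}}{EXPORT[name]}")
    for attr in EXPORT_ATTRS.get(name, ()):
        if attr in el.attrib:
            out.set(attr, el.attrib[attr])
    if len(el) == 0:
        out.text = (el.text or "").strip()   # leaf value; mixed content not supported
    for child in el:
        exported = _export(child)
        if exported is not None:
            out.append(exported)
    return out


def translate(raw: bytes) -> bytes:
    """Rewrite an internal-layout message into the external layout."""
    root = ET.fromstring(raw)
    if not root.tag.startswith(f"{{{INT_NS}}}") or _local(root.tag) not in EXPORT:
        raise ValueError("not an exportable internal document")
    return ET.tostring(_export(root), encoding="utf-8")


def local_names(raw: bytes) -> set:
    """Local names of every element in a document (used to check output)."""
    return {_local(el.tag) for el in ET.fromstring(raw).iter()}


# Constructed internal message; the host name, row id, warehouse and cost
# are internal-only and must not appear in the output.
INTERNAL = b"""<Order xmlns="urn:acme:internal:orders">
  <DbRowId>99817</DbRowId>
  <CustomerRef>C-4471</CustomerRef>
  <InternalHost>ordersvc-03.corp.acme.local</InternalHost>
  <Item sku="X1" warehouse="WH7"><Qty>2</Qty><Cost>14.20</Cost></Item>
</Order>"""

if __name__ == "__main__":
    print(translate(INTERNAL).decode())
```

The same mapping run in reverse on inbound messages gives the application server a document in its own vocabulary while letting the gateway refuse anything the published schema does not define.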

7. Sign all messages
By signing each outgoing message, the sender creates a verifiable record: each message can be logged together with a signature that anyone holding the sender's certificate can verify after the transaction. A signed log entry cannot be altered without invalidating its signature, and because the signature was produced with the sender's private key, the recipient gains non-repudiation: the sender cannot later deny having sent the message. While signing and verifying every incoming and outgoing message may seem processing-intensive, a hardware appliance avoids the performance bottlenecks that accompany software-based solutions.

8. Timestamp all messages
Enterprises can augment non-repudiation by using the Network Time Protocol (NTP) to synchronize all XML network nodes to a single authoritative reference time source, and then stamping every incoming and outgoing message with the local time. Covered by the message's XML Digital Signature, the timestamp becomes part of what the signer attests to, so network managers can later show when a given transaction took place according to the signer's clock. Two caveats: a signature binds only the time the signer claimed, so the clock it came from must be trustworthy, and plain NTP is unauthenticated, so the reference should be a controlled internal time server or NTP with authentication enabled.

9. Encrypt message fields
XML Encryption requires the gateway to parse the XML transaction, select the section(s) to encrypt or decrypt, and then perform a set of processing-intensive XML and crypto operations. Because both crypto and XML processing are resource-intensive, deploying both XML encryption and its companion, XML digital signature, can have a significant performance impact on high-transaction applications. Consolidating these functions onto an easy-to-manage secure network device that can encrypt/decrypt or sign/verify XML transactions on their way through the network centralizes control and reduces administrative hassle. Encrypting individual fields rather than whole messages is what makes this practical: only the sensitive values (account numbers, credentials) are hidden, while the envelope and routing elements stay readable to intermediaries that must filter or route on them.

10. Implement secure auditing
The importance of auditing cannot be overstated. Many network managers rely on syslog for audit trails, but syslog alone is not secure: the classic protocol sends entries in cleartext over UDP without authentication, and a plain log file can be edited after the fact. By combining XML Digital Signatures with timestamps, a manager can quickly and easily create secure e-business transaction logs that can be used for non-repudiation. In many instances, legal requirements demand that the logging technology used be secure and verifiable.
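Practices 7, 8 and 10 come together in the transaction log. The following added example (not DataPower code) keeps a timestamped, tamper-evident log in Python with the standard library: each entry records a digest of the message, the timestamp, the previous entry's tag and a MAC over all of these, so an edited, reordered or removed entry fails verification. The HMAC stands in for an XML Digital Signature because the standard library has no XML-DSig or RSA support; it gives tamper evidence to whoever holds the key but not non-repudiation, which requires a signature made with the sender's private key. The key, the clock value and the sample messages are assumed.

```python
"""Tamper-evident, timestamped transaction log: each entry carries the
UTC timestamp, a digest of the message, the previous entry's tag and a
MAC over all of that, so edits, reorderings and deletions are detected.
Added example (not DataPower code). HMAC is a stand-in for an XML Digital
Signature: it gives integrity to whoever holds the key, not third-party
non-repudiation, which needs an asymmetric signature."""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # 'previous tag' of the first entry


def _canonical(entry: dict) -> bytes:
    """Deterministic serialisation of everything except the tag itself."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _utc_now() -> str:
    # In production the host clock is disciplined by authenticated NTP.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


class AuditLog:
    def __init__(self, key: bytes, clock=_utc_now):
        self.key = key
        self.clock = clock          # injectable for deterministic tests
        self.entries = []
        self.prev = GENESIS

    def append(self, direction: str, message: bytes) -> dict:
        """Record one inbound ('in') or outbound ('out') message."""
        entry = {
            "seq": len(self.entries),
            "ts": self.clock(),
            "dir": direction,
            "msg_sha256": hashlib.sha256(message).hexdigest(),
            "prev": self.prev,
        }
        entry["mac"] = hmac.new(self.key, _canonical(entry), hashlib.sha256).hexdigest()
        self.entries.append(entry)
        self.prev = entry["mac"]
        return entry


def verify(key: bytes, entries: list) -> tuple:
    """Walk the chain; return (True, 'ok') or (False, reason)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e.get("seq") != i:
            return False, f"sequence gap at {i}"
        if e.get("prev") != prev:
            return False, f"chain broken at {i}"
        expected = hmac.new(key, _canonical(e), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e.get("mac", "")):
            return False, f"bad MAC at {i}"
        prev = e["mac"]
    return True, "ok"


def tampered(entries: list, index: int, field: str, value) -> list:
    """Copy of the log with one field of one entry altered (for testing)."""
    out = copy.deepcopy(entries)
    out[index][field] = value
    return out


def demo() -> dict:
    """Build a two-entry log with a fixed clock and exercise the checks."""
    key = b"assumed-log-key"
    log = AuditLog(key, clock=lambda: "2003-03-14T12:00:00.000000Z")
    log.append("in", b"<getQuote><symbol>IBM</symbol></getQuote>")     # constructed
    log.append("out", b"<getQuoteResponse><price>84.10</price></getQuoteResponse>")
    return {
        "intact": verify(key, log.entries),
        "edited_timestamp": verify(key, tampered(log.entries, 0, "ts", "2003-03-13T12:00:00.000000Z")),
        "dropped_first": verify(key, log.entries[1:]),
        "wrong_key": verify(b"other-key", log.entries),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17s} -> {result}")
```

Because the chain only links backwards, deleting the newest entries leaves a log that still verifies; anchor the latest tag somewhere the log writer cannot reach (a separate log host, or a periodic signature over it) to close that gap, and feed the timestamp from an authenticated time source as practice 8 describes.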

Summary
There is a misconception that XML Web Services security is an all-or-nothing proposition requiring the installation of advanced, complex applications or the ratification of many standards. As XML Web service deployments continue to rise, many organizations will need to augment and tailor these best practices to meet individual needs. But pragmatic, field-tested approaches to XML security exist today, and they let enterprises capture the cost-cutting, revenue-driving benefits promised by XML Web services.

biography
Eugene Kuznetsov is chairman & chief technology officer at DataPower Technology Inc., the leading provider of XML-aware networking devices in Cambridge, Mass.
