Docstoc

Security vulnerability management in SOA

Document Sample
Security vulnerability management in SOA Powered By Docstoc
					Buvana
Agenda
 What is Vulnerability?
 Types of vulnerability
 Problems in vulnerability
 SOA- Windows communication foundation
 Common Deployment Scenarios
 Services and Client
 Metadata and Proxy creation
 WCF features
 Project plan and design
Vulnerability analysis
 Means : Security holes
 It is also known as vulnerability assessment
 It is a process that defines, identifies, and classifies the
  security holes in a computer, network, or
  communications infrastructure.
 It also evaluate their actual effectiveness after they are
  put into use
 Vulnerability management tools require patterns to
  find or monitor vulnerabilities
 In a service-oriented architecture (SOA),where
  business processes are implemented as flexible
  composition of local and remote services, the
  challenge of finding vulnerabilities becomes more
  complicated and more pressing at the same time.
Why need vulnerability analysis?
 Using SOA to increase the degree of automation
  increases the degree to which businesses depend on
  services.
 This in turn increases the need to find the
  vulnerabilities that risk the dependability and security
  of SOA-based business processes.
example
 Single- Sign-On (SSO) scenarios are a straight-forward
 example
Methods
 Existing analysis methods : Attack trees and FMEA
 Advantage:
    They leave much room for the security expert to apply
     subjective skills and personal experience, enabling the
     discovery even of completely new types of
     vulnerabilities.
 Disadvantage:
    It require much experience and provide little guidance
     during the analysis.
New method
 ATLIST - “attentive listener” as the method was developed
  during and for the analysis of SOA service orchestrations.
 It is mix of established web technologies and SOA-specific
  standards, previously observed vulnerability types and
  variations thereof can be found.
 Advantage
   Re-usability, flexibility, and extensive use of standards
   It facilitates the detection of known vulnerability types
   Enables the derivation of vulnerability patterns for tool
    support
   Applicable to business processes
New method…
 ATLIST explicitly builds upon the vulnerability
  knowledge extracted from various sources
 It focuses on known vulnerability types rather than
  completely new ones
 Better transferability than previous methods by
  guiding the analysis with a set of analysis elements
ATLIST Vulnerability analysis
method
 Analysis of previous vulnerability classifications and
  the entries of vulnerability databases shows that
  completely new types of vulnerabilities are extremely
  rare
 ATLIST, the analysis method combines main notions
  of the fault tree and FMEA approaches while giving
  guidance regarding starting points and the analysis
  focus, keeping the analysis from becoming circuitous.
Vulnerability lifecycle
Comparison of analysis
What is WCF?
 Part of Microsoft Framework 3.0
    Part of the Windows Vista operating system and
     windows server 2008 and higher version
    Supported by Windows XP SP2 and windows server
     2003
 Microsoft platform for SOA
 Unifies ASMX, .Net Remoting and MSMQ etc
 Programming platform and runtime system for
 building, configuring and deploying network-
 distributed services
Common Deployment Scenarios
 Intranet Application
 Business partners
 Web Applications
 SOA application
Intranet Application                            Intranet
                                                 Client

 WCF supports Client-Server
                                                             Windows
 deployment
                                                                         Active
   Mutual windows authentication                                      Directory1
                                                       TCP

   TCP/binary messing
   Windows credential for
                                    NetTcpBinding
    message protection
                                                Service
 Service distribution across                                               1 Active

                                                                             Directory®
 process or machine boundaries                 Business
                                             Components                      directory
                                                                             service

                                                    DALC
Business Partner or Cross Machine
                                                 Internet Client
                                               (Business Partner)

 WCF supports mutual certificate
  authentication
                                                               Certificate
    Transfer security provided by the
     transport or via message security             HTTP


    Certificate authentication
                                                                     Certificate
                                                                       Store
 HTTP/Text or HTTP/MTOM                  WSHttpBinding


    For business partner scenario                   Service

 TCP/binary                                       Business
                                                  Components
    For machine-to-machine
     authentication behind the firewall               DALC
                                           Browser



Web Application                            HTTPS



                                                          UserName
 WCF can expose business                                                  aspnetdb
                                       ASP.NET
 functionality to web                  Application

 applications
   Mutual certificate behind                        Certificate
                                     TCP
    firewall
   TCP/binary for performance                                     Certificate
                                                                     Store


 Provides a security boundary for         Service
  ASP. Net applications
 Enables distribution of work          Business
                                       Components

  across process or machine
                                           DALC
  boundaries
SOA
 WCF services are a strategic part of SOA
 Service supporting
    Web applications
    Internal/external client applications
    Business partners integration
 Distribution of business functionality
      Internet Client   Internet Client
                                                    Browser
      (Basic Profile)       (WS*)


                HTTPS              HTTP                      HTTPS




                                                   ASP.NET
                                                   Application




                                                    NetTcp
                                          WSHttp


                                   BasicHttp


                                                     Service


                                                    Business
                                                   Components


                                                   Data Access


SOA
Service & Client

   Client                             A   B   C       Service

                                      A   B   C
   Proxy     A   B    C                              Service Host




            Address         Binding       Contract
            Where?           How?          What?

                          End Point
Basic requirements
 Service
    Define and implement a service contract
    Construct a ServiceHost instance for the service type ,
     exposing endpoint.
    Open the communication channel
 Client
    Requires a copy of the service contract and information
     about endpoints
    Construct a communication channel for a particular
     endpoint and call operation
Metadata and Proxy creation
 Client and service should share contracts not code
 Web Service Description Language(WSDL)
   Interoperable contract
   Describes a service and its endpoints,
   Binding and operations
   Message and type definitions
   Polices
 Used to generate client proxies, configuration
WCF Features
 Contracts and Serialization
 Exceptions and faults
 Bindings and protocols
 Hosting environment
 Instancing and throttling
 Security
 Reliable messaging and queued calls
 Transactions
Project scope
 Develop an desktop and web application for
  uploading and download the documents
 Store the documents into different location type like
  SQL server or File Share
 Using WCF service as an intermediate to communicate
  with date center
Design
                                               ASP.NET /Silverlight
           Windows Application                     Application




                                                        BasicHttp
         NetTcp

                                 WCF Service   Certificate
                                               authentication




                  SQL                             File Share
Functionality
 Client operations
    Create an folder
    Upload an file to the server
    Download the file from the server
    Delete document
    Progress bar for upload operation
    Document viewer
Application
 Client
    Windows application
    Web application(ASP.Net/Silverlight)
 Note: Silverlight provides rich user interface
 Server
    SQL server 2008
    WCF server developed using framework 3.5
    File Share folder
Key points
 WCF will expose the service with different protocols
 Client will consume the service based on efficient
  protocols
 Services are authenticated based on user and machine
  certificate
 Data can be stored in SQL server or File share based
  upon the configuration from server side
Conclusion
 Building dependable and secure business processes
  and services without any vulnerabilities will either
  be impossible or cause prohibitively high costs
 The security loop holes will be analyzing based on
  the service oriented application implementation
 Identification of security risk available in SOA
 Generate an reports on measures need to be
  consider on security systems implementation
Thank you

				
DOCUMENT INFO
Categories:
Tags:
Stats:
views:16
posted:8/20/2012
language:English
pages:30