Threats to XML Web services don't follow the conventions of traditional network or e-mail attacks. Therefore, network administrators and developers are forced to think outside the box in order to keep those messages safe as they traverse an enterprise network.
A combination of existing standard defenses must be used in concert with the bevy of modern standards being crafted by OASIS, the World Wide Web Consortium and other standards bodies to help secure not only the transport layer used by Web services, but the messages themselves.
"Customers want to connect customers, partners and applications quickly and line them up with the way their business works today," said John Lilly, chief technology officer at XML security vendor Reactivity Inc. of Belmont, Calif. "A quick, agile sustainable, secure enterprise is key to customers."
As more enterprises delve into using Web services as standards-based interfaces into applications and eventually into full-blown service-oriented architectures, security becomes a critical enabler.
Defending XML Web services is a threefold process according to experts. First, companies must adhere to security standards, deploy tools that detect attacks on XML traffic and then remediate them.
Security and standards
Threats to XML traffic come in three flavors: attacks on the identity of a message sender, attacks on content and attacks on operations, Lilly said. Warding these off begins with securing the transport layer using a combination of Secure Sockets Layer technology (SSL) and Public Key Infrastructure (PKI). These long-standing security methods keep messages confidential, verify the identity of the sender and receiver and allow messages to be sent only once.
Newer standards like WS-Security, XML-Encryption, XML-Schema and XML-Digital Signature secure traffic against the three categories of attacks on XML traffic.
ZapThink LLC cautioned in a recent white paper that compliance with standards is not enough.
"Enterprises that wish to handle application security in a service-oriented manner must take advantage of an enterprise-wide, content-aware security infrastructure," ZapThink said.
Lilly said that detecting attacks on XML traffic can be difficult and require tools that monitor the behavior of applications rather than searching packets for attack patterns.
Dictionary attacks, for example, are often used to steal passwords and other identity-related data. Detecting repeated failures in authentication attempts is one indication of this type of brute-force attack, Lilly said.
Content filters are also essential, Lilly said.
"One way to implement a content filter is to use regular expressions specified across all messages and to define these regular expressions against all known content-borne attacks," he said.
XML denial-of-service attacks (XDoS) are also common content-borne attacks whose purpose is to shut down a Web service or system running that service. Lilly said a common XDoS attack occurs when an XML message is sent with a multitude of digital signatures.
"A naÏve parser would look at each signature and use all the CPU cycles, eating up all resources," he said. Lilly added that these are less common than inadvertent XDoS attacks, which occur for example, when a programming error by a trusted customer causes a handshake to go into an infinite loop.
Deny, block, alert
Remediation is the final piece of the security puzzle. Should a threat take place, IT managers should have a policy where suspicious messages are denied and alerts are sent to the appropriate people, either automatically or after a log review.
Once attacks are identified, Lilly said it is vital that the offending party's IP address, digital certificate, or other means of authentication and authorization, be blocked.
He also urges enterprises to secure the servers running a Web service.
"Good security entails server request throttling that combines factors of message sizes, back-end server latency and transport-level error codes to maintain a model of back-end server load, which provides a means of predicting the message load that a back-end server is capable of handling," Lilly said.
Finally, enterprises must maintain accurate logs that detail normal traffic patterns, as well as failed and successful attacks.
FEEDBACK: What is your greatest Web services security challenge?
Send your feedback to the SearchWebServices.com news team.