Secret Web services may pose new risks

Secret Web services that originate both inside and outside of a company's firewall could soon pose serious security risks to many companies, even those not officially working with Web services. However, there are measures companies can take to mitigate those dangers.


Though they pose little danger today, a Gartner Inc. analyst believes that secret Web services originating both inside and outside of the firewall could eventually pose serious security risks to many companies.

Raymond R. Wagner Jr., Ph.D., research director of information security strategies at Stamford, Conn.-based Gartner, said that as Web service technology grows in popularity, security threats both from malicious external Web services and from unauthorized, unmonitored internal Web services will grow.

"Companies are going to have trouble keeping track of Web services," Wagner said. "When they actually begin to cross the firewall, they're difficult to see."

Wagner said Web services network traffic is often tricky to detect because it utilizes ports 80 and 443 on a Web server, which are the same ports used by HTTP traffic, making it impossible for a standard firewall to tell the difference.

"And the danger is that almost anything can come over a Web service connection," Wagner said, including executable files containing harmful worms or viruses. He said Gartner has estimated that the use of Web services could at some point reopen approximately 60% to 70% of the security holes that companies have plugged during the last 10 years.

Wagner said that unless a company has software in place specifically intended to detect and monitor Web services traffic, not only could harmful data get past a firewall, but an internal department could also build its own Web service and send data out without being detected.

To be absolutely sure what type of data is moving across the firewall, Wagner said a company must break Secure Sockets Layer (SSL) connections at its network perimeter and inspect all traffic around its active server ports.
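The sketch below is an added example, not code from the article or from Gartner. It shows one way to tell Web services calls apart from ordinary HTTP on the same port once SSL has been terminated at the perimeter, and to flag calls to endpoints missing from an approved inventory. It assumes "Web services" means SOAP over HTTP; the host names, paths, inventory and function names are constructed for illustration.

```python
SOAP_NAMESPACES = (  # SOAP 1.1 and SOAP 1.2 envelope namespaces
    "http://schemas.xmlsoap.org/soap/envelope/",
    "http://www.w3.org/2003/05/soap-envelope",
)
XML_TYPES = ("text/xml", "application/xml", "application/soap+xml")

def parse_request(raw):
    """Split one decrypted HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, _, header_block = head.partition("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_block.split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def soap_indicators(method, headers, body):
    """Return the reasons a request looks like a SOAP call (empty if none)."""
    reasons = []
    if "soapaction" in headers:  # header required by SOAP 1.1 over HTTP
        reasons.append("soapaction-header")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if method == "POST" and ctype in XML_TYPES and any(ns in body for ns in SOAP_NAMESPACES):
        reasons.append("soap-envelope")
    return reasons

def audit(requests, inventory):
    """List (host, path, reasons) for SOAP calls to endpoints not in inventory."""
    findings = []
    for raw in requests:
        method, path, headers, body = parse_request(raw)
        reasons = soap_indicators(method, headers, body)
        host = headers.get("host", "").lower()
        if reasons and (host, path) not in inventory:
            findings.append((host, path, reasons))
    return findings

# Constructed sample traffic and inventory (hypothetical hosts and paths).
ENVELOPE = '<Envelope xmlns="%s"><Body/></Envelope>'
SAMPLE = [
    "POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=a",
    "POST /orders HTTP/1.1\r\nHost: api.example.com\r\nContent-Type: text/xml\r\n"
    'SOAPAction: "urn:GetOrder"\r\n\r\n' + ENVELOPE % SOAP_NAMESPACES[0],
    "POST /export HTTP/1.1\r\nHost: partner.example.net\r\n"
    "Content-Type: application/soap+xml; charset=utf-8\r\n\r\n" + ENVELOPE % SOAP_NAMESPACES[1],
]
INVENTORY = {("api.example.com", "/orders")}

if __name__ == "__main__":
    for finding in audit(SAMPLE, INVENTORY):
        print(finding)
```

The namespace match on the body is a heuristic; a production inspector would parse the XML and would also need to handle chunked or compressed bodies.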

However, that can be a challenge today because of the need to inspect the data at near wire speed. According to Wagner, vendors such as Vordel Ltd., Hitachi subsidiary Quadrasis, Reactivity Inc. and Westbridge Technology Inc. have made strides in developing software that detects Web service traffic at the perimeter but, for the most part, the technology is unproven.

Wagner said few vendors are making a good case for Web services discovery and monitoring mechanisms. Yet he said the market for those products will mature because enterprises will eventually realize the need to differentiate and monitor Web services traffic.

Fortunately, Wagner said, security problems from secret Web services are unlikely to reach epidemic proportions because most companies are a few years away from experimenting with external Web services, and those that have are proceeding with caution.

"There is ample time for organizations to prepare for this," Wagner said. "It's possible for organizations to put in a strong Web services infrastructure by the 2004 or 2005 time frame that can protect against most of this."

FOR MORE INFORMATION:

CLICK for more articles by News Editor Eric B. Parizo
