Organizations that are building XML-based Web applications and Web services are increasingly turning to the Security Assertion Markup Language (SAML) to communicate identities and authorization information. These organizations need to protect themselves from attacks at the XML protocol level, the SAML protocol level and at the level of the application itself. Although the standard is sound, it is easy to make mistakes in the implementation or the configuration of systems and undermine the security SAML is intended to provide. XML-aware firewalls provide a solution to this multi-layered problem.
SAML, a standard defined by the Organization for the Advancement of Structured Information Standards, specifies how XML can be used to carry authentication and authorization statements or assertions. Assertions are a set of XML elements that allow identity providers (or asserting parties) to build statements regarding the authenticity of a subject (user or principal) and pass those assertions to a service provider. In other words, a Web site (and identity provider) that has authenticated a user can exchange assertions that vouch for the authenticity of the user with other sites. For example, a travel agent site can authenticate users via log on and allow single sign-on to airline sites, hotel sites and car rental sites to make the entire travel booking process seamless and convenient for the user. SAML makes this type of coordination possible by establishing standard XML-based
XML was chosen as the language to define and implement Web services and SAML because it is flexible, expressive and generally accepted. However, the expressiveness and flexibility provides opportunities for attackers to embed attacks in messages that attempt to exploit weaknesses in the layers of systems that consume the XML, Web services and application elements. For example, the modular nature of XML allows elements, like large attachments, to be embedded in Web services requests without adversely affecting the behavior of the protocol. If such optional elements are handled incorrectly, the application or the system may be compromised.
These threats can be mitigated by deploying XML-aware firewall devices that inspect the contents of messages, check syntax, check authentication and generally weed out requests that may be attacks. These specialized firewall devices typically provide high throughput and can be shared by multiple systems across an infrastructure.
XML firewall appliances are designed to efficiently parse the XML elements and inspect them for malformed, unacceptable or unexpected content. These malformed messages can then be rejected prior to reaching the application system. In cases where the application needs to support embedded attachments, some XML firewalls can be integrated with virus-detection services and inspect the contents of attachments for infections.
As mentioned above, SAML was defined to support communication of identity information and federation. One of the critical aspects of federation is the establishment and maintenance of trust relationships among the coordinating parties (or circle of trust). That typically means setting up a public key infrastructure and/or exchanging secret keys. These cryptographic key exchanges allow parties to encrypt, sign and verify the authenticity of assertions or the connections carrying them.
XML firewalls can look inside the SAML assertions, and perform authentication and integrity checks. While this approach shouldn't obviate the need for application components to perform these critical checks, it may help to detect and reject attacks based on forged or modified assertions.
Overall, XML firewalls offer an attractive set of features that can help to protect systems and applications from attacks that are surely going to become commonplace. The combination of speed and the convenience of a single point of administration for multiple applications and layers within applications make these devices worth investigating.
- See how one vendor is improving it's XML firewall to handle larger SOAP messages
- Learn how SAML is being used in real world applications
About the Author:
Richard Mackey, Principal, SystemExperts, is an authority on distributed computing infrastructure and security. He has advised leading Wall Street firms on overall security architecture, VPNs, enterprise-wide authentication, and intrusion detection and analysis. He has been a frequent speaker at major conferences and has led numerous tutorials on developing secure distributed applications.
This tip orginally appeared on SearchSecurity.com.
This was first published in June 2005