Web Services and the Old World

advertisement
Web Services and the Old World
Phillip Hallam-Baker
Principal Scientist
VeriSign Inc.
© 2004 VeriSign, Inc.
A Quotation
“I have seen the future and it has angle brackets.”
A Web Services Architect
2
More Quotations
“Without Trust and Security, Web Services are dead on arrival.”
Phillip Hallam-Baker
“Unless you fix Internet crime people are not going to be very
confident in your ability to secure Web Services.”
One of his customers
3
Internet Crime
+ It is real, it is organized, it is for profit
+ Spam was the start, phishing is the merely the current tactic
+ Has required a re-evaluation of legacy Internet protocol security
+ Email was not designed to be secure
+ Phishing gangs are now exploiting that lack of security
+ Direct losses due to fraud are hundreds of millions
+ The cost of lost consumer confidence is potentially much higher
+ SSL held the line for ten years
+ During which time little was done to improve the user interface
+ Introduction of domain authenticated certificates reduced security assurance
+ IPSEC, DNSSEC don’t really meet the security issues of Internet crime
+ Designed for very different threats
+ What is to be done?
4
Industry Solution – Retrofit Web Services Architecture
+ Not acknowledged as such (of course)
+ Not even an acknowledgement that there is a systematic architecture
+ But close similarities exist
+ Example: Web Services Discovery and Protocol Negotiation
+
+
+
+
+
XML defines common protocol syntax
XML-Schema defines data structures
WSDL describes message set etc.
WS-Policy allows negotiation of protocol version and features
WS-SecurityPolicy allows negotiation of security context
+ Fixing Email
+ Multiple schemes, SPF/Sender-ID, Domain Keys/Identified Internet Mail
+ But each adds a security policy layer to the existing SMTP protocol
+ “All legitimate mail from this domain comes from these IP addresses”
+ “All legitimate mail from this domain is signed”
5
Using the DNS for Protocol Policy Distribution
+ SPF (Sender Policy Framework) stores protocol policy in the DNS
+ Lightweight & ubiquitous protocol designed for name resolution protocol
+ Works very well for policy distribution
+ Has built in caching, time to live
+ No cryptographic security
+ But this is now a matter of time due to level of attack
+ Why not extend to general security policy distribution protocol?
+ Does this web site support SSL?
+ Negotiate transparent upgrade using HTTP SSL
+ Does this email server support SSL?
+ Always on security
+ Why not distribute WS-Policy statements via DNS?
+ We are not there - yet
6
Rediscovering the Edge
+ Traditional Internet architecture regarded firewalls as evil
+ End-to-end security or nothing
+ Usually ending up with nothing or next to nothing
+ Web Services & Web Services Security model embrace firewalls
+ “Here is the information you need to let me through”
+ Security architectures to address Internet Crime rediscover the edge
+ Authenticate email at the domain level
+ Apply authentication to email at the edge server
+ Verify authentication at the incoming edge
7
‘Web Services Lite’
+ Legacy Internet Protocols packaged in Web Services friendly form
+ SOAP is not supported
+ Protocol must be hand coded
+ Syntax and specification are idiosyncratic
+ But allow client to answer important questions
+ What version of the protocol are supported?
+ What security enhancements are supported?
+ Is there a pure Web Service connection available?
+ But acknowledge the fact that edge security is legitimate
+ Network infrastructure is not abstracted away in security model
+ End-to-End considered a cop-out, ignoring the real security issues
8
What are the Implications for Web Services?
+ Lessons learned #1
+ Its not the technology, it’s the deployment strategy
+ Lessons learned #2
+ Its not the standards body, it’s the constituency of stakeholders
+ See Lesson #1
+ Lessons learned #3
+ Make the barriers to entry exceptionally low
+ See Lesson #1
+ Lessons learned #4
+ The bad guys attack the system at its weakest point
+ That is often the consumer
+ See Lesson #1
9
What are the Implications for Web Services?
+ Web Services Lite is being deployed
+
+
+
+
SPF/Sender-ID Email authentication has critical mass
Considerable backing for Domain Keys/Identified Internet Mail
Internet crime provides a major forcing function
Expect businesses to sign SMTP mail by default in near future
+ It would be good to use as much Web Services experience as possible
+ If only to serve as prototype deployment/sanity check for Web Services
+ Legacy protocols are in flux, change is possible
+ Potential downside
+ It is concluded that the legacy internet protocols are sufficient
+ No need to move to new platforms such as SOAP
+ Potential upside
+ Close many of the security holes that create ‘gotchas’ for Web Services
+ Co-opt Web Services Lite to provide low barrier to entry for true Web Services
10
Beyond EDI with angle brackets
+ One view of Web Services is to provide ‘frictionless capitalism’
+ XML is better than the ASN.1 in EDI because wind resistance of the
angle brackets is lower…
+ Web Services will connect big company to big company
+
+
+
+
Electronic supply chain
Smaller companies will be bullied into line and forced to comply
Huge benefits for large companies
Smaller companies with no ERM systems to integrate to will get ?
+ Perhaps there is another approach
+ Support the small business doing one Web Services transaction a week
+ Real-Time integration will still require infrastructure
11
Web Services without the server
+ Servers represent a real cost to a small business
+
+
+
+
Software is expensive, requires specialist coding skills
Maintenance is even more expensive
Have to be on 24/7
Reliability requires redundant configuration
+ Clients are cheap
+ Software is subject to commodity pricing, off the shelf distribution
+ Client connection is more forgiving, coding errors less disastrous
+ Email is ubiquitous and inexpensive
+ With new cryptographic enhancements it is becoming reliably secure
12
Proposal: Use Email for the low cost entry point
+ Example: Electronic Invoicing
+ Transition will mean that there are multiple speeds:
+ Large business supports e-Invoice Web Service
+ Some small businesses and consumers opt to receive invoices by email
+ Some still receive paper
+ Some businesses will interface their Web Services to paper
+ Order received by Web Service, is printed out and sent to Accounts
+ Some businesses will have tight integration with their ERM system
+ Some will be using Quicken, QuickBooks or Microsoft Money
+ Application recognizes message as an invoice
+ Source is identified as trustworthy
+ Automatically enter it into the ledger.
13
Conclusions
+ Internet Crime is affecting Web Services
+ A major effect on consumer and business confidence in the Internet
+ Requiring redesign of legacy protocols infrastructures
+ Many features of Web Services are being grafted onto the legacy base
+ Web Services can benefit from this process
+ Make use of the secured legacy infrastructures
+ Use them to lower barriers to adoption
+ Make Web Services into a mass market technology, not merely EDI mkII
14
Thank You
© 2004 VeriSign, Inc.
Download