WebServices, GridServices
and Firewalls
Matthew J. Dovey
Technical Manager
Oxford e-Science Centre
http://e-science.ox.ac.uk
(matthew.dovey@oucs.ox.ac.uk)
WebServices
Method of inter-computer communication
„
Initially Remote Procedural Call
Uses XML for messages
Uses existing “Web”/Internet protocols for
transfer
„
„
e.g. HTTP for synchronous
e.g. SMTP for asynchronous
WebServices
Service defined by endpoint
„
„
e.g. URL http://myserver.org/myservice
m.g. e-mail address myservice@myserver.org
Operation (and parameters) defined by XML
message
e.g.
<SOAP-Env:body>
<myOperation>
<myParam>…</myParam>
</myOperation>
</SOAP-Env:body>
WebServices and Firewalls
SOAP 1.0 (Microsoft) – the ability to
transfer information between organisations
through the firewall
Ability to offer multiple WebServices
through a single port
Ability to offer multiple WebServices
through protocols traditionally allowed
through firewalls (http, smtp)
No portmappers
Securing WebServices
Publishing model
„
„
„
Internal services behind the firewall
“publish” only safe public services
Comparable to public website vs internal
intranet for documents
But…
„
„
„
Web Services have bugs
Web Service Infrastructures have bugs
Web Servers/SMTP Servers have bugs
Securing WebServices
Application Level Firewalls
„
„
„
„
„
„
„
Traditional firewalls assume application defined by
port
WebServices defined by endpoint (URL) and XML
data
Application Firewalls inspect XML data
Check XML conformant with application (determined
by endpoint)
Block unregistered endpoints/XML data
Strong linkage between firewall and application (no
longer disconnected black boxes)
Issues with encrypted data
Securing WebServices
Private Networks via SSL
„
WebService encryption either
Sensitive message parts (avoiding cost of
encrypting all the message)
Transport (e.g. https, smtp over SSL etc.)
„
Use of SSL for private network services
Encrypt and authenticate via x509 certificates
No certificate – no access
„
Comparable to VPN solutions for Globus 2
GridServices
An application framework built on
WebServices
Differences from traditional “WebServices”
„
„
State handling
NotificationSource and NotificationSink
Notification Events
Under OGSA Notification model both
source and recipient of a notification must
implement a GRID Service interface
i.e. GRID clients (typically desktops) must
behave as a GRID Service (WebService)
server
Security of desktop as crucial as security
of server
Issues with VPNs
State handling
WebServices handle state via
„
„
Out of band session id, e.g. HTTP cookie
Service defined session id carried in SOAP
Envelope
GRIDServices handle state via factories
„
„
„
Factory service returns a URL to a dedicated
service for that client
URL acts as session id
Similar to RPC port mapping (“URL mapping”)
GRIDService Factories - Cons
Hijacking
„
„
URLs transparent when not over SSL
(WebServices can selectively encrypt)
Danger of predictable URLs
(WebServices can generate random and
semantic-less keys)
May be difficult to use with application
level firewalls which rely on fixed
endpoints for services
GRIDService Factories - Pros
Factory could link generated service strongly to
client
„
„
„
Service linked to given ip address only
Service only allows https/SSL connection from client
certificate
i.e. knock on door system comparable in “dynamic
firewall” solution to Globus 2
Instance could be on another machine
„
Factory on front-end box
Summary
WebServices originally bypassed firewalls
WebServices require sophisticated
application-aware protection
WebServices/GRIDServices potential offer
mechanisms for enforcing security (e.g.
certificate authentication)
Slide number 14