1 / 15

Web Services and the Old World

Web Services and the Old World. Phillip Hallam-Baker Principal Scientist VeriSign Inc. A Quotation. “I have seen the future and it has angle brackets.” A Web Services Architect. More Quotations. “Without Trust and Security, Web Services are dead on arrival.” Phillip Hallam-Baker

kbenson
Download Presentation

Web Services and the Old World

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Web Services and the Old World Phillip Hallam-Baker Principal Scientist VeriSign Inc.

  2. A Quotation “I have seen the future and it has angle brackets.” A Web Services Architect

  3. More Quotations “Without Trust and Security, Web Services are dead on arrival.” Phillip Hallam-Baker “Unless you fix Internet crime people are not going to be very confident in your ability to secure Web Services.” One of his customers

  4. Internet Crime • It is real, it is organized, it is for profit • Spam was the start, phishing is the merely the current tactic • Has required a re-evaluation of legacy Internet protocol security • Email was not designed to be secure • Phishing gangs are now exploiting that lack of security • Direct losses due to fraud are hundreds of millions • The cost of lost consumer confidence is potentially much higher • SSL held the line for ten years • During which time little was done to improve the user interface • Introduction of domain authenticated certificates reduced security assurance • IPSEC, DNSSEC don’t really meet the security issues of Internet crime • Designed for very different threats • What is to be done?

  5. Industry Solution – Retrofit Web Services Architecture • Not acknowledged as such (of course) • Not even an acknowledgement that there is a systematic architecture • But close similarities exist • Example: Web Services Discovery and Protocol Negotiation • XML defines common protocol syntax • XML-Schema defines data structures • WSDL describes message set etc. • WS-Policy allows negotiation of protocol version and features • WS-SecurityPolicy allows negotiation of security context • Fixing Email • Multiple schemes, SPF/Sender-ID, Domain Keys/Identified Internet Mail • But each adds a security policy layer to the existing SMTP protocol • “All legitimate mail from this domain comes from these IP addresses” • “All legitimate mail from this domain is signed”

  6. Using the DNS for Protocol Policy Distribution • SPF (Sender Policy Framework) stores protocol policy in the DNS • Lightweight & ubiquitous protocol designed for name resolution protocol • Works very well for policy distribution • Has built in caching, time to live • No cryptographic security • But this is now a matter of time due to level of attack • Why not extend to general security policy distribution protocol? • Does this web site support SSL? • Negotiate transparent upgrade using HTTP SSL • Does this email server support SSL? • Always on security • Why not distribute WS-Policy statements via DNS? • We are not there - yet

  7. Rediscovering the Edge • Traditional Internet architecture regarded firewalls as evil • End-to-end security or nothing • Usually ending up with nothing or next to nothing • Web Services & Web Services Security model embrace firewalls • “Here is the information you need to let me through” • Security architectures to address Internet Crime rediscover the edge • Authenticate email at the domain level • Apply authentication to email at the edge server • Verify authentication at the incoming edge

  8. ‘Web Services Lite’ • Legacy Internet Protocols packaged in Web Services friendly form • SOAP is not supported • Protocol must be hand coded • Syntax and specification are idiosyncratic • But allow client to answer important questions • What version of the protocol are supported? • What security enhancements are supported? • Is there a pure Web Service connection available? • But acknowledge the fact that edge security is legitimate • Network infrastructure is not abstracted away in security model • End-to-End considered a cop-out, ignoring the real security issues

  9. What are the Implications for Web Services? • Lessons learned #1 • Its not the technology, it’s the deployment strategy • Lessons learned #2 • Its not the standards body, it’s the constituency of stakeholders • See Lesson #1 • Lessons learned #3 • Make the barriers to entry exceptionally low • See Lesson #1 • Lessons learned #4 • The bad guys attack the system at its weakest point • That is often the consumer • See Lesson #1

  10. What are the Implications for Web Services? • Web Services Lite is being deployed • SPF/Sender-ID Email authentication has critical mass • Considerable backing for Domain Keys/Identified Internet Mail • Internet crime provides a major forcing function • Expect businesses to sign SMTP mail by default in near future • It would be good to use as much Web Services experience as possible • If only to serve as prototype deployment/sanity check for Web Services • Legacy protocols are in flux, change is possible • Potential downside • It is concluded that the legacy internet protocols are sufficient • No need to move to new platforms such as SOAP • Potential upside • Close many of the security holes that create ‘gotchas’ for Web Services • Co-opt Web Services Lite to provide low barrier to entry for true Web Services

  11. Beyond EDI with angle brackets • One view of Web Services is to provide ‘frictionless capitalism’ • XML is better than the ASN.1 in EDI because wind resistance of the angle brackets is lower… • Web Services will connect big company to big company • Electronic supply chain • Smaller companies will be bullied into line and forced to comply • Huge benefits for large companies • Smaller companies with no ERM systems to integrate to will get ? • Perhaps there is another approach • Support the small business doing one Web Services transaction a week • Real-Time integration will still require infrastructure

  12. Web Services without the server • Servers represent a real cost to a small business • Software is expensive, requires specialist coding skills • Maintenance is even more expensive • Have to be on 24/7 • Reliability requires redundant configuration • Clients are cheap • Software is subject to commodity pricing, off the shelf distribution • Client connection is more forgiving, coding errors less disastrous • Email is ubiquitous and inexpensive • With new cryptographic enhancements it is becoming reliably secure

  13. Proposal: Use Email for the low cost entry point • Example: Electronic Invoicing • Transition will mean that there are multiple speeds: • Large business supports e-Invoice Web Service • Some small businesses and consumers opt to receive invoices by email • Some still receive paper • Some businesses will interface their Web Services to paper • Order received by Web Service, is printed out and sent to Accounts • Some businesses will have tight integration with their ERM system • Some will be using Quicken, QuickBooks or Microsoft Money • Application recognizes message as an invoice • Source is identified as trustworthy • Automatically enter it into the ledger.

  14. Conclusions • Internet Crime is affecting Web Services • A major effect on consumer and business confidence in the Internet • Requiring redesign of legacy protocols infrastructures • Many features of Web Services are being grafted onto the legacy base • Web Services can benefit from this process • Make use of the secured legacy infrastructures • Use them to lower barriers to adoption • Make Web Services into a mass market technology, not merely EDI mkII

  15. Thank You

More Related