
Securing Web Services: An evaluation of methods for securing web services introduced in different layers of the network stack

Curt Marjaniemi, CS522 Semester Project, 12/02/06


Presentation Transcript


  1. Securing Web Services
     An evaluation of methods for securing web services introduced in different layers of the network stack
     Curt Marjaniemi
     CS522 Semester Project
     12/02/06
     Securing .NET Web Services

  2. Agenda
     • Important Security Features When Evaluating Methods
     • Common Methods for Securing Web Services
       • WS-Security
       • SSL
       • IPSec
     • Test Configuration
     • Test Results
     • Analyzing Traffic using Ethereal
     • Future Research/Tests

  3. Important Security Features When Evaluating Methods
     • Encryption of data
     • Integrity (signing)
     • Non-repudiation

  4. Methods Evaluated
     • WS-Security
     • IP Security (IPSec)
     • Secure Sockets Layer (SSL)

  5. WS-Security
     [Network stack diagram: Application (HTTP), Security (SSL), Transport (TCP), Network (IP), Data Link (PPP), Physical Layer]
     • Protocol for applying security to Web Services
     • Originally developed by IBM, Microsoft, and VeriSign
     • Contains specifications on how integrity and confidentiality can be enforced

  6. WS-Security
     • Version 1.1 contains the following specifications
       • WS-SecureConversation
       • WS-Federation
       • WS-Authorization
       • WS-Policy
       • WS-Trust
       • WS-Privacy

  7. WS-Security Implementation
     • Implementation was difficult
     • Microsoft's Web Service Enhancements (WSE) 3.0
       • Simplifies development of secure web services
       • Hides the implementation details of the WS-* specifications

  8. SSL
     [Network stack diagram: Application (HTTP), Security (SSL), Transport (TCP), Network (IP), Data Link (PPP), Physical Layer]
     • SSL 3.0 most commonly used version
     • Client and server negotiate a common secret
     • Each record optionally compressed, encrypted and packed with a MAC
     • Supports multiple cryptographic algorithms, such as Triple DES

  9. SSL Implementation
     • Implementation was extremely easy
     • When contacting the web service, just use HTTPS

  10. IPSec
      [Network stack diagram: Application (HTTP), Security (SSL), Transport (TCP), Network (IP), Data Link (PPP), Physical Layer]
      • Suite of protocols for securing IP communications by encrypting and/or authenticating each IP packet
      • Two modes:
        • Transport
        • Tunnel

  11. IPSec Implementation
      • Implementation was complex, but not too difficult
      • Windows 2003 IP Security Policy Manager
        • Allows you to create IP Security policies to secure traffic based on IP, Protocol, Port, etc.
        • Can specify the type of encryption (Triple DES, DES, etc.)
        • Can specify the type of authentication (Kerberos, Windows, etc.)
        • X.509 certificates for key exchange

  12. Test Configuration
      Machines:
      • Web Service: Windows 2003, IIS 6.0, .NET 2.0, Dual Pentium III 1GHz, 1 GB RAM
      • Web Client: Windows 2003, IIS 6.0, .NET 2.0, Dual Pentium III 1GHz, 1 GB RAM
      • Load Tester: Windows XP, Visual Studio 2005 Test Edition, Pentium III 1.5 GHz, 1 GB RAM
      Roles:
      • Web Service
        • Calculated the Fibonacci sequence
        • Returned 34 K of data
      • Web Client
        • Called the web service using either SSL, IPSec, WS-Security or Nothing
      • Load Tester
        • Simulated 50 concurrent users
      Diagram labels: Default.aspx, Fibonacci.asmx

  13. Test Results

  14. Analyzing Traffic using Ethereal
      • IPSec
        • 40,447 bytes
        • 43 Packets
        • Protocols
          • 10 ISAKMP
          • 33 ESP (Encapsulating Security Payload)
          • 1 BROWSER
      • WS-Security
        • 67,004 bytes
        • 63 Packets
        • Protocols
          • 2 HTTP
          • 61 TCP
      • No Security
        • 37,961 bytes
        • 46 Packets
        • Protocols
          • 2 ARP
          • 3 HTTP
          • 41 TCP
      • SSL
        • 37,457 bytes
        • 38 Packets
        • Protocols
          • 6 TLS
          • 32 TCP

  15. Future Research/Tests
      • Introduce Load Balancing
      • Add authentication mechanisms
      • Add a third server in-between the client and the service
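
Slides 3 and 5 to 7 describe WS-Security as applying integrity (signing) and confidentiality (encryption) inside the SOAP message, rather than to the connection as SSL and IPSec do. The following is an added example, not code from the presentation or from WSE 3.0: a structural check that a SOAP 1.1 message carries a `wsse:Security` header whose signature references the body and that the body contains only encrypted data. The function name, the sample messages and the `FibonacciResult` element are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET  # stdlib so this runs offline; prefer defusedxml for untrusted input

NS = {  # standard SOAP 1.1, WS-Security 1.0, XML Signature and XML Encryption namespaces
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def check_message_protection(envelope_xml):
    """Structural check only: signature values are not verified and nothing is decrypted."""
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)
    if body is None:
        raise ValueError("no SOAP 1.1 Body element")
    security = root.find("soap:Header/wsse:Security", NS)
    # Fragment URIs ("#id") listed in the signature's SignedInfo are the parts it covers.
    refs = [] if security is None else security.findall(
        "ds:Signature/ds:SignedInfo/ds:Reference", NS)
    signed_ids = {r.get("URI", "")[1:] for r in refs if r.get("URI", "").startswith("#")}
    body_id = body.get("{%s}Id" % NS["wsu"])
    children = list(body)
    return {
        "has_security_header": security is not None,
        # A signature that does not reference the body leaves the payload unsigned.
        "body_signed": body_id is not None and body_id in signed_ids,
        # Confidentiality: the body must hold only xenc:EncryptedData, no cleartext elements.
        "body_encrypted": bool(children) and all(
            c.tag == "{%s}EncryptedData" % NS["xenc"] for c in children),
    }

def _envelope(header, body_attrs, body):  # builds the constructed sample messages below
    xmlns = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    return ("<soap:Envelope %s><soap:Header>%s</soap:Header><soap:Body %s>%s</soap:Body>"
            "</soap:Envelope>" % (xmlns, header, body_attrs, body))

_SIG = ('<wsse:Security><ds:Signature><ds:SignedInfo><ds:Reference URI="#%s"/>'
        "</ds:SignedInfo></ds:Signature></wsse:Security>")
_CLEAR = "<FibonacciResult>0 1 1 2 3 5 8</FibonacciResult>"  # hypothetical element name
_CIPHER = ("<xenc:EncryptedData><xenc:CipherData><xenc:CipherValue>Y29uc3RydWN0ZWQ="
           "</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>")

PLAIN = _envelope("", "", _CLEAR)                                   # no WS-Security at all
PROTECTED = _envelope(_SIG % "Body-1", 'wsu:Id="Body-1"', _CIPHER)  # signed and encrypted
HEADER_ONLY = _envelope(_SIG % "Timestamp-1", 'wsu:Id="Body-1"', _CLEAR)  # body not covered

if __name__ == "__main__":
    for name, msg in [("plain", PLAIN), ("protected", PROTECTED), ("header-only", HEADER_ONLY)]:
        print(name, check_message_protection(msg))
```

The `HEADER_ONLY` case is the one worth testing for in practice: a security header and a signature are present, yet the payload is neither signed nor encrypted.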
