Web Services Security

By Doug Kaye
From Web Hosting Monthly, June 2003 Edition
July 28, 2003 -- (WEB HOST INDUSTRY REVIEW) --

Perhaps sooner than you expect, you're going to want to add Web services to your Web site or those of your customers. Have you considered the security implications of doing so? Let's take a brief look at the issues surrounding the secure deployment of XML, SOAP, WSDL, and UDDI.

VPNs and SSL

VPNs (virtual private networks) and SSL fill a specific niche: point-to-point, synchronous Web services. SSL is so ubiquitous that it's nearly guaranteed to remain the standard for securing simple Web services that don't require persistent connections, particularly those available to a large number of anonymous parties. A VPN is conceptually the same as a connection using SSL (a VPN can even be based on SSL), but a VPN is persistent: it isn't initialized and torn down in a matter of milliseconds like most SSL connections.

More complex Web services security challenges require a better platform, one in which security concepts are implemented independently of any particular network or transport protocol. For example, if all or part of a SOAP message is encrypted, that encryption endures regardless of whether the message is sent using HTTP, SMTP, or any other protocol. Network- and transport-independent security is required for any message that will be routed over more than one protocol on the way to its final destination.

Application Firewalls

A traditional network firewall deals with packets. It understands the supposed source and destination of traffic at the system-to-system level, rather than at the application-to-application level. Network firewalls are also aware of the general nature of the traffic according to the protocols used (FTP, HTTP, etc.), but most network firewalls can't distinguish a Web services packet from one that's part of a World Wide Web browser/server exchange.
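The following is an added illustration of the transport-independence point made under "VPNs and SSL"; it is not code from the article. It uses an HMAC over the SOAP Body, placed in the SOAP Header, as a simplified stand-in for the message-level encryption or XML Signature the article has in mind (real deployments use WS-Security; the `urn:example:demo-security` header namespace, the shared key, the service names and re-serializing the parsed Body in place of XML canonicalization are all assumptions for the demo). The same protected envelope is then carried over a simulated HTTP POST and a simulated MIME e-mail and verifies identically at the receiver, which is exactly what neither transport, nor a packet-level firewall watching either of them, can evaluate.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from email import message_from_bytes, policy
from email.message import EmailMessage

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DEMO_NS = "urn:example:demo-security"  # hypothetical namespace for the demo header block
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("demo", DEMO_NS)

# Constructed sample key shared by sender and receiver; a stand-in for real key management.
SHARED_KEY = b"demo-shared-secret"


def build_envelope(body_xml: str) -> str:
    """Wrap an operation payload in a minimal SOAP 1.1 envelope."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header/>'
            f'<soap:Body>{body_xml}</soap:Body></soap:Envelope>')


def _parts(root):
    """Locate Header and Body by namespace URI, whatever prefixes the sender used."""
    header = root.find(f"{{{SOAP_NS}}}Header")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if header is None or body is None:
        raise ValueError("not a SOAP envelope with Header and Body")
    return header, body


def _body_mac(body) -> str:
    # Both sides re-serialize the parsed Body and MAC those bytes, so the value
    # does not depend on how the transport happened to encode the text
    # (a simplified stand-in for XML canonicalization).
    return hmac.new(SHARED_KEY, ET.tostring(body, encoding="utf-8"),
                    hashlib.sha256).hexdigest()


def protect(envelope: str) -> str:
    """Sender: put a MAC over the Body into the Header. The protection is part of the message."""
    root = ET.fromstring(envelope)
    header, body = _parts(root)
    ET.SubElement(header, f"{{{DEMO_NS}}}BodyHMAC").text = _body_mac(body)
    return ET.tostring(root, encoding="unicode")


def verify(envelope: str) -> bool:
    """Receiver: recompute the MAC and compare in constant time."""
    root = ET.fromstring(envelope)
    header, body = _parts(root)
    tag = header.find(f"{{{DEMO_NS}}}BodyHMAC")
    if tag is None or not tag.text:
        return False
    return hmac.compare_digest(tag.text, _body_mac(body))


# Two simulated transports. Neither knows or cares about the MAC inside the envelope.
def over_http(envelope: str) -> bytes:
    return (b"POST /service HTTP/1.1\r\nHost: soap.example.invalid\r\n"
            b"Content-Type: text/xml; charset=utf-8\r\n\r\n" + envelope.encode("utf-8"))


def from_http(raw: bytes) -> str:
    return raw.split(b"\r\n\r\n", 1)[1].decode("utf-8")


def over_smtp(envelope: str) -> bytes:
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "service@example.invalid"
    msg["Subject"] = "SOAP request"
    msg.set_content(envelope, subtype="xml")  # the MIME layer may re-encode the text
    return msg.as_bytes()


def from_smtp(raw: bytes) -> str:
    return message_from_bytes(raw, policy=policy.default).get_content().strip()


if __name__ == "__main__":
    request = build_envelope('<GetBalance xmlns="urn:example:bank">'
                             '<account>ACC-0001</account></GetBalance>')
    signed = protect(request)
    print("direct  :", verify(signed))
    print("via HTTP:", verify(from_http(over_http(signed))))
    print("via SMTP:", verify(from_smtp(over_smtp(signed))))
    print("tampered:", verify(signed.replace("ACC-0001", "ACC-0002")))
```

Running the block shows `True` for the direct, HTTP and SMTP paths and `False` for the tampered copy: the MIME layer re-encodes the text for e-mail, yet the receiver recovers the same Body and the check still holds, while any change to the Body in transit is caught no matter which hop made it. An SSL or VPN tunnel would protect only one hop; this check travels with the message.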
An XML firewall or application firewall operates at the application layer, examining the XML content of packets rather than just their addresses. When an XML firewall receives a message destined for one of the applications it protects, it looks within the message and within its envelope to examine the XML data contained in the message's header and body.

Roadmap

For now, most Web services don't even use SOAP. They exchange small chunks of XML using the standard methods of HTTP. More confidential Web services are typically secured using VPNs and SSL. Advanced XML firewalls are rare today, but they'll become common in two to three years. You may not need one until then, but keep an eye on their evolution and acceptance and on the overall growth of Web services. It's only a matter of time.
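As an added example of the application-layer inspection described under "Application Firewalls" (not code from the article or from any XML firewall product), the function below does what a packet firewall cannot: it opens the SOAP envelope and checks the header blocks and the operation in the body against a per-service policy before the message is allowed through. The policy values, the `urn:example:bank` service, the `urn:example:demo-security` header block and the sample messages are all constructed for the demo; the size, nesting and DOCTYPE limits are common hardening rules for any XML-inspecting gateway rather than anything the article specifies.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Hypothetical per-service policy; a real XML firewall would load one per protected application.
POLICY = {
    "max_bytes": 8 * 1024,   # refuse oversized envelopes before parsing anything
    "max_depth": 16,         # bound element nesting
    "allowed_headers": {"{urn:example:demo-security}BodyHMAC"},  # header blocks we understand
    "allowed_operations": {"{urn:example:bank}GetBalance"},      # Body children (operations) permitted
}


def _depth(elem) -> int:
    """Maximum element nesting depth, computed iteratively to avoid recursion limits."""
    deepest, stack = 1, [(elem, 1)]
    while stack:
        node, d = stack.pop()
        deepest = max(deepest, d)
        stack.extend((child, d + 1) for child in node)
    return deepest


def inspect(raw: bytes) -> Tuple[bool, str]:
    """Decide whether a message may reach the protected application.

    A packet firewall sees only addresses and ports; this looks at the
    envelope, the header blocks and the operation carried in the Body.
    """
    if len(raw) > POLICY["max_bytes"]:
        return False, "envelope exceeds size limit"
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        # Policy: SOAP messages carry no DTD; refuse rather than let the parser process one.
        return False, "DOCTYPE/ENTITY declarations are not accepted"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP envelope"
    if _depth(root) > POLICY["max_depth"]:
        return False, "element nesting too deep"
    header = root.find(f"{{{SOAP_NS}}}Header")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return False, "missing Body"
    if header is not None:
        for block in header:
            if block.tag not in POLICY["allowed_headers"]:
                return False, f"unexpected header block {block.tag}"
    operations = list(body)
    if len(operations) != 1:
        return False, "Body must carry exactly one operation"
    if operations[0].tag not in POLICY["allowed_operations"]:
        return False, f"operation {operations[0].tag} not permitted"
    return True, "ok"


# Constructed sample messages.
_ENV = b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
GOOD = (_ENV + b'<soap:Header/><soap:Body><GetBalance xmlns="urn:example:bank">'
        b'<account>ACC-0001</account></GetBalance></soap:Body></soap:Envelope>')
BAD_OPERATION = (_ENV + b'<soap:Body><Transfer xmlns="urn:example:bank">'
                 b'<amount>1</amount></Transfer></soap:Body></soap:Envelope>')
BAD_HEADER = (_ENV + b'<soap:Header><Route xmlns="urn:example:unknown"/></soap:Header>'
              b'<soap:Body><GetBalance xmlns="urn:example:bank"/></soap:Body></soap:Envelope>')
WITH_DTD = b'<!DOCTYPE x [<!ENTITY e "x">]>' + GOOD

if __name__ == "__main__":
    for name, msg in [("GOOD", GOOD), ("BAD_OPERATION", BAD_OPERATION),
                      ("BAD_HEADER", BAD_HEADER), ("WITH_DTD", WITH_DTD)]:
        print(f"{name:14s} -> {inspect(msg)}")
```

Every rejection carries a reason so that the gateway can log it; that log is the detection signal a packet firewall never produces, since at the packet level all four sample messages are just HTTP POSTs to the same host and port. Note that the allow-list matches on the namespaced operation name, so a message that merely looks like a valid request but addresses a different operation or service namespace is stopped before the application ever parses it.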