Securing Web Services

insidiousbehavior | Security | 3 Nov 2013

Curt Marjaniemi

Securing .NET Web Services

1

Securing Web Services

An evaluation of methods for securing web services introduced at different layers of the network stack

Curt Marjaniemi

CS522 Semester Project

12/02/06



Agenda

Important Security Features When Evaluating Methods
Common Methods for Securing Web Services
  WS-Security
  SSL
  IPSec
Test Configuration
Test Results
Analyzing Traffic using Ethereal
Future Research/Tests



Important Security Features When Evaluating Methods

Encryption of data
Integrity (signing)
Non-repudiation



Methods Evaluated

WS-Security
IP Security (IPSec)
Secure Sockets Layer (SSL)



WS-Security

Protocol for applying security to Web Services
Originally developed by IBM, Microsoft, and VeriSign
Contains specifications on how integrity and confidentiality can be enforced

[Figure: network stack shown beside the slide: Physical Layer; Data Link (PPP); Network (IP); Transport (TCP); Security (SSL); Application (HTTP)]


WS-Security

Version 1.1 contains the following specifications:
  WS-SecureConversation
  WS-Federation
  WS-Authorization
  WS-Policy
  WS-Trust
  WS-Privacy


WS-Security Implementation

Implementation was difficult
Microsoft's Web Services Enhancements (WSE) 3.0
  Simplifies development of secure web services
  Hides the implementation details of the WS-* specifications


SSL

SSL 3.0 is the most commonly used version
Client and server negotiate a common secret
Each record is optionally compressed, encrypted and packed with a MAC
Supports multiple cryptographic algorithms, such as Triple DES

[Figure: network stack shown beside the slide: Physical Layer; Data Link (PPP); Network (IP); Transport (TCP); Security (SSL); Application (HTTP)]
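As an added example (not from the original slides), the record-layer processing the SSL slide describes: each record is compressed, a MAC is appended, and the result is encrypted, with the receiver rejecting records that were tampered with or replayed under the wrong sequence number. It is illustrative only: the MAC is HMAC-SHA256 and the cipher is a constructed HMAC-based keystream standing in for the negotiated cipher (such as the Triple DES the slide mentions); the keys and message are constructed sample values, and real SSL 3.0 uses its own MAC construction and cipher suites.

```python
import hmac
import hashlib
import struct
import zlib
from typing import Optional

APPLICATION_DATA = 23  # SSL record content type for application data
SSL3_VERSION = (3, 0)  # SSL 3.0, the version named on the slide
MAC_LEN = 32           # HMAC-SHA256 digest size


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed stand-in for the negotiated cipher (e.g. Triple DES):
    # a counter-mode keystream from HMAC-SHA256. Not an SSL cipher suite.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_record(plaintext: bytes, mac_key: bytes, enc_key: bytes, seq: int) -> bytes:
    """Compress, MAC over (sequence number, type, payload), then encrypt:
    the MAC-then-encrypt order of the SSL record layer. Returns header+body."""
    compressed = zlib.compress(plaintext)
    mac = hmac.new(mac_key, struct.pack(">QB", seq, APPLICATION_DATA) + compressed,
                   hashlib.sha256).digest()
    body = compressed + mac
    ciphertext = _xor(body, _keystream(enc_key, struct.pack(">Q", seq), len(body)))
    # 5-byte record header: content type, version major/minor, body length
    header = struct.pack(">BBBH", APPLICATION_DATA, *SSL3_VERSION, len(ciphertext))
    return header + ciphertext


def open_record(record: bytes, mac_key: bytes, enc_key: bytes, seq: int) -> Optional[bytes]:
    """Reverse seal_record. Returns None if the header, MAC or sequence number
    does not check out, i.e. the record was tampered with or replayed."""
    ctype, major, minor, length = struct.unpack(">BBBH", record[:5])
    if (ctype, (major, minor), length) != (APPLICATION_DATA, SSL3_VERSION, len(record) - 5):
        return None
    body = _xor(record[5:], _keystream(enc_key, struct.pack(">Q", seq), length))
    compressed, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, struct.pack(">QB", seq, ctype) + compressed,
                        hashlib.sha256).digest()
    return zlib.decompress(compressed) if hmac.compare_digest(mac, expected) else None
```

The sequence number in the MAC is what stops a captured record from being replayed in a different position of the stream, which a MAC over the payload alone would not catch.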


SSL Implementation

Implementation was extremely easy
When contacting the web service, just use HTTPS


IPSec

Suite of protocols for securing IP communications by encrypting and/or authenticating each IP packet
Two modes:
  Transport
  Tunnel

[Figure: network stack shown beside the slide: Physical Layer; Data Link (PPP); Network (IP); Transport (TCP); Security (SSL); Application (HTTP)]


IPSec Implementation

Implementation was complex, but not too difficult
Windows 2003 IP Security Policy Manager
  Allows you to create IP Security policies to secure traffic based on IP, protocol, port, etc.
  Can specify the type of encryption (Triple DES, DES, etc.)
  Can specify the type of authentication (Kerberos, Windows, etc.)
  X.509 certificates for key exchange



Test Configuration

Web Service
  Calculated the Fibonacci sequence
  Returned 34 K of data
Web Client
  Called the web service using either SSL, IPSec, WS-Security or nothing
Load Tester
  Simulated 50 concurrent users

Test machines:
Web Service: Windows 2003, IIS 6.0, .NET 2.0, dual Pentium III 1 GHz, 1 GB RAM
Web Client: Windows 2003, IIS 6.0, .NET 2.0, dual Pentium III 1 GHz, 1 GB RAM
Load Tester: Windows XP, Visual Studio 2005 Test Edition, Pentium III 1.5 GHz, 1 GB RAM

[Diagram labels: Default.aspx (Web Client page), Fibonacci.asmx (Web Service endpoint)]


Test Results

[Chart: Avg. Response Time (sec), y-axis 0 to 0.8, series WS-Security, IPSec, SSL, Nothing]
[Chart: Avg. Requests/Sec, y-axis 0 to 70, series WS-Security, IPSec, SSL, Nothing]

Analyzing Traffic using Ethereal

No Security
  37,961 bytes
  46 packets
  Protocols: 2 ARP, 3 HTTP, 41 TCP

SSL
  37,457 bytes
  38 packets
  Protocols: 6 TLS, 32 TCP

IPSec
  40,447 bytes
  43 packets
  Protocols: 10 ISAKMP, 33 ESP (Encapsulating Security Payload), 1 BROWSER

WS-Security
  67,004 bytes
  63 packets
  Protocols: 2 HTTP, 61 TCP




Future Research/Tests

Introduce load balancing
Add authentication mechanisms
Add a third server in-between the client and the service

