Securing Web Services

Curt Marjaniemi

Securing .NET Web Services

1

Securing Web Services

An evaluation of methods for securing web services
introduced in different of the network stack

Curt Marjaniemi

CS522 Semester Project

12/02/06

Curt Marjaniemi

Securing .NET Web Services

2

Agenda

•
Important Security Features When Evaluating
Methods

•
Common Methods for Securing Web Services

•
WS
-
Security

•
SSL

•
IPSec

•
Test Configuration

•
Test Results

•
Analyzing Traffic using Ethereal

•
Future Research/Tests

Curt Marjaniemi

Securing .NET Web Services

3

Important Security Features
When Evaluating Methods

•
Encryption of data

•
Integrity (signing)

•
Non
-
repudiation

Curt Marjaniemi

Securing .NET Web Services

4

Methods Evaluated

•
WS
-
Security

•
IP Security (IPSec)

•
Secure Sockets Layer (SSL)

Curt Marjaniemi

Securing .NET Web Services

5

WS
-
Security

•
Protocol for applying security to
Web Services

•
Originally Developed by IBM,
Microsoft, and VeriSign

•
Contains specifications on how
integrity and confidentiality cab
be enforced

Physical Layer

Data Link (PPP)

Network (IP)

Transport (TCP)

Security (SSL)

Application (HTTP)

Curt Marjaniemi

Securing .NET Web Services

6

WS
-
Security

•
Version 1.1 contain the following
specifications

–
WS
-
SecureConversation

–
WS
-
Federation

–
WS
-
Authorization

–
WS
-
Policy

–
WS
-
Trust

–
WS
-
Privacy

Curt Marjaniemi

Securing .NET Web Services

7

WS
-
Security Implementation

•
Implementation was difficult

•
Microsoft’s Web Service Enhancements
(WSE) 3.0

–
Simplifies development of secure web
services

–
Hides the implementation details of the
WS
-
* specifications

Curt Marjaniemi

Securing .NET Web Services

8

SSL

•
SSL 3.0 most commonly used
version

•
Client and server negotiate a
common secret

•
Each record optionally
compressed, encrypted and
packed with a MAC

•
Supports multiple cryptographic
algorithms, such as Triple DES

Physical Layer

Data Link (PPP)

Network (IP)

Transport (TCP)

Security (SSL)

Application (HTTP)

Curt Marjaniemi

Securing .NET Web Services

9

SSL Implementation

•
Implementation was extremely easy

•
When contacting the web service, just
use HTTPS

Curt Marjaniemi

Securing .NET Web Services

10

IPSec

•
Suite of protocols for
securing IP communications
by encrypting and/or
authenticating each IP
packet

•
Two modes:

–
Transport

–
Tunnel

Physical Layer

Data Link (PPP)

Network (IP)

Transport (TCP)

Security (SSL)

Application (HTTP)

Curt Marjaniemi

Securing .NET Web Services

11

IPSec Implementation

•
Implementation was complex, but not too difficult

•
Windows 2003 IP Security Policy Manager

–
Allows you to create IP Security policies to secure traffic based on
IP, Protocol, Port, etc.

–
Can specify the type of encryption (Triple DES, DES, etc)

–
Can specify the type of authentication (Kerberos, Windows, etc)

–
X.509 certificates for key exchange

Curt Marjaniemi

Securing .NET Web Services

12

Test Configuration

•
Web Service

–
Calculated the Fibonacci sequence

–
Returned 34 K of data

•
Web Client

–
Called the web service using either SSL,
IPSec, WS
-
Security or Nothing

•
Load Tester

–
Simulated 50 concurrent users

Web Service

Windows 2003

IIS 6.0

.NET 2.0

Dual Pentium III 1GHz

1 GB Ram

Web Client

Windows 2003

IIS 6.0

.NET 2.0

Dual Pentium III 1GHz

1 GB Ram

Load Tester

Windows XP

Visual Studio 2005
Test Edition

Pentium III 1.5 GHz

1 GB Ram

Default.aspx

Fibonacci.asmx

Curt Marjaniemi

Securing .NET Web Services

13

Test Results

0
0.2
0.4
0.6
0.8
Avg. Response Time (sec)
WS-Security
IPSec
SSL
Nothing
0
10
20
30
40
50
60
70
Avg. Requests/Sec
WS-Security
IPSec
SSL
Nothing
Curt Marjaniemi

Securing .NET Web Services

14

Analyzing Traffic using Ethereal

•
No Security

–
37,961 bytes

–
46 Packets

–
Protocols

•
2 ARP

•
3 HTTP

•
41 TCP

•
SSL

–
37,457 bytes

–
38 Packets

–
Protocols

•
6 TLS

•
32 TCP

•
IPSec

–
40,447 bytes

–
43 Packets

–
Protocols

•
10 ISAKMP

•
33 ESP (Encapsulating
Security Payload)

•
1 BROWSER

•
WS
-
Security

–
67,004 bytes

–
63 Packets

–
Protocols

•
2 HTTP

•
61 TCP

Curt Marjaniemi

Securing .NET Web Services

15

Future Research/Tests

•
Introduce Load Balancing

•
Add authentication mechanisms

•
Add a third server in
-
between the client
and the service

Curt Marjaniemi

Securing .NET Web Services

16

References

•
Dominick Baier,
Developing More
-
Secure ASP.NET 2.0
Applications
, Microsoft Press

•
Various, WS
-
Security. Retrieved November 25, 2006, from
http://en.wikipedia.org/wiki/WS
-
Security

•
Andrew S. Tanenbaum,
Computer Networks
, Prentice
-
Hall

•
Security in a Web Services World:
A Proposed Architecture and
Roadmap
. Retrieved November 25, 2006 from
http://msdn.microsoft.com/library/default.asp?url=/library/en
-
us/dnwssecur/html/securitywhitepaper.asp

Securing Web Services

Comments 0

Presentation transcript

RESTful Web Services

Web Services for

Internet Information Services (IIS) 6.0 Resource Kit - S3 Tech Training

Network Security Principles and Practices

Open Source Security Tools howlett fm.fm Page i Tuesday, June ...

O'Reilly - Web Security & Commerce

Building Secure ASP.NET Applications

WebSphere Application Server V7.0 Web Services Guide

CentOS Bible

CentOS Bible pdf - EBook Free Download

TCP/IP Tutorial and Technical Overview - Bit-Twist

Improving Web Services Security

HACK PROOFING ColdFusion

Cisco Switch Guide

Why Did I Write This Book?

IBM WebSphere V5.0 Security

Professional Microsoft® IIS 8 - Free

Stay in touch:

Securing Web Services

Comments 0

Presentation transcript

More From insidiousbehavior

Related Content