Curt Marjaniemi
Securing .NET Web Services
Securing Web Services
An evaluation of methods for securing web services introduced in different layers of the network stack
Curt Marjaniemi
CS522 Semester Project
12/02/06

Agenda
• Important Security Features When Evaluating Methods
• Common Methods for Securing Web Services
• WS-Security
• SSL
• IPSec
• Test Configuration
• Test Results
• Analyzing Traffic using Ethereal
• Future Research/Tests

Important Security Features When Evaluating Methods
• Encryption of data
• Integrity (signing)
• Non-repudiation

Methods Evaluated
• WS-Security
• IP Security (IPSec)
• Secure Sockets Layer (SSL)

WS-Security
• Protocol for applying security to Web Services
• Originally developed by IBM, Microsoft, and VeriSign
• Contains specifications on how integrity and confidentiality can be enforced
[Diagram: network stack layers: Physical Layer; Data Link (PPP); Network (IP); Transport (TCP); Security (SSL); Application (HTTP)]

WS-Security
• Version 1.1 contains the following specifications
  – WS-SecureConversation
  – WS-Federation
  – WS-Authorization
  – WS-Policy
  – WS-Trust
  – WS-Privacy

WS-Security Implementation
• Implementation was difficult
• Microsoft’s Web Service Enhancements (WSE) 3.0
  – Simplifies development of secure web services
  – Hides the implementation details of the WS-* specifications

SSL
• SSL 3.0 most commonly used version
• Client and server negotiate a common secret
• Each record optionally compressed, encrypted and packed with a MAC
• Supports multiple cryptographic algorithms, such as Triple DES
[Diagram: network stack layers: Physical Layer; Data Link (PPP); Network (IP); Transport (TCP); Security (SSL); Application (HTTP)]

SSL Implementation
• Implementation was extremely easy
• When contacting the web service, just use HTTPS

IPSec
• Suite of protocols for securing IP communications by encrypting and/or authenticating each IP packet
• Two modes:
  – Transport
  – Tunnel
[Diagram: network stack layers: Physical Layer; Data Link (PPP); Network (IP); Transport (TCP); Security (SSL); Application (HTTP)]

IPSec Implementation
• Implementation was complex, but not too difficult
• Windows 2003 IP Security Policy Manager
  – Allows you to create IP Security policies to secure traffic based on IP, Protocol, Port, etc.
  – Can specify the type of encryption (Triple DES, DES, etc.)
  – Can specify the type of authentication (Kerberos, Windows, etc.)
  – X.509 certificates for key exchange

Test Configuration
• Web Service
  – Calculated the Fibonacci sequence
  – Returned 34 K of data
• Web Client
  – Called the web service using either SSL, IPSec, WS-Security or Nothing
• Load Tester
  – Simulated 50 concurrent users
[Diagram: test machines]
Web Service: Windows 2003, IIS 6.0, .NET 2.0, Dual Pentium III 1GHz, 1 GB RAM
Web Client: Windows 2003, IIS 6.0, .NET 2.0, Dual Pentium III 1GHz, 1 GB RAM
Load Tester: Windows XP, Visual Studio 2005 Test Edition, Pentium III 1.5 GHz, 1 GB RAM
Pages: Default.aspx, Fibonacci.asmx

Test Results
[Chart: Avg. Response Time (sec) for WS-Security, IPSec, SSL, Nothing]
[Chart: Avg. Requests/Sec for WS-Security, IPSec, SSL, Nothing]

Analyzing Traffic using Ethereal
• No Security
  – 37,961 bytes
  – 46 Packets
  – Protocols
    • 2 ARP
    • 3 HTTP
    • 41 TCP
• SSL
  – 37,457 bytes
  – 38 Packets
  – Protocols
    • 6 TLS
    • 32 TCP
• IPSec
  – 40,447 bytes
  – 43 Packets
  – Protocols
    • 10 ISAKMP
    • 33 ESP (Encapsulating Security Payload)
    • 1 BROWSER
• WS-Security
  – 67,004 bytes
  – 63 Packets
  – Protocols
    • 2 HTTP
    • 61 TCP

Future Research/Tests
• Introduce Load Balancing
• Add authentication mechanisms
• Add a third server in-between the client and the service