Security is one of the main issues when deploying Web services in the enterprise. The trade-offs between agent-oriented and appliance architectures lead most security and networking professionals to prefer hardened appliances to optimally secure XML Web services. This white paper discusses the advantages of an appliance over an agent-oriented architecture for Web services security, how cross-platform interoperation is immediate with a hardened appliance, and why Web services security is different from Web server security.
The Secure Web Services Deployment System
The Advantages of a Security Appliance over Agent-oriented Architectures in Web Services Security
While agent-oriented architectures have been successful in areas such as application monitoring, there are many applications where an agent-oriented approach does not provide a feasible or practical solution. A close comparison of the features, performance, and operational efficiency required for scalable Web services security quickly demonstrates that appliances are the lowest-cost and lowest-risk architecture for addressing the challenges facing enterprises.
There are many challenges that a security appliance can best solve in an enterprise deployment of Web services, including:
- The heterogeneous nature of Web services platforms
- Performance requirements for security processing
- The costs and administration of ensuring version and update control
- The conflicts between different organizational teams interacting with the application domain
In all of these cases, a robust security appliance provides a solution that is cost effective, delivers high performance, and contains all the required security functionality. The Reactivity Manager and Reactivity Gateway provide functionality as an appliance which can be managed and operated without changes to applications, application servers, or operational processes.
Only a Security Appliance Can Fully Protect a Web Service
Security for XML Web services is based firmly on emerging standards defining the application of cryptography, identities, and access control. However, the unique characteristics of XML and SOAP create uncompromising demands for thorough threat defense against malicious content and XML denial of service, as well as the need for data security, validation, and extensive mediation. Because an agent resides on the application server, there are several protective security measures it cannot provide, such as detecting and defending against denial of service attacks, hiding the location of the Web service itself, and manipulating transactions at the perimeter to ensure policy compliance. An agent cannot prevent a denial of service attack, because it cannot stop malicious SOAP messages from reaching the application server. An agent cannot obfuscate the location of the Web service, because it is resident on the destination host. An agent cannot enforce a security policy at a perimeter; it can only enforce the policy on a specific server. A policy requiring that transactions contain a SAML assertion before they cross an application boundary cannot be enforced with agents.
Appliance-based XML Web services security infrastructure addresses all these issues. The appliance provides a layer of abstraction for Web services and a security and policy enforcement point across the network.
Reactivity's Gateway provides XML denial of service prevention, XML Virus protection, controlled service disclosure, security, transport protocol and data mediation, and centralized enforcement of security policies.
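As an added illustration (not Reactivity's code and not the Gateway's policy language), the following Python sketch shows the kind of perimeter check the section describes: a SOAP request is bounded in size and nesting depth before it is fully parsed, and is rejected unless its WS-Security header carries a SAML assertion. The namespace URIs are the standard SOAP 1.1, WSS 1.0 and SAML 2.0 ones; the sample messages and the size and depth limits are constructed for the example.

```python
# Hypothetical perimeter policy check; illustrative code, not a vendor product.
import io
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

MAX_BYTES = 64 * 1024   # constructed size bound, applied before any parsing
MAX_DEPTH = 32          # constructed nesting bound against deeply nested XML


def check_perimeter_policy(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a SOAP request arriving at the boundary."""
    if len(raw) > MAX_BYTES:
        return False, "message exceeds size limit"
    # iterparse yields start/end events incrementally, so the depth bound is
    # enforced before a full tree is ever built in memory
    depth = 0
    try:
        for event, _ in ET.iterparse(io.BytesIO(raw), events=("start", "end")):
            depth += 1 if event == "start" else -1
            if depth > MAX_DEPTH:
                return False, "nesting depth exceeds limit"
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    root = ET.fromstring(raw)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return False, "not a SOAP envelope"
    header = root.find(f"{{{SOAP_NS}}}Header")
    sec = header.find(f"{{{WSSE_NS}}}Security") if header is not None else None
    # the policy from the text: no SAML assertion, no crossing the boundary
    if sec is None or sec.find(f"{{{SAML_NS}}}Assertion") is None:
        return False, "missing SAML assertion in WS-Security header"
    return True, "accepted"


# Constructed sample messages (the assertion is a minimal stand-in element).
GOOD = f"""<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsse="{WSSE_NS}" xmlns:saml="{SAML_NS}">
  <s:Header><wsse:Security><saml:Assertion ID="constructed-1"/></wsse:Security></s:Header>
  <s:Body><getQuote symbol="XYZ"/></s:Body>
</s:Envelope>""".encode()
BARE = f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><getQuote/></s:Body></s:Envelope>'.encode()
DEEP = b"<a>" * 40 + b"x" + b"</a>" * 40   # nested past MAX_DEPTH

if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("BARE", BARE), ("DEEP", DEEP)):
        print(name, check_perimeter_policy(msg))
```

The standard-library parser does not cap entity expansion, so an enforcement point handling untrusted XML would add defusedxml or equivalent parser limits on top of these checks.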
Packaged Protection in Hardware Protects the Entire Stack
A software agent can only act on messages that are passed to it through the network stack, the operating system, and the web or application server request queue. An agent cannot recognize and intercept attacks introduced at any of those levels. In addition, an agent leaves the hardening of each of those layers to the security and operations team, an approach that is difficult to apply consistently across all platforms.
A security appliance provides a packaged, "black box" enforcement point where the network drivers, operating system, application, message queue, and core XML processing have been hardened to resist the universe of potential attacks and threats.
Reactivity's Gateway provides an out-of-the-box solution with protection for all layers of the stack, and the capability to update XML Virus definitions and tune protection thresholds.
A Security Appliance is the Only Solution that Can Deliver Acceptable Performance
XML and Web services security is processing intensive. Enforcing a baseline security policy would require a Web services security agent to consume most of the processing power on an application server, or else force the security policy to be reduced to a bare minimum.