Special Advantages, Special Risks
The great advantage of the Internet is that it is universally accessible. Because it consists of thousands of freely-communicating networks all over the world, the Internet provides a communication infrastructure that reaches everyone, an infrastructure that a business can use without significant new capital investment.
Similarly, Internet standards define communication protocols and data formats that enable anyone to make network connections and transmit data, and rely on the fact that their messages will be received and understood.
The universal nature of the Internet enables these unscrupulous users to intercept legitimate communications and connect to others' systems. Similarly, the standardization of Internet protocols and data formats enables them to read, understand, and even forge communications between legitimate users.
XML files so applications running on different systems can successfully pass information back and forth. Web services designed to communicate with partners and customers increasingly use
connections (i.e., HTTP over SSL [HTTPS]) and information in transit. It's important, but not enough. Simply relying on HTTPS creates three problems.
destinations of the XML message. Security tokens can be as simple as a name, IP address, and password; more complex, such as a Public Key Infrastructure (PKI) certificate; or as comprehensive as a SAML assertion.
Finally, SAML is used for user identity assertions and for asserting actions performed by various elements of an enterprise infrastructure. For example, if a Web services security gateway performs the necessary authentication, authorization, encryption, digital signature, and other security functions, it can insert a SAML token that's accepted by a Web service, asserting that it can accept and process the message.
Group predicted in October 2003 that, by 2005, Web services will have reopened 70 percent of the attack paths closed by network security infrastructure.
New XML and Web services expose critical corporate assets to customers and business partners. For example, worms and viruses have the potential to create disastrous business conditions. Combining easy access with human-readable data formats and open integration standards creates an almost irresistible attraction for malicious hackers. Malicious Web services threats typically fall into one of three categories:
An authenticated user obtains access that he should not have to services, data, or other resources. If the service allows the access, the attacker can then collect all accessible confidential data, access sensitive systems, issue dangerous commands, and so on. For example, attackers often use compromised machines to launch attacks on other systems, covering their tracks by using someone else's systems to do their dirty work.
that each authenticated user has access to just the appropriate resources and no others.
A brilliant feature of the Web is that it uses standard ports for all communications, generally port 80 for all HTTP traffic. Port 80 is typically opened to the world, while other ports, such as File Transfer Protocol (FTP), are guarded more closely. The port 80 problem is that viruses and malicious content can be included in innocuous legitimate content and tunneled through port
Content format attack that exploits vulnerabilities in the ways that services read content formats (document types, element names, attribute names, etc.) before they examine the actual content. Web services integration relies upon standards to structure interactions between parties. To exchange information, applications format content in their requests and responses according to supported standards.
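An added example, not part of the original paper: a gateway-style pre-check for the content format attack described above, which bounds document types, element names, attribute names and nesting before the payload reaches the service. The limits, function name and sample message are assumptions chosen for illustration.

```python
import xml.parsers.expat

# Limits are assumptions for illustration; derive real ones from the service's schema.
MAX_BYTES, MAX_DEPTH, MAX_NAME_LEN, MAX_ATTRS = 1_000_000, 32, 64, 16

# Constructed sample message, not taken from the page.
SAMPLE_ORDER = b'<order id="1"><item sku="A1"/><item sku="B2"/></order>'

class FormatViolation(Exception):
    """The message breaks a structural limit or is not well-formed."""

def check_xml_format(data: bytes) -> dict:
    """Stream-parse data, enforcing limits on doctype, names and nesting."""
    if len(data) > MAX_BYTES:
        raise FormatViolation("message too large")
    stats = {"elements": 0, "max_depth": 0}
    depth = 0

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Refuse DTDs outright so no entity or external subset is processed.
        raise FormatViolation("DOCTYPE declarations are not accepted")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > MAX_DEPTH:
            raise FormatViolation("nesting too deep")
        if len(attrs) > MAX_ATTRS:
            raise FormatViolation("too many attributes")
        if any(len(n) > MAX_NAME_LEN for n in (name, *attrs)):
            raise FormatViolation("element or attribute name too long")
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], depth)

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise FormatViolation(f"not well-formed: {exc}") from exc
    return stats
```

Calling `check_xml_format(SAMPLE_ORDER)` returns the element count and maximum depth; any violation raises `FormatViolation` before the message body is handed to application code.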