
Re: [service-orientated-architecture] Greenfield on Adolescent WS

  • Anne Thomas Manes
    Message 1 of 29 , May 30, 2006
      As Anil indicated, security should not be implemented just using a framework. An organization should implement a comprehensive security infrastructure, which comprises frameworks, mediation systems, shared services, and policy-oriented management and control. (I recommend using a combination of XML gateways and a SOA management system. I don't recommend using the built-in WSS frameworks in web services platforms.)

      An organization should provide training to all folks involved on how to effectively use the security infrastructure, and it should institute governance processes to ensure that security is properly implemented and configured in every application or service before it is promoted to production. I also agree with Andrew that security must be considered at every step in the SDLC -- starting at the requirements stage.

      If you leave security to the whim of the developer, then security is going to be a significant challenge. But security for web services is no more difficult than security for any distributed computing environment. In fact, it might be easier, because products like XML gateways and SOA management can simplify and externalize most of the effort. They even make it relatively simple to integrate with legacy systems that implement proprietary authN and authZ schemes.

      Anne

      On 5/30/06, Dan Creswell <dan@...> wrote:
      Andrew S. Townley wrote:

      [snip]

      > Until everyone considers security at every step of delivering software,
      > security will remain an issue, and the only way it won't be hard anymore
      > is the same way riding a bicycle isn't hard after you've been doing it
      > for a few years.  I don't think we're there yet, and that's why I made
      > the comment I did earlier.
      >

      +1


      Security is notoriously application/service/platform specific and
      doesn't respond well to the framework/standardization approach so often
      applied.

      Note that many services have their own internal authorization models
      (custom permissions etc) which can also be difficult to implement
      appropriately.

      Sure a framework can get you a certain minimum level of security but, if
      you need serious security, this won't cut it.  You'll need to go through
      the entire stack, hardware up and that requires some smart people with
      big knowledge.

      Cheers,

      Dan.









    • Dan Creswell
      Message 2 of 29 , May 30, 2006
        Anne Thomas Manes wrote:
        > As Anil indicated, security should not be implemented just using a
        > framework. An organization should implement a comprehensive security
        > infrastructure, which comprises frameworks, mediation systems, shared
        > services, and policy-oriented management and control. (I recommend using
        > a combination of XML gateways and a SOA management system. I don't
        > recommend using the built-in WSS frameworks in web services platforms.)
        >

        But before doing any of that, they should be doing threat analysis to
        determine just what kind of security they need and where which will then
        drive what they decide to do.

        > An organization should provide training to all folks involved on how to
        > effectively use the security infrastructure, and it should institute
        > governance processes to ensure that security is properly implemented and
        > configured in every application or service before it is promoted to
        > production. I also agree with Andrew that security must be considered at
        > every step in the SDLC -- starting at the requirements stage.
        >
        > If you leave security to the whim of the developer, then security is
        > going to be a significant challenge. But security for web services is no

        So I agree re: developers but can you explain more of your thinking
        behind that statement? Where do you think this knowledge is held? Which
        people would you expect to have the necessary skills and influence to
        make this work?

        > more difficult than security for any distributed computing environment.
        > In fact, it might be easier, because products like XML gateways and SOA
        > management can simplify and externalize most of the effort. They even
        > make it relatively simple to integrate with legacy systems that
        > implement proprietary authN and authZ schemes.
        >

        I may be misunderstanding but I've yet to see a successful security
        infrastructure that worked through centralization/externalization into a
        set of products save for a few trivial cases. For example, these
        products don't really help much with issues such as trojan horses or
        back doors - of course that's not a concern for all establishments.

        As I said, real security is a cross-cutting issue that can't be
        centralized. It requires across the board work on OS configuration,
        hardware access, software implementation etc. It's typically achieved
        through a set of inter-locking behaviours (human and computer) that in
        combination provide security.

        For example, authentication is fine as a mechanism but if you're passing
        the information in plain-text you're wasting your time.

        Dan.
      • patrickdlogan
        Message 3 of 29 , May 30, 2006
          >> products like XML gateways and SOA management can simplify and
          >> externalize most of the effort. They even make it relatively simple
          >> to integrate with legacy systems that implement proprietary authN
          >> and authZ schemes.
          >
          > I may be misunderstanding but I've yet to see a successful security
          > infrastructure that worked through centralization/externalization
          > into a set of products save for a few trivial cases.

          I agree. I mean, I think I disagree that XML gateways move "most of
          the effort" out of the business logic per se, neither does it become
          "relatively simple". XML gateways do "in transit" kinds of things,
          i.e. they can translate, route, wrap, and unwrap. That can be
          difficult in itself. There is still a need for security, identity,
          roles, etc. in the business logic per se that requires a good bit of
          effort.

          -Patrick
        • Gregg Wonderly
          Message 4 of 29 , May 30, 2006
            Andrew S. Townley wrote:
            > > Those standards provide enough protection to ensure Web services
            > > security across the Internet. "Security really shouldn't be a major
            > > issue anymore. It's not hard to make Web services secure," writes Anne
            > > Thomas Maines, vice president and research director of application
            > > platform strategies at the Burton Group, in an IM.>>
            >
            > Anne, I'm surprised you would say this sort of thing. Just because we
            > have specifications for implementing secure Web services doesn't mean
            > that the average developer knows how to implement a secure Web service
            > (or any other type of secure service for that matter).

            The other day, I made my linux box secure in about 20 seconds. That's pretty
            fast I think. I just typed "shutdown -h now" and hit return :-) Seriously,
            it's easy to allow no access. It's much harder to allow the right access.

            Gregg Wonderly
          • Anil John
            Message 5 of 29 , May 30, 2006
              > But before doing any of that, they should be doing threat
              > analysis to determine just what kind of security they need
              > and where which will then drive what they decide to do.

              Agreed.. Developing a threat model that identifies vulnerabilities so that
              you can come up with countermeasures that mitigate them is critically
              important for any app, and not just for a web service. BTW, WS-I has a good
              document @
              http://www.ws-i.org/Profiles/BasicSecurity/SecurityChallenges-1.0.pdf that
              provides a great starting point identifying web service security challenges.

              >> If you leave security to the whim of the developer, then security is
              >> going to be a significant challenge. But security for web services is no

              >So I agree re: developers but can you explain more of your thinking
              >behind that statement? Where do you think this knowledge is held? Which
              >people would you expect to have the necessary skills and influence to
              >make this work?

              The security architects in your organization. If such a person or persons do
              not exist, in the organization whose primary responsibility is Security, NOT
              development. They must work with the DEVs, but their focus is Security and
              not development.

              >set of products save for a few trivial cases. For example, these
              >products don't really help much with issues such as trojan horses or
              >back doors - of course that's not a concern for all establishments.

              No single product will ever address all concerns, which is why it is
              important to have a defense in depth mentality with the right
              tools/practices/technologies addressing each of the threats that were
              identified as part of your threat model.

              >As I said, real security is a cross-cutting issue that can't be
              >centralized.

              I guess this is where we have to agree to disagree. I think it is important
              to centralize the security infrastructure precisely because it is a
              cross-cutting concern and as such the only way to **consistently apply** it
              across the board is to centralize the policy and guidance around security
              implementation.

              Regards,

              - Anil
            • Anil John
              Message 6 of 29 , May 30, 2006
                >I mean, I think I disagree that XML gateways move "most of
                >the effort" out of the business logic per se, neither does it become
                >"relatively simple". XML gateways do "in transit" kinds of things,
                >i.e. they can translate, route, wrap, and unwrap. That can be
                >difficult in itself. There is still a need for security, identity,
                >roles, etc. in the business logic per se that requires a good bit of
                >effort.

                Implementation of a solid SOA Security Infrastructure is dependent on many
                things that Enterprises have put into place before SOA came along, such as
                Identity Management and PKI Infrastructure.

                The attraction that an XML Security Gateway holds for me is twofold:

                1) It is a "Gateway" to my services; As such it is a single point of policy
                enforcement (Of course, it is incumbent on me as I build out my
                infrastructure, to make sure that it is not a single point of failure by
                load balancing/clustering them)
                2) While I could do certain things such as digital signature checking, xml
                schema validation etc. using my Java/.NET service platform, off-loading
                those types of tasks to a hardware device such as an XML Security Gateway
                provides me with a significant increase in performance.

                Regards,

                - Anil
              • Anne Thomas Manes
                Message 7 of 29 , May 31, 2006
                  In response to my post yesterday on implementing a comprehensive security infrastructure, Dan said:

                  > But before doing any of that, they should be doing threat analysis to
                  > determine just what kind of security they need and where which will then
                  > drive what they decide to do.

                  Before attempting to do a threat analysis of an individual service or application, the security program office must provide guidance on how to do threat assessments, and what mitigation strategies should be applied based on the results of a threat assessment. The security program office should also provide frameworks that make it as easy as possible for developers to then implement those mitigation strategies. The frameworks in turn use the comprehensive security infrastructure to secure the systems in compliance with the policies defined.

                  A security infrastructure should rely on layered defenses -- a combination of perimeter layer and identity and access layer policy enforcement points (PEP). The perimeter layer (DMZ, firewalls, proxy servers, VPNs, etc) provides identity-independent protection, typically based on location, form, or content. The identity and access layer PEPs control access based on identity, transaction state, or application content.

                  Many organizations deploy an XML gateway in the DMZ as a centralized identity and access layer PEP. I also recommend using XML gateways as an intermediary PEP for internal communications. As Anil says, it's useful to offload expensive processing functions to these appliances, like validation, transformation, encryption, and signature processing. They are also very useful for doing credential mapping, enabling relatively easy cross-domain integration. I recommend using a SOA management system (e.g., Actional or AmberPoint) to implement endpoint-based PEPs. These PEPs should be responsible for auditing and authorization.

                  Note that both types of products support any type of XML messaging (POX, RSS, SOAP, ebXML, etc). If you are using SOAP, they fully support WS-Security.

                  Anne

                  On 5/30/06, Anil John <aniltj@...> wrote:
                  >I mean, I think I disagree that XML gateways move "most of
                  >the effort" out of the business logic per se, neither does it become
                  >"relatively simple". XML gateways do "in transit" kinds of things,
                  >i.e. they can translate, route, wrap, and unwrap. That can be
                  >difficult in itself. There is still a need for security, identity,
                  >roles, etc. in the business logic per se that requires a good bit of
                  >effort.

                  Implementation of a solid SOA Security Infrastructure is dependent on many
                  things that Enterprises have put into place before SOA came along, such as
                  Identity Management and PKI Infrastructure.

                  The attraction that an XML Security Gateway holds for me is twofold:

                  1) It is a "Gateway" to my services; As such it is a single point of policy
                  enforcement (Of course, it is incumbent on me as I build out my
                  infrastructure, to make sure that it is not a single point of failure by
                  load balancing/clustering them)
                  2) While I could do certain things such as digital signature checking, xml
                  schema validation  etc. using my Java/.NET service platform, off-loading
                  those types of tasks to a hardware device such as an XML Security Gateway
                  provides me with a significant increase in performance.

                  Regards,

                  - Anil










                • patrickdlogan
                  Message 8 of 29 , May 31, 2006
                    > Implementation of a solid SOA Security Infrastructure is...

                    And so I think we are in agreement. A "gateway" can translate, wrap,
                    unwrap, and route. But there is a boatload of things that gateways
                    cannot do.

                    What? Do you sell a gateway or something?

                    -Patrick
                  • Gregg Wonderly
                    Message 9 of 29 , May 31, 2006
                      Anil John wrote:
                      > 2) While I could do certain things such as digital signature checking, xml
                      > schema validation etc. using my Java/.NET service platform, off-loading
                      > those types of tasks to a hardware device such as an XML Security Gateway
                      > provides me with a significant increase in performance.

                      So what about the path between the XML-SG and your application. How do you
                      secure that and the involved network? How do you limit what administrators can
                      do there and how do you ensure identity of management access in that domain?

                      Gregg Wonderly
                    • Anne Thomas Manes
                      Message 10 of 29 , May 31, 2006
                        I'm an analyst. I sell research, not software products. (Intel, on the other hand does sell a gateway.)

                        I agree that XML gateways can't do everything, but I view mediation systems as an essential component of service infrastructures, and XML gateways have an advantage over other mediation systems in that they offer significantly better performance than software-based mediators. But also note that my recommendation is to use gateways in combination with SOA management.

                        Anne

                        On 5/31/06, patrickdlogan <patrick.d.logan@...> wrote:
                        > Implementation of a solid SOA Security Infrastructure is...

                        And so I think we are in agreement. A "gateway" can translate, wrap,
                        unwrap, and route. But there is a boatload of things that gateways
                        cannot do.

                        What? Do you sell a gateway or something?

                        -Patrick














                      • patrickdlogan
                        Message 11 of 29 , May 31, 2006
                          > I'm an analyst. I sell research, not software products. (Intel, on
                          > the other hand does sell a gateway.)

                          Yes, the Sarvega products. They are pretty good, from what I've seen
                          of them, as far as they go.

                          > I agree that XML gateways can't do everything, but I view mediation
                          > systems as an essential component of service infrastructures, and
                          > XML gateways have an advantage over other mediation systems in that
                          > they offer significantly better performance than software-based
                          > mediators. But also note that my recommendation is to use gateways
                          > in combination with SOA management.

                          I think we are in basic agreement on these points. But my real issue
                          is with any claim expressed or inferred on my part that these are
                          sufficient and that these move all security issues out of the service
                          implementations per se. There is still a lot of hard work necessary in
                          some of many of these service implementations.

                          -Patrick
                        • Anil John
                          Message 12 of 29 , May 31, 2006
                            >But there is a boatload of things that gateways cannot do.
                             
                            Not disagreeing with you on this point. But there are a boatload of things that they do well as well.
                             
                            >What? Do you sell a gateway or something?
                             
                            No. I am an implementer who is neck deep in evaluating and deploying products/technologies that do mediation (as one component of a SOA infrastructure). Given the overlap in functionality between this category of products and the service platforms themselves, I am trying to find the best way to partition tasks across them taking into account security, performance, manageability and a host of other factors.
                             
                            Regards,
                             
                            - Anil


                             
                            On 5/31/06, patrickdlogan <patrick.d.logan@...> wrote:
                            > Implementation of a solid SOA Security Infrastructure is...

                            And so I think we are in agreement. A "gateway" can translate, wrap,
                            unwrap, and route. But there is a boatload of things that gateways
                            cannot do.

                            What? Do you sell a gateway or something?


                            -Patrick


                          • Anil John
                            Message 13 of 29 , May 31, 2006
                              On 5/31/06, Gregg Wonderly <gergg@...> wrote:
                              >So what about the path between the XML-SG and your application
                               
                              An option to consider for that would be 2-Way SSL for data in transit protection and machine-to-machine authentication.
                               
                              >How do you limit what administrators can
                              >do there and how do you ensure identity of
                              >management access in that domain?
                               
                              By making sure that processes are in place to assure that one has competent, well trained and hopefully trustworthy individuals who are doing the administration and putting in place a solid auditing/logging functionality :-)
                               
                              Regards,
                               
                              - Anil
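
Added example, not part of the original thread or any poster's code: one way the "2-Way SSL" link between an XML gateway and the application behind it could be set up with Python's `ssl` module (TLS is used here as SSL's successor). The host name, the file-path parameters and the sample certificate dictionaries are constructed assumptions; the identity check after the handshake is included because a certificate from the internal CA alone does not prove the caller is the gateway.

```python
import ssl

# Assumption: DNS name carried in the gateway's client certificate (constructed).
GATEWAY_SAN = "xml-gw.internal.example"


def backend_server_context(ca_file=None, cert_file=None, key_file=None):
    """TLS context for the application that sits behind the gateway."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # "Two-way": the handshake fails unless the caller presents a certificate
    # that chains to a CA loaded below. No system CAs are trusted by default.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # internal CA only
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)    # the backend's own identity
    return ctx


def gateway_client_context(ca_file=None, cert_file=None, key_file=None):
    """TLS context the gateway uses when it calls the backend."""
    # PROTOCOL_TLS_CLIENT already enables certificate and host-name checks,
    # which is what stops an impersonated backend on the internal network.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)    # the gateway's client cert
    return ctx


def peer_dns_names(peer_cert):
    """DNS subjectAltName entries from the dict SSLSocket.getpeercert() returns."""
    return {value for kind, value in peer_cert.get("subjectAltName", ())
            if kind == "DNS"}


def caller_is_gateway(peer_cert, expected=GATEWAY_SAN):
    """Authorise the authenticated peer: only the gateway may call the backend.

    Any host holding a certificate from the internal CA passes the handshake,
    so the backend still has to compare the presented identity.
    """
    if not peer_cert:            # None or {}: no validated certificate
        return False
    return expected in peer_dns_names(peer_cert)


# Constructed samples in the shape getpeercert() returns after a handshake.
SAMPLE_GATEWAY_CERT = {
    "subject": ((("commonName", "xml-gw"),),),
    "subjectAltName": (("DNS", "xml-gw.internal.example"),),
}
SAMPLE_OTHER_HOST_CERT = {
    "subject": ((("commonName", "batch-07"),),),
    "subjectAltName": (("DNS", "batch-07.internal.example"),),
}

# Typical use on the backend once a connection is accepted:
#   conn = backend_server_context(ca, crt, key).wrap_socket(sock, server_side=True)
#   if not caller_is_gateway(conn.getpeercert()):
#       conn.close()
```
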
                            • patrickdlogan
                              Message 14 of 29 , May 31, 2006
                                > I am trying to find the best way to partition tasks across them
                                > taking into account security, performance, manageability and a host
                                > of other factors.

                                Ah, thanks. That will be valuable information.

                                -Patrick
                              • Andrew S. Townley
                                Message 15 of 29 , Jun 1, 2006
                                  Funny you should mention this, because on Tuesday after this started, I
                                  got to thinking about this very topic. It took me longer than I
                                  expected (real work got in the way a few times... :), but I've pulled
                                  together what I consider to be some of the issues and considerations if
                                  you were going to use one of these critters in anger.

                                  Comments, flames, etc. appreciated.

                                  http://atownley.org/2006/06/are-xml-gateways-really-the-answer/

                                  ast

                                  On Wed, 2006-05-31 at 19:57, patrickdlogan wrote:
                                  > > I am trying to find the best way to partition tasks across them
                                  > > taking into account security, performance, manageability and a host
                                  > > of other factors.
                                  >
                                  > Ah, thanks. That will be valuable information.
                                  >
                                  > -Patrick
                                • patrickdlogan
                                  Message 16 of 29 , Jun 1, 2006
                                    > Comments, flames, etc. appreciated.
                                    >
                                    > http://atownley.org/2006/06/are-xml-gateways-really-the-answer/

                                    It looks useful. And prolific. It's on my list.

                                    -Patrick
                                  • Gregg Wonderly
                                    Message 17 of 29 , Jun 1, 2006
                                      Anil John wrote:
                                      > On 5/31/06, Gregg Wonderly <gergg@...> wrote:
                                      >
                                      >> So what about the path between the XML-SG and your application
                                      >
                                      > An option to consider for that would be 2-Way SSL for data in transit
                                      > protection and machine-to-machine authentication.

                                      Yes, that can work as long as you avoid man in the middle attacks...

                                      >> How do you limit what administrators can
                                      >> do there and how do you ensure identity of
                                      >> management access in that domain?
                                      >
                                      > By making sure that processes are in place to assure that one has
                                      > competent, well trained and hopefully trustworthy individuals who are doing
                                      > the administration and putting in place a solid auditing/logging
                                      > functionality :-)

                                      That's probably okay for the mom-and-pop web shop, but what about billing or
                                      other monetary or highly secure environments? Wouldn't you want to make sure
                                      that all of your services provided secure management endpoints that included
                                      true authentication?

                                      Gregg Wonderly
                                    • Stefan Tilkov
                                      Message 18 of 29 , Jun 2, 2006
                                        On Jun 2, 2006, at 12:47 AM, patrickdlogan wrote:

                                        >> Comments, flames, etc. appreciated.
                                        >>
                                        >> http://atownley.org/2006/06/are-xml-gateways-really-the-answer/
                                        >
                                        > It looks useful. And prolific. It's on my list.
                                        >
                                        > -Patrick
                                        >

                                        I've turned it into a news item:
                                        http://www.infoq.com/news/Are-XML-Gateways-The-Answer
                                        Which gives me a good chance to plug "InfoQ" ;-) Find out more here:
                                        http://www.infoq.com/news/InfoQ-Unlaunched

                                        Best regards,
                                        Stefan


                                      • Anil John
                                        Message 19 of 29 , Jun 2, 2006
                                          Gregg,
                                           
                                          >>> So what about the path between the XML-SG and your application
                                          >>
                                          >> An option to consider for that would be 2-Way SSL for data in transit
                                          >> protection and machine-to-machine authentication.

                                          > Yes, that can work as long as you avoid man in the middle attacks...

                                          The point of 2-Way SSL is not just protection of data in transit, but strong mutual authentication (at the machine level), which is one of the ways that you mitigate this type of attack. I am probably missing something in your question.. BTW, you did mean Digital Signature by "XML-SG" right? Also, keep in mind that the Gateway does not strip off the Signature.. You can also verify it further in.
                                           
                                          > other monetary or highly secure environments? Wouldn't you want to make sure
                                          > that all of your services provided secure management endpoints that included
                                          > true authentication?

                                          Certainly. I would make sure that all of my endpoints have a PEP. Depending on how that PEP is implemented would determine how I manage it. e.g. If that PEP was implemented in software by the service platform, it would make things a lot more complex. The XML Security Gateway really does not do anything for me at the endpoints.
                                           
                                          Regards,
                                           
                                          - Anil
                                        • Gregg Wonderly
                                          Message 20 of 29 , Jun 3, 2006
                                            Anil John wrote:
                                            >>Yes, that can work as long as you avoid man in the middle attacks...
                                            >
                                            > The point of 2-Way SSL is not just protection of data in transit, but strong
                                            > mutual authentication (at the machine level), which is one of the ways that
                                            > you mitigate this type of attack. I am probably missing something in your
                                            > question.. BTW, you did mean Digital Signature by "XML-SG" right? Also,
                                            > keep in mind that the Gateway does not strip off the Signature.. You can
                                            > also verify it further in.

                                            People with the knowledge of being in that environment have extra opportunities
                                            to be the man in the middle. Mutual authentication with SSL implies that the
                                            two machines on each end are the only machines in the network path which know
                                            each other... I'm suggesting that there is a certain level of paranoia which is
                                            healthy to maintain about security. And no, I would not say that XML-SG is what
                                            I mean by digital-signature. I don't use XML over the wire...

                                            > Certainly. I would make sure that all of my endpoints have a PEP. Depending
                                            > on how that PEP is implemented would determine how I manage it. e.g. If that
                                            > PEP was implemented in software by the service platform, it would make
                                            > things a lot more complex. The XML Security Gateway really does not do
                                            > anything for me at the endpoints.

                                            This is my point. You can put in all these devices that defend you from the
                                            world, but you still need to defend yourself from internal attacks. Once you've
                                            done that, there's often no direct advantage to these devices. The only reason
                                            that these devices seem useful is if you've chosen XML and a 3rd party platform
                                            which provides you limited control over endpoint management and security at the
                                            service.

                                            Gregg Wonderly
                                          • Anil John
                                            Message 21 of 29 , Jun 3, 2006
                                              >I don't use XML over the wire...
                                               
                                              Gregg, of your perspective on that subject, I am very aware :-)
                                               
                                              > would not say that XML-SG is what I mean by digital-signature
                                               
                                              Never mind... Bit slow to catch up, but I figured out that you meant to shorten "XML Security Gateway".
                                               
                                              >only reason that these devices seem useful is if you've chosen XML
                                               
                                              I have chosen XML and this discussion has centered on web services security.
                                               
                                              > This is my point. You can put in all these devices that defend you from the
                                              > world, but you still need to defend yourself from internal attacks.
                                               
                                              I, for one, have no disagreements with you on this point. In fact, I am in violent agreement!
                                               
                                              It would appear that the initial focus of this discussion thread has veered off-course (Not a new thing for this list). As noted in my initial response (which was a reply to a comment that the existing web service security standards are not mature enough), I believe that the current web service security standards are mature enough for building a defense-in-depth implementation of a web service security infrastructure. I also believe that in implementing this defense-in-depth strategy, at the current stage of technology, an XML Security Gateway does have a role (There are others who disagree.. C'est la vie). There are other processes and mechanisms that need to be put in place to fully implement this at the Network, Host and Application levels so that security is considered in a holistic manner and not as a bolt-on. Again very true and is something I am fully in agreement with.
                                               
                                              Regards,
                                               
                                              - Anil