ebook img

Security for Service Oriented Architectures PDF

336 Pages·2014·5.175 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Security for Service Oriented Architectures

Security for Service Oriented Architectures OTHER INFORMATION SECURITY BOOKS FROM AUERBACH Advances in Biometrics for Secure Human Intrusion Detection Networks: Authentication and Recognition A Key to Collaborative Security Dakshina Ranjan Kisku, Phalguni Gupta, Carol Fung and Raouf Boutaba and Jamuna Kanta Sing (Editors) ISBN 978-1-4665-6412-1 ISBN 978-1-4665-8242-2 Iris Biometric Model for Secured Anonymous Communication Networks: Network Access Protecting Privacy on the Web Franjieh El Khoury Kun Peng ISBN 978-1-4398-8157-6 ISBN 978-1-4665-0213-0 Automatic Defense Against Zero-day Managing Risk and Security in Outsourcing Polymorphic Worms in Communication IT Services: Onshore, Offshore and the Cloud Networks Frank Siepmann Mohssen Mohammed and Al-Sakib Khan Pathan ISBN 978-1-4398-7909-2 ISBN 978-1-4665-5727-7 PCI Compliance: The Definitive Guide Conflict and Cooperation in Cyberspace: Abhay Bhargav The Challenge to National Security ISBN 978-1-4398-8740-0 Panayotis A. Yannakogeorgos and Adam B. Lowther ISBN 978-1-4665-9201-8 Responsive Security: Be Ready to Be Secure Conducting Network Penetration and Meng-Chow Kang Espionage in a Global Environment ISBN 978-1-4665-8430-3 Bruce Middleton Security and Privacy in Smart Grids ISBN 978-1-4822-0647-0 Yang Xiao Core Software Security: ISBN 978-1-4398-7783-8 Security at the Source Security for Service Oriented Architectures James Ransome and Anmol Misra ISBN 978-1-4665-6095-6 Walter Williams ISBN 978-1-4665-8402-0 Data Governance: Creating Value from Information Assets Security without Obscurity: A Guide to Neera Bhansali Confidentiality, Authentication, and Integrity ISBN 978-1-4398-7913-9 J.J. Stapleton Developing and Securing the Cloud ISBN 978-1-4665-9214-8 Bhavani Thuraisingham The Complete Book of Data Anonymization: ISBN 978-1-4398-6291-9 From Planning to Implementation Effective Surveillance for Homeland Security: Balaji Raghunathan Balancing Technology and Social Issues ISBN 978-1-4398-7730-2 Francesco Flammini, Roberto Setola, and Giorgio Franceschetti The Frugal CISO: Using Innovation and ISBN 978-1-4398-8324-2 Smart Approaches to Maximize Your Enterprise Architecture and Information Security Posture Assurance: Developing a Secure Foundation Kerry Ann Anderson James A. Scholz ISBN 978-1-4822-2007-0 ISBN 978-1-4398-4159-4 The State of the Art in Intrusion Prevention Information Security Fundamentals, and Detection Second Edition Al-Sakib Khan Pathan Thomas R. Peltier ISBN 978-1-4822-0351-6 ISBN 978-1-4398-1062-0 Trade Secret Theft, Industrial Espionage, Intrusion Detection in Wireless Ad-Hoc Networks and the China Threat Nabendu Chaki and Rituparna Chakiv Carl Roper ISBN 978-1-4665-1565-9 ISBN 978-1-4398-9938-0 AUERBACH PUBLICATIONS www.auerbach-publications.com • To Order Call: 1-800-272-7737 • E-mail: [email protected] Security for Service Oriented Architectures Walter Williams CRC Press Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2014 by Taylor & Francis Group, LLC CRC Press is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S. Government works Version Date: 20140404 International Standard Book Number-13: 978-1-4665-8404-4 (eBook - PDF) This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, micro- filming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www. copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750- 8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identi- fication and explanation without intent to infringe. Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com Contents Preface ix In GratItude xi chaPter 1 IntroductIon 1 chaPter 2 four KInds of archItectures 3 2.1 Architecture 3 2.2 infrastructure 4 2.3 Software Architectures 9 2.3.1 Key Principles 10 2.3.2 Presentation Layer 13 2.3.3 Business Layer 15 2.3.4 Data Layer 16 2.3.5 Workflow 19 2.3.6 Communications and Messaging 20 2.3.7 Service Layer 21 2.4 Service-Oriented Architecture 22 2.4.1 Distributed Computing and Services 23 2.4.2 Process-Oriented SOA 25 2.4.3 Web Services or an Externally Focused SOA 27 2.4.4 Enterprise Service Bus 30 2.5 Security Architecture 30 2.5.1 Construction of a Security Architecture 33 2.5.2 Risk Management 34 2.5.3 Organization and Management 36 2.5.4 Third Parties 37 2.5.5 Asset Management 38 v vi Contents 2.5.6 information Classification 39 2.5.7 identity Management 41 2.5.8 Security Awareness and Training 44 2.5.9 Physical Security 44 2.5.10 Communications and Operations Management 45 2.5.11 Perimeters and Partitioning 46 2.5.12 Access Control 48 2.5.13 Authentication 48 2.5.14 Authorization 50 2.5.15 Separation of Duties 51 2.5.16 Principles of Least Privilege and Least Authority 51 2.5.17 Systems Acquisition, Development, and Maintenance 52 2.5.18 Confidentiality Models 52 2.5.18.1 Lattice Models 52 2.5.19 Nonrepudiation 53 2.5.20 integrity Models 53 2.5.21 Service Clark–Wilson integrity Model 54 2.5.22 Security Assessments and Audits 58 2.5.23 incident Management 58 2.5.24 Business Continuity 59 2.5.25 Compliance 60 2.6 Data Architectures 61 chaPter 3 ImPlementInG and securInG soa 65 3.1 Web Services 65 3.2 Extensible Markup Language 66 3.2.1 Signing xML 68 3.2.1.1 xML Digital Signature 68 3.2.2 xML Encryption 74 3.2.3 Key Management 79 3.2.3.1 Key information 79 3.2.3.2 Location 79 3.2.3.3 Validation 80 3.2.3.4 Binding 80 3.2.3.5 Key Registration 80 3.2.4 xML and Databases 82 3.2.4.1 A Database Query Language for xML 82 3.2.4.2 xML Databases 83 3.2.5 UDDi 83 3.2.6 WSDL 84 3.3 SOAP 87 3.3.1 SOAP Roles and Nodes 89 3.3.2 SOAP Header Blocks 90 3.3.3 SOAP Fault 90 3.3.4 SOAP Data Model 91 3.3.5 SOAP Encoding 91 Contents vii 3.3.6 Bindings 92 3.3.7 Documents and RPC 93 3.3.8 Messaging 95 3.4 WS-Security 99 3.4.1 WS-Trust 107 3.4.2 WS-Policy 116 3.4.3 WS-SecureConversation 129 3.4.4 WS-Privacy and the P3P Framework 133 3.4.4.1 POLiCiES 135 3.4.5 WS-Federation 144 3.4.5.1 Pseudonyms 153 3.4.5.2 Authorization 162 3.4.6 Authorization without WS-Federation 173 3.4.7 WS-Addressing 178 3.4.8 WS-ReliableMessaging 183 3.4.9 WS-Coordination 191 3.4.10 WS-Transaction 193 3.5 SAML 195 3.5.1 Assertions 197 3.5.2 Protocol 205 3.5.2.1 Assertion Query and Request Protocol 207 3.5.2.2 Authentication Request Protocol 209 3.5.2.3 Artifact Resolution Protocol 212 3.5.2.4 N ame identifier Management Protocol 212 3.5.2.5 Single-Logout Protocol 213 3.5.2.6 Name identifier Mapping Protocol 214 3.5.3 Authentication Context 214 3.5.4 Bindings 218 3.5.5 Profiles 226 3.5.6 Metadata 229 3.5.7 Versions 240 3.5.8 Security and Privacy Considerations 241 3.6 Kerberos 244 3.7 x509v3 Certificates 246 3.8 OpeniD 246 chaPter 4 Web 2.0 249 4.1 HTTP 249 4.2 REST 250 4.3 WebSockets 251 chaPter 5 other soa Platforms 253 5.1 DCOM 253 5.2 CORBA 253 5.3 DDS 254 viii Contents 5.4 WCF 255 5.5 .Net Passport, Windows LiveiD 256 5.6 WS-BPEL 257 chaPter 6 audItInG servIce-orIented archItectures 271 6.1 Penetration Testing 272 6.1.1 Reconnaissance 272 6.1.2 injection Attacks 277 6.1.3 Attacking Authentication 278 6.1.4 Attacking Authorization 284 6.1.5 Denial-of-Service Attacks 286 6.1.6 Data integrity 286 6.1.7 Malicious Use of Service or Logic Attacks 288 6.1.8 Poisoning xML Schemas 289 chaPter 7 defendInG and detectInG attacKs 291 7.1 SSL/TLS 291 7.2 Firewalls, iDS, and iPS 294 chaPter 8 archItecture 297 8.1 Example 1 297 8.2 Example 2 300 8.3 Example 3 305 8.4 Example 4 307 bIblIoGraPhy 317 Index 323 Preface As applications become more complex and distributed, it is increasingly important that security be considered during the design phases. While there are a lot of books and articles on point solutions that would flow from this integration, such as threat profiling and how to block injec- tion attacks, there is more to consider in the design of an application than how to leverage some of the excellent tools that have been devel- oped to enhance the security of our applications. Applications, especially those that are distributed across corporate boundaries, benefit from being developed within a comprehensive design or an architecture. While there is a lot of literature on how to develop these software architectures and service-oriented architec- tures (SOAs), their treatment of security is focused on the use of tools within the architecture. information security also benefits from an architecture. However, traditional security architectures are most often focused on infra- structure and consider software as no more than applications that require integration into the policies and standards of an organization, leveraged within approved procedures. This volume seeks to provide both security and software architects with a bridge between these two architectures, with the goal of pro- viding a means to develop software architectures that leverage secu- rity architectures. ix

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.