WS-FIREWALLS Facts

This document provides facts related to WS-FIREWALLS for use in the written part of my diploma thesis.

General

  • Web Services mostly use ordinary HTTP traffic (port 80) ("SOAP bypasses firewalls")
  • Protects computer systems against intrusion
  • Intermediate station between untrusted hosts and the internal network
  • Located in the DMZ (demilitarized zone)
  • Place for web servers, mail servers, DNS
  • a challenge is to ensure that the firewall rules are in sync with the Web Services themselves - and it seems obvious that UDDI and WSDL should be used for this purpose
  • a challenge is to ensure that only permitted traffic travels out of the network to third-party Web Services (This is the natural evolution of firewall functionality, which began at the network layer and has been "climbing the ladder" of the OSI stack ever since.)

Facts?

Article found | Fact
Die Sicherheit hinkt der Funktionalität hinterher ("Security lags behind functionality") (11/2002)
  • [...] Christian Emmerich, chief security consultant at IBM Global Services, therefore encourages the development of special SOAP firewalls. [...] But for that one has to look into the transmitted payload, which requires a relatively complete MIME and XML parser [...] So the whole thing becomes rather expensive. [...]
  • [...] What worries him is that HTTP is designed for short response times, whereas complex Web Services applications may need several minutes per response [...]
  • [...] The experts also warn that there are currently no deployable approaches for how, when coupling applications, the participating servers authenticate each other and thereby ensure that no unauthorized party remotely triggers processes. [...]
Security for Parlay-X - challenges and solutions [Eckardt]
  • Web Services are too firewall-friendly!
    • HTTP increasingly used as universal, firewall-outwitting tunnel!
    • HTTP not properly filtered by most standard firewalls!
    • SOAP not filtered at all by standard firewalls!

Packet Filtering Firewalls

Article found | Fact
Web Service Security [On02]
  • works at layer 3 (Network), the lowest layer at which a firewall can operate
  • checks whether packets come from a trusted source and is not concerned with the content of the packets
  • usually part of a router
  • IP packets are compared to a set of criteria (e.g. source or destination IP, source or destination port, protocol used, format of the IP packet) and dropped or forwarded accordingly
Sicherung von Web Services durch Firewalls ("Securing Web Services with Firewalls") [JZ03]
  • Control of data traffic
    • Forward packet to its destination
    • Drop packet (no information for the sender)
    • Reject packet (information for the sender)
    • Modify packet
    • Redirect packet to another destination (load balancing)
    • Record information (logging)
    • Trigger an alarm
    • Change filter rules
  • Rules
    • Protocol
    • Source network address
    • Destination network address
    • Source port
    • Destination port
    • Packet size
  • Stateless packet filters
  • Stateful or dynamic packet filters
    • Tracking of network traffic
    • Dynamic packet handling
  • Intelligent packet filters
    • Inspection of packet contents, possibly with modifications to them

Circuit-Level Firewalls

Article found | Fact
Web Service Security [On02]
  • works at layer 4 (Transport)
  • filters traffic based on more sophisticated criteria
  • monitors TCP handshaking to determine a session's legitimacy
  • Information about the protected network is hidden, because packets appear to originate from the firewall and not from an address inside the protected network
  • do not filter individual packets; rather, filtering is based on the rules of the TCP session, including who initiated the session and at what time
  • prevent "session hijacking" - sending an IP packet that is intended to appear as if it belongs to a trusted session.
  • hides an internal network from an attacker who wishes to scan it for vulnerabilities.

Application-Level Gateways

Article found | Fact
Web Service Security [On02]
  • works at layer 7 (Application)
  • are aware of what traffic meant for specific applications should look like (e.g. it knows the difference between Web traffic and telnet traffic, even though both use TCP/IP.)
  • Application-specific commands and user activity can be logged
  • relatively processor-intensive

Stateful-Inspection Firewalls

Article found | Fact
Web Service Security [On02]
  • operate at multiple levels and include much of the functionality of packet-filtering firewalls, circuit-level firewalls, and application-level gateways
  • complex and powerful, but tend to be difficult to configure

Application Layer Firewalls

Article found | Fact
Web Service Security [On02]
  • many firewalls have been configured to only allow Web (HTTP, SSL) and e-mail (POP, SMTP) traffic to pass.
  • It has become standard practice to "tunnel" other applications through the Web ports (80 for HTTP, 443 for SSL), effectively disguised as normal Web traffic. This is generally not done for malicious reasons, but rather for pragmatic reasons, because all other ports are blocked. In particular, SOAP is very frequently bound to HTTP. [...] SOAP promises to enable the explosive growth of application communication over the Web ports.
  • A SOAP-level firewall should be able to:
    • Identify whether the incoming SOAP request is targeted at a Web Service that is intended to be available.
    • Identify whether the content of the SOAP message is valid. This is analogous to what happens at the network layer, where IP packet contents are examined. However, at the application layer it requires knowledge of what data the Web Service expects.

Content Filtering

Article found | Fact
Web Service Security [On02]
  • Web Services present a new avenue of attack into the enterprise.
  • some of the tactics are familiar: feeding unexpected data to an application in order to confuse it, or disable it
  • Details from WSDL files can be used to craft attacks with inappropriate data
  • It is important, therefore, that "sanity checks" are performed on incoming data directed to Web Services (e.g. against the XML Schema)
  • XML Schema validation is processor-intensive
  • In addition, certain portions of a SOAP message may be volatile, meaning that they change while in transit between the SOAP requester and the Web Service. Volatile portions of a SOAP message include the header, which may contain routing information that changes as the message is routed
  • Another aspect of content filtering is ensuring that only valid Web Services are called. Firewalls must be able to distinguish SOAP requests from invalid requests
Sicherung von Web Services durch Firewalls [JZ03]
  • Advantages:
    • Packet filtering is widely available (routers, commercial and free products)
    • A simple packet filter works very efficiently
  • Disadvantages:
    • Filter rules are often hard to configure and test
    • Complex filters generate load
    • Not all policies can be enforced through filter rules (e.g. user authentication); intelligent filters are needed here
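The SOAP-level checks collected above (is the request aimed at an operation intended to be available, is the body content valid, is the volatile header left out of the decision) placed next to the port-based rule a packet filter applies, as an added example that is not part of these thesis notes or of the cited articles. The service namespace, the operation allowlist and the sample request are constructed, and the small parameter table is a simplified stand-in for XML Schema validation:

```python
import xml.etree.ElementTree as ET
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
SERVICE_NS = "urn:example:orders"  # assumed namespace of the protected service
# Operations the service means to expose, each with parameter -> (type, max length).
# A stand-in for XML Schema validation; in practice derived from the WSDL/UDDI entry.
PUBLISHED_OPS = {
    "GetOrder": {"orderId": (int, 10)},
    "ListOrders": {"customer": (str, 64)},
}
SAMPLE_REQUEST = (  # constructed sample request, including a volatile routing header
    f'<e:Envelope xmlns:e="{SOAP_ENV}"><e:Header><route hop="2"/></e:Header>'
    f'<e:Body><o:GetOrder xmlns:o="{SERVICE_NS}"><o:orderId>42</o:orderId>'
    "</o:GetOrder></e:Body></e:Envelope>"
)

def packet_filter_allows(dst_port, proto="tcp"):
    """Layer-3/4 view: the usual rule that lets all web traffic through, SOAP included."""
    return proto == "tcp" and dst_port in (80, 443)

def soap_filter(raw):
    """Application-layer view: returns (allowed, reason) for one SOAP request."""
    try:  # stdlib parser; a hardened deployment would use a parser that limits entity expansion
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return False, "not a SOAP 1.1 envelope"
    # The Header is volatile (routing data changes in transit) and is ignored; only the Body decides.
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) != 1:
        return False, "Body missing or not exactly one operation element"
    ns, _, name = body[0].tag[1:].partition("}")  # split "{namespace}local-name"
    if ns != SERVICE_NS or name not in PUBLISHED_OPS:
        return False, f"operation {name!r} is not published"
    expected, seen = PUBLISHED_OPS[name], set()
    for param in body[0]:
        pname = param.tag.rpartition("}")[2]
        if pname not in expected:
            return False, f"unexpected parameter {pname!r}"
        ptype, maxlen = expected[pname]
        text = (param.text or "").strip()
        if len(text) > maxlen:
            return False, f"parameter {pname!r} exceeds {maxlen} characters"
        if ptype is int and not text.lstrip("-").isdigit():
            return False, f"parameter {pname!r} is not an integer"
        seen.add(pname)
    if set(expected) - seen:
        return False, f"missing parameters: {sorted(set(expected) - seen)}"
    return True, "ok"
```

Every request in the tests below passes packet_filter_allows(80) unchanged; only soap_filter tells the published call apart from the unpublished, malformed or mistyped ones.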

Proxy

Article found | Fact
Sicherung von Web Services durch Firewalls [JZ03]
  • The Meaning of "Proxy" (Oxford Advanced Learner's Dictionary of Current English, 4th Edition):
    1. Person authorized to act on behalf of another
    2. Authority to represent somebody else
  • Transparent stand-in for a user or a service
  • Application Level Gateway
  • Accepts user requests
  • Forwards the requests to the service
  • Also used for caching purposes
  • Hybrid systems: packet filter and proxy
    • The packet filter intercepts the connection and hands it to the proxy, or acts as the proxy itself
  • Making decisions on incoming requests
    • Different hosts: different capabilities
    • Forwarding of requests
    • User authentication
  • Common for outgoing traffic; usable for inbound connections for load balancing and increased security
  • Advantages:
    • Possibility of intelligent filtering
    • User authentication
    • Understanding of the application protocol enables effective logging
  • Disadvantages:
    • Poor availability for new or rarely used protocols (services)
    • Installation and configuration are laborious