Improving Security in Web Services-Based Services Oriented Architectures - Report Example

Summary
This report "Improving Security in Web Services-Based Services Oriented Architectures" presents an overview of the common existing internet attack methods that have been discussed. The attacks related to web services have been dealt with in detail and the countermeasures have also been discussed…
Improving Security in Web Services-Based Services Oriented Architectures

1. Introduction

The internet is a complex and dynamically changing network with a highly complex topology. Such a network cannot be expected to respond to the normal network security methods that are applied to small private networks. Communication on the internet is established through the set of protocols called the Transmission Control Protocol / Internet Protocol (TCP/IP). The growth of the internet has provided many opportunities for personal interaction and for new business ventures. Though the internet has innumerable advantages, it also has potential drawbacks such as exposure to attacks. These web attacks aim at damaging the confidentiality and integrity of private information. The major security parameters in any computer network are confidentiality, integrity, availability and privacy, and they need to be satisfied in any type of internet application or service.

The advent of the internet has opened a wide scope for online business operations. These online operations of enterprises are called web-based services, which involve peer-to-peer communication in enterprise architectures. Such Service Oriented Architectures are highly interactive and involve many standards. One of the main challenges faced by these web-based Service Oriented Architectures is the security of the communication between the service provider and the customer. Web services are open to common internet attacks of every type as well as to attacks that specifically target web services. Communication in these web SOAs is achieved with the help of SOAP and other XML messaging formats. The main terminologies related to web services are Universal Description, Discovery and Integration (UDDI), SOAP and the Web Services Description Language (WSDL). UDDI registries are web service registers maintained by the enterprises. SOAP helps in entering and retrieving information about the web services from a UDDI registry. These web services are described in the UDDI by WSDL, which is in XML format. The specific security attacks on web services include SQL injection and XML injection, which become the basis for Denial of Service (DoS). Security mechanisms in web services demand continuous monitoring of the system by system administrators and application developers.

This research paper deals with the concepts related to web attacks and the vulnerabilities of web services. The countermeasures to secure these web services against these attacks are also discussed, and a protecting architecture for the web services is proposed.

2. Web Attacks

This section first deals with the various methods of web attacks; later the attacks specific to web services are discussed.

2.1 Viruses

Viruses are programs that are self-replicating in nature. They attach themselves to a file and run along with the file when it is opened. A multipartite virus is a highly resistant hybrid virus that attacks the system or boot records. A stealth virus hides itself. An encrypted virus uses encryption to hide itself and decrypts itself while running. According to Bishop, M. (1995), polymorphic viruses are difficult to eradicate as they change their signatures. Other forms of malicious viruses are macros that propagate through documents.

2.2 Boot record infectors

These viruses attack the master boot record and DOS boot records. They install themselves in the boot records and run whenever the computer is booted. Virus checks in the BIOS help in eradicating them.

2.3 Eavesdropping

This involves an unauthorized person intruding into the communication between two trusted parties. In active eavesdropping the intruder can change the messages, while in passive eavesdropping the intruder can only listen to others' messages. This attack defeats the confidentiality and privacy of any internet communication.

2.4 Worms and Trojans

Worms are similar to viruses, but they propagate in a different fashion, says Isern, G. (2002). They propagate through mass-mailing documents (Melissa) and through networks. Network-aware worms like SQL Slammer can cause damage to the desktop engine, says Wenliang, D. (1998). Worms can also load Trojans into the target system. Frantzen, M. (2001) states that these Trojans generally carry remote access methods.

2.5 IP Spoofing

Spoofing refers to gaining unauthorized access to another's machine by posing as an authorized user. This is done by spoofing the IP address of packets. The present IP protocol methodology cannot eliminate these spoofed packets. Filtering routers help to reduce this attack by reducing the number of IP-spoofed packets. Bishop, M. (1995) states that these filters may not be efficient in filtering IP-spoofed packets originating from the source.

2.6 E-mail Bombing, Spamming and Phishing

E-mail bombing is sending a mail repeatedly to a particular e-mail address. Spamming is sending a mail to many thousands of e-mail addresses. Summers, S. (2002) says that these situations become worse when a mailing list explodes. Phishing refers to stealing important information like credit card numbers, bank accounts, etc. for financial gain.

2.7 Resource exhaustion

This is an important type of Denial of Service attack. It aims at exhausting the service's processing resources, memory resources or even network bandwidth. This can be done by sending an oversized request message, called an oversize payload. Since web services use a tree-based, Document Object Model-like structure to store the SOAP messages, the memory consumption is high. Thus by sending a large message the memory can easily be exhausted.

2.8 Coercive Parsing

Parsing is the first step in web service request processing. Later the SOAP messages are transformed so that they are accessible to the web services. When namespaces occur, this parsing and the subsequent transformation become complex. This again leads to Denial of Service, in that the web server does not release the connection and is held up indefinitely, spending many CPU cycles on that request.

2.9 WSDL Scanning

Utilities in Java and .NET convert the request or response messages into a WSDL file. All important details about the web services are stored in the WSDL. Some of the handlers, data types, parameters, methods, etc. may be listed from the WSDL files, says Shreeraj, S. (2008). Among these, some are supposed to be operated from the internal LAN, while others are meant to be operated from external networks. The WSDL contains all of these, so any intruder from an external network can access all of these internal methods and parameters as well. Even if the external operations are separated from the internal operations, the intruder can guess the missing parameters and use them. This type of attack is referred to as WSDL scanning.

2.10 SOAP message attacks

Methods of attacking SOAP messages include tampering with the parameters and replay attacks. According to Sacha, F. (2005), parameter tampering, which is also known as SQL injection, does not validate the input, so there can be problems with database returns. By carefully analyzing the WSDL file, the inputs, other parameters, methods of internal processing and the database server characteristics can be identified. Moreover, if the web service gets data from an LDAP server, then the service becomes susceptible to SQL injection as well. In replay attacks the attacker sends repeated SOAP messages and floods the web service. This attack is difficult to recognize because the source IP is valid, the network packets behave validly, and the request is valid.
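The replay attack just described is usually countered at the message level with the nonce and creation timestamp that a WS-Security UsernameToken carries. The following Python is an added example, not code from the report or from the cited works: it assumes a SOAP 1.1 envelope carrying a UsernameToken (the sample request is constructed), treats any Created older than five minutes as stale, and remembers accepted nonces for that window, so a repeated message is rejected even though its source IP, packets and request are otherwise valid.

```python
import xml.etree.ElementTree as ET
from collections import OrderedDict
from datetime import datetime, timedelta, timezone

# OASIS WS-Security 1.0 namespaces (real URIs); the envelope content below is constructed.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"


def parse_utc(stamp: str) -> datetime:
    """Parse a wsu:Created value such as 2024-05-01T11:59:30Z as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_nonce_and_created(envelope: bytes):
    """Return (nonce, created) from the first UsernameToken, or None if either is absent.
    Size and nesting limits on the envelope are assumed to be enforced before this point."""
    token = ET.fromstring(envelope).find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        return None
    nonce = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if not nonce or not created:
        return None
    return nonce, parse_utc(created)


class ReplayGuard:
    """Reject a request whose Created is stale or whose nonce was already accepted in the window."""

    def __init__(self, window_seconds: int = 300, skew_seconds: int = 30, max_entries: int = 10000):
        self.window = timedelta(seconds=window_seconds)
        self.skew = timedelta(seconds=skew_seconds)      # tolerated client clock drift into the future
        self.max_entries = max_entries
        self.seen = OrderedDict()                        # nonce -> created, in acceptance order

    def check(self, envelope: bytes, now: datetime) -> str:
        parsed = extract_nonce_and_created(envelope)
        if parsed is None:
            return "reject: missing nonce or Created"
        nonce, created = parsed
        # Freshness first: anything older than the window can be forgotten, so the cache stays bounded.
        if created > now + self.skew or now - created > self.window:
            return "reject: timestamp outside freshness window"
        while self.seen and now - next(iter(self.seen.values())) > self.window:
            self.seen.popitem(last=False)                # expire the oldest accepted nonces
        if nonce in self.seen:
            return "reject: replayed nonce"
        if len(self.seen) >= self.max_entries:
            return "reject: nonce cache full"            # fail closed under a flood rather than evict
        self.seen[nonce] = created
        return "accept"


def soap_request(nonce: str, created: str, body: str = "<getBalance/>") -> bytes:
    """Construct a SOAP 1.1 request carrying a WS-Security UsernameToken with Nonce and Created."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f"<soapenv:Header><wsse:Security><wsse:UsernameToken>"
        f"<wsse:Username>alice</wsse:Username><wsse:Nonce>{nonce}</wsse:Nonce>"
        f"<wsu:Created>{created}</wsu:Created>"
        f"</wsse:UsernameToken></wsse:Security></soapenv:Header>"
        f"<soapenv:Body>{body}</soapenv:Body></soapenv:Envelope>"
    ).encode()
```

In production the nonce cache must be shared across all nodes that serve the same endpoint, otherwise a replay sent to a different node is accepted.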
2.11 Attacks on UDDI

Generally the web service clients send queries to the UBR (UDDI Business Registry) to get details on the web service like the service name, service publisher, WSDL file information, etc. The UDDI server responds to queries on a 'whois' basis, says Shreeraj, S. (2008). The UBRs created by companies like Microsoft, IBM and SAP can be queried by the attacker with some APIs to get all the details about these companies. Also, using the toolkits, their APIs can be invoked by SOAP messages to these TCP/IP clients.

3. Counter Measures for attacks

This section discusses the countermeasures available for the basic internet facility and specifically the countermeasures for web services security.

3.1 Internet Security

The security tools on the internet are capable of identifying the attack, filtering malicious packets, blocking packets, and providing authentication and encryption. Some standard techniques are firewalls, systems using cryptography, Intrusion Detection Systems (IDS), scanners, anti-malware software, Internet Protocol Security (IPSec) and Secure Socket Layer (SSL). While these techniques provide secured internet communication, web services demand confidentiality, integrity and privacy. Some of these are satisfied by IPSec and SSL. Olalekan, A. (2008) says that web servers provide SSL-encrypted communication on port 443 while other internet services are done on port 80. Roland and Newcomb (2003) say that IPSec gives more confidentiality and integrity. IPSec is defined by the RFC 2401 architecture and works at the IP layer, say Kent and Atkinson (1998). Web services need specific protection with respect to their technologies like WSDL, XML, UDDI and SOAP. These are discussed below.

3.2 XML Schema monitoring

The XML schema can be attacked by a message that deviates from the WSDL protocol syntax, say Leiwo et al. (2000). Such attacks can be avoided by validating against the XML schema. This method of validating the incoming XML messages leads to CPU loading and memory wastage. Hence this validation mechanism is not activated by default. Using this mechanism also helps in avoiding attacks related to SQL injection, says Chris, A. (2002). Nils and Norbert (2006) state that removing the non-public operations from the XML schema can help in avoiding the attacks on the XML schema. They call this Schema Hardening.

3.3 UDDI Protection

The UDDI acts as the beginning of any web service, as all services are registered in the UBR. The public accessibility of the UBRs makes them vulnerable to web service attacks. To avoid attacks on UDDI registers, their accessibility must be restricted and unauthorized persons must be denied access. The access control method must be flexible enough to allow potential users but must restrict unregistered users.

3.4 Protection against WSDL attacks

All information about a web service and how to use it is present in the WSDL files; in other words, the WSDL file gives the entire profile of a web service. By restricting access to UDDI, access to WSDL files can also be restricted. But if an intruder manages to reach the WSDL, then he can manipulate the data. To control this, a manual inspection of the WSDL files by the developer has to be done. In this inspection the developer has to remove unwanted or overly specific internal information like debugging methods and other important functions which can be vital for any attacker, say Alex et al. (2005).

3.5 SOAP Protection

Generally, XML messages that are based on SOAP are allowed through firewalls, so tampering with SOAP could result in a web service attack. Microsoft .NET has interfaces like IHttpHandler and IHttpModule which enable verification of the HTTP request before it is passed on to the server. Also, an event-based XML model like SAX, as prescribed by the SAX project (2002), can be used to identify invalid SOAP messages. According to Nils et al. (2006), SAX also enables event-based schema validation and even WS-Security.
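Event-based validation of the kind the SAX project and Nils et al. describe can be shown with Python's xml.sax. The block below is an added example, not code from the report or the cited works: a streaming handler that enforces nesting-depth, element-count, attribute and text-size limits (the oversize payload and coercive parsing cases of sections 2.7 and 2.8) and only admits Body operations listed in a hardened schema (section 3.2), rejecting before the whole message is held in memory. The service namespace, operation names and limit values are constructed assumptions.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_namespaces, feature_external_ges

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
BANK_NS = "urn:example:bank"                              # constructed service namespace
# Public operations kept in the hardened schema (constructed example set)
ALLOWED_OPS = {(BANK_NS, "getBalance"), (BANK_NS, "transfer")}


class SoapPolicyViolation(Exception):
    pass


class SoapLimitHandler(ContentHandler):
    def __init__(self, allowed_ops, max_depth=16, max_elements=500, max_text=64 * 1024, max_attrs=20):
        super().__init__()
        self.allowed_ops = allowed_ops
        self.max_depth, self.max_elements = max_depth, max_elements
        self.max_text, self.max_attrs = max_text, max_attrs
        self.depth = self.elements = self.text = 0
        self.in_body, self.operation = False, None

    def startElementNS(self, name, qname, attrs):
        self.depth += 1
        self.elements += 1
        if self.depth > self.max_depth:                   # coercive parsing: deep nesting
            raise SoapPolicyViolation(f"nesting deeper than {self.max_depth}")
        if self.elements > self.max_elements:             # oversize payload: element flood
            raise SoapPolicyViolation(f"more than {self.max_elements} elements")
        if attrs.getLength() > self.max_attrs:
            raise SoapPolicyViolation(f"more than {self.max_attrs} attributes on {name[1]}")
        if name == (SOAP_ENV, "Body"):
            self.in_body = True
        elif self.in_body and self.operation is None:     # first child of Body is the operation
            if name not in self.allowed_ops:              # schema hardening: non-public op rejected
                raise SoapPolicyViolation(f"operation {name[1]} not in hardened schema")
            self.operation = name

    def endElementNS(self, name, qname):
        self.depth -= 1
        if name == (SOAP_ENV, "Body"):
            self.in_body = False

    def characters(self, content):
        self.text += len(content)                         # cumulative, so chunked delivery is fine
        if self.text > self.max_text:
            raise SoapPolicyViolation(f"text content exceeds {self.max_text} characters")


def validate_soap(data: bytes, allowed_ops=ALLOWED_OPS, **limits) -> str:
    """Stream-parse a SOAP request; return 'accept' or 'reject: <reason>' without building a tree."""
    handler = SoapLimitHandler(allowed_ops, **limits)
    parser = xml.sax.make_parser()
    parser.setFeature(feature_namespaces, True)
    parser.setFeature(feature_external_ges, False)        # never resolve external entities
    parser.setContentHandler(handler)
    try:
        parser.parse(io.BytesIO(data))
    except SoapPolicyViolation as e:
        return f"reject: {e}"
    except xml.sax.SAXParseException as e:
        return f"reject: malformed XML ({e.getMessage()})"
    if handler.operation is None:
        return "reject: no operation in Body"
    return "accept"


def envelope(body_xml: str) -> bytes:
    """Build a constructed SOAP 1.1 request around the given Body content."""
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}" xmlns:bank="{BANK_NS}">'
            f'<soapenv:Body>{body_xml}</soapenv:Body></soapenv:Envelope>').encode()
```

Because the handler raises on the first violation, a multi-megabyte or deeply nested request costs only the bytes read up to that point, which is the advantage over validating a fully built DOM.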
Also, Navya and Jigang (2007) say that Apache's mod_security facility uses regular expressions over SOAP messages to match and identify patterns of malicious messages. Using mod_security does not affect the source code; rather, it can be used as an additional protecting feature.

3.6 The WS-Security Policy

Giovanni et al. (2005) say that WS-Security Policy is a specification on how to specify the security options in a web service. It is specified by Microsoft, VeriSign, IBM and others. The aim of this policy is a secured web service, achieved by attaching the security policies to SOAP messages. This policy is structured based on the WSDL descriptions, UDDI services and the SOAP framework. If the WS-Security definition is not correct, then there are possibilities of attacks like XML rewriting, say Michael, M. and Paula, A. (2005). Also, according to Karthikeyan, B. (2005), WS-Security uses security tokens for authorizing the users. This controlled access is seldom useful in B2B communications. In general, WS-Security can check the SOAP messages for conformance to the security policy, which improves the security.

4. Protecting Architecture

As discussed above, there are numerous challenging types of web service attacks. The countermeasures to protect a web service from these attacks, as discussed above, need to be used effectively. The approach proposed in this research paper addresses these attacks and provides a secured web service. The protection mechanism includes monitoring the XML schema, protecting UDDI registers, inspecting WSDL files for manipulation, checking SOAP messages, and conforming to the WS-Security policy. The architecture framework for this proposed system is shown in Fig. 1 below.

Fig. 1. Architecture for SECURED WEB SERVICE.

This architecture for web service protection seems to be reliable and versatile.

5. Conclusion and Future work

In this paper an overview of the common existing internet attack methods has been discussed. The attacks related to web services have been dealt with in detail and the countermeasures have also been discussed. The technologies of present-day web services like UDDI, WSDL, SOAP and XML are all vulnerable to various types of attacks. Since these technologies are highly interoperable, they are more exposed to attacks of all types. This paper proposes a new architecture for securing a web service from attacks of all kinds. The protection system aims at securing all the web server technologies. Thus protecting web services needs to be a continuous process with many changes according to the growing new types of attacks. The proposed future development of this research is concerned with the protection of the UDDI registers, which act as the starting point for any web server attack.

References

1. Alex Stamos and Scott Stender, Attacking Web Services: The Next Generation of Vulnerable Enterprise, BlackHat, 2005. http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-stamos.pdf. Site last accessed 15th November 2008.
2. Bishop, M., Taxonomy of (UNIX) System and Network Vulnerabilities. Technical Report CSE9510, Department of Computer Science, University of California at Davis, May 1995.
3. Chris Anley, Advanced SQL Injection in SQL Server Applications. Technical report, NGSSoftware Insight Security Research, 2002.
4. Frantzen, M., A framework for understanding vulnerabilities in firewalls using a dataflow model of firewall internals, Computers and Security, vol. 20, no. 3, pp., May 2001.
5. Giovanni Della-Libera et al., Web Services Security Policy Language (WS-SecurityPolicy), Version 1.1, July 2005.
6. Isern, G., Internet Security Attacks at the Basic Levels, ACM SIGOPS Operating Systems Review, 32(2):4–15, 2002.
7. Karthikeyan Bhargavan, Cedric Fournet, Andrew D. Gordon, and Greg O'Shea, An advisor for Web Services security policies. In SWS '05: Proceedings of the 2005 Workshop on Secure Web Services, pages 1–9, New York, NY, USA, 2005. ACM Press.
8. Kent, S. and Atkinson, R., Security Architecture for the Internet Protocol, RFC 2401, Internet Engineering Task Force, Nov. 1998.
9. Leiwo, P. Nikander and T. Aura, Towards network denial of service resistant protocols. In Proc. of the 15th International Information Security Conference (IFIP/SEC), 2000.
10. Michael McIntosh and Paula Austel, XML signature element wrapping attacks and countermeasures. In SWS '05: Proceedings of the 2005 Workshop on Secure Web Services, pages 20–27, New York, NY, USA, 2005. ACM Press.
11. Navya Sidharth and Jigang Liu, IAPF: A Framework for Enhancing Web Services Security, 31st Annual International Computer Software and Applications Conference (COMPSAC 2007), IEEE Computer Society, 2007.
12. Nils Gruschka, Norbert Luttenberger, and Ralph Herkenhöner, Event-based SOAP Message Validation for WS-SecurityPolicy-Enriched Web Services. In Proceedings of the 2006 International Conference on Semantic Web & Web Services, 2006.
13. Nils Gruschka and Norbert Luttenberger, Protecting Web Services from DoS Attacks by SOAP Message Validation. In Proceedings of the IFIP TC-11 21st International Information Security Conference (SEC 2006), 2006.
14. Olalekan Adeyinka, Internet Attack Methods and Internet Security Technology, School of Computing and Technology, University of East London, Proceedings of the IEEE Computer Society, 978-0-7695-3136-6, 2008.
15. Roland, J.F. and Newcomb, M.J., CSVPN Certification Guide, Cisco Press, 2003.
16. Sacha Faust, Blind SQL Injection: Are your web applications vulnerable? SPI Dynamics, 2005. http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf. Site last accessed 11th November 2008.
17. Shreeraj Shah, Web Services: Enumeration and Profiling, http://www.netsquare.com/whitepapers/WebServices_Profiling.pdf. Site last accessed 10th November 2008.
18. Shreeraj Shah, Web Services: Attacks and Defense, Information Gathering Methods: Footprints, Discovery and Fingerprints, http://www.netsquare.com/whitepapers/WebServices_Info_Gathering.pdf. Site last accessed 19th November 2008.
19. Summers, S., Secure Computing: Threats and Safeguards, McGraw-Hill, 2002.
20. The SAX Project, Simple API for XML – SAX 2.0.1. http://www.saxproject.org/, 2002.
21. Wenliang, D., Categorization of software errors that led to security breaches, Proceedings of the 21st National Information Systems Security Conference (NISSC '98), 1998.
Improving Security in Web Services-Based Services Oriented Architectur Report. https://studentshare.org/information-technology/2043378-i-have-not-the-specific-topic-but-may-about-web-services-security