Ensuring Trusted Web Services

SAN JOSE, CALIF., Feb. 18, 2002 — At the RSA Conference 2002, the world’s largest computer-security show, Microsoft announced today the offering of a new sample XML filter as a way to help customers prepare to secure their networks as they adopt Web services. The new XML filter is a free download designed to run on Microsofts enterprise firewall, Microsoft Internet Security and Acceleration (ISA) Server. It demonstrates a thought-leading principle that analysts and Web-services architects agree will be important to securing any network that uses Web services.

XML Web services make business-to-business (B2B) transactions simpler, more seamless and more efficient than ever. XML (eXtensible Markup Language), built on open industry standards that enable Internet based data transfer across any platform or application, is fast becoming the common language of the Web.

Security experts say the success of XML Web services makes them likely to attract attention from those who see them as an opportunity for malicious intent. Chris Christiansen, program director of Internet security at analyst group IDC Research, says its only a matter of time before a virus, denial-of-service attack or other threats target XML Web services.

“The level of XML traffic will continue to increase, encouraging an attack to occur in the next six to 12 months, if not sooner,”
Christiansen says.
“What is really worrisome is that an XML-based attack could make current HTML malicious code threats look benign by comparison.”

Microsoft — as part of its industry-leadership role in advancing such Web services standards as XML and SOAP (Simple Object Access Protocol) — also anticipates the need to stay a step ahead of would-be hackers and mischief-makers.

Because of the companys long-term commitment to what Microsoft calls “Trustworthy Computing,” the ISA Server team began some deeper thinking about how to improve the function and security of Microsoft’s .NET platform. That led to discussions about how to proactively secure Web services.

“The extensible application-layer filtering capability of ISA Server, already an important competitive advantage in defending networks against the increasingly common application layer attacks such as Nimda and Code Red, made building an XML filter a natural extension of the product’s native ability to secure a network,”
says Zachary Gutt, technical product manager for ISA Server. The filter was created using the ISA Server Software Development Kit (SDK) and Microsoft Visual Studio .NET, and is now available free on the development section of the ISA Server Web site.

“The Internet is changing with the growth of Web services,”
Gutt says.
“And that means security will have to adapt and take on a new form as well. Security is a journey, and we’re helping customers prepare for the road ahead. Customers require defense-in-depth when it comes to security, and XML filtering will eventually become a requirement when it comes to securing XML Web services.”

The ISA Server team is demonstrating the new sample XML filter this week in San Jose at RSA Conference 2002. The demonstration shows a Web service being protected from unauthorized access and denial-of-service attacks using ISA Server and the sample XML filter to screen and inspect incoming SOAP and XML data. This demonstration is about showing what is possible when it comes to making XML Web services more secure,

Gutt says.

“This is sample code, and it is not meant to be put into a production environment. We just want to show that ISA Server is capable of doing this kind of filtering today, and how important that capability will be to securing Web services in the future. With the included SDK, a filter like this can be quickly written by any developer and tailored to their specific environment, and we really encourage that.”

One of the benefits of XML is that it allows access to, and analysis of, data via the Internet in the user’s choice of application. For example, a company might develop a purchasing application which could automatically obtain price information from a variety of vendors, allow the user to select a vendor, submit the order and then track the shipment until it is received. The vendor application, in addition to making its services available on the Web, might in turn use a number of XML Web services to accomplish different parts of the transaction, such as checking the customer’s credit, charging the customer’s account and setting up the shipment with a shipping company. In order to deliver this effectively, companies will need to integrate security into their deployment of Web services.

As with any system connected over the Internet to other systems, security experts worry about threats everyday including content corruption, unauthorized access, fraudulent transactions, denial of service, malicious code such as Trojans, and illegal data collection. It is this set of challenges that ISA Server was meant to tackle, both today and, with the release of technologies such as XML filtering, in the rapidly developing world of Web services.

Companies building solutions with XML Web services realize that trust is of paramount importance. San Francisco-based Avinon, for example, develops interactive, XML-based Web services applications for enterprises. These include self-directed policy administration and claims-adjuster servicing portals for large insurance carriers, or warranty and other extended services marketing for high-tech product manufacturers.

“If you think about any of the online business processes you want extend to core constituencies, you’re going be careful about how you enable access to those processes,”
says David Ruiz, vice president of Product Marketing at Avinon.

XML Web services and composite processes must ultimately enable security, privacy and integrity protections not just around them but within them. For example, if I’m a trading partner trying to conduct commerce, I not only need to be authenticated as a partner but have my process validated, the tasks I need to perform validated and my business rules validated.

“For both technical and business reasons, we believe XML filtering will be fundamental to achieving true Web services security,”
Ruiz continues.
“This allows you to go well beyond content, because everyone secures content to some degree. Now, you can get into the core of the process you’re conducting and do step-wise authentication, step-wise control of that experience end-to-end.”

XML Filter Provides Granular Protection

Many organizations already have firewalls in place to scan and filter incoming data at the
“packet”
level. However, issues arise with Hypertext Transfer Protocol (HTTP), which is fast becoming a universal protocol for communication among applications. For example, Microsoft Outlook Web Access gives users access to corporate e-mail over HTTP, and Microsoft BizTalk Server uses HTTP to send the XML that enables B2B transactions.

Packet filtering allows HTTP traffic to pass through a firewall without inspection of its content. While HTTP may be an easier transport for B2B interactions, hackers also target HTTP as a transport to bypass firewall security. That could provide an avenue for improper use of network systems, including viruses or other malicious code, content theft or corruption, unauthorized access, fraudulent transactions, and denial of service attacks. An XML filter on the firewall is able to monitor and inspect content sent over HTTP at the application level, before it ever reaches computers in the internal network.

The sample XML filter developed by Microsoft uses a simple algorithm to decide whether an XML request is valid: it determines if the user is allowed to access the Web service behind the firewall, and if the structure and content of the XML document are valid. The protection is two-fold: both unauthorized access and attacks using malformed XML are prevented. Valid XML data passes through to the Web service computer, and unwanted traffic is dropped by the firewall, never even allowed into the internal network. Microsoft’s sample code also includes the associated components necessary to demonstrate the use of the filter in a lab environment, so anyone can test it.

“We think it’s important for anyone using Web services to have the tools available to protect themselves from possible threats,”
Microsoft’s Gutt says.
“The creation of our sample XML filter is evidence of Microsoft’s long-term commitment to Trustworthy Computing. We see it as our responsibility to help customers secure their business-computing environment by making XML-based Web services safer on a global scale.”

IDC analyst Christiansen applauds the sample XML filter’s creation and free distribution as a welcome measure.
“It is encouraging to see Microsoft’s proactive efforts in this area,”
he says.