EE Times-Asia

XML services call for security checks

Posted: 03 Nov 2003

Keywords: XML, network security, IP, web service, Internet

Nothing has done more to erode the enterprise security perimeter than the rise of XML Web services. Designed to pass straight through the existing enterprise Internet Protocol (IP)-based network security infrastructure, Web services open up a sea of security vulnerabilities. Addressing those threats requires a new approach and a high-performance technology.

By way of a concise introduction, here are the most significant Web services operations:

  • XML parsing is the first step: it converts the XML text into the internal form that every subsequent processing step requires.

  • XML schema validation determines whether the structure of the XML data matches a predefined specification.

  • XPath filtering allows complex conditions to be applied to messages.

  • XML encryption provides data privacy at the message or field level using asymmetric or symmetric encryption.

  • WS-Security can be thought of as a higher-level specification that combines SOAP, XML digital signature and XML encryption to provide interoperable message-level security.
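The first three operations above (parsing, structural validation, XPath filtering) form the front half of a gateway's policy pipeline. The following is an added example written for this page, not code from the article or from DataPower: it runs constructed SOAP messages through that pipeline with Python's standard library. The structural check is a simplified stand-in for real XML Schema validation, and the namespaces, `ORDER_SPEC` and `MAX_AMOUNT` are assumed policy values.

```python
"""Added example: a minimal XML security gateway pipeline, parse -> structural
check -> XPath filter. The structural check is a simplified stand-in for XML
Schema validation, the namespaces, ORDER_SPEC and MAX_AMOUNT are assumed policy
values, and the messages are constructed samples, not captured traffic."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:orders"          # assumed application namespace
NS = {"soap": SOAP_NS, "app": APP_NS}

# Predefined structure the Body must match (simplified schema):
# element path under the Body -> whether it is required.
ORDER_SPEC = {
    "app:Order": True,
    "app:Order/app:Id": True,
    "app:Order/app:Amount": True,
    "app:Order/app:Note": False,
}
MAX_AMOUNT = 10000.0                   # assumed policy limit for the filter


def parse_envelope(text):
    """Step 1: turn the XML text into a tree; a parse error is a policy failure."""
    try:
        return ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}")


def validate_structure(root, spec):
    """Step 2: required elements must exist and nothing outside the spec may appear."""
    body = root.find("soap:Body", NS)
    if body is None:
        raise ValueError("no SOAP Body")
    for path, required in spec.items():
        if required and body.find(path, NS) is None:
            raise ValueError(f"missing required element {path}")
    allowed = set()
    for path in spec:
        prefix, local = path.split("/")[-1].split(":")
        allowed.add("{%s}%s" % (NS[prefix], local))
    for elem in body.iter():
        if elem is not body and elem.tag not in allowed:
            raise ValueError(f"unexpected element {elem.tag}")
    return body


def xpath_filter(body, limit):
    """Step 3: XPath selects the nodes, then the policy condition is evaluated."""
    for amount in body.findall("app:Order/app:Amount", NS):
        try:
            value = float(amount.text or "")
        except ValueError:
            raise ValueError("Amount is not numeric") from None
        if value > limit:
            raise ValueError(f"Amount {value} exceeds limit {limit}")


def gateway_decision(text):
    """Run the pipeline and return 'ACCEPT' or 'REJECT: <reason>'."""
    try:
        root = parse_envelope(text)
        body = validate_structure(root, ORDER_SPEC)
        xpath_filter(body, MAX_AMOUNT)
    except ValueError as exc:
        return f"REJECT: {exc}"
    return "ACCEPT"


def envelope(body_xml):
    """Wrap constructed Body content in a SOAP envelope."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:app="{APP_NS}">'
            f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>")


# Constructed sample messages.
GOOD = envelope("<app:Order><app:Id>42</app:Id><app:Amount>250.00</app:Amount></app:Order>")
MISSING = envelope("<app:Order><app:Id>43</app:Id></app:Order>")
TOO_BIG = envelope("<app:Order><app:Id>44</app:Id><app:Amount>50000</app:Amount></app:Order>")
EXTRA = envelope("<app:Order><app:Id>45</app:Id><app:Amount>1</app:Amount>"
                 "<app:Debug>x</app:Debug></app:Order>")
BROKEN = "<soap:Envelope><soap:Body>"

if __name__ == "__main__":
    for name, msg in [("GOOD", GOOD), ("MISSING", MISSING), ("TOO_BIG", TOO_BIG),
                      ("EXTRA", EXTRA), ("BROKEN", BROKEN)]:
        print(f"{name:8} {gateway_decision(msg)}")
```

Note that every stage consumes the whole message: the parser must read it all before the structural check can run, and the filter walks the tree rather than matching a string, which is the cost difference the article goes on to describe.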

Where message-level security should be carried out is another area of contention, but it is increasingly certain that in many cases it will have to be done on dedicated network appliances that act as SOAP proxies. These XML security gateways can secure multiple applications at once and are designed to be managed by the network or security group.

There are no fewer than four vendors currently offering such products, and XML-aware network security is a natural continuation of the application-level security trend. Nonetheless, the technology required is so different that it is disruptive. To apply a security policy to an XML message, it is necessary to parse the message and then perform five or six XML processing steps. That means any message-level SOAP security solution must include a complete XML engine, a hardened SOAP stack and an XML security engine.

Compatibility first

Since XML is built for compatibility, not speed, it is not surprising that XML security processing is resource-intensive. Compare the work required with the tasks of a typical HTTP-aware application security device scanning for Code Red signatures. The initial setup and handshake processing is the same. Then the application security device has to examine the HTTP header and compare it against a relatively small set of attack signatures and validity rules. Once that check is complete, there is no further interest in the HTTP message content.

If persistent HTTP connections are in use, there may be some need to scan the stream for the next HTTP header, but that is relatively inexpensive. Since these are generally incoming Web requests, the messages themselves are either empty or quite small, carrying the contents of a Web form.

By comparison, a WS-Security gateway has to parse the entire contents of the XML message, which can be anywhere from several kilobytes to a megabyte; perform schema validation; apply complex XPath filters to the content; verify one or more XML digital signatures; transform the content; and finally send it on to the destination. The filtering alone is more sophisticated than a simple pattern match, since it allows arbitrary traversals of nodes in the XML tree structure.

Digital signatures require XPath, XML canonicalization, cryptographic hashing and public-key operations. The message content is almost certainly modified several times before it leaves an XML gateway. This contrast, both in the amount of data processed and in the complexity of the processing, is why XML-aware security carries an order of magnitude or more overhead than "HTTP application security".
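The signature steps just listed (XPath selection, canonicalization, hashing, signature check) can be seen end to end in the following added example, which is not code from the article or from DataPower. It is deliberately simplified: the canonicalization is a toy (sorted attributes, stripped whitespace) rather than W3C C14N, HMAC-SHA256 over a constructed shared key stands in for the RSA signature, and the `sig:` namespace and the layout of the signature block are assumptions rather than the WS-Security or XML-DSig wire format. What it does show is that every node of the signed subtree is walked and re-serialised before anything is hashed, and that a single changed value in a large Body is caught at the digest step.

```python
"""Added example of the signature-verification steps a gateway performs:
XPath selection, canonicalization, hashing and a signature check. The
canonicalization is a toy (sorted attributes, stripped whitespace), not W3C
C14N; HMAC-SHA256 with a constructed shared key stands in for the RSA
signature; the sig: namespace and message layout are assumed, not WS-Security."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SIG_NS = "urn:example:sig"             # assumed namespace for the signature block
NS = {"soap": SOAP_NS, "sig": SIG_NS}


def canonicalize(elem):
    """Toy canonical form: every node of the signed subtree is walked and
    re-serialised, which is where the gateway's processing cost comes from."""
    parts = ["<", elem.tag]
    for key, value in sorted(elem.attrib.items()):
        parts.append(f' {key}="{value}"')
    parts.append(">")
    parts.append((elem.text or "").strip())
    for child in elem:
        parts.append(canonicalize(child).decode())
        parts.append((child.tail or "").strip())
    parts.append(f"</{elem.tag}>")
    return "".join(parts).encode()


def b64(data):
    return base64.b64encode(data).decode()


def sign_message(body_xml, key):
    """Sender side: digest the canonical Body, then MAC the canonical SignedInfo."""
    body = ET.fromstring(f'<soap:Body xmlns:soap="{SOAP_NS}">{body_xml}</soap:Body>')
    digest = b64(hashlib.sha256(canonicalize(body)).digest())
    signed_info = ET.Element(f"{{{SIG_NS}}}SignedInfo")
    ET.SubElement(signed_info, f"{{{SIG_NS}}}DigestValue").text = digest
    sig_value = b64(hmac.new(key, canonicalize(signed_info), hashlib.sha256).digest())
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:sig="{SIG_NS}"><soap:Header>'
            f"<sig:Signature><sig:SignedInfo><sig:DigestValue>{digest}</sig:DigestValue>"
            f"</sig:SignedInfo><sig:SignatureValue>{sig_value}</sig:SignatureValue>"
            f"</sig:Signature></soap:Header><soap:Body>{body_xml}</soap:Body></soap:Envelope>")


def verify_message(text, key):
    """Gateway side: select the parts by XPath, check the signature over
    SignedInfo, then recompute the digest over the canonical Body."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    signed_info = root.find("soap:Header/sig:Signature/sig:SignedInfo", NS)
    sig_value = root.find("soap:Header/sig:Signature/sig:SignatureValue", NS)
    body = root.find("soap:Body", NS)
    if signed_info is None or sig_value is None or body is None:
        return False, "signature block or Body missing"
    try:
        claimed = base64.b64decode(sig_value.text or "", validate=True)
    except ValueError:
        return False, "SignatureValue is not base64"
    expected = hmac.new(key, canonicalize(signed_info), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, claimed):
        return False, "signature mismatch"
    digest_elem = signed_info.find("sig:DigestValue", NS)
    actual = b64(hashlib.sha256(canonicalize(body)).digest())
    if digest_elem is None or digest_elem.text != actual:
        return False, "digest mismatch"
    return True, "ok"


# Constructed sample message and key.
KEY = b"constructed-shared-key"
BODY = '<Order xmlns="urn:example:orders"><Id>42</Id><Amount>250.00</Amount></Order>'
SIGNED = sign_message(BODY, KEY)
TAMPERED = SIGNED.replace("250.00", "2500.00")

if __name__ == "__main__":
    print("signed   :", verify_message(SIGNED, KEY))
    print("tampered :", verify_message(TAMPERED, KEY))
    print("wrong key:", verify_message(SIGNED, b"other-key"))
```

The signature over `SignedInfo` is checked before the Body digest is recomputed, so a message whose `DigestValue` has been edited to match a modified Body still fails, and the gateway only spends the Body-sized canonicalization and hash on messages whose signature block is authentic.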

Every EE knows that any slow networking function is simply asking for hardware acceleration. But apart from RSA and other cryptographic operations, existing accelerator technology is not applicable to XML WS-Security. Packet filtering and other IP-layer technology is of no use at the SOAP layer, above HTTP.

HTTP and virus-scanning technologies were designed to do flat text string searches, which help with neither parsing XML nor evaluating XPath expressions. So while existing technologies can accelerate SSL handshakes, TCP termination, HTTP header parsing and common cryptographic operations, a new, XML-specific acceleration technology is required.

- Eugene Kuznetsov
Chairman and CTO
DataPower Technology Inc.
