fatherjack
Posted: Wed Dec 05, 2012 9:59 am Post subject: WMB Web Services Security Architecture
Knight
Joined: 14 Apr 2010 Posts: 522 Location: Craggy Island
I've been away from this forum for a while but I'm out of rehab now and not touched a drop for hours.
I know there's been a fair amount of posts on this topic over the years, but I was just interested in the ways you guys are implementing Web Services security, for scenarios where WMB is making WS calls out to external providers and where WMB is the web service being called by external consumers, over the public internet.
For example, do you rely on the WMB SSL capabilities (and firewalls)? Have you implemented some hardware appliance like DataPower? Do you use WS-Security? Do you use a VPN? Are you doing something else?
I'm not after any how-to-do answers here or even any best practices, just an open discussion about what you're doing and the rationale for doing it.
_________________ Never let the facts get in the way of a good theory.
Vitor
Posted: Wed Dec 05, 2012 10:08 am Post subject: Re: WMB Web Services Security Architecture
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
fatherjack wrote:
I've been away from this forum for a while but I'm out of rehab now and not touched a drop for hours.
I'm pleased to see such a marked improvement.
fatherjack wrote:
For example, do you rely on the WMB SSL capabilities (and firewalls)? Have you implemented some hardware appliance like DataPower? Do you use WS-Security? Do you use a VPN? Are you doing something else?
All of the above really. All external facing (and most of the internal facing) web services use WS-Security, the external services are fronted by DataPower & we have the usual assortment of SSL, firewalls, DMZs and network bric-a-brac associated with a large environment.
We don't use VPN (except for staff laptops used off site) but have leased lines with hardware encryption to places we send files to. These also tend to carry WMQ channels to those of our suppliers that have embraced the technology; interestingly the channels use SSL as well which I see as a bit redundant.
Does it sound like this evolved slowly over years with no coherent security plan? It should. But we did get a DoS attack a while back (which made more technical areas of the media) and it pretty much bounced off with no ill effects to customers.
It's not paranoid overkill if they really are after you.
_________________ Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Wed Dec 05, 2012 10:12 am Post subject: Re: WMB Web Services Security Architecture
Grand Master
Joined: 25 Jun 2008 Posts: 17447
Vitor wrote:
interestingly the channels use SSL as well which I see as a bit redundant.
SSL is not strictly about encryption. It's as much about authentication and authorization as it is about transport encryption.
So it'd be perfectly sensible and not redundant to use MQ channels with SSL enabled over hardware encrypted transport, to provide certificates as asymmetric tokens to assert identity. One would then use a null cipherspec to avoid encrypting the traffic.
Vitor
Posted: Wed Dec 05, 2012 10:51 am Post subject: Re: WMB Web Services Security Architecture
Grand High Poobah
Joined: 11 Nov 2005 Posts: 26093 Location: Texas, USA
mqjeff wrote:
So it'd be perfectly sensible and not redundant to use MQ channels with SSL enabled over hardware encrypted transport, to provide certificates as asymmetric tokens to assert identity. One would then use a null cipherspec to avoid encrypting the traffic.
Except we assert identity by which piece of hardware the line is connected to and specify a cipherspec.
Good information for future readers though, and valid in this discussion.
_________________ Honesty is the best policy.
Insanity is the best defence.
lancelotlinc
Posted: Wed Dec 05, 2012 11:02 am Post subject:
Jedi Knight
Joined: 22 Mar 2010 Posts: 4941 Location: Bloomington, IL USA
Welcome back Jack.
My experience is from an AAA-rated medium-sized insurance company, a masterful Bank network, an America Bank, and several other insurance providers and state governments.
For business partners of the above mentioned entities, all use a VPN or (if ROI-business rules support it) a direct T3 conx. All SoapRequest node calls are secured through SSL. All incoming traffic including MQ is similarly secured.
We do not process direct public calls on our ESB; rather the public logs into an RBAC, browser or mobile-enabled portal application and through several screens sends a request from that interface into the ESB.
The motto is best reachable security within budget constraints. As with most banking institutions, there is a pack of lawyers just waiting to prosecute any unsavory access to our network.
_________________ http://leanpub.com/IIB_Tips_and_Tricks
Save $20: Coupon Code: MQSERIES_READER
bielesibub
Posted: Fri Dec 07, 2012 5:44 am Post subject:
Apprentice
Joined: 02 Jul 2008 Posts: 40 Location: Hampshire, UK
Nice topic and one that has given me many sleepless nights over the past couple of years!
I've been forced to try to implement almost everything! Transport and message level - remember, you can protect your pipe (TLS/SSL), but that won't stop some bugger intercepting a valid message and attempting to put his own version down it!
Integrity (Endpoint, message signing + encryption) / Authentication (TFIM/TAM) / Authorisation (TFIM/TAM).
SOAP WS-Security, multiple identities (distinguished by actor/role - providing the request is coming from a non .Net source! .Net/WCF doesn't support multiple identities or even being able to alter the role/actor attribute in a WS-Security header) (I'd like to thank Andreas at IBM for helping us with this stuff!)
Identities - x509 / Kerberos / username / SAML (we assert identity internally, as an additional step to check that no one is trying to be naughty!)
SOAP Requests with double hop Kerberos authentication using TFIM.
Transport level, TLS / SSL, with clientAuthentication to ensure both parties know who they are really talking to.
We can do all/some/none of the above - all depends on the sensitivity of the service being accessed.
WMQ / WMB admin security implemented using certificates - be careful not to have identities that are too long!
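bielesibub's point above is that a protected pipe (TLS/SSL) says nothing about whether the message inside it is the one the sender actually produced, so WS-Security adds signing, a Timestamp and single-use tokens at the message level. The following is an added example, not bielesibub's code or anything from WMB/TFIM: it shows the receiver-side checks in miniature in Python. It uses an HMAC with a constructed shared key as a stand-in for the X.509 XML signature a real WS-Security deployment would use, and the message layout (body, ts, nonce, sig) and the 300-second window are assumptions chosen for the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed shared secret standing in for the X.509 signing key a WS-Security
# deployment would use; an HMAC keeps the example self-contained and offline.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# How far a message timestamp may drift from the receiver's clock before it is
# rejected (the job the WS-Security Timestamp header does). Assumed value.
REPLAY_WINDOW_SECONDS = 300


def _signed_bytes(body: str, ts: int, nonce: str) -> bytes:
    """Canonical byte string covered by the signature: body + timestamp + nonce."""
    return json.dumps({"body": body, "ts": ts, "nonce": nonce},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_message(body: str, key: bytes = SHARED_KEY, now: Optional[int] = None) -> dict:
    """Sender side: attach a timestamp, a fresh nonce and a signature to the body."""
    ts = int(time.time()) if now is None else int(now)
    nonce = secrets.token_hex(8)
    sig = hmac.new(key, _signed_bytes(body, ts, nonce), hashlib.sha256).hexdigest()
    return {"body": body, "ts": ts, "nonce": nonce, "sig": sig}


class MessageVerifier:
    """Receiver side: signature first, then freshness, then single use of the nonce."""

    def __init__(self, key: bytes = SHARED_KEY, window: int = REPLAY_WINDOW_SECONDS):
        self.key = key
        self.window = window
        self.seen: Dict[str, int] = {}  # nonce -> timestamp it was accepted with

    def verify(self, msg: dict, now: Optional[int] = None) -> str:
        """Return 'ok', or the reason the message must be dropped."""
        now = int(time.time()) if now is None else int(now)
        try:
            expected = hmac.new(self.key,
                                _signed_bytes(msg["body"], msg["ts"], msg["nonce"]),
                                hashlib.sha256).hexdigest()
        except (KeyError, TypeError):
            return "malformed"
        # Constant-time compare: a substituted body or altered header changes the digest.
        if not hmac.compare_digest(expected, msg.get("sig", "")):
            return "bad-signature"
        # A validly signed but old message is still refused.
        if abs(now - msg["ts"]) > self.window:
            return "stale"
        # Drop nonces too old to matter inside the window, then check this one.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return "replay"
        self.seen[msg["nonce"]] = msg["ts"]
        return "ok"


if __name__ == "__main__":
    # Constructed sample payload; the "attacker" version just changes the amount.
    body = "<soap:Body><transfer amount='100'/></soap:Body>"
    v = MessageVerifier()
    m = sign_message(body)
    print(v.verify(m))                                          # ok
    print(v.verify(m))                                          # replay
    print(v.verify(dict(m, body=body.replace("100", "999"))))   # bad-signature
```

The ordering matters: the signature is checked before anything else so that unsigned or forged traffic never touches the nonce cache, and the cache is bounded by the same window the timestamp check enforces, so it cannot grow without limit.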
fatherjack
Posted: Wed Dec 12, 2012 9:08 am Post subject:
Knight
Joined: 14 Apr 2010 Posts: 522 Location: Craggy Island
Thanks for your thoughts ... and the forthcoming sleepless nights.
I might have to hit the hard stuff again.
_________________ Never let the facts get in the way of a good theory.
mqjeff
Posted: Wed Dec 12, 2012 9:13 am Post subject:
Grand Master
Joined: 25 Jun 2008 Posts: 17447
fatherjack wrote:
I might have to hit the hard stuff again.
Just make sure it doesn't hit you back.
fatherjack
Posted: Wed Dec 19, 2012 3:51 am Post subject: Re: WMB Web Services Security Architecture
Knight
Joined: 14 Apr 2010 Posts: 522 Location: Craggy Island
Vitor wrote:
the external services are fronted by DataPower
Anyone using any other xml firewall/WS security gateway appliance or software solution for this?
How easy are they to install/configure? What sort of learning curve is there?
_________________ Never let the facts get in the way of a good theory.