Quadrasis/Xtradyne Soap Content Inspector

They carefully planned for days for the worst possible attack. Once their presence was detected, the enemy's agents, who were stealthy and highly intelligent, would surely be drawn to their defensive walls. It would only be a matter of time before the ongoing and relentless probing would begin, eventually finding some unknown and unforeseen weakness in its design. Once compromised, the walls would surely be breached and the eventual plundering and destruction would spell doom for the innocent inhabitants within. Instinctively they knew not to underestimate the dark and ever-present forces residing in the ether...

This may sound like a scene from the latest Lord of the Rings movie. Actually, it depicts an everyday event for Internet service providers - bringing new servers online. In many cases, it only takes a few minutes for the firewall probing to start when a new Web server is indoctrinated to the Internet.

This is the world that global Web services must exist in, and it does not paint a pretty picture. Luckily, standards are emerging to address the numerous issues regarding Web service security (WS-Security, SAML) and new products to implement them. Quadrasis SOAP Content Inspector is one such product to tackle the tough Web service security issues of today.

Overview
The Quadrasis/Xtradyne SOAP Content Inspector (SCI) provides a flexible and comprehensive set of solutions for protecting Web service resources both inside and outside the corporate firewall. It comprises three main components which, depending on the installation, can reside on a single server or on separate boxes. The SCI Policy Server manages the various security policies and makes all decisions regarding access to resources. The SCI Proxy Server intercepts SOAP requests and, depending on the decisions made by the Policy Server, either passes the request to the protected Web service or denies access to the service. The final component, the SCI Administration Console, allows you to maintain user names and user groups, exercise role-based access control over Web service resources, configure message encryption techniques, and set up event monitoring (see Figure 1).


Regarding user stores, you can either use a built-in database for user information or configure SCI to retrieve user information from a directory server (using LDAP). SCI is compatible with several of the leading directory service products including Netscape (iPlanet).

If your security design involves processing SAML assertions with attribute data (i.e., from an LDAP server), you'll need to install an additional product from Quadrasis. I'll have more on that later.

4A Functionality
The functionality provided by Soap Content Inspector can be summarized in four basic functional categories - authentication, authorization, auditing, and administration. Authentication limits access to only those clients that can be verified by one of several mechanisms, including SSL client certificate, basic HTTP authentication, SAML assertions, or anonymous public access. Basically, you better be who you claim to be or you cannot use the Web service resource.

Authorization restricts an authenticated SOAP client to only the Web service resources spelled out by the policy information stored on the Policy Server. The SCI policy can authorize access down to the SOAP RPC method level and manages access control lists at the user and user group levels.

As for auditing, Soap Content Inspector can log a number of events, including connection establishment, authentication results, and authorization results. You have the option of logging to a flat file or to the Windows 2000 event log service.

The last of the 4A feature list, administration, represents the GUI-based SCI Admin Console provided with Soap Content Inspector. The console has two views, professional and expert. The professional view is where you would spend most of your time when setting up your policies and other configuration settings; it arranges things logically according to functionality. The expert view, on the other hand, is essentially one large hierarchically arranged property sheet for the system. You go there only if you need to tweak something that is not normally handled by the professional view. I found the Admin Console fairly straightforward and easy to use. Soap Content Inspector keeps security arrangements at a single policy level and does not include higher levels of abstraction, such as domains and realms, as found in other security policy services. This tends to make security policies easier to configure and administer.

One last set of features, not really part of the 4A feature list, involves message integrity and validation. Soap Content Inspector is able to detect ill-formed messages by validating the XML inside the SOAP message. It also has the capability of digitally signing the SOAP header and message blocks as a whole, making modification impossible without detection.
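To make the 4A model and the message-validation step concrete, here is an added example of a minimal policy-enforcing proxy in Python. It is not Quadrasis code; the user store, the method-level policy table, the audit line format and the sample SOAP envelopes are all constructed for illustration. It rejects ill-formed XML before anything else, authenticates with HTTP Basic credentials, authorizes per SOAP RPC method against group membership, and records every decision in an audit log:

```python
"""Added example: a minimal policy-enforcing SOAP proxy following the 4A model
(authenticate, authorize, audit, administer via the POLICY table).  Not
Quadrasis code; user store, policy and log format are invented for illustration."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def _pw(salt, password):
    """Salted password digest for the constructed user store."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user store: username -> (salt, digest, groups)
USERS = {
    "alice": ("s1", _pw("s1", "alice-pass"), {"traders"}),
    "bob":   ("s2", _pw("s2", "bob-pass"),   {"auditors"}),
}

# Constructed policy: (service namespace, RPC method) -> groups allowed.
# Access is decided per method, which is the granularity the review describes.
POLICY = {
    ("urn:example:orders", "placeOrder"):     {"traders"},
    ("urn:example:orders", "getOrderStatus"): {"traders", "auditors"},
}

AUDIT_LOG = []  # stands in for the flat-file or event-log sink


def audit(event, **fields):
    """Append one timestamped audit line and return it."""
    line = f"{datetime.now(timezone.utc).isoformat()} {event} " + \
           " ".join(f"{k}={v}" for k, v in fields.items())
    AUDIT_LOG.append(line)
    return line


def basic_auth(user, password):
    """Build the HTTP Basic Authorization header a client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def authenticate(headers):
    """HTTP Basic authentication against the constructed user store."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    rec = USERS.get(user)
    if rec is None:
        return None
    salt, digest, _groups = rec
    # constant-time comparison so a wrong password leaks no timing information
    if not hmac.compare_digest(digest, _pw(salt, password)):
        return None
    return user


def parse_rpc_call(body_xml):
    """Check the message is well-formed SOAP and return (namespace, method)."""
    root = ET.fromstring(body_xml)  # raises ParseError on ill-formed XML
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise ValueError("not a SOAP envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("missing SOAP Body or RPC element")
    call = body[0]
    if call.tag.startswith("{"):
        ns, _, method = call.tag[1:].partition("}")
    else:
        ns, method = "", call.tag
    return ns, method


def inspect(headers, body_xml):
    """Return (decision, reason); 'forward' means pass to the protected service."""
    try:
        ns, method = parse_rpc_call(body_xml)
    except (ET.ParseError, ValueError) as exc:
        audit("reject", reason=f"malformed:{exc}")
        return "reject", "malformed message"
    user = authenticate(headers)
    audit("authn", user=user or "-", result="ok" if user else "fail")
    if user is None:
        return "reject", "authentication failed"
    allowed = POLICY.get((ns, method), set())
    permitted = bool(allowed & USERS[user][2])
    audit("authz", user=user, method=f"{ns}#{method}",
          result="permit" if permitted else "deny")
    if permitted:
        return "forward", f"{method} permitted for {user}"
    return "reject", f"{method} denied for {user}"


# Constructed sample requests
ORDER_MSG = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
             '<o:placeOrder xmlns:o="urn:example:orders"><o:sku>ABC</o:sku>'
             '</o:placeOrder></soap:Body></soap:Envelope>')
STATUS_MSG = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
              '<o:getOrderStatus xmlns:o="urn:example:orders"><o:id>42</o:id>'
              '</o:getOrderStatus></soap:Body></soap:Envelope>')

if __name__ == "__main__":
    print(inspect(basic_auth("alice", "alice-pass"), ORDER_MSG))
    print(inspect(basic_auth("bob", "bob-pass"), ORDER_MSG))
    print(inspect({}, "<soap:Envelope"))
    print("\n".join(AUDIT_LOG))
```

The ordering matters: the envelope is parsed and rejected before credentials are even looked at, so a malformed message never reaches the authentication code path, and every outcome (including the rejection of malformed input) leaves an audit line.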

Architecture
One of the more interesting features of the SOAP Content Inspector is its flexibility in handling SAML (Security Assertion Markup Language) assertions, one of the emerging standards in Web services today. An assertion essentially provides a mechanism for security information to be passed from one party to another. A SAML assertion carried in a SOAP message (typically in the SOAP header) can provide authentication and authorization information that has been populated ahead of time by some authentication service. The assertion thereby contains proof of the message's authenticity as well as information regarding which Web service resources are authorized for access.

SCI can be set up as a proxy for the Web service, authenticate the client (user) of the message, create and append a SAML assertion to the message, and forward the message to the real Web service application. With the SAML assertion firmly attached to the SOAP message (or SOAP header), it can be forwarded to other nested Web services, providing a single sign-on mechanism.

In another mode of operation called a Federated Trust, SOAP Content Inspector can be configured on both the client and service sides of the Web service, acting in a sense as a dual proxy (see Figure 2). The client will forward the SOAP message to the client-side proxy, provide the necessary authentication, and attach a SAML assertion to the message. The message is then delivered to the server-side proxy, where the SAML Assertion is processed. If authorized to use the Web service, the validated SAML assertion is retained in the SOAP message and the request is forwarded to the true Web application. The assertion processing occurs under the covers and provides a transparent and secure means for SOAP messages to be delivered over the Internet.


Another strength of the SOAP Content Inspector is its ability to inject attribute information (user e-mail addresses, business addresses, etc.) into SAML assertions. It is currently the only product on the market with this level of functionality. In order for SOAP Content Inspector to do this, you must install and configure EASI Security Unifier, which requires a separate product installation (and licensing) from Quadrasis. With attributes embedded in the SAML assertion, a Web service is not only guaranteed that the client is authenticated and authorized to use the service, but also has relevant and current user information available for processing. This saves the Web service from having to make separate trips to an LDAP server and from requiring separate LDAP connect, bind, and search configuration settings.
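The Federated Trust exchange and the attribute injection described above, as an added Python example that is not part of the review or of the Quadrasis product: a client-side proxy stamps a SAML-style assertion carrying user attributes into the SOAP Header, and a server-side proxy validates the issuer, the integrity check and the expiry before handing the attributes to the real service. The HMAC over the assertion fields stands in for an XML Signature, and the shared key, issuer name, SAML 1.0 element names and attribute names are constructed for illustration:

```python
"""Added example (not Quadrasis code): the federated-trust exchange with a
client-side proxy that attaches a SAML-style assertion carrying attributes and a
server-side proxy that validates it.  The HMAC is a stand-in for an XML
Signature; key, issuer and attribute names are constructed for illustration."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("saml", SAML_NS)

SHARED_KEY = b"constructed-demo-key"        # would be a per-partner key in practice
TRUSTED_ISSUER = "client-side-proxy.example"  # constructed issuer name
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _mac(issuer, subject, expires, attrs):
    """Authenticate every field the server relies on (stand-in for XML-DSig)."""
    canon = "|".join([issuer, subject, expires] +
                     [f"{k}={v}" for k, v in sorted(attrs.items())])
    digest = hmac.new(SHARED_KEY, canon.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def client_proxy(envelope_xml, subject, attrs, ttl_seconds=300, now=None):
    """Client side: after authenticating the caller (assumed done), append an
    assertion with the caller's attributes to the SOAP Header."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(seconds=ttl_seconds)).strftime(TIME_FMT)
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:                      # Header must precede Body
        header = ET.Element(f"{{{SOAP_NS}}}Header")
        root.insert(0, header)
    a = ET.SubElement(header, f"{{{SAML_NS}}}Assertion",
                      {"Issuer": TRUSTED_ISSUER, "NotOnOrAfter": expires})
    ET.SubElement(a, f"{{{SAML_NS}}}NameIdentifier").text = subject
    for k, v in sorted(attrs.items()):      # injected attribute data
        ET.SubElement(a, f"{{{SAML_NS}}}Attribute", {"AttributeName": k}).text = v
    ET.SubElement(a, f"{{{SAML_NS}}}Signature").text = \
        _mac(TRUSTED_ISSUER, subject, expires, attrs)
    return ET.tostring(root, encoding="unicode")


def server_proxy(envelope_xml, now=None):
    """Server side: validate the assertion; return (accepted, subject, attrs, reason)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(envelope_xml)
    a = root.find(f"{{{SOAP_NS}}}Header/{{{SAML_NS}}}Assertion")
    if a is None:
        return False, None, {}, "no assertion"
    issuer, expires = a.get("Issuer", ""), a.get("NotOnOrAfter", "")
    if issuer != TRUSTED_ISSUER:
        return False, None, {}, "untrusted issuer"
    subject = a.findtext(f"{{{SAML_NS}}}NameIdentifier", "")
    attrs = {e.get("AttributeName"): e.text for e in a.findall(f"{{{SAML_NS}}}Attribute")}
    sig = a.findtext(f"{{{SAML_NS}}}Signature", "")
    # integrity before expiry: a forged NotOnOrAfter must not be trusted either
    if not hmac.compare_digest(sig, _mac(issuer, subject, expires, attrs)):
        return False, None, {}, "signature mismatch"
    if datetime.strptime(expires, TIME_FMT).replace(tzinfo=timezone.utc) <= now:
        return False, None, {}, "assertion expired"
    return True, subject, attrs, "ok"


# Constructed sample request from the client application (no assertion yet)
REQUEST = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
           '<o:getOrderStatus xmlns:o="urn:example:orders"><o:id>42</o:id>'
           '</o:getOrderStatus></soap:Body></soap:Envelope>')


def run_exchange():
    """Drive the exchange end to end and return the outcomes for inspection."""
    stamped = client_proxy(REQUEST, "alice",
                           {"role": "traders", "mail": "alice@example.com"})
    good = server_proxy(stamped)
    tampered = server_proxy(stamped.replace(">traders<", ">admins<"))
    stale = server_proxy(stamped, now=datetime.now(timezone.utc) + timedelta(hours=1))
    bare = server_proxy(REQUEST)
    return {"stamped": stamped, "good": good, "tampered": tampered[3],
            "stale": stale[3], "bare": bare[3]}


if __name__ == "__main__":
    for k, v in run_exchange().items():
        print(k, "->", v)
```

Because the attributes are covered by the integrity check, an intermediary that edits the injected role or e-mail address is caught by the server-side proxy before the request ever reaches the real service; this is the property that lets the service trust the attributes instead of fetching them from LDAP itself.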

Installation
As of this writing, Soap Content Inspector is only available for installation on Windows 2000, so you better put on your Microsoft administrator's hat. To start off, prior to installation you'll need to download and install the Java 1.3 Runtime Environment (or greater) and several security-related libraries (JSSE, JCE). Check the installation (startup) guide for details. Although Java 1.4 comes bundled with the security class libraries, you still need to separately download and install each security package until version 1.4 is certified by Quadrasis.

Documentation
Soap Content Inspector comes with several well-written guides to help you configure and secure your Web services. I found the Administrator's Guide to be extremely useful, taking you step-by-step through setting up the system and establishing a base set of policies.

Conclusion
Installing and configuring secure Web services is straightforward using Quadrasis Soap Content Inspector. Its policy management is somewhat less complex to configure than that of other security management products, and it can essentially run straight out of the box, allowing you to get acquainted with security policies first instead of configuring external systems such as database and directory services.

Company Info
Quadrasis, the security division of Hitachi Computer Products (America), Inc.
Software Solutions Division
1601 Trapelo Road
Reservoir Place, 3rd Floor
Waltham, MA 02451
Phone: (781) 890-0444
Facsimile: (781) 890-4998
Web: www.quadrasis.com
E-mail: solutions@quadrasis.com

Evaluation Download
www.quadrasis.com/prod_download/register.asp

Licensing Information
Licensing is on a CPU basis with up to 50 simultaneous connections.
http://www.quadrasis.com/prod_download/register.asp

Testing Environment
OS: Windows-2000 Professional
Hardware: IBM ThinkPad T30

About Joe Mitchko
Joe Mitchko is the editor-in-chief of WLDJ and a senior technical specialist for a leading consulting services company.
