9. Basic Web Services Model (diagram labels: client and service development, execution, distribution; WSDL, UDDI, SOAP)
10. Security Components (diagram labels: client and service development, security, execution, distribution; WSDL, UDDI, Services Proxy, Gateway Proxy)
11. (diagram only)
12. Today (diagram labels: client and service development, security, execution, distribution; Gateway)
13. Future (diagram labels: client and service development, security, execution, distribution; Gateway, WS-Policy)
This presentation is intended to facilitate discussion about Entrust’s role in securing the Web-services architecture.
Basic Web-services model: SOAP intermediaries may exist in the message path, including in the DMZ. Security functions may be performed by a SOAP intermediary.
Disadvantages: sensitive information, such as private keys, sits in the DMZ. The gateway doesn't protect applications and data, or control access to services, from within the perimeter. It is a bottleneck: even messages for low-traffic internal services have to go through this control point. Advantage: it enforces a strong security policy for the internal network.
Today – policy administrators have to collaborate off-line to ensure compatible policies are implemented at client and service. If an end-point deals with many other end-points, then this collaboration could become burdensome.
One possible solution, particularly likely for B2B applications, is that the policy administrator in the service domain dictates policy. The client domain simply accepts the policy dictated to it. Some aspects of policy are solely a local matter, e.g. audit policy.
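The following is an added example, not code from the presentation or from Entrust: a minimal policy check of the kind a SOAP intermediary in the DMZ could apply before forwarding a message to an internal service, with the policy dictated by the service domain as described above. The policy dictionary, the sample envelopes and the `urn:example:bank` service are constructed for illustration; the real WS-Security and XML Signature namespaces are used. It checks only that the required elements are present; an actual gateway would also verify the signature and reject a stale or replayed Timestamp, which is exactly the kind of processing that makes a gateway both a policy-enforcement point and a bottleneck.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SOAP 1.1, WS-Security 1.0 and XML Signature.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Hypothetical policy dictated by the service domain: what an inbound
# message must carry before the gateway forwards it to an internal service.
SERVICE_POLICY = {
    "require_timestamp": True,
    "require_signature": True,
    "allowed_tokens": {"UsernameToken", "BinarySecurityToken"},
}


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def check_message(envelope_xml, policy=SERVICE_POLICY):
    """Return the list of policy violations for one SOAP message.

    An empty list means the message satisfies the gateway policy and may be
    forwarded. Only the presence of the required WS-Security elements is
    checked here; signature verification and Timestamp freshness are left
    to the gateway's security stack.
    """
    violations = []
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]
    if root.tag != "{%s}Envelope" % SOAP_NS:
        return ["not a SOAP 1.1 envelope"]

    header = root.find("{%s}Header" % SOAP_NS)
    security = None if header is None else header.find("{%s}Security" % WSSE_NS)
    if security is None:
        return ["missing wsse:Security header"]

    if policy["require_timestamp"] and security.find("{%s}Timestamp" % WSU_NS) is None:
        violations.append("missing wsu:Timestamp")
    if policy["require_signature"] and security.find("{%s}Signature" % DS_NS) is None:
        violations.append("missing ds:Signature")

    # Any direct child of wsse:Security whose name ends in "Token" is treated
    # as a presented credential; each must be a type the policy permits.
    tokens = {_local(c.tag) for c in security if _local(c.tag).endswith("Token")}
    if not tokens:
        violations.append("no security token presented")
    for token in sorted(tokens - policy["allowed_tokens"]):
        violations.append("token type not permitted by policy: " + token)
    return violations


def _envelope(security_children):
    """Build a constructed sample envelope around the given wsse:Security content."""
    return (
        '<soap:Envelope xmlns:soap="%s" xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">'
        "<soap:Header><wsse:Security>%s</wsse:Security></soap:Header>"
        '<soap:Body><GetBalance xmlns="urn:example:bank"/></soap:Body>'
        "</soap:Envelope>"
    ) % (SOAP_NS, WSSE_NS, WSU_NS, DS_NS, security_children)


# Constructed sample messages (not captured traffic); values are placeholders.
TIMESTAMP = "<wsu:Timestamp><wsu:Created>2004-01-01T00:00:00Z</wsu:Created></wsu:Timestamp>"
USERNAME = "<wsse:UsernameToken><wsse:Username>alice</wsse:Username></wsse:UsernameToken>"
SIGNATURE = "<ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"

COMPLIANT_MSG = _envelope(TIMESTAMP + USERNAME + SIGNATURE)
UNSIGNED_MSG = _envelope(USERNAME)
FOREIGN_TOKEN_MSG = _envelope(
    TIMESTAMP + '<CustomToken xmlns="urn:example:hypothetical"/>' + SIGNATURE)
NO_SECURITY_MSG = (
    '<soap:Envelope xmlns:soap="%s"><soap:Header/>'
    '<soap:Body><GetBalance xmlns="urn:example:bank"/></soap:Body></soap:Envelope>'
) % SOAP_NS


if __name__ == "__main__":
    samples = [("compliant", COMPLIANT_MSG), ("unsigned", UNSIGNED_MSG),
               ("foreign token", FOREIGN_TOKEN_MSG), ("no security", NO_SECURITY_MSG)]
    for name, msg in samples:
        print(name, "->", check_message(msg) or "forward to internal service")
```

Because the policy lives in one dictionary owned by the service domain, the client domain has nothing to negotiate: it either produces messages that pass `check_message` or its requests are rejected at the perimeter, which is the "service dictates policy" arrangement described above.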
App server vendors may provide application firewalls for their own environments. These may have policy consoles, but they won’t be consistent with the SOAP gateway interfaces.
What is Network Identity? Purpose: to give the audience an idea of what network identity is. Bottom line message: our 'identity' involves a lot of personal information about us that is very important to us. We maintain our identity and personal information in many places on the Internet. This represents both a convenience and a challenge. This page provides a definition of what is meant by user identity. You can talk about things such as: non-network identity (look at how many cards you have in your wallet or purse; each is a separate identity: driver's license, credit cards, ATM cards, auto insurance cards, employee identification, health insurance cards, motor club cards, membership cards, long distance cards, frequent flyer or hotel cards, etc.); all the information about you that exists behind each of these identities; and all the different places where you maintain identity that is not in your wallet or purse (employment file, health records at your doctors and hospitals, web site accounts, etc.).
What is Network Identity? Purpose: to demonstrate the different types of identity and personal information that we establish on the Internet, and the challenges that maintaining this information on different sites creates. Bottom line message: it is difficult, insecure, and an inconvenience to maintain all these identities, user names and passwords, and personal information on multiple sites on the Internet. This slide builds. It starts with the title only, and then the definition from the last page fades in, with the column to the right empty. You need to 'page down' or click to have the column fill in with examples of different potential network identities, which phase in automatically in three sections. You need to 'page down' or click again to have those examples disappear and three bullet points appear one after the other with related points. These bullets can be explained by stating such things as: when users set up accounts on the Internet, they often tailor each site to meet their own preferences, including different user names and passwords; sometimes these are different and sometimes they are the same from site to site; users have a hard time remembering what they entered at each individual site, especially user names and passwords; users have to maintain the same personal information at multiple sites, and when that information changes they have to change it at each individual site or risk incorrect information existing in different accounts; keeping track of all of this is very difficult.