There is More to SOA Security Than Authorization and Authentication

You don't have to make your SOA services impenetrable. You simply have to make them harder to crack than everyone else's. Use port knocking as an added level of security and crackers won't even know you're there.

By
Mon, July 28, 2008
. What's this?

CIO — Many years ago, I admired my sister's deadbolt. I made a silly comment as to how it looked like it would be impossible to break into the New York City apartment. My brother-in-law corrected me. "It's not impossible. It doesn't have to be," he said. "It just has to be harder to break into this apartment than into the other apartments." Think of it as a variation on the joke, "I don't have to outrun the bear. I just have to outrun you."

Now consider this facet of SOA. One of the greatest things about SOA services is that they are discoverable. And one of the worst things about SOA—from a security perspective—is that services are discoverable. In many cases, a cracker simply needs to scan for open ports on your servers to find out that you have a service on a given port. After that, the cracker only needs to figure out how to break your authentication mechanism. Depending on the service, the SOA component could give away everything else the cracker needs to know to access sensitive data.

Obviously, you can choose a superb authentication process to shore up your security. That may be enough. But why not add another layer of protection so that your services are harder to crack than the ones next door?

One especially useful technique, especially if you are responsible for building custom client software to access your SOA components, is to hide your services behind a port knocking-protected firewall.

Before we look at how port knocking works, let's have a micro-tutorial on ports. Every network-accessed service on the Internet uses ports. For example, your Web server, if you have one, most likely uses the standard port, which is port 80. Your Internet e-mail server is probably using port 25. There are many standard ports for common services. Some services use non-standard port numbers, and some services even pick a port number almost at random. Crackers can discover what services your company supports by scanning all the ports on your servers. The port scanners simply knock on your server's door at port 1, check for a response, then knock at port 2, check for a response, and so on, sequentially. If your server responds at port 25, then the cracker has most likely discovered not only that you have an email server, but the cracker can also figure out from the response what kind of email server you have, and what types of security you are using.

Continue Reading

What is Tech Briefcase?
TechBriefcase is a new, free service where IT Professionals can Search, Store and Share IT white papers and content like this. Learn more
Bookmark content
Speed up your research efforts with content across the web.
Search and Store
Find the white papers you need. Create folders for any topic.
View Anywhere
Open your briefcase on your iPhone, tablet or desktop. Share with colleagues.
Don't have an account yet?
White Papers »
IDC MarketScape: Worldwide Business Process Platforms 2011 Vendor Analysis
This IDC study uses the IDC MarketScape model to assess the capabilities of vendors to support midrange to complex process improvement scenarios using business process management software.
Top Reasons to Implement an SOA Governance Strategy: A List for IT Executives
Download this white paper, Top Reasons to Implement an SOA Governance Strategy: A List for IT Executives, for a guide to governance that will set you on the right path.
Oracle SOA vs. IBM SOA - Customer Perspectives on Evaluating Complexity and Business Value
With this white paper, Oracle SOA vs. IBM SOA, you'll get a healthy perspective on SOA and figure out which one is best for your organization.
Get Serious About SOA Governance: A Five-Step Action Plan for Executives
Download this whitepaper, Get Serious About SOA Governance: A Five-Step Action Plan for Executives to see why many organizations are reaping the rewards of successful SOA transformations and what you need to do to make yours one of them.
Mobile Middleware Strategies
Learn why a mobile development platform is critical to be able to support today's complex enterprise mobility strategies. Learn what to look for in a mobile development platform and how apply these tools whether you're developing a dedicated app for one device or multiple apps running across multiple devices.
Native & HTML5 Mobile Apps: Not an either or, but a where and when
Learn how developers are using HTML5 and native development methods to build mobile apps. Get practical insights on how these tools are being used, what's driving their usage, and how to choose the best development approach for your business.
Webcasts »
Leverage automation today to reduce IT complexity
Date: Tuesday, June 5, 2012, 2:00 PM EDT

Whether your B2B complexity is caused by multiple technologies due to M&A, business or application specific needs or traditional under investment, the net effect is usually the same: high cost and lower productivity. Enabling business-to-business (B2B) integration using point-to-point EDI translators is usually time intensive and cost prohibitive.

Join IDC's Maureen Fleming and SAP for an insightful Webcast on the different approaches companies are taking to B2B integration and how you can ask the right questions to reassess you B2B approach.
Delivery Management -- Extending Lifecycle Management
Date: Wednesday, June 20, 2012, 1:00 PM EDT

Siloed organizations continue doing the wrong things and doing things wrong, leading to increased costs, project delays, lower quality, and time-to-market delays. Providing a collaborative platform where the whole organization can prioritize, share and manage deliveries with more transparency can help the organizations make more informed decisions at all levels, and greatly improve communications and traceability between teams. Hear from application lifecycle management experts how to increase delivery efficiency and effectiveness with a new approach to Delivery Management.
Operational Analytics - Changing the Competitive Dynamics of the Business
Date/Time: June 5, 2012, 11:00 a.m., EDT, 4:00 p.m. BST / 3:00 p.m. UTC

Please join us for this webcast, as Dr. Barry Devlin, Founder and Principal, 9sight Consulting, describes what operational analytics can do for your business and reviews an architectural approach that will enable you to make it a reality.
BMC Control-M - Single Point of Control Demo
With BMC Control-M, you schedule and manage everything - down to the very last platform and application - from one simple interface. It's the foundation of workload automation, really - the ability to run application and business processes as one. Siloed job schedulers can't do it. BMC Control-M can.
Sun Chemical Customer Success Story
Sun Chemical, the world's largest producer of printing inks and pigments, quadrupled its complex batch environment with zero extra headcount using BMC Control-M's Automated File Transfer features.
Spear Phishing and the Modern Cyber Attack
Learn how IT teams can protect against spear phishing tactics. Harry Sverdlove, chief technology officer of Bit9 offers a frank discussion about spear phishing - the most common technique used in today's advanced attacks. Learn how spear phishing works and three recommendations for IT to protect against modern threats.
Newsletter Sign-Up »

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  11. View all Newsletters | Privacy Policy
White Papers » All White Papers

IDC MarketScape: Worldwide Business Process Platforms 2011 Vendor Analysis

Top Reasons to Implement an SOA Governance Strategy: A List for IT Executives

Oracle SOA vs. IBM SOA - Customer Perspectives on Evaluating Complexity and Business Value

Get Serious About SOA Governance: A Five-Step Action Plan for Executives

Mobile Middleware Strategies

Native & HTML5 Mobile Apps: Not an either or, but a where and when

The Evolution of Enterprise Mobile App Development

AlertBoot Case Study

Gilt Groupe Case Study

See Tickets Case Study

STA Travel Case Study

Socialbomb Case Study

Triboo Case Study

PCI DSS Compliance with Stingray Application Firewall Module

PCI DSS Compliance with Stingray Application Firewall Module

Traffic Valuation and Prioritization with Riverbed Stingray Traffic Manager

Virtualization: Benefits, Challenges, and Solutions

Dynamic Video Collaboration in SharePoint

HP Reference Configuration for Premium OLTP

Accelerate Online Transaction Processing (OLTP) database workloads
Sponsored Links

High performance. Delivered. Click to see Accenture's client successes

Master the cloud with the power of convergence from HP

Connect with IT leaders redefining mobility at the Enterprise Mobile Hub

Choose New and manage one device instead of 170

Choose New for 8x the firewall and NAT performance

Check out a smart way of mobilizing your business with enterprise-ready Samsung Mobile.

Redefine your data center with HP servers.

Enhance your business with Windstream IT Solutions. Speak to someone local.

BlackBerry® Mobile Fusion. Different mobile devices. One platform.

CYBERMARYLAND | Learn Why Maryland is the Epicenter for Cybersecurity

Get Ethernet speeds from 1 Mbps to 10 Gbps - Comcast Business Class

Cognizant. Leading in Business, Application & Technology Services

Collaboration: driving better business outcomes

Gain cutting-edge insights at MIT in 2-5 day executive programs.

Click to see how Accenture has delivered high performance to clients

Complimentary Gartner Report on BYOD: Media Tablets & Beyond. View Now

Elevate storage agility and efficiency with HP 3PAR storage.

Choose New and slash the number of devices you manage

Customized information views & Twitter events at New Fulcrum Point

Splunk translates machine data into "aha" moments for IT and the business.

ManageEngine Desktop Central - Automate and Audit Your Desktop Management! Learn More...

Cloud Readiness Starts with Intel® Technology

Visit the Virtually There Learning Page to learn how to use virtualization to your competitive advantage.

Free: Hunter Muller's "The Transformational CIO."

Join us for an upcoming Microsoft 365 live online demo event.

Discover your easiest path to unified communications

Virtualizing Your Infrastructure Just Got Easier

Connect with global CIOs now at Enterprise CIO Forum

Resource Center
buy a link »
Ads by TechWords