There is More to SOA Security Than Authorization and Authentication

You don't have to make your SOA services impenetrable. You simply have to make them harder to crack than everyone else's. Use port knocking as an added level of security and crackers won't even know you're there.

Mon, July 28, 2008

CIO — Many years ago, I admired my sister's deadbolt. I made a silly comment as to how it looked like it would be impossible to break into the New York City apartment. My brother-in-law corrected me. "It's not impossible. It doesn't have to be," he said. "It just has to be harder to break into this apartment than into the other apartments." Think of it as a variation on the joke, "I don't have to outrun the bear. I just have to outrun you."

Now consider this facet of SOA. One of the greatest things about SOA services is that they are discoverable. And one of the worst things about SOA—from a security perspective—is that services are discoverable. In many cases, a cracker simply needs to scan for open ports on your servers to find out that you have a service on a given port. After that, the cracker only needs to figure out how to break your authentication mechanism. Depending on the service, the SOA component could give away everything else the cracker needs to know to access sensitive data.

Obviously, you can choose a superb authentication process to shore up your security. That may be enough. But why not add another layer of protection so that your services are harder to crack than the ones next door?

One particularly useful technique, especially if you are responsible for building custom client software to access your SOA components, is to hide your services behind a firewall protected by port knocking.

Before we look at how port knocking works, let's have a micro-tutorial on ports. Every network-accessed service on the Internet uses ports. For example, your Web server, if you have one, most likely uses the standard port, which is port 80. Your Internet e-mail server is probably using port 25. There are many standard ports for common services. Some services use non-standard port numbers, and some services even pick a port number almost at random. Crackers can discover what services your company supports by scanning all the ports on your servers. The port scanners simply knock on your server's door at port 1, check for a response, then knock at port 2, check for a response, and so on, sequentially. If your server responds at port 25, then the cracker has most likely discovered that you have an e-mail server, and can also figure out from the response what kind of e-mail server you have and what types of security you are using.
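
The sequential scan described above leaves a recognizable trail in connection logs. The following detector is an added example, not part of the original article; the log format, thresholds, function names and sample addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample, one attempt per line: <epoch-seconds> <source-ip> <dest-port>
SAMPLE_LOG = """\
1000 198.51.100.7 1
1000 198.51.100.7 2
1001 203.0.113.20 80
1001 198.51.100.7 3
1001 198.51.100.7 4
1002 198.51.100.7 5
1002 198.51.100.7 6
1030 203.0.113.20 25
1031 198.51.100.7 7
1032 198.51.100.7 8
"""

def parse(log_text):
    """Yield (timestamp, source, port) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not (parts[0].isdigit() and parts[2].isdigit()):
            continue
        yield int(parts[0]), parts[1], int(parts[2])

def longest_consecutive_run(ports):
    """Length of the longest run p, p+1, p+2, ... in the order ports were hit."""
    best = run = 1
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_scanners(log_text, window=10, min_ports=5):
    """Return {source: longest sequential run} for sources that touched at
    least min_ports distinct ports within any window-second span."""
    by_source = defaultdict(list)
    for ts, src, port in sorted(parse(log_text)):
        by_source[src].append((ts, port))
    flagged = {}
    for src, events in by_source.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale events
            ports = [p for _, p in events[start:end + 1]]
            if len(set(ports)) >= min_ports:
                run = longest_consecutive_run(ports)
                flagged[src] = max(flagged.get(src, 0), run)
    return flagged
```

The client that only visits ports 80 and 25 is not flagged, while the source walking ports 1 through 6 within a few seconds is reported with its sequential run length.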
