
There are a number of security technologies that repeatedly arise in diverse corporations when they identify their security requirements. We provide an overview of these common security requirements, explain how the collection of security technologies solves a host of diverse problems, and offer some general recommendations on their use.

Figure 3.1 expands on the description of the enterprise security technologies that were introduced in Chapter 1, “Overview of Web Services Security.” As you may recall, perimeter security serves as the first line of defense and primarily protects against hostile attackers outside of an organization. Mid-tier security serves as the second line of defense, providing another layer of protection against external attackers, and also protecting against attackers who are located within an organization. Back-office security provides the third layer of defense by protecting the back-office legacy servers that contain an organization’s most valuable resources. The combination of these three tiers of security makes it extremely difficult to mount an attack; even if one tier fails, the other tiers will still serve to defend against the vast majority of attacks.

There are a number of security services that are used within these tiers. These security services include:

■ Cryptography, which protects communications from disclosure or modification by using encryption or digital signatures

■ Authentication of principals by means of passwords, tokens, public key certificates, or secret keys

■ Authorization of access to resources, including sending/receiving packet transmissions, access to a specified Uniform Resource Locator (URL), invocations on a target component interface/operation, or access to a back-office resource (that is, a file or database record)

■ Security association to establish trust between client and target components

■ Delegation, which allows a delegated principal to use the identity or privileges of an initiating principal so that the delegate may act on behalf of the initiating principal

■ Accountability, which provides a record of security-related events to permit the monitoring of a client invoking on a target or accessing back-office resources

■ Security administration, which maintains the security policy embodied in user profiles, access control lists (ACLs), passwords, and other data relevant to the security technology

Figure 3.1 Enterprise security technologies.

Security services in the perimeter tier face outward toward an external network, which is typically the Internet. Because the perimeter may need to accommodate requests from virtually any client on the Internet, perimeter security mechanisms are designed for high performance and are usually coarse-grained. By coarse-grained, we mean that the decision of whether a client is authorized to perform a request is based on a simple criterion, such as whether the client may use a protocol on a specified port. Perimeter security services focus on cryptography, authentication, and authorization. Technologies that support the security services at the perimeter include operating systems, Web servers, single sign-on (SSO), cryptographic protocols, firewalls/VPNs, and intrusion detection. Since this chapter concentrates on the basics of Web Services security, we focus our discussion on several of these perimeter technologies that are needed in virtually any Web Services deployment. We discuss firewalls/VPNs and intrusion detection in Chapter 12, “Planning and Building a Secure Web Services Architecture.”

Next, we briefly describe mid-tier and back-office security so you have some perspective on how Web Services security relates to other security mechanisms used throughout the enterprise. For more advanced applications, you’ll need to understand in more detail how Web Services security fits together with other security technologies as part of a complete end-to-end solution. Chapter 12 discusses this topic in depth in the context of building integrated Web Services systems.

[Figure 3.1 labels: HTTP client, Web server, application servers, data access/legacy connectors, data stores. Perimeter security, first line of defense, protection against external hackers: firewalls/VPNs, cryptography, Web-based security servers, intrusion detection. Mid-tier security, second line of defense, protection against insider attacks: component-based security, cryptography, entitlement servers. Back-office security, third line of defense, protection of back-end servers: mainframe security, database security.]

Security services in the mid-tier provide a general set of protection mechanisms for the business logic. Mid-tier security technologies are, in effect, extensions to the underlying operating system because they provide security at the application layer similar to the security that operating systems provide to protect underlying platform resources (for example, files and devices). Mid-tier security does not focus on providing protection against outside attackers, as is the case in perimeter security. Instead, mid-tier security treats all business components as potentially suspicious, and generally requires security checks as part of any component-to-component interaction. Mid-tier security services focus on cryptography, authentication, authorization, security association, delegation, and accountability.
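To make the contrast between the coarse-grained perimeter decision described earlier and the per-invocation mid-tier checks concrete, here is an added toy model (example code written for this chapter, not the book's or any product's implementation). It passes each request through a perimeter rule keyed only on protocol and port, then through a mid-tier ACL keyed on the effective principal's role, component and operation, resolving delegation and writing an accountability record at each step. The components, roles, ACL entries, principals and requests are all constructed assumptions.

```python
"""Added example: two tiers of defense in miniature.

The perimeter makes a coarse-grained decision (may this client use this protocol
on this port?) without consulting the caller's identity. The mid-tier makes a
fine-grained decision for every component-to-component invocation (may this
principal call this operation on this component?), honouring delegation and
recording an accountability event. All policies and requests are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Perimeter policy (constructed): allowed (protocol, port) pairs only.
PERIMETER_ALLOW = {("https", 443), ("http", 80)}

def perimeter_allows(protocol: str, port: int) -> bool:
    """Coarse-grained check: identity is never examined here."""
    return (protocol.lower(), port) in PERIMETER_ALLOW

# Mid-tier ACL (constructed): role -> set of (component, operation) it may invoke.
MIDTIER_ACL = {
    "customer": {("OrderService", "placeOrder"), ("OrderService", "viewOrder")},
    "clerk": {("OrderService", "viewOrder"), ("OrderService", "cancelOrder")},
}

@dataclass
class Principal:
    name: str
    roles: frozenset
    on_behalf_of: Optional["Principal"] = None  # set when acting as a delegate

    def effective(self) -> "Principal":
        """Delegation: the delegate acts with the initiating principal's identity."""
        return self.on_behalf_of.effective() if self.on_behalf_of else self

@dataclass
class Request:
    protocol: str
    port: int
    principal: Principal
    component: str
    operation: str

@dataclass
class AuditLog:
    """Accountability: one record per security decision, attributed to the
    effective (initiating) principal rather than the delegate."""
    events: list = field(default_factory=list)

    def record(self, tier: str, req: Request, decision: str) -> None:
        who = req.principal.effective().name
        self.events.append(f"{tier}: {who} {req.component}.{req.operation} -> {decision}")

def midtier_allows(req: Request) -> bool:
    """Fine-grained check applied to every invocation, whether the caller arrived
    through the perimeter or is another internal component."""
    effective = req.principal.effective()
    return any((req.component, req.operation) in MIDTIER_ACL.get(role, set())
               for role in effective.roles)

def handle(req: Request, audit: AuditLog) -> str:
    """Run a request through both tiers; the first denial wins."""
    if not perimeter_allows(req.protocol, req.port):
        audit.record("perimeter", req, "DENY")
        return "denied-at-perimeter"
    audit.record("perimeter", req, "PASS")
    if not midtier_allows(req):
        audit.record("mid-tier", req, "DENY")
        return "denied-at-mid-tier"
    audit.record("mid-tier", req, "ALLOW")
    return "allowed"

def demo():
    """Three constructed requests showing where each tier stops a request."""
    audit = AuditLog()
    alice = Principal("alice", frozenset({"customer"}))
    web_server = Principal("web-server", frozenset(), on_behalf_of=alice)  # delegate
    results = [
        # Rejected by the coarse perimeter rule before any identity check.
        handle(Request("telnet", 23, alice, "OrderService", "viewOrder"), audit),
        # Passes the perimeter, but a customer may not cancel orders: mid-tier denies.
        handle(Request("https", 443, alice, "OrderService", "cancelOrder"), audit),
        # The web server acting for alice obtains alice's privileges via delegation.
        handle(Request("https", 443, web_server, "OrderService", "placeOrder"), audit),
    ]
    return results, audit.events

if __name__ == "__main__":
    res, events = demo()
    print(res)
    print("\n".join(events))
```

The second request is the point of the model: it is exactly the kind of request the perimeter is not designed to catch, and only the mid-tier's per-invocation check, which treats every caller as suspect, stops it. The audit records name the initiating principal, so a delegate's actions remain attributable to the user on whose behalf it acted.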

Technologies that support mid-tier security services include component-based security servers, cryptographic protocols, and entitlement servers. We discuss component-based security servers extensively in Chapter 7, “Security of Infrastructures for Web Services,” since much of the security infrastructure for Web Services is built on top of component-based systems such as J2EE, COM+, .NET, and CORBA.

Security services in the back-office tier protect the resources in back-end servers. The security mechanisms that protect back-office legacy systems have been in place for a long time and are quite mature. In the past, these security mechanisms have been used to guard against direct client/server access to sensitive back-office server resources. Today, enterprises are adapting the same mechanisms to guard against back-office server access via the perimeter and middle tiers. Back-office tier security services focus on cryptography, authentication, authorization, and accountability.

Technologies supporting back-office security services include mainframe security and database security, which we discuss in Chapter 12.

In the sections that follow, we provide the basics on a set of security technologies for the perimeter tier that will be enough to get you started with Web Services security. We concentrate on technologies supporting cryptography and authorization, but we also give you an overview of authorization.