NEbraskaCERT CSF
Web Services
Matthew G. Marsh
Chief Scientist,
NEbraskaCERT
March 2003 CSF
Slide 1
Overview
• Web Services
  – What is it
  – Why is it
  – Who cares
• Styles of Web Services
  – XML, SOAP, WSDL, UDDI
    • and other picture postcards…
  – REST
    • On easy street…
• Architecture(z)
  – These are words with a Z this time…
Slide 2
Web Services
• What is it
  – Services you get over the Web
    • What s’matta – you deef… Sheesh.
    • Web – you know – that Netscape OS thingie
  – QoS – Mass entertainment
• Why is it
  – Good buzzword for sales pitches
  – You don’t understand – Mr. Sales Puppet does!
• Who cares
  – Your Boss read about it in an airline magazine
  – So now you care
Slide 3
Web Services – Part Deux
• Data Representation
  – What is the definition of data
• Intercommunication
  – How do I manipulate data
• Description
  – What does my data look like
• Discovery
  – Where is my data
Slide 4
Styles of Web Services - .1
• XML, SOAP, WSDL, UDDI
  – XML – eXtensible Markup Language
    • Same as SGML only k3w1r
  – SOAP – Simple Object Access Protocol
    • Uh-huh – Remember ASN.1 …
  – WSDL – Web Services Description Language
    • The XML way to say “Web Site”
  – UDDI – Universal Description, Discovery and Integration
    • X.500 is simple by comparison
Slide 5
Styles of Web Services - .01
  – XML – Defines your Data!
    • In a separate file of course
    • And what happens if that file is corrupt…
  – SOAP – Remember RPC – this is RPC!
    • Only better because it comes in over port 80 and you cannot tell what it is doing unless you run it.
    • Bye Bye Filtering Proxy…
  – WSDL – XML to define your Web Site
    • And what if I change one wee little bit
    • Oh naughty – don’t do that!
  – UDDI – X.500 taken to the logical extreme
    • So you know where the site is that specifies where all the other k3w1 sites are but you would not touch that… I mean that would be like making free long distance calls by whistling into the phone dude….
Slide 6
Styles of Web Services - .2
• REST – Representational State Transfer
  – Remember GOPHER protocol
    • Ahhh Archie and Veronica
• What made the WWW take off back in 1991
  – URL – Uniform Resource Locator
  – HTTP – HyperText Transfer Protocol
• The core of the WWW is the combination of a global resource location scheme using DNS (URI/URL) with a simple and easy resource consumption mechanism (HTTP).
Slide 7
Styles of Web Services – 0xff
• Consider how you, as a graphical consumer, know how the web page you are looking at was created
• No peeking at the source!!
• Hmmm – no clue – eh?
• Was it static or dynamic?
• How do you tell?
The internal representation of a resource is IRRELEVANT!
• So why would you want to use an externally defined, RPC driven “service” that requires a complex fat client merely to display your warez?
Slide 8
The Answer
Because you want to violate something!
After all – Security is just a cost center
Slide 9
Architecture
• Traditional Web Services must only run in an n-tier environment
    • That is pronounced “ahn – tear” “ehn-virulent”
Slide 10
Architecture - Concepts
• n-Tier Architecture
  – Traditional separation of processing duty.
  – Similar to the concept of an exploded mainframe
    • Presentation (Green Screen)
    • Processing (COBOL)
    • DataBase (oh yuck – pick your own horror…)
• But since this is “exploded” we can actually obtain access to the points in between
• Even better we can slip in and reside within the middle or back systems
• Consider the difference between a SOAP procedure to index your DB and Melissa LovinU…
• Personally I can wait to see the first SOAP virii…
Slide 11
Architecture - Concepts
• Protection Mechanisms
  – Document your software
    • Yes – this means UML and Data Flow Diagrams
      – Unified Modeling Language
  – Good Programming and Design Practices
  – Respect GIGO
  – Leverage the Synergy of Parallelistic Realities
    • Ummm – y’know – use _lots_ of Snort probes…
  – Consider the simplest representation of the data
    • AND USE IT
  – Try to constrain data type flow
    • SOAP in – XML out
  – Understand the systematic structure
  – Strive for ISN or at least respect PoI
Slide 12
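A defender-side counterpart to the SOAP slide's "you cannot tell what it is doing unless you run it" and to the "constrain data type flow" item above: an added example, not from these slides, of a SOAP-aware allow-list check a filtering proxy could apply to an inbound HTTP request, classifying the call from the envelope without executing it and failing closed on corrupt XML. The endpoint path, the urn:example namespace and the operation names are hypothetical.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
# Hypothetical policy for one endpoint: the only operations it is allowed to expose.
ALLOWED_OPERATIONS = {"GetCatalogItem", "ListCatalog"}

def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers, body

def soap_operation(body: bytes):
    """Local name of the first child of soap:Body, or None if the body is not a
    well-formed SOAP 1.1 envelope.  A DOCTYPE is refused outright: a proxy has no
    business resolving entities on a client's behalf."""
    if b"<!DOCTYPE" in body:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None                      # corrupt XML: fail closed, do not guess
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return None
    soap_body = root.find(f"{{{SOAP_ENV}}}Body")
    if soap_body is None or len(soap_body) == 0:
        return None
    return soap_body[0].tag.rsplit("}", 1)[-1]   # "{urn:x}Op" -> "Op"

def proxy_verdict(raw: bytes) -> str:
    """'pass' for ordinary web traffic, 'allow' for a permitted SOAP operation,
    'deny' for anything SOAP-shaped that is malformed or not on the allow-list."""
    method, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    soap_shaped = ("soapaction" in headers or b"Envelope" in body
                   or ctype.startswith(("text/xml", "application/soap+xml")))
    if method != "POST" or not soap_shaped:
        return "pass"
    return "allow" if soap_operation(body) in ALLOWED_OPERATIONS else "deny"

def sample_request(body_xml: str) -> bytes:
    """Constructed sample POST (not captured traffic) wrapping body_xml in a SOAP envelope."""
    env = f'<soap:Envelope xmlns:soap="{SOAP_ENV}"><soap:Body>{body_xml}</soap:Body></soap:Envelope>'
    return (f"POST /catalog HTTP/1.1\r\nHost: shop.example\r\nContent-Type: text/xml\r\n"
            f'SOAPAction: ""\r\n\r\n{env}').encode()
```

Plain GET and form POST traffic passes untouched; only requests that look like SOAP are parsed, and an operation that is not on the endpoint's list, an empty Body, a truncated envelope or a DOCTYPE all end in "deny".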
This is The
Slide 13