How to secure Intranet Web Services (Transport Lay

Published 2019-08-04 11:07

Question:

How do you secure your intranet web services? At our company we are stuck in a discussion about what level of security is necessary to protect our web services.

  • Message Encryption
  • HTTPS (TLS)
  • Both?

Is it useful to build highly secure web services that nobody will use because they are so difficult to implement?

Do you have any experience or resources (links / white papers) for me?

Thanks for your help!

Answer 1:

I can vouch that WS-Security can be difficult to implement, but it gives you much more control over the level of security around your message:

  • Encrypt parts separately header / body
  • Message expiration
  • Digital signatures
  • Authentication
  • More control over encryption and signature algorithms

But if you are looking at internal web services, I find that SSL/TLS is easier to implement and will still provide strong encryption. If you want to add authentication, you can accomplish that with basic auth on the server.

I doubt you would need to use both WSS and TLS, but some of those infosec people will come around shouting "defense in depth" and say it's a good idea in case someone can decrypt your HTTPS session. I used to be one of those guys and probably said that, but I was looking for reasons to justify my boss's consulting fees.

So it really comes down to business requirements and what kind of data you're looking at.

Also, I would consider that a malicious person on an internal network would probably go after your data sources rather than your data in transit.

A little personal experience:

I've implemented WS-Security for government web services but they can go across the public internet. The internal services I've worked on for a financial institution met the audit requirements with HTTPS and basic auth.

Cheers!
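The two options the answer compares, as an added example that is not part of the original post or of any WS-Security library: a message-level layer that gives the properties listed above (a signature over the body and a created/expires window, verified independently of the transport), next to the server-side check for the "TLS + basic auth" alternative. This is a simplified stand-in, not WS-Security itself: real WS-Security uses XML Signature/Encryption with X.509 certificates and a wsu:Timestamp element, whereas here an HMAC-SHA256 over a canonical JSON encoding plays the role of the signature. The shared key, the user database, and the sample SOAP-ish bodies are all constructed for the example.

```python
"""Added example (not from the original post): message-level signing with an
expiry window, in the spirit of the WS-Security properties listed in the
answer, plus the HTTP Basic authentication check a server does when it relies
on TLS for confidentiality instead. The key, users and messages are constructed."""

import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed shared secret (assumption): in a real deployment this would be a
# key distributed out-of-band, or an X.509 key pair for WS-Security.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _signing_input(body: str, created: int, expires: int) -> bytes:
    # Canonical, key-sorted encoding so sender and receiver sign identical bytes;
    # covering the timestamps means an attacker cannot extend the expiry.
    return json.dumps({"body": body, "created": created, "expires": expires},
                      sort_keys=True, separators=(",", ":")).encode()


def sign_message(body: str, key: bytes = SHARED_KEY, ttl: int = 300,
                 now: Optional[int] = None) -> dict:
    """Attach a created/expires window and an HMAC-SHA256 'signature'."""
    created = int(time.time()) if now is None else now
    expires = created + ttl
    sig = hmac.new(key, _signing_input(body, created, expires), hashlib.sha256).digest()
    return {"body": body, "created": created, "expires": expires,
            "signature": base64.b64encode(sig).decode()}


def verify_message(msg: dict, key: bytes = SHARED_KEY, now: Optional[int] = None,
                   skew: int = 60) -> Tuple[bool, str]:
    """Return (ok, reason); rejects tampered, expired and future-dated messages."""
    now = int(time.time()) if now is None else now
    try:
        body, created, expires = msg["body"], int(msg["created"]), int(msg["expires"])
        sig = base64.b64decode(msg["signature"])
    except (KeyError, ValueError, TypeError):
        return False, "malformed"
    expected = hmac.new(key, _signing_input(body, created, expires), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):      # constant-time comparison
        return False, "bad signature"               # body or timestamps altered
    if created > now + skew:
        return False, "created in the future"
    if now > expires:
        return False, "expired"
    return True, "ok"


# --- Transport-level alternative: TLS carries confidentiality, Basic carries identity ---

def hash_password(password: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 hash rather than the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user_db(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a {user: (salt, hash)} table from constructed clear-text passwords."""
    return {u: (salt, hash_password(p, salt))
            for u, p in users.items()
            for salt in [hashlib.sha256(u.encode()).digest()[:16]]}  # demo salt


def check_basic_auth(header: str, db: Dict[str, Tuple[bytes, bytes]]) -> Optional[str]:
    """Validate an 'Authorization: Basic <b64>' header; return the user or None.
    Only meaningful over TLS: Basic sends user:password merely base64-encoded."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    entry = db.get(user)
    if entry is None:
        return None
    salt, stored = entry
    return user if hmac.compare_digest(stored, hash_password(password, salt)) else None


if __name__ == "__main__":
    msg = sign_message("<GetBalance account='42'/>", now=1000)
    print(verify_message(msg, now=1010))
    print(verify_message(msg, now=2000))
    print(verify_message(dict(msg, body="<GetBalance account='43'/>"), now=1010))
    db = make_user_db({"alice": "s3cret"})
    print(check_basic_auth("Basic " + base64.b64encode(b"alice:s3cret").decode(), db))
```

Note that with the message-level scheme the receiver can reject a replayed or altered message even if it arrives over plain HTTP, which is the property the answer credits to WS-Security; with the Basic-auth path everything rests on TLS, so the server must refuse the Authorization header on a non-TLS listener.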