Securing services
Having looked at the additional complications that SOA brings to the security
infrastructure, let us examine how SOA Suite enables us to secure our services. We
will look at securing services based on what application is calling them as well as
securing services based on the end user for whom the request is being made.
We will also look at the best places to apply security to our services.
Security outside the SOA Suite
There are several things we can do to secure our services without using the facilities
available in the SOA Suite. The following are some of the ways in which we may
provide security by configuration of the network and server environment in which
our services execute.
Network security
An integral part of an SOA solution will usually be firewalls, which restrict access
to different networks within the enterprise. A common model is to have a front-side
network that receives requests from external clients and a back-side network that
can receive requests from other services but cannot be accessed directly by external
clients. Machines that need to be accessed externally will have access to both the
front-side and the back-side networks and will act as application bridges between
the two, as there is no network-level connection between them.
Preventing message interception
We can improve security by encrypting all messages between services by using
SSL (Secure Sockets Layer). This requires the web servers hosting our services to
be configured with certificates and to accept requests only across SSL connections.
Basically, this means disabling HTTP access and only allowing HTTPS access to our
servers. This has a performance overhead, as all messages must be encrypted before
leaving the client machine and decrypted on arriving at the server machine. The
server-side encryption overhead may be reduced by the use of hardware accelerators,
either embedded in the network card or in the network.
If all the machines are on the same physical switch, then messages between services
are effectively secure because they can only be seen by the client and server
machines. This allows us to configure our servers to accept HTTP requests from
machines on the same switch, but only accept HTTPS requests from machines that
are not on the same switch.
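The transport rule described above, written as a check a listener or log audit could apply. This is an added example, not code from the book or from SOA Suite. It assumes the same-switch machines can be identified by one subnet (10.20.30.0/24 is a constructed value), and the function names and sample records are hypothetical.

```python
import ipaddress

# Assumption: machines on the same switch share this subnet (constructed value).
SAME_SWITCH_NETS = [ipaddress.ip_network("10.20.30.0/24")]

def _peer(addr):
    """Parse the socket peer address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr)
    return getattr(ip, "ipv4_mapped", None) or ip

def allow_request(peer_addr, is_tls):
    """HTTPS is accepted from anywhere; plain HTTP only from same-switch peers.

    peer_addr must be the address of the TCP connection itself. A value taken
    from a request header such as X-Forwarded-For is set by the client and
    cannot be used for this decision.
    """
    if is_tls:
        return True
    try:
        ip = _peer(peer_addr)
    except ValueError:
        return False  # unparseable peer address: fail closed
    return any(ip in net for net in SAME_SWITCH_NETS)

# Constructed sample of (socket peer address, scheme) pairs.
SAMPLE = [
    ("10.20.30.15", "http"),        # same switch, plain HTTP: allowed
    ("10.20.31.15", "http"),        # neighbouring subnet, plain HTTP: rejected
    ("203.0.113.9", "https"),       # off switch, HTTPS: allowed
    ("::ffff:10.20.30.7", "http"),  # same-switch peer as seen by a dual-stack listener
    ("not-an-address", "http"),     # malformed: rejected
]

def violations(records):
    """Return the records that the policy rejects."""
    return [(p, s) for p, s in records if not allow_request(p, s == "https")]

if __name__ == "__main__":
    for peer, scheme in violations(SAMPLE):
        print("reject", scheme, peer)
```
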
 