Businesses need to give their users a way to connect securely to
corporate networks while keeping the cost of providing that service
low and making it as convenient as possible for end users.
As businesses embrace Web services as the method for delivering their
applications, they are struggling with security issues. Network World
recently reported that the top worry for IT executives deploying Web
services is security. SSL (Secure Sockets Layer) can provide a viable
alternative to Virtual Private Networking (VPN) companies for
securing Web services.
Remote Access
Originally, remote end users connected to their corporate networks
using dial-up modem services over POTS (plain old telephone service).
This essentially provided businesses with a private connection to an
end user, albeit temporary in nature. The primary security concern
was one of authentication of the end user - guaranteeing that the
business was letting the right people access the network through its
modem pool.
As the Internet became ubiquitous, businesses longed for a way to
eliminate the long-distance charges generated by their dial-up remote
access services. End users were dialing into their ISPs locally to
access the Internet with no long distance charges - why not just let
them access the corporate network via the Internet? The simple answer
was security. VPN companies came to the rescue.
VPNs
VPNs typically put specialized software on the client machines as
well as a machine acting as the gateway to the corporate network.
These pieces collaborate to encrypt traffic between the end points,
guarantee the identity of the remote users accessing the corporate
network, and guarantee that end users connect to the right place.
Businesses can enjoy the savings of eliminating long-distance charges
while maintaining the security of a private connection.
There is, however, a downside. The specialized software that has to
go on the client machine costs both time and money. The client
software itself must be purchased and installed on every client
machine that will be enabled to access the corporate network. Anyone
who's been involved in these rollouts knows that words like
"incompatible," "conflicting programs," and "pilot error" make the
cost of deploying this crucial service much higher than simply the
price of the software at the end points - especially when dealing
with thousands of remote users.
SSL
The Internet, of course, was (and is) growing by leaps and bounds.
But consumers at large were wary of sending their credit card
information over the Internet and being defrauded. SSL was
popularized as a method to eliminate this concern. As long as the
little lock or key icon popped up in the end user's browser, he or
she felt more at ease and willing to conduct transactions over the
Internet.
Originally, SSL delivered two basic functions:
- It allowed the browser to be certain that the site being
connected to was genuinely the one requested (by using a form of
authentication).
- It secured the data that was in transit between a browser and
a Web server by using encryption.
SSL allows end users to guarantee the identity of the server to which
they're connecting. Certificate authority (CA) companies such as
VeriSign sell certificates that are installed on the SSL server. The
CA acts as an objective third party that forces the business
requesting the certificate to prove its identity prior to being
granted a certificate. End users or browsers can verify that the SSL
server to which they're connecting has a valid certificate issued by
a CA and actually belongs to the business to which they're attempting
to connect using SSL. Finally, certificates are the mechanism used to
associate a unique key used for encryption with a particular SSL
server.
The browser and server exchange key material in order to negotiate
an encrypted session. SSL then encrypts data while it's flowing
between the end user and the SSL server, securing the traffic while
it's in transit.
These functions have been crucial to the success of online business.
Without them, end users wouldn't have the peace of mind needed to
share information required for completing business transactions over
the Internet.
So Why Not Just Use SSL Instead of VPNs?
Every system used to connect to the Internet already has the client
software installed by default, because SSL is built into every
browser. End users are familiar with it. SSL is a widely adopted
standard. There's no cost for the client software. There are no
integration issues on either the client or corporate network side. So
what's missing?
The majority of the SSL benefits discussed have been end
user-centric. In order for SSL to be successfully used as a viable
alternative to VPNs, another element is necessary - essentially, a
method to control which clients are allowed access to the corporate
network. The SSL-based solution must be able to guarantee the
identity of the end user attempting to access the corporate network
and decide whether he or she is allowed access. This can be
accomplished using client certificates. The company can simply act as
its own CA and have end users download certificates. This allows
coverage of the basic security tenets: "who you are" (typically a
user ID), "what you have" (in this case a valid company-issued SSL
certificate), and "what you know" (a password).
This method allows the company to guarantee that only end users with
valid certificates are able to access the network. The authentication
must occur at a gateway point prior to the remote user's actually
gaining access to the network. The key is having a gateway solution
that allows a business to enforce these policies easily. With that in
place, we have the security issues addressed - encrypted traffic
between the end points, guaranteed identity of the remote users
accessing the corporate network, and a guarantee that end users are
connecting to the right place - all without the cost or
administration problems associated with VPN solutions.
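One way to build the gateway described above, as an added example that is not from the article or from F5: a Python standard-library sketch in which the TLS handshake admits only certificates issued by a hypothetical in-house CA, and a policy layer then ties the certificate subject to a user ID and password before any network access is granted. COMPANY_CA_CN, the certificate file paths, the sample peer-certificate dict and the password database are all constructed for illustration.

```python
import hashlib
import hmac
import ssl

COMPANY_CA_CN = "Example Corp Remote Access CA"  # hypothetical in-house CA

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "jdoe"),), (("organizationName", "Example Corp"),)),
    "issuer": ((("commonName", COMPANY_CA_CN),),),
    "notBefore": "Jan 01 00:00:00 2020 GMT",
    "notAfter": "Jan 01 00:00:00 2030 GMT",
}

def make_gateway_context(server_cert, server_key, company_ca, crl=None):
    # Handshake-level gate: only certs chaining to the company CA are accepted.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_cert, server_key)   # proves the gateway's identity
    ctx.load_verify_locations(cafile=company_ca)   # public CA bundle is NOT loaded
    ctx.verify_mode = ssl.CERT_REQUIRED            # no client cert, no session
    if crl:  # a lost laptop's certificate is revoked, not the whole CA
        ctx.load_verify_locations(cafile=crl)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx

def _rdn(name, key):
    return next((v for rdn in name for k, v in rdn if k == key), None)

def cert_is_company_issued(cert, now):
    # Policy on top of chain validation: issuer is the remote-access CA itself
    # and `now` (seconds since epoch) falls inside the validity window.
    if _rdn(cert["issuer"], "commonName") != COMPANY_CA_CN:
        return False
    return (ssl.cert_time_to_seconds(cert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"]))

def enroll(password, salt):
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
SAMPLE_PASSWORD_DB = {"jdoe": enroll("correct horse", b"constructed-salt")}

def authorize(cert, password, password_db, now):
    # "What you have" (cert), "who you are" (subject CN), "what you know" (password).
    if not cert_is_company_issued(cert, now):
        return False, "certificate not issued by the company CA or not valid now"
    user = _rdn(cert["subject"], "commonName")
    salt, digest = password_db.get(user, (b"no-such-user", b""))  # constant work
    if not hmac.compare_digest(enroll(password, salt)[1], digest):
        return False, "unknown user or bad password for %r" % user
    return True, user
```

Chain validation in the handshake already rejects certificates not signed by the company CA; the extra issuer check matters only if the trust file ever contains more than one CA.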
Coexistence
While the SSL solution works perfectly to secure Web services or
Web-enabled applications and address the concerns expressed by IT
executives, VPN technologies provide a few things that SSL can't -
dictating that the technologies coexist. VPNs provide a solution for
applications that aren't Web enabled, such as client/server-based
applications, print services, and general file sharing. While SSL can
certainly address downloading files through a browser, there isn't a
solid solution for the other two applications at this time.
Businesses now have the opportunity to supply an SSL-based solution
to the 80% of their user population that likely uses only 20% of the
applications available (VPN services will continue to be required for
the other 20% of the population). This shift will result in
tremendous savings for businesses in terms of both time and money
through:
- Elimination of costs associated with specialized client software
- Reduced help desk calls
- Lowered demands on IT
- Increased ease of use for remote users
Conclusion
Not exactly "adios VPNs, hello SSL." But as businesses embrace Web
services through such efforts as Microsoft's .NET strategy (and
J2EE-based platforms for Web services) and the Web enabling of most
major business applications available now or within the near future,
IT executives will be able to say "adios" to VPNs for a greater
percentage of their end users and enjoy the bottom-line benefits as a
result.
Reference
Fontana, John. (2002). "Top Web services worry: Security." Network World. www.nwfusion.com/news/2002/0121webservices.html?docid=7747
Author Bio
Jeff Browning is a product manager at F5 Networks, Seattle. F5 is a
leading provider of integrated products and services that manage,
control, and optimize Internet traffic delivery.
j.browning@f5.com
Copyright © 2004 SYS-CON Media, Inc. All Rights Reserved. E-mail: info@sys-con.com