It is important to note that one of the main focuses of the Sentry XML appliance is, and has always been, XML security. Right out of the box there are many security features enabled by default, and the fact that your clients are accessing Sentry and not your back-end service directly is a major security benefit in itself. Forum Sentry is the industry's only patented XML Security Gateway that is both FIPS 140-2 certified and DoD PKI certified. For a good overview of Sentry's focus on security please click here.
You can also find many whitepapers regarding security around XML and Web Services here. We recommend starting with the "Best Practices in Deploying SOA Gateways" and the "Attacking and Defending Web Services" papers for a good introduction.
There are many features of Sentry related to securing XML that SHOULD always be utilized. These features include:
- SSL (with or without Mutual Auth)
- XML Encryption/Decryption
- XML Signature/Verification
- Intrusion Detection and Prevention (IDP Rules)
- Pattern Matching
- Anti Virus scanning
- Identity and Access Control (many different ways to accomplish this)
- Use SSL with all externally facing services. All network listeners should use SSL (HTTPS). Start by enable SSL, and then consider enabling SSL with Mutual Authentication. SSL with client/server auth allows you to verify the client cert (and tie it to a specific user). At the very least, the network listeners should be HTTPS (SSL). For FTP traffic, Sentry supports FTPS (TLS or SSL) and OpenPGP encryption, decryption, signatures, verification.
- Use IP ACLs on your network listener policies to only allow incoming traffic from specific IP addresses or IP ranges. If a client tries to connect from an unknown IP range the connection will be rejected.
- Tighten existing IDP rule thresholds or add new IDP rules depending on your specific criteria.
- Enable Anti Virus Scanning.
- Consider creating custom Pattern Match policies to catch specific text strings. This helps to ensure no confidential data is leaked out with the response messages and prevents any harmful XML attacks coming into the service.
- Consider using XML encryption and XML decryption with your trading partners. The trading partners would encrypt the request data before sending to Sentry, the request data is then decrypted on Sentry. For response processing, Sentry would encrypt the response data before sending it back to the client.
- Consider using Schema Tightening and advanced validation options with your WSDL policies.
- Utilize Sentry's built in PKI infrastructure. Create, import, and store all keys related to the security of your services within Sentry. For added PKI security upgrade to the Sentry appliances that include the FIPS Level III HSM.
How to tell if your services are secure?
In addition to the recommendations above for tightening the security of your services with Sentry, we strongly recommend you perform some security/vulnerability/penetration testing of your services hosted on Sentry. You can use SOAPSonar from Crosscheck Networks to perform this testing. This is a great tool for functional and performance testing as well, but there is patented technology focused on security/vulnerability testing that you won't find with any other SOA test tools.
For instance, SOAPSonar includes a Vulnerability mode that enables the user to run scans against your services and report any potential issues - and explain how to fix them! In addition, if you configure SSL, encryption/decryption, or other WS Security features on Sentry, you can use this tool to test these features.
You can download a free evaluation of SOAPSonar here.
