WS-SecurityPolicy Decision and Enforcement for Web Service Firewalls

A known weakness of Web Services is their vulnerability to Denial of Service attacks exploiting XML processing characteristics. To protect Web Services from these attacks, extended validation of SOAP messages—considering WS-Security and WS-SecurityPolicy—is made. For SOAP security is message oriented, the processing of the security content itself is vulnerable to Denial of Service attacks. Hence, it is necessary to combine WS-Security processing and DoS protection. In this paper, we present our solution for WS-SecurityPolicybased policy decision within Web Service Firewalls. For this, we give a technical description and an algorithm addressing major parts of policy decision, as well as a proposal for enhancing message signature identification. Further, we argue for advancing protection of Web Services by improved policy enforcement. This paper contributes to understanding the complexity of protecting Web Services by security gateways.