ORLANDO – Security managers at last week’s InfoSec Conference swapped ideas about network defense and raised sharp questions about problems they see with newer technologies such as VoIP and Web services.

Dan Houser, security architect at Nationwide Insurance Enterprises, talked about Web services and the value of the XML-based standard Security Assertions Markup Language (SAML) in facilitating authentication and authorization across companies to do business through a Web portal. Houser said his year-long experience in operating a SAML-based portal has shown additional standards are needed to tackle underlying problems in assuring trust. Nationwide is organizing a group called the Xota Consortium to develop such standards.

“There’s been a tremendous acceleration in e-business in the last 10 years, and the latest is being brought about by Web services,” Houser said.

Web services and the SAML standard let businesses connect directly using cross-company authentication. Nationwide set up a Web portal based on RSA Security ClearTrust software for this SAML-based federated identity authentication with three business partners. But the technology has so far failed to address several practical concerns, he noted.

Federated identity gives users single-sign-on access to multiple sites, but asking one organization to trust the authentication provided by others raises wide-ranging issues, Houser said. These issues include the need to know if and how an organization checks the background of users, if users’ industry license requirements are up to date, and how Web site service-level agreements and time synchronization apply across multiple sites.

Lawyers at Nationwide are deeply involved in trying to pull back on what business managers and IT staff want to do with Web services and SAML until lengthy contracts are concluded among all the partners in Web services.
Building trust

Nationwide is organizing a group called The Xota Consortium, which plans to develop XML-based standards:

• To determine trustworthiness in real time between business partners.
• Continuously assess contractual compliance.
• Address technical issues not covered in SAML, such as time synchronization.
• Deal with business issues related to trust governance.

“A business agreement must define this, but business and legal are tugging at different directions, and it’s taking months to work through it,” said Houser, who added that he thinks Nationwide was the first business to operate a SAML-based Web services portal.

Nationwide says there are many Web services business-trust issues that would benefit from building a consensus. That’s the goal of the Xota Consortium, which also plans to develop XML-based software to enforce Web services trust arrangements.

“Trust policies are harder than the technology,” Houser added.

Some of the sharpest security critiques at InfoSec were aimed at VoIP equipment based on Session Initiation Protocol (SIP).

“The threat is that there is a lack of authentication on the phone,” said Guy Hadsall, senior consultant in the security and fraud division of Telcordia Technologies. “The SIP phones – Nortel and Cisco in particular – have had issues with end-user authentication and ways to hack them.”

“Phreakers [those who target entry through phone systems] and hackers have united globally over the last few years, and they’re still after your voice-mail system,” Hadsall said. He said every Telcordia evaluation of VoIP gateways and switch equipment showed that resellers are shipping VoIP equipment with default passwords turned on, which makes it easy for hackers to break in.

Hadsall also pointed out that the type of IP attacks seen on the Internet today, including worms and denial-of-service (DoS) attacks, can be expected to be a problem in VoIP networks.
Launching a DoS attack against VoIP phones and gateway controllers is “child’s play,” he said.

Although VoIP products are getting better, interoperability challenges remain in getting VoIP phone components to work across vendor product lines, he added. The global standards group International Telecommunication Union has a draft recommendation out, X.805, that defines the basic security challenges and recommends policies, incident response and recovery.