Securing web services is usually realized by hardening application-level and network-level. Explain in details how each of these aspects can influce the security of web service and how it is implemented?

 

Web services security is the technical and administrative processes applied to the system to guarantee integrity, confidentiality, and the availability of the information shared by the Web service. Security seems to have the inherent nature of covering several various levels of the web services structure. Vulnerabilities in the web services may be available in the network, database, operating system, maybe in the web server or the application server.  

As we know that the Internet security frameworks provide an IP layer (network) with IP security (IPsec).IPsec provides packet-level encryption and authentication and is usually applied at the level of the operating system. IPsec is a service which is open to all type of applications accessing the Internet, including the Web servers. In fact, although this ensures that IPsec connection is usually part of a different security setup among communication parties. In other terms, for the web services using the IPsec, an IPsec interaction session must be formed in advance of executing a web service, normally by the consumer, so nothing in the web services framework is used to set up the IPsec session. IPsec has been most widely found in the Virtual Private Network and the Firewall software, which many businesses use to encrypt the communications among the remote users and corporate networks. Many VPN solutions are still commonly used as the security foundation for Web services, much like they would be used for any other Web application.

Application-level security depends on XML structures that describe message integrity, confidentiality, and authenticity (also recognized as the message security), the message structure, infrastructure security, and the federation. At the application level, the WS-Security structure specifies the SOAP headers which contain the information required to encrypt messages. The web services Security specification specifies the protection header for the SOAP messages and also what may be used in the header. The Related Requirements specify the elements of SOAP Security Headers as well as the processing rules. Since Web servers expose links to programs and the data stores, their uses introduce external security conditions. In comparison, complicated web services can span numerous network positions that have been actively discovered or merged into larger interactions including the process flow. Web providers require an end-to-end security architecture for the whole conversation, since confidential information may be transmitted from service to service. Interactions with Web providers can often potentially include several entities using various security-related technologies.

Please see the attached file for the complete solution