
How should *intranet* REST API calls be secured?

Here's the scenario. A user outside the firewall takes a UI action in the browser. The browser makes a REST API call to system A (and is authenticated and authorized at or near the point of entry past the firewall). System A (inside the corporate network firewall) makes a REST API call to system B (also inside the corporate network firewall).

How much security is sufficient for the "internal" REST API call from system A to system B, considering that authentication and authorization already occurred at the entry point to system A?

Like anything else, it depends on the sensitivity of the data involved, and the level of risk vs. how much the organization wants to spend.

Usually, using strongish SSL (an https connection) is considered good enough. You may need to include an authentication mechanism if you need to audit which System A submitted the request; for this you could use any of: client cert, HTTP Auth (basic or digest), username/password as request parameters, IP-address mapping, API keys, etc.

For system->system calls, if the client system doesn't change (i.e. not a web browser or an actively changing client base), you don't even need "real" certificates: a strong self-signed certificate is good enough, and because you distribute it to your client systems, they all know the source is valid without a third-party signature.

If the data are very sensitive, you might dedicate connections between the client(s) and server, either using a physically separated network, or VPN.
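The self-signed, pinned arrangement this answer describes, written out as an added example (it is not code from the answer or from any particular project): system A and system B each generate their own self-signed certificate, each is handed the other's certificate out of band, and each pins exactly that certificate as its only trust root. System B additionally requires a client certificate, so the verified peer certificate tells it which client system made the call, which covers the audit point above. The names `system-a` and `system-b`, the path `/internal/orders`, the P-256 keys, the one-year validity and the use of `httptest` on the loopback interface are all assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err) // provisioning or transport failure; the demo cannot continue
	}
}

// selfSigned issues a self-signed certificate for one system. No CA signs it;
// each peer is handed the other's certificate out of band and pins exactly that.
// System B's certificate carries the loopback IP as a SAN so system A can
// verify it; system A's carries the client-auth extended key usage instead.
func selfSigned(cn string, server bool) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if server {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// pinned is a trust store holding only the one peer certificate given.
func pinned(c *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(c)
	return pool
}

// client trusts only the pinned server certificate and presents the client
// certificates it is given, if any.
func client(trust *x509.CertPool, certs ...tls.Certificate) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		MinVersion: tls.VersionTLS12, RootCAs: trust, Certificates: certs,
	}}}
}

// RunMTLS starts system B, calls it as system A, then calls it with no client
// certificate. It returns the body system A received and the anonymous caller's error.
func RunMTLS() (body string, rejectErr error) {
	serverCert, serverLeaf := selfSigned("system-b", true)
	clientCert, clientLeaf := selfSigned("system-a", false)
	// System B: a client certificate is mandatory and only the pinned system-a
	// certificate satisfies ClientCAs, so the handler can name the caller.
	mux := http.NewServeMux()
	mux.HandleFunc("/internal/orders", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "orders for %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	})
	systemB := httptest.NewUnstartedServer(mux)
	systemB.TLS = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pinned(clientLeaf),
	}
	systemB.StartTLS()
	defer systemB.Close()

	resp, err := client(pinned(serverLeaf), clientCert).Get(systemB.URL + "/internal/orders")
	check(err)
	b, err := io.ReadAll(resp.Body)
	check(err)
	resp.Body.Close()
	// Same trust in system B, but nothing to present: rejected at the handshake.
	if r, e := client(pinned(serverLeaf)).Get(systemB.URL + "/internal/orders"); e != nil {
		rejectErr = e
	} else {
		r.Body.Close()
	}
	return string(b), rejectErr
}
```

`RunMTLS` is the entry point; a `main` that prints its two results is all that is needed to run it directly. Because each side's pool contains a single certificate rather than a CA, there is nothing for a third party to issue, but it also means rotating a certificate is a coordinated redeploy on both systems, which is the operational price of the "distribute it to your client systems" approach.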

For starters, if both are in a private subnet, then that's already a decent amount of security. If you have any reason to believe outside people can connect to that API, then go ahead and implement a secure API key that is checked before any call is allowed to execute.
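An API key check of the kind this answer suggests, as an added example (not code from the answer): system B keeps one key per calling system, compares the presented key in constant time before any handler runs, and records which client the key belongs to so the call can be attributed. The key travels in an `X-API-Key` header rather than a query parameter so it does not land in access logs or proxy caches. The key values, client names and the `/internal/orders` path are constructed for the example; `Call` drives the middleware in-process with `httptest` so nothing listens on the network.

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type callerKey struct{}

// clientKeys maps each calling system's API key to its name, so a request is
// attributed as well as admitted. These values are constructed for the example;
// real keys are long random strings issued per client and kept out of source.
var clientKeys = map[string]string{
	"a-7f3e0c9b1d2a4e6f8b0c2d4e6f8a0b1c": "system-a",
	"c-19d2b3a4f5e6c7d8b9a0f1e2d3c4b5a6": "system-c",
}

// requireAPIKey admits a request only if X-API-Key matches an issued key and
// stores the matching client's name in the context before next runs. Keys are
// hashed before comparison so ConstantTimeCompare always sees equal lengths,
// and every configured key is compared so timing does not reveal a partial match.
func requireAPIKey(keys map[string]string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := sha256.Sum256([]byte(r.Header.Get("X-API-Key")))
		caller := ""
		for key, name := range keys {
			want := sha256.Sum256([]byte(key))
			if subtle.ConstantTimeCompare(want[:], got[:]) == 1 {
				caller = name
			}
		}
		if caller == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), callerKey{}, caller)))
	})
}

// ordersHandler is the protected system B endpoint; it only ever runs after
// the middleware has identified the caller.
var ordersHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "orders for %s", r.Context().Value(callerKey{}).(string))
})

// Call sends one request through the protected endpoint in-process and
// returns the status code and response body.
func Call(apiKey string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/internal/orders", nil)
	if apiKey != "" {
		req.Header.Set("X-API-Key", apiKey)
	}
	rec := httptest.NewRecorder()
	requireAPIKey(clientKeys, ordersHandler).ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	for _, k := range []string{"", "guess", "a-7f3e0c9b1d2a4e6f8b0c2d4e6f8a0b1c"} {
		code, body := Call(k)
		fmt.Printf("key %q -> %d %s", k, code, body+"\n")
	}
}
```

A missing or wrong key gets a 401 before the handler is reached; a valid key reaches the handler with the caller's name attached. Note that a shared key only proves possession of the key, not the identity of the machine presenting it, so it is weaker than the client-certificate option in the previous answer and is usually paired with TLS so the key itself is not exposed on the wire.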

The new (2018+) best practice would be to secure the internal services in exactly the same way that you'd secure external services.

Why?

Because upwards of 60% of data disclosures come from internal sources. Internal systems are just as likely to breach data as external systems, so you need to have the same controls that you would for external systems.

Guangdong ICP registration 18138465 © 2020-2024 STACKOOM.COM