
Copyright © 2009 Open Geospatial Consortium, Inc.

pattern based communication is an important means in highly reactive and event driven applications such as early warning systems.

12.2 Firewall and NAT

Networks in a private household are usually secured by a firewall and Network Address Translation (NAT) integrated in a router. In addition, personal software firewalls on each computer may be used. This security solution generally works if communication is initiated from clients inside the private network.

Figure 6: Private Network protected by one Firewall

When trying to establish notification pattern based communication, the incoming notifications are typically rejected by the firewall. In order to permit communication requested from the outside, every firewall has to be configured to accept incoming communication. This is usually done on a port basis. Furthermore, the router has to be configured to forward the incoming notifications to the desired consumer computer. This is necessary because the publisher only knows the external IP address of the router, not the internal address of the actual consumer. By adding a static route from the router to a particular computer on the private network, incoming notifications can be delivered to the desired consumer.

12.3 Perimeter networks

More sophisticated security solutions make use of perimeter networks, also called Demilitarized Zones (DMZ). To this end the network is split into two parts, the inner network and the DMZ, secured by two firewalls, the inner and the outer firewall.

Figure 7: Firewalls with Perimeter Network

The inner network is secured by a highly restrictive inner firewall blocking all direct access to the Internet. Depending on the configuration, communication between the perimeter network and the inner network is permitted or not. If a component located in the inner network wants to access a resource in the Internet, the communication has to be transferred via a proxy in the perimeter network. Furthermore, the inner firewall only allows communication initiated by components of the inner network to the perimeter network. The outer firewall secures the perimeter network from the Internet. If this firewall allows notification pattern based communication, it has to be configured as described above to permit the communication into the perimeter network. In this network a proxy server has to be installed that accepts and possibly checks the incoming notifications. The notifications cannot be forwarded to a consumer inside the inner network directly if the inner firewall restricts such communication.
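A store-and-forward proxy of the kind described above, written here as an added Python example (not code from the OGC document): the publisher pushes into the perimeter network, the proxy checks each notification against an allow-list and a size limit, and the inner consumer fetches held notifications over a connection it opens itself, the only direction the inner firewall permits. The class and method names, the allow-list policy and the size limit are assumptions.

```python
from collections import deque
from dataclasses import dataclass

MAX_BODY_BYTES = 64 * 1024  # assumed size limit the proxy enforces per notification


@dataclass
class Notification:
    publisher: str  # hypothetical identity the proxy attributes the message to
    topic: str
    body: str


class PerimeterProxy:
    """Store-and-forward proxy in the DMZ: Internet publishers push into it (allowed by
    the outer firewall); inner consumers pull from it, since the inner firewall only
    passes connections initiated from the inner network."""

    def __init__(self, allowed_publishers, allowed_topics):
        self.allowed_publishers = set(allowed_publishers)
        self.allowed_topics = set(allowed_topics)
        self.subscriptions = {}  # topic -> set of consumer ids
        self.queues = {}         # consumer id -> deque of held notifications
        self.rejected = 0

    def subscribe(self, consumer, topic):
        # Called over a connection the consumer opens outbound, so the inner firewall allows it.
        self.subscriptions.setdefault(topic, set()).add(consumer)
        self.queues.setdefault(consumer, deque())

    def accept(self, n):
        """Check an inbound notification before holding it; anything failing policy
        is dropped in the perimeter and never reaches the inner network."""
        if (n.publisher not in self.allowed_publishers
                or n.topic not in self.allowed_topics
                or len(n.body.encode("utf-8")) > MAX_BODY_BYTES):
            self.rejected += 1
            return False
        for consumer in self.subscriptions.get(n.topic, ()):
            self.queues[consumer].append(n)
        return True

    def poll(self, consumer, max_items=10):
        """Inner consumer pulls what the proxy holds for it, again inner-initiated."""
        held = self.queues.get(consumer, deque())
        batch = []
        while held and len(batch) < max_items:
            batch.append(held.popleft())
        return batch
```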

12.4 More restrictive solutions

In more restrictive firewall settings it might be impossible to deliver events to a client in the private network at all. This is the case if communication is permitted through only one of the firewalls at a time. In this case a component in the inner network has to send its requests to an agent located in the perimeter network while the inner firewall is permitting communication and the outer firewall is rejecting it. When the outer firewall permits communication, the inner firewall blocks communication and the agent performs the submitted requests. The results are stored at the agent and can be requested when the firewalls switch back again. In such a system near real-time communication is never possible, as the consumer and the publisher do not know the times at which the inner or outer firewall gets opened.

13 Recommendations

As a result of this work, mainly based on the evaluation of vulnerabilities and potential attacks for the current OGC Sensor Web Services specifications, we would like to give recommendations for implementing a Secure Sensor Web. First of all we would like to point out that it is important to implement all relevant requirements and not just one. For example, when implementing access control while the communication is not secured, an attacker could steal security context information such as a session token or an identity token, which would most likely cause the access control system to grant requests based on the stolen security context information. Of course, it is not easy to say in general which requirements are to be implemented and in which way, as this depends on many factors: (i) the architecture itself and which services are deployed in which security domain, (ii) whether there is a direct trust relationship between security domains, (iii) which information/observations the system shall deal with and whether they are classified, etc. One dominant question is "Do I have to use WS-Security with SOAP or can I do HTTP+TLS?"
This mainly depends on the architecture and the orchestration of services. As a rule of thumb, it is a good idea to use WS-Security and SOAP, even though the other variant using HTTP+TLS might also be applicable. We would like to point out the following recommendations, knowing that there will always be specific cases where they do not represent the most elegant solution. However, the list of recommendations can be understood as a framework for securing the Sensor Web.

13.1 Use Message Level Security