Securely Managing and Exposing Web Services & Applications Philip M Walston June 2008 Philip M Walston VP Product Management Layer 7 Technologies


Page 1

Securely Managing and Exposing Web Services & Applications

Philip M Walston
VP Product Management, Layer 7 Technologies

June 2008

Page 2

Layer 7 SecureSpan Products

Suite of security and networking products to address the full spectrum of XML deployments:

• Service Oriented Architectures (SOA)
• Web 2.0 and Web Oriented Architectures (WOA)
• AJAX, REST, mainframe and non-SOAP applications
• ESB, Portal, B2B and Application Oriented Networking

Page 3

XML Security and Networking Completes SOA Stack

SOA stack diagram, with the vendors shown at each layer:

Development Tools & Application Servers
• Microsoft .Net
• IBM WebSphere
• Oracle 10g
• BEA WebLogic
• JBoss Opensource
• Eclipse
• Parasoft

Service Registry and Usage Policy
• Systinet/HP
• Infravio/SAG
• Flashline
• WebLayers
• LogicLibrary
• Microsoft
• IBM

Enterprise Service Bus
• Sonic/Progress
• IBM ESB
• SAP Netweaver
• Tibco
• CapeClear
• WebMethods/SAG
• BEA Aqualogic
• Sun
• Oracle Fusion
• Cordys
• PolarLake

Web Services Management
• Amberpoint
• SOA Software
• Actional
• Oracle WSM
• CA WSDM
• IBM Tivoli CAM
• Blue Titan
• HP SOA Center
• Software AG

XML Security & Networking Gateways
• Layer 7
• DataPower/IBM
• Reactivity/Cisco
• Vordel

Page 4

Deployment Example – B2B Services

• Deployed as intermediary
  - XML/WS service proxy
• Straddles security/trust boundaries
• Declarative message level security
  - Assertion-based policy language

Diagram: Business Partners, External Firewall, DMZ (SecureSpan XML Firewall Cluster, SecureSpan Manager, Corporate Identity Server), Internal Firewall, Service Endpoints (Secure Zone).

Page 5

SecureSpan – Extensible Policy Framework

Access Control
• HTTP basic authentication
• HTTP digest authentication
• HTTP cookie authentication
• HTTP client-side certificate authentication
• WS-Security Username Token Basic
• WS-Security Signature
• Encrypted Username Token
• SAML Authentication
• WS-Trust credential exchange
• WS-Federation Passive Credential Request/Exchange
• XPath Credentials
• SAML Browser Artifact
• WSS Kerberos

Message Validation and Threat Protection
• Throughput quota
• Validate schema
• Evaluate Request / Response XPath
• Evaluate regular expression
• XSL Transformation
• Translate HTTP Form to MIME
• Translate HTTP Form from MIME
• WSI-BSP Compliance
• WSI-SAML Compliance
• WS-SecurityPolicy Compliance
• SQL Attack protection
• Request size limit
• Document structure threats
• Symantec virus scanning

Identity
• Identity in internal provider
• Identity in external LDAP provider
• Identity in external MS-AD provider
• Identity in CA SiteMinder
• Identity in Tivoli Access Manager
• Identity in RSA ClearTrust
• Identity in Sun Java Access Manager
• Identity in Tivoli Federated Identity Manager
• Identity in Microsoft ADFS
• Identity in Oracle Access Manager

XML Security
• Sign request
• Encrypt request
• Sign response
• Encrypt response
• Require timestamp in request
• Add signed timestamp to response
• Request and response signed timestamps
• Add signed security token to response
• WSS-Replay attack prevention

Page 6

SecureSpan – Extensible Policy Framework Cont’d

Message Routing
• Route to destination using HTTP(S)
• Route to destination using SecureSpan Bridge
• Route to destination using MQSeries / JMS
• Route to destination(s) based on availability
• Template Response
• Echo Response

Policy Logic
• Comment
• Comparison
• Evaluate logical OR
• Evaluate logical AND
• Continue processing
• Stop processing
• Set variable

Service Availability
• Time of day restrictions
• Source IP range restrictions
• Throughput quota

Logging and Auditing
• Audit assertion
• Audit detail assertion
• Send SNMP trap
• Send email message

Page 7

SecureSpan Manager

(Slide image only; no text beyond the title.)

Page 8

Gateway Scalability and Availability

• Horizontal scalability
• Replay attack prevention across the cluster
• Transparent replication of policy across the cluster
• Single point of management across cluster

Diagram: HTTP Load Balancer in front of the gateway cluster.

Page 9

Deployment Example – Government

• Layered trust zones with internal firewalls
  - Defined security and access protocols

Diagram: Restricted Zone | Internal Firewall | Trusted Zone | Internal Firewall | Public Zone

Page 10

Deployment Example – Government

• XML Firewalls “straddle” trust zones
  - Gate access to applications
  - Provide audit trail

Diagram: Restricted Zone | Trusted Zone | Public Zone, with a SecureSpan XML Firewall Cluster straddling each zone boundary.

Page 11

Deployment Example – ESB Co-Processor

• Security as service for ESB
  - Signing, encryption
  - Schema validation, transforms

Diagram: Enterprise Service Bus with a SecureSpan XML Accelerator Cluster alongside it.

Page 12

Deployment Example – Wide-Area Routing Fabric

Diagram: three Business Partners, each with SecureSpan Appliances, connected through a SecureSpan XML Networking Gateway Cluster.

Page 13

Case Study – Insurance Self-Service

Client Situation:
• Insurance company with relatively current infrastructure
• Wanted to extend self-service access to policy-related information to three audiences – internal CSRs, existing customers and prospects
  - Stated advantage of being secure, auditable and scalable
• Access to information would be gated based on requestor entitlement and could involve confidential/personal information

The Scenario:
• Implemented centralized authentication / authorization gateway
  - Based on use of existing identity management infrastructure
  - Single solution serves Web customers, internal users and applications
  - Need common security model
    − Validation of authentication step
    − Entitlement-based authorization
    − Audit trail

Page 14

Scenario 1 – Internal Access to Application(s)

Diagram (Intranet Zone): Internal User → SOAP / HTTP(S) → SecureSpan XML Firewall (LDAP) → SOAP / HTTP → ‘Service Layer’ → S-API → HealthCare BackOffice App

1. Internal user sends SOAP request to XML Firewall
2. XML Firewall authenticates specific user (or group) against internal LDAP
3. XML Firewall applies appropriate internal group or user policy and forwards to Service Layer
4. Service Layer forwards request to BackOffice application

Page 15

Scenario 2 – External Access to Personal Profile

Diagram: Specific User → HTML / HTTP → Frontend Application (Servlets / JSP, Tomcat; DMZ) → SOAP / HTTP(S) → SecureSpan XML Firewall (LDAP) → SOAP / HTTP → ‘Service Layer’ → S-API → HealthCare BackOffice App (Intranet Zone)

1. Specific user sends HTML request to web portal
2. Web portal authenticates user, forwards SOAP request and “User” identity via HTTP or HTTPS to XML Firewall
3. XML Firewall applies “Personal Profile” policy, grants access to profile operation and forwards to Service Layer
4. Service Layer formats request with user identity, forwards request to BackOffice application

Page 16

Scenario 3 – External Access to Policy Premium Calculator

Diagram: Anonymous User → HTML / HTTP → Frontend Application (Servlets / JSP, Tomcat; DMZ) → SOAP / HTTP(S) → SecureSpan XML Firewall → SOAP / HTTP → ‘Service Layer’ → S-API → HealthCare BackOffice App (Intranet Zone)

1. Anonymous user sends HTML request to web portal
2. Web portal forwards SOAP request via HTTP or HTTPS to XML Firewall
3. XML Firewall applies “Anonymous” policy, grants access to Premium Calculator and forwards to Service Layer
4. Service Layer forwards request to BackOffice application

Page 17

Example Policy – One Policy Supports Three Scenarios

Policy diagram with three branches: Internal Users (validated), External Users, and Anonymous External Users.
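As an added illustration (not the deck's or Layer 7's own code), the following Python evaluator models the single policy of this slide: three AND-branches combined by OR, one per scenario, using the assertion names from the policy framework slides. The directory entries, address ranges and operation names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed stand-ins for the case study's environment (not Layer 7 code):
INTERNAL_DIRECTORY = {"csr01": "s3cret"}          # hypothetical internal LDAP users
INTRANET = ipaddress.ip_network("10.0.0.0/8")     # assumed intranet address range
PORTAL = ipaddress.ip_network("192.0.2.10/32")    # assumed DMZ web portal (Tomcat) address

@dataclass
class Request:
    source_ip: str
    operation: str                  # SOAP operation addressed by the request body
    user: Optional[str] = None      # credential, or identity asserted by the portal
    password: Optional[str] = None

@dataclass
class Decision:
    allow: bool
    branch: str
    audit: List[str] = field(default_factory=list)   # the audit trail the slide requires

# Each predicate plays one assertion from the policy framework slides.
def source_ip_in(net):              # "Source IP range restrictions"
    return lambda r: ipaddress.ip_address(r.source_ip) in net
def ldap_authenticate(r):           # "Identity in external LDAP provider" (constructed lookup)
    return r.user is not None and INTERNAL_DIRECTORY.get(r.user) == r.password
def portal_identity(r):             # "User" identity forwarded by the already-authenticated portal
    return ipaddress.ip_address(r.source_ip) in PORTAL and bool(r.user)
def operation_is(name):             # "Comparison" against the requested operation
    return lambda r: r.operation == name

# One policy: "Evaluate logical OR" over three "Evaluate logical AND" branches.
POLICY = [
    ("internal", [source_ip_in(INTRANET), ldap_authenticate]),
    ("personal-profile", [portal_identity, operation_is("getPersonalProfile")]),
    ("anonymous", [source_ip_in(PORTAL), operation_is("calculatePremium")]),
]

def evaluate(req: Request) -> Decision:
    """First branch whose assertions all hold wins; otherwise stop processing and audit."""
    audit = []
    for name, assertions in POLICY:
        if all(check(req) for check in assertions):     # "Evaluate logical AND"
            audit.append(f"allow {req.operation} via {name} for {req.user or 'anonymous'}")
            return Decision(True, name, audit)
        audit.append(f"branch {name} did not match")
    audit.append(f"deny {req.operation} from {req.source_ip}")  # "Stop processing" + "Audit assertion"
    return Decision(False, "none", audit)
```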

Page 18

Intermediary Deployment Model – Telecom

Message level intermediary between services and requesters

Diagram: Internal Application Consumers and External Application Consumers on one side, Services on the other, with the intermediary between them.

Page 19

Telecom Use Case: Security

- Validate XML is correctly structured before it is routed to services
- Guard against malicious code attacks
- Implement message level security including WS* and WS-I compliance
- Leverage existing identity, SSO and PKI infrastructures

Diagram: security requirements defined by an administrator; policies become effective independently of the actual services (IPTV, SMS, MMS, Ringtones).

Page 20

Telecom Use Case: Service Virtualization

- Same service viewed differently for provisioning and for consumption purposes
- Each virtual version limits allowed operations based on requester

Diagram: Virtual Services exposed for Service Provisioning and for Service Consumption, with a Newer Version of the service behind them. Requests and responses can be transformed to accommodate older versions of clients.

Page 21

Telecom Use Case: Service Aggregation

- Provide requestors a single, unchanging interface to a set of services
- Use appliances to map virtual interface to real interfaces
- Have appliance handle associated routing, data transformation

Diagram (Telecom Gateway; transparent aggregation of provider channels through channel provider connectors):
1. Browse available TV shows
2. Predefined XPath [s:Body/tvs:browse/tvs:provider]
3. Choose endpoint based on XPath result
4. Transform request to comply with particular provider (XSLT)
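Added example (not the deck's or Layer 7's code) of steps 2 to 4 above in Python: evaluate the slide's predefined XPath on a SOAP request, select the provider endpoint from the result, and rewrite the request into that provider's vocabulary. The `tvs` namespace URI, the connector table, the provider element names and the sample envelope are all constructed; a plain element rewrite stands in for the XSLT the appliance would apply.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Namespace bindings for the slide's XPath; the tvs URI is assumed (the slide shows only the prefix).
NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/", "tvs": "urn:example:tvservice"}
PREDEFINED_XPATH = "s:Body/tvs:browse/tvs:provider"      # step 2 on the slide

# Constructed connector table: XPath result -> (real endpoint, provider's own namespace).
PROVIDERS = {
    "acme":   ("https://acme.example/iptv/browse", "urn:example:acme"),
    "globex": ("https://globex.example/catalog",   "urn:example:globex"),
}

def select_provider(envelope: str) -> Optional[str]:
    """Step 3: evaluate the predefined XPath; None when no connector matches the result."""
    node = ET.fromstring(envelope).find(PREDEFINED_XPATH, NS)
    provider = (node.text or "").strip() if node is not None else ""
    return provider if provider in PROVIDERS else None

def transform_for_provider(envelope: str, provider: str) -> str:
    """Step 4: rewrite the virtual 'browse' request into the provider's vocabulary.
    Stands in for the appliance's XSLT; the target element names are assumed."""
    _, target_ns = PROVIDERS[provider]
    root = ET.fromstring(envelope)
    body = root.find("s:Body", NS)
    browse = body.find("tvs:browse", NS)
    category = browse.find("tvs:category", NS)
    op = ET.SubElement(body, f"{{{target_ns}}}listShows")
    ET.SubElement(op, f"{{{target_ns}}}genre").text = category.text if category is not None else "all"
    body.remove(browse)     # the virtual operation and its provider selector never reach the provider
    return ET.tostring(root, encoding="unicode")

def route(envelope: str) -> Optional[Tuple[str, str]]:
    """Steps 2-4 together: (real endpoint, transformed request), or None to stop processing."""
    provider = select_provider(envelope)
    if provider is None:
        return None
    return PROVIDERS[provider][0], transform_for_provider(envelope, provider)

# Constructed sample request against the virtual TV service.
SAMPLE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:tvs="urn:example:tvservice"><s:Body><tvs:browse>
  <tvs:provider>acme</tvs:provider><tvs:category>sports</tvs:category>
</tvs:browse></s:Body></s:Envelope>"""
```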

Page 22

Telecom Use Case: SLA Enforcement

- Control service requests based on IP, time of day, requestor, etc.
- Centrally define and enforce SLA contracts for XML interactions
- Monitor / report message throughput and service performance metrics

1. Define WS-Policy compliant SLA definition
2. Publish SLA Policy / Contract to UDDI
3. Enforce SLA Policy / Contract

Diagram (Telecom Gateway in front of IPTV, SMS, MMS, Ringtones): Pascal gets 1 free TV show per month; Quincy gets unlimited SMS per month. XML appliance shares parameters across service policies to enable virtual coordination.

Page 23

Some Observations

• XML Gateways / Firewalls provide an effective tool for enforcing security and controlling access to services
• The declarative, non-programmed model provides a great deal of flexibility
• Deployment patterns can be quite diverse
  - DMZ deployment
  - Spanning trust zones
  - XML/WS co-processor
• Security policies tend to include some element of identity
  - IP address, UID/PWD, SSO or federation token …
  - Requires some interaction with identity infrastructure
• Key standards are still evolving but include:
  - WS-Policy, WS-SecurityPolicy, UDDI, SAML

Page 24

Philip M Walston
VP Product Management
Layer 7 Technologies
+1.604.681.9377
[email protected]