Securely Managing and Exposing Web Services & Applications
Philip M Walston
June 2008
Philip M Walston
VP Product Management, Layer 7 Technologies
Layer 7 SecureSpan Products
Suite of security and networking products to address the full spectrum of XML deployments:
• Service Oriented Architectures (SOA)
• Web 2.0 and Web Oriented Architectures (WOA)
• AJAX, REST, mainframe and non-SOAP applications
• ESB, Portal, B2B and Application Oriented Networking
XML Security and Networking Completes SOA Stack
SOA Stack (vendors by layer):
Development Tools & Application Servers
• Microsoft .Net
• IBM WebSphere
• Oracle 10g
• BEA WebLogic
• JBoss Opensource
• Eclipse
• Parasoft
Service Registry and Usage Policy
• Systinet/HP
• Infravio/SAG
• Flashline
• WebLayers
• LogicLibrary
• Microsoft
• IBM
Enterprise Service Bus
• Sonic/Progress
• IBM ESB
• SAP Netweaver
• Tibco
• CapeClear
• WebMethods/SAG
• BEA Aqualogic
• Sun
• Oracle Fusion
• Cordys
• PolarLake
Web Services Management
• Amberpoint
• SOA Software
• Actional
• Oracle WSM
• CA WSDM
• IBM Tivoli Cam
• Blue Titan
• HP SOA Center
• Software AG
XML Security & Networking Gateways
• Layer 7
• DataPower/IBM
• Reactivity/Cisco
• Vordel
Deployment Example – B2B Services
• Deployed as intermediary
  – XML/WS service proxy
• Straddles security/trust boundaries
• Declarative message level security
  – Assertion-based policy language
Diagram labels: Business Partners, External Firewall, DMZ, SecureSpan XML Firewall Cluster, SecureSpan Manager, Corporate Identity Server, Internal Firewall, Service Endpoints (Secure Zone)
SecureSpan – Extensible Policy Framework
Access Control
• HTTP basic authentication
• HTTP digest authentication
• HTTP cookie authentication
• HTTP client-side certificate authentication
• WS-Security Username Token Basic
• WS-Security Signature
• Encrypted Username Token
• SAML Authentication
• WS-Trust credential exchange
• WS-Federation Passive Credential Request/Exchange
• XPath Credentials
• SAML Browser Artifact
• WSS Kerberos
• Throughput quota
Message Validation and Threat Protection
• Validate schema
• Evaluate Request / Response XPath
• Evaluate regular expression
• XSL Transformation
• Translate HTTP Form to MIME
• Translate HTTP Form from MIME
• WSI-BSP Compliance
• WSI-SAML Compliance
• WS-SecurityPolicy Compliance
• SQL Attack protection
• Request size limit
• Document structure threats
• Symantec virus scanning
Identity
• Identity in internal provider
• Identity in external LDAP provider
• Identity in external MS-AD provider
• Identity in CA SiteMinder
• Identity in Tivoli Access Manager
• Identity in RSA ClearTrust
• Identity in Sun Java Access Manager
• Identity in Tivoli Federated Identity Manager
• Identity in Microsoft ADFS
• Identity in Oracle Access Manager
XML Security
• Sign request
• Encrypt request
• Sign response
• Encrypt response
• Require timestamp in request
• Add signed timestamp to response
• Request and response signed timestamps
• Add signed security token to response
• WSS-Replay attack prevention
SecureSpan – Extensible Policy Framework Cont’d
Message Routing
• Route to destination using HTTP(S)
• Route to destination using SecureSpan Bridge
• Route to destination using MQSeries / JMS
• Route to destination(s) based on availability
• Template Response
• Echo Response
Policy Logic
• Comment
• Comparison
• Evaluate logical OR
• Evaluate logical AND
• Continue processing
• Stop processing
• Set variable
Service Availability
• Time of day restrictions
• Source IP range restrictions
• Throughput quota
Logging and Auditing
• Audit assertion
• Audit detail assertion
• Send SNMP trap
• Send email message
SecureSpan Manager
Gateway Scalability and Availability
• Horizontal scalability
• Replay attack prevention across the cluster
• Transparent replication of policy across the cluster
• Single point of management across cluster
Diagram label: HTTP Load Balancer in front of the gateway cluster
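How replay prevention works at a gateway, as an added example that is not Layer 7 code: the request carries a Created/Expires timestamp and a nonce, both covered by the message signature; the gateway checks the signature first, then freshness, then whether the nonce was already seen. The HMAC stands in for the WS-Security signature, `ReplayCache` stands in for the nonce store the cluster nodes share, and the key, skew and lifetime values are constructed assumptions.

```python
"""WS-Security style replay prevention: signed timestamp plus a nonce that a
cluster-wide store remembers until the message expires. Added example, not
Layer 7 code; key, skew and lifetime values are constructed assumptions."""
import hashlib
import hmac
import secrets
import threading
from datetime import datetime, timedelta, timezone

SIGNING_KEY = b"constructed-demo-key"        # assumption: trust material for the HMAC
MAX_SKEW = timedelta(minutes=5)              # tolerated clock drift between peers
MAX_LIFETIME = timedelta(minutes=10)         # bounds how long a nonce must be remembered
T0 = datetime(2008, 6, 1, 12, 0, tzinfo=timezone.utc)


def at(seconds):
    """Fixed clock for the example: T0 plus an offset in seconds."""
    return T0 + timedelta(seconds=seconds)


class ReplayCache:
    """Stand-in for the cluster-shared nonce store (a real cluster replicates it)."""

    def __init__(self):
        self._seen = {}                      # nonce -> expiry of the message that used it
        self._lock = threading.Lock()

    def check_and_add(self, nonce, expires_at, now):
        """Atomically record the nonce; returns False if it was already seen."""
        with self._lock:
            for n, exp in list(self._seen.items()):   # forget nonces whose message expired
                if exp <= now:
                    del self._seen[n]
            if nonce in self._seen:
                return False
            self._seen[nonce] = expires_at
            return True


def _sign(created, expires, nonce, body):
    """Bind timestamp, nonce and body digest together (stand-in for an XML signature)."""
    digest = hashlib.sha256(body).hexdigest()
    data = f"{created}|{expires}|{nonce}|{digest}".encode()
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def make_message(body, now, lifetime_seconds=120):
    """Client side: attach Created/Expires, a fresh nonce and the signature."""
    created = now.isoformat()
    expires = (now + timedelta(seconds=lifetime_seconds)).isoformat()
    nonce = secrets.token_hex(16)
    return {"created": created, "expires": expires, "nonce": nonce, "body": body,
            "signature": _sign(created, expires, nonce, body)}


def tampered(msg, **changes):
    """Copy of msg with fields altered but the original signature kept."""
    return {**msg, **changes}


def verify(msg, cache, now):
    """Gateway side. Returns (accepted, reason). The signature is checked first so
    an unsigned change to the timestamp can never widen the replay window."""
    expected = _sign(msg["created"], msg["expires"], msg["nonce"], msg["body"])
    if not hmac.compare_digest(expected, msg["signature"]):
        return False, "bad signature"
    created = datetime.fromisoformat(msg["created"])
    expires = datetime.fromisoformat(msg["expires"])
    if created > now + MAX_SKEW:
        return False, "created in the future"
    if expires <= now:
        return False, "expired"
    if expires - created > MAX_LIFETIME:
        return False, "lifetime too long"
    if not cache.check_and_add(msg["nonce"], expires, now):
        return False, "replayed nonce"
    return True, "ok"
```

Bounding the message lifetime is what keeps the shared store small: a nonce only has to be remembered until its Expires passes, after which the timestamp check alone rejects the message, so the cluster never needs an unbounded history.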
Deployment Example – Government
• Layered trust zones with internal firewalls
  – Defined security and access protocols
• XML Firewalls “straddle” trust zones
  – Gate access to applications
  – Provide audit trail
Diagram labels: Public Zone, Internal Firewall, Trusted Zone, Internal Firewall, Restricted Zone, with a SecureSpan XML Firewall Cluster at each zone boundary
Deployment Example – ESB Co-Processor
• Security as service for ESB
  – Signing, encryption
  – Schema validation, transforms
Diagram labels: Enterprise Service Bus, SecureSpan XML Accelerator Cluster
Deployment Example - Wide-Area Routing Fabric
Diagram labels: SecureSpan XML Networking Gateway Cluster connected to three Business Partners with SecureSpan Appliances
Case Study – Insurance Self-Service
Client Situation:
• Insurance company with relatively current infrastructure
• Wanted to extend self-service access to policy-related information to three audiences – internal CSRs, existing customers and prospects
  – Stated advantage of being secure, auditable and scalable
• Access to information would be gated based on requestor entitlement and could involve confidential/personal information
The Scenario:
• Implemented centralized authentication / authorization gateway
  – Based on use of existing identity management infrastructure
  – Single solution serves Web customers, internal users and applications
  – Need common security model
    − Validation of authentication step
    − Entitlement-based authorization
    − Audit trail
Scenario 1 – Internal Access to Application(s)
Diagram: Internal User → (S-API SOAP / HTTP(S)) → SecureSpan XML Firewall with LDAP (Intranet Zone) → (SOAP / HTTP) → ‘Service Layer’ → HealthCare BackOffice App
1. Internal user sends SOAP request to XML Firewall
2. XML Firewall authenticates specific user (or group) against internal LDAP
3. XML Firewall applies appropriate internal group or user policy and forwards to Service Layer
4. Service Layer forwards request to BackOffice application
Scenario 2 – External Access to Personal Profile
Diagram: Specific User → (HTML / HTTP) → Frontend Application (Servlets / JSP on Tomcat, DMZ) → (S-API SOAP / HTTP(S)) → SecureSpan XML Firewall with LDAP (Intranet Zone) → (SOAP / HTTP) → ‘Service Layer’ → HealthCare BackOffice App
1. Specific user sends HTML request to web portal
2. Web portal authenticates user, forwards SOAP request and “User” identity via HTTP or HTTPS to XML Firewall
3. XML Firewall applies “Personal Profile” policy, grants access to profile operation and forwards to Service Layer
4. Service Layer formats request with user identity, forwards request to BackOffice application
Scenario 3 – External Access to Policy Premium Calculator
Diagram: Anonymous User → (HTML / HTTP) → Frontend Application (Servlets / JSP on Tomcat, DMZ) → (S-API SOAP / HTTP(S)) → SecureSpan XML Firewall (Intranet Zone) → (SOAP / HTTP) → ‘Service Layer’ → HealthCare BackOffice App
1. Anonymous user sends HTML request to web portal
2. Web portal forwards SOAP request via HTTP or HTTPS to XML Firewall
3. XML Firewall applies “Anonymous” policy, grants access to Premium Calculator and forwards to Service Layer
4. Service Layer forwards request to BackOffice application
Example Policy – One Policy Supports Three Scenarios
Diagram: policy branches for Internal Users (Validated), External Users, and Anonymous External Users
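What a single declarative policy covering the three scenarios looks like when written out, as an added example that is not Layer 7 code or the customer's policy: assertions are plain callables, `one_of` is the OR over the three branches and `all_of` the AND within each, and the context doubles as the audit trail. The LDAP directory, the portal address range, the `X-Portal-User` header and the operation names are constructed assumptions.

```python
"""Toy declarative policy engine for the insurance case study. Added example,
not Layer 7 code; directory, portal range and operation names are assumptions."""
import base64
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the internal LDAP: user -> (password hash, groups)
LDAP_DIRECTORY = {
    "csr.alice": (hashlib.sha256(b"alice-pw").hexdigest(), {"csr", "staff"}),
    "cust.bob": (hashlib.sha256(b"bob-pw").hexdigest(), {"customer"}),
}
# Assumed DMZ portal hosts whose asserted-identity header the gateway trusts
PORTAL_ADDRESSES = ipaddress.ip_network("10.1.0.0/24")


@dataclass
class Request:
    source_ip: str
    operation: str                              # SOAP operation, e.g. GetPersonalProfile
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)    # parsed SOAP body parameters


@dataclass
class Context:
    """Variables set by assertions; `audit` is the request's audit trail."""
    user: Optional[str] = None
    groups: set = field(default_factory=set)
    audit: list = field(default_factory=list)


def basic_header(user, password):
    """Build an HTTP Basic Authorization value (used to construct requests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# --- assertions: callables (request, context) -> bool ------------------------

def http_basic_ldap(req, ctx):
    """Authenticate an HTTP Basic credential against the stand-in LDAP."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    entry = LDAP_DIRECTORY.get(user)
    offered = hashlib.sha256(password.encode()).hexdigest()
    if entry is None or not hmac.compare_digest(entry[0], offered):
        ctx.audit.append(f"authentication failed for {user!r}")
        return False
    ctx.user, ctx.groups = user, set(entry[1])
    return True


def member_of(group):
    return lambda req, ctx: group in ctx.groups


def portal_asserted_identity(req, ctx):
    """Trust the portal's identity header only from a portal host, and only
    for a user that exists in the directory."""
    if ipaddress.ip_address(req.source_ip) not in PORTAL_ADDRESSES:
        return False
    user = req.headers.get("X-Portal-User")
    if user not in LDAP_DIRECTORY:
        return False
    ctx.user, ctx.groups = user, set(LDAP_DIRECTORY[user][1])
    return True


def operation_is(name):
    return lambda req, ctx: req.operation == name


def profile_belongs_to_requester(req, ctx):
    """Entitlement check: a customer may only read their own profile."""
    return ctx.user is not None and req.body.get("profileOwner") == ctx.user


def all_of(*assertions):
    """'Evaluate logical AND': every assertion must pass; stops at first failure."""
    return lambda req, ctx: all(a(req, ctx) for a in assertions)


def one_of(*branches):
    """'Evaluate logical OR': the first labelled branch that passes wins.
    Identity set by a failed branch is discarded before the next branch runs."""
    def run(req, ctx):
        for label, branch in branches:
            saved = (ctx.user, set(ctx.groups))
            if branch(req, ctx):
                ctx.audit.append(f"matched branch {label}")
                return True
            ctx.user, ctx.groups = saved
        return False
    return run


# One policy for the three scenarios: staff with LDAP credentials, portal users
# reading their own profile, and anonymous prospects using the calculator.
POLICY = one_of(
    ("internal-user", all_of(http_basic_ldap, member_of("staff"))),
    ("personal-profile", all_of(portal_asserted_identity,
                                operation_is("GetPersonalProfile"),
                                profile_belongs_to_requester)),
    ("anonymous-calculator", operation_is("CalculatePremium")),
)


def evaluate(req):
    """Run the policy; return (allowed, context). Denied requests are not routed."""
    ctx = Context()
    allowed = POLICY(req, ctx)
    ctx.audit.append("routed to service layer" if allowed else "denied")
    return allowed, ctx
```

The ordering matters: the anonymous branch comes last and names exactly one operation, so a request that fails authentication falls through to it and still cannot reach anything but the premium calculator, and the portal's identity header is only honoured from the portal's own addresses.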
Intermediary Deployment Model - Telecom
Message level intermediary between services and requesters
Diagram labels: Internal Application Consumers, Services, External Application Consumers
Telecom Use Case: Security
- Validate XML is correctly structured before it is routed to services
- Guard against malicious code attacks
- Implement message level security including WS* and WS-I compliance
- Leverage existing identity, SSO and PKI infrastructures
Diagram callouts: Security requirements defined by an administrator; Policies become effective independently of the actual services
Telecom Use Case: Service Virtualization
- Same service viewed differently for provisioning and for consumption purposes
- Each virtual version limits allowed operations based on requester
Diagram labels: IPTV, SMS, MMS, Ringtones; Virtual Services; Service Provisioning; Service Consumption; Newer Version
Diagram callout: Requests and responses can be transformed to accommodate older versions of clients
Telecom Use Case: Service Aggregation
- Provide requestors a single, unchanging interface to a set of services
- Use appliances to map virtual interface to real interfaces
- Have appliance handle associated routing, data transformation
Diagram flow (Telecom Gateway with channel provider connectors):
1. Browse available TV shows
2. Predefined XPath [s:Body/tvs:browse/tvs:provider]
3. Choose endpoint based on XPath result
4. Transform request to comply with particular provider (XSLT)
Diagram callout: Transparent aggregation of provider channels
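The aggregation flow above carried through in code, as an added example that is not Layer 7 code: the gateway evaluates the predefined XPath `s:Body/tvs:browse/tvs:provider` on the incoming envelope, picks the connector for that provider, rewrites the body into the provider's own request format and returns the real endpoint. The namespaces, provider names, endpoints and sample envelope are constructed assumptions, and the two transform functions stand in for the per-provider XSLT.

```python
"""XPath-driven endpoint selection and per-provider request transformation.
Added example, not Layer 7 code; namespaces, providers and endpoints are
constructed assumptions, and the transform functions stand in for XSLT."""
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/", "tvs": "urn:example:tv"}
ACME, BETA = "urn:example:acme", "urn:example:beta"
for prefix, uri in {**NS, "acme": ACME, "beta": BETA}.items():
    ET.register_namespace(prefix, uri)       # keep readable prefixes on output

ROUTE_XPATH = "s:Body/tvs:browse/tvs:provider"   # the predefined XPath from the slide
MAX_REQUEST_BYTES = 64 * 1024                    # request size limit, checked before parsing


def to_acme(browse):
    """Stand-in for the acme XSLT: browse/genre becomes listShows/category."""
    req = ET.Element(f"{{{ACME}}}listShows")
    ET.SubElement(req, f"{{{ACME}}}category").text = browse.findtext("tvs:genre", "", NS)
    return req


def to_beta(browse):
    """Stand-in for the beta XSLT: genre becomes an attribute of Catalog."""
    return ET.Element(f"{{{BETA}}}Catalog", genre=browse.findtext("tvs:genre", "", NS))


# Channel provider connectors: provider id -> (real endpoint, transform)
CONNECTORS = {
    "acme": ("https://acme.example/tv", to_acme),
    "beta": ("https://beta.example/catalog", to_beta),
}


class RoutingError(Exception):
    """Raised when a request cannot be routed; the gateway fails closed."""


def route(envelope_xml):
    """Return (endpoint, transformed envelope) for a virtual-interface request."""
    if len(envelope_xml.encode()) > MAX_REQUEST_BYTES:
        raise RoutingError("request exceeds size limit")
    root = ET.fromstring(envelope_xml)
    provider_el = root.find(ROUTE_XPATH, NS)
    provider = (provider_el.text or "").strip() if provider_el is not None else ""
    if provider not in CONNECTORS:        # unknown or missing provider: no default route
        raise RoutingError(f"no connector for provider {provider!r}")
    endpoint, transform = CONNECTORS[provider]
    body = root.find("s:Body", NS)
    browse = body.find("tvs:browse", NS)
    new_request = transform(browse)
    body.clear()                          # keeps the Body tag, drops the virtual request
    body.append(new_request)
    return endpoint, ET.tostring(root, encoding="unicode")


# Constructed sample request against the virtual "browse" interface
SAMPLE_REQUEST = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:tvs="urn:example:tv"><s:Body><tvs:browse>'
    '<tvs:provider>acme</tvs:provider><tvs:genre>news</tvs:genre>'
    '</tvs:browse></s:Body></s:Envelope>'
)
```

A provider value that matches no connector raises rather than routing to some default, and the size limit runs before the parser does, which is the order the policy framework's "request size limit" and "validate schema" assertions imply.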
Telecom Use Case: SLA Enforcement
- Control service requests based on IP, time of day, requestor, etc.
- Centrally define and enforce SLA contracts for XML interactions
- Monitor / report message throughput and service performance metrics
Diagram flow (Telecom Gateway; services IPTV, SMS, MMS, Ringtones):
1. Define WS-Policy compliant SLA definition
2. Publish SLA Policy / Contract to UDDI
3. Enforce SLA Policy / Contract
Example contracts in the diagram: Pascal gets 1 free TV show per month; Quincy gets unlimited SMS per month
XML appliance shares parameters across service policies to enable virtual coordination.
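The enforcement step worked through, as an added example that is not Layer 7 code: each SLA contract carries a quota with a counting window plus the time-of-day and source-IP restrictions the slide lists, and one counter store is shared by all service policies so usage is coordinated across IPTV, SMS, MMS and Ringtones. The contracts for Pascal and Quincy mirror the slide's callouts; the third contract, the service names and the addresses are constructed assumptions.

```python
"""SLA contract enforcement at the gateway: per-requester quotas with a counting
window, plus time-of-day and source-IP restrictions. Added example, not Layer 7
code; contract values beyond the slide's two callouts are assumptions."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Contract:
    requester: str
    service: str
    limit: Optional[int]              # None means unlimited
    period: str = "month"             # counting window: "month" or "day"
    hours: tuple = (0, 24)            # allowed hours [start, end)
    source: str = "0.0.0.0/0"         # allowed source address range


class SlaEnforcer:
    """One counter store shared by every service policy, so a requester's usage
    is visible across all services rather than kept per policy."""

    def __init__(self, contracts):
        self.contracts = {(c.requester, c.service): c for c in contracts}
        self.counters = {}            # (requester, service, window) -> requests used

    def decide(self, requester, service, source_ip, now):
        """Return (allowed, reason); the request is counted only if allowed."""
        c = self.contracts.get((requester, service))
        if c is None:
            return False, "no SLA contract"
        if ipaddress.ip_address(source_ip) not in ipaddress.ip_network(c.source):
            return False, "source address not permitted"
        if not c.hours[0] <= now.hour < c.hours[1]:
            return False, "outside permitted hours"
        window = now.strftime("%Y-%m" if c.period == "month" else "%Y-%m-%d")
        key = (requester, service, window)
        used = self.counters.get(key, 0)
        if c.limit is not None and used >= c.limit:
            return False, f"quota of {c.limit} per {c.period} exhausted"
        self.counters[key] = used + 1
        cap = "unlimited" if c.limit is None else c.limit
        return True, f"{used + 1}/{cap} used in {window}"


def when(year, month, day, hour):
    """Helper for building timestamps in the example."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


# Constructed contracts: the two from the slide plus one with hour and IP limits
CONTRACTS = [
    Contract("Pascal", "IPTV", limit=1),                  # 1 free TV show per month
    Contract("Quincy", "SMS", limit=None),                 # unlimited SMS per month
    Contract("Quincy", "MMS", limit=5, period="day", hours=(8, 20),
             source="198.51.100.0/24"),
]
```

Denied requests are not counted, so a burst of rejected calls cannot consume a requester's quota, and the window key rolls over with the calendar month or day rather than with a sliding clock, which is the simpler contract to explain to the requester.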
Some Observations
• XML Gateways / Firewalls provide an effective tool for enforcing security and controlling access to services
• The declarative, non-programmed model provides a great deal of flexibility
• Deployment patterns can be quite diverse
  – DMZ deployment
  – Spanning trust zones
  – XML/WS co-processor
• Security policies tend to include some element of identity
  – IP address, UID/PWD, SSO or federation token …
  – Requires some interaction with identity infrastructure
• Key standards are still evolving but include:
  – WS-Policy, WS-SecurityPolicy, UDDI, SAML
Philip M Walston
VP Product Management
Layer 7 Technologies
+1.604.681.9377