Layer 7 for REST Security
REST Security Solution Sheet
Standards-based Security for Web Oriented Architectures
A single solution simplifies the implementation of security for both REST and WS-* Web Services

For RESTful Web services, how can you:

 • Authenticate/authorize RESTful requesters in a uniform manner?
 • Integrate RESTful Web services with existing identity and access management infrastructure?
 • Monitor and audit access to RESTful Web services?
 • Enforce service levels and quotas for RESTful Web services?

The Problem
Representational State Transfer (REST) and resource orientation in general provide a lightweight approach to exposing Web
APIs, known as RESTful Web services, that is a key component of Web Oriented Architectures. REST requesters and service
implementations use HTTP to exchange resources formatted using common content types, such as PDF, XML, HTML and
JSON. But while developers appreciate the fact that REST provides them with a quicker and easier way to instantiate Web
services than the more traditional SOAP-based/WS-* approach, most of them also recognize that REST lacks a
well-articulated security model.

The Layer 7 Solution
RESTful Web services are closely aligned with the Web and, as such, are subject to all the traditional Web-based threats. Yet,
just as WS-* services do, RESTful Web services also receive payloads and are therefore exposed to message-level threats, such
as injection and parser attacks.

Layer 7’s SecureSpan family of XML Gateways can virtualize service endpoints, ensuring that access to RESTful and WS-* Web
services can only occur via the SecureSpan Gateway. Gateway policies act on each incoming message, validating compliance
with application-specific conditions, such as URI patterns, content level patterns (evaluated using XPath expressions), XML
Schema Definitions (XSD), Schematron, JSON schemas, Regular Expressions (RegEx), HTTP header filtering, and more.

The SecureSpan XML Gateway’s runtime logic also provides integration with IAM infrastructure, enabling authentication of
requesters as well as centralized management of service access. By delegating authentication and authorization of
requesting entities to SecureSpan, organizations can ensure they are performed in a uniform fashion regardless of the
technology implementing the backend. Additionally, SecureSpan XML Gateways can provide a monitoring layer to validate
Quality of Service (QoS) and enforce service levels in real time.
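To make the per-message policy evaluation concrete, the following added example (not SecureSpan code, and not its policy format) models a gateway-style request filter in Python: it applies a URI pattern, required-header and content-type checks, a body size limit, a regex signature check, a DOCTYPE check against external-entity attacks, and a per-client counter standing in for cluster-wide rate limiting. The policy values, the `/api/v1/orders` resource and the sample requests are constructed.

```python
import json
import re

# Constructed sample policy for a hypothetical /api/v1/orders resource.
POLICY = {
    "uri_pattern": re.compile(r"^/api/v1/orders(/\d+)?$"),
    "allowed_methods": {"GET", "POST"},
    "required_headers": {"authorization"},
    "allowed_content_types": {"application/json", "application/xml"},
    "max_body_bytes": 64 * 1024,
    # Blocked-signature regex: script tags and a classic SQL injection fragment.
    "blocked_signature": re.compile(r"<script\b|\bUNION\s+SELECT\b", re.IGNORECASE),
    "rate_limit_per_client": 3,
}


def evaluate(request, policy=POLICY, counters=None):
    """Return (allowed, reason); assertions run in order and the first failure wins.
    `counters` stands in for a cluster-wide counter keyed by client identity."""
    counters = {} if counters is None else counters
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    body = request.get("body", b"")
    if not policy["uri_pattern"].match(request["path"]):
        return False, "uri pattern mismatch"
    if request["method"] not in policy["allowed_methods"]:
        return False, "method not allowed"
    missing = policy["required_headers"] - set(headers)
    if missing:
        return False, "missing header: " + ", ".join(sorted(missing))
    if len(body) > policy["max_body_bytes"]:
        return False, "body too large"
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if body and ctype not in policy["allowed_content_types"]:
        return False, "content type not allowed"
    text = body.decode("utf-8", errors="replace")
    # Reject DTDs outright: XXE and entity-expansion attacks both need a DOCTYPE.
    if ctype == "application/xml" and re.search(r"<!DOCTYPE", text, re.IGNORECASE):
        return False, "DOCTYPE not permitted"
    if ctype == "application/json":
        try:
            json.loads(text)
        except ValueError:
            return False, "malformed JSON"
    if policy["blocked_signature"].search(text):
        return False, "blocked signature matched"
    client = headers["authorization"]  # a real gateway would key on the authenticated identity
    counters[client] = counters.get(client, 0) + 1
    if counters[client] > policy["rate_limit_per_client"]:
        return False, "rate limit exceeded"
    return True, "ok"
```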
Key Features

Identity and Message Level Security

Identity-based access to services and operations
 • Integration with leading identity, access, SSO and federation systems from Oracle, Sun, Microsoft, CA, IBM Tivoli, Novell
 • Enforce fine-grained entitlement decisions authored in an XACML PDP

Manage security for cross-domain and B2B relationships
 • Credential chaining, credential remapping and support for federated identity
 • Integrated SAML STS issuer featuring support for SAML 1.1/2.0 authentication, authorization and attribute based policies and Security Context Tokens
 • Integrated PKI CA for automated deployment and management of client-side certificates, and integrated RA for external CAs
 • STS support for WS-Trust and WS-Federation

Secure REST, WSDL and POX interfaces
 • Selectively control access to interfaces down to an operation level
 • Create on-the-fly composite WSDL views tailored to specific requestors
 • Out of the box support for popular Cloud & SaaS interfaces from SFDC & Amazon
 • Service look-up and publication using WSIL and UDDI

Audit transactions
 • Log message-level transaction information
 • Spool log data to off-board data stores and management systems

Threat Protection

Filter XML content for SOA, Web 2.0 and Cloud
 • Configurable validation & filtering of HTTP headers, parameters and form data
 • Detection of classified or “dirty” words or arbitrary signatures with subsequent scrubbing, rejection or redaction of messages
 • Support for REST, AJAX, XML, SOAP, POX and other XML-based services

Prevent XML attack and intrusion
 • Protect against XML parsing, XDoS and OS attacks; SQL and malicious scripting language injection attacks; external entity attacks
 • Protection against XML content tampering and viruses in SOAP attachments
 • DoD STIG vulnerability tested and assured

Transactional Integrity Protection
 • Protect against identity spoofing and session hijacking cluster-wide
 • Assure integrity of communication end-to-end

Traffic Management

Throttling
 • Granular rate limiting and traffic shaping based on number of requests or service availability across a cluster

Cluster-wide counters
 • Persist message counters across clusters so that rate limiting and traffic shaping can be strictly enforced in high availability configurations

CoS for XML
 • Prioritize XML traffic based on Class of Service/Quality of Service preferences

Service availability
 • Manage routing to back-end services based on availability or latency performance

Reporting and analysis
 • Configurable, out-of-the-box reports provide insight into SSG operations, service-level performance, and user experience
Supported Standards
Certificates, FIPS 140, Kerberos, W3C XML Signature, W3C XML Encryption, SSL/TLS, SNMP, SMTP, POP3, IMAP4,
HTTP/HTTPS, JMS, MQ Series, Tibco EMS, FTP, WS-Security, WS-Trust, WS-Federation, WS-SecureExchange,
WS-Addressing, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment,

To learn more about Layer 7 call us today at +1 800.681.9377 (toll free within North America) or
+1.604.681.9377. You can also email us at; friend us on; visit us
at, or follow us on Twitter @layer7.

Copyright © 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
