SecureSpan XML Firewall for Identity-Based Firewalling

Solution Brief: Identity-Based XML Firewalling with SecureSpan™ XML Firewall

[Figure: diagram with the labels Consumer, XML Firewall Cluster and Web Service. Caption: SecureSpan XML Firewall clusters, screening XML content, centrally controlling service level access and enforcing message level security policies like privacy and integrity.]


The Problem:
Identity is at the heart of SOA security. Identity drives authentication and authorization decisions for
all client-service interactions in an SOA. The ability to validate identity is also central to enforcing
transactional integrity and accountability policies. However, defining and enforcing identity-based
security policies is complicated in an SOA. Machine identities for client applications must be stored
in a centrally accessible directory. Services must be able to extract identity information
from credentials passed to them inside a Web services message, validate those credentials against a
centralized identity directory and then enforce a security policy based on the rights associated with
the identity. How a Web services security policy is defined, how to support decision delegation to
existing policy decision points, how to find the credentials in a Web services message, how to assure
compliance with the various WS-* and WS-I security standards, and how to propagate identity context
in multi-hop SOA environments only complicate the application of identity to SOA. This is where an
identity-based XML Firewall product like Layer 7’s can help.

The Layer 7 Solution:
The SecureSpan XML Firewall provides security and SOA architects with a centralized integration and
enforcement point for identity-based SOA security operations like client authentication, service-level
authorization, message privacy and transaction integrity. The SecureSpan XML Firewall integrates with
popular identity and access products including LDAP, MS Active Directory, CA SiteMinder, CA
TransactionMinder, RSA ClearTrust, Tivoli AccessManager, Novell Access Manager, Oracle Access
Manager and Sun Java Access Manager so that an existing identity and access policy store can be
reused for SOA. The SecureSpan XML Firewall also offers hardware-accelerated XML parsing, validation
and transformation so that identity credentials can be rapidly extracted, validated and, if need be,
transformed for downstream authentication. To support emerging single sign-on and federation
standards, the SecureSpan XML Firewall also supports WS-Trust and SAML.

Innovations and Solution Features:
- Support for access control based on multiple identities/groups/identity sources in a single XML Firewall policy
- Ability to distribute third party Web SSO session cookies to Web services clients
- Optional SecureSpan XML VPN Client automates PKI provisioning to Web Service clients
- Range of credential support including HTTP, WS-S, WS-Trust, Web SSO, and SAML 1.1 / 2.0
- Built-in PKI subsystem and support for external X.509 certificates
- Standards-based interface to external STS SAML issuers
- Rich credential mining tools
- Policy branching supports any combination of identity and content based message processing

Supported Standards and Specifications:
XML 1.0, SOAP 1.1, REST, AJAX, XPath 1.0, XSLT 1.0, WSDL 1.1, XML Schema & DTD, LDAP 3.0, SAML 1.1/2.0, PKCS #10,
X.509 v3 Certificates, W3C XML Signature 1.0, W3C XML Encryption 1.0, FIPS 140.2, SSL/TLS 2.0 / 3.0, SNMP, SMTP, FTP,
HTTP/HTTPS, WS-Security 1.0, WS-Trust 1.0, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-Security Policy,
WS-Policy, WS-Secure Exchange, WSIL, WS-I, WS-I BSP, UDDI 3.0

Key Features

XML Threat Protection
- Infrastructural protections against XML parsing, XDoS and OS attacks
- Application protection against XML content tampering and viruses in SOAP attachments
- Protection against SQL and malicious script injection attacks
- Allow / reject messages based on time of day, day of week and IP address
- Configurable throughput restrictions based on requestor or destination prevent downstream XDoS

Advanced Identity, Credentialing and PKI Support
- Onboard identity store for administrative identities and fast staging of new services
- Integration with multiple external identity, access, single sign-on and federation systems including LDAP, Microsoft (Active Directory and Active Directory Federated Services), Novell Access Manager, Oracle Access Manager, IBM Tivoli (Access Manager and Federated Identity Manager), CA SiteMinder and TransactionMinder, RSA ClearTrust, Sun Java Access Manager
- Credential chaining, credential remapping and support for federated identity
- Comprehensive support for SAML 1.1/2.0 authentication, authorization and attribute based policies
- Integrated PKI CA for automated deployment and management of client-side certificates and RA ability for external CAs including Verisign

General Security
- Support for XML, SOAP, POX, AJAX, REST and other XML-based services
- Configuration wizards simplify policy creation and activation
- Support for policy branching based on identity or any message content or context
- Support for multiple routing destinations with configurable failover
- Policies can be applied to request-only, response-only or both request and response messages

Administration Options
- GUI-based SecureSpan Manager deployed as either a standalone application (Windows / Linux) or browser-based (Internet Explorer / Firefox)
- Centralized cluster management and configuration with delegated administration
- Drag and drop policy-based policy configuration
- Intelligent, real-time validation and testing of policies
- Logging and audit trapping of violations and system/user defined events via SNMP and SMTP
- Dashboard for graphical, real-time monitoring of traffic profiles and security violations
- Audit controls

Phone: 800.681.9377
