US Intelligence Community
Secure Information Sharing with Layer 7 Oracle Service Bus Appliance
The US federal government is one of the largest and most complex organizations on the planet. By extension, the US Intelligence Community is one of the most complex information gathering, processing and disseminating organizations in the world. By augmenting the power of the US’s military forces, the intelligence community has enabled the US to more effectively project the presence of the only conventional superpower left on the globe. But in the post-9/11 world of nonconventional forces, that’s not enough.
September 11, 2001 brought intelligence sharing to the forefront. The sheer scale and complexity of the US military forces presents potential weaknesses that terrorists can take advantage of, so in an effort to coordinate against potential threats, the US government formed the position of the Director of National Intelligence. As publicly stated by Bob Jordan, head of the FBI's Information Sharing Task Force, “Our missions and priorities are being redefined to better reflect the post-9/11 realities… A substantial component of this approach is information sharing, not only at the federal level but also within the entire law enforcement and intelligence communities.”
ESBs in the DMZ
The US Intelligence Community has always operated as silo’ed repositories of information. Post-9/11, those silos had to come down. Sharing information between agencies would require a SOA-based approach to mediate between disparate systems: an ESB. But to meet federal guidelines, those ESBs would need to be secured in the DMZ. Layer 7 OSB Appliance provided the perfect congruence of a government-approved security vendor + a SOA integration solution in a security-hardened appliance.
Goal: Cross Domain Information Sharing
Each organization within the intelligence community has a number of intelligence sharing services that have long
been made available within and across their own organization. To open these services to other entities of the
greater intelligence sharing community means interconnecting disparate systems that were never created to be
interoperable across organizational or jurisdictional boundaries. And that, of course, means opening them up to
potential intrusion by third parties. Selectively exposing information services to partners while locking them down
to others is a problem familiar to many commercial organizations, but on a vastly more complex scale than
securing a supply chain, for example. So the US government turned to the experts.
The federal Systems Integrator (SI) community is both wide and deep, encompassing a range of experienced
organizations like Booz Allen Hamilton, Raytheon, General Dynamics, Lockheed Martin, SAIC, and a host of others
that have been a key part of building the federal government’s electronic infrastructure for decades. “We have a
lot of technology, but a lot of it is still point solutions focused on just one of those problems, not at the integration
in an enterprise or at a national security level. We have a lot of crypto devices, firewalls, identity and access
management, including biometrics, smart cards and audit software to see what is going on in the network. My real
concern is the integration of that technology.” Natalie Givans, Vice President, Booz Allen Hamilton.
Problem: Securing ESBs in the DMZ
The US Intelligence Community information sharing project required the implementation of a rapidly deployable,
highly secure, perimeter-based solution for delivery of services protected within a high security enclave. Given the
wide range of services provided by the intelligence community, as well as the diverse systems (both modern and
legacy) on which those services depended, the solution initially required support for a variety of protocols and
transports (including secure FTP, email, HTTP/S and JMS), while subsequent phases of the project would require
the flexibility to expand support to include non-standard means. For this reason, a SOA integration solution like
Oracle Service Bus (OSB) would need to be central to the solution in order to provide the messaging and
connectivity support required. However, sharing silo’ed information securely across organizational boundaries
means securing the DMZ – an area in which OSB is not traditionally deployed.
Solution: Layer 7 Oracle Service Bus Appliance Proves Key
Organizations that try to leverage middleware products within a DMZ often face significant resistance from their
information assurance and operations departments due to the cost and risks associated with testing and certifying
the solution. As a result, usually only pre-approved devices like routers, firewalls and web servers are allowed in
the DMZ. A SOA environment exposing messaging and application-specific operations within the application
enclave poses a security risk by potentially allowing forged/malicious requests from beyond the enterprise
perimeter into the depths of the organization’s most vulnerable computing resources.
The Layer 7 Oracle Service Bus Appliance (L7 OSB Appliance) from Layer 7 Technologies and Oracle offers the
perfect congruence of a government-approved security vendor and a market-leading ESB in a security-hardened
appliance format, creating a DMZ-ready SOA development platform. As a pre-integrated solution delivered in an
appliance form factor, the customer’s SI was able to quickly install L7 OSB Appliance in the rack, connect power
and network cables, assign an IP address, and make the platform quickly available for use.
The L7 OSB Appliance provides acceleration of CPU-intensive operations like message parsing, data validation and
XML transformation, while the integral Layer 7 XML Firewall provides DMZ class threat protection, advanced
identity integration and message level security capabilities to address the broadest range of external threats. By
performing these tasks in a hardware appliance, L7 OSB Appliance ensures latency is reduced, applications aren’t
overloaded and service endpoints can offload computationally intensive operations to hardware. The OSB’s wide
range of out-of-the-box adapters and ability to translate “any-to-any” transport/protocol meant the solution
would be able to connect to the diversity of legacy services offered by the Intelligence Community today, while
retaining the flexibility to support future transports.
Due to the security requirements of the US national computing infrastructure, L7 OSB Appliance is configured to
address Denial of Service (DoS), attached viruses and code injection attacks, as well as ensure message
integrity and confidentiality. The L7 OSB Appliance also provides runtime control over federated
authentication/authorization of external agencies and partners who seek connectivity to the composite
application/messaging capabilities provided by the solution.
Given that this project was awarded as a firm, fixed price contract, the SI was forced to do more with less. In this
scenario, the L7 OSB Appliance was a game changer, providing the means to profitably deliver the project by
leveraging an out-of-the-box SOA platform in order to build out a solution much quicker than any alternatives.
As a pre-integrated SOA development platform, L7 OSB Appliance provided the SI with a significant head start on
the project by reducing installation, deployment and configuration work. Additionally, they were able to take
advantage of the pre-existing appliance lockdowns, making certification and accreditation much simpler.
As a result, L7 OSB Appliance dramatically decreased total cost of implementation and time to market, while
improving business agility through the OSB connectivity adapters and split/join orchestration capabilities.
Copyright © 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are
trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.