; 1400pm-1430pm_Simple_way_to_secure_your_IT_environment_with_SOA_appliance_Singapore
Learning Center
Plans & pricing Sign in
Sign Out
Your Federal Quarterly Tax Payments are due April 15th Get Help Now >>



  • pg 1
									Simple way to secure your IT
environment with SOA appliance

WebSphere DataPower SOA Appliances

    Charles Yeo
    Senior WebSphere Technical Specialist: yeochc@sg.ibm.com
Security concerns
• Physical access to server with sensitive
• Un-patch security exposure (already
• Data content
  – Confidentiality
  – Integrity
  – Executable content that causes security threat
• Authentication, Authorization and Audit
WebSphere DataPower SOA Appliance
Basic Use Cases
Internet          DMZ               Trusted Domain


            1 B2B Gateway          3 Low Latency Gateway

            2 Secure Gateway       4 Internal Security
              (Web Services,
               Web Applications)   5 Enterprise Service Bus
                                   6 Web Service Management
Consumer                           7 Legacy Integration
                                   8 XML Acceleration           System z
WebSphere DataPower SOA Appliance
Product Line
                  XM70                                                 XB60
      High volume, low latency messaging                    B2B Messaging (AS2/AS3)
      Enhanced QoS and performance                          Trading Partner Profile Management
      Simplified, configuration-driven approach to          B2B Transaction Viewer
       LLM                                                   Unparalleled performance
      Publish/subscribe messaging                           Simplified management and
      High Availability                                      configuration

                           Offload XML processing                              XS40
                           No more hand-optimizing XML              Enhanced Security
                           Lowers development costs                  Capabilities
                                                                     Centralized Policy
      Hardware ESB                                                  Fine-grained authorization
      “Any-to-Any” conversion at wire-speed                         Rich authentication
      Bridges multiple protocols
      Integrated message-level security
Appliance with Improved Performance and
           DataPower’s Hardware Device                      XML Security Server Appliance

                            Configuration               Config        Config     Config    Config

                                                    Proprietary      Web Application
                                                     Software        Server          Database

                       Firmware                     XML      C          Dev                Config
                                                   Library Library    Platform
                                                                                  Server Daemon
                                                                  Operating system

         XML         Crypto                                 CD       USB
                                   Hardware        Floppy                      Disk   Hardware
      Acceleration Acceleration                             Rom      Port

  •     Optimized hardware, firmware, embedded OS
  •     High assurance locked-down configuration
  •     Security vulnerabilities minimized (open source, Trojan horses, Java/C++ libraries)
  •     Hardware storage of encryption keys, locked audit log
  •     No drives/USB ports, tamper-proof case
  • FIPS level 3, Under evaluation by Common Criteria EAL4
  • Large financial and government customers
XML security threats are growing
DataPower provides hardened real-time protection
 •   XML Entity Expansion and Recursion   •   Message Snooping
     Attacks                              •   XPath Injection
 •   XML Document Size Attacks            •   SQL injection
 •   XML Document Width Attacks           •   WSDL Enumeration
 •   XML Document Depth Attacks           •   Routing Detour
 •   XML Wellformedness-based Parser      •   Schema Poisoning
     Attacks                              •   Malicious Morphing
 •   Jumbo Payloads                       •   Malicious Include – also
 •   Recursive Elements                       called XML External Entity
 •   MegaTags – aka Jumbo Tag Names           (XXE) Attack
 •   Public Key DoS                       •   Memory Space Breach
 •   XML Flood                            •   XML Encapsulation
 •   Resource Hijack                      •   XML Virus
 •   Dictionary Attack                    •   Falsified Message
 •   Message Tampering                    •   Replay Attack
 •   Data Tampering                       •   …others
XML Structural Exploit: Billion Laughs
    <?xml version="1.0" encoding="UTF-8" ?>
    <!DOCTYPE getCustomerFullName[
    <!ELEMENT billion (#PCDATA)>
    <!ENTITY laugh0 "ha">
    <!ENTITY laugh1 "&laugh0;&laugh0;">
    <!ENTITY laugh2 "&laugh1;&laugh1;">
    <!ENTITY laugh3 "&laugh2;&laugh2;">
    ... and so on ...
    <!ENTITY laugh127 "&laugh126;&laugh126;">
      <customerId xsi:type="xsd:string">111-11-1111</customerId>
(Mis)use-case: XML Denial Of Service
(xDoS)                                                      Heap Dump


 • Structural XML exploits. E.g.                Application/XML Server
    – XML Document Width attacks
    – XML Entity Recursion (“Billion Laughs”)
 • SOAP passes through firewalls, DMZ
 • Result:
    – High CPU utilization: 100% by App
      Server process
    – Out-of-Memory Error in App Server logs
    – Service outage & heap dump
XML Threat Solution: xDoS Protection

  Hacker                XML Security Appliance                        Web Service

 • XML Attacks are stopped & logged
 • Protects any App Server hosting
   Web Services
 • Non-invasive, Drop-in solution
 • Existing Apps: minimal changes
 • New Apps: reusable QoS
DataPower: Security Benefits
Flexible Message-level Security
Configurable cryptographic actions

• Promote PCI and other confidentiality requirements
• Easily sign, verify, decrypt and decrypt any content
• Configure XML Encryption & XML Digital Signature at:
    – Message-level
    – Part-of-message or field-level
    – Headers, as building block of other security specs
• Verify-all option (data-driven verification of all signatures)
• Secure Attachment Processing:
    – Supports the full SOAP with Attachments specification
    – WS-Security
• Last-mile Security for SOA
DataPower Advantage: Security & Scalability XML
WS Security is XML Processing
                                                                                            Approved, decrypted and
  Encrypted & Signed
                                                                                             validated SOAP/XML
  SOAP/XML Transaction

             Schema       XPath        XML         Signature              Schema           XML          XML        XML
            Validation   Filtering   Decryption        g Steps
                                                                         Validation   Transformation   Signing   Encryption

   1          3           5            8              8         1            3            10             6          8

 • Performance is key to security
           – Each security function requires XML processing
           – Must implement all services without any compromise
           – Need ability to scale as content and user base grows
XML Security Performance Analysis
                                                                            Contribution of XML
                Basic XML Processing                         1.2
                                                                           Processing to Security

          0.8                                                0.8                    XML                     Proc.


                                                             0.6         XML
                                `                                                  Tasks
                                                                       Security             `                   XML
          0.4                                                0.4        Tasks                                   Proc.
          0.2                  X10*                          0.2                    XML
                Software    DataPower
                Impact of Crypto Accel.                       1.2
                                                                            DataPower Advantage

           1                                                       1


          0.8                                                 0.8

          0.6                                                 0.6
                                      `                                                         `
          0.4                                                 0.4

          0.2                                                 0.2

           0                                                       0
                Software   Software w/                                 Software    Software w/      DataPower
                             Crypto                                                  Crypto
                           Acceleration                                            Acceleration
                                      *For demonstration only. Actual processing
                                         time varies depending on application.
Access Control Integration Framework
Authenticate, Authorize, Audit (AAA)

                 Transport Headers                                             LDAP
                 URL                                                           ActiveDirectory
                 SOAP Method                                                   SAML
                 XPath                                                         Tivoli
                                                                               CA eTrust/Netegrity
                  Extract                                         Map          RSA                   SAML Assertion
                                                                               Entrust               Credential Mediation
                 Resource                                       Resource       Novell                IDS Integration

                                                                                                                            Output Message
 Input Message

                                      ActiveDirectory                          Proprietary           Monitoring
                                                                                                      Audit &
                 WS-Security          CA eTrust/Netegrity                       Authorize
                 SAML                 RSA                                                            Accounting
                 X.509                Entrust
                 Kerberos             Novell
                 Proprietary Tokens   RACF

                   Extract                                        Map
                   Identity                                    Credentials

                                                             External Access Control Server or
                                                            Onboard Identity Management Store
Web Application Firewall
•   URL-encoded HTTP application             HTML Input Conversion Maps for form
    protection in addition to XML Web         processing and handling
    Services firewall security               Cookie watermarking (sign and/or encrypt)
•   Protection for static or dynamic         Rate limiting and traffic throttling/shaping
    HTML-based applications
                                             HTTP header stripping, injection and rewriting
•   Supports browser-based clients
    and HTTP/HTTPS backend servers           HTTP protocol and method filtering
•   Wizard-driven configuration              Content-type filtering
•   Cross-site scripting and SQL             Dynamic routing and load balancing
    Injection protection
                                             Session handling policies
•   AAA framework support for web
                                             SSL Acceleration & Termination (Link)
•   General name-value criteria              XML and non-XML processing policies
    boundary profiles for:                   Customizable error handling
     –   Query string and form parameters
     –   HTTP headers
     –   Cookies
Configuration & Administration
Fits into existing environments
•   Depth of functionality to scale to full operational complexity
•   Multiple administration consoles
     – WebGUI – 100% availability of functions in all consoles
     – CLI – Familiar to network operators
     – SOAP interface – Programmatic access to all config for easy scripting
•   IDE integration
     – Eclipse/Rational Application Developer                                  SNMP

     – Altova XML Spy

•   WAS 7 Admin Console for Multi-box Management
•   Easy export/import for configuration promotion
•   Standard operational interfaces
     – SNMP, syslog, etc.
•   Industry leading integration support across IBM and 3rd party application,
    security, identity management, and networking infrastructure
    Simple Appliance Configuration for
    Robust Connectivity Functionality
Fits into your existing environment
•   Address broad organizational needs
    (Architects, Developers, Network
    Operations, Security)

•   Complete Configuration from GUI or
    CLI interface

•   IDE integration/Eclipse plug-in

•   XPath / XML config files

•   SNMP

•   SOAP management interface
DataPower Multistep Processing
• Sample Multistep policy with dynamic

                                 Authenticates user
                              credentials in message                                 Routes the message
       Schema validates                                     Transforms the
                                    using LDAP;                                    based on an XPath rule
    message with cached                                   message using an
                               subsequent messages                                    that interrogates a
    XSD that was originally                               XSLT file that was
                              from the same user can                                cached XML file using
     retrieved from off-box                            originally retrieved from
                                  be authenticated                                  content from the input
           web server                                     off-box web server
                                 against the cached                                        message.
Summary – IBM Specialized Hardware for
Secure, Smart SOA Connectivity
  •   Hardened, specialized product for helping integrate, secure &
      accelerate SOA
  •   Many functions integrated into a single device
  •   Broad integration with both non-IBM and IBM software
  •   Higher levels of security assurance certifications require hardware
  •   Higher performance with hardware acceleration
  •   Simplified deployment and ongoing management

                                SOA Appliances: Creating customer value
                                through extreme SOA performance,
                                connectivity, and security
                                 Simplifies SOA and accelerates time to value
                                 Helps secure SOA XML implementations
                                 Governs and enforces SOA/Web Services policies

Thank You

To top