XML-Aware Cross Domain Solutions
CDS/XML Firewall Integration

Layer 7 Technologies
White Paper


Contents

Introduction ... 3
   CDS-XML Firewall Integration ... 3
Architectural Options ... 4
   Co-Processor Deployment Model ... 4
   Sandwich Deployment Models ... 5
   Integrated XML Cross Domain Solution ... 5
The Layer 7 XML Firewall ... 6
Conclusions ... 7
About Layer 7 Technologies ... 8
Contact Layer 7 Technologies ... 8
Legal Information ... 8




© Copyright 2009 by Layer 7 Technologies, Inc. (www.layer7tech.com)    2


Introduction
Government organizations have traditionally employed Cross Domain Solutions (CDSs) to enforce security policies
between disparate information systems residing in different classification levels. These Cross Domain Solutions
have been certified and accredited to protect the sensitive domain from attack and to protect sensitive
information from being leaked across classification boundaries.

However, with XML becoming the de facto language of information exchange, governments have begun looking at
XML and Service Oriented Architecture (SOA) enabled technologies and products, like Web Services and Enterprise
Service Buses (ESBs). Unfortunately, the current generation of XML-based cross-domain solutions fails to
completely support Web services-oriented standards. While there are solutions that provide basic and very limited
data validation and sanitization capabilities, they fail to address the commensurate problem of coordinating
security and integration policy between interacting classification domains.

Therefore, to enable service-oriented business processes to span security domains and organizational boundaries,
a new technology is required that can protect, connect and validate transactions across these boundaries.

Rather than place responsibility on the CDS vendor for enablement of messaging, security, standards compliance,
and interoperability around service-oriented capabilities and XML, the quickest way forward is to leverage
Commercial Off The Shelf (COTS) technologies to bridge the gaps between what CDSs do today and what is
required for XML and SOA enablement.

In the private sector, when secure cross-boundary information sharing is required, organizations look solely to
firewall-type devices and a defense-in-depth network architecture to meet their requirements. In the government,
however, where classification domains are prevalent, this concept is further complicated by the need for high
assurance guards, processes, policies, and governance organizations like the Unified Cross Domain Management
Office (UCDMO). This paper focuses on XML firewalls used to augment existing certified and UCDMO-acknowledged
guards. However, where there is no requirement for an existing acknowledged guard, an XML firewall may be used
directly to enforce cross domain security policy, especially if the XML firewall leverages a trusted operating
system and is able to meet the scrutiny of cross domain certification.

CDS-XML Firewall Integration
The availability of COTS XML firewall products provides the opportunity to improve existing ASCII-based
high-assurance CDSs by offloading SOA approaches and technologies such as Web Services (UDDI, SOAP, and WSDL),
REST, AJAX, and Web 2.0 to a purpose-built device. In addition, the standards-based capabilities of XML firewall
products substantially improve the standards compliance of CDSs. An integrated CDS/XML firewall solution is
capable of processing SOAP, WSDL, WS-Security, XML Encryption, XML Digital Signature, and Security Assertion
Markup Language (SAML).






Architectural Options
Figure 1 illustrates two options for integrating a CDS with XML firewall appliances, plus a third option representing
an XML-enabled CDS that incorporates all of the functionality of an XML firewall onto the CDS platform.




Figure 1: Options for XML-based Cross Domain Solutions (CDSs)


Co-Processor Deployment Model
The co-processor deployment model is closest to the way CDSs are deployed today, in which applications in
separate domains can only interact via the CDS using supported connectivity options. In this case, the XML firewall
is deployed to handle any XML content not supported by the CDS, which may include encoded XML data, SOAP
security headers, encrypted/digitally-signed content, and various others. The solution functions similarly to a
standalone CDS with its various content filters, but in this case the CDS leverages the XML firewall's set of tools for
processing XML. The resulting solution provides superior capabilities when it comes to handling Net-Centric
technologies and standards, all without incurring a substantial CDS development effort.
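The division of labour described in this section and in the CDS-XML Firewall Integration section, as an added example that is not code from Layer 7 or from the paper: a Python sketch of the XML firewall stage in the co-processor model. It performs the structural XML checks (size, DOCTYPE, nesting depth), requires and reads the WS-Security UsernameToken, and decodes the base64-encoded content, so that the legacy ASCII-based guard receives only a plain-text document and a few attributes for its existing content filters. The service namespace `urn:example:transfer`, the `Payload` element, the limits and the sample messages are all constructed for this example.

```python
"""Added example (not Layer 7 code): the XML firewall stage of a co-processor
CDS deployment. It does the XML-specific work the ASCII-based guard cannot and
hands the guard a plain payload. Namespaces, element names, limits and sample
messages are constructed for the example.
"""
import base64
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
OP_NS = "urn:example:transfer"    # hypothetical service namespace

MAX_MESSAGE_BYTES = 64 * 1024     # constructed limits for the example
MAX_DEPTH = 32


class PolicyViolation(Exception):
    """Raised when a message fails an XML firewall policy assertion."""


def structural_checks(raw: bytes) -> None:
    """Reject size, DOCTYPE and nesting abuses before any full parse."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise PolicyViolation("message exceeds size limit")
    # A DOCTYPE enables entity expansion and external entity references;
    # SOAP has no legitimate use for one, so refuse the message outright.
    if re.search(rb"<!DOCTYPE", raw, re.IGNORECASE):
        raise PolicyViolation("DOCTYPE declaration not permitted")
    # Walk start/end events with the pull parser to bound element nesting.
    depth = 0
    parser = ET.XMLPullParser(events=("start", "end"))
    try:
        parser.feed(raw)
        for event, _ in parser.read_events():
            depth += 1 if event == "start" else -1
            if depth > MAX_DEPTH:
                raise PolicyViolation("element nesting too deep")
        parser.close()
    except ET.ParseError as exc:
        raise PolicyViolation(f"malformed XML: {exc}") from exc


def preprocess_for_guard(raw: bytes) -> dict:
    """Return the attributes and plain-text payload the CDS content filters need."""
    structural_checks(raw)
    root = ET.fromstring(raw)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise PolicyViolation("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise PolicyViolation("SOAP Body must contain exactly one operation element")
    operation = body[0]
    # Policy: a WS-Security UsernameToken must be present. The firewall, not
    # the guard, understands this header; the guard only sees the identity.
    username = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/"
                         f"{{{WSSE_NS}}}UsernameToken/{{{WSSE_NS}}}Username")
    if username is None or not (username.text or "").strip():
        raise PolicyViolation("WS-Security UsernameToken required")
    # The hypothetical service carries its document base64-encoded in <Payload>.
    payload_el = operation.find(f"{{{OP_NS}}}Payload")
    if payload_el is None or payload_el.get("encoding") != "base64":
        raise PolicyViolation("expected base64-encoded Payload element")
    try:
        text = base64.b64decode(payload_el.text or "", validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise PolicyViolation("payload is not base64-encoded ASCII") from exc
    return {"operation": operation.tag.rsplit("}", 1)[-1],
            "username": username.text.strip(),
            "payload": text}


def firewall_decision(raw: bytes) -> str:
    """One-line accept/reject summary of the kind an audit log would record."""
    try:
        result = preprocess_for_guard(raw)
    except PolicyViolation as exc:
        return f"rejected: {exc}"
    return f"accepted: {result['operation']} from {result['username']}"


# Constructed sample: a well-formed request carrying a base64 document.
_DOCUMENT = b"UNCLASSIFIED: weather report 2009-03-01"
SAMPLE_MESSAGE = (
    b'<?xml version="1.0"?>\n'
    b'<soap:Envelope xmlns:soap="' + SOAP_NS.encode() + b'"\n'
    b'               xmlns:wsse="' + WSSE_NS.encode() + b'">\n'
    b'  <soap:Header><wsse:Security><wsse:UsernameToken>\n'
    b'    <wsse:Username>analyst</wsse:Username>\n'
    b'  </wsse:UsernameToken></wsse:Security></soap:Header>\n'
    b'  <soap:Body><t:TransferDocument xmlns:t="' + OP_NS.encode() + b'">\n'
    b'    <t:Payload encoding="base64">' + base64.b64encode(_DOCUMENT) + b'</t:Payload>\n'
    b'  </t:TransferDocument></soap:Body>\n'
    b'</soap:Envelope>\n'
)
# Two constructed rejects: a DOCTYPE inserted after the XML declaration, and
# the same message with its WS-Security header stripped.
DOCTYPE_MESSAGE = SAMPLE_MESSAGE.replace(b"?>\n", b"?>\n<!DOCTYPE soap:Envelope>\n", 1)
UNAUTHENTICATED_MESSAGE = re.sub(rb"<soap:Header>.*?</soap:Header>", b"",
                                 SAMPLE_MESSAGE, flags=re.S)

if __name__ == "__main__":
    for message in (SAMPLE_MESSAGE, DOCTYPE_MESSAGE, UNAUTHENTICATED_MESSAGE):
        print(firewall_decision(message))
```

The guard never sees the SOAP envelope, the security header or the base64 encoding: it receives `operation`, `username` and `payload` and applies the content filters it was certified with. Everything XML-specific, including the rejection of messages that fail structural checks, stays on the XML firewall side of the boundary.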





Sandwich Deployment Models
Figure 2 depicts two methods of integrating a CDS with XML firewalls in a sandwich deployment.




Figure 2: Sandwich Deployment Models

Deployment model #1 utilizes an in-line approach, in which the high and low side XML firewalls are directly
connected to the CDS. In this configuration, no system other than the XML firewall can access the CDS. Although
this configuration affords some degree of protection to the CDS, ultimately it may prove more of a limitation than
a benefit because the cross domain solution will not be accessible by applications that cannot interface with the
XML firewalls.

Deployment model #2 utilizes the XML firewall in an out-of-band configuration, in which a combination of network
switch configurations and transport/message layer security capabilities allows the XML firewalls and CDS to be
physically separated within their corresponding classification domains. Generally, this deployment approach is
best suited to situations in which XML firewall knowledgeable personnel are not available at the CDS deployment
location, or when legacy applications (i.e., non-XML or non-SOA-based applications, connection types or formats)
must connect to the CDS. This option additionally allows the XML firewall to be owned, deployed, and managed by
a local Application Provider, which can be useful when working with enterprise-deployed cross domain capabilities.

In either case, applications that interface with an XML firewall are insulated from communicating directly with the
CDS. In this way, the CDS can continue to work with legacy applications while taking advantage of XML firewall
functionality to introduce new integration capabilities.

It should be noted that although XML firewalls can be deployed anywhere within a network and still maintain a
sandwich architecture, physical security of all components will need to be maintained.

Integrated XML Cross Domain Solution
The ultimate goal for the CDS community is to achieve the single box vision of an XML CDS (XCDS). Due to the cost
and complexity involved in creating a standards-compliant XCDS, no vendor currently offers an off-the-shelf
product. Compared to existing CDSs, XML firewalls with their SOA, Web Services, and Web 2.0 integration and
content processing capabilities may offer the best starting point from which to cost-effectively achieve the XCDS
goal. In the meantime, a hybrid approach that combines the high assurance of a CDS with the XML capabilities of
an XML firewall remains the best option.

The XCDS option builds upon the lessons learned in the sandwich and co-processor deployment models. However,
rather than relying on the hardware-based firewall appliance, this option deploys XML firewall software directly on
the CDS platform. In this configuration, the core functionality of the CDS remains unchanged while the
connectivity, integration, and processing capabilities running in each classification domain are augmented based
on the capabilities of the XML firewall software. This option is the solution of choice for situations in which heat,
weight and power are limited.

Layer 7 Technologies is currently working with the leading CDS vendors to provide XCDS capabilities with the goal
of allowing government organizations to purchase a turnkey XCDS solution.


The Layer 7 XML Firewall
Layer 7’s XML firewall solution provides quick-to-market CDS integration through its adaptive policy language and
a Software Development Kit (SDK) for extensibility.

Based on a scalable appliance model, the Layer 7 XML firewall solution consists of three components:
•   The SecureSpan XML Networking Gateway (Gateway) – an XML Firewall or Policy Enforcement Point (PEP)
    designed for policy enforcement of Web Services.
•   The SecureSpan Manager (Manager) – an XML compliance solution for managing and verifying Web service
    policy across domain boundaries.
•   The SecureSpan XML VPN Client (XVC) – an XML VPN or Policy Application Point (PAP) for enabling secure
    partner and business-to-business connectivity.




Figure 3: Components of the Layer 7 XML Firewall Solution

The SecureSpan Gateway is a Policy Enforcement Point (PEP) which proxies and inspects every message destined
for and/or returned from a Gateway-protected service, based on a user-defined set of policies. Policies can
incorporate any combination of identity, authentication protocol, time of day, IP address, message count, message
content or routing parameters. The Gateway optimizes message processing through a combination of built-in
Layer 7 stream processor logic and hardware-based XML acceleration. Gateways can be clustered in a peered
arrangement for high throughput or high availability applications, and can be geographically separated so that
service continues if a single deployment location goes down entirely.

Policies are defined using an extensible palette of drag and drop policy assertions within the SecureSpan Manager.
Policies are displayed as easily readable, hierarchical, graphical collections of assertions, which can also be grouped
with conditional branching. Policies can be created to implement basic security and access control, XML threat
protection, message integrity and encryption, message transformation, SLA monitoring and enforcement,
credential mapping, service fail-over, and more. Changes in policy are replicated automatically between Gateways
in near real-time. The Manager also provides a wide variety of message and event logging, Gateway cluster
management and auditing functions.
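As an added example (hypothetical code, not Layer 7's policy language or SDK), the following evaluates a policy of the kind the two preceding paragraphs describe: a hierarchical collection of assertions on identity, authentication protocol, time of day, IP address, message count and message content, grouped with all-of and one-of (conditional branch) semantics. The evaluator reports the path of the failing assertion so that an audit record states exactly why a message was refused. All assertion names, the network range, the time window and the sample contexts are constructed.

```python
"""Added example (hypothetical, not Layer 7's policy language): a policy
evaluator for a Policy Enforcement Point. Composite assertions combine their
children with all-of or one-of semantics; leaf assertions test one attribute
of the message context. All names and sample values are constructed.
"""
import dataclasses
import re
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional


@dataclass
class MessageContext:
    source_ip: str
    identity: Optional[str]
    auth_protocol: Optional[str]      # e.g. "wsse:UsernameToken" or "saml"
    received_at: datetime
    messages_this_minute: int         # messages already seen from this identity
    body_text: str


@dataclass
class Assertion:
    name: str
    check: Optional[Callable[[MessageContext], bool]] = None
    mode: str = "leaf"                # "leaf", "all_of" or "one_of"
    children: List["Assertion"] = field(default_factory=list)

    def evaluate(self, ctx: MessageContext, path: str = "") -> Optional[str]:
        """Return None when satisfied, else the path of the failing assertion."""
        here = f"{path}/{self.name}" if path else self.name
        if self.mode == "leaf":
            return None if self.check(ctx) else here
        results = [child.evaluate(ctx, here) for child in self.children]
        if self.mode == "all_of":     # the first failing child decides
            return next((r for r in results if r is not None), None)
        if self.mode == "one_of":     # any satisfied branch suffices
            return None if None in results else here
        raise ValueError(f"unknown assertion mode {self.mode!r}")


def all_of(name: str, *children: Assertion) -> Assertion:
    return Assertion(name, mode="all_of", children=list(children))


def one_of(name: str, *children: Assertion) -> Assertion:
    return Assertion(name, mode="one_of", children=list(children))


def source_ip_in(*cidrs: str) -> Assertion:
    nets = [ip_network(cidr) for cidr in cidrs]
    return Assertion("source_ip",
                     lambda c: any(ip_address(c.source_ip) in n for n in nets))


def time_of_day(start: time, end: time) -> Assertion:
    return Assertion("time_of_day", lambda c: start <= c.received_at.time() < end)


def authenticated_by(protocol: str) -> Assertion:
    return Assertion(f"auth_{protocol}",
                     lambda c: c.identity is not None and c.auth_protocol == protocol)


def message_count_below(limit: int) -> Assertion:
    return Assertion("message_count", lambda c: c.messages_this_minute < limit)


def content_matches(pattern: str) -> Assertion:
    rx = re.compile(pattern)
    return Assertion("content", lambda c: rx.search(c.body_text) is not None)


# Constructed policy: trusted network, working hours, one of two credential
# types, a per-minute message cap, and a required classification marking.
CROSS_DOMAIN_POLICY = all_of(
    "cross_domain_policy",
    source_ip_in("10.20.0.0/16"),
    time_of_day(time(6, 0), time(20, 0)),
    one_of("credential", authenticated_by("wsse:UsernameToken"), authenticated_by("saml")),
    message_count_below(100),
    content_matches(r"^UNCLASSIFIED"),
)


def decide(ctx: MessageContext) -> str:
    """Audit-style verdict naming the assertion that refused the message."""
    failure = CROSS_DOMAIN_POLICY.evaluate(ctx)
    return "permit" if failure is None else f"deny ({failure})"


# Constructed sample context and a helper for varying one attribute at a time.
OK_CTX = MessageContext("10.20.5.7", "analyst", "saml", datetime(2009, 3, 1, 10, 30),
                        12, "UNCLASSIFIED: weather report")


def variant(**changes) -> MessageContext:
    return dataclasses.replace(OK_CTX, **changes)


if __name__ == "__main__":
    print(decide(OK_CTX))
    print(decide(variant(source_ip="192.168.1.5")))
    print(decide(variant(identity=None, auth_protocol=None)))
```

Returning the failing assertion's path rather than a bare deny is what makes the policy auditable: the Manager's log can show that a message was refused by `cross_domain_policy/credential` rather than by the IP or content rule, without the operator re-running the policy by hand.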

The SecureSpan XML VPN Client is a Policy Application Point (PAP), and is an optional product that functions much
like a VPN client for Web services. The XVC is deployed with client applications, establishing a connection to a
Gateway or cluster of Gateways based on the policy defined for a service. The XVC automatically downloads
policies from the Gateway and applies any transport, authentication, integrity, encryption or PKI requirements
defined in the policy to all messages originating from the Web services consumer. The XVC functions as a
client-side proxy requiring no changes to the underlying client software – the Web services consumer is simply
reconfigured to direct all messages to a local host where the XVC intercepts them.


Conclusions
By integrating a COTS XML firewall with an existing guard, organizations can quickly realize a cost-effective
XML-enabled CDS solution. The sandwich approach offloads many of the non-security-oriented cross domain tasks
(connectivity, formatting, etc.) from the CDS, and allows an existing certified cross domain solution to be utilized
as part of a more responsive system that can rapidly address the needs of the community. This approach in turn
increases the flexibility of the system and so reduces the cost of ownership.






About Layer 7 Technologies
Layer 7 Technologies is the leader in security and governance for application services, whose turnkey solutions
feature sophisticated runtime governance, agent-less Web services management and industry-leading XML
security. Founded in 2003, Layer 7’s products include the SecureSpan™ family of XML appliances, which help
organizations address security, visibility and governance issues. Layer 7 enables organizations to monitor, adapt
and control their Web services, no matter where they originate – in the enterprise or in the cloud. For more
information, visit us at www.layer7tech.com.


Contact Layer 7 Technologies
Layer 7 Technologies welcomes your questions, comments, and general feedback.

Email:
info@layer7tech.com

Web Site:
www.layer7tech.com

Phone:
604-681-9377
1-800-681-9377 (toll free)

Fax:
604-681-9387

Address:
Layer 7 Technologies
1200 G Street, NW, Suite 800
Washington, DC 20005

Canada Office
Suite 405-1100 Melville Street
Vancouver, BC
V6E 4A6 Canada


Legal Information
Copyright © 2009 by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved.
SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade names and/or
trademarks are the property of their respective owners.



