Core Feature Comparison between XML / SOA Gateways and Web Application Firewalls
Jason Macy, jmacy@forumsys.com
CTO, Forum Systems
XML Gateway vs WAF: Competitive or Complementary?
XML Gateways and WAFs are Complementary Solutions
Key Areas of Comparison
- Topology: Deployment Modes
- Protocols and Message Formats: Standards, Protocols
- Security: Threat Mitigation, Transaction Privacy, Transaction Integrity
- Identity: Access Control, SSO
- Transaction Processing and Mediation: Workflow, Transformation / Mapping
Web Application Firewall - Topology
Role: Security Layer
Deployment modes:
- Non-Inline Mode (50% of deployments)
- Transparent Proxy
- Layer 2 Bridge
- Reverse Proxy
Diagram: Load Balancer -> WAF (Security, Access Control) -> Web Servers -> Application Servers
XML Security Gateway - Topology
Role: Security Gateway / Mediation Layer
Deployment modes:
- Reverse Proxy
- Protocol Break
Diagram: Mobile Services, HTML Portal Servers, REST Services, User Services, FTP Services, XML Services, SOAP Services -> Load Balancer -> XML Gateway -> ESBs, App Servers, Portals, Databases, Legacy Apps
XML Gateway functions: Secure API, Security, Identity, Access Control, Transformation, Governance, Business Logic, Orchestration, Profile Management, Scripting
Protocols and Message Formats
Web Application Firewall
- Standards: Web 2.0, HTML, XML, JSON, AJAX, Flash
- Protocols: HTTP, HTTPS, SSL / TLS, raw TCP
XML Gateway
- Standards: XHTML, XML, SOAP, JSON, AS2, ebXML, SAML, WS-Federation, XML-Sec, WS-Sec, WSDL, XSD, WS-Trust, XACML, WS-Addressing, WS-RM, WS-Policy, XPath, XSLT
- Protocols: HTTP, HTTPS, SSL / TLS, JMS (IBM, Tibco, JBoss, Oracle, ActiveMQ), AMQP, FTP/FTPS, SFTP, SMTP, raw TCP
- Protocol Conversion: any-to-any
Security - Threat Mitigation (IDP): Parse, Detect, Prevent
Web Application Firewall
- HTML content-aware Intrusion Detection and Prevention (URI patterns)
- URI rate-based heuristics
- Vendor vulnerabilities
- URL cloaking / rewrite
- Parameter inspection
- Learning mode
XML Gateway
- XML/SOAP/REST content-aware Intrusion Detection and Prevention (parsing and deep inspection)
- Rate-based and size-based heuristics
- Schema validation
- Virus detection on XML/SOAP payloads
- URL cloaking / rewrite
- XML parser attacks
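The parse / detect / prevent stage that the XML Gateway column describes is easiest to understand as code. The following is an added example written for this page, not Forum Systems' product code: it applies a size-based heuristic, then runs the payload through a parser that refuses DTDs (the vehicle for entity-expansion and external-entity parser attacks) and caps nesting depth and element count. The limits and the sample payloads are constructed for the example and are not vendor defaults.

```python
"""Inbound XML screening in the style of a gateway's parse/detect/prevent
stage. Added example; limits and samples are constructed placeholders."""
import xml.parsers.expat


class PayloadRejected(Exception):
    """Carries the reason a gateway would log and return as a fault."""


def inspect_xml(payload: bytes, max_bytes=64 * 1024, max_depth=32,
                max_elements=5000) -> dict:
    """Size check first, then a single streaming parse that enforces the
    structural limits while it walks the document."""
    if len(payload) > max_bytes:
        raise PayloadRejected(f"size {len(payload)} exceeds {max_bytes} bytes")

    state = {"depth": 0, "max_depth": 0, "elements": 0, "root": None}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Service traffic never needs a DTD; refusing it up front blocks
        # entity expansion and external entity references before any
        # entity is declared.
        raise PayloadRejected("DOCTYPE declaration not permitted")

    def on_start(name, attrs):
        state["elements"] += 1
        state["depth"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["root"] is None:
            state["root"] = name
        if state["depth"] > max_depth:
            raise PayloadRejected(f"nesting depth exceeds {max_depth}")
        if state["elements"] > max_elements:
            raise PayloadRejected(f"element count exceeds {max_elements}")

    def on_end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(payload, True)
    except xml.parsers.expat.ExpatError as exc:
        raise PayloadRejected(f"not well-formed: {exc}") from exc
    return {"root": state["root"], "elements": state["elements"],
            "max_depth": state["max_depth"]}


def screen(payload: bytes, **limits) -> tuple:
    """Gateway-style decision: ('allow', summary) or ('deny', reason)."""
    try:
        return ("allow", inspect_xml(payload, **limits))
    except PayloadRejected as exc:
        return ("deny", str(exc))


# Constructed samples standing in for inbound SOAP traffic.
SOAP_OK = (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
           b'<soapenv:Body><getQuote><symbol>ABC</symbol></getQuote></soapenv:Body>'
           b'</soapenv:Envelope>')
SOAP_WITH_DTD = b'<!DOCTYPE x [<!ENTITY e "x">]><x>&e;</x>'
SOAP_DEEP = b"<a>" * 40 + b"</a>" * 40

if __name__ == "__main__":
    for label, sample in [("ok", SOAP_OK), ("dtd", SOAP_WITH_DTD), ("deep", SOAP_DEEP)]:
        print(label, screen(sample))
```

The decision is taken during the parse rather than after it, so an oversized or overly nested document is abandoned at the first violated limit instead of being fully materialised. Schema validation against the service's XSD would follow this step on the accepted documents.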
Security - Transaction Privacy
Web Application Firewall
- Content encoding / compression: HTML compression, gzip
- SSL / TLS
XML Gateway
- Content encryption: XML-Encryption, WS-Security
- Content decryption: XML-Decryption, WS-Security
- HTML compression
- SHA-2 hash and Base64 encoding
- SSL / TLS
Security - Transaction Integrity
Web Application Firewall
- Session tracking: cookies, source/destination IPs
- HTTP RFC conformance
- HTML form parameter checking
- Cross-site scripting
- Cookie signing
XML Gateway
- Digital signature: XML-DSIG, OASIS WS-Security DSIG
- Signature verification
- X.509 path validation
- Schema validation: DTD, XSD, JSON
- HTTP RFC conformance
Identity - Identity and Access Control
Web Application Firewall
- Native identity integrations: AD, LDAP, RADIUS
- Protocol tokens: Basic, Digest, form POST, SSL X.509, NTLM, Kerberos
XML Gateway
- Identity integrations: AD, LDAP, SiteMinder, Tivoli AM, ClearTrust, Kerberos KDC, CoreID, JSAM, WS-Trust, XACML, OAuth
- Message-based tokens: WS-Username, WS-Kerberos, WS-X509, SAML, DSIG
- Protocol tokens: Basic, Digest, form POST, cookie, SSL X.509, REST URI, NTLM, Kerberos
- Credential translation: message-to-protocol, protocol-to-message
- SSO + federation: sessions, SAML, STS
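Credential translation is the gateway capability with no WAF counterpart on this slide, so here is a worked message-to-protocol case as an added example (written for this page, not Forum Systems' code). The inbound SOAP request carries a WS-Security UsernameToken with a PasswordDigest; the gateway checks the digest against an identity store, rejects replayed nonces and stale Created timestamps, strips the Security header, and forwards the body with an HTTP Basic credential for the back end. The identity store, the service account and the sample request are all constructed for the example; the namespace URIs and the digest formula Base64(SHA-1(nonce + created + password)) are those of the OASIS WSS UsernameToken Profile 1.0.

```python
"""WS-Security UsernameToken (PasswordDigest) in, HTTP Basic out.
Added example; identity store and service account are constructed."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

IDENTITY_STORE = {"alice": "alice-constructed-password"}   # stand-in for AD/LDAP
BACKEND_ACCOUNT = ("svc-gateway", "svc-constructed-secret")  # the gateway's own service account
BACKEND_AUTH_HEADER = "Basic " + base64.b64encode(":".join(BACKEND_ACCOUNT).encode()).decode()


def utc_timestamp(value: str) -> datetime:
    """Parse the wsu:Created form used here (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def build_request(user, password, nonce_b64, created, body_xml) -> bytes:
    """Client side: a constructed SOAP request carrying a digest token."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<soapenv:Header><wsse:Security><wsse:UsernameToken>'
        f'<wsse:Username>{user}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">'
        f'{password_digest(nonce_b64, created, password)}</wsse:Password>'
        f'<wsse:Nonce>{nonce_b64}</wsse:Nonce><wsu:Created>{created}</wsu:Created>'
        f'</wsse:UsernameToken></wsse:Security></soapenv:Header>'
        f'<soapenv:Body>{body_xml}</soapenv:Body></soapenv:Envelope>'
    ).encode()


def translate(envelope: bytes, replay_cache: set, now: datetime = None,
              max_age_s: int = 300) -> dict:
    """Gateway side: allow with outbound header and body, or deny with a reason."""
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError:
        return {"decision": "deny", "reason": "not well-formed"}
    header = root.find(f"{{{SOAP}}}Header")
    security = header.find(f"{{{WSSE}}}Security") if header is not None else None
    token = security.find(f"{{{WSSE}}}UsernameToken") if security is not None else None
    if token is None:
        return {"decision": "deny", "reason": "no UsernameToken"}
    user = token.findtext(f"{{{WSSE}}}Username") or ""
    pw = token.find(f"{{{WSSE}}}Password")
    nonce = token.findtext(f"{{{WSSE}}}Nonce") or ""
    created = token.findtext(f"{{{WSU}}}Created") or ""
    if pw is None or pw.get("Type") != DIGEST_TYPE or not nonce or not created:
        return {"decision": "deny", "reason": "digest token required"}
    if (user, nonce) in replay_cache:
        return {"decision": "deny", "reason": "nonce replayed"}
    try:
        created_at = utc_timestamp(created)
    except ValueError:
        return {"decision": "deny", "reason": "bad Created timestamp"}
    now = now or datetime.now(timezone.utc)
    if abs((now - created_at).total_seconds()) > max_age_s:
        return {"decision": "deny", "reason": "token expired"}
    # Compute a digest even for unknown users so the check takes the same time.
    password = IDENTITY_STORE.get(user, "")
    expected = password_digest(nonce, created, password)
    if not password or not hmac.compare_digest(expected.encode(), (pw.text or "").encode()):
        return {"decision": "deny", "reason": "authentication failed"}
    replay_cache.add((user, nonce))
    header.remove(security)  # the message token never crosses to the back end
    return {"decision": "allow", "user": user,
            "authorization": BACKEND_AUTH_HEADER, "body": ET.tostring(root)}


if __name__ == "__main__":
    req = build_request("alice", "alice-constructed-password", "c2FsdC0xMjM0NTY=",
                        "2024-01-01T00:00:00Z", "<getQuote><symbol>ABC</symbol></getQuote>")
    print(translate(req, set(), now=utc_timestamp("2024-01-01T00:01:00Z")))
```

The back end sees only the gateway's service account, so it needs no knowledge of the WS-Security vocabulary or of the user directory; the caller's identity is still available (the `user` field) for logging or for enrichment into the outbound message. The replay cache is an in-memory set here; a deployed gateway would bound it by the same window it applies to Created.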
Transaction Processing and Mediation - Processing and Workflow
Web Application Firewall
- Workflow management: allow/deny, URL rewrite, compression, content replacement
XML Gateway
- Workflow management: attribute mapping, archiving, content-based routing, database mapping, digital signatures, header and body identification, identity token conversion, enrichment, data aggregation, encryption, node conversion and encoding, transformation
Conclusion: WAF != XML Gateway; WAF + XML Gateway = Secure Architecture