Securely Managing and Exposing Web Services & Applications
Philip M Walston, VP Product Management, Layer 7 Technologies
Layer 7 SecureSpan Products
Suite of security and networking products to address the full spectrum of XML deployments:
- Service Oriented Architectures (SOA)
- Web 2.0 and Web Oriented Architectures (WOA)
- AJAX, REST, mainframe and non-SOAP applications
- ESB, Portal, B2B and Application Oriented Networking
XML Security and Networking Completes SOA Stack
SOA stack layers with the representative vendors from the slide's table:
- Development Tools & Application Servers: Microsoft.Net, IBM WebSphere, Oracle 10g, BEA WebLogic, JBoss Opensource, Eclipse, Parasoft, Sun
- Service Registry and Usage Policy: Systinet/HP, Infravio/SAG, Flashline, WebLayers, LogicLibrary, Microsoft, IBM, HP SOA Center
- Enterprise Service Bus: Sonic/Progress, IBM ESB, SAP Netweaver, Tibco, CapeClear, WebMethods/SAG, BEA Aqualogic, Oracle Fusion, Cordys, PolarLake
- Web Services Management: Amberpoint, SOA Software, Actional, Oracle WSM, CA WSDM, IBM Tivoli Cam, Blue Titan, Software AG
- XML Security & Networking Gateways: Layer 7, DataPower/IBM, Reactivity/Cisco, Vordel
Deployment Example: B2B Services
- Deployed as intermediary XML/WS service proxy
- Straddles security/trust boundaries
- Declarative message level security
- Assertion-based policy language
Diagram elements: Business Partners, External Firewall, SecureSpan XML Firewall Cluster in the DMZ, Internal Firewall, Service Endpoints (Secure Zone), Corporate Identity Server, SecureSpan Manager
SecureSpan Extensible Policy Framework
Access Control
- HTTP basic authentication
- HTTP digest authentication
- HTTP cookie authentication
- HTTP client-side certificate authentication
- WS-Security Username Token Basic
- WS-Security Signature
- Encrypted Username Token
- SAML Authentication
- WS-Trust credential exchange
- WS-Federation Passive Credential Request/Exchange
- XPath Credentials
- SAML Browser Artifact
- WSS Kerberos
Identity
- Identity in internal provider
- Identity in external LDAP provider
- Identity in external MS-AD provider
- Identity in CA SiteMinder
- Identity in Tivoli Access Manager
- Identity in RSA ClearTrust
- Identity in Sun Java Access Manager
- Identity in Tivoli Federated Identity Manager
- Identity in Microsoft ADFS
- Identity in Oracle Access Manager
Message Validation and Threat Protection
- Throughput quota
- Validate schema
- Evaluate Request / Response XPath
- Evaluate regular expression
- XSL Transformation
- Translate HTTP Form to MIME
- Translate HTTP Form from MIME
- WSI-BSP Compliance
- WSI-SAML Compliance
- WS-SecurityPolicy Compliance
- SQL Attack protection
- Request size limit
- Document structure threats
- Symantec virus scanning
XML Security
- Sign request
- Encrypt request
- Sign response
- Encrypt response
- Require timestamp in request
- Add signed timestamp to response
- Request and response signed timestamps
- Add signed security token to response
- WSS-Replay attack prevention
SecureSpan Extensible Policy Framework (Cont'd)
Message Routing
- Route to destination using HTTP(S)
- Route to destination using SecureSpan Bridge
- Route to destination using MQSeries / JMS
- Route to destination(s) based on availability
- Template Response
- Echo Response
Policy Logic
- Comment
- Comparison
- Evaluate logical OR
- Evaluate logical AND
- Continue processing
- Stop processing
- Set variable
Service Availability
- Time of day restrictions
- Source IP range restrictions
- Throughput quota
Logging and Auditing
- Audit assertion
- Audit detail assertion
- Send SNMP trap
- Send email message
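The following is an added example (not Layer 7 code) of what two of the framework's threat-protection assertions do before a request is routed: the request size limit and document structure checks, and WSS replay prevention with a timestamp-plus-nonce cache. The thresholds, the sample request and the nonce cache design are assumptions for the example.

```python
import io
import time
import xml.etree.ElementTree as ET

# Thresholds are assumed values for the example, not Layer 7 defaults.
MAX_BYTES, MAX_DEPTH, MAX_ELEMENTS = 64 * 1024, 32, 10_000

# Constructed sample request: small, shallow and well-formed, so it passes.
SAMPLE = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<s:Body><getQuote><symbol>L7</symbol></getQuote></s:Body></s:Envelope>')


def check_structure(xml_bytes: bytes) -> list:
    """Return the violations found; an empty list means the request passes."""
    if len(xml_bytes) > MAX_BYTES:           # cheapest check first, before parsing
        return ["request size %d exceeds limit %d" % (len(xml_bytes), MAX_BYTES)]
    problems = []
    if b"<!DOCTYPE" in xml_bytes:            # no DTDs: blocks entity-expansion tricks
        problems.append("DTD declaration present")
    depth = count = 0
    try:
        for event, _ in ET.iterparse(io.BytesIO(xml_bytes), events=("start", "end")):
            if event == "end":
                depth -= 1
                continue
            depth, count = depth + 1, count + 1
            if depth > MAX_DEPTH or count > MAX_ELEMENTS:
                problems.append("structure limit exceeded at element %d, depth %d" % (count, depth))
                break                        # stop parsing; do not process further
    except ET.ParseError as exc:
        problems.append("not well-formed: %s" % exc)
    return problems


class ReplayCache:
    """Rejects a WS-Security nonce seen before within the freshness window.
    Per-process state here; a gateway cluster must share it across nodes."""

    def __init__(self, window_seconds=300, now=time.time):
        self.window, self.now, self.seen = window_seconds, now, {}

    def accept(self, nonce: str, created: float) -> bool:
        now = self.now()
        if abs(now - created) > self.window:
            return False                     # stale or future-dated timestamp
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return False                     # replayed message
        self.seen[nonce] = created
        return True
```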
SecureSpan Manager
Gateway Scalability and Availability
- Horizontal scalability
- Replay attack prevention across the cluster
- Transparent replication of policy across the cluster
- Single point of management across cluster
Diagram: HTTP Load Balancer in front of the gateway cluster
Deployment Example: Government
- Layered trust zones with internal firewalls
- Defined security and access protocols
Diagram: Public Zone | Internal Firewall | Trusted Zone | Internal Firewall | Restricted Zone
Deployment Example: Government
- XML Firewalls straddle trust zones
- Gate access to applications
- Provide audit trail
Diagram: Public Zone | SecureSpan XML Firewall Cluster | Trusted Zone | SecureSpan XML Firewall Cluster | Restricted Zone
Deployment Example: ESB Co-Processor
- Security as service for ESB
- Signing, encryption
- Schema validation, transforms
Diagram: Enterprise Service Bus with a SecureSpan XML Accelerator Cluster
Deployment Example: Wide-Area Routing Fabric
Diagram: three Business Partners, each with SecureSpan Appliances, connected through a SecureSpan XML Networking Gateway Cluster
Case Study: Insurance Self-Service
Client Situation:
- Insurance company with relatively current infrastructure
- Wanted to extend self-service access to policy-related information to three audiences: internal CSRs, existing customers and prospects
- Stated advantage of being secure, auditable and scalable
- Access to information would be gated based on requestor entitlement and could involve confidential/personal information
The Scenario:
- Implemented centralized authentication / authorization gateway
- Based on use of existing identity management infrastructure
- Single solution serves Web customers, internal users and applications
- Need common security model: validation of authentication step, entitlement-based authorization, audit trail
Scenario 1: Internal Access to Application(s)
Diagram (Intranet Zone): Internal User -> SecureSpan XML Firewall (SOAP / HTTP(S)) -> Service Layer (SOAP / HTTP) -> HealthCare BackOffice App (S-API); XML Firewall consults LDAP
1. Internal user sends SOAP request to XML Firewall
2. XML Firewall authenticates specific user (or group) against internal LDAP
3. XML Firewall applies appropriate internal group or user policy and forwards to Service Layer
4. Service Layer forwards request to BackOffice application
Scenario 2: External Access to Personal Profile
Diagram: Specific User -> Frontend Application in the DMZ (Servlets / JSP, Tomcat; HTML / HTTP(S)) -> SecureSpan XML Firewall in the Intranet Zone (SOAP / HTTP(S)) -> Service Layer (SOAP / HTTP) -> HealthCare BackOffice App (S-API); XML Firewall consults LDAP
1. Specific user sends HTML request to web portal
2. Web portal authenticates user, forwards SOAP request and user identity via HTTP or HTTPS to XML Firewall
3. XML Firewall applies Personal Profile policy, grants access to profile operation and forwards to Service Layer
4. Service Layer formats request with user identity, forwards request to BackOffice application
Scenario 3: External Access to Policy Premium Calculator
Diagram: Anonymous User -> Frontend Application in the DMZ (Servlets / JSP, Tomcat; HTML / HTTP(S)) -> SecureSpan XML Firewall in the Intranet Zone (SOAP / HTTP(S)) -> Service Layer (SOAP / HTTP) -> HealthCare BackOffice App (S-API)
1. Anonymous user sends HTML request to web portal
2. Web portal forwards SOAP request via HTTP or HTTPS to XML Firewall
3. XML Firewall applies Anonymous policy, grants access to Premium Calculator and forwards to Service Layer
4. Service Layer forwards request to BackOffice application
Example Policy: One Policy Supports Three Scenarios
Policy branches: Internal Users; Validated External Users; Anon. External Users
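As an added illustration (not the vendor's policy language or code) of how one gateway policy can branch over the three scenarios above: the branch is chosen by what authenticated, the forwarded identity from the portal is honoured only when the portal itself authenticated, and every decision lands in an audit trail. The directory entries, portal account and operation names are assumptions for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the identity infrastructure (assumed names/values):
# the internal LDAP directory (user -> password, group) and the account the
# DMZ portal uses when it forwards requests to the gateway.
LDAP = {"alice": ("s3cret", "csr"), "bob": ("hunter2", "claims")}
PORTAL = {"portal-dmz": ("portal-pass", "portal")}

# One policy, three branches. Operation names are assumed, not from the slides.
POLICY = {
    "Internal": {"csr": {"GetPolicy", "GetProfile", "CalculatePremium"},
                 "claims": {"GetPolicy"}},
    "PersonalProfile": {"GetProfile"},
    "Anonymous": {"CalculatePremium"},
}
AUDIT = []   # audit trail: one entry per decision


@dataclass
class Request:
    operation: str
    user: Optional[str] = None            # HTTP basic credentials, if any
    password: Optional[str] = None
    forwarded_user: Optional[str] = None  # identity asserted by the portal (Scenario 2)
    profile_owner: Optional[str] = None   # profile the operation targets


def _valid(store: dict, user, password) -> bool:
    entry = store.get(user)
    return entry is not None and hmac.compare_digest(entry[0], password or "")


def decide(req: Request) -> tuple:
    """Return (policy branch, allowed) and record the decision in AUDIT."""
    if _valid(LDAP, req.user, req.password):                         # Scenario 1
        branch = "Internal"
        allowed = req.operation in POLICY[branch].get(LDAP[req.user][1], set())
    elif _valid(PORTAL, req.user, req.password) and req.forwarded_user:  # Scenario 2
        branch = "PersonalProfile"
        # The forwarded identity is trusted only because the portal authenticated,
        # and it may reach only its own profile.
        allowed = (req.operation in POLICY[branch]
                   and req.profile_owner == req.forwarded_user)
    elif req.user is None and req.forwarded_user is None:           # Scenario 3
        branch = "Anonymous"
        allowed = req.operation in POLICY[branch]
    else:                          # bad credentials, or an identity nobody vouched for
        branch, allowed = "Rejected", False
    AUDIT.append((branch, req.operation, req.user or req.forwarded_user, allowed))
    return branch, allowed
```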
Intermediary Deployment Model: Telecom
- Message level intermediary between services and requesters
Diagram: Internal Application Consumers and External Application Consumers on one side of the intermediary, Services on the other
Telecom Use Case: Security
- Validate XML is correctly structured before it is routed to services
- Guard against malicious code attacks
- Implement message level security including WS* and WS-I compliance
- Leverage existing identity, SSO and PKI infrastructures
Security requirements are defined by an administrator; policies become effective independently of the actual services.
Services shown: IPTV, SMS, MMS, Ringtones
Telecom Use Case: Service Virtualization
- Same service viewed differently for provisioning and for consumption purposes
- Each virtual version limits allowed operations based on requester
- Requests and responses can be transformed to accommodate older versions of clients
Diagram: Virtual Services (Service Provisioning, Service Consumption) in front of the Newer Version of the service
Telecom Use Case: Service Aggregation
- Provide requestors a single, unchanging interface to a set of services
- Use appliances to map virtual interface to real interfaces
- Have appliance handle associated routing, data transformation
Example flow through the Telecom Gateway (transparent aggregation of provider channels via channel provider connectors):
1. Browse available TV shows
2. Predefined XPath [s:body/tvs:browse/tvs:provider]
3. Choose endpoint based on XPath result
4. Transform request to comply with particular provider (XSLT)
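Added example (not the gateway's own configuration) of steps 2 to 4 above: evaluate the predefined XPath on the incoming SOAP request, pick the provider endpoint from the result, and rewrite the request into the provider's shape. The SOAP 1.1 envelope namespace is real (it spells the element s:Body); the tvs namespace, providers, endpoints and element names are constructed, and an ElementTree rewrite stands in for the XSLT step.

```python
import xml.etree.ElementTree as ET

# SOAP 1.1 envelope namespace is real; the "tvs" namespace and the providers,
# endpoints and element names below are constructed for this example.
NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/", "tvs": "urn:example:tvs"}
PROVIDERS = {   # provider -> (real endpoint, provider namespace, element it expects)
    "hbo": ("https://hbo.example/browse", "urn:example:hbo", "ListShows"),
    "cbc": ("https://cbc.example/catalog", "urn:example:cbc", "Catalogue"),
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed request against the virtual interface (step 1: browse TV shows).
SAMPLE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:tvs="urn:example:tvs"><s:Body><tvs:browse><tvs:provider>HBO</tvs:provider>
 <tvs:genre>drama</tvs:genre></tvs:browse></s:Body></s:Envelope>"""


def route(request_xml: str) -> tuple:
    """Steps 2-4: evaluate the XPath, pick the endpoint, transform the request.
    Returns (endpoint, transformed XML as a string)."""
    root = ET.fromstring(request_xml)
    # Step 2: the predefined XPath (SOAP 1.1 spells the element s:Body).
    provider = root.find("s:Body/tvs:browse/tvs:provider", NS)
    if provider is None or not (provider.text or "").strip():
        raise ValueError("request carries no provider element")
    # Step 3: the XPath result selects the real endpoint; unknown values are refused
    # rather than passed through, so the request can never name an arbitrary target.
    name = provider.text.strip().lower()
    if name not in PROVIDERS:
        raise ValueError("unknown provider %r" % name)
    endpoint, provider_ns, element = PROVIDERS[name]
    # Step 4: stand-in for the XSLT step: rename the virtual <browse> element to the
    # provider's own element and drop the routing-only <provider> child.
    browse = root.find("s:Body/tvs:browse", NS)
    browse.remove(provider)
    browse.tag = "{%s}%s" % (provider_ns, element)
    for child in browse:                    # children move to the provider namespace too
        child.tag = child.tag.replace("{%s}" % NS["tvs"], "{%s}" % provider_ns)
    return endpoint, ET.tostring(root, encoding="unicode")
```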
Telecom Use Case: SLA Enforcement
- Control service requests based on IP, time of day, requestor, etc.
- Centrally define and enforce SLA contracts for XML interactions
- Monitor / report message throughput and service performance metrics
Example flow through the Telecom Gateway (services: IPTV, SMS, MMS, Ringtones):
1. Define WS-Policy compliant SLA definition
2. Publish SLA Policy / Contract to UDDI
3. Enforce SLA Policy / Contract
Example contracts: Quincy gets 1 free TV show per month; Pascal gets unlimited SMS per month
The XML appliance shares parameters across service policies to enable virtual coordination.
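Added example (not Layer 7 code) of the enforcement step for the two contracts on the slide, Quincy's one free TV show per month and Pascal's unlimited SMS, together with the source-IP and time-of-day controls listed above. The usage counters sit in one table keyed by requester, service and month, which is what lets every service policy on the appliance see the same consumption; the IP ranges and service windows are assumed.

```python
import ipaddress
from datetime import datetime

# Constructed SLA contracts keyed by (requester, service). The two examples on the
# slide are Quincy (1 free TV show per month) and Pascal (unlimited SMS); the IP
# ranges and service windows are assumed. per_month=None means unlimited.
CONTRACTS = {
    ("quincy", "iptv"): {"per_month": 1, "cidr": "10.1.0.0/16", "hours": (0, 24)},
    ("pascal", "sms"): {"per_month": None, "cidr": "0.0.0.0/0", "hours": (8, 20)},
}


class SlaEnforcer:
    """Enforces the contracts. Counters are keyed by requester, service and month
    and live in one shared table (the slide's shared parameters), so every service
    policy on the appliance sees the same usage."""

    def __init__(self):
        self.counters = {}

    def check(self, requester: str, service: str, source_ip: str, when) -> tuple:
        """Return (allowed, reason); a successful check consumes one unit of quota.
        `when` is a datetime or an ISO 8601 string such as 2007-05-10T12:00:00."""
        when = datetime.fromisoformat(when) if isinstance(when, str) else when
        contract = CONTRACTS.get((requester, service))
        if contract is None:
            return False, "no SLA contract for %s on %s" % (requester, service)
        if ipaddress.ip_address(source_ip) not in ipaddress.ip_network(contract["cidr"]):
            return False, "source IP %s outside contract range" % source_ip
        start, end = contract["hours"]
        if not start <= when.hour < end:
            return False, "outside service window %02d:00-%02d:00" % (start, end)
        key = (requester, service, when.strftime("%Y-%m"))
        used = self.counters.get(key, 0)
        limit = contract["per_month"]
        if limit is not None and used >= limit:
            return False, "monthly quota of %d exhausted" % limit
        self.counters[key] = used + 1
        return True, "allowed (%d used this month)" % (used + 1)
```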
Some Observations
- XML Gateways / Firewalls provide an effective tool for enforcing security and controlling access to services
- The declarative, non-programmed model provides a great deal of flexibility
- Deployment patterns can be quite diverse: DMZ deployment, spanning trust zones, XML/WS co-processor
- Security policies tend to include some element of identity (IP address, UID/PWD, SSO or federation token), which requires some interaction with identity infrastructure
- Key standards are still evolving but include: WS-Policy, WS-SecurityPolicy, UDDI, SAML
Philip M Walston, VP Product Management, Layer 7 Technologies
+1.604.681.9377
pwalston@layer7tech.com