Securely Managing And Exposing Web Services & Applications

Transcription

Securely Managing and Exposing Web Services & Applications
Philip M Walston
VP Product Management
Layer 7 Technologies
June 2008

Layer 7 SecureSpan Products
Suite of security and networking products to address the full spectrum of XML deployments:
- Service Oriented Architectures (SOA)
- Web 2.0 and Web Oriented Architectures (WOA)
- AJAX, REST, mainframe and non-SOAP applications
- ESB, Portal, B2B and Application Oriented Networking
June 2008 Securely Managing and Exposing Web Services & Applications

XML Security and Networking Completes SOA Stack
SOA Stack columns: Development Tools & Application Servers | Service Registry and Usage Policy | Enterprise Service Bus | Web Services Management | XML Security & Networking Gateways
Vendors named on the slide: Microsoft .Net, Systinet/HP, Sonic/Progress, Amberpoint, Layer 7, IBM WebSphere, Infravio/SAG, IBM ESB, SOA Software, DataPower/IBM, Oracle 10g, Flashline, SAP Netweaver, Actional, Reactivity/Cisco, BEA WebLogic, WebLayers, Tibco, Oracle WSM, Vordel, JBoss Opensource, LogicLibrary, CapeClear, CA WSDM, Eclipse, Microsoft, WebMethods/SAG, IBM Tivoli Cam, Parasoft, IBM, BEA Aqualogic, Blue Titan, Sun, HP SOA Center, Oracle Fusion, Software AG, Cordys, PolarLake

Deployment Example – B2B Services
- Deployed as intermediary XML/WS service proxy
- Straddles security/trust boundaries
- Declarative message level security
- Assertion-based policy language
Diagram labels: Business Partners; External Firewall; DMZ; SecureSpan XML Firewall Cluster; SecureSpan Manager; Internal Firewall; Service Endpoints (Secure Zone); Corporate Identity Server

SecureSpan – Extensible Policy Framework

Access Control:
- HTTP basic authentication
- HTTP digest authentication
- HTTP cookie authentication
- HTTP client-side certificate authentication
- WS-Security Username Token Basic
- WS-Security Signature
- Encrypted Username Token
- SAML Authentication
- WS-Trust credential exchange
- WS-Federation Passive Credential Request/Exchange
- XPath Credentials
- SAML Browser Artifact
- WSS Kerberos
- Throughput quota

Message Validation and Threat Protection:
- Validate schema
- Evaluate Request / Response XPath
- Evaluate regular expression
- XSL Transformation
- Translate HTTP Form to MIME
- Translate HTTP Form from MIME
- WSI-BSP Compliance
- WSI-SAML Compliance
- WS-SecurityPolicy Compliance
- SQL Attack protection
- Request size limit
- Document structure threats
- Symantec virus scanning

Identity:
- internal provider
- external LDAP provider
- external MS-AD provider
- CA SiteMinder
- Tivoli Access Manager
- RSA ClearTrust
- Sun Java Access Manager
- Tivoli Federated Identity Manager
- Microsoft ADFS
- Oracle Access Manager

XML Security:
- Sign request
- Encrypt request
- Sign response
- Encrypt response
- Require timestamp in request
- Add signed timestamp to response
- Request and response signed timestamps
- Add signed security token to response
- WSS-Replay attack prevention

SecureSpan – Extensible Policy Framework Cont’d

Message Routing:
- Route to destination using HTTP(S)
- Route to destination using SecureSpan Bridge
- Route to destination using MQSeries / JMS
- Route to destination(s) based on availability
- Template Response
- Echo Response

Policy Logic:
- Comment
- Comparison
- Evaluate logical OR
- Evaluate logical AND
- Continue processing
- Stop processing
- Set variable

Service Availability:
- Time of day restrictions
- Source IP range restrictions
- Throughput quota

Logging and Auditing:
- Audit assertion
- Audit detail assertion
- Send SNMP trap
- Send email message

SecureSpan Manager

Gateway Scalability and Availability
- Horizontal scalability
- Replay attack prevention across the cluster
- HTTP Load Balancer
- Transparent replication of policy across the cluster
- Single point of management across cluster

Deployment Example – Government
- Layered trust zones with internal firewalls
- Defined security and access protocols
Diagram labels: Public Zone; Internal Firewall; Trusted Zone; Internal Firewall; Restricted Zone

Deployment Example – Government
- XML Firewalls “straddle” trust zones
- Gate access to applications
- Provide audit trail
Diagram labels: Public Zone; SecureSpan XML Firewall Cluster; Trusted Zone; SecureSpan XML Firewall Cluster; Restricted Zone

Deployment Example – ESB Co-Processor
- Security as service for ESB
- Signing, encryption
- Schema validation, transforms
Diagram labels: Enterprise Service Bus; SecureSpan XML Accelerator Cluster

Deployment Example - Wide-Area Routing Fabric
Diagram labels: SecureSpan XML Networking Gateway Cluster; Business Partner With SecureSpan Appliances (three partners shown)

Case Study – Insurance Self-Service

Client Situation:
- Insurance company with relatively current infrastructure
- Wanted to extend self-service access to policy-related information to three audiences – Internal CSRs, existing customers and prospects
- Stated advantage of being secure, auditable and scalable
- Access to information would be gated based on requestor entitlement and could involve confidential/personal information

The Scenario:
- Implemented centralized authentication / authorization gateway
- Based on use of existing identity management infrastructure
- Single solution serves Web customers, internal users and applications
- Need common security model
- Validation of authentication step
- Entitlement-based authorization
- Audit trail

Scenario 1 – Internal Access to Application(s)
Diagram labels: Intranet Zone; Internal User; LDAP; SecureSpan XML Firewall; ‘Service Layer’ S-API; HealthCare BackOffice App; SOAP / HTTP(S); SOAP / HTTP
1. Internal user sends SOAP request to XML Firewall
2. XML Firewall authenticates specific user (or group) against internal LDAP
3. XML Firewall applies appropriate internal group or user policy and forwards to Service Layer
4. Service Layer forwards request to BackOffice application

Scenario 2 – External Access to Personal Profile
Diagram labels: DMZ; Intranet Zone; Specific User; Servlets / JSP (Tomcat); LDAP; SecureSpan XML Firewall; ‘Service Layer’ S-API; HealthCare BackOffice App; HTML / HTTP; SOAP / HTTP(S); SOAP / HTTP
1. Specific user sends HTML request to web portal
2. Web portal authenticates user, forwards SOAP request and “User” identity via HTTP or HTTPS to XML Firewall
3. XML Firewall applies “Personal Profile” policy, grants access to profile operation and forwards to Service Layer
4. Service Layer formats request with user identity, forwards request to BackOffice application

Scenario 3 – External Access to Policy Premium Calculator
Diagram labels: DMZ; Intranet Zone; Anonymous User; Servlets / JSP (Tomcat); SecureSpan XML Firewall; ‘Service Layer’ S-API; HealthCare BackOffice App; HTML / HTTP; SOAP / HTTP(S); SOAP / HTTP
1. Anonymous user sends HTML request to web portal
2. Web portal forwards SOAP request via HTTP or HTTPS to XML Firewall
3. XML Firewall applies “Anonymous” policy, grants access to Premium Calculator and forwards to Service Layer
4. Service Layer forwards request to BackOffice application

Example Policy – One Policy Supports Three … External Users
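The three scenarios above are one gateway policy whose branches are tried as a logical OR: LDAP-authenticated internal users, portal-asserted customer identities, and anonymous callers each get a different set of permitted operations. The following is an added illustration, not Layer 7's policy language or code; the user directory, network ranges, operation names and the rule that a portal-asserted identity is only trusted from the portal's own DMZ addresses are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for the slide's identity infrastructure and network zones.
INTERNAL_USERS = {"csr.jane": "csr", "csr.omar": "csr"}   # internal LDAP user -> group
INTRANET = ipaddress.ip_network("10.0.0.0/8")              # Intranet Zone (Scenario 1)
PORTAL_HOSTS = ipaddress.ip_network("192.0.2.0/28")        # DMZ web portal (Scenarios 2, 3)

# Operations each branch may reach; constructed names, not the insurer's real S-API.
INTERNAL_OPS = {"GetPolicyDetails", "GetProfile", "UpdateProfile", "CalculatePremium"}
PROFILE_OPS = {"GetProfile", "UpdateProfile"}
ANONYMOUS_OPS = {"CalculatePremium"}


@dataclass
class Request:
    operation: str                      # SOAP operation named in the Body
    source_ip: str                      # address the XML Firewall saw the request from
    basic_user: Optional[str] = None    # HTTP basic credentials (Scenario 1)
    portal_user: Optional[str] = None   # "User" identity forwarded by the portal (Scenario 2)


def evaluate_policy(req: Request) -> Tuple[str, bool]:
    """Return (policy branch applied, allowed).

    Branches are evaluated in order as a logical OR: the first branch whose identity
    assertions hold decides the policy, and a request matching nothing is treated as
    anonymous, so any unknown or forged identity falls back to the least privilege.
    """
    ip = ipaddress.ip_address(req.source_ip)

    # Scenario 1: user authenticated against internal LDAP, and only from the intranet.
    if req.basic_user in INTERNAL_USERS and ip in INTRANET:
        group = INTERNAL_USERS[req.basic_user]
        return "Internal", group == "csr" and req.operation in INTERNAL_OPS

    # Scenario 2: the identity the portal asserts is trusted only when the request really
    # comes from the portal hosts in the DMZ; from anywhere else the header is ignored.
    if req.portal_user and ip in PORTAL_HOSTS:
        return "Personal Profile", req.operation in PROFILE_OPS

    # Scenario 3: everything else is anonymous and may only reach the premium calculator.
    return "Anonymous", req.operation in ANONYMOUS_OPS


if __name__ == "__main__":
    print(evaluate_policy(Request("GetProfile", "192.0.2.10", portal_user="cust42")))
```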

Intermediary Deployment Model - Telecom
Message level intermediary between services
Diagram labels: Application Consumers; Services

Telecom Use Case: Security
- Validate XML is correctly structured before it is routed to services
- Guard against malicious code attacks
- Implement message level security including WS* and WS-I compliance
- Leverage existing identity, SSO and PKI infrastructures
Diagram labels: Security requirements defined by an administrator; Policies become effective independently of the actual services; IPTV; SMS; MMS; Ringtones

Telecom Use Case: Service Virtualization
- Same service viewed differently for provisioning and for consumption purposes
- Each virtual version limits allowed operations based on Consumption
Diagram labels: Requests and responses can be transformed to accommodate older versions of clients; Newer Version

Telecom Use Case: Service Aggregation
- Provide requestors a single, unchanging interface to a set of services
- Use appliances to map virtual interface to real interfaces
- Have appliance handle associated routing, data transformation
Diagram (Telecom Gateway):
1. Browse available TV shows
2. Predefined xpath [s:Body/tvs:browse/tvs:provider]
3. Choose endpoint based on XPath result
4. Transform request to comply with particular provider (XSLT)
Labels: Transparent aggregation of provider channels; Channel provider connectors
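The aggregation steps above, as an added example that is not Layer 7's code: the gateway evaluates the slide's predefined XPath against the SOAP Body, picks the real endpoint from the result, and rewrites the virtual request into the provider's own form before routing. The tvs namespace URI, provider names and endpoints are constructed, an element rename stands in for the per-provider XSLT, and a request size limit and fail-closed handling of unknown providers are included because the deck lists both among the gateway's assertions.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Namespaces of the sample request; the "tvs" URI is a constructed placeholder.
NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "tvs": "urn:example:tv-browse",
}
PROVIDER_XPATH = "s:Body/tvs:browse/tvs:provider"   # the predefined XPath from the slide
MAX_REQUEST_BYTES = 64 * 1024                        # request size limit (constructed value)

# Constructed virtual-to-real mapping: provider value -> (real endpoint, element name the
# provider's own schema expects in place of the virtual <tvs:browse>).
ROUTES = {
    "acme-tv": ("https://acme.example.net/catalog", "{urn:example:acme}ListShows"),
    "globe-tv": ("https://globe.example.org/browse", "{urn:example:globe}Browse"),
}

# Constructed sample request from a consumer of the virtual interface.
SAMPLE_REQUEST = (
    "<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'><s:Body>"
    "<tvs:browse xmlns:tvs='urn:example:tv-browse'>"
    "<tvs:provider>acme-tv</tvs:provider><tvs:genre>news</tvs:genre>"
    "</tvs:browse></s:Body></s:Envelope>"
)


def route_browse_request(soap_xml: str) -> Tuple[str, str]:
    """Return (real endpoint, transformed request); raise ValueError to fail closed."""
    if len(soap_xml.encode("utf-8")) > MAX_REQUEST_BYTES:
        raise ValueError("request exceeds size limit")
    root = ET.fromstring(soap_xml)
    provider_el = root.find(PROVIDER_XPATH, NS)
    if provider_el is None or not (provider_el.text or "").strip():
        raise ValueError("provider element missing")
    provider = provider_el.text.strip()
    if provider not in ROUTES:          # no default route for an unrecognised provider
        raise ValueError(f"no route for provider {provider!r}")
    endpoint, real_tag = ROUTES[provider]
    browse_el = root.find("s:Body/tvs:browse", NS)
    browse_el.remove(provider_el)       # selector is gateway-only; the backend never sees it
    browse_el.tag = real_tag            # stand-in for the per-provider XSLT on the slide
    return endpoint, ET.tostring(root, encoding="unicode")


def backend_operation(soap_xml: str) -> str:
    """Qualified name of the first Body child, i.e. the operation the provider receives."""
    return ET.fromstring(soap_xml).find("s:Body", NS)[0].tag


def try_route(soap_xml: str) -> Optional[str]:
    """Endpoint for a routable request, None when the gateway would reject it."""
    try:
        return route_browse_request(soap_xml)[0]
    except ValueError:
        return None
```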

Telecom Use Case: SLA Enforcement
- Control service requests based on IP, time of day, requestor, etc.
- Centrally define and enforce SLA contracts for XML interactions
- Monitor / report message throughput and service performance metrics
Diagram (Telecom Gateway):
1. Define WS-Policy Compliant SLA Definition
2. Publish SLA Policy / Contract to UDDI
3. Enforce SLA Policy / Contract
Labels: Quincy; Pascal; Gets 1 free TV show per month; Gets unlimited SMS per month; IPTV; SMS; MMS; Ringtones
XML appliance shares parameters across service policies to enable virtual coordination.

Some Observations
- XML Gateways / Firewalls provide effective tool for enforcing security and controlling access to services
- The declarative, non-programmed model provides a great deal of flexibility
- Deployment patterns can be quite diverse
  - DMZ deployment
  - Spanning trust zones
  - XML/WS co-processor
- Security policies tend to include some element of identity
  - IP address, UID/PWD, SSO or federation token
  - Requires some interaction with identity infrastructure
- Key standards are still evolving but include: WS-Policy, WS-SecurityPolicy, UDDI, SAML

Philip M Walston
VP Product Management
Layer 7 Technologies
1.604.681.9377
pwalston@layer7tech.com
June 2008