Forum XWall and Oracle Application Server 10g

Transcription

1 Forum XWall and Oracle Application Server 10g technical white paper Forum Systems, Inc. BOSTON, MA 95 Sawyer Road, suite 110 Waltham, MA SALT LAKE CITY, UT 45 West South, suite 415 Sandy, UT TOLL FREE

2 Table of Contents FORUM SYSTEMS AND ORACLE APPLICATION SERVER 10g AUDIENCE CONTACT INFORMATION SCALABLE WEB SERVICES FULFILLMENT Oracle Application Server 10g Forum XWall Web Services Firewall Forum Sentry Web Services Security Gateway ORACLE APPLICATION SERVER 10g AND FORUM SYSTEMS INTEGRATION Oracle HTTP Server Oracle Application Server Web Services Oracle Internet Directory Oracle Application Server Certificate Authority FORUM XWALL XML INTRUSION PREVENTION Forum Complements Oracle Application Server 10g FORUM XWALL EXAMPLE USE-CASES Administration Deployment Options Government Requirements Support FORUM XWall AT NO CHARGE TO QUALIFIED ORACLE USERS ABOUT FORUM SYSTEMS Forum Systems Inc. Release Date: Spring

3 FORUM SYSTEMS AND ORACLE APPLICATION SERVER 10g Enterprises of all sizes are getting committed to Service Oriented Architectures (SOAs) and Web services. Web services will become the standard deployment model for internal-to-external, internal-tointernal and external-to-dmz strategic and tactical applications. Regardless of the specific application, enterprises must quickly identify the best-of-breed infrastructure that will enable the secure and scalable fulfillment of Web services to customers, partners, employees and service providers. The right choice in development tools, architecture frameworks, business processes, application servers and security networking infrastructures will be critical in the success of enterprise Web services. To ensure that deployed Web services do not pose business risk, deliver their return on investment and complement existing IT infrastructures, Forum Systems and Oracle have partnered to deliver a best-of-breed solution for Web services fulfillment. This includes the tools, technology and processes for the development through deployment life-cycle of enterprise Web services. Without doubt, the most significant impediment to Web services deployments is the consistent, managed and reliable implementation of Web services security. The Forum Systems suite of Web services security products builds upon the Oracle Application Server 10g to effectively secure Web services. AUDIENCE This paper is geared toward the developer, application architect, information security manager or network administrator that takes part in the development and deployment life-cycle of secure Web services applications. It introduces the Forum Systems suite of products as a complement to Oracle Application Server 10g delivering secure Web services. CONTACT INFORMATION For more information please contact: Walid Negm Vice President, Product Marketing Forum Systems, Inc. wnegm@forumsys.com WP-ASF-SE

4 SCALABLE WEB SERVICES FULFILLMENT Oracle Application Server 10g Oracle Application Server 10g is an application server that provides a comprehensive set of features built on the Java 2 Platform Enterprise Edition foundation. It includes extended scalability, systems management, Web services support, application integration and specific grid computing features. Forum Systems Forum Systems, Inc. is the leader in Web services security with a comprehensive suite of trust management and threat protection solutions for the Automated Web. Forum Systems flexible hardware, software and embedded products actively protect Web services from the network edge to the application server. Forum XWall Web Services Firewall Forum XWall is the industry s first Web Services Firewall equipped with XML intrusion prevention capabilities to protect enterprises against a new breed of networked threats including XML viruses, data-level invasions and denial of Web service attacks. Forum XWall ensures critical applications are appropriately accessible and continuously available by allowing network administrators to enforce perimeter policies that check the integrity of data and control access to exposed enterprise Web services. The following table illustrates the differences between Forum XWall and traditional firewalls: traditional firewalls web services firewall Objects Controlled Objective Firewall Objective Access Control Object Encryption Attack Protection IP addresses and ports, transport protocols (e.g. HTTP, FTP) and network packet flows Once filtered and authorized network packets can flow into the network Allow or deny packets across the network using rules such as source IP address and port Access control rules are defined using IP addresses, ports, protocols, and where the traffic is originating and destined Encryption is applied on the protocol stream such as SSL Recognize attacks on transport protocols Application URL s, Web services (e.g. operations and messages) and XML/SOAP message flows Once filtered and authorized Web services can flow into the network Allow or deny XML/SOAP messages across the network using rules such as access privileges to specific Web service operations Access control rules are defined using service requester identity and read/write/execute privileges on Web service operations Encryption is applied on entire messages or message elements Recognize attacks on Web service operations and message content 4

5 Forum Sentry Web Services Security Gateway Forum Sentry is a comprehensive Web Services Security Gateway that functions as a trusted intermediary for exchanging secure Web services between an enterprise and its business partners. Sentry enables enterprises to achieve a higher ROI through secure e-business process integration. Forum Sentry supports WS-Security with Digital Signatures, XML-Encryption, WS-Security Header and SAML. Forum Sentry also includes protocol gateway support for FTP, HTTP(S), Tibco Rendezvous and IBM WebSphere Message Queues. ORACLE APPLICATION SERVER 10g AND FORUM SYSTEMS INTEGRATION Oracle HTTP Server The Forum XWall Web Services Firewall provides proxy capability to intercept HTTP messages between a client and a back end web server. Security policies can be built to interpret the HTTP payloads and perform operations on the data stream between client and server (request), and between server and client (response). The Oracle HTTP Server s full support for HTTP(S), Basic Authentication and SOAP / XML messaging interoperates with Forum XWall s proxy mode deployment including HTTP with and without basic authentication and HTTPs with and with and without basic authentication. HTTPs interoperability includes SSL initiation and X.509 certificate path validation on the Oracle HTTP Server X.509 certificate. Oracle Application Server Web Services Oracle Application Server Web Services can be deployed and accessed through the Forum XWall Web Services Firewall using the Oracle Application Server generated client. Additionally, the Oracle Application Server WS client can be used to access Oracle Application Server Web Service through Forum XWall. Web Services and SOAP messages can be processed through XWall against the WS-I Basic Profile 1.0, SOAP validation, Archiving, XSLT Transformation, WS-Signature, WS-Encryption, WSDL Policy, and WSDL Access Control. The Forum XWall Web Services Firewall has full WSDL support to build security policies for the defined services, ports and operations of a published Web Service. The defined security policies can be applied to intercepted request and response messages in the Web Service SOAP message stream. Oracle Internet Directory The Oracle Internet Directory can be configured for users and groups that are subsequently imported into the Forum XWall for policy configuration. XWall uses LDAP for user and group management, X.509 certificate import, and Certificate Revocation List (CRL) retrieval. 5

6 Oracle Application Server Certificate Authority X.509 Certificates can be generated using the Oracle Application Server CA with PKCS#10 CSR requests which are generated by Forum XWall. The certificates are published to the Oracle Internet Directory and subsequently imported onto Forum XWall using the LDAP protocol. Security policies are built using Oracle CA X.509 certificates including SSL Authentication. All X.509 certificate revocation checking is performed using CRLs published to the Oracle Internet Directory from the Oracle CA. The following diagram illustrates the network architecture with the above components: high level invocation path 1. Forum intercepts in-bound request 2. Forum proxies request to Oracle Application Server 10g 3. Oracle Application Server 10g executes web service operation 4. Forum intercepts out-bound response 5. Forum proxies response to consumer 6

7 The following table lists the benefits of Forum XWall as an in-line policy enforcement server for Web services security: A. SSL Concentration Point Terminate (as well initiate) SSL with acceleration Mutual client and server authentication Hardened key storage and certificate management B. Bi-Directional XML Proxy Trusted and centralized policy enforcement Parse, inspect and validate messages XML Schema Validation SOAP attachments, WSDL, WS-I Basic Profile and SOAP filtering C. XML Intrusion Prevention WSDL-based protection to control accessibility to Web services Protect against XML-parser vulnerabilities Guard against XML-related attacks D. Transactional Authorization Fine-grained message-level access control Privileges to read/write/execute Web services operations FORUM XWALL XML INTRUSION PREVENTION An administrator would rely on Forum XWall to apply security checks on, for example, purchase order data flows that exceed a specific total amount. The administrator can configure granular rules that are more or less restrictive. For example, SOAP Header elements can be sanity checked as SOAP 1.1/1.2 documents. Constraint-based filtering applied to attributes of SOAP Body elements trap (allow/deny or quarantine) targeted document instances. Purchase order messages could also be blocked if they contain unrecognized, unapproved or forbidden data within the transport protocol (e.g. HTTP). If a breach is detected, such as message traffic rates have increased beyond a specific threshold, XML anomaly detection rules alert an administrator, quarantine requests and prevent further similar requests from entering the network. The administrator could also configure a policy to automatically trigger more restrictive rules processing such as XML Schema validation as a precautionary measure if, for example, risk levels are elevated. Forum XWall makes it simple for IT to manage and maximize the flow of Web services according to system resources and business priorities. 7

8 Forum Complements Oracle Application Server 10g Oracle Application Server 10g application developers and IT deployment can rely on Forum XWall and Forum Sentry to provide threat-side and trust-side Web services security including: DATA LEVEL NETWORKING Protocol Gateway HTTP (S) FTP Tibco/Rv IBM WebSphere MQ Routing/Quality of Service Message Transformation Transport Level Security SSL Encryption SSL X.509 Authentication HTTP Authentication Session Access Control Application Level Protection URI Virtualization URI Filtering URI Access Control WEB SERVICES SECURITY Threat Protection Web Service Cloaking Message Filtering Message Validation Service Access Control XML Intrusion Prevention Rules Trust Services WS-Security Authentication WS-Security Identity Mgmt / Access Control WS-Security Federation/Trust WS-Security Encryption Message Archiving Compliance FIPS Level III HSM JITC DoD PKI Certification WS-I Basic Profile Enforcement MANAGEMENT & ADMINISTRATION Policy Management Roles based access control WSDL Authoring Model Policy Variability Control Rules-driven policies Deployment In-Line Policy Enforcement Shared Service Global Device Management Software, Appliance, PCI-Blade Enterprise Security Infrastructure Integration Hardened Security Hardware Acceleration FIPS Level III HSM DoD PKI Certification Secure Operating Environment 8

9 FORUM XWall EXAMPLE USE-CASES The Forum XWall administrator has the flexibility to configure any number of content security processing rules as well as associated action rules. Together, these rules make up a comprehensive Web services security policy within Forum XWall. Processing rules identify and control access to specific web services requests and responses, and include deep content filtering, web services access management and XML intrusion prevention rules. A. DEEP CONTENT FILTERING Inspect and Validate Content This phase allows the administrator to rapidly sanitize data flows for unwanted or forbidden messages, or to target specific messages for further content security processing: i. Auto-validation, compliance and conformance (WS-I Basic Profile, XML 1.0, SOAP 1.1/1.2, SOAP w/attachments, WSDL Types) ii. XML Schema Validation iii. Regular Expression Matching iv. XPath Query B. WEB SERVICES ACCESS MANAGEMENT Provision and Authorize Messages This phase allows the administrator to control which requesters have appropriate read/write/execute permissions on exposed Web services. This phase allows the administrator to go beyond session access control to set fine-grained, message-level access control privileges: i. SSL X.509 Authentication ii. HTTP Basic Authentication iii. Service provisioning (deploy, activate, deactivate) iv. Session, service-, operation- and message-level access control C. XML INTRUSION PREVENTION Prevent against XML-related Threats This phase allows the administrator to trap malicious or hazardous content and requests from reaching the application. This phase also allows the administrator to prevent specific attack possibilities and protect against well-known Web services threats: i. Pre-defined detection settings ii. Preventative countermeasure settings Action rules control the passage of message instances in and out of the network and include the following self-descriptive rules that apply to identified or targeted message instances: Log and continue data flow Log and halt data flow Allow message Deny message Deny by default data flow Block message Stealth Block message Quarantine message Alert Notification Throttle data flow 9

10 Administration All Forum products share an enterprise-class management interface that offers advanced, easeof-use capabilities that simplify the complexities of configuring, monitoring and deploying security policies for XML encryption, authentication, access control, schema validation and XML Intrusion Prevention. The management scheme is based on distributed policy management architecture with a policy creation console, policy storage/server, policy decision point and policy enforcement point. These components operate as one integrated proxy server at the edge of the network. However, there will be instances when policies may be stored within a third-party s systems management environment. Forum XWall supports this type of model which leverages existing infrastructure investment. Forum Systems products can be configured using three interfaces: Command Line Interface Web-based Administration SOAP Web Services The administration is based on roles and responsibilities and can be performed on a single product/ multiple product instance(s) for global management. The global management capability enables a policy profile to be replicated (with or without customization) across a distributed cluster of product instances. The administration can be delegated to third party products such as Web services management, Identify Management and Access Control or traditional Systems Management products using third-party agent software resident on the product instances and a SOAP Web services API. Deployment Options All Forum products are available in three form factors: software, PCI card and hardware appliance. Forum XWall is a Web services firewall proxy that provides inbound and outbound processing of Web services traffic deployed in front of or behind the network firewall as a proxy or in-line gateway. Forum Sentry is a Web services security gateway that provides inbound and outbound processing of Web services traffic deployed in front or behind the network firewall as a proxy, inline gateway or an adjunct network service. The Sentry application transport protocol support includes HTTP(S), FTP, Tibco Rendezvous and IBM WebSphere MQ. The in-line network configuration is a physical bridge between two networks to create a single entry and exit point for all traffic. The shared-service mode allows Sentry to respond as a co-processor where the calling application can request (in-process) the Forum product to perform a specific operation, such as Digitally Sign a SOAP message. The API is HTTP-based with centralized policies controlling the action to be performed. 10

11 Forum XWall should be on a different host than the Application Server for effective XML threat mitigation. XML Intrusions prevention consumes CPU cycles as the system processes malicious messages. Forum XWall on a separate host such as an appliance or on a PCI card maintains Application Server performance. The following diagram illustrates three physical deployment options: The following diagram illustrates a high availability deployment scenario: front end destination virtual IP 1:443 cisco CS 1150 series layer 4.7 content switch back end destination: virtual IP 2:80 soa 1 firewall ids 1 VIP 1 F1:443 F2:443 F3:443 3 VIP 2 SOA1:80 SOA2:80 SOA3:80 l2 switch 4 soa 2 soa 3 Recommended Deployment Architecture with a Load Balancer Single Load balancer for in-bound and outbound traffic Forum Systems terminates and initiates SSL Architecture scales horizontally ssl F1 initiation / termination ssl F2 initiation / termination 2 ssl F3 initiation / termination Example Traffic Flow Scenario: 1. SSL connection arrives at VIP 1 2. VIP 1 request gets redirected to the least loaded Forum Appliance e.g. F2 3. Forum Appliance F2 terminates SSL, performs content security processing and forwards the request to VIP 2 which sends request to least loaded Application Server e.g. SOA 3 4. SOA 3 responds back to the Forum Appliance requested session. 11

12 Government Requirements Support Forum Systems supports the following key government requirements: DoD PKI Certification - The Forum Sentry 1504G appliance has met 100% of the requirements of the Department of Defense Class 3 Public Key Infrastructure Public Key-Enabled Application Requirements, version July 2000 in the following areas: Retrieving Certificates, Importing Keys and Certificates, Storing Trust Points, Verifying Communication Protocols, Checking Certificate Status, Path Development and Processing, Application Configuration and Application Documentation. Integrated FIPS Compliance - The Forum Systems Appliance contains an integrated Hardware Security Module (HSM) that is FIPS Level III validated. The HSM provides all sensitive cryptographic operations and hardware key storage for both SSL operations and WS-Security operations. Digital Signatures - Digital Signatures are digital codes that can be attached to an electronic transmission or document that uniquely identifies the sender. Forum Systems enables Digital Signatures that are essential to secure transmission of content over intranets or the Internet. Public Key Infrastructure (PKI) Enablement - PKI employs a two-step approach to protect the security of communications and business transactions on the Internet. A PKI enabled application must be able to support and work within a Public Key Infrastructure. Federal Enterprise Architecture (FEA) - The FEA is an initiative of the federal government whose framework is designed to improve communication flow and efficiency via integration of disparate systems. It will also enhance cost savings through reuse of technology and components. Transaction Archive - A Transaction Archive is a repository for recording the history of XML and non-xml transactions and storing them in an external database. Government agencies must continuously record and audit their mission-critical electronic business transactions to support regular security reviews of all programs and systems. By archiving XML transactions and other content, it is possible to analyze security breaches, maximize operational performance and maintain regulatory compliance. FORUM XWALL SOFTWARE DOWNLOAD Thank you for your interest in Forum XWall Web Services Firewall. To obtain your FREE TRIAL software please complete the request form located at: 12

13 ABOUT FORUM SYSTEMS, INC. Forum Systems, Inc. is the leader in Web services security with a comprehensive suite of trust management and threat protection solutions for the automated web. Forum Systems hardware, software and embedded products actively protect Web services from the networks edge to the application server. Forum Systems products are winners of Network Computing Magazine s Editor s Choice Award for 2003, Network Magazine s Product of the Year 2003 Award, DEMO 2004 Innovation and finalist for Network Computing Magazine s 2003 and 2004 Well-Connected Awards. Products: Forum Sentry is a comprehensive Web Services Security Gateway that functions as a trusted intermediary for exchanging secure Web services between an enterprise and its business partners. Sentry enables enterprises to achieve a higher ROI through secure e-business process integration. Forum Presidio is a comprehensive secure content exchange platform that allows enterprises to immediately comply with Government privacy regulations using a low cost and easy to manage centralized solution. Presidio can be used as a legacy-to-xml security bridge for a smooth migration to XML Web Services. Forum XWall is the industry s first Web Services Firewall equipped with XML intrusion prevention capabilities to protect enterprises against a new breed of networked threats including XML viruses, data-level invasions and denial of Web service attacks. XWall ensures critical applications are appropriately accessible and continuously available by allowing network administrators to enforce perimeter policies that check the integrity of data and control access to exposed enterprise Web services. Forum FIA (Federal Information Assurance Gateway) actively guard s information as it moves between and within federal agencies for secure information sharing. Forum FIA meets 100% of the DoD s PKI interoperability testing including FIPS Level III Validation Forum Systems, Inc. All right reserved. 13