Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Similar documents
Forum XWall and Oracle Application Server 10g

Pulse Secure Application Delivery

Configuring BIG-IP ASM v12.1 Application Security Manager

Cisco ACE30 Application Control Engine Module

What is New in Cisco ACE 4710 Application Control Engine Software Release 3.1

APPLICATION ACCESS MANAGEMENT (AAM)

Addressing Security, Governance and Performance Issues with an XML Gateway as part of a Service Oriented Architecture. Vic Morris CEO Vordel

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Guide to Deploying NetScaler as an Active Directory Federation Services Proxy

SAML-Based SSO Solution

SAML-Based SSO Solution

How Cisco IT Improves Commerce User Experience by Securely Sharing Internal Business Services with Partners

White paper. Keys to Oracle application acceleration: advances in delivery systems.

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Firewalls for Secure Unified Communications

DenyAll Protect. accelerating. Web Application & Services Firewalls. your applications. DenyAll Protect

Cisco Service-Oriented Network Architecture: Support and Optimize SOA and Web 2.0 Applications

PCI DSS Compliance. White Paper Parallels Remote Application Server

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Seven Criteria for a Sound Investment in WAN Optimization

Solutions Business Manager Web Application Security Assessment

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Citrix NetScaler AppFirewall and Web App Security Service

Enterprise SOA Experience Workshop. Module 8: Operating an enterprise SOA Landscape

Using the Terminal Services Gateway Lesson 10

Deployment Scenarios for Standalone Content Engines

1Y Citrix NetScaler 12 Essentials and Traffic Management. vmexam.com Exam Summary Syllabus Questions

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Open XML Gateway User Guide. CORISECIO GmbH - Uhlandstr Darmstadt - Germany -

Build application-centric data centers to meet modern business user needs

Cisco Wide Area Application Services: Secure, Scalable, and Simple Central Management

Configuring Virtual Servers

Identity-Enabled Web Services

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Technical Overview. Access control lists define the users, groups, and roles that can access content as well as the operations that can be performed.

Citrix NetScaler 10.5 Essentials for ACE Migration (CNS-208)

Using IBM DataPower as the ESB appliance, this provides the following benefits:

DreamFactory Security Guide

Web Application Firewall for Web Environments

Factsheet of Public Services Infrastructure (PSi) Updated on: 1st Sep 03

describe the functions of Windows Communication Foundation describe the features of the Windows Workflow Foundation solution

Brocade Application Delivery

NetScaler for Apps and Desktops CNS-222; 5 Days; Instructor-led

The Top 6 WAF Essentials to Achieve Application Security Efficacy

Unified Access Gateway Double DMZ Deployment for Horizon. Technical Note 04 DEC 2018 Unified Access Gateway 3.4

INFORMATION EXCHANGE GATEWAYS: REFERENCE ARCHITECTURE

CO Java EE 7: Back-End Server Application Development

Project and Portfolio Management Center

IBM Tivoli Directory Server

NetScaler 2048-bit SSL Performance

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

HPE Project and Portfolio Management Center

SteelGate Overview. Manage perimeter security and network traffic to ensure operational efficiency, and optimal Quality of Service (QoS)

Author: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0

GOING WHERE NO WAFS HAVE GONE BEFORE

Novell Access Manager

WebSphere Application Server, Version 5. What s New?

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

Oracle 10g Application Server Suite Deployment with Cisco Application Control Engine Deployment Guide, Version 1.0

Locking down a Hitachi ID Suite server

ORACLE ENTERPRISE COMMUNICATIONS BROKER

Quick Start Access Manager 3.1 SP5 January 2013

OpenIAM Identity and Access Manager Technical Architecture Overview

HP S1500 SSL Appliance. Product overview. Key features. Data sheet

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Axway Validation Authority Suite

Brocade Application Delivery

Web Application Penetration Testing

Implementing a Ground Service- Oriented Architecture (SOA) March 28, 2006

A (sample) computerized system for publishing the daily currency exchange rates

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

AppDirector and AppXcel With Oracle Application Server 10g Release 3 ( ) - Oracle SOA Suite Enterprise Deployment

Business White Paper IDENTITY AND SECURITY. Access Manager. Novell. Comprehensive Access Management for the Enterprise

WEB-APIs DRIVING DIGITAL INNOVATION

Maximum Security, Zero Compromise in Availability and Performance

TIBCO Cloud Integration Security Overview

Configuring SSL Security

CNS-207-2I Implementing Citrix NetScaler 10.5 for App and Desktop Solutions

HP Instant Support Enterprise Edition (ISEE) Security overview

Fundamentals of Windows Server 2008 Network and Applications Infrastructure

CISCO IT DEPARTMENT DEPLOYS INNOVATIVE CISCO APPLICATION- ORIENTED NETWORKING SOLUTION

Siebel CRM. Siebel Security Hardening Guide Siebel Innovation Pack 2015 E

App Gateway Deployment Guide

SOA: Challenges and Solutions

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Certified Secure Web Application Secure Development Checklist

Enhancing Exchange Mobile Device Security with the F5 BIG-IP Platform

XenApp 5 Security Standards and Deployment Scenarios

Introduction to the Cisco ANM Web Services API

Network Security Essentials

Fundamentals of Network Security v1.1 Scope and Sequence

Oracle E-Business Suite 11i with Cisco ACE Series Application Control Engine Deployment Guide, Version 1.0

Web Services in Cincom VisualWorks. WHITE PAPER Cincom In-depth Analysis and Review

Application Firewalls

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

The DNS. Application Proxies. Circuit Gateways. Personal and Distributed Firewalls The Problems with Firewalls

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Cloud, SDN and BIGIQ. Philippe Bogaerts Senior Field Systems Engineer

Transcription:

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Applying Application Delivery Technology to Web Services Overview The Cisco ACE XML Gateway is the newest technology in the Cisco application network services products. This document explains how to take advantage of the integrated functions of the Cisco ACE Application Switch and Cisco ACE XML Gateway to maximize availability, performance, and security of SOAP and XML (Extensible Markup Language) web services. Challenge As enterprises continue to migrate to service-oriented architectures based on web services, a major challenge is making sure that those services are highly available, meet performance requirements, and are secure from threats at the XML level. Because web services are deep in the network stack, addressing this challenge requires a solution that is fluent in XML and SOAP and that is also highly available and provides optimized HTTP-based application access. The wide variety of technologies used to implement web services compound this challenge, making coordination of security policies across the enterprise difficult. In addition, XML requires more processing power to implement security than other, lower-level protocols do. These challenges make an exclusively software solution impractical and mandate a network infrastructure solution. Business Benefits By using a Cisco ACE Application Switch, either the Cisco ACE Module or the Cisco ACE 4710 Appliance, for Layer 4 to 7 load balancing and optimization and a Cisco ACE XML Gateway for XML processing within the Layer 7 payload, you can achieve the following benefits: Accelerate and optimize access to web services applications: The Cisco ACE Application Switch plus Cisco ACE XML Gateway solution enables acceleration features such as Secure Sockets Layer (SSL) offload, HTTP 1.1 session reuse and multiplexing, and XML transformation and schema validation. Secure access to web services applications: The solution combines the TCP/IP normalization and HTTP RFC compliance functions of Cisco ACE with the industry-leading XML threat-defense capabilities of the Cisco ACE XML Gateway to provide protection from attacks at all levels of the network stack, Layers 4 to 7 and above. One-source solution for XML acceleration, availability, and security needs: Cisco is the only vendor that provides a complete solution. Use of your Cisco ACE investment to meet your web application, web services, and other network protocol needs: Virtualization in the Cisco ACE helps ensure that denial-of-service (DoS) attacks or traffic storms in browser-based applications do not affect your missioncritical web services, without requiring you to invest in separate infrastructure. Combined Cisco ACE Application Switch and Cisco ACE XML Gateway Solution All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 5

Figure 1 shows a Cisco ACE Application Switch and Cisco ACE XML Gateway deployed in a combined configuration. Figure 1. Cisco ACE Application Switch and Cisco ACE XML Gateway Deployment In this example, a set of web services providers, using application server technologies such as Java 2 Platform Enterprise Edition (J2EE) or.net, or packaged applications such as those from SAP or Oracle, are exposing web services to be used by a set of web services consumers connecting over a WAN. The consumers generate SOAP requests and send them using HTTP or HTTPS. The Cisco ACE Application Switch and Cisco ACE XML Gateway provide the acceleration, security, and availability functions to ensure that the consumers and providers can communicate. The following sections describe two possible deployment scenarios in this environment: one in which the Cisco ACE Application Switch terminates SSL on behalf of the client, and one in which the Cisco ACE XML Gateway terminates SSL. Either scenario will provide an effective and secure solution, keeping the contents of messages between service consumers and providers private as they cross the WAN. The choice of which to use depends on your application s specific requirements. The configuration of both scenarios is simplified by the integration between the Cisco ACE Application Switch and Cisco ACE XML Gateway. The Web-based user interface for the Cisco ACE XML Gateway allows you to configure both the Layer 7 XML security policy and the Layers 4 through 7 load-balancing and application delivery features of the Cisco ACE Application Switch. Cisco is the only vendor providing a complete solution with integrated management. Other scenarios are possible as well; contact your Cisco representative for more information. In both scenarios, the Cisco ACE Application Switch monitors the availability of both the Cisco ACE XML Gateways and the service providers. In the case of a device failure or overload, the Cisco ACE Application Switch can redirect requests to the remaining devices. Integration with Cisco Global Site Selector (GSS) Software also enables cross-site failover and load balancing for either the Cisco ACE XML Gateways or the web service providers in an integrated package. All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 2 of 5

Terminating SSL on the Cisco ACE XML Gateway In this scenario, shown in Figure 2, the web services clients generate an SSL request to the virtual IP address (VIP) exposed on the Cisco ACE Application Switch (connection 1). After defending against attacks at the TCP/IP layer in the request, the Cisco ACE Application Switch makes a load-balancing decision about which Cisco ACE XML Gateway to forward the request to, on the basis of your configured policy and the state of the individual Cisco ACE XML Gateways (connection 2). Because this forwarding occurs at Layer 4, the Cisco ACE XML Gateway has full access to the SSL client certificate. This allows the XML Gateway to perform strong authentication of the client, first by validating the certificate was signed by a trusted certificate authority, and then by querying an identity store such as Lightweight Directory Access Protocol (LDAP) to authorize that client s access to the requested services. Figure 2. Scenario 1: Terminating SSL on the Cisco ACE XML Gateway Because web services applications often involve repeated messages between consumers and providers, SSL must be optimized to take advantage of session reuse, allowing the consumer to send a new request to the application without the need for a full SSL connection negotiation. The Cisco ACE Application Switch monitors the session identifiers negotiated between the service consumer and the Cisco ACE XML Gateway and ensures that repeated SSL connections with the same session identifier are always directed to the same Cisco ACE XML Gateway. The Cisco ACE XML Gateway also performs threat defense on the incoming request, looking for attacks at the SOAP layer that are opaque to most network devices. These attacks include general application attacks such as Structured Query Language (SQL) injection and buffer overflow as well as XML-based attacks such as entity expansion and overly recursive documents. Because the Cisco ACE XML Gateway understands XML natively, it can thwart attempts to use entity encoding or packet fragmentation to bypass threat defense. After authenticating the client and determining that the message is not malicious, the Cisco ACE XML Gateway initiates a new connection to a second VIP exposed on the Cisco ACE Application Switch that faces the web service providers (connection 3). Because the Cisco ACE XML Gateway acts as a full proxy, it can perform HTTP multiplexing, handling simultaneous requests from hundreds or thousands of web services consumers and limiting the connection load on individual web service providers. It can also throttle the number of messages sent to each provider, protecting them from out-of-memory and overload conditions. All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 3 of 5

Terminating SSL on the Cisco ACE Application Switch In an alternative implementation, shown in Figure 3, the architecture can be set up so that SSL is terminated at the Cisco ACE Application Switch instead of at the Cisco ACE XML Gateway. In this case, the Cisco ACE Application Switch makes a Layer 7 load-balancing decision, negotiating the SSL session with the client directly (connection 1) and then forwarding the HTTP request to the Cisco ACE XML Gateway unencrypted (connection 2). The Cisco ACE XML Gateway continues to perform its threat defense and HTTP 1.1 multiplexing of the request back to the web service providers (connection 3). This approach allows you to consolidate all SSL server certificates for both XML- and browser-based applications in a single device, especially useful in situations where the web service is public or authenticated using a password instead of an SSL client certificate. The approach can also be useful in situations where Web Services Security (WS-Security) signatures and encryption are in use, reserving the cryptographic capacity of the Cisco ACE XML Gateway for message-level security. Figure 3. Scenario 2: Terminating SSL on the Cisco ACE Application Switch Because the Cisco ACE Application Switch can examine the HTTP headers to make its routing decision, it can also handle applications that combine XML and browser-based access. Such a combination is an increasingly important part of Web 2.0 Asynchronous JavaScript and XML (AJAX) based applications, where HTML, XML, and JavaScript are used together to provide a rich, interactive application experience to users. The Cisco ACE Application Switch can forward XML-formatted requests, based on the requested URL or the content type of the request, to the Cisco ACE XML Gateway for XML-specific processing. This processing may include message transformation, allowing browsers to access rich, SOAP-based web services from the service providers. Intelligent Networking The combination of the Cisco ACE Application Switch and the Cisco ACE XML Gateway is a critical infrastructure component of a service-oriented networking architecture (SONA), combining high availability and HTTP acceleration with XML-specific security and optimization. As XML becomes the default encoding for all business data, the capability to handle it natively within the network will become a distinct competitive advantage for those enterprises that want to increase the agility of their IT infrastructure. All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 4 of 5

Why Cisco? Cisco is the only vendor that offers a combined solution for web application and web services security and optimization. The Cisco ACE Application Switch and the Cisco ACE XML Gateway have been proven in the marketplace by Fortune 100 enterprises wanting to secure web services handling billions of dollars in transactions, from financial services, to consumer media, to manufacturing. The integration of the Cisco ACE XML Gateway with the Cisco ACE product line makes Cisco the leading vendor of application delivery solutions at Layers 4 to 7 of the network stack and above. For More Information To learn more about the Cisco ACE Application Switch and the Cisco ACE XML Gateway, visit: http://www.cisco.com/go/ace. Printed in USA C22-416510-01 01/08 All contents are Copyright 1992 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 5 of 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback