Addressing Security, Governance and Performance Issues with an XML Gateway as part of a Service Oriented Architecture
Vic Morris, CEO, Vordel
Service Oriented Architecture
- Simple projects implement lightweight application integration
- Platform approach allows applications to be aligned with business processes
- Extensive use of XML messaging
[Diagram labels: XML Network Management; Tightly-coupled Systems; Tactical XML-based integration; Full Services Oriented Architecture]
BeInGrid Barcelona 2008 Page 2
Requirements for SOA and XML-based integration
> Remove processing bottlenecks
> Apply AAA to SOA
> Centrally manage policies
> Conditional routing and transformation
> Defend against threats
> Gain visibility on service usage
[Diagram labels: Monitoring, Performance, Security, Governance, Access Control, XML Networking, Policy Control]
Addressing the Infrastructure Bottleneck
Addressing the requirements for XML-based integration and SOA
[Diagram: Network Firewall, Web App Firewall, XML Firewalls and XML Gateways placed in the DMZ and the Application Oriented Network, between Partners, Suppliers and Customers on one side and Application Servers, Legacy Systems, Databases and Queues on the other]
XML Firewall: XML Screening, Threat Prevention, SSL Termination, Authentication
XML Gateway: XML Acceleration, Application Offload, Identity Integration, Protocol Mediation, Data Transformation, Content Aware Routing, plus all the XML Firewall features
Vordel Products
- Vordel XML Firewall: threat protection for XML applications from malicious attack and unauthorized access
- Vordel XML Gateway: application level networking; XML offload with data transformation, routing and acceleration
- Vordel Policy Director: centralized policy creation and management for networks of XML firewalls and gateways
- Vordel Reporter: full visibility reporting on Web Service usage metrics
- Vordel SOAPbox: Web Services test tool for XML applications
The Vordel Governance Solution
Design Time Governance
- Vordel Policy Studio to create policies
- Vordel Policy Director to store policies
  > Stores policies in a centralised store or Registry
  > Staging of policies
- Vordel SOAPbox to test new policies
Run Time Governance
- Vordel XML Firewall to protect the perimeter
  > Policy enforcement
  > Service discovery
- Vordel XML Gateway to protect the network
  > Policy enforcement
  > Service discovery
- Vordel Reporter
  > Comprehensive usage reports
  > Compliance reports
Vordel 5 Deployment Platforms
Software
> Solaris
> Linux
> Windows
Appliance
> Deployed in the network as a network device to offload XML processing
> XML performance acceleration and optimisation
> Hardened appliance with FIPS-compliant cryptographic acceleration and hardware security module key storage
> Dual power supplies and RAID dual disks for reliability
> VX4000 built on a standard hardware platform for ease of maintenance
Case Studies: The role of XML Gateways in Telecoms
- Case Study 1: 911 Emergency Services [USA]
- Case Study 2: Mobile Telecoms Service Delivery Platform (SDP) [Brazil]
- Case Study 3: De-regulation [Canada]
- Case Study 4: Managing IPTV [Italy]
911 Emergency Services [USA]
- The 911 Service Provider provides outsourced emergency telephone services to both fixed-line and VoIP providers, including Verizon and Vonage
- Customer information is fed to the 911 service provider using XML. The XML messages include:
  - Name
  - Address
  - Preferred First Language
  - Current location
- When the customer dials 911, this information is provided to the emergency services [police, fire, ambulance]
- The 911 Service Provider receives a regular feed of this customer information. Feeds may contain millions of individual customer details
911 Emergency Services [USA]
- XML processing was placing a heavy load on their application servers
- The customer initially built their own XML Gateway, but it was too slow and could not be managed
- Large volumes of XML traffic would drastically slow down their Web Services (running on Oracle Application Server 10g)
- When the client didn't receive an immediate response, it would resend the SOAP message. The message re-sends compounded the problem
  - They were being DoS'ed by their own customers! [DoS = Denial of Service]
XML Message Flooding
- Java code on the Oracle Application Server was validating the incoming XML and authenticating the sender
- Unfortunately, it ran slowly and would fall over under stress
Solution Architecture
[Diagram labels: Failover; Development, Staging, and Production; heavy XML processing offloaded from the app server]
Solution: XML Offload
Vordel's XML Gateway takes the XML heavy-lifting off the app server
Before (all on the application server):
- Read XML into memory
- Check XML is well-formed
- Validate against a Schema
- Transform XML using XSLT
- Perform Business Logic
After, offloaded onto the XML Gateway:
- Read XML into memory
- Check XML is well-formed
- Validate against a Schema
- Transform XML using XSLT
After, remaining on the application server:
- Perform Business Logic
Solution Benefits
- Message retries are automatically detected and throttled
- Responses are cached so that retries do not have to touch the application server
- XML is validated and screened for threats before it reaches the application server
- Security policies are now in the hands of Operations staff
- Policies are no longer baked into code at the application server
- Policies can be backed up, updated, rolled back, archived
- A full evidential (signed) audit trail is provided
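The offload and retry handling described in the XML Offload and Solution Benefits slides, as an added example written for this page rather than code from Vordel or the 911 provider. It puts a small gateway in front of a constructed stand-in for the application server: each request is checked for well-formedness and required fields before it is forwarded, the response is cached under a fingerprint of the request bytes, and retransmissions of the same message are answered from the cache and then throttled once a per-message limit is exceeded. The element names (CustomerFeed, Customer, PreferredFirstLanguage, CurrentLocation), the 429 throttle code and the limits are assumptions chosen for the example; the structural check stands in for the XSD validation the slide describes.

```python
import hashlib
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Required child elements of each customer record. Names are assumptions that
# mirror the fields listed on the slide, not the provider's real schema.
REQUIRED_FIELDS = ("Name", "Address", "PreferredFirstLanguage", "CurrentLocation")


@dataclass
class GatewayStats:
    forwarded: int = 0   # requests that actually reached the application server
    replayed: int = 0    # retries answered from the response cache
    throttled: int = 0   # retries dropped after the per-message retry limit
    rejected: int = 0    # malformed or structurally invalid XML stopped here


class XmlOffloadGateway:
    def __init__(self, backend, ttl_seconds=30, max_retries=3, clock=time.monotonic):
        self.backend = backend          # callable(root) -> response string
        self.ttl = ttl_seconds          # how long a cached response is served
        self.max_retries = max_retries  # retries served before throttling
        self.clock = clock
        self.cache = {}                 # fingerprint -> (expiry, response, retries)
        self.stats = GatewayStats()

    @staticmethod
    def fingerprint(raw: bytes) -> str:
        # Identical retransmissions hash identically; a WS-Addressing MessageID
        # would be a better key where the client supplies one.
        return hashlib.sha256(raw).hexdigest()

    @staticmethod
    def validate(raw: bytes):
        # Step 1: well-formedness. ParseError means the message never gets forwarded.
        try:
            root = ET.fromstring(raw)
        except ET.ParseError as exc:
            return None, f"not well-formed: {exc}"
        # Step 2: structural validation (stand-in for schema validation).
        if root.tag != "CustomerFeed":
            return None, f"unexpected root element {root.tag}"
        for record in root.iter("Customer"):
            for name in REQUIRED_FIELDS:
                child = record.find(name)
                if child is None or not (child.text or "").strip():
                    return None, f"customer record missing {name}"
        return root, None

    def handle(self, raw: bytes):
        now = self.clock()
        fp = self.fingerprint(raw)
        entry = self.cache.get(fp)
        if entry is not None and entry[0] > now:
            expiry, response, retries = entry
            retries += 1
            self.cache[fp] = (expiry, response, retries)
            if retries > self.max_retries:
                self.stats.throttled += 1
                return 429, "retry limit exceeded; original response already sent"
            self.stats.replayed += 1           # retry never touches the backend
            return 200, response
        root, err = self.validate(raw)
        if err:
            self.stats.rejected += 1
            return 400, err
        response = self.backend(root)          # only validated XML reaches the app server
        self.stats.forwarded += 1
        self.cache[fp] = (now + self.ttl, response, 0)
        return 200, response


def application_server(root):
    # Constructed stand-in for the Oracle Application Server business logic.
    return f"loaded {len(root.findall('Customer'))} customer records"


# Constructed sample feed with one customer record.
SAMPLE_FEED = b"""<CustomerFeed>
  <Customer>
    <Name>A. Example</Name>
    <Address>1 Example Street</Address>
    <PreferredFirstLanguage>en</PreferredFirstLanguage>
    <CurrentLocation>Example City</CurrentLocation>
  </Customer>
</CustomerFeed>"""


def demo():
    gw = XmlOffloadGateway(application_server, ttl_seconds=30, max_retries=2)
    # The client "did not get an immediate response" and resent three times.
    results = [gw.handle(SAMPLE_FEED) for _ in range(4)]
    malformed = gw.handle(b"<CustomerFeed><Customer><Name>x</Name></Customer>")
    incomplete = gw.handle(b"<CustomerFeed><Customer><Name>x</Name></Customer></CustomerFeed>")
    return results, malformed, incomplete, gw.stats


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Only one request reaches the stand-in backend: two retries are replayed from the cache, the third is throttled, and neither the truncated message nor the well-formed message lacking an Address is ever forwarded.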
Case Study 2: Service Delivery Platform
- Vordel's products are an integral component of the Ericsson Service Delivery Platform, which uses XML to link telecoms systems together
- Parlay-X is the XML standard used
- Required validation of the Parlay-X traffic
- Required lookup of subscriber information from databases, and the on-the-fly population of subscriber data into XML fields
Solution Architecture
[Diagram only]
Solution benefit: XML Enrichment
Before: everything on the application server
- Read XML into memory
- Look up customer in LDAP directory
- Look up customer info in database
- Operate based on customer info
After: XML enrichment happens at the XML Gateway
Offloaded onto XML Gateway:
- Read XML into memory
- Enrich XML with customer data from directory
- Enrich XML with customer data from database
- Passed to application server
Application server:
- Operate based on customer info
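The enrichment step above, as an added example that is not Vordel's or Ericsson's code. A SOAP request is parsed at the gateway, the subscriber address in the body is looked up first in a constructed stand-in for the LDAP directory and then in a constructed stand-in for the subscriber database, and the results are written into new XML elements before the message is passed on. The request namespace (urn:example:parlayx:sms), the enrichment namespace (urn:example:gateway:enrichment), the element names and the sample subscriber are all assumptions made for the example, not Parlay-X definitions. A subscriber unknown to either store is rejected at the gateway, so the application server never operates on a half-enriched message.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
PX_NS = "urn:example:parlayx:sms"             # constructed, not a Parlay-X namespace
ENRICH_NS = "urn:example:gateway:enrichment"  # constructed namespace for added fields
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("px", PX_NS)
ET.register_namespace("gw", ENRICH_NS)

# Constructed stand-ins for the LDAP directory (keyed by tel URI) and the
# subscriber database (keyed by the uid the directory returns).
DIRECTORY = {"tel:+5511900000001": {"cn": "Subscriber One", "uid": "sub-0001"}}
DATABASE = {"sub-0001": {"plan": "prepaid", "credit_limit_brl": "50.00"}}


class UnknownSubscriber(Exception):
    """Raised when the directory or the database has no record for the caller."""


def enrich_request(raw: bytes):
    """Return (enriched XML bytes, dict of the fields that were added)."""
    root = ET.fromstring(raw)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("SOAP Body missing or empty")
    operation = body[0]
    addr_el = operation.find(f"{{{PX_NS}}}address")
    if addr_el is None or not (addr_el.text or "").strip():
        raise ValueError("request carries no subscriber address")
    address = addr_el.text.strip()

    # Lookup 1: directory, to resolve the address to a subscriber identity.
    dir_entry = DIRECTORY.get(address)
    if dir_entry is None:
        raise UnknownSubscriber(address)
    # Lookup 2: database, to fetch the account data keyed by that identity.
    db_row = DATABASE.get(dir_entry["uid"])
    if db_row is None:
        raise UnknownSubscriber(dir_entry["uid"])

    # Populate the enrichment fields into the XML on the fly.
    added = {
        "uid": dir_entry["uid"],
        "name": dir_entry["cn"],
        "plan": db_row["plan"],
        "creditLimit": db_row["credit_limit_brl"],
    }
    subscriber = ET.SubElement(operation, f"{{{ENRICH_NS}}}subscriber")
    for name, value in added.items():
        ET.SubElement(subscriber, f"{{{ENRICH_NS}}}{name}").text = value
    return ET.tostring(root, encoding="utf-8"), added


# Constructed sample request in the shape of a Parlay-X style SMS call.
SAMPLE_REQUEST = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:px="urn:example:parlayx:sms">
  <soapenv:Body>
    <px:sendSms>
      <px:address>tel:+5511900000001</px:address>
      <px:message>Hello</px:message>
    </px:sendSms>
  </soapenv:Body>
</soapenv:Envelope>"""


def demo():
    enriched, fields = enrich_request(SAMPLE_REQUEST)
    # A caller the directory does not know must be rejected, not forwarded.
    try:
        enrich_request(SAMPLE_REQUEST.replace(b"+5511900000001", b"+5511900000002"))
        unknown_rejected = False
    except UnknownSubscriber:
        unknown_rejected = True
    return enriched, fields, unknown_rejected


if __name__ == "__main__":
    enriched, fields, unknown_rejected = demo()
    print(enriched.decode())
    print(fields, unknown_rejected)
```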
Case Study 3: De-regulation [Canada]
- Largest Canadian telecommunications company provides connectivity to residential and business customers
- Must provide an interface to CLECs (Competitive Local Exchange Carriers) in a deregulated telecoms environment
- They had an existing Web portal which enables CLECs to access information using a Web browser, but they wanted automated B2B access using XML
- 500,000 portal users, with an additional 5,000 users being added monthly
- Launch of new B2B XML Web Services, alongside the portal, to allow larger customers and partners to integrate their back office systems directly into the telecom provider's own systems
- Vordel products integrated with Web SSO (Entrust) and Enterprise AV (McAfee)
Deployment: De-regulation [Canada]
[Diagram only]
Case Study 4: IPTV [Italy]
- Large Italian mobile telco trialing IPTV services
- XML messages are used to order IPTV programmes and clips
- XML Gateways process incoming XML messages which contain credit card details, co-marketing codes (for partners), and details of requested TV programmes
- The XML Gateway allows the credit card data to be selectively encrypted using XML Encryption
- XML data is validated against Schemas and is scanned for threats
- Integration into CA SiteMinder ensures that all traffic is authenticated and authorised
Requirement for Identity Federation
- SiteMinder is used for all authentication and authorization at the telco side
- At the client side, SiteMinder is usually not present, but a directory such as Active Directory usually is
- The customer decided to use a Security Token Service (STS) to issue SAML tokens at the client side, and these are passed to the XML Gateway at the telco side. This allows for Identity Federation to occur
- The same end-user may have a different identity at the telco side compared to their identity at the client side. This requires the XML Gateway to perform identity mapping
- At the telco side, the user is logged into a SiteMinder session based on their identity at the telco
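The identity mapping step described above, as an added example that is not Vordel's code or the telco's configuration. The gateway parses a SAML 2.0 assertion issued by the client-side STS, accepts it only if its Issuer is on a trust list, its Conditions window covers the current time and its AudienceRestriction names this gateway, and then maps the client-side NameID to the telco-side identity under which a SiteMinder session would be created. The STS issuer URL, the audience, the mapping table, the sample assertion and the clock values are constructed for the example. Checking the assertion's XML Signature against the STS certificate is left to a caller-supplied hook, shown here as a constructed stand-in that accepts everything; the SAML assertion namespace is the real one.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed trust configuration: which STS the telco gateway believes, and
# which audience value the STS must have addressed the token to.
TRUSTED_ISSUERS = {"https://sts.client.example"}
EXPECTED_AUDIENCE = "https://gateway.telco.example"

# Constructed identity map: (issuer, client-side NameID) -> telco-side identity.
IDENTITY_MAP = {
    ("https://sts.client.example", "jsmith@client.example"): "telco-user-48213",
}


class FederationError(Exception):
    """Any reason the assertion must not result in a telco-side session."""


def _parse_time(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def map_federated_identity(assertion_xml: bytes, now: datetime, signature_ok) -> str:
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise FederationError("not a SAML 2.0 assertion")
    # Signature check is delegated; a real deployment verifies the XML Signature
    # against the STS certificate before trusting any field below.
    if not signature_ok(root):
        raise FederationError("assertion signature invalid")

    issuer = (root.findtext(f"{{{SAML_NS}}}Issuer") or "").strip()
    if issuer not in TRUSTED_ISSUERS:
        raise FederationError(f"untrusted issuer {issuer!r}")

    conditions = root.find(f"{{{SAML_NS}}}Conditions")
    if conditions is None:
        raise FederationError("assertion has no Conditions")
    not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        raise FederationError("Conditions lack a validity window")
    if not (_parse_time(not_before) <= now < _parse_time(not_on_or_after)):
        raise FederationError("assertion outside its validity window")
    audiences = [a.text.strip() for a in conditions.iter(f"{{{SAML_NS}}}Audience") if a.text]
    if EXPECTED_AUDIENCE not in audiences:
        raise FederationError("assertion not addressed to this gateway")

    name_id = root.findtext(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    if not name_id or not name_id.strip():
        raise FederationError("assertion has no Subject NameID")
    # Identity mapping: the client-side identity becomes the telco-side identity.
    telco_identity = IDENTITY_MAP.get((issuer, name_id.strip()))
    if telco_identity is None:
        raise FederationError(f"no telco identity mapped for {name_id.strip()!r}")
    return telco_identity


# Constructed sample assertion as the client-side STS might issue it.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2008-06-01T12:00:00Z">
  <saml:Issuer>https://sts.client.example</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jsmith@client.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2008-06-01T12:00:00Z" NotOnOrAfter="2008-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://gateway.telco.example</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def demo():
    def accept_any_signature(_root):
        return True   # constructed stand-in for real XML Signature verification

    in_window = datetime(2008, 6, 1, 12, 1, tzinfo=timezone.utc)
    outcomes = {"mapped": map_federated_identity(SAMPLE_ASSERTION, in_window, accept_any_signature)}
    cases = [
        ("expired", SAMPLE_ASSERTION, datetime(2008, 6, 1, 12, 10, tzinfo=timezone.utc)),
        ("untrusted_issuer", SAMPLE_ASSERTION.replace(b"sts.client.example", b"sts.other.example"), in_window),
        ("unmapped_user", SAMPLE_ASSERTION.replace(b"jsmith@", b"nobody@"), in_window),
    ]
    for label, xml, when in cases:
        try:
            map_federated_identity(xml, when, accept_any_signature)
            outcomes[label] = "accepted"
        except FederationError:
            outcomes[label] = "rejected"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The mapping is keyed on the issuer as well as the NameID, so the same user name asserted by a different STS cannot land in another subscriber's telco-side session.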
Case Study 4: IPTV with identity federation
[Diagram only]