Addressing Security, Governance and Performance Issues with an XML Gateway as part of a Service Oriented Architecture. Vic Morris CEO Vordel


Service Oriented Architecture (evolution diagram)
- Tightly-coupled systems
- Tactical XML-based integration: simple projects implement lightweight application integration
- Full Service Oriented Architecture: a platform approach allows applications to be aligned with business processes, with extensive use of XML messaging and XML network management
BeInGrid Barcelona 2008, Page 2

Requirements for SOA and XML-based integration
> Remove processing bottlenecks
> Apply AAA to SOA
> Centrally manage policies
> Conditional routing and transformation
> Defend against threats
> Gain visibility on service usage
Requirement areas: Monitoring, Performance, Security, Governance, Access Control, XML Networking, Policy Control

Addressing the Infrastructure Bottleneck
Addressing the requirements for XML-based integration and SOA (architecture diagram)
- DMZ: partners, suppliers and customers arrive through a network firewall, XML firewalls and a web application firewall
- Application-oriented network: XML gateways sit in front of the application servers, legacy systems, databases and queues
XML Firewall: XML screening, threat prevention, SSL termination, authentication
XML Gateway: XML acceleration, application offload, identity integration, protocol mediation, data transformation, content-aware routing, plus all the XML Firewall features

Vordel Products
- Vordel XML Firewall: threat protection for XML applications from malicious attack and unauthorized access
- Vordel XML Gateway: application-level networking; XML offload with data transformation, routing and acceleration
- Vordel Policy Director: centralized policy creation and management for networks of XML firewalls and gateways
- Vordel Reporter: reporting of Web Services metrics; full visibility reporting on Web Service usage
- Vordel SOAPbox: testing for XML applications; Web Services test tool

The Vordel Governance Solution
Design Time Governance
- Vordel Policy Studio to create policies
- Vordel Policy Director to store policies
  > Stores policies in a centralised store or registry
  > Staging of policies
- Vordel SOAPbox to test new policies
Run Time Governance
- Vordel XML Firewall to protect the perimeter
  > Policy enforcement
  > Service discovery
- Vordel XML Gateway to protect the network
  > Policy enforcement
  > Service discovery
- Vordel Reporter
  > Comprehensive usage reports
  > Compliance reports

Vordel 5 Deployment Platforms
Software
> Solaris
> Linux
> Windows
Appliance
> Deployed in the network as a network device to offload XML processing
> XML performance acceleration and optimisation
> Hardened appliance with FIPS-compliant cryptographic acceleration and hardware security module key storage
> Dual power supplies and RAID dual disks for reliability
> VX4000 built on a standard hardware platform for ease of maintenance

Case Studies: The role of XML Gateways in Telecoms
- Case Study 1: 911 Emergency Services [USA]
- Case Study 2: Mobile Telecoms Service Delivery Platform (SDP) [Brazil]
- Case Study 3: De-regulation [Canada]
- Case Study 4: Managing IPTV [Italy]

911 Emergency Services [USA]
- The 911 service provider provides outsourced emergency telephone services to both fixed-line and VoIP providers, including Verizon and Vonage.
- Customer information is fed to the 911 service provider using XML. The XML messages include:
  - Name
  - Address
  - Preferred first language
  - Current location
- When the customer dials 911, this information is provided to the emergency services [police, fire, ambulance].
- The 911 service provider receives a regular feed of this customer information. Feeds may contain millions of individual customer details.

911 Emergency Services [USA]
- XML processing was placing a heavy load on their application servers.
- The customer initially built their own XML Gateway, but it was too slow and could not be managed.
- Large volumes of XML traffic would drastically slow down their Web Services (running on Oracle Application Server 10g).
- When the client didn't receive an immediate response, it would resend the SOAP message. The message re-sends compounded the problem.
  - They were being DoS'ed by their own customers! [DoS = Denial of Service]

XML Message Flooding
- Java code on the Oracle Application Server was validating the incoming XML and authenticating the sender. Unfortunately, it ran slowly and would fall over under stress.

Solution Architecture (diagram)
- Failover
- Development, staging and production environments
- Heavy XML processing offloaded from the application server

Solution: XML Offload
Vordel's XML Gateway takes the XML heavy-lifting off the application server.
Before (all on the application server):
- Read XML into memory
- Check XML is well-formed
- Validate against a schema
- Transform XML using XSLT
- Perform business logic
After:
- Read XML into memory
- Check XML is well-formed
- Validate against a schema
- Transform XML using XSLT
  (these four steps offloaded onto the XML Gateway)
- Perform business logic (remains on the application server)

Solution Benefits
- Message retries are automatically detected and throttled.
- Responses are cached so that retries do not have to touch the application server.
- XML is validated and screened for threats before it reaches the application server.
- Security policies are now in the hands of operations staff; policies are no longer baked into code at the application server.
- Policies can be backed up, updated, rolled back and archived.
- A full evidential (signed) audit trail is provided.
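The retry-storm problem from the 911 case study (slides 10 to 14) comes down to three gateway behaviours: reject malformed or off-schema XML before it reaches the application server, recognise a resent message and answer it from cache, and throttle a client that keeps resending. The following added example, written for this page and not Vordel's code, shows those three behaviours in one small Python gateway. The `<Customer>` record, the hand-coded required-field list standing in for an XML Schema, the fixed clock and the `app_server` stub are all constructed for the demonstration.

```python
import hashlib
import time
import xml.etree.ElementTree as ET

# Constructed stand-in for the XML Schema: the child elements a <Customer>
# record must carry (the standard library has no XSD validator, so the
# structural check is coded by hand here).
REQUIRED_FIELDS = ("Name", "Address", "PreferredLanguage", "Location")

RETRY_WINDOW_SECONDS = 60   # how long a cached response is replayed to retries
MAX_RETRIES = 3             # retries of one message tolerated inside the window


class XmlGateway:
    """Sits in front of the application server: screens XML, replays cached
    responses to retries and throttles clients that keep resending."""

    def __init__(self, backend, clock=time.time):
        self.backend = backend          # callable(root) -> response string
        self.clock = clock
        self.cache = {}                 # digest -> (response, time first seen)
        self.retries = {}               # digest -> retries seen in the window
        self.backend_calls = 0

    @staticmethod
    def digest(raw):
        # Identical bytes resent by a client hash to the same key.
        return hashlib.sha256(raw).hexdigest()

    def screen(self, raw):
        """Well-formedness and schema-style checks; returns (root, error)."""
        try:
            root = ET.fromstring(raw)
        except ET.ParseError as exc:
            return None, f"rejected: not well-formed ({exc})"
        if root.tag != "Customer":
            return None, f"rejected: unexpected root element <{root.tag}>"
        missing = [f for f in REQUIRED_FIELDS if root.find(f) is None]
        if missing:
            return None, "rejected: missing " + ", ".join(missing)
        return root, None

    def handle(self, raw):
        key = self.digest(raw)
        now = self.clock()
        cached = self.cache.get(key)
        if cached is not None and now - cached[1] < RETRY_WINDOW_SECONDS:
            # A retry: count it and answer from cache, never from the backend.
            count = self.retries.get(key, 0) + 1
            self.retries[key] = count
            if count > MAX_RETRIES:
                return "throttled: retry limit exceeded"
            return cached[0]
        root, error = self.screen(raw)
        if error is not None:
            return error                # bad XML never reaches the backend
        self.backend_calls += 1
        response = self.backend(root)
        self.cache[key] = (response, now)
        self.retries.pop(key, None)
        return response


# Constructed sample feed record and a stand-in for the application server.
SAMPLE_RECORD = (
    b"<Customer><Name>A. Subscriber</Name><Address>1 Main St</Address>"
    b"<PreferredLanguage>en</PreferredLanguage><Location>Hall A</Location>"
    b"</Customer>"
)
MALFORMED_RECORD = b"<Customer><Name>A. Subscriber</Name>"


def app_server(root):
    return "stored " + root.findtext("Name")


def demo(clock=lambda: 1000.0):
    """Replays one record the way a client that resends would, then sends a
    truncated record; returns the gateway's answers and the backend call count."""
    gw = XmlGateway(app_server, clock=clock)
    answers = [gw.handle(SAMPLE_RECORD) for _ in range(5)]
    answers.append(gw.handle(MALFORMED_RECORD))
    return answers, gw.backend_calls


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Five identical sends reach the backend once: the first is processed, the next three are answered from cache, the fifth is throttled, and the truncated record is rejected at the gateway. The well-formedness check relies on `xml.etree`, which is a parser rather than a hardened screener; a production gateway also bounds message size, nesting depth and entity expansion before parsing.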

Case Study 2: Service Delivery Platform
- Vordel's products are an integral component of the Ericsson Service Delivery Platform, which uses XML to link telecoms systems together.
- Parlay-X is the XML standard used.
- Required validation of the Parlay-X traffic.
- Required lookup of subscriber information from databases, and the on-the-fly population of subscriber data into XML fields.

Solution Architecture (diagram)

Solution benefit: XML Enrichment
Before: everything on the application server
- Read XML into memory
- Look up customer in LDAP directory
- Look up customer info in database
- Operate based on customer info
After: XML enrichment happens at the XML Gateway
- Enrich XML with customer data from directory (offloaded onto XML Gateway)
- Enrich XML with customer data from database (offloaded onto XML Gateway)
- Passed to application server
- Read XML into memory
- Operate based on customer info
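To make the "after" flow concrete, the following added example (written for this page, not the Ericsson or Vordel implementation) performs the two enrichment lookups at the gateway and hands the application server an XML message that already carries the subscriber data. The request element names, the in-memory `DIRECTORY` and `DATABASE` dictionaries standing in for LDAP and the subscriber database, and the `SubscriberInfo` block are all constructed; they are not the Parlay-X schema.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for the LDAP directory and the subscriber database;
# a real gateway would query those systems over LDAP and a database driver.
DIRECTORY = {
    "5511999990001": {"cn": "Ana Silva", "ou": "prepaid"},
}
DATABASE = {
    "5511999990001": {"plan": "PRE-20", "credit": "12.50"},
}

# Constructed request: element names are illustrative, not the Parlay-X schema.
SAMPLE_REQUEST = (
    "<SendSmsRequest>"
    "<Subscriber>5511999990001</Subscriber>"
    "<Message>Welcome</Message>"
    "</SendSmsRequest>"
)


def enrich(raw, directory=DIRECTORY, database=DATABASE):
    """Populate subscriber data into the XML before it reaches the app server.

    Raises LookupError when the subscriber is unknown, so the message is
    rejected at the gateway rather than forwarded half-enriched."""
    root = ET.fromstring(raw)
    subscriber = root.findtext("Subscriber")
    if not subscriber or not subscriber.strip():
        raise ValueError("request carries no Subscriber element")
    key = subscriber.strip()
    dir_rec = directory.get(key)
    db_rec = database.get(key)
    if dir_rec is None or db_rec is None:
        raise LookupError(f"subscriber {key} not found in directory/database")
    # Both lookups are done here; the application server never touches
    # the directory or the database for this message.
    info = ET.SubElement(root, "SubscriberInfo")
    ET.SubElement(info, "DisplayName").text = dir_rec["cn"]
    ET.SubElement(info, "Segment").text = dir_rec["ou"]
    ET.SubElement(info, "Plan").text = db_rec["plan"]
    ET.SubElement(info, "Credit").text = db_rec["credit"]
    return ET.tostring(root, encoding="unicode")


def app_server_view(enriched):
    """What the application server now reads: the enrichment fields as a
    dict, obtained from the message alone."""
    root = ET.fromstring(enriched)
    info = root.find("SubscriberInfo")
    if info is None:
        raise ValueError("message was not enriched")
    return {child.tag: child.text for child in info}


if __name__ == "__main__":
    print(enrich(SAMPLE_REQUEST))
```

Rejecting an unknown subscriber at the gateway, rather than forwarding a message with empty enrichment fields, keeps the application server's "operate based on customer info" step from ever running on missing data.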

Case Study 3: De-regulation [Canada]
- The largest Canadian telecommunications company provides connectivity to residential and business customers.
- Must provide an interface to CLECs (Competitive Local Exchange Carriers) in a deregulated telecoms environment.
- They had an existing Web portal which enables CLECs to access information using a Web browser, but they wanted automated B2B access using XML.
- 500,000 portal users, with an additional 5,000 users being added monthly.
- Launch of new B2B XML Web Services, alongside the portal, to allow larger customers and partners to integrate their back-office systems directly into the telecom provider's own systems.
- Vordel products integrated with Web SSO (Entrust) and enterprise AV (McAfee).

Deployment: De-regulation [Canada] (diagram)

Case Study 4: IPTV [Italy]
- Large Italian mobile telco trialling IPTV services.
- XML messages are used to order IPTV programmes and clips.
- XML Gateways process incoming XML messages which contain credit card details, co-marketing codes (for partners), and details of requested TV programmes.
- The XML Gateway allows the credit card data to be selectively encrypted using XML Encryption.
- XML data is validated against schemas and is scanned for threats.
- Integration into CA SiteMinder ensures that all traffic is authenticated and authorised.

Requirement for Identity Federation
- SiteMinder is used for all authentication and authorisation at the telco side.
- At the client side, SiteMinder is usually not present, but a directory such as Active Directory usually is.
- The customer decided to use a Security Token Service (STS) to issue SAML tokens at the client side; these are passed to the XML Gateway at the telco side. This allows identity federation to occur.
- The same end-user may have a different identity at the telco side compared to their identity at the client side. This requires the XML Gateway to perform identity mapping.
- At the telco side, the user is logged into a SiteMinder session based on their identity at the telco.
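The federation flow on this slide has two distinct gateway duties: trust the client-side STS token only after checking its signature, audience and validity window, and then translate the client-side subject into the telco-side identity that the SiteMinder session is opened for. The following added example (written for this page, not the telco's or Vordel's implementation) walks both sides of that exchange. A keyed HMAC over a JSON claim set stands in for the XML Signature on a SAML assertion, and the shared key, the audience URN and the `IDENTITY_MAP` table are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json

# Constructed key shared by the client-side STS and the telco-side gateway.
# A real SAML assertion carries an XML Signature verified against the STS
# certificate; the HMAC here stands in for that signature check.
STS_KEY = b"constructed-demo-key-not-for-real-use"
GATEWAY_AUDIENCE = "urn:example:telco:xml-gateway"

# Identity mapping table (constructed): client-side subject -> telco-side user.
IDENTITY_MAP = {
    "CLIENT-AD\\ana.silva": "telco-user-48213",
}


def sts_issue(subject, issued_at, ttl=300, audience=GATEWAY_AUDIENCE, key=STS_KEY):
    """Client-side STS: mint a token naming the client-side identity."""
    claims = {"sub": subject, "aud": audience, "iat": issued_at, "exp": issued_at + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def gateway_validate(token, now, audience=GATEWAY_AUDIENCE, key=STS_KEY):
    """Telco-side gateway: verify signature, audience and validity window
    before trusting any claim inside the token."""
    body, sep, sig = token.rpartition(".")
    if not sep:
        raise PermissionError("malformed token")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("token signature invalid")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("aud") != audience:
        raise PermissionError("token not issued for this gateway")
    if not (claims["iat"] <= now < claims["exp"]):
        raise PermissionError("token outside its validity window")
    return claims


def map_identity(client_subject, mapping=IDENTITY_MAP):
    """Identity mapping: the telco knows this user under a different name.
    An unmapped subject is refused rather than passed through unchanged."""
    telco_user = mapping.get(client_subject)
    if telco_user is None:
        raise PermissionError(f"no telco identity mapped for {client_subject}")
    return telco_user


def federate(token, now):
    """Full gateway path: validate the STS token, then map the identity.
    The returned telco user is the identity the SiteMinder session is opened for."""
    claims = gateway_validate(token, now)
    return map_identity(claims["sub"])


if __name__ == "__main__":
    token = sts_issue("CLIENT-AD\\ana.silva", issued_at=1000)
    print(federate(token, now=1100))
```

The order matters: mapping runs only after validation succeeds, so a forged, expired or misdirected token never reaches the mapping table, and the client-side name is never used directly as the telco identity.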

Case Study 4: IPTV with identity federation (diagram)
