Network Approach in enabling SOA
© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1
Cheng Jang Thye
Business Development Manager
Applications Are Changing
• Collaborative (Web 2.0 and SOA)
  – Applications componentized with extensive app-to-app communication and data sharing
  – Rich Interactive UI (AJAX, JS)
  – Web Services or XML interface
  – Significantly greater challenges with Scalability, Security, Visibility, Control
• Client-Server/Silo-ed (Web 1.0)
  – Limited data sharing between applications
  – Static web pages
  – Internet enabled
  – Challenges with Scalability, Security, Visibility, Control
What is SOA All About?
[Diagram: four applications (Business Intelligence, Finance, Custom, Call Center), each with its own Data Access layer over the Credit, Availability, Address and Store Sales data in the Data Tier, compared with a Client calling shared Web Services: Verify Customer Credit, Determine Product Availability, Check Customer Address, Look-up Store Sales]
Enterprise applications required repetitive coding
SOA enables reuse of data and business logic
Exploring a Web 2.0 User Interface
[Screenshots: Web 1.0 vs Web 2.0 user interface]
Impact of Web 2.0 User Interfaces
[Diagram: Web 1.0 vs Web 2.0]
Web 2.0 clients increase server processing and network traffic
Typical Enterprise Application Architecture: Some Important Challenges to Consider
[Diagram: Business Apps exchanging XML messages over the Internet with User Activation Web Services, Payment & Billing Services, Internet Services and CRM Services]
• XML Messages introduce new security threats
• XML Messages are ASCII and 3-10X larger than their binary equivalent
• XML will be 50% of network traffic, up from 15% in 2005 (451 Group)
• Access control must be enforced to prevent malicious users
• Mission critical applications require that Web services be reliable
Key Considerations: With XML traffic new XML security threats arise and application performance deteriorates
How to Web-Service Enable Your Apps
• Build new application servers with Web Service Interfaces
  Pro: Clean extension
  Cons: Expensive
• Extend current applications with Web Service Interfaces
  Pro: Cheaper
  Cons: Dependency on versions of applications
• Use a gateway to provide Web Service Interface
  Pro: No touch to existing application
  Cons: New gateway
Other Challenges
• Web Service/XML Security
  Authentication, Authorization, Encryption
  Firewall, DOS
  Other Threats
• Server Performance
• Web Service Management
• Federation
XML Introduces New Security Threats
[Chart: Most Common Web Application Vulnerabilities. Source: WhiteHat Security]
XML Threat Categories
• Format Attacks
  Main focus: Buffer overflow, Overload and Denial of Service
  Documents of extreme depth, breadth, length, number of nodes
• Content Attacks
  Main focus: Command execution
  Exploiting insecure business logic (e.g. SQL Injection)
• Denial of Service
  Main focus: Consuming all system resources
  Exploiting processing issues to overwhelm capacity
Content Attack: SQL Injection
Strategy: insert SQL statements into otherwise valid XML to cause problems on database back end

Valid message:
<customer>
  <customerName>BigCo</customerName>
  <customerID>12345</customerID>
</customer>

Injected message:
<customer>
  <customerName>BigCo</customerName>
  <customerID>12345; drop table users; --</customerID>
</customer>

• Eg. of a general class of threats: Command Injection, LDAP…
Query built by string concatenation on the application server:
SqlQuery = "Select * from userTable where ID =" + myCustomer.CustomerID + ";"
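As an added example (not from the deck and not ACE XML Gateway code), the slide's concatenated query run against an in-memory SQLite database, beside the content-screened, parameterised version the application or a gateway should use instead. The table schema and both sample messages are constructed for this example.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
# Constructed sample messages: the valid order from the slide and the injected one.
BENIGN_XML = "<customer><customerName>BigCo</customerName><customerID>12345</customerID></customer>"
INJECTED_XML = ("<customer><customerName>BigCo</customerName>"
                "<customerID>12345; drop table users; --</customerID></customer>")

def fresh_db():
    """In-memory database with the userTable and users tables the slide mentions (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("CREATE TABLE userTable (ID INTEGER, name TEXT);"
                     "INSERT INTO userTable VALUES (12345, 'BigCo');"
                     "CREATE TABLE users (ID INTEGER);")
    return db

def customer_id(xml_text):
    """Extract customerID exactly as the application would: an untrusted string."""
    return ET.fromstring(xml_text).findtext("customerID")

def vulnerable_lookup(db, xml_text):
    """The slide's concatenation; executescript runs every statement handed to it, as many drivers do."""
    sql = "SELECT * FROM userTable WHERE ID = " + customer_id(xml_text) + ";"
    db.executescript(sql)
    return sql

def hardened_lookup(db, xml_text):
    """Content screening against the schema type, then a parameterised query."""
    cid = customer_id(xml_text)
    if not re.fullmatch(r"\d{1,10}", cid):       # customerID must be a plain integer
        raise ValueError("customerID failed content screening: %r" % cid)
    return db.execute("SELECT name FROM userTable WHERE ID = ?", (int(cid),)).fetchall()

def table_exists(db, name):
    return db.execute("SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
                      (name,)).fetchone()[0] == 1

def run_demo():
    """Both paths on fresh databases: (users dropped?, hardened rows, injection rejected?, users intact?)."""
    db = fresh_db()
    vulnerable_lookup(db, INJECTED_XML)
    dropped = not table_exists(db, "users")
    db = fresh_db()
    rows = hardened_lookup(db, BENIGN_XML)
    try:
        hardened_lookup(db, INJECTED_XML)
        rejected = False
    except ValueError:
        rejected = True
    return dropped, rows, rejected, table_exists(db, "users")
```

Whether stacked statements execute depends on the database driver, but the screening and the bound parameter remove the problem regardless of driver.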
XML Denial of Service (XDoS)
• Swamping a server with illegitimate messages that consume resources that would otherwise be used to process legitimate messages
• Resources
  Server CPU (parsing, SSL processing, signature validation, etc.)
  Server network connections
  Server memory
  Server storage
• Inadvertent, non-malicious XDoS is just as bad as intentional XDoS
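An added example (not from the deck and not ACE XML Gateway code) of the format screening the Format Attacks and XDoS slides call for: bounding message size, nesting depth, breadth and node count while streaming, so a document of extreme depth or breadth is rejected before the application server spends CPU and memory on it. The limits and the sample messages are constructed for this example.

```python
import xml.etree.ElementTree as ET
from io import BytesIO

# Bounds a gateway would enforce before the application server parses the message.
# The values are assumptions for this example, not ACE XML Gateway defaults.
LIMITS = {"max_bytes": 64 * 1024, "max_depth": 32, "max_nodes": 10_000, "max_children": 1_000}

def check_format(xml_bytes, limits=LIMITS):
    """Stream through the document and reject it as soon as a bound is exceeded.
    Returns (accepted, reason). Entity expansion is a separate check not covered here."""
    if len(xml_bytes) > limits["max_bytes"]:
        return False, "message too large"
    depth, nodes, child_counts = 0, 0, []      # child_counts[-1] = children of the open element
    try:
        for event, elem in ET.iterparse(BytesIO(xml_bytes), events=("start", "end")):
            if event == "start":
                depth += 1
                nodes += 1
                if depth > limits["max_depth"]:
                    return False, "nesting depth %d exceeds limit" % depth
                if nodes > limits["max_nodes"]:
                    return False, "node count exceeds limit"
                if child_counts:
                    child_counts[-1] += 1
                    if child_counts[-1] > limits["max_children"]:
                        return False, "element breadth exceeds limit"
                child_counts.append(0)
            else:
                depth -= 1
                child_counts.pop()
                elem.clear()                   # do not keep the whole tree in memory
    except ET.ParseError as err:
        return False, "malformed XML: %s" % err
    return True, "ok"

# Constructed sample messages.
BENIGN = b"<customer><customerName>BigCo</customerName><customerID>12345</customerID></customer>"
DEEP = b"<a>" * 200 + b"</a>" * 200            # extreme depth
WIDE = b"<r>" + b"<x/>" * 5000 + b"</r>"        # extreme breadth
```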
XML Threats Are Already Here!
http://www.webservicessummit.com/Vulnerabilities.htm
XML Processing Increases Server Cost
[Chart: Server CPU Utilization without XML (Biz Logic, Overhead) vs with XML (Biz Logic, Overhead, Schema Validation, Parsing, Data Transformation, Encryption, Decryption, Content-based Routing, Protocol Mediation)]
Application servers cost on a "per CPU" basis
Typical objections and responses
Objection: I'll add more servers to address performance, not application delivery infrastructure
Response: It is more cost-effective to deploy high performance dedicated XML processing appliances than new servers to improve performance.
Objection: I don't think I need application security, I have firewalls
Response: Basic firewalls don't fully protect against application-layer attacks – true security is L2-L7, a Cisco strength
Objection: I only do Web Services with business partners I trust. They would never attack me anyway.
Response: Who controls the quality of their software front end? What if a few inputs slip through their input validation? What if someone compromises their infrastructure, or intercepts the messages in flight?
Challenges with Today's Distributed, Heterogeneous SOA
Interoperability: Multiple implementations of core standards means interoperability is a challenge
Availability: Services must be made universally available and callable across heterogeneous implementations
Manageability and Visibility: Distributed, loosely coupled applications across platforms, domains, geographies difficult to see and manage effectively
Security: Application messages traversing multiple protocols (incl. HTTP) introduce new security challenges
Scalability: Higher volume XML/Web Services traffic creating server processing overhead
Reliability: Transaction-level reliability is required for messages traversing multiple protocols (e.g., HTTP)
Leveraging the Strengths of an Intelligent Network to enable SOA
[Diagram of the intelligent network; labels: EDI, Telephony, Business Intelligence, Custom Protocol, Web Service, SOA, Compression, ASP, ESB, EAI, J2EE, .Net, MQSeries, Message Broker, Legacy Apps, B2B Gateway, BAM, Service Adapters, Standards, Security, Transformation, Business Rules, Mobile Services, Event Capture, RFID, Compliance Logging, Database Lookup, Load Balancing; locations: Data Center, Branch Offices, Distribution, Extranet, Field Organizations, B2B Links, Partners, Remote Environments]
Benefits of a Network Based Approach:
• High Performance, as resources are dedicated for that function
• No new intermediary layers or components
• No changes required to applications
• Network and applications can work together
• Simplifies infrastructure
• Leverages investment
Past Examples:
• Firewall, Proxy, VPN, SSL Accelerator
Introducing the ACE XML Gateway
Improve the performance of SOA / Web 2.0 applications while securing XML data and offloading XML processing from application servers
• Secure SOA/Web 2.0 applications: prevent threats to application – XML Firewall, Deep message inspection, Access control
• Improve Server Utilization: offload XML and message processing from application servers
The highest performance XML switch in the market!
ACE XML Gateway and Manager
ACE XML Manager (Development, Integration, Security, Operations): federated message policy workflow; deployment, auditing, and management
ACE XML Gateways: Message Policy Enforcement & Analysis for inbound and outbound messages
  Transformation and mediation
  Identity and access enforcement
  Message transport, security, and routing
  Secure, high-performance XML processing pipeline on a best of breed platform
Cisco ACE XML Gateway Functionality
Inbound messages: HTTP/S, SMTP, MQ, TIBCO, JMS, Custom
XML Firewall: XML denial of service, Content screening, XML attack detection
Access Enforcement: WS-Security, Authentication, Authorization, IAM integration, LW security token service (STS), Multi-level credential collection
XML Message Processing: XML schema, encryption/signing, transformation, mediation, acceleration, XML traffic monitoring
Also: Content/IP/header based routing, Enterprise class management, Auditing & forensics, Attachment anti-virus protection, Privacy enforcement, Identity-based reporting & alerting, Identity-based routing, Compliance reporting, SSL termination
Authentication, Transformation, & Management APIs/SDK
Outbound messages: HTTP/S, SMTP, MQ, TIBCO, JMS, Custom
Network Deployment
[Diagram: DMZ and Data Center deployment; labels: Internet, External XML Web Services Consumers, Network Firewall, ACE XML Gateway (Perimeter Security), ACE Application Switches, ACE XML Gateway (XML Offload), Portal, XML Web Services Aware Applications, ACE XML Manager, Identity Mgt Systems]
1. Perimeter Security (e.g. Web and XML Firewall protection for applications)
2. XML Offload (e.g. XML processing offload from servers)
Validated By Customers
Demo
• Environment
  J2EE Application Server with JAX-WS (VM) running web services:
    Web Service #1: Add 2 numbers
    Web Service #2: Concatenate 2 strings
  AXG 6.0 (VM): Gateway and Manager
• Demos
  Browser -> Manager - (WS) -> Gateway -> J2EE App Server