Introduction to DataPower


1. DataPower Introduction

2. DataPower SOA Appliance

An SOA Appliance creates customer value through extreme SOA performance, connectivity, and security.
  • Simplifies SOA and accelerates time to value
  • Helps secure SOA XML implementations
  • Governs and enforces SOA/Web Services policies

DataPower SOA Appliances redefine the boundaries of middleware, extending the SOA Foundation with specialized, consumable, and dedicated SOA Appliances that simplify and combine superior performance, hardened security, and integration for SOA implementations.

3. Why an Appliance for SOA?
  • Hardened, specialized hardware for helping to integrate, secure and accelerate SOA
  • Many functions in a single device: service level management, dynamic routing, policy enforcement, transformation
  • Higher levels of security assurance certification: FIPS 140-2 Level 3, Common Criteria EAL4
  • Higher performance with hardware acceleration facilitates security enforcement
  • Addresses the divergent needs of different groups: enterprise architects, network operations, security operations, web services developers
  • Simplified deployment and ongoing management: drop-in appliance, secures traffic in minutes, integrates with existing operations

4. What is DataPower?
  • Provides the flexibility of software in a hardware footprint
  • Is quick to deploy: configuration, NOT coding or programming; typically takes days to integrate, NOT weeks or months
  • Is a 1U 19" rack-mounted appliance; looks like a router
  • Has minimal components and no stack of software. Consequently DataPower is highly secure, as attack points are minimised
  • DataPower is undergoing accreditation to Common Criteria EAL4, a globally recognised check by an impartial third party that warrants the security claims made by IBM

5. What Does DataPower Address?
  • XML is the language of Web Services and SOA
  • XML is pervasive: in a matter of years it will fuel every application, device, and document found in enterprise networks
  • XML challenges:
      • XML is very verbose and bandwidth intensive, with a direct impact on Application Server performance; XML processing requires significant processor cycles and memory resources
      • XML is effectively human-readable text: it has no native security mechanisms and is readily understood and vulnerable to interception. Security can be implemented on the application server, but this is additional XML processing and adds to the performance problem
  • SOA is not just Web Services and XML: customers need to integrate existing legacy systems, messaging formats and protocols into the SOA architecture. The ability to transform legacy systems into the XML format is needed.

6. What Does DataPower Address?
  • XML performance. How? By offloading XML processing from the Application Server to DataPower in optimised hardware, thereby greatly reducing the required number of Application Servers
  • XML security. How? By offloading XML security to DataPower; provides standards-based security (WS-Security)
  • Integrating XML and legacy systems. How? By using DataPower to transform XML to legacy message formats and protocols, e.g.
      • XML <> COBOL Copybook (brings a mainframe into the SOA architecture)
      • XML > HTML (renders HTML content to Portal very rapidly)
      • XML <> MQ Messaging
  • All of this is done at WIRESPEED

7. WebSphere DataPower SOA Appliance Product Line
  • XM70: high volume, low latency messaging; enhanced QoS and performance; simplified, configuration-driven approach to LLM; publish/subscribe messaging; high availability
  • XB60: B2B messaging (AS2/AS3); Trading Partner Profile Management; B2B Transaction Viewer; unparalleled performance; simplified management and configuration
  • XA35: offload XML processing; no more hand-optimizing XML; lowers development costs
  • XS40: enhanced security capabilities; centralized policy enforcement; fine-grained authorization; rich authentication
  • XI50: hardware ESB; any-to-any conversion at wire speed; bridges multiple protocols; integrated message-level security

8. WebSphere DataPower Basic Use Cases

[Diagram: consumers and applications across the Internet, DMZ and Trusted Domain zones, with System z in the trusted domain.] Use cases shown:
  • 1 B2B Gateway
  • 2 Secure Gateway (Web Services, Web Applications)
  • 3 Low Latency Gateway
  • 4 Internal Security
  • 5 Enterprise Service Bus
  • 6 Web Service Management
  • 7 Legacy Integration
  • 8 XML Acceleration

9. XML Accelerator XA35
  • Purpose-built hardware for presentation-tier transformation
  • The original DataPower XML appliance; defines the high-performance architecture for all DataPower SOA Appliances
  • Processes XML operations at wire speed; ideal in an XSL-intensive HTTP presentation tier
  • XML pipeline processing accelerates XML/XSLT/XPath evaluation, increasing throughput and decreasing latency by offloading XML operations to the network
  • Innovative drag-and-drop policy editor accelerates time to value and simplifies configuration and deployment
  • Logical application domains allow individual sandboxes and facilitate configuration management through import/export features
  • Multiple management interfaces serve the varying needs of an organization, including the browser-based WebGUI, the command line CLI, and scriptable Web Services

10. XML Security Gateway XS40
  • Purpose-built hardware for assuring confidentiality, authenticity, and non-repudiation
  • Native support for WS-Security policy enforcement
  • Extremely secure hardware design
  • Integrates with a variety of authentication and authorization systems for real-time protection
  • Ideal as a front-line DMZ or internal security gateway
  • XML/SOAP Firewall capabilities enable Layer 7 filtering on any content, metadata or network variable in a message
  • Web Application Firewall service offers additional security, threat mediation, and content processing for other URL-encoded HTTP-based applications
  • Easily configurable field-level security options allow flexible enforcement of confidentiality, authenticity, and non-repudiation requirements
  • Low latency architecture leverages hardware acceleration for cryptographic operations

11. Hardware Device for Improved Security
  • Sealed network-resident appliance: optimized hardware, firmware, embedded OS; single signed/encrypted firmware upgrade only; no arbitrary software
  • High assurance, default-off, locked-down configuration: security vulnerabilities minimized (few 3rd-party components); hardware storage of encryption keys, locked audit log; no USB ports, tamper-proof case
  • Third-party certification: FIPS 140-2 Level 3 HSM (option); Common Criteria EAL4

"The DataPower [XS40]... is the most hardened ... it looks and feels like a datacenter appliance, with no extra ports or buttons exposed" - InfoWorld

12. XML Security Threats Are Growing; DataPower Provides Hardened Real-Time Protection
  • XML Entity Expansion and Recursion Attacks
  • XML Document Size Attacks
  • XML Document Width Attacks
  • XML Document Depth Attacks
  • XML Wellformedness-based Parser Attacks
  • Jumbo Payloads
  • Recursive Elements
  • MegaTags, aka Jumbo Tag Names
  • Public Key DoS
  • XML Flood
  • Resource Hijack
  • Dictionary Attack
  • Message Tampering
  • Data Tampering
  • Message Snooping
  • XPath Injection
  • SQL Injection
  • WSDL Enumeration
  • Routing Detour
  • Schema Poisoning
  • Malicious Morphing
  • Malicious Include, also called XML External Entity (XXE) Attack
  • Memory Space Breach
  • XML Encapsulation
  • XML Virus
  • Falsified Message
  • Replay Attack
  • others

13. Gartner: Web Services Security Best Practices
  • Provide system security: inspect ALL traffic; transform all messages; mask internal resources; implement XML filtering; secure logging; protect against XML DoS; require good authentication mechanisms
  • Provide message security: sign all messages; validate messages (inbound + outbound); time-stamp all messages
  • Ask for compatibility: SSL MA, SAML, X.509, WS-Security, WS-* extensions
  • Build expertise / design from strength: educate business leaders; build centralized infrastructure; SSL is key; use management/security platforms; manage your identities; you may need PKI
  • Trust (really) your partners; use OTS Web Services with caution; monitor and control

"Therefore, enterprises should investigate tools such as security gateways, SSL concentrators and accelerators, and wire-speed SOAP/XML inspection hardware." -- John Pescatore, Gartner
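As an added example (not from the deck and not IBM's code), the following Python checks an XML document against several of the threat classes listed on slide 12 before any tree is built: document size, depth, width, jumbo tag names, entity declarations (expansion and XXE) and well-formedness. The limit values and the function names are assumptions chosen for the example.

```python
import xml.parsers.expat

# Assumed limits for the example; on a gateway these would be policy settings.
LIMITS = {"max_bytes": 64 * 1024, "max_depth": 32, "max_children": 1000, "max_name_len": 64}

class XmlThreatDetected(Exception):
    """Raised with the name of the slide-12 threat class that tripped a limit."""

def check_xml(data: bytes, limits: dict = LIMITS) -> dict:
    """Stream-parse with expat, enforcing limits before any tree is built."""
    if len(data) > limits["max_bytes"]:
        raise XmlThreatDetected("document size / jumbo payload")
    stats = {"max_depth": 0, "max_width": 0, "elements": 0}
    child_counts = []  # children seen so far at each open element level

    def start(name, attrs):
        if len(name) > limits["max_name_len"]:
            raise XmlThreatDetected("jumbo tag name")
        if child_counts:  # this element is one more child of its parent
            child_counts[-1] += 1
            stats["max_width"] = max(stats["max_width"], child_counts[-1])
            if child_counts[-1] > limits["max_children"]:
                raise XmlThreatDetected("document width")
        child_counts.append(0)
        stats["elements"] += 1
        stats["max_depth"] = max(stats["max_depth"], len(child_counts))
        if len(child_counts) > limits["max_depth"]:
            raise XmlThreatDetected("document depth / recursive elements")

    def doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE is where entity declarations live: expansion bombs and XXE.
        raise XmlThreatDetected("entity declaration (expansion / XXE)")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: child_counts.pop()
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as err:
        raise XmlThreatDetected("not well-formed: %s" % err) from None
    return stats

def classify(data: bytes) -> str:
    """Return 'ok' for a document within limits, else the threat class name."""
    try:
        check_xml(data)
    except XmlThreatDetected as err:
        return str(err)
    return "ok"
```

Because expat streams the document, an oversized or malformed input is rejected at the first offending element rather than after it has been fully loaded into memory.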
14. Access Control Integration Framework (AAA)

[Diagram: Input Message flows through the stages below to the Output Message, backed by an external access control server or the onboard identity management store.]
  • Extract Resource: transport headers, URL, SOAP method, XPath
  • Extract Identity: WS-Security, SAML, X.509, Kerberos, proprietary tokens
  • Authenticate: LDAP, Active Directory, SAML, Tivoli, CA eTrust/Netegrity, RSA, Entrust, Novell, RACF
  • Map Resource
  • Authorize: LDAP, Active Directory, SAML, Tivoli, CA eTrust/Netegrity, RSA, Entrust, Novell, proprietary
  • Map Credentials: SAML assertion, credential mediation
  • Audit & Accounting: IDS integration, monitoring
  • Authenticate, Authorize, Audit

15. Web Application Firewall
  • URL-encoded HTTP application protection in addition to XML Web Services firewall security
  • Protection for static or dynamic HTML-based applications
  • Supports browser-based clients and HTTP/HTTPS backend servers
  • Wizard-driven configuration
  • Cross-site scripting and SQL injection protection
  • AAA framework support for web applications
  • General name-value criteria boundary profiles for: query string and form parameters, HTTP headers, cookies
  • HTML input conversion maps for form processing and handling
  • Cookie watermarking (sign and/or encrypt)
  • Rate limiting and traffic throttling/shaping
  • HTTP header stripping, injection and rewriting
  • HTTP protocol and method filtering
  • Content-type filtering
  • Dynamic routing and load balancing
  • Session handling policies
  • SSL acceleration & termination (Link)
  • XML and non-XML processing policies
  • Customizable error handling

16. Integration Appliance XI50
  • Purpose-built hardware for Enterprise Service Bus functionality
  • Web Service virtualization for legacy applications
  • Enforce high levels of security independent of protocol or payload format
  • Integrate with enterprise monitoring systems
  • Service level management options to shape tra