XML Firewalls Cyber Defense for Net-Centric Applications June 23rd, 2010

Adam Vincent, Public Sector CTO
Layer 7 Confidential
Agenda
• What is a Net-Centric Application
• Net-Centric Application Threat
• What is an XML Firewall and why do we need one
• Overview of Layer 7 Technologies
– Example Government Use-case
• Conclusion
• Backup Slides
– Identity and Access Management
Netcentricity – Preface
Netcentricity is “The realization of a robust, globally interconnected network
environment that includes infrastructure, systems, processes, and people in which
data is shared timely and seamlessly among users, applications, and platforms.
Net-Centricity will ensure that users of information at any level can both take what
they need and contribute what they know.”
“It will improve work efficiency and make information more readily available to
decision makers, whether they are Department of Defense (DoD) civilian
employees developing strategies or warfighters operating on the battlefield.”
(Definition from U.S. DoD Website)
Service Oriented Architecture and XML have become the de facto standard for
enabling Net-Centric Operations
[Figure: Net-centric Policy Framework for Security, Identity, and Governance]
Scenario: Fluid Communities Of Interest
[Figure: Organization A, Organization B and Organization C; Situation 1 and Situation 2; Net-centric Policy Framework for Security, Identity, and Governance]
Scenario: Policy “Layers” in Reality
[Figure: Army, Air Force and Navy Org Policy; Situation 1 Policy Layer; Net-centric Policy Framework for Security, Identity, and Governance]
XML Security
• Attackers See Opportunities
• XML Threat Categories
• WS-Security
Slides Utilized:
OWASP DC Chapter: Web Service Hacking and Hardening
2008 IEEE: What is an XML Firewall
Web Services Hacking
Attackers See Opportunities!
Web Services offer an entirely new dimension to the traditional security stack. This new layer is a business layer and current security practices DO NOT offer sufficient protection.
Why:
– Totally new technology, and with new technology come new problems
– Operates over common web transports; traditional firewalls are based on the concept of stopping attacks at the OS level, not at the Message Level (Layer 3-5).
– Automation and Toolkit development (Reuse of these tools)
– Standardization of attack vectors: you can attack .NET and Java business applications using the same messages.
– Inherent Descriptions (WSDL, Tool kit web pages, etc.)
© Adam Vincent - Layer 7 Technologies
A Significant Problem in System Distribution
The problem with any distributed system is that a single failure within the system
can have an unknown impact on the system in its entirety. - Leslie Lamport
In the use of Web Services we are adopting a practice of reuse and system
distribution that spans one or more networks and potentially the internet.
Web Service Threats
[Figure: Transport, Parsing, Deployment and Service Code, with the callout “Focus Needs to be Here!”]
What is an XML Firewall and Why do we need one?
• What is a Firewall
• Categories of Firewalls
• What is an XML Firewall
Slides Utilized:
2006 MITRE: Class on XML Firewalls
2008 IEEE: What is an XML Firewall
XML Firewalls Overview
Traditional Firewalls do very little to mitigate XML
vulnerabilities since they are normally configured to allow all
ASCII traffic through port 80, and XML is ASCII.
XML firewalls are devices for implementing security policies,
as specifically applied to XML messages.
What is a Firewall?
[Figure: Firewall; Policies]
Definition: Limits access between networks in accordance with local security policies.
What is an XML Firewall?
[Figure: XML; XML Firewall; Policies; callout “What should I do with this XML document/message?”]
Definition: An XML firewall is a tool that takes as input an XML document/message and enforces security policies.
Example Deployment
[Figure: Internet Client; Internet; Packet Firewall; Perimeter XML Firewall; Local Area Network with Client Workstations; Enclave XML Firewalls; Service Enclave with Servers]
What Factors Enter into an XML Firewall's Decision?
Decisions can be made based upon countless factors, e.g.,
– Package-based factors:
• Where did the connection/message come from?
• Who originated the connection/message?
• Where is its destination?
• What time did the connection/message arrive?
• What time was the connection/message sent?
– Content-based factors:
• Is the content of the message acceptable?
• Is the content a high-value transaction?
• Is the content a low-value transaction?
• Is the content of the message structured appropriately?
• Is the XML security header formatted correctly?
What Actions can an XML Firewall Take?
If the firewall decides the message/document is not acceptable for propagation, it may:
– log the document
– return the document
– discard the document
– Etc.
If the firewall decides the message/document is acceptable for propagation, it may:
– simply forward it along
– route it along a special path
– delay sending it along for a period of time
– Etc.
XML Acceleration (1 of 2)
XML is verbose and processing can be time consuming
XML Firewalls provide mechanisms to accelerate XML processing:
– Utilize hardware-based mechanisms to accelerate XML processing
– Utilize low-level software processing capabilities and pipelining to accelerate XML processing
[Figure: XML; XML Firewall with Policies; New XML; Back-end applications; labels Policy Un-verified and Policy Verified]
Back-end applications are relieved from doing all of this XML processing
XML Acceleration (2 of 2)
Here’s some XML processing which can be done very quickly with an XML Firewall:
– Validate XML Message against an XML Schema
– Transform an XML input using XSLT for output to a back-end service
– Verify message conforms to WS-Security Specification
– XPATH Processing and Content Based Routing
Threat Detection
An XML Firewall can perform detection and
mitigation of malicious code using XML as a
vector of attack
[Figure: Entity A; XML Purchase Order (with Malicious Code); XML Firewall with Malicious Code Policy; Entity B; callout “Malicious code is not allowed to pass”]
Access Control
An XML Firewall can perform fine-grained Authentication and Authorization of a sending and receiving entity
[Figure: Entity A; XML Purchase Order; XML Firewall with Access Control Policy; Entity B; callout “(A) is allowed to send purchase orders to (B)”]
XML Schema Validation
An XML Firewall can determine whether an XML
message/document conforms to an XML Schema
[Figure: Entity A; XML Document; XML Firewall with XML Schema; XML Document; Entity B]
XML Digital Signatures
An XML Firewall can determine whether an XML message/document's digital signature is valid and apply digital signatures to an XML message/document
[Figure: Entity A; XML Document; XML Firewall with Digital Signature; XML Document; Entity B]
XML Encryption
An XML Firewall can decrypt an XML message/document and encrypt an XML message/document
[Figure: Entity A; Encrypted XML Document; XML Firewall with XML Encryption; Decrypted XML Document; Entity B]
XSL Transformation
An XML Firewall can change XML messages/documents through an
integrated XSLT processor
[Figure: Entity A; XML Document; XML Firewall with XML Schema; New XML Document; Entity B]
XML Filtering
An XML Firewall can filter incoming XML traffic based on
message size, disallowed content, other metadata, etc.
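An added example, not from the original slides and not Layer 7 product code: a minimal Python filter that applies the size and disallowed-content checks described above and returns a forward or discard decision. The policy values, the depth limit, the choice of DOCTYPE and `script` as disallowed content, and the sample messages are assumptions made for illustration.

```python
import xml.parsers.expat

# Hypothetical policy values; a real gateway would load these per service.
POLICY = {"max_bytes": 4096, "max_depth": 8,
          "forbidden_elements": {"script"}}

# Constructed sample messages (not from the original slides).
OK_ORDER = b"<po:order xmlns:po='urn:example:po'><po:amount>2.00</po:amount></po:order>"
WITH_DTD = b"<!DOCTYPE order [<!ENTITY a 'x'>]><order>&a;</order>"
TOO_DEEP = b"<a>" * 9 + b"</a>" * 9
TOO_BIG = b"<order>" + b"A" * 5000 + b"</order>"

class PolicyViolation(Exception):
    """Raised inside parser callbacks to stop parsing at the first violation."""

def filter_message(raw, policy=POLICY):
    """Return ("forward", None) or ("discard", reason) for one XML message."""
    # Cheapest check first: enforce the size limit before any parsing work.
    if len(raw) > policy["max_bytes"]:
        return ("discard", "message size limit exceeded")
    depth = [0]

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Reject any DTD outright, so no entity declarations are processed.
        raise PolicyViolation("DOCTYPE not allowed")

    def on_start(name, attrs):
        depth[0] += 1
        if depth[0] > policy["max_depth"]:
            raise PolicyViolation("nesting depth limit exceeded")
        local = name.rsplit(":", 1)[-1].lower()  # drop any namespace prefix
        if local in policy["forbidden_elements"]:
            raise PolicyViolation("disallowed element: " + local)

    def on_end(name):
        depth[0] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(raw, True)
    except PolicyViolation as exc:
        return ("discard", str(exc))
    except xml.parsers.expat.ExpatError:
        return ("discard", "not well-formed XML")
    return ("forward", None)
```

Because the callbacks raise on the first violation, the parser stops before reading the rest of a rejected message.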
[Figure: Entity A; LARGE XML Document; XML Firewall with Policies; Entity B; callout “Message Size Limit Exceeded”]
Dynamic Routing
An XML Firewall routes a request based on content, network
parameters or other metadata
[Figure: Entity A; $1,000,000 Purchase Order; Firewall with Policies; callout “Where should I route this document?”; one destination labelled “Busy”, the other “Not busy. Document is routed here.”]
Service Virtualization/Abstraction
Mask back-end resources from external probing
[Figure: Message to Service (A); XML Firewall with Policies, labelled “I’m Service (A)”; the back end labelled “This is the actual service (A)”]
The XML Firewall shields the actual service from external attacks by acting as a virtual stand-in to the service.
Quality of Service (QoS)
Enables you to provide service priorities
– A $1,000,000.00 transaction will get expedited service, a
$2.00 transaction will get regular service
[Figure: $2.00 Purchase Order and $1,000,000 Purchase Order; Firewall with Policies; callout “On arrival, priority goes to $1,000,000 Purchase Order”]
Auditing
Provides service level auditing capabilities
– Number of requests
– Types of requests
– Where requests originate
[Figure: Firewall; Service 1; Service 2; Audit Data]
Virus Detection (1 of 2)
Many XML Firewalls offer virus detection capabilities
– Viruses in attachments (MIME and DIME Messages)
– Viruses in XML content
[Figure: Virus; Firewall; callout “Virus Detected!”]
Virus Detection (2 of 2)
How XML Firewalls offer Virus Protection
[Figure: Firewall; External Virus Engine; Symantec/Other Scanner; Virus Def Update]
Overview of Layer 7
• Who is Layer 7
• Example of Layer 7 Government Usage
• What Products does Layer 7 Offer
Layer 7 History
• Layer 7 is the leading vendor of security and governance for:
[Figure: chart labelled Cloud, SOA, XML; Revenue, Customers; 2003, 2006, 2009]
Layer 7 Service Governance
CloudSpan Overview
• CloudConnect: Safely Consume Cloud Services
• CloudControl: API Publication from your Cloud
• CloudProtect: DMZ-level Security in the Cloud
[Figure: Application APIs; Secure Integration; SSO; Developers; Datacenter; Mobile Apps; Field Deployments; Connect, Control, Protect]
Layer 7 in Government
• Layer 7 is utilized as an XML Firewall and/or one or more of the following:
– Policy Enforcement Point (PEP),
– Policy Decision Point (PDP),
– Attribute Service (AS)
• Layer 7 is utilized as a High Performance Mediation Service
• Layer 7 is used in an integrated fashion with cross domain guards
[Figure: SAP; Web Services API; Oracle; BI App; LDAP/IAM]
Example Government “Policy” – Word Document…
Provides additional “Joint DoD/IC acknowledged” flexibility on top of NCES Security Specs and supported by NSA risk analysis.
– Control A: No Security Controls
• No Security Offered
– Control B: Mutually authenticated SSL/TLS Connection
• Point-to-point authentication, authorization, integrity, confidentiality, and non-repudiation
– Control C: Digital Signatures on four parts of message plus timestamp and unique message id (current NCES message security specification)
• Message authentication, authorization, integrity, and non-repudiation
– Control D: All C controls plus: encryption of message body
• Message authentication, authorization, integrity, non-repudiation and confidentiality of encrypted message body
– Control E: Combine B and C
• Message authentication, authorization, integrity, non-repudiation and point-to-point confidentiality
– Control F: Combine B and D
• Double Security through Message authentication, authorization, integrity, non-repudiation, and confidentiality of encrypted message body, along with point-to-point (transport) authentication, authorization, integrity, confidentiality, and non-repudiation
*As described in appendix D of the Intelligence Community and Department of Defense Service-Oriented Architecture Security Reference Architecture v1.0 document
Layer 7 Implementation of JSS Policy
[Figure: SOAP → Layer 7 In-Line Processing → SOAP]
– Choose Security Control
• Control A
• Control B
• Control C
• Control D
• Control E
• Control F
– Choose Authentication Requirement
• Digital Signatures and SAML (Optional)
• Mutually Authenticated SSL
• LDAP (Optional)
– Choose Authorization Requirement
• Local ABAC/RBAC
• Internal High Speed PDP
• External PDP Integration
• JEDS (Enterprise Attributes)
• SAML Attributes (Conveyed Attributes)
– Choose Message Encryption Requirement
• Message Encrypted
• Message Not Encrypted
– Choose Message Security Header Handling (Consumer-Side)
• Remove Processed Security Header
• Leave Processed Security Header
– Choose Message Security Header Handling (Provider Side)
• Create New Security Header
• Forward Processed Security Header (only if message integrity is intact)
– Choose Outgoing SSL Requirement
• Mutual SSL
• No SSL
How to Introduce Flexibility into a System
– Decouple the variable part of an implementation from
the invariant part.
• Variable: Transport, security, standards compliance, etc.
• Invariant: Business functionality
– Introduce flexibility into the system through the use of
policies:
• Decouple the policy part of Web services from the business
logic part.
The SecureSpan Manager for Creating Policy
Centralized manager for creating, controlling and validating net-centric policies
Layer 7 – XML Gateways
Security
• Protect service endpoints against attacks & XML exploits
• Filter & block content leakage based on defined policies
• Centrally enforce service-level access and entitlements
• Secure Web 2.0
Compliance
• Enforce interoperability of WS* and WS-I standards
• Provide granular audit trail
• Insulate endpoint differences (data, transport & protocol)
• Enforce SLAs, throttle and quota requirements
Reliability
• Enable secure cross-domain service connectivity
• Improve partner interoperability
• Ensure high availability access to services
• Reduce latency in SOA interactions
• Improve XML throughput and peak load performance
• Offload intensive XML operations from software
[Figure: XML Accelerator; XML Data Screen; XML Firewall; XML Networking Gateway]
Layer 7 - Enterprise Service Manager
QOS
• Evaluate throughput and peak load performance
SLA
• Ensure high availability access to services
• Report on SLAs
Message Content
• Allow code-free runtime message monitoring
• Reduce latency in SOA interactions
• Filter & report content leakage based on defined policies
Layer 7 – Value Add
Deployment Flexibility
• Available as Appliance, VMWare Virtual Appliance, and Software
• Clustering for high availability and Failover
Policy Agility
• Manage the entire lifecycle of policy with Layer 7 ESM
• Allow code-free runtime policy changes
• Automated policy deployment to Layer 7 XML VPN
Interoperability
• Insulate endpoint differences (data, transport & protocol)
• Improve partner interoperability
• Simplify integration with identity, management & governance
Conclusions
Questions and Next Steps
Identity and Access Control
• Overview of Identity and Access Control
• Layer 7 Support
• PEP- Authentication and WS-Policy Enforcement
– Call-Out to Authorization Services
• PDP- Authorization and XACML Enforcement
• AS – Attribute Retrieval & SAML 2.0 Profile
Slides Utilized:
2010: Layer7 Product Demonstration for JSSWG
2010: JSSWG Reference Architecture
Access Control
• Most security-conscious Web Service developers build some mechanism of authentication into deployed web service capabilities. This can be as simple as HTTP Basic or as complex as SAML Holder of Key (HOK).
• Authorization can be based on accessing the Web Server itself or, more specifically, an operation within a service. With web services becoming more sophisticated, the latter is the recommended method going forward.
• Even when access control is in place, a defense in depth approach is suggested to alleviate concern when a malicious entity has hijacked an existing authorized identity.
Configure Policy Enforcement Point (PEP)
Optional in-line PDP
XACML Query Configuration
Configure Policy Decision Point (PDP)
Or Remote Policy
XACML Configuration
Configure Attribute Services (AS)
Attribute Service Wizard