ibm websphere datapower websphere datapower · pdf fileibm websphere datapower ... example:...
TRANSCRIPT
IBM WebSphere DataPower
© 2009 IBM Corporation
WebSphere DataPower Appliance The perfect XML/Web Services security gateway for Cloud environment Service security, service-level management, mediation & policy enforcement
Thomas KW PoonAdvisory IT SpecialistWebSphere
IBM WebSphere DataPower
2
IBM’s acquisition of DataPower
Software
Skills &Support
An SOA Appliance…
WebSphere DataPower SOA Appliances redefine the boundaries of middleware extending the SOA Foundation with specialized,
consumable, dedicated SOA appliances that combine superior performance and hardened security for SOA implementations.
Simplifies SOA with specialized devices Accelerates SOA with faster XML/WS throughputHelps secure SOA XML/WS implementations
Creating customer value through extreme SOA performance and security
IBM WebSphere DataPower
3
XML Accelerator XA35Offload XML processingNo more hand-optimizing XMLLowers development costs
Integration Appliance XI50Hardware ESB“Any-to-Any” Conversion at wire-speedBridges multiple protocols Integrated message-level security
XML Security Gateway XS40Enhanced Security CapabilitiesCentralized Policy EnforcementFine-grained authorizationRich authentication
WebSphere DataPower SOA Appliance Product LineB2B Appliance XB60
B2B Messaging (AS1/AS2/AS3)Trading Partner Profile ManagementB2B Transaction ViewerExceptional performanceSimplified management and configuration
LLM Appliance XM70High volume, low latency messagingEnhanced QoS and performanceSimplified, configuration-driven approach to LLMPublish/subscribe messagingHigh Availability
IBM WebSphere DataPower
4
IBM SOA Appliance Product Line Specialized network devices simplify, help secure & accelerate SOA
Transforms messages (Binary to XML, Binary to Binary, XML to Binary)Bridges multiple protocols (e.g. MQ, HTTP, JMS)Routes messages based on content and policyIntegrates message-level security and policy functions
Help secure SOA with XML threat protection and access controlCombines Web services security, routing and management functionsDrop-in, centralized policy enforcementEasily integrates with exiting infrastructure and processes
XML Security Gateway XS40
Integration Appliance XI50
WebSphere CloudBurst Appliance Secure cloud management applianceReduce setup time for WebSphere environmentsCodify your infrastructure for reduced riskSimplified maintenance and management Dispenses WebSphere Application Server Hypervisor Edition
IBM WebSphere DataPower
5
IBM WebSphere DataPower
6
2
1 client requests, SOAP, HTTP, HTTPS, FTP, NFS, MQ
Request
IBM CloudBurst and WebSphere DataPower
WAS, MQ etc…
IBM WebSphere DataPower
7
Update applicationservers individually
Before SOA Appliances
Secure, route, transform all applications instantly
No changes to applications
After SOA Appliances
Centralize - Route, transform, and help secure multiple applications without code changesSimplify - Lower cost and complexityIntegrate - Enable new business with unmatched performance
Simplify, Integrate and Centralize Core Functions
Route
Transform
Encrypt/Decrypt
Validate
Authenticate
IBM WebSphere DataPower
8
Today’s DMZ
8
Pack
et
Filte
r
Pack
et
Filte
r
intranet [Software + appliances]Internet
ESB
DMZ [Appliances ONLY]
datacenter
users
internaluser
intrusiondetection
identityfederation
loadbalancing
WAN and connection
optimization
application-awaretransformations
loadbalancing
caching
Security policy
enforcement
monitoring
intrusionprevention
trafficshaping
trafficshaping
DataPowerXS40
ISS
NEPs
caching
NEPs
IHS plugin, Proxy Server,
Edge Server
XDoSprotection
QoS policyenforcement
WebSphere VE (XD)
datacenter
WebSeal
SSL offload
extensible rules
Fine grainAccess control
XI50, WESB, WMB
Increased processing
requirements in the DMZ
clouds
threats
WSJ2EEWebREST
IBM WebSphere DataPower
9999
Pack
et
Filte
r
Pack
et
Filte
r
intranet [Software + appliances]
Internet
ESB
DMZ [Appliances ONLY]
datacenter
users
internaluser
datacenter
clouds
threats
SOA/XML
Web Application
IP/TCP(packets/conns)
WSJ2EEWebREST
SOA/XML
Web Application
IP/TCP(packets/conns)
DMZ Consolidation with Application Optimization option
IBM WebSphere DataPower
1010
What is the Option for Application Optimization?WebSphere DataPower Option for Application Optimization (AO) is a NEW software feature option
The AO option has two key functional features:-
Self-balancing – the ability for 2 or more DataPower appliances to distribute load amongst themselves thereby removing the requirement to place traditional server load balancers (SLBs) such as F5, Cisco and Citrix in front of a cluster of DataPower appliances
-
Intelligent Load Distribution – new load balancing capabilities for distributing load to backend WebSphere ND and other non-WAS environments
Dynamically create load balancing groups by interrogating WAS ND cellsRetrieve weights from WAS ND cells for load distribution decisionsOut of the box support for session affinity with WAS ND members Session affinity with non-WAS application servers
IBM WebSphere DataPower
11
Why an Appliance for SOA
Hardened, specialized hardware for helping to integrate, secure & accelerate SOAMany functions integrated into a single device:-
Impact: connectivity will require service level management, routing, policy, transformation
Higher levels of security assurance certifications require hardware:-
Example: government FIPS Level 3 HSM, Common CriteriaHigher performance with hardware acceleration:-
Impact: ability to perform more security checks without slow downsAddresses the divergent needs of different groups:-
Example: enterprise architects, network operations, security operations, identity management, web services developers
Simplified deployment and ongoing management:-
Impact: reduces need for in-house SOA skills & accelerates time to SOA benefits
IBM WebSphere DataPower
12
XML Security Gateway XS40Easy to Use Appliance PurposeEasy to Use Appliance Purpose--BuiltBuilt
for SOA Securityfor SOA SecurityXML/SOAP Firewall: -
Filter on any content, metadata or network variablesData Validation:-
Approve incoming/outgoing XML and SOAP at wirespeedField Level Security:-
WS-Security, encrypt & sign individual fields, non-repudiationXML Web Services Access Control/AAA:-
SAML, LDAP, RADIUS, etc.MultiStep:-
Sophisticated multi-stage pipelineWeb Services Management: -
Service Level Management, Service Virtualization, Policy ManagementTransport Layer Flexibility:-
HTTP, HTTPS, SSLWeb Application Firewall Capabilities:-
Additional security proxy, threat mediation & content processing services for other URL encoded HTTP-based applications
Easy Configuration & Management: -
WebGUI, CLI, IDE and Eclipse Configuration to address broad organizational needs (Architects, Developers, Network Operations, Security)
IBM WebSphere DataPower
13
Integration Appliance XI50Middleware Appliance PurposeMiddleware Appliance Purpose--Built forBuilt for
Application IntegrationApplication IntegrationDataGlue “Any-to-Any” Transformation Engine Content-based Message Routing:-
Message EnrichmentProtocol Bridging (HTTP, MQ, JMS, FTP, etc.):-
Request-response and sync-async matchingDirect to Database:-
Communicate directly with remote Database instancesXML/SOAP Firewall:-
Filter on any content, medata or network variables
Data Validation:-
Approve incoming/outgoing XML and SOAP at wirespeedField Level Security:-
WS-Security, encrypt & sign individual fields, non-repudiationXML Web Services Access Control/AAA:-
SAML, LDAP, RADIUS, etc.MultiStep:-
Sophisticated multi-stage pipeline
Web Services Management:-
Centralized Service Level Management, Service Virtualization, Policy ManagementEasy Configuration & Management:-
WebGUI, CLI, IDE and Eclipse configuration to address broad organizational needs (Architects, Developers, Network Operations, Security)
IBM WebSphere DataPower
14
Hardware Device for Improved Security
Sealed network-resident device:-
Optimized hardware, firmware, embedded OS-
Single signed/encrypted firmware upgrade only, not arbitrary software-
High assurance, “default off” locked-down configuration-
Security vulnerabilities minimized (few 3 party components)-
Hardware storage of encryption keys, locked audit log-
No drives/USB ports, tamper-proof caseThird party certification:-
FIPS 140-2 level 3 HSM (option)-
Under evaluation by Common Criteria EAL4Large financial and government customers
“The DataPower [XS40]... is the most hardened ... it looks and feels like a datacenter appliance, with no extra ports or buttons exposed and no rotating media. "
- InfoWorld
IBM WebSphere DataPower
15
XML Threat Protection ( Built-in supported by DP )XML Entity Expansion and Recursion AttacksXML Document Size AttacksXML Document Width AttacksXML Document Depth AttacksXML Wellformedness-based Parser AttacksJumbo Payloads Recursive Elements MegaTags – aka Jumbo Tag Names Public Key DoS XML FloodResource Hijack Dictionary AttackMessage Tampering
Data Tampering Message Snooping XPath Injection SQL injectionWSDL EnumerationRouting DetourSchema Poisoning Malicious Morphing Malicious Include – also called XML External Entity (XXE) AttackMemory Space Breach XML EncapsulationXML Virus Falsified Message Replay Attack
IBM WebSphere DataPower
16
Performance Cost of XML Policy Processing Performance is key to security & mediation
Processing Steps*
Schema Validation
ParsingParsing XPath Filtering
XML Decryption
XML Encryption
SignatureVerification
Schema Validation
XML Transformation
XMLSigning
1 3 5 8 8 1 3 10 6 8Tim
e
Softwareonly
Software w/ Crypto Acceleration
DataPower*
* Representative of software* Representative of software--based systems. based systems. For demonstration only. Actual processing For demonstration only. Actual processing
time varies depending on application. time varies depending on application.
Each security function requires XML processingMust implement all services without any compromiseNeed ability to scale as content and user base grows
IBM WebSphere DataPower
17
Access Control Enforce Who can access Which Web service & When
Deploy as a high-speed access policy enforcement pointModular authentication/authorization architecture:-
x = extract-identity()-
z = extract-resource()-
zm = map-resource(z)-
y = authenticate(x); if (y = null) reject-
ym = map-credentials-attributes(y)-
allowed = authorize(ym, zm); if (!allowed) reject-
audit-and-post-processing();Identity examples include:-
WS-Security user/pass token-
SSL client certificate-
SAML assertion-
HTTP basic-auth-
IP Address-
Proprietary SSO cookie/tokenResource examples:-
URL-
SOAP method
IBM WebSphere DataPower
18
Access Control (2) Leading Standards and Third-party Integration Support
Access control policy:-
On-board: certs, XML file [can start simple]-
Off-board: external access control serversStandards-based integration:-
LDAP (for CRL, authentication, authorization)-
RADIUS (authentication) -
XKMS (for CRL, authentication)-
SAML (consume, authentication, authorization, produce)-
WS-Security, WS-Trust, WS-*, XACML-
Outbound SOAP or HTTP callIntegration with access management solutions:-
Tivoli Access Manager-
Tivoli Federated Identity Manager-
RSA ClearTrust-
Microsoft Active Directory-
Sun Identity Server-
Netegrity SiteMinder-
CA eTrust-
…others including custom integration with any customer environment
IBM WebSphere DataPower
19
Access Control (3) AAA Framework Diagram - Authenticate, Authorize, Audit
Extract Identity
Extract Resource
Authenticate
Authorize Audit &Accounting
SAMLWS-SecuritySSL client certHTTP Basic-Auth
SAML assertionNon-repudiationMonitoring
Web Service URISOAP op nameTransfer amount
DataPower AAA Framework
SOAP/XML
Message
SOAP/XML
Message
External Access Control Server or On-Board Policy
Map Credentials
Map Resource
IBM WebSphere DataPower
20
MultiStep & XML Routing Flexible Drag & Drop Message Processing and Policy Creation
Basic routing capability similar to XML FilteringArbitrary steps of message processing: -
Encrypt, Decrypt, Sign, Verify-
Access control, Filter, Validate-
Route (e.g., route-set https://soapfoobar.com:321), T-Route, Rewrite, (e.g. header- rewrite X-foo (.*) now)
-
Call out or Fetch artifacts such as XSLT,XSD,XML, WSDL, etc-
Custom error handling – create policies to respond to processing errors-
Callable rules-
Transform (XML or legacy data)-
Logging – log individual transactions (including message) for analysis and archiving-
Service Level Management – shape and monitor traffic and/or send alerts based on transactional data and context
-
XPath extract (e.g. extract INPUT three //games/url var://local/urls)Full variables and state:-
Scope: context / session / multistep-scope-
Accessible both in config and from within XPath
IBM WebSphere DataPower
21
Packet Level Security vs. Application Level Security
Receiver
SOAP
HTTPS
Intermediary
HTTPS
WSWS--SecuritySecurityXML DSigXML DSig
point-to-point point-to-point
Sender
end-to-end
XML EncryptionXML Encryption XML Access ControlXML Access Control
SSL is not enoughXML-level threats and XML-aware securitysecuring stored or spooled messagesmulti-party transactions, multi-hop networks
IBM WebSphere DataPower
22
Web Services Management Service Level Management
WSM
Configure and install in minutesHierarchical Service Level at WSDL, service, port, operational levelFlexible actions when reaching a threshold: notify/alert, shape, throttleThreshold for both overall requests and failuresGraphical display
IBM WebSphere DataPower
23
Web Services Management (2) Service Level Management
Configure Policies:-
Based on any parameter: WSDL; Service Endpoint; Operation; Credential -
Based on Rate (TPS) or Count by Time (Outlook like Calendar)-
Based on Request; Response; Fault; XPath-
Support for enforcement across a pool of devices-
Action: Notify (Alert); Shape (Slow Down); Throttle (Reject)-
Notify other applications such as billing, audit, etc.SLM is a verb in the policy pipelineSupport for WSDM, Web services management standards, …Allow subscription to SLM for alerts, logging, etc.
WSM
IBM WebSphere DataPower
24
Central Office
Client
Branch Office
SOA Appliance
IBM Tivoli Composite Application Manager
Deployment Example
IBM Tivoli Composite Application Manager Simplify Web Services Management and SOA Deployment
Trace Transactions
Policy Control
Monitor Services
Med
iate
Composite view of both Web services and IT infrastructureITCAM for SOA Event Correlation
IBM WebSphere DataPower
25
Event Correlation ITCAM for SOA Dashboard
IBM WebSphere DataPower
26
Content-based Routing Features
Dynamically route based on context (e.g. originating URL, protocol headers and attributes, etc.) and message content (both legacy and XML):-
XPath-based routing against any part of the message content or context-
XPath statements can point to dynamically set URLs and/or message queues (MQ, JMS)-
Routing may be one way (a response from the service may not be necessary)
XI50 can be configured to accept a routing table where routing parameters are supplied using XML:-
A table results in extremely fast turnaround of routing changes, including transport protocol conversions
XI50 can dynamically retrieve routing information from other systems:-
Databases, web servers, file servers, etc.
Service Providers
IBM SOAAppliance
UnclassifiedRequests
Routing Policy
IBM WebSphere DataPower
27
First-class support for message and transport protocol bridgingProtocol mediation with simple configuration:- HTTP MQ WebSphere JMS FTP Tibco EMS
Request-response and sync-async matchingAble to configure to preserve fully guaranteed, once-and-only-once delivery
Protocol Bridging
XI50
FTP
WAS JMS
ODBC
Web3rd-PartyApp Server MQ
MQ
3rd-party JMS MQ HTTP/HTTPS
FTP/ FTP over SSL/Streaming XMLJMS
DB2OracleSybase
IBM WebSphere DataPower
28
Award-Winning WebGUI: Ease of Use
Ease of Use Example – Graphical User Interface providing drag and drop services, in order desired, for XML filtering, signing, verification, schema validation, encryption, decryption, transformation, routing, access control, service level monitoring, and advanced operations
WSDL-based policy creationHierarchical policies applied at WSDL, service, port, operation levelDrag & drop policy creation screen allows flexible chaining of operationsConfigure and install in minutes
IBM WebSphere DataPower
29
Configuration & Administration Fits Into Existing Environments
Depth of functionality to scale to full operational complexityWeb-based GUI:-
100% of config exposed in both GUI & CLI
ITCAM SE for DataPower Multi-box ManagementIDE integration:-
Eclipse/Rational Application Developer-
Altova XML Spy
CLI familiar to network operatorsXPath / XML config filesSNMPSOAP management interface:-
Easy integration into home-grown mgmt systems or top products-
Programmatic access to all status and config
Integration For Management strategy:-
Industry leading integration support across IBM and 3rd party application, security, identity management and networking infrastructure
DataManagement
Store` XI50
SNMP
Other Integration /
Interops
Other integration& interops
CommandLine
Interface
ITCAM SE for
DataPower
Eclipse 3rd PartyIDEs
SOAPInterface
IBM WebSphere DataPower
30
Hardware Reliability
Dual swappable power supplies:- Separate power cords, designed for high availability
Careful thermal design:- Multiple fans & high air flow capacity
No hard disks or rotating media for higher reliability:Integrated failover or Active-Active self-balancing option:
- VRRP-like failover ensures systems defaults to redundant appliance without service interruption
Works seamlessly with existing load balancers, firewalls, routers and other network infrastructureNo spooled application messages on device:
- Prevents stored message loss in the unlikely event of device failureInternal self-monitoring & self-healing featuresExtensive utilization monitoring & alerts (see Configuration & Logging)
IBM WebSphere DataPower
31
Security Selling Domain Topics: Physical Device Security
With Server Appliance products, which are based general purpose computing platforms, physical device security is always a major “Achilles Heel”-
All bets are off when I can walk up to the device and boot a CDROM or USB drive-
Boot CDROM, peruse filesystem, install trojans, blah, blah, blah, Yippee!DataPower is a fully secure platform, including physical security-
No CDROM-
No USB Ports-
No way to boot external media-
All firmware is encrypted and digitally signed with the DataPower root certificate-
There is no way to make a DataPower device run anything other than legal DataPower firmware from IBM
No way to run compromised, altered, or 3rd party firmware
Critical when “locking the device in a room” isn’t possibleCritical when you don’t trust those who do have physical access to the deviceThere isn’t a single DataPower competitor that has anything close our level of physical device security – they are all based on commodity HW
IBM WebSphere DataPower
32
Summary – IBM SOA Appliances
Hardened, specialized product for helping integrate, secure & accelerate SOAMany functions integrated into a single deviceBroad integration with both non-IBM and IBM softwareHigher levels of security assurance certifications require hardwareHigher performance with hardware acceleration Simplified deployment and ongoing management
http://www.ibm.com/software/integration/datapower/
Simplifies SOA with specialized devices Accelerates SOA with faster XML throughputHelps secure SOA XML implementations
SOA Appliances: Creating customer value through extreme SOA performance and security
IBM WebSphere DataPower
33
Thank You