IBM WebSphere DataPower

Author: Frank White

WebSphere DataPower Appliance
The perfect XML/Web Services security gateway for Cloud environments
Service security, service-level management, mediation & policy enforcement
Thomas KW Poon, Advisory IT Specialist, WebSphere

© 2009 IBM Corporation

IBM's acquisition of DataPower Software: an SOA Appliance

Creating customer value through extreme SOA performance and security
- Simplifies SOA with specialized devices
- Accelerates SOA with faster XML/WS throughput
- Helps secure SOA XML/WS implementations

Skills & Support

WebSphere DataPower SOA Appliances redefine the boundaries of middleware, extending the SOA Foundation with specialized, consumable, dedicated SOA appliances that combine superior performance and hardened security for SOA implementations.

WebSphere DataPower SOA Appliance Product Line

B2B Appliance XB60
- B2B Messaging (AS1/AS2/AS3)
- Trading Partner Profile Management
- B2B Transaction Viewer
- Exceptional performance
- Simplified management and configuration

LLM Appliance XM70
- High volume, low latency messaging
- Enhanced QoS and performance
- Simplified, configuration-driven approach to LLM
- Publish/subscribe messaging
- High Availability

XML Accelerator XA35
- Offload XML processing
- No more hand-optimizing XML
- Lowers development costs

Integration Appliance XI50
- Hardware ESB
- "Any-to-Any" Conversion at wire-speed
- Bridges multiple protocols
- Integrated message-level security

XML Security Gateway XS40
- Enhanced Security Capabilities
- Centralized Policy Enforcement
- Fine-grained authorization
- Rich authentication

IBM SOA Appliance Product Line
Specialized network devices simplify, help secure & accelerate SOA

XML Security Gateway XS40
- Help secure SOA with XML threat protection and access control
- Combines Web services security, routing and management functions
- Drop-in, centralized policy enforcement
- Easily integrates with existing infrastructure and processes

Integration Appliance XI50
- Transforms messages (Binary to XML, Binary to Binary, XML to Binary)
- Bridges multiple protocols (e.g. MQ, HTTP, JMS)
- Routes messages based on content and policy
- Integrates message-level security and policy functions

WebSphere CloudBurst Appliance
- Secure cloud management appliance
- Reduce setup time for WebSphere environments
- Codify your infrastructure for reduced risk
- Simplified maintenance and management
- Dispenses WebSphere Application Server Hypervisor Edition


IBM CloudBurst and WebSphere DataPower

[Diagram: (1) client requests (SOAP, HTTP, HTTPS, FTP, NFS, MQ) arrive at the DataPower appliance; (2) the request is forwarded to the WAS, MQ etc. environment behind it]

Simplify, Integrate and Centralize Core Functions
- Centralize - Route, transform, and help secure multiple applications without code changes
- Simplify - Lower cost and complexity
- Integrate - Enable new business with unmatched performance

Before SOA Appliances: each application server performs Authenticate, Transform, Encrypt/Decrypt, Validate and Route itself, and application servers must be updated individually.

After SOA Appliances: the appliance secures, routes and transforms for all applications instantly, with no changes to applications.

Today's DMZ

[Diagram]
DMZ [Appliances ONLY]: Packet Filter; DataPower XS40 (XDoS protection, application-aware transformations, security policy enforcement, identity federation, extensible policy rules, QoS enforcement, SSL offload, monitoring); WebSEAL; load balancing; traffic shaping; caching; WAN optimization; connection load balancing; intrusion prevention
Intranet [Software + appliances]: WebSphere VE (XD); fine-grain access control; intrusion detection (ISS); IHS plugin, Proxy Server, Edge Server; data center (WS, J2EE, Web, REST); ESB (XI50, WESB, WMB); NEPs
Traffic sources: Internet users, clouds, threats, internal users

Increased processing requirements in the DMZ

DMZ Consolidation with Application Optimization option

[Diagram: Internet users, clouds and threats pass a Packet Filter into the DMZ [Appliances ONLY], where one appliance tier handles IP/TCP (packets/connections), Web Application and SOA/XML traffic; behind it the intranet [Software + appliances] data center hosts WS, J2EE, Web and REST services and the ESB, serving internal users]

What is the Option for Application Optimization?
- WebSphere DataPower Option for Application Optimization (AO) is a NEW software feature option
- The AO option has two key functional features:
  - Self-balancing – the ability for 2 or more DataPower appliances to distribute load amongst themselves, thereby removing the requirement to place traditional server load balancers (SLBs) such as F5, Cisco and Citrix in front of a cluster of DataPower appliances
  - Intelligent Load Distribution – new load balancing capabilities for distributing load to backend WebSphere ND and other non-WAS environments
- Dynamically create load balancing groups by interrogating WAS ND cells
- Retrieve weights from WAS ND cells for load distribution decisions
- Out of the box support for session affinity with WAS ND members
- Session affinity with non-WAS application servers

Why an Appliance for SOA
- Hardened, specialized hardware for helping to integrate, secure & accelerate SOA
- Many functions integrated into a single device:
  - Impact: connectivity will require service level management, routing, policy, transformation
- Higher levels of security assurance certifications require hardware:
  - Example: government FIPS Level 3 HSM, Common Criteria
- Higher performance with hardware acceleration:
  - Impact: ability to perform more security checks without slow-downs
- Addresses the divergent needs of different groups:
  - Example: enterprise architects, network operations, security operations, identity management, web services developers
- Simplified deployment and ongoing management:
  - Impact: reduces need for in-house SOA skills & accelerates time to SOA benefits

XML Security Gateway XS40
Easy to Use Appliance Purpose-Built for SOA Security
- XML/SOAP Firewall: Approve incoming/outgoing XML and SOAP at wirespeed
- Data Validation: Filter on any content, metadata or network variables
- Field Level Security: WS-Security, encrypt & sign individual fields, non-repudiation
- XML Web Services Access Control/AAA: SAML, LDAP, RADIUS, etc.
- MultiStep: Sophisticated multi-stage pipeline
- Web Services Management: Service Level Management, Service Virtualization, Policy Management
- Transport Layer Flexibility: HTTP, HTTPS, SSL
- Web Application Firewall Capabilities: Additional security proxy, threat mediation & content processing services for other URL-encoded HTTP-based applications
- Easy Configuration & Management: WebGUI, CLI, IDE and Eclipse configuration to address broad organizational needs (Architects, Developers, Network Operations, Security)

Integration Appliance XI50
Middleware Appliance Purpose-Built for Application Integration
- DataGlue "Any-to-Any" Transformation Engine
- Content-based Message Routing
- Protocol Bridging (HTTP, MQ, JMS, FTP, etc.): Request-response and sync-async matching
- Direct to Database: Communicate directly with remote Database instances; Message Enrichment
- XML/SOAP Firewall: Approve incoming/outgoing XML and SOAP at wirespeed
- Data Validation: Filter on any content, metadata or network variables
- Field Level Security: WS-Security, encrypt & sign individual fields, non-repudiation
- XML Web Services Access Control/AAA: SAML, LDAP, RADIUS, etc.
- MultiStep: Sophisticated multi-stage pipeline
- Web Services Management: Centralized Service Level Management, Service Virtualization, Policy Management
- Easy Configuration & Management: WebGUI, CLI, IDE and Eclipse configuration to address broad organizational needs (Architects, Developers, Network Operations, Security)

Hardware Device for Improved Security
- Sealed network-resident device:
  - Optimized hardware, firmware, embedded OS
  - Single signed/encrypted firmware upgrade only, not arbitrary software
  - High assurance, "default off" locked-down configuration
  - Security vulnerabilities minimized (few 3rd-party components)
  - Hardware storage of encryption keys, locked audit log
  - No drives/USB ports, tamper-proof case
- Third party certification:
  - FIPS 140-2 level 3 HSM (option)
  - Under evaluation by Common Criteria EAL4
- Large financial and government customers

"The DataPower [XS40]... is the most hardened ... it looks and feels like a datacenter appliance, with no extra ports or buttons exposed and no rotating media." - InfoWorld

XML Threat Protection (built-in, supported by DataPower)
- XML Entity Expansion and Recursion Attacks
- Data Tampering
- XML Document Size Attacks
- XPath Injection
- XML Document Width Attacks
- SQL injection
- XML Document Depth Attacks
- WSDL Enumeration
- XML Wellformedness-based Parser Attacks
- Routing Detour
- Jumbo Payloads
- Malicious Morphing
- Recursive Elements
- Message Snooping
- Schema Poisoning
- MegaTags – aka Jumbo Tag Names
- Malicious Include – also called XML External Entity (XXE) Attack
- Public Key DoS
- Memory Space Breach
- XML Flood
- XML Encapsulation
- Resource Hijack
- XML Virus
- Dictionary Attack
- Falsified Message
- Message Tampering
- Replay Attack
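The structural items in this list (entity expansion and recursion, document size, width and depth, jumbo tag names, malicious include/XXE, well-formedness attacks) can all be enforced before a full parse ever runs. The following is an added example, not DataPower code or configuration, that implements those limits as a streaming pre-parse filter in Python on top of the standard library's expat parser; the limit values and the sample messages are constructed for illustration. Refusing any DTD outright is the simplest way to close entity expansion, recursive entities and XXE at once, since all three need an entity declaration, and stopping the parser at the first violation means a hostile document is never fully expanded.

```python
import xml.parsers.expat


class XmlThreat(Exception):
    """Raised inside a parser callback when a message violates a limit."""


class XmlThreatFilter:
    """Streaming pre-parse filter for the structural XML threats listed above.

    Limits are illustrative; a gateway would size them per service.
    The parser is stopped at the first violation, so a hostile document
    never gets fully expanded or materialised as a tree.
    """

    def __init__(self, max_bytes=1_000_000, max_depth=32, max_width=1000,
                 max_tag_len=256):
        self.max_bytes = max_bytes      # XML Document Size / Jumbo Payloads
        self.max_depth = max_depth      # XML Document Depth / Recursive Elements
        self.max_width = max_width      # XML Document Width (siblings per parent)
        self.max_tag_len = max_tag_len  # MegaTags / Jumbo Tag Names

    def check(self, data: bytes) -> str:
        """Return 'ok', or 'rejected: <reason>' for the first violation found."""
        if len(data) > self.max_bytes:
            return f"rejected: size {len(data)} bytes > {self.max_bytes}"

        depth = 0
        children = [0]          # child counter per open element (index 0 = document)
        parser = xml.parsers.expat.ParserCreate()

        def on_doctype(name, sysid, pubid, has_internal_subset):
            # Any DTD is refused: entity expansion, recursive entities and
            # external entities (XXE) all require an entity declaration, and
            # refusing the DOCTYPE rejects them before expat expands anything.
            raise XmlThreat("DTD/entity declarations not allowed")

        def on_start(name, attrs):
            nonlocal depth
            if len(name) > self.max_tag_len:
                raise XmlThreat(f"jumbo tag name ({len(name)} chars)")
            children[-1] += 1
            if children[-1] > self.max_width:
                raise XmlThreat(f"width: more than {self.max_width} siblings")
            depth += 1
            if depth > self.max_depth:
                raise XmlThreat(f"depth: deeper than {self.max_depth}")
            children.append(0)

        def on_end(name):
            nonlocal depth
            depth -= 1
            children.pop()

        parser.StartDoctypeDeclHandler = on_doctype
        parser.StartElementHandler = on_start
        parser.EndElementHandler = on_end
        try:
            parser.Parse(data, True)
        except XmlThreat as threat:
            return f"rejected: {threat}"
        except xml.parsers.expat.ExpatError as err:
            # Wellformedness-based parser attacks end here, not in the backend.
            return f"rejected: not well-formed ({err})"
        return "ok"


# Constructed sample messages (not real traffic).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CLEAN = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
         '<GetBalance xmlns="urn:example:bank"><Account>1234</Account></GetBalance>'
         '</soap:Body></soap:Envelope>').encode()
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
                  b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">'
                  b']><lolz>&lol3;</lolz>')
XXE = (b'<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<foo>&xxe;</foo>')
DEEP = b"<a>" * 40 + b"</a>" * 40
WIDE = b"<r>" + b"<c/>" * 1001 + b"</r>"
JUMBO_TAG = b"<" + b"a" * 300 + b"/>"
BROKEN = b"<a><b></a>"


def demo():
    """Screen every sample with the default limits; returns {name: verdict}."""
    f = XmlThreatFilter()
    samples = {"clean": CLEAN, "billion_laughs": BILLION_LAUGHS, "xxe": XXE,
               "deep": DEEP, "wide": WIDE, "jumbo_tag": JUMBO_TAG, "broken": BROKEN}
    return {name: f.check(doc) for name, doc in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

The size check runs on the raw bytes before any parsing, because a multi-megabyte payload should be dropped without spending parser time on it; the remaining limits are enforced from inside expat's callbacks, which is what lets the filter stay streaming and reject a message at the first bad element rather than after reading all of it.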

Performance Cost of XML Policy Processing
Performance is key to security & mediation

[Chart: relative processing time for each step in the policy pipeline (parsing, schema validation, XPath filtering, XML decryption, signature verification, XML transformation, XML signing, XML encryption), software only versus software with DataPower crypto acceleration*]

- Each security function requires XML processing
- Must implement all services without any compromise
- Need ability to scale as content and user base grows

* Representative of software-based systems. For demonstration only. Actual processing time varies depending on application.

Access Control
Enforce Who can access Which Web service & When
- Deploy as a high-speed access policy enforcement point
- Modular authentication/authorization architecture:
    x = extract-identity()
    z = extract-resource()
    zm = map-resource(z)
    y = authenticate(x); if (y == null) reject
    ym = map-credentials-attributes(y)
    allowed = authorize(ym, zm); if (!allowed) reject
    audit-and-post-processing()
- Identity examples include:
  - WS-Security user/pass token
  - SSL client certificate
  - SAML assertion
  - HTTP basic-auth
  - IP Address
  - Proprietary SSO cookie/token
- Resource examples:
  - URL
  - SOAP method

Access Control (2)
Leading Standards and Third-party Integration Support
- Access control policy:
  - On-board: certs, XML file [can start simple]
  - Off-board: external access control servers
- Standards-based integration:
  - LDAP (for CRL, authentication, authorization)
  - RADIUS (authentication)
  - XKMS (for CRL, authentication)
  - SAML (consume, authentication, authorization, produce)
  - WS-Security, WS-Trust, WS-*, XACML
  - Outbound SOAP or HTTP call
- Integration with access management solutions:
  - Tivoli Access Manager
  - Tivoli Federated Identity Manager
  - RSA ClearTrust
  - Microsoft Active Directory
  - Sun Identity Server
  - Netegrity SiteMinder
  - CA eTrust
  - …others, including custom integration with any customer environment

Access Control (3)
AAA Framework Diagram - Authenticate, Authorize, Audit

[DataPower AAA Framework diagram: an incoming SOAP/XML message is split into Extract Resource (Web Service URI, SOAP op name, transfer amount) and Extract Identity (SAML, WS-Security, SSL client cert, HTTP Basic-Auth); these feed Map Resource and Authenticate → Map Credentials; Authorize consults an External Access Control Server or On-Board Policy; Audit & Accounting (SAML assertion, non-repudiation, monitoring) records the outcome before the SOAP/XML message leaves]
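The pipeline in the pseudocode on the Access Control slide and in the AAA diagram above, as an added Python example; it is not DataPower code or configuration. It uses an on-board user store and on-board policy of the kind the "start simple" option describes. The user records, the group-to-resource policy, the service URL, the bank namespace, the PBKDF2 password hashing and the constant-time comparison are all choices of this example and are constructed for illustration. Identity comes from HTTP basic-auth or a WS-Security UsernameToken, the resource is the service name from the URL plus the SOAP operation, and every decision, allowed or not, is written to the audit log.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")


def _pw_hash(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000).hex()


# On-board user store and policy (constructed; an XML file on the device in practice).
USERS = {
    "alice": {"salt": "s1", "hash": _pw_hash("s1", "alice-pass"), "groups": ["tellers"]},
    "bob":   {"salt": "s2", "hash": _pw_hash("s2", "bob-pass"),   "groups": ["auditors"]},
}
DUMMY = {"salt": "s0", "hash": _pw_hash("s0", "never-matches"), "groups": []}
POLICY = {                      # mapped credential -> mapped resources it may call
    "tellers":  {"BankService:GetBalance", "BankService:Transfer"},
    "auditors": {"BankService:GetBalance"},
}
AUDIT_LOG = []


def extract_identity(headers, envelope):
    """EI: HTTP basic-auth first, then a WS-Security UsernameToken (PasswordText)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        return {"method": "basic-auth", "user": user, "password": pw}
    tok = envelope.find(f".//{{{WSSE_NS}}}UsernameToken")
    if tok is not None:
        return {"method": "wss-username-token",
                "user": tok.findtext(f"{{{WSSE_NS}}}Username"),
                "password": tok.findtext(f"{{{WSSE_NS}}}Password")}
    return None


def extract_resource(url, envelope):
    """ER: service URL plus the SOAP operation (first child of soap:Body)."""
    body = envelope.find(f"{{{SOAP_NS}}}Body")
    op = body[0].tag.split("}")[-1] if body is not None and len(body) else None
    return {"url": url, "operation": op}


def map_resource(res):
    """MR: normalise to 'Service:Operation', the key the policy is written against."""
    return f"{res['url'].rstrip('/').rsplit('/', 1)[-1]}:{res['operation']}"


def authenticate(ident):
    """AU: verify against the on-board store; unknown users are hashed too,
    so response time does not reveal which user names exist."""
    rec = USERS.get(ident["user"], DUMMY)
    ok = hmac.compare_digest(rec["hash"], _pw_hash(rec["salt"], ident["password"] or ""))
    return ident["user"] if ok and ident["user"] in USERS else None


def map_credentials(user):
    """MC: the authenticated user becomes the groups the policy is written against."""
    return USERS[user]["groups"]


def authorize(groups, resource):
    """AZ: allowed if any mapped credential is entitled to the mapped resource."""
    return any(resource in POLICY.get(g, ()) for g in groups)


def aaa(url, headers, body_bytes):
    """Run the full pipeline; returns the decision and records an audit entry."""
    envelope = ET.fromstring(body_bytes)
    ident = extract_identity(headers, envelope)
    resource = map_resource(extract_resource(url, envelope))
    user = authenticate(ident) if ident else None
    if ident is None:
        decision = {"allowed": False, "reason": "no identity"}
    elif user is None:
        decision = {"allowed": False, "reason": "authentication failed"}
    elif not authorize(map_credentials(user), resource):
        decision = {"allowed": False, "reason": "not authorized"}
    else:
        decision = {"allowed": True, "reason": "allowed"}
    decision.update(user=user, resource=resource, method=ident["method"] if ident else None)
    AUDIT_LOG.append(dict(decision))     # PP: audit & accounting, every outcome
    return decision


# Helpers that build constructed sample traffic.
def basic_auth_header(user, password):
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}


def soap_request(op, wsse=None):
    security = ""
    if wsse:
        security = (f'<wsse:Security xmlns:wsse="{WSSE_NS}"><wsse:UsernameToken>'
                    f'<wsse:Username>{wsse[0]}</wsse:Username>'
                    f'<wsse:Password>{wsse[1]}</wsse:Password>'
                    '</wsse:UsernameToken></wsse:Security>')
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>{security}</soap:Header>'
            f'<soap:Body><bank:{op} xmlns:bank="urn:example:bank"/></soap:Body>'
            '</soap:Envelope>').encode()


if __name__ == "__main__":
    url = "https://gateway.example/BankService"
    print(aaa(url, basic_auth_header("alice", "alice-pass"), soap_request("Transfer")))
    print(aaa(url, {}, soap_request("GetBalance", wsse=("bob", "bob-pass"))))
```

Two details matter for an enforcement point at the edge: the reason string distinguishes "no identity", "authentication failed" and "not authorized" in the audit record but a real gateway would return the same generic fault to the caller for all three, and the resource is extracted and mapped before authentication so that a failed login is audited against the operation that was attempted.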

MultiStep & XML Routing
Flexible Drag & Drop Message Processing and Policy Creation
- Basic routing capability similar to XML Filtering
- Arbitrary steps of message processing:
  - Encrypt, Decrypt, Sign, Verify
  - Access control, Filter, Validate
  - Route (e.g., route-set https://soapfoobar.com:321), T-Route, Rewrite (e.g. headerrewrite X-foo (.*) now)
  - Call out or Fetch artifacts such as XSLT, XSD, XML, WSDL, etc.
  - Custom error handling – create policies to respond to processing errors
  - Callable rules
  - Transform (XML or legacy data)
  - Logging – log individual transactions (including message) for analysis and archiving
  - Service Level Management – shape and monitor traffic and/or send alerts based on transactional data and context
  - XPath extract (e.g. extract INPUT three //games/url var://local/urls)
- Full variables and state:
  - Scope: context / session / multistep-scope
  - Accessible both in config and from within XPath

Packet Level Security vs. Application Level Security

[Diagram: SOAP Sender → HTTPS (point-to-point) → Intermediary → HTTPS (point-to-point) → Receiver; WS-Security, XML DSig, XML Encryption and XML Access Control apply end-to-end across both hops]

- SSL is not enough:
  - XML-level threats and XML-aware security
  - securing stored or spooled messages
  - multi-party transactions, multi-hop networks

Web Services Management (WSM)
Service Level Management
- Configure and install in minutes
- Hierarchical Service Level at WSDL, service, port, operation level
- Flexible actions when reaching a threshold: notify/alert, shape, throttle
- Threshold for both overall requests and failures
- Graphical display

Web Services Management (2) (WSM)
Service Level Management
- Configure Policies:
  - Based on any parameter: WSDL; Service Endpoint; Operation; Credential
  - Based on Rate (TPS) or Count by Time (Outlook-like Calendar)
  - Based on Request; Response; Fault; XPath
  - Support for enforcement across a pool of devices
  - Action: Notify (Alert); Shape (Slow Down); Throttle (Reject)
  - Notify other applications such as billing, audit, etc.
- SLM is a verb in the policy pipeline
- Support for WSDM, Web services management standards, …
- Allow subscription to SLM for alerts, logging, etc.
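The policy statements described on the two Service Level Management slides above (a threshold on request or fault count per interval, keyed on service, operation and credential, with Notify, Shape or Throttle as the action), as an added Python example; it is not DataPower code or configuration. The thresholds, the service name and the credentials are constructed. "shape" is returned as a verdict for the caller to delay the message, "throttle" means reject, and "notify" lets the message through but records an alert of the kind a billing or audit subscriber would receive; when several statements fire on one message the most severe action wins.

```python
from collections import defaultdict, deque

# Actions in increasing severity; the pipeline applies the most severe one hit.
SEVERITY = {"allow": 0, "notify": 1, "shape": 2, "throttle": 3}


class SlmStatement:
    """One SLM statement: more than `limit` events of `count` kind ("request"
    or "fault") within `interval` seconds, for a single key, triggers `action`."""

    def __init__(self, interval, limit, action, count="request"):
        assert action in SEVERITY and count in ("request", "fault")
        self.interval, self.limit, self.action, self.count = interval, limit, action, count


class SlmPolicy:
    """Sliding-window SLM enforcement keyed on (service, operation, credential)."""

    def __init__(self, statements):
        self.statements = statements
        self.windows = defaultdict(deque)   # (statement index, key) -> event times
        self.alerts = []                    # what a notify subscriber would receive

    def evaluate(self, key, now, fault=False):
        """Record one event at time `now` for `key` and return the verdict."""
        verdict = "allow"
        for i, st in enumerate(self.statements):
            if st.count == "fault" and not fault:
                continue
            window = self.windows[(i, key)]
            while window and now - window[0] >= st.interval:
                window.popleft()              # drop events outside the interval
            window.append(now)
            if len(window) > st.limit:
                if st.action == "notify":
                    self.alerts.append((now, key,
                                        f"{st.count} count {len(window)} > {st.limit} in {st.interval}s"))
                verdict = max(verdict, st.action, key=SEVERITY.get)
        return verdict


def make_policy():
    """Constructed policy: a request-rate ladder plus a separate fault threshold."""
    return SlmPolicy([
        SlmStatement(interval=1,  limit=5,  action="notify"),
        SlmStatement(interval=1,  limit=8,  action="shape"),
        SlmStatement(interval=1,  limit=10, action="throttle"),
        SlmStatement(interval=10, limit=3,  action="throttle", count="fault"),
    ])


def demo():
    """Simulate a one-second burst from one credential and a run of backend
    faults attributed to another; returns the verdict sequences."""
    policy = make_policy()
    alice = ("BankService", "Transfer", "alice")
    bob = ("BankService", "Transfer", "bob")
    burst = [policy.evaluate(alice, 0.01 * i) for i in range(12)]
    after = policy.evaluate(alice, 1.5)            # window has expired
    faults = [policy.evaluate(bob, 2.0 + i, fault=True) for i in range(4)]
    return {"burst": burst, "after_interval": after, "faults": faults,
            "alerts": len(policy.alerts)}


if __name__ == "__main__":
    print(demo())
```

Keying the windows on the credential as well as the operation is what stops one noisy consumer from pushing every other caller of the same operation into shape or throttle; the fault statement is kept separate so that a backend that starts failing is cut off on a much lower count than the normal request ladder.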

IBM Tivoli Composite Application Manager
Simplify Web Services Management and SOA Deployment
- Composite view of both Web services and IT infrastructure
- ITCAM for SOA Event Correlation

[Deployment Example diagram: Client → SOA Appliance (mediate, monitor services, trace transactions, policy control) → Branch Office and Central Office, with IBM Tivoli Composite Application Manager collecting events from the appliance]

Event Correlation: ITCAM for SOA Dashboard

[Screenshot]

Content-based Routing Features
- Dynamically route based on context (e.g. originating URL, protocol headers and attributes, etc.) and message content (both legacy and XML):
  - XPath-based routing against any part of the message content or context
  - XPath statements can point to dynamically set URLs and/or message queues (MQ, JMS)
  - Routing may be one way (a response from the service may not be necessary)
- XI50 can be configured to accept a routing table where routing parameters are supplied using XML:
  - A table results in extremely fast turnaround of routing changes, including transport protocol conversions
- XI50 can dynamically retrieve routing information from other systems:
  - Databases, web servers, file servers, etc.

[Diagram: unclassified requests enter the IBM SOA Appliance, which applies the Routing Policy and dispatches each to the right Service Provider]
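The MultiStep "XPath extract" and "Route" actions from the MultiStep & XML Routing slide and the XML routing table from the Content-based Routing features above, as an added Python example; it is not DataPower code or configuration. It loads a routing table supplied as XML, extracts the SOAP operation into a context variable, evaluates each route's XPath against the message and picks the first match, falling back to a default route, and flags one-way destinations. The table, the backend URLs, the queue name and the bank namespace are constructed, and the path syntax is the subset ElementTree supports rather than full XPath.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"soap": SOAP_NS, "bank": "urn:example:bank"}   # bank namespace is assumed

# Constructed routing table. Each route is an XPath (ElementTree subset) plus an
# optional value the selected node's text must equal; the first match wins and a
# route with no xpath is the default. one-way marks fire-and-forget destinations.
ROUTING_TABLE = """<routing-table>
  <route name="eur-transfers" xpath=".//bank:Transfer/bank:Currency" value="EUR"
         backend="https://eur-gateway.internal.example:8443/transfer"/>
  <route name="audit-events" xpath=".//bank:AuditEvent"
         backend="dpmq://QM1/?RequestQueue=AUDIT.IN" one-way="true"/>
  <route name="default" backend="https://core.internal.example:8443/bank"/>
</routing-table>"""


def load_routes(table_xml):
    """Parse the routing table into an ordered list of route dicts."""
    routes = []
    for r in ET.fromstring(table_xml).findall("route"):
        routes.append({"name": r.get("name"), "xpath": r.get("xpath"),
                       "value": r.get("value"), "backend": r.get("backend"),
                       "one_way": r.get("one-way") == "true"})
    return routes


def extract_context(envelope):
    """XPath-extract step: the operation name goes into a context variable
    where later steps (routing, header rewrite, logging) can read it."""
    body = envelope.find("soap:Body", NS)
    op = body[0].tag.split("}")[-1] if body is not None and len(body) else None
    return {"var://local/op": op}


def route(message, routes):
    """Pick the first route whose XPath matches the message; returns the decision."""
    try:
        envelope = ET.fromstring(message)
    except ET.ParseError as err:
        raise ValueError(f"not well-formed, not routed: {err}") from None
    ctx = extract_context(envelope)
    for r in routes:
        if r["xpath"] is None:                      # default route
            chosen = r
            break
        node = envelope.find(r["xpath"], NS)
        if node is not None and (r["value"] is None or (node.text or "").strip() == r["value"]):
            chosen = r
            break
    else:
        raise ValueError("no route matched and no default route configured")
    op = ctx["var://local/op"]
    return {"route": chosen["name"], "backend": chosen["backend"],
            "one_way": chosen["one_way"], "operation": op,
            # header-rewrite step: tell the backend which policy routed the message
            "headers": {"X-Routed-By": chosen["name"], "X-SOAP-Operation": op or ""}}


def _soap(body_xml):
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>{body_xml}</soap:Body>'
            '</soap:Envelope>').encode()


# Constructed sample messages.
MSG_EUR = _soap('<bank:Transfer xmlns:bank="urn:example:bank"><bank:Amount>250</bank:Amount>'
                '<bank:Currency>EUR</bank:Currency></bank:Transfer>')
MSG_USD = _soap('<bank:Transfer xmlns:bank="urn:example:bank"><bank:Amount>250</bank:Amount>'
                '<bank:Currency>USD</bank:Currency></bank:Transfer>')
MSG_AUDIT = _soap('<bank:AuditEvent xmlns:bank="urn:example:bank"><bank:Id>77</bank:Id>'
                  '</bank:AuditEvent>')

ROUTES = load_routes(ROUTING_TABLE)

if __name__ == "__main__":
    for m in (MSG_EUR, MSG_USD, MSG_AUDIT):
        print(route(m, ROUTES))
```

Because the routing decision is driven by content that the caller controls, the routing table is the only place backend URLs come from; the message can select a route but never supply one, which is the difference between content-based routing and the "routing detour" threat listed earlier.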

Protocol Bridging
- First-class support for message and transport protocol bridging
- Protocol mediation with simple configuration: HTTP ↔ MQ ↔ WebSphere JMS ↔ FTP ↔ Tibco EMS
- Request-response and sync-async matching
- Able to configure to preserve fully guaranteed, once-and-only-once delivery

[Diagram: the XI50 bridges HTTP/HTTPS (Web), MQ, WAS JMS, 3rd-party JMS (3rd-party App Server), FTP / FTP over SSL / Streaming XML, and ODBC to DB2, Oracle and Sybase]

Award-Winning WebGUI: Ease of Use
- WSDL-based policy creation
- Hierarchical policies applied at WSDL, service, port, operation level
- Drag & drop policy creation screen allows flexible chaining of operations
- Configure and install in minutes

Ease of Use Example – Graphical User Interface providing drag and drop services, in the order desired, for XML filtering, signing, verification, schema validation, encryption, decryption, transformation, routing, access control, service level monitoring, and advanced operations

Configuration & Administration
Fits Into Existing Environments
- Depth of functionality to scale to full operational complexity
- Web-based GUI: 100% of config exposed in both GUI & CLI
- Command Line Interface: CLI familiar to network operators
- XPath / XML config files
- SNMP
- SOAP management interface:
  - Programmatic access to all status and config
  - Easy integration into home-grown mgmt systems or top products
- ITCAM SE for DataPower: multi-box management
- IDE integration:
  - Eclipse/Rational Application Developer
  - Altova XML Spy
  - 3rd-party IDEs
- Integration for management strategy: industry-leading integration support across IBM and 3rd-party application, security, identity management and networking infrastructure
- Other integration & interops: data management store

[Diagram: the XI50 exposed through its WebGUI, Command Line Interface, SOAP Interface, SNMP, Eclipse and 3rd-party IDEs, ITCAM SE for DataPower, a data management store, and other integrations/interops]

Hardware Reliability
- Dual swappable power supplies: separate power cords, designed for high availability
- Careful thermal design: multiple fans & high air flow capacity
- No hard disks or rotating media, for higher reliability
- Integrated failover or Active-Active self-balancing option: VRRP-like failover ensures the system defaults to the redundant appliance without service interruption
- Works seamlessly with existing load balancers, firewalls, routers and other network infrastructure
- No spooled application messages on device: prevents stored message loss in the unlikely event of device failure
- Internal self-monitoring & self-healing features
- Extensive utilization monitoring & alerts (see Configuration & Logging)

Security Selling Domain Topics: Physical Device Security
- With server appliance products, which are based on general-purpose computing platforms, physical device security is always a major "Achilles heel"
  - All bets are off when I can walk up to the device and boot a CD-ROM or USB drive
  - Boot CD-ROM, peruse filesystem, install trojans, blah, blah, blah, Yippee!
- DataPower is a fully secure platform, including physical security:
  - No CD-ROM
  - No USB ports
  - No way to boot external media
  - All firmware is encrypted and digitally signed with the DataPower root certificate
  - There is no way to make a DataPower device run anything other than legal DataPower firmware from IBM
  - No way to run compromised, altered, or 3rd-party firmware
- Critical when "locking the device in a room" isn't possible
- Critical when you don't trust those who do have physical access to the device
- There isn't a single DataPower competitor that has anything close to our level of physical device security – they are all based on commodity HW

Summary – IBM SOA Appliances
- Hardened, specialized product for helping integrate, secure & accelerate SOA
- Many functions integrated into a single device
- Broad integration with both non-IBM and IBM software
- Higher levels of security assurance certifications require hardware
- Higher performance with hardware acceleration
- Simplified deployment and ongoing management

http://www.ibm.com/software/integration/datapower/

SOA Appliances: Creating customer value through extreme SOA performance and security
- Simplifies SOA with specialized devices
- Accelerates SOA with faster XML throughput
- Helps secure SOA XML implementations

Thank You