Addressing Security, Governance and Performance Issues with an XML Gateway as part of a Service Oriented Architecture
Vic Morris – CEO Vordel
Service Oriented Architecture
[Diagram: maturity path from Tightly-coupled Systems, through Tactical XML-based integration, to a Full Services Oriented Architecture]
> Simple projects implement “light weight” application integration
> Platform approach allows applications to be aligned with business processes
> Extensive use of XML messaging
> XML Network Management: Access, Monitoring, Performance
BeInGrid Barcelona 2008, 17/06/2008
Requirements for SOA and XML-based integration
> Remove processing bottlenecks
> Apply AAA to SOA
> Centrally manage policies
> Conditional routing and transformation
> Defend against threats
> Gain visibility on service usage
[Diagram: Addressing the requirements for XML-based integration and SOA, with the building blocks Access Control, Policy Control, XML Networking, Security and Governance]
Addressing the Infrastructure Bottleneck
[Diagram: Partners, Suppliers and Customers connect through a Network Firewall to XML Firewalls in the DMZ; behind them an Application Oriented Network of XML Gateways fronts the Application Servers, Databases, Queues, Legacy Systems and a Web App Firewall]
XML Firewall features: XML Screening, Threat Prevention, SSL Termination, Authentication
XML Gateway features: XML Acceleration, Application Offload, Identity Integration, Protocol Mediation, Data Transformation, Content Aware Routing, plus all the XML Firewall features
Vordel Products
Vordel XML Firewall – Threat protection for XML Applications
› Threat protection for XML applications from malicious attack and unauthorized access
Vordel XML Gateway – Application Level Networking
› XML offload with data transformation, routing and acceleration
Vordel Policy Director – Centralized Policy Management
› Centralized policy creation and management for networks of XML firewalls and gateways
Vordel Reporter – Reporting Web Services Metrics
› Full visibility reporting on Web Service usage
Vordel SOAPbox – Testing for XML Applications
› Web Services test tool
The Vordel Governance Solution
Design Time Governance
Vordel Policy Studio to create policies
Vordel Policy Director to store policies
> Stores policies in centralised store or Registry
> Staging of Policies
Vordel SOAPbox to test new policies
Run Time Governance
Vordel XML Firewall to protect the perimeter
> Policy enforcement
> Service Discovery
Vordel XML Gateway to protect the network
> Policy enforcement
> Service Discovery
Vordel Reporter
> Comprehensive usage reports
> Compliance reports
Vordel 5 Deployment Platforms
Software
> Solaris
> Linux
> Windows
Appliance
> Deployed in the network as a network device to offload XML processing
> XML performance acceleration and optimisation
> Hardened appliance with FIPS-Compliant cryptographic acceleration and hardware security module key storage
> Dual power supplies and RAID dual disks for reliability
> VX4000 built on standard hardware platform for ease of maintenance
Case Studies: The role of XML Gateways in Telecoms
• Case Study 1: 911 Emergency Services [USA]
• Case Study 2: Mobile Telecoms Service Delivery Platform (SDP) [Brazil]
• Case Study 3: De-regulation [Canada]
• Case Study 4: Managing IPTV [Italy]
911 Emergency Services [USA]
The 911 Service Provider provides outsourced emergency telephone services to both fixed-line and VoIP providers including Verizon and Vonage
Customer information is fed to the 911 service provider using XML
The XML messages include:
- Name
- Address
- Preferred First Language
- Current location
When the customer dials 911, this information is provided to the emergency services [police, fire, ambulance].
The 911 Service Provider receives a regular feed of this customer information. Feeds may contain millions of individual customer details.
911 Emergency Services [USA]
XML processing was placing a heavy load on their application servers.
The customer initially built their own XML Gateway, but it was too slow, and could not be managed.
Large volumes of XML traffic would drastically slow down their Web Services (running on Oracle Application Server 10g)
When the client didn’t receive an immediate response, it would re-send the SOAP message. The message re-sends compounded the problem.
- They were being DoS’ed by their own customers!
[DoS = Denial of Service]
XML Message Flooding
Java code on the Oracle Application Server was validating the incoming XML, and authenticating the sender.
Unfortunately, it ran slowly and would fall over under stress.
Solution Architecture
• Failover
• Development, Staging, and Production
• Heavy XML processing offloaded from the app server
Solution: XML Offload
Vordel’s XML Gateway takes the XML heavy-lifting off the app server
• Before (everything on the application server): Read XML into memory → Check XML is well-formed → Validate against a Schema → Transform XML using XSLT → Perform Business Logic
• After: Read XML into memory → Check XML is well-formed → Validate against a Schema → Transform XML using XSLT (offloaded onto the XML Gateway) → Perform Business Logic (application server)
Solution Benefits
• Message retries are automatically detected and throttled
• Responses are cached so that retries do not have to touch the application server
• XML is validated and screened for threats before it reaches the application server
• Security policies are now in the hands of Operations staff
• Policies are no longer baked into code at the application server
• Policies can be backed-up, updated, rolled-back, archived
• A full evidential (signed) audit trail is provided
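The gateway-side behaviour described on the XML Message Flooding, XML Offload and Solution Benefits slides (well-formedness and schema-style checks, retry detection, response caching and throttling in front of the application server), as an added Python example written for this page; it is illustrative code, not Vordel's product code. The customer-record element names, the throttle limit and the backend callable standing in for the application server are constructed assumptions.

```python
import hashlib
import time
import xml.etree.ElementTree as ET
from collections import deque

# Fields the case study says each customer record carries (element names constructed).
REQUIRED_FIELDS = ("Name", "Address", "PreferredFirstLanguage", "CurrentLocation")
MAX_REQUESTS_PER_WINDOW = 5   # constructed per-client throttle
WINDOW_SECONDS = 60.0

class XmlGateway:
    def __init__(self, backend, clock=time.monotonic):
        self.backend = backend   # the application server: dict of fields -> response text
        self.clock = clock
        self.cache = {}          # (client, message fingerprint) -> response already sent
        self.history = {}        # client -> timestamps of recent requests
        self.stats = {"forwarded": 0, "retries": 0, "throttled": 0, "rejected": 0}

    def handle(self, client_id, raw_xml):
        # 1. Throttle first, before any parsing, so a flood costs the gateway little.
        now = self.clock()
        recent = self.history.setdefault(client_id, deque())
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_REQUESTS_PER_WINDOW:
            self.stats["throttled"] += 1
            return "429 Too Many Requests"
        recent.append(now)
        # 2. Retry detection: a byte-identical re-send is answered from the cache.
        #    The cache is keyed per client so one client never sees another's response.
        key = (client_id, hashlib.sha256(raw_xml.encode()).hexdigest())
        if key in self.cache:
            self.stats["retries"] += 1
            return self.cache[key]
        # 3. Well-formedness and schema-style checks happen here, not on the app server.
        try:
            root = ET.fromstring(raw_xml)
        except ET.ParseError:
            self.stats["rejected"] += 1
            return "400 Malformed XML"
        missing = [f for f in REQUIRED_FIELDS if root.findtext(f) is None]
        if missing:
            self.stats["rejected"] += 1
            return "400 Missing fields: " + ", ".join(missing)
        # 4. Only validated, de-duplicated traffic reaches the application server.
        response = self.backend({f: root.findtext(f) for f in REQUIRED_FIELDS})
        self.cache[key] = response
        self.stats["forwarded"] += 1
        return response
```

Because the throttle runs before the XML is parsed, a burst of malformed or repeated messages is turned away with almost no gateway work, which is the property that stops the customers' re-sends from compounding the load.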
Case Study 2: Service Delivery Platform
Vordel’s products are an integral component of the Ericsson “Service Delivery Platform” which uses XML to link telecoms systems together
• Parlay-X is the XML standard used
• Required validation of the Parlay-X traffic
• Required lookup of subscriber information from databases, and the on-the-fly population of subscriber data into XML fields
Solution Architecture
Solution benefit: “XML Enrichment”
• Before (everything on the application server): Read XML into memory → Look up customer info in database → Look up customer in LDAP directory → Operate based on customer info
• After (XML enrichment happens at the XML Gateway): Read XML into memory → Enrich XML with customer data from directory → Enrich XML with customer data from database (offloaded onto the XML Gateway) → Passed to application server → Operate based on customer info
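The enrichment flow above, as an added Python example written for this page (not Vordel's or Ericsson's code): a Parlay-X style request that names the subscriber only by address is enriched at the gateway from stand-ins for the LDAP directory and the subscriber database before it is passed on. The namespace, element names and lookup tables are constructed for the demo, and any subscriber block the client sent is discarded first so the application server only ever trusts gateway-supplied data.

```python
import xml.etree.ElementTree as ET

NS = "urn:example:parlayx-like"    # constructed placeholder, not a real Parlay-X namespace
ET.register_namespace("px", NS)

# Stand-ins for the LDAP directory and the subscriber database in the case study.
DIRECTORY = {"tel:+5511999990001": {"displayName": "Ana Silva", "ou": "prepaid"}}
DATABASE = {"tel:+5511999990001": {"plan": "Gold", "creditLimit": "150.00"}}

def enrich(raw_xml):
    """Insert subscriber data from both sources into the request, or raise
    ValueError so an unresolved request never reaches the application server."""
    root = ET.fromstring(raw_xml)
    # Never trust an enrichment block supplied by the client: drop it before adding ours.
    for stale in root.findall(f"{{{NS}}}subscriber"):
        root.remove(stale)
    addr_el = root.find(f".//{{{NS}}}address")
    if addr_el is None or not (addr_el.text or "").strip():
        raise ValueError("request carries no subscriber address")
    address = addr_el.text.strip()
    profile, account = DIRECTORY.get(address), DATABASE.get(address)
    if profile is None or account is None:
        raise ValueError(f"unknown subscriber {address}")
    # The app server reads one <subscriber> block instead of doing two lookups itself.
    sub = ET.SubElement(root, f"{{{NS}}}subscriber")
    for key, value in {**profile, **account}.items():
        ET.SubElement(sub, f"{{{NS}}}{key}").text = value
    return ET.tostring(root, encoding="unicode")

def subscriber_fields(xml_text):
    """Read back the enrichment block the way the application server would."""
    root = ET.fromstring(xml_text)
    sub = root.find(f".//{{{NS}}}subscriber")
    return {} if sub is None else {el.tag.split("}")[1]: el.text for el in sub}
```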
Case Study 3: De-regulation [Canada]
Largest Canadian telecommunications company provides connectivity to residential and business customers.
• Must provide an interface to CLECs (Competitive Local Exchange Carriers) in a deregulated telecoms environment.
• They had an existing Web portal which enables CLECs to access information using a Web browser. But they wanted automated B2B access using XML.
• 500,000 portal users, with an additional 5,000 users being added monthly.
• Launch of new B2B XML Web Services, alongside the portal, to allow larger customers and partners to integrate their back office systems directly into the telecom provider’s own systems.
• Vordel products integrated with Web SSO (Entrust) and Enterprise AV (McAfee).
Deployment: De-regulation [Canada]
Case Study 4: IPTV [Italy]
Large Italian mobile telco
• Trialing IPTV services. XML messages are used to order IPTV programmes and clips
• XML Gateways process incoming XML messages which contain credit card details, co-marketing codes (for partners), and details of requested TV programmes
• The XML Gateway allows the credit card data to be selectively encrypted using XML Encryption.
• XML data is validated against Schemas and is scanned for threats.
• Integration into CA SiteMinder ensures that all traffic is authenticated and authorised
Requirement for Identity Federation
• SiteMinder is used for all authentication and authorization at the telco side
• At the client side, SiteMinder is usually not present. But, usually a directory such as Active Directory is present
• The customer decided to use a Security Token Service (STS) to issue SAML tokens at the client side, and these are passed to the XML Gateway at the telco side.
• This allows for Identity Federation to occur. The same end-user may have a different identity at the telco side, compared to their identity at the client side. This requires the XML Gateway to perform identity mapping.
• At the telco side, the user is logged into a SiteMinder session, based on their identity at the telco.
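The identity-mapping step described above, as an added Python example written for this page (not Vordel or CA SiteMinder code): the gateway checks the issuer, validity window and audience of the client-side SAML 2.0 assertion and maps the client-side identity to the telco-side identity before any SiteMinder session is created for it. Signature verification is assumed to have been done by an earlier gateway filter; the issuer, audience, mapping table and sample assertion are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"            # SAML 2.0 assertion namespace
TRUSTED_ISSUERS = {"https://sts.client.example"}           # constructed client-side STS
TELCO_AUDIENCE = "https://iptv.telco.example/gateway"      # constructed gateway audience
# (client issuer, client NameID) -> identity known to SiteMinder at the telco.
# Keyed per issuer: the same NameID from a different STS is a different person.
IDENTITY_MAP = {("https://sts.client.example", "jdoe@client.example"): "telco-user-48213"}

# Constructed sample assertion. Its XML Signature is assumed to have been
# verified by an earlier gateway filter before this mapping step runs.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" Version="2.0">
  <saml:Issuer>https://sts.client.example</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@client.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2008-06-17T09:00:00Z" NotOnOrAfter="2008-06-17T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://iptv.telco.example/gateway</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # SAML timestamps are UTC with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def map_identity(assertion_xml, now_iso):
    """Validate the client-side assertion and return the telco-side identity.
    Raises ValueError for anything the gateway must not map to a telco user."""
    now = _ts(now_iso)
    a = ET.fromstring(assertion_xml)
    issuer = (a.findtext(f"{{{SAML}}}Issuer") or "").strip()
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted issuer {issuer!r}")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no expiry")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now < _ts(nb)) or now >= _ts(na):
        raise ValueError("assertion outside its validity window")
    if TELCO_AUDIENCE not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("assertion not addressed to this gateway")
    name_id = a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    try:
        return IDENTITY_MAP[(issuer, name_id)]
    except KeyError:
        raise ValueError(f"no telco identity mapped for {name_id!r}") from None
```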
Case Study 4: IPTV with identity federation