Patterns for content firewalls

1,751 views

Published on

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,751
On SlideShare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
9
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Patterns for content firewalls

  1. 1. Patterns for Application Firewalls Eduardo B. Fernandez Nelly A. Delessy Gassant
  2. 2. Agenda <ul><li>Introduction </li></ul><ul><li>The Application Firewall Pattern </li></ul><ul><li>The XML Firewall Pattern </li></ul>
  3. 3. Introduction <ul><li>Driven by business imperatives, organizations have to open up their systems to a wide variety of partners, customers or mobile employees. </li></ul><ul><li>Web applications and web services made it possible to easily access their internal network from the outside, introducing new types of threats: </li></ul><ul><ul><li>Increasing number of user categories  misuse more likely </li></ul></ul><ul><ul><li>Each application implements access control  Increased complexity  weakens security of the whole system </li></ul></ul>
  4. 4. Introduction <ul><li>New types of threats: </li></ul><ul><ul><li>New accesses realized by using or by tunneling into existing protocols (HTTP, SMTP, …)  evade access control to services performed by traditional firewalls </li></ul></ul><ul><ul><li>Payload of these messages can embed harmful data </li></ul></ul><ul><li>Common solution: to add an Application Firewall to the traditional line of defense defined by network-based firewalls. </li></ul><ul><li>2 patterns can be abstracted from current commercial offers: </li></ul><ul><ul><li>the Application Firewall (general scheme) </li></ul></ul><ul><ul><li>The XML Firewall (firewall specialization) </li></ul></ul>
  5. 5. The Application Firewall Pattern <ul><li>Intent </li></ul><ul><ul><li>To filter calls and responses to/from user-defined applications, based on an institution access control policies. </li></ul></ul><ul><li>Aka </li></ul><ul><ul><li>Content Firewall </li></ul></ul>
  6. 6. The Application Firewall Pattern <ul><li>Context </li></ul><ul><ul><li>User-defined applications executing in distributed systems accessed through a local network, from the Internet, or from external networks. </li></ul></ul><ul><ul><li>Specific security policies have been defined by the institution, expressed as authorization rules. </li></ul></ul>
  7. 7. The Application Firewall Pattern <ul><li>Problem </li></ul><ul><ul><li>User-defined applications in an organization’s internal network are accessed by a broad spectrum of users that may attempt to abuse its resources (leakage, modification or destruction of data). </li></ul></ul><ul><ul><li>These applications can be numerous, thus implementing access control independently for each of them may make the system more complex, and thus less secure. </li></ul></ul><ul><ul><li>Traditional network firewalls (application layer firewalls or packet filters), do not make it possible to define high level rules (role-based or individual-based rules) that could make the implementation of business security policies easier and simpler. </li></ul></ul>
  8. 8. The Application Firewall Pattern <ul><li>Forces </li></ul><ul><ul><li>There may be many users (subjects) that need to access an application in different ways; the firewall must adapt to this variety. </li></ul></ul><ul><ul><li>There are many ways to filter, we need to separate the filtering code from the application code. </li></ul></ul><ul><ul><li>There may be numerous applications, that may require different levels of security. </li></ul></ul><ul><ul><li>The business policies are constantly changing and are constantly updated; hence it should be easy to change the firewall configuration. </li></ul></ul><ul><ul><li>The number of users and applications may increase ; adding more users or applications should be done transparently and at low cost. </li></ul></ul>
  9. 9. The Application Firewall Pattern <ul><li>Solution </li></ul><ul><ul><li>A client can access a service of an application only if a specific policy authorizes it to do so. </li></ul></ul><ul><ul><li>Policies for each application are centralized within the Application Firewall, in a PolicyDefinitionPoint. </li></ul></ul><ul><ul><li>Each application is accessed by a client through a PolicyEnforcementPoint, that enforces the access control for the applications. </li></ul></ul><ul><ul><li>Enforcement includes authenticating the client through its identity data stored in the PolicyDefinitionPoint and looking for a mapping policy for the request. </li></ul></ul>
  10. 10. The Application Firewall Pattern checkAccess 1 1 * * * communicatesThrough Application * Service serviceId executeService() Client id credentials PoliciesDefinitionPoint authenticate() grantAccess() log() definePolicy() defineUser() defineRole() removeUser() removeRole() PolicyBase IdentityBase PoliciesEnforcementPoint interceptMessage() controlAccess(url, id, credentials) Identity id credentials roles Policy serviceId role predicate 1 accessService * * Application Firewall 1 * 1 1 * Role * * memberOf * Application Level Implementation Level requestService Message
  11. 11. The Application Firewall Pattern <ul><li>Dynamics: Filtering a Client’s Request </li></ul>:Client : Policies EnforcementPoint : Policies DefinitionPoint : IdentityBase : PolicyBase :Application interceptMessage() checkAccess(uri, id, credentials) requestService(uri, id, credentials) authenticate(id, credentials) userAuthenticated grantAccess(uri, roles) getRoles(id) roles accessGranted accessGranted accessService log() :ApplicationFirewall requestService(uri, id, credentials) requestAccepted
  12. 12. The Application Firewall Pattern <ul><li>Dynamics: Adding a new Policy </li></ul>addPolicy(policy) : PolicyBase :ApplicationFirewall : Administrator checkDuplicate(policy) CheckDuplicate == True addPolicy(policy) PolicyAdded PolicyAdded
  13. 13. The Application Firewall Pattern <ul><li>Consequences </li></ul><ul><ul><li>Advantages </li></ul></ul><ul><ul><ul><li>The institution policies to control access are easily defined and administered, as the policies are centralized. This makes the whole system less complex, and thus more secure. </li></ul></ul></ul><ul><ul><ul><li>This facilitates the detection of possible attacks. An Intrusion Detection System can be combined with this firewall. In turn, the IDS can help the firewall block suspicious requests. </li></ul></ul></ul><ul><ul><ul><li>The firewall lends itself to a systematic logging of incoming and outgoing messages. </li></ul></ul></ul><ul><ul><ul><li>As authentication of Clients is performed, it holds regular users responsible of their actions. </li></ul></ul></ul><ul><ul><ul><li>New applications are easily integrated into the system by adding their specific policies. </li></ul></ul></ul><ul><ul><ul><li>New clients can de accommodated by adding new policies to the policy base of an application. </li></ul></ul></ul>
  14. 14. The Application Firewall Pattern <ul><li>Consequences </li></ul><ul><ul><li>Possible liabilities </li></ul></ul><ul><ul><ul><li>The application could affect the performance of the protected system as it is a bottleneck in the network. This can be improved by considering the firewall a virtual concept and using several firewalls for implementation. </li></ul></ul></ul><ul><ul><ul><li>The solution is intrusive for existing applications that already implement their own access control. </li></ul></ul></ul><ul><ul><ul><li>The application itself must be built in a secure way or normal access to commands could allow attacks through the requests. </li></ul></ul></ul><ul><ul><ul><li>We still need the Operating System to be secure. </li></ul></ul></ul>
  15. 15. The Application Firewall Pattern <ul><li>Implementation </li></ul><ul><ul><li>Define users. </li></ul></ul><ul><ul><li>Define policies for the institution and hold policy base (Use Case 2). </li></ul></ul><ul><ul><li>Add/Remove policies when needed </li></ul></ul>
  16. 16. The Application Firewall Pattern <ul><li>Known Uses </li></ul><ul><ul><li>Cerebit innerGuard </li></ul></ul><ul><ul><li>Netegrity SiteMinder </li></ul></ul><ul><ul><li>Reactivity XML Firewall </li></ul></ul><ul><ul><li>Vordel XML security server </li></ul></ul><ul><ul><li>Westbridge XML Message Server </li></ul></ul><ul><ul><li>Netegrity TransactionMinder </li></ul></ul>
  17. 17. The Application Firewall Pattern <ul><li>Related Patterns </li></ul><ul><ul><li>The Authorization pattern defines the security model for the Application Firewall. </li></ul></ul><ul><ul><li>The Role-Based Access Control pattern, a specialization of the authorization pattern, is applicable if the business policies are respectively defined in terms of roles and rights . </li></ul></ul><ul><ul><li>The Application Firewall pattern is a special case of the Single-Point of-Access. </li></ul></ul>
  18. 18. The XML Firewall Pattern <ul><li>Intent </li></ul><ul><ul><li>To filter XML messages to/from user-defined applications, based on the business access control policies and the content of the message. </li></ul></ul><ul><li>Context </li></ul><ul><ul><li>User-defined applications executing in distributed systems accessed through a local network, from the Internet, or from external networks. </li></ul></ul><ul><ul><li>These applications communicate through XML messages and could be web services or applications using web services. </li></ul></ul><ul><ul><li>Specific security policies have been defined by the institution, expressed as authorization rules. </li></ul></ul>
  19. 19. The XML Firewall Pattern <ul><li>Problem </li></ul><ul><ul><li>Some user-defined applications use tunneling into authorized flows (HTTP, SMTP,…) to communicate with the outside. They use higher level protocols such as SOAP and communicate through XML documents. </li></ul></ul><ul><ul><li>The XML documents in these messages can contain harmful data and can be used to perform attacks against applications. </li></ul></ul><ul><ul><li>Network firewalls provide infrastructure security but become useless when these high level protocols and formats are used. </li></ul></ul>
  20. 20. The XML Firewall Pattern <ul><li>Forces </li></ul><ul><ul><li>Document formats are subject to change, some new ones may appear (XML dialects); the firewall must adapt easily to these changes. </li></ul></ul><ul><ul><li>New types of harmful data may be used by attackers, the firewall must adapt easily to these new types of attacks. </li></ul></ul><ul><ul><li>There are many ways to filter, we need to separate the filtering code from the application code. </li></ul></ul><ul><ul><li>There may be numerous applications, that may require different levels of security. </li></ul></ul><ul><ul><li>New applications may be integrated into the system after the firewall has been put into operation. This integration should not require additional costs. </li></ul></ul>
  21. 21. The XML Firewall Pattern <ul><li>Solution </li></ul><ul><ul><li>A client can access a service of an application only if a specific policy authorizes it to do so and if the content of the message sent is considered to be safe for the applications. </li></ul></ul><ul><ul><li>Policies for each application are centralized within the Application Firewall, in a PolicyDefinitionPoint. </li></ul></ul><ul><ul><li>Each application is accessed by a client through a PolicyEnforcementPoint, that enforces the access control for the applications, by: </li></ul></ul><ul><ul><ul><li>authenticating the client through its identity data stored in the PolicyDefinitionPoint </li></ul></ul></ul><ul><ul><ul><li>looking for a mapping policy for the request </li></ul></ul></ul><ul><ul><ul><li>checking the content of the message: Its structure is validated through a database of valid XML schemas, and the data it conveys is checked through a HarmfulDataDetector. </li></ul></ul></ul>
  22. 22. The XML Firewall Pattern * * * communicatesThrough Application * Service uri executeService() Client id credentials PolicyBase IdentityBase Identity id credentials roles Policy serviceId role predicate 1 accessService * * 1 * 1 1 * Role * * memberOf * 1 PolicyEnforcementPoint interceptMessage() controlAccess(url, id, credentials) ContentInspector PolicyDefinitionPoint authenticate() grantAccess() log() definePolicy() defineUser() defineRole() removeUser() removeRole() SchemaDatabase addSchema() removeSchema() updateSchema() XMLSchemaValidator HarmfulDataDetector 1 1 XMLMessage Application Level Implementation Level checkAccess 1 1 1 XML Firewall requestService
  23. 23. The XML Firewall Pattern <ul><li>Dynamics: Filtering a Client’s Request </li></ul>:Client : Policies EnforcementPoint : Policies DefinitionPoint :Application controlAccess requestService accessGranted accessService :XMLApplicationFirewall checkContent requestAccepted : Content Inspector : XMLSchema Validator : Harmful DataDetector validateSchema schemaValidated checkData dataChecked contentChecked checkAccess
  24. 24. The XML Firewall Pattern <ul><li>Consequences </li></ul><ul><ul><li>Additional advantage </li></ul></ul><ul><ul><ul><li>Provides a higher level of security than the Application Firewall because it inspects the complete XML message (This only applies to XML messages). </li></ul></ul></ul><ul><ul><li>Possible liabilities: </li></ul></ul><ul><ul><ul><li>The application could to affect the performance of the protected system as it is a bottleneck in the network, and as the XML content checking may create a large overhead. </li></ul></ul></ul><ul><ul><ul><li>The solution is intrusive for existing applications that already implement their own access control. </li></ul></ul></ul>
  25. 25. The XML Firewall Pattern <ul><li>Known Uses </li></ul><ul><ul><li>Reactivity’s XML Firewall </li></ul></ul><ul><ul><li>Vordel’s XML Security Server </li></ul></ul><ul><ul><li>Netegrity’s TransactionMinder </li></ul></ul>
  26. 26. The XML Firewall Pattern <ul><li>Related Patterns </li></ul><ul><ul><li>Application Firewall </li></ul></ul>

×