Layer 7 Technologies: What Is An Xml Firewall

Adam Vincent, Layer 7 Federal Technical Director XML Firewall presentation to IEEE DC.

Transcript

  • 1. What are XML Firewalls
      Adam Vincent, Layer 7 Technologies Federal Technical Director
      Prepared for Institute of Electrical and Electronics Engineers (IEEE)
      Given at IEEE Chapter Meeting on April 17th, 2008 in McLean, VA
  • 2. Firewalls Overview
      ◦ Traditional firewalls do very little to mitigate XML vulnerabilities since they are normally configured to allow all ASCII traffic through port 80, and XML is ASCII.
      ◦ XML firewalls are devices for implementing security policies, as specifically applied to XML messages.
      ◦ The following slides review XML firewalls, with a focus on how they are used to mitigate security risks.
      ◦ The focus of this section will be on boundary protection, although when you look at an SOA it is important to look at the entirety of the architecture.
      ◦ Providing boundary protection is a necessary step to providing end-to-end security.
      Slide footer: What is an XML Firewall?
  • 3. What is a Firewall?
      Definition: Limits access between networks in accordance with local security policies.
      [Diagram labels: Firewall; Policies]
  • 4. Firewall Implements a Policy
      ◦ The policy
          ▪ specifies all the factors that must be considered when making a decision
          ▪ what actions should be taken upon making a decision
      ◦ The firewall
          ▪ implements the policy
  • 5. Two Categories of Firewalls
      ◦ Network firewalls (a.k.a. IP/port firewalls):
          ▪ Decisions are made based purely upon factors relating to the packet's origin and destination:
              - Where did the packet come from?
              - Who originated the packet?
              - Where is its destination?
              - What time did the packet arrive?
      ◦ Application firewalls:
          ▪ Decisions are made based upon the content of the message:
              - Is the content of the message acceptable?
              - Is the content a high-value transaction?
              - Is the content a low-value transaction?
              - Is the content of the message structured appropriately?
  • 6. Two Categories of Firewalls
      ◦ Network firewalls: check IP/port
      ◦ Application firewalls: check message content
      Note: many routers already do this checking
  • 7. What is an XML Firewall?
      Definition: An XML firewall is a tool that takes as input an XML document/message and enforces security policies.
      [Diagram labels: XML; XML Firewall; Policies; "What should I do with this XML document/message?"]
  • 8. Example Deployment
      [Diagram only]
  • 9. XML Firewalls can do IP/Port checking and content checking
      ◦ Stateful Inspection: Analysis of data within the lowest levels of the protocol stack in order to compare the current session with previous ones for detection of suspicious activity.
      ◦ Deep Packet Inspection: Analysis of content of a thru-passing packet, searching for illegal statements to decide if the packet can pass.
      [Diagram labels: Packet firewalls: check IP/port; Application firewalls: check message content; XML Firewalls; Stateful Inspection; Deep Packet Inspection]
      Note: many routers already do this checking
  • 10. What Factors Enter into an XML Firewall's Decision?
      ◦ Decisions can be made based upon countless factors, e.g.,
          ▪ Package-based factors:
              - Where did the connection/message come from?
              - Who originated the connection/message?
              - Where is its destination?
              - What time did the connection/message arrive?
              - What time was the connection/message sent?
          ▪ Content-based factors:
              - Is the content of the message acceptable?
              - Is the content a high-value transaction?
              - Is the content a low-value transaction?
              - Is the content of the message structured appropriately?
              - Is the XML security header formatted correctly?
  • 11. What Actions can an XML Firewall Take?
      ◦ If the firewall decides the message/document is not acceptable for propagation, it may:
          ▪ log the document
          ▪ return the document
          ▪ discard the document
          ▪ etc.
      ◦ If the firewall decides the message/document is acceptable for propagation, it may:
          ▪ simply forward it along
          ▪ route it along a special path
          ▪ delay sending it along for a period of time
          ▪ etc.
  • 12. Example of a Check that an XML Firewall may Perform
      ◦ "Does the XML conform to the data business rules, i.e., does it validate against an XML Schema defining the business rules?"
      ◦ "Does the XML contain malicious code?"
      ◦ "Does the Message Level Security component of the message comply with the DoD/IC requirements?"
      ◦ "Authentication/Authorization of the sender/message creator"
  • 13. Policy Enforcement Point (PEP)
      ◦ It enforces that the message adheres to the policy and may, per policy, take input from one or more external resources to use in its enforcement process.
      ◦ XML Firewalls provide centralized management and enforcement when acting as a PEP.
      [Diagram caption: This is analogous to the PEP.]
  • 14. Policy Decision Point (PDP)
      ◦ Makes a decision based upon destination resource and calling entity. It sends the decision to a PEP, which carries out enforcement.
      ◦ XML Firewalls can utilize inputs from a PDP, or can act as a PDP when one is not available.
      [Diagram labels: PEP; PDP]
  • 15. Attribute Services (AS)
      ◦ Provides attributes about resources and/or entities as inputs to a PDP.
      ◦ XML Firewalls can utilize inputs from an Attribute Service, or can act as an AS when one is not available.
      [Diagram labels: PDP; AS; PEP]
  • 16. Firewalls and PEP/PDP/AS
      ◦ A firewall can act as either a PEP, a PDP, or an AS.
          ▪ When a firewall is acting as a PEP, it "consults" a PDP service (externally or internally), gives it information about what it knows, and asks "What should I do?" Thus, a firewall must always have both a PEP and a PDP.
      ◦ A firewall may provide a PEP, a PDP, and an AS.
      [Diagram labels: Traffic inputs; Firewall; PDP; AS]
  • 17. Firewall acting as a PEP only
      [Diagram labels: Firewall (acting as a PEP only); PDP service; Attribute service; Policies doc; Policies]
      ◦ Firewall functions: Threat Protection, Verify Message Security, Audit, and Call out to PDP
      ◦ Messages shown in the diagram:
          ▪ "Bob wants to send a message to Service A"
          ▪ "Do this"
          ▪ "Tell me about Bob"
          ▪ "Bob is in the Army"
  • 18. More Realistic use of an XML Firewall
      [Diagram labels: XML Firewall; PEP; PDP service; Attribute service; Attribute Repository (LDAP); Policies doc]
      ◦ Firewall functions: Threat Protection, Verify Message Security, Audit, Authenticate/Authorize via ABAC
  • 19. XML Acceleration (1 of 2)
      ◦ XML is verbose and processing can be time consuming.
      ◦ XML Firewalls provide mechanisms to accelerate XML processing:
          ▪ Utilize hardware-based mechanisms to accelerate XML processing
          ▪ Utilize low-level software processing capabilities and pipelining to accelerate XML processing
      ◦ Back-end applications are relieved from doing all of this XML processing.
      [Diagram labels: XML; XML Firewall; Policies; Policy Un-verified; Policy Verified; New XML; Back-end applications]
  • 20. XML Acceleration (2 of 2)
      ◦ Here is some XML processing that can be done very quickly with an XML Firewall:
          ▪ Validate an XML message against an XML Schema
          ▪ Transform an XML input using XSLT for output to a back-end service
          ▪ Verify that a message conforms to the WS-Security specification
          ▪ XPath processing and content-based routing
  • 21. Threat Detection
      ◦ An XML Firewall can perform detection and mitigation of malicious code using XML as a vector of attack.
      ◦ Malicious code is not allowed to pass.
      [Diagram labels: Entity A; XML Purchase Order (with Malicious Code); XML Firewall; Malicious Code Policy; Entity B]
  • 22. Access Control
      ◦ An XML Firewall can perform fine-grained authentication and authorization of a sending and receiving entity.
      ◦ Access Control Policy: is allowed to send purchase orders to (B)
      [Diagram labels: Entity A; XML Purchase Order; XML Firewall; Entity B]
  • 23. Complex Access Control
      [Diagram labels: Organization Green; Organization Blue; Michelle; Dimitri; Program X; Policy Enforcement Point; Policy Application Point; Policy Administration; Secure Token Server (STS) for Federation; WS-MetadataExchange of WS-Policy Documents; WS-Trust Token Requests; WSS secure SOAP messages with bound SAML tokens]
  • 24. XML Schema Validation
      ◦ An XML Firewall can determine whether an XML message/document conforms to an XML Schema.
      [Diagram labels: Entity A; XML Document; XML Firewall; XML Schema; XML Document; Entity B]
  • 25. XSL Transformation
      ◦ An XML Firewall can change XML messages/documents through an integrated XSLT processor.
      [Diagram labels: Entity A; XML Document; XML Firewall; XML Schema; New XML Document; Entity B]
  • 26. XML Filtering
      ◦ An XML Firewall can filter incoming XML traffic based on message size, disallowed content, other metadata, etc.
      [Diagram labels: Entity A; LARGE XML Document; XML Firewall; Policies; Message Size Limit Exceeded; Entity B]
  • 27. Dynamic Routing
      ◦ An XML Firewall routes a request based on content, network parameters or other metadata.
      [Diagram labels: Entity A; $1,000,000 Purchase Order; Firewall; Policies; "Where should I route this document?"; Busy; Not busy. Document is routed here.]
  • 28. Service Virtualization/Abstraction
      ◦ Mask back-end resources from external probing.
      ◦ The XML Firewall shields the actual service from external attacks by acting as a virtual stand-in to the service.
      [Diagram labels: Message to Service (A); XML Firewall; Policies; "I'm Service (A)"; This is the actual service (A)]
  • 29. Quality of Service (QoS)
      ◦ Enables you to provide service priorities
          ▪ A $1,000,000.00 transaction will get expedited service, a $2.00 transaction will get regular service
      ◦ On arrival, priority goes to the $1,000,000 Purchase Order.
      [Diagram labels: $1,000,000 Purchase Order; $2.00 Purchase Order; Firewall; Policies]
  • 30. Auditing
      ◦ Provides service-level auditing capabilities
          ▪ Number of requests
          ▪ Types of requests
          ▪ Where requests originate
      [Diagram labels: Firewall; Audit Data; Service 1; Service 2]
  • 31. Virus Detection (1 of 2)
      ◦ Many XML Firewalls offer virus detection capabilities
          ▪ Viruses in attachments (MIME and DIME Messages)
          ▪ Viruses in XML content
      [Diagram labels: Virus; Firewall; Virus Detected!]
  • 32. Virus Detection (2 of 2)
      ◦ How XML Firewalls offer Virus Protection
      [Diagram labels: Firewall; External Virus Engine; Symantec/Other Scanner; Virus Def Update]
  • 33. Conclusions
      ◦ Whew….
      ◦ You now know everything …Just kidding
      ◦ Keep in mind that SOA is a moving target and changes by the day!
      ◦ Questions & Comments:
          ▪ Adam Vincent
          ▪ [email_address]
          ▪ 703-965-1771
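
An added sketch (not from the presentation or any Layer 7 product) of the PEP/PDP/Attribute Service flow from slides 16 to 18, combined with the size and disallowed-content filter from slide 26 and the value-based priority from slide 29. The size limit, attribute data, rule table, action names and sample messages are all constructed assumptions.

```python
import xml.etree.ElementTree as ET

MAX_BYTES = 2048                         # assumed message size limit
ATTRIBUTES = {"bob": {"org": "Army"}}    # constructed Attribute Service data
RULES = {"ServiceA": {"Army"}}           # constructed PDP rule: service -> allowed orgs

def attribute_service(subject):
    """AS: return what is known about the subject ("Tell me about Bob")."""
    return ATTRIBUTES.get(subject, {})

def pdp_decide(subject, service):
    """PDP: permit only if the subject's org is allowed to call the service."""
    org = attribute_service(subject).get("org")
    return "permit" if org in RULES.get(service, set()) else "deny"

def pep_enforce(raw, sender, service, audit):
    """PEP: filter the message, consult the PDP, then act and audit."""
    def act(action, reason):
        audit.append((sender, service, action, reason))
        return action
    if len(raw) > MAX_BYTES:             # size check happens before any parsing
        return act("discard", "message size limit exceeded")
    try:
        text = raw.decode("utf-8")       # filter and parser must see the same text
    except UnicodeDecodeError:
        return act("discard", "not UTF-8")
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        return act("discard", "DTD/entity declarations not allowed")
    try:
        root = ET.fromstring(text)
    except ET.ParseError:
        return act("discard", "not well-formed")
    amount = root.findtext("Amount") if root.tag == "PurchaseOrder" else None
    try:
        value = float(amount)
    except (TypeError, ValueError):
        return act("discard", "unexpected structure")
    if pdp_decide(sender, service) != "permit":
        return act("discard", "PDP denied")
    return act("expedite" if value >= 1_000_000 else "forward", "policy verified")

# Constructed sample messages
ORDER = b"<PurchaseOrder><Amount>2.00</Amount></PurchaseOrder>"
BIG = b"<PurchaseOrder><Amount>1000000</Amount></PurchaseOrder>"
DTD = b'<!DOCTYPE po [<!ENTITY a "x">]><PurchaseOrder><Amount>&a;</Amount></PurchaseOrder>'

if __name__ == "__main__":
    log = []
    for who, msg in [("bob", ORDER), ("bob", BIG), ("eve", ORDER), ("bob", DTD)]:
        print(who, pep_enforce(msg, who, "ServiceA", log))
```

The cheap checks (size, encoding, DTD rejection) run before the parser sees the message, and every outcome, permitted or not, lands in the audit list.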
