Layer 7 Technologies: What Is An Xml Firewall

Adam Vincent, Layer 7 Federal Technical Director XML Firewall presentation to IEEE DC.


  1. What are XML Firewalls
     Adam Vincent, Layer 7 Technologies Federal Technical Director
     Prepared for Institute of Electrical and Electronics Engineers (IEEE)
     Given at IEEE Chapter Meeting on April 17th, 2008 in McLean, VA
  2. Firewalls Overview
     • Traditional firewalls do very little to mitigate XML vulnerabilities, since they are normally configured to allow all ASCII traffic through port 80, and XML is ASCII.
     • XML firewalls are devices for implementing security policies, as specifically applied to XML messages.
     • The following slides review XML firewalls, with a focus on how they are used to mitigate security risks.
     • The focus of this section will be on boundary protection, although when you look at an SOA it is important to look at the entirety of the architecture.
     • Providing boundary protection is a necessary step to providing end-to-end security.
     [Section: What is an XML Firewall?]
  3. What is a Firewall?
     Definition: Limits access between networks in accordance with local security policies.
     [Diagram labels: Firewall, Policies]
  4. Firewall Implements a Policy
     • The policy
       • specifies all the factors that must be considered when making a decision
       • what actions should be taken upon making a decision
     • The firewall
       • implements the policy
  5. Two Categories of Firewalls
     • Network firewalls (a.k.a. IP/port firewalls):
       • Decisions are made based purely upon factors relating to the packet's origin and destination:
         • Where did the packet come from?
         • Who originated the packet?
         • Where is its destination?
         • What time did the packet arrive?
     • Application firewalls:
       • Decisions are made based upon the content of the message:
         • Is the content of the message acceptable?
         • Is the content a high-value transaction?
         • Is the content a low-value transaction?
         • Is the content of the message structured appropriately?
  6. Two Categories of Firewalls
     • Network firewalls: check IP/port (note: many routers already do this checking)
     • Application firewalls: check message content
  7. What is an XML Firewall?
     Definition: An XML firewall is a tool that takes as input an XML document/message and enforces security policies.
     [Diagram labels: XML, XML Firewall ("What should I do with this XML document/message?"), Policies]
  8. Example Deployment
     [Diagram: example deployment]
  9. XML Firewalls can do IP/Port checking and content checking
     • Stateful Inspection: analysis of data within the lowest levels of the protocol stack in order to compare the current session with previous ones for detection of suspicious activity.
     • Deep Packet Inspection: analysis of the content of a packet passing through, searching for illegal statements to decide if the packet can pass.
     [Diagram labels: Packet firewalls check IP/port (Stateful Inspection; note: many routers already do this checking); Application firewalls check message content (Deep Packet Inspection); XML Firewalls]
  10. What Factors Enter into an XML Firewall's Decision?
     • Decisions can be made based upon countless factors, e.g.,
       • Package-based factors:
         • Where did the connection/message come from?
         • Who originated the connection/message?
         • Where is its destination?
         • What time did the connection/message arrive?
         • What time was the connection/message sent?
       • Content-based factors:
         • Is the content of the message acceptable?
         • Is the content a high-value transaction?
         • Is the content a low-value transaction?
         • Is the content of the message structured appropriately?
         • Is the XML security header formatted correctly?
  11. What Actions can an XML Firewall Take?
     • If the firewall decides the message/document is not acceptable for propagation, it may:
       • log the document
       • return the document
       • discard the document
       • etc.
     • If the firewall decides the message/document is acceptable for propagation, it may:
       • simply forward it along
       • route it along a special path
       • delay sending it along for a period of time
       • etc.
  12. Example of a Check that an XML Firewall may Perform
     • "Does the XML conform to the data business rules, i.e., does it validate against an XML Schema defining the business rules?"
     • "Does the XML contain malicious code?"
     • "Does the Message Level Security component of the message comply with the DoD/IC requirements?"
     • "Authentication/Authorization of the sender/message creator"
  13. Policy Enforcement Point (PEP)
     • It enforces that the message adheres to the policy and may, per policy, take input from one or more external resources to use in its enforcement process.
     • XML Firewalls provide centralized management and enforcement when acting as a PEP.
     [Diagram callout: "This is analogous to the PEP."]
  14. Policy Decision Point (PDP)
     • Makes a decision based upon destination resource and calling entity. It sends the decision to a PEP, which carries out enforcement.
     • XML Firewalls can utilize inputs from a PDP, or can act as a PDP when one is not available.
     [Diagram labels: PEP, PDP]
  15. Attribute Services (AS)
     • Provides attributes about resources and/or entities as inputs to a PDP.
     • XML Firewalls can utilize inputs from an Attribute Service, or can act as an AS when one is not available.
     [Diagram labels: PDP, AS, PEP]
  16. Firewalls and PEP/PDP/AS
     • A firewall can act as either a PEP, a PDP, or an AS.
       • When a firewall is acting as a PEP, it "consults" a PDP service (externally or internally), gives it information about what it knows, and asks "What should I do?" Thus, a firewall must always have both a PEP and a PDP.
     • A firewall may provide a PEP, a PDP, and an AS.
     [Diagram labels: PDP, Traffic inputs, Firewall, AS]
  17. Firewall acting as a PEP only
     • Firewall (acting as a PEP only): Threat Protection, Verify Message Security, Audit, and Call out to PDP
     • PDP service
     • Attribute service
     • Policies doc
     • Messages shown in the diagram: "Bob wants to send a message to Service A", "Tell me about Bob", "Bob is in the Army", "Do this"
  18. More Realistic use of an XML Firewall
     • XML Firewall (PEP): Threat Protection, Verify Message Security, Audit, Authenticate/Authorize via ABAC
     • PDP service
     • Attribute service
     • Attribute Repository (LDAP)
     • Policies doc
  19. XML Acceleration (1 of 2)
     • XML is verbose and processing can be time consuming.
     • XML Firewalls provide mechanisms to accelerate XML processing:
       • Utilize hardware-based mechanisms to accelerate XML processing
       • Utilize low-level software processing capabilities and pipelining to accelerate XML processing
     • Back-end applications are relieved from doing all of this XML processing.
     [Diagram labels: XML (policy un-verified), XML Firewall, Policies, New XML (policy verified), Back-end applications]
  20. XML Acceleration (2 of 2)
     • Here's some XML processing which can be done very quickly with an XML Firewall:
       • Validate an XML message against an XML Schema
       • Transform an XML input using XSLT for output to a back-end service
       • Verify that a message conforms to the WS-Security specification
       • XPath processing and content-based routing
  21. Threat Detection
     • An XML Firewall can detect and mitigate malicious code that uses XML as a vector of attack.
     [Diagram labels: Entity A, XML Purchase Order (with Malicious Code), XML Firewall, Malicious Code Policy ("Malicious code is not allowed to pass"), Entity B]
  22. Access Control
     • An XML Firewall can perform fine-grained authentication and authorization of a sending and a receiving entity.
     [Diagram labels: Entity A, XML Purchase Order, XML Firewall, Access Control Policy ("is allowed to send purchase orders to (B)"), Entity B]
  23. Complex Access Control
     [Diagram labels: Organization Green, Michelle, Dimitri, Program X, Organization Blue, Policy Enforcement Point, Secure Token Server (STS) for Federation, Policy Application Point, WS-MetadataExchange of WS-Policy Documents, WS-Trust Token Requests, WSS secure SOAP messages with bound SAML tokens, Policy Administration]
  24. XML Schema Validation
     • An XML Firewall can determine whether an XML message/document conforms to an XML Schema.
     [Diagram labels: Entity A, XML Document, XML Firewall, XML Schema, XML Document, Entity B]
  25. XSL Transformation
     • An XML Firewall can change XML messages/documents through an integrated XSLT processor.
     [Diagram labels: Entity A, XML Document, XML Firewall, XML Schema, New XML Document, Entity B]
  26. XML Filtering
     • An XML Firewall can filter incoming XML traffic based on message size, disallowed content, other metadata, etc.
     [Diagram labels: Entity A, LARGE XML Document, XML Firewall, Policies, "Message Size Limit Exceeded", Entity B]
  27. Dynamic Routing
     • An XML Firewall routes a request based on content, network parameters or other metadata.
     [Diagram labels: Entity A, $1,000,000 Purchase Order, Firewall ("Where should I route this document?"), Policies, "Busy", "Not busy. Document is routed here."]
  28. Service Virtualization/Abstraction
     • Mask back-end resources from external probing.
     • The XML Firewall shields the actual service from external attacks by acting as a virtual stand-in to the service.
     [Diagram labels: Message to Service (A), XML Firewall ("I'm Service (A)"), Policies, "This is the actual service (A)"]
  29. Quality of Service (QoS)
     • Enables you to provide service priorities
       • A $1,000,000.00 transaction will get expedited service, a $2.00 transaction will get regular service.
     [Diagram labels: $1,000,000 Purchase Order, $2.00 Purchase Order, Firewall, Policies, "On arrival, priority goes to $1,000,000 Purchase Order"]
  30. Auditing
     • Provides service-level auditing capabilities
       • Number of requests
       • Types of requests
       • Where requests originate
     [Diagram labels: Firewall, Audit Data, Service 1, Service 2]
  31. Virus Detection (1 of 2)
     • Many XML Firewalls offer virus detection capabilities
       • Viruses in attachments (MIME and DIME messages)
       • Viruses in XML content
     [Diagram labels: Virus, Firewall, "Virus Detected!"]
  32. Virus Detection (2 of 2)
     • How XML Firewalls offer virus protection
     [Diagram labels: Firewall, External Virus Engine, Symantec/Other Scanner, Virus Def Update]
  33. Conclusions
     • Whew…
     • You now know everything … Just kidding
     • Keep in mind that SOA is a moving target and changes by the day!
     • Questions & Comments:
     • Adam Vincent
     • [email_address]
     • 703-965-1771
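
The PEP/PDP/AS split from slides 13 to 18, as an added Python sketch that is not part of the original presentation or of any Layer 7 product. The class names, the `branch` attribute and the policy table are hypothetical, built around the slides' "Bob wants to send a message to Service A" exchange.

```python
# Added illustration; every class, attribute and policy entry here is hypothetical.
from dataclasses import dataclass, field

@dataclass
class AttributeService:
    """AS: answers "Tell me about Bob" with attributes for the PDP."""
    directory: dict                      # constructed data, stands in for LDAP

    def attributes_for(self, subject):
        return self.directory.get(subject, {})

@dataclass
class PolicyDecisionPoint:
    """PDP: decides from the calling entity and the destination resource."""
    attribute_service: AttributeService
    policy: dict                         # resource -> attributes the caller needs

    def decide(self, subject, resource):
        required = self.policy.get(resource)
        if required is None:             # no policy for this resource: deny
            return "deny"
        attrs = self.attribute_service.attributes_for(subject)
        if all(attrs.get(k) == v for k, v in required.items()):
            return "permit"
        return "deny"

@dataclass
class XmlFirewallPEP:
    """PEP: asks the PDP "What should I do?", then enforces and audits."""
    pdp: PolicyDecisionPoint
    audit_log: list = field(default_factory=list)

    def handle(self, subject, resource, message):
        decision = self.pdp.decide(subject, resource)
        self.audit_log.append((subject, resource, decision))
        return message if decision == "permit" else None   # forward or discard

def build_demo_firewall():
    """Wire PEP -> PDP -> AS with constructed sample data."""
    attribute_service = AttributeService({"bob": {"branch": "army"},
                                          "alice": {"branch": "navy"}})
    pdp = PolicyDecisionPoint(attribute_service, {"ServiceA": {"branch": "army"}})
    return XmlFirewallPEP(pdp)
```

Unknown subjects and resources without a policy entry fall through to "deny", and every decision is recorded whether or not the message is forwarded.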
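
The filtering and content-based priority checks from slides 26, 27 and 29, as an added Python example that is not from the original presentation. The `PurchaseOrder`/`Amount` element names, the size and depth limits, the DOCTYPE rule standing in for "disallowed content" and the returned action strings are all assumptions.

```python
# Added example: element names, limits and return values are assumptions.
import xml.parsers.expat
from decimal import Decimal, InvalidOperation

MAX_BYTES = 4096                 # assumed message size limit
MAX_DEPTH = 16                   # assumed nesting limit
HIGH_VALUE = Decimal(1000000)    # the slides' $1,000,000 purchase order

class Rejected(Exception):
    """Raised inside parser callbacks to stop processing a message."""

def inspect(raw: bytes):
    """Return (action, reason); action is 'discard', 'expedite' or 'forward'."""
    if len(raw) > MAX_BYTES:                     # checked before any parsing
        return ("discard", "message size limit exceeded")
    path, amount_text = [], []

    def start(name, attrs):
        path.append(name)
        if len(path) > MAX_DEPTH:
            raise Rejected("nesting too deep")
        if path == ["PurchaseOrder", "Amount"]:
            if amount_text:
                raise Rejected("duplicate Amount")
            amount_text.append("")               # marks that Amount was seen

    def end(name):
        path.pop()

    def chars(data):                             # text may arrive in chunks
        if path == ["PurchaseOrder", "Amount"]:
            amount_text.append(data)

    def doctype(*args):                          # policy here: no DTDs at all
        raise Rejected("DOCTYPE declaration not allowed")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.CharacterDataHandler = chars
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(raw, True)
        amount = Decimal("".join(amount_text).strip())
    except Rejected as exc:
        return ("discard", str(exc))
    except xml.parsers.expat.ExpatError:
        return ("discard", "not well-formed XML")
    except InvalidOperation:
        return ("discard", "missing or non-numeric Amount")
    if not amount.is_finite():                   # rejects NaN and Infinity
        return ("discard", "missing or non-numeric Amount")
    if amount >= HIGH_VALUE:
        return ("expedite", "high-value purchase order")
    return ("forward", "regular service")
```

The size check runs before the parser is created, so an oversized message costs no parsing work; full XML Schema validation (slide 24) would be a separate step after these checks.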
