Adam Vincent, Layer 7 Federal Technical Director XML Firewall presentation to IEEE DC.

1. What are XML Firewalls Adam Vincent, Layer 7 Technologies Federal Technical Director Prepared for Institute of Electrical and Electronics Engineers (IEEE) Given at IEEE Chapter Meeting on April 17th, 2008 in Mclean, VA

3. What is an XML Firewall? What is a Firewall? Firewall Policies Definition: Limits access between networks in accordance with local security policies .

6. Two Categories of Firewalls What is an XML Firewall? Check IP/port Network firewalls Check message content Application firewalls Note: many routers already do this checking

7. What is an XML Firewall? What is an XML Firewall? XML Firewall What should I do with this XML document/message? Policies Definition: An XML firewall is a tool that takes as input an XML document/message and enforces security policies XML

8. Example Deployment What is an XML Firewall?

9. XML Firewalls can do IP/Port checking and content checking What is an XML Firewall? Stateful Inspection: Analysis of data within the lowest levels of the protocol stack in order to compare the current session with previous ones for detection of suspicious activity Deep Packet Inspection: Analysis of content of a thru-passing packet, searching for illegal statements to decide if the packet can pass. Check IP/port Packet firewalls Check message content Application firewalls XML Firewalls Note: many routers already do this checking Stateful Inspection Deep Packet Inspection

12. What is an XML Firewall? Example of a Check that an XML Firewall may Perform "Does the XML conform to the data business rules, i.e., does it validate against a XML Schema defining the business rules?” “ Does the XML contain malicious code” “ Does the Message Level Security component of the message comply with the DoD/IC requirements” “ Authentication/Authorization of the sender/message creator”

17. What is an XML Firewall? Firewall acting as a PEP only Firewall (acting as a PEP only) PDP service "Do this" ” Bob wants to Send a message To Service A" Attribute service ” Tell me about Bob” ” Bob is in the Army” Threat Protection, Verify Message Security, Audit, and Call out to PDP Policies doc Policies

18. What is an XML Firewall? More Realistic use of an XML Firewall XML Firewall PDP service Attribute service Threat Protection, Verify Message Security, Audit, Authenticate/Authorize via ABAC Attribute Repository (LDAP) PEP Policies doc

23. Complex Access Control What is an XML Firewall? Organization Green Michelle Dimitri Program X Organization Blue Policy Enforcement Point Secure Token Server (STS) for Federation Policy Application Point WS-MetadataExchange of WS-Policy Documents WS-Trust Token Requests WSS secure SOAP messages with bound SAML tokens Policy Administration