
Patterns for content firewalls


  1. Patterns for Application Firewalls
     Eduardo B. Fernandez, Nelly A. Delessy Gassant
  2. Agenda
     • Introduction
     • The Application Firewall Pattern
     • The XML Firewall Pattern
  3. Introduction
     • Driven by business imperatives, organizations have to open up their systems to a wide variety of partners, customers or mobile employees.
     • Web applications and web services made it possible to easily access their internal network from the outside, introducing new types of threats:
         • Increasing number of user categories → misuse more likely
         • Each application implements access control → increased complexity → weakens security of the whole system
  4. Introduction
     • New types of threats:
         • New accesses realized by using or by tunneling into existing protocols (HTTP, SMTP, …) → evade access control to services performed by traditional firewalls
         • Payload of these messages can embed harmful data
     • Common solution: add an Application Firewall to the traditional line of defense defined by network-based firewalls.
     • 2 patterns can be abstracted from current commercial offers:
         • The Application Firewall (general scheme)
         • The XML Firewall (firewall specialization)
  5. The Application Firewall Pattern
     • Intent
         • To filter calls and responses to/from user-defined applications, based on an institution's access control policies.
     • Aka
         • Content Firewall
  6. The Application Firewall Pattern
     • Context
         • User-defined applications executing in distributed systems accessed through a local network, from the Internet, or from external networks.
         • Specific security policies have been defined by the institution, expressed as authorization rules.
  7. The Application Firewall Pattern
     • Problem
         • User-defined applications in an organization's internal network are accessed by a broad spectrum of users that may attempt to abuse their resources (leakage, modification or destruction of data).
         • These applications can be numerous, so implementing access control independently for each of them may make the system more complex, and thus less secure.
         • Traditional network firewalls (application layer firewalls or packet filters) do not make it possible to define high-level rules (role-based or individual-based rules) that could make the implementation of business security policies easier and simpler.
  8. The Application Firewall Pattern
     • Forces
         • There may be many users (subjects) that need to access an application in different ways; the firewall must adapt to this variety.
         • There are many ways to filter; we need to separate the filtering code from the application code.
         • There may be numerous applications that require different levels of security.
         • The business policies are constantly changing and are constantly updated; hence it should be easy to change the firewall configuration.
         • The number of users and applications may increase; adding more users or applications should be done transparently and at low cost.
  9. The Application Firewall Pattern
     • Solution
         • A client can access a service of an application only if a specific policy authorizes it to do so.
         • Policies for each application are centralized within the Application Firewall, in a PolicyDefinitionPoint.
         • Each application is accessed by a client through a PolicyEnforcementPoint that enforces the access control for the applications.
         • Enforcement includes authenticating the client through its identity data stored in the PolicyDefinitionPoint and looking for a mapping policy for the request.
  10. The Application Firewall Pattern
     [Class diagram, split into an Application Level and an Implementation Level. Classes: Client (id, credentials); Application; Service (serviceId, executeService()); Message; PoliciesEnforcementPoint (interceptMessage(), controlAccess(url, id, credentials)); PoliciesDefinitionPoint (authenticate(), grantAccess(), log(), definePolicy(), defineUser(), defineRole(), removeUser(), removeRole()); IdentityBase; PolicyBase; Identity (id, credentials, roles); Policy (serviceId, role, predicate); Role. The enforcement and definition classes are grouped as the Application Firewall. Association names: communicatesThrough, requestService, checkAccess, accessService, memberOf.]
  11. The Application Firewall Pattern
     • Dynamics: Filtering a Client's Request
     [Sequence diagram. Participants: :Client, :ApplicationFirewall, :PoliciesEnforcementPoint, :PoliciesDefinitionPoint, :IdentityBase, :PolicyBase, :Application. Messages shown: requestService(uri, id, credentials), interceptMessage(), checkAccess(uri, id, credentials), authenticate(id, credentials), userAuthenticated, getRoles(id), roles, grantAccess(uri, roles), accessGranted, log(), accessService, requestAccepted.]
  12. The Application Firewall Pattern
     • Dynamics: Adding a new Policy
     [Sequence diagram. Participants: :Administrator, :ApplicationFirewall, :PolicyBase. Messages shown: addPolicy(policy), checkDuplicate(policy), CheckDuplicate == True, addPolicy(policy), PolicyAdded.]
  13. The Application Firewall Pattern
     • Consequences
         • Advantages
             • The institution's policies to control access are easily defined and administered, as the policies are centralized. This makes the whole system less complex, and thus more secure.
             • This facilitates the detection of possible attacks. An Intrusion Detection System can be combined with this firewall. In turn, the IDS can help the firewall block suspicious requests.
             • The firewall lends itself to a systematic logging of incoming and outgoing messages.
             • As authentication of Clients is performed, it holds regular users responsible for their actions.
             • New applications are easily integrated into the system by adding their specific policies.
             • New clients can be accommodated by adding new policies to the policy base of an application.
  14. The Application Firewall Pattern
     • Consequences
         • Possible liabilities
             • The application could affect the performance of the protected system as it is a bottleneck in the network. This can be improved by considering the firewall a virtual concept and using several firewalls for implementation.
             • The solution is intrusive for existing applications that already implement their own access control.
             • The application itself must be built in a secure way or normal access to commands could allow attacks through the requests.
             • We still need the Operating System to be secure.
  15. The Application Firewall Pattern
     • Implementation
         • Define users.
         • Define policies for the institution and hold policy base (Use Case 2).
         • Add/Remove policies when needed.
  16. The Application Firewall Pattern
     • Known Uses
         • Cerebit innerGuard
         • Netegrity SiteMinder
         • Reactivity XML Firewall
         • Vordel XML security server
         • Westbridge XML Message Server
         • Netegrity TransactionMinder
  17. The Application Firewall Pattern
     • Related Patterns
         • The Authorization pattern defines the security model for the Application Firewall.
         • The Role-Based Access Control pattern, a specialization of the Authorization pattern, is applicable if the business policies are defined in terms of roles and rights.
         • The Application Firewall pattern is a special case of the Single-Point-of-Access.
  18. The XML Firewall Pattern
     • Intent
         • To filter XML messages to/from user-defined applications, based on the business access control policies and the content of the message.
     • Context
         • User-defined applications executing in distributed systems accessed through a local network, from the Internet, or from external networks.
         • These applications communicate through XML messages and could be web services or applications using web services.
         • Specific security policies have been defined by the institution, expressed as authorization rules.
  19. The XML Firewall Pattern
     • Problem
         • Some user-defined applications use tunneling into authorized flows (HTTP, SMTP, …) to communicate with the outside. They use higher-level protocols such as SOAP and communicate through XML documents.
         • The XML documents in these messages can contain harmful data and can be used to perform attacks against applications.
         • Network firewalls provide infrastructure security but become useless when these high-level protocols and formats are used.
  20. The XML Firewall Pattern
     • Forces
         • Document formats are subject to change, and new ones may appear (XML dialects); the firewall must adapt easily to these changes.
         • New types of harmful data may be used by attackers; the firewall must adapt easily to these new types of attacks.
         • There are many ways to filter; we need to separate the filtering code from the application code.
         • There may be numerous applications that require different levels of security.
         • New applications may be integrated into the system after the firewall has been put into operation. This integration should not require additional costs.
  21. The XML Firewall Pattern
     • Solution
         • A client can access a service of an application only if a specific policy authorizes it to do so and if the content of the message sent is considered to be safe for the applications.
         • Policies for each application are centralized within the Application Firewall, in a PolicyDefinitionPoint.
         • Each application is accessed by a client through a PolicyEnforcementPoint that enforces the access control for the applications by:
             • authenticating the client through its identity data stored in the PolicyDefinitionPoint
             • looking for a mapping policy for the request
             • checking the content of the message: its structure is validated through a database of valid XML schemas, and the data it conveys is checked through a HarmfulDataDetector.
  22. The XML Firewall Pattern
     [Class diagram, split into an Application Level and an Implementation Level. Classes: Client (id, credentials); Application; Service (uri, executeService()); XMLMessage; PolicyEnforcementPoint (interceptMessage(), controlAccess(url, id, credentials)); ContentInspector; XMLSchemaValidator; HarmfulDataDetector; SchemaDatabase (addSchema(), removeSchema(), updateSchema()); PolicyDefinitionPoint (authenticate(), grantAccess(), log(), definePolicy(), defineUser(), defineRole(), removeUser(), removeRole()); IdentityBase; PolicyBase; Identity (id, credentials, roles); Policy (serviceId, role, predicate); Role. The enforcement, inspection and definition classes are grouped as the XML Firewall. Association names: communicatesThrough, requestService, checkAccess, accessService, memberOf.]
  23. The XML Firewall Pattern
     • Dynamics: Filtering a Client's Request
     [Sequence diagram. Participants: :Client, :XMLApplicationFirewall, :PoliciesEnforcementPoint, :PoliciesDefinitionPoint, :ContentInspector, :XMLSchemaValidator, :HarmfulDataDetector, :Application. Messages shown: requestService, controlAccess, checkAccess, accessGranted, checkContent, validateSchema, schemaValidated, checkData, dataChecked, contentChecked, accessService, requestAccepted.]
  24. The XML Firewall Pattern
     • Consequences
         • Additional advantage
             • Provides a higher level of security than the Application Firewall because it inspects the complete XML message (this only applies to XML messages).
         • Possible liabilities:
             • The application could affect the performance of the protected system as it is a bottleneck in the network, and as the XML content checking may create a large overhead.
             • The solution is intrusive for existing applications that already implement their own access control.
  25. The XML Firewall Pattern
     • Known Uses
         • Reactivity's XML Firewall
         • Vordel's XML Security Server
         • Netegrity's TransactionMinder
  26. The XML Firewall Pattern
     • Related Patterns
         • Application Firewall
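
Added example, not part of the original slides: the request-filtering dynamics of the XML Firewall (slides 21 to 23) in Python, which also covers the authenticate and grantAccess steps the Application Firewall defines on slides 9 to 11. The user names, tokens, the `/orders` service, the schema table and the two detection signatures are constructed for illustration, and the tag allow-list is a simplified stand-in for real XML Schema validation.

```python
import hashlib, hmac, re
import xml.etree.ElementTree as ET

def digest(token):  # tokens are assumed high-entropy, so only a hash is stored
    return hashlib.sha256(token.encode()).digest()

class PolicyDefinitionPoint:
    def __init__(self, identity_base, policy_base):
        self.identity_base = identity_base  # id -> (token digest, roles)
        self.policy_base = policy_base      # (serviceId, role) pairs; absent = denied
        self.audit_log = []
    def authenticate(self, uid, token):
        stored, _ = self.identity_base.get(uid, (b"", ()))
        return hmac.compare_digest(stored, digest(token))
    def grant_access(self, uid, service_id):
        roles = self.identity_base[uid][1]
        return any((service_id, role) in self.policy_base for role in roles)

HARMFUL = re.compile(r"<script\b|\bunion\s+select\b", re.I)  # illustrative signatures
# ContentInspector: XMLSchemaValidator step, then HarmfulDataDetector step.
def check_content(message, schema_database):
    if re.search(r"<!(DOCTYPE|ENTITY)", message, re.I):
        return "DTD not allowed"  # refuse entity declarations before parsing
    try:
        root = ET.fromstring(message)
    except ET.ParseError:
        return "malformed XML"
    allowed = schema_database.get(root.tag)  # root tag -> allowed child tags
    if allowed is None or any(child.tag not in allowed for child in root):
        return "schema violation"
    values = [v for el in root.iter()
              for v in (el.text or "", el.tail or "", *el.attrib.values())]
    return "harmful data" if any(HARMFUL.search(v) for v in values) else None

# PolicyEnforcementPoint: authenticate, look for a mapping policy, inspect, log.
def control_access(pdp, schema_database, uri, uid, token, message):
    if not pdp.authenticate(uid, token):
        verdict = "denied: authentication failed"
    elif not pdp.grant_access(uid, uri):
        verdict = "denied: no policy for role"
    elif reason := check_content(message, schema_database):
        verdict = "denied: " + reason
    else:
        verdict = "accepted"  # only now is the message forwarded to the Service
    pdp.audit_log.append((uid, uri, verdict))
    return verdict

# Constructed sample data: hypothetical users, tokens, service and schema.
IDENTITIES = {"alice": (digest("tok-a"), {"clerk"}), "bob": (digest("tok-b"), {"guest"})}
PDP = PolicyDefinitionPoint(IDENTITIES, {("/orders", "clerk")})
SCHEMAS = {"order": {"item", "qty"}}
```

Every decision, including denials, lands in `PDP.audit_log`, which is the systematic logging the slides list as an advantage of the pattern.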
