Layer 7 & Oracle: Cyber Defense for SOA & REST


Oracle & Layer 7 presentation on deploying Oracle Service Bus in DMZ with Layer 7’s OSB Appliance.


  1. Cyber Defense for SOA & REST
     Bob Glass, Oracle - Principal Middleware Solution Architect
     Adam Vincent, Layer 7 Technologies - CTO Public Sector
  2. Agenda
     • OSBA Overview
     • SOA & REST Security 101
     • OSBA Use-Cases: Security, Performance, Customization, Monitoring
     • Conclusions
  3. The "Extended" Enterprise
     • Cloud Computing (SaaS, PaaS, IaaS)
     • SOA & REST across enterprise boundaries
     • SOA & REST inside the organization: distributed applications and shared services
     Industry trends at each of these layers: customization, security, performance, availability, regulatory requirements
  4. Introducing the Oracle Service Bus Appliance
     Best-of-breed XML Gateway (XML security and acceleration) + best-of-breed ESB (mediation and adaptive connectivity)
     1. Easy Deployment
     2. Simple Configuration
     3. DMZ-class Security
     4. Extreme XML Performance
  5. Easy Deployment & Simple Configuration
     With an OSB Appliance the customer can:
     • Remove the appliance from the shipping carton and install it in the rack
     • Connect power and network cable(s), assign an IP address, and turn the appliance on
     • At that point it configures itself to run on the network
     After the initial XML firewalling policy is configured, the Service Bus Appliance is ready to use. The entire process takes less than an hour, versus loading and configuring conventional software.
  6. DMZ-Class Security
     • Perimeter security and defense in depth
     • Threat protection
     • Access control through integration with the Oracle IDM Suite
     • Federated identity across disparate security realms (SAML)
     • Support for WS-* security and messaging standards and products
     • FIPS 140-2 Level 3 with Elliptic Curve / Suite B support
     Intercept problematic messages at the enterprise perimeter before they reach your services, and perform identity-based access control for services and operations in the DMZ (diagram: the appliance checks each request against Oracle Access Manager and Oracle Entitlements Server and blocks the ones that fail).
  7. Performance Challenges
     • Threat protection (costly for performance)
     • Fast XML processing (XPath, XSLT, XSD)
     • Crypto operations as required (message and transport level)
     • Large message processing
     Delegate common or expensive XML-related tasks from your services to your infrastructure.
  8. OSBA for Cross Boundary Info Sharing (diagram only)
  9. What's in the Box
     • XML Accelerator: 144.30% to 16,564.97% improvement over a server install of OSB
     • Cryptographic Accelerator & Hardware Security Module: SSL acceleration and FIPS 140-2 Level 3
     • Integrate & Customize
     • Protect & Secure
  10. SOA & REST Overview
     • Traditional: services all have their own custom way of communicating
     • SOA & REST: services all have a standard way of communicating
     • SOA & REST utilize standards: XML, WS-*, SOAP, HTTP(S), etc.
  11. SOA & REST Security 101
     The service stack, with the threat category that enters at each layer:
     • Presentation: XML, AJAX, Portal, etc.
     • Discovery: UDDI, WSDL, etc.
     • Deployment: SOAP, REST, etc.
     • Transport: HTTP, HTTPS, JMS, etc.
     • Business: business logic, code, etc.
     • Security cuts across all layers: SSL, WS-Security, etc.
     Threat categories covered on the following slides: Transport, Parsing, Access, Service Code.
  12. Transport Threats
     • Sniffing and snooping: message confidentiality concerns
     • WS-Routing: SOAP messages can carry verbose instructions on their desired routing; if a single node on that routing path is compromised, multiple threats can be realized
     • Replay attacks: message integrity concerns and potential denial of service, by taking a correct message with valid credentials and sending it 1000+ times
     • Denial of service: the same old threat, at the network level
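The replay bullet above is the one transport threat a gateway can stop on its own, provided the message carries a per-message nonce and a creation timestamp (WS-Security UsernameToken carries both). The following replay guard is an added example, not code from the presentation or from the OSB Appliance; the freshness window, the sample envelopes and the nonce values are constructed for illustration.

```python
# Added example (not from the presentation): replay guard for SOAP messages that
# carry a WS-Security UsernameToken with a wsse:Nonce and a wsu:Created timestamp.
# The 300 second window, the sample envelopes and nonce values are constructed.
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
UTC = dt.timezone.utc
TOKEN = "soap:Header/wsse:Security/wsse:UsernameToken/"


def parse_utc(text):
    """Parse the wsu:Created form 2010-03-16T13:00:00Z into an aware datetime."""
    return dt.datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


class ReplayGuard:
    """Accept each (nonce, Created) pair once, and only while it is fresh."""

    def __init__(self, window_seconds=300):
        self.window = dt.timedelta(seconds=window_seconds)
        self._seen = {}  # nonce -> time after which it can safely be forgotten

    def check(self, envelope_xml, now):
        root = ET.fromstring(envelope_xml)
        nonce_el = root.find(TOKEN + "wsse:Nonce", NS)
        created_el = root.find(TOKEN + "wsu:Created", NS)
        nonce = (nonce_el.text or "").strip() if nonce_el is not None else ""
        created_text = (created_el.text or "").strip() if created_el is not None else ""
        if not nonce or not created_text:
            return "reject: missing nonce or timestamp"
        try:
            created = parse_utc(created_text)
        except ValueError:
            return "reject: malformed timestamp"
        # Freshness first: a message older (or further in the future) than the window
        # is rejected regardless of its nonce. That also bounds the nonce cache.
        if abs(now - created) > self.window:
            return "reject: timestamp outside window"
        self._expire(now)
        if nonce in self._seen:
            return "reject: replayed nonce"
        # Any copy presented after created + window fails the freshness check above,
        # so the nonce only needs to be remembered until then.
        self._seen[nonce] = created + self.window
        return "accept"

    def _expire(self, now):
        for nonce, forget_at in list(self._seen.items()):
            if forget_at < now:
                del self._seen[nonce]


def build_message(nonce, created):
    """Constructed sample envelope with a UsernameToken (example data only)."""
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}">'
        f'<soap:Header><wsse:Security xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}">'
        f"<wsse:UsernameToken><wsse:Username>adam</wsse:Username>"
        f"<wsse:Nonce>{nonce}</wsse:Nonce><wsu:Created>{created}</wsu:Created>"
        f"</wsse:UsernameToken></wsse:Security></soap:Header>"
        f"<soap:Body><GetBalance/></soap:Body></soap:Envelope>"
    )


def demo():
    """Same valid message twice, then a stale one: accept, reject, reject."""
    guard = ReplayGuard(window_seconds=300)
    now = parse_utc("2010-03-16T13:00:05Z")
    fresh = build_message("bm9uY2UtMQ==", "2010-03-16T13:00:00Z")
    stale = build_message("bm9uY2UtMg==", "2010-03-16T12:00:00Z")
    return [guard.check(fresh, now), guard.check(fresh, now), guard.check(stale, now)]


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: validating freshness before consulting the cache means the cache never has to hold more than one window's worth of nonces, and a nonce is kept until the end of the window measured from the message's own Created time rather than from the time it was first seen, so a message stamped slightly in the future cannot be replayed after its first copy has been forgotten.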
  13. Parsing Threats
     Most products employ the same parsers, so if a vulnerability exists in a single product leveraging the MS parser, every other product built on that parser shares the threat. The XML specification itself places no restrictions on document structure (nesting depth, attribute length, document size); those limits are left to the interpretation of whoever implements the parser.
     Example: some parsers will stop reading an XML attribute value once they reach some number of characters, while others will continue:
     <Name Organization="I'm a parser attack, ……………………>
  14. Buffer, Heap, or Integer Overflow Threats
     Warning: through a successful buffer overflow a malicious command may be executed on your system. We see these all the time!
     By passing a malicious buffer to a web server or application server the attacker can create an overflow condition where a segmentation fault occurs.
     • The oversized/malicious buffer can be sent as part of the transport header or as part of the message body.
     • An expected integer value can be overflowed by exceeding the range allowed, causing a segmentation fault.
     Once an attacker knows that an overflow is possible, they can use it to potentially execute malicious code on the system. This is commonly called a buffer overflow attack.
  15. XML Parser Attack Threats
     The following threats can result in a denial of service, commonly referred to as XML Denial of Service (XDoS), by consuming 100% of the processing power on the system doing the parsing.
     • Complex or recursive payload: again, the XML specification places no limits on structure, and automated tools are available that generate fuzzed data for XDoS attacks.
     • Oversized payload: many parsing technologies load entire documents into memory, and web services were generally not designed around large message sizes.
     • Other: unique attacks will be found wherever the underlying parsers have vulnerabilities.
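Slides 13 and 15 make the same point from two directions: the XML specification leaves depth, attribute length, entity expansion and document size unbounded, so an XML firewall has to impose those bounds itself, and it has to do so while streaming rather than after building a tree. The checker below is an added example written for this page, not code from the presentation or the appliance; it uses the expat pull parser from the Python standard library, and the limits, verdict strings and sample documents (including the long-attribute payload from slide 13 and an entity expansion bomb) are constructed.

```python
# Added example (not from the presentation): an XML firewall style pre-check that
# enforces the structural limits the XML specification leaves open, using the
# standard library expat parser in streaming mode. Limits, verdict strings and the
# sample documents are constructed for illustration.
import xml.parsers.expat


class XmlLimitError(ValueError):
    """Raised from inside a parser callback to abort parsing immediately."""


class XmlLimitChecker:
    def __init__(self, max_bytes=1_000_000, max_depth=32, max_attr_len=1024,
                 max_elements=100_000, chunk_size=16 * 1024):
        self.max_bytes = max_bytes
        self.max_depth = max_depth
        self.max_attr_len = max_attr_len
        self.max_elements = max_elements
        self.chunk_size = chunk_size

    def check(self, data):
        """Return "accept" or "reject: <reason>" without ever building a tree."""
        if len(data) > self.max_bytes:
            return f"reject: {len(data)} bytes exceeds limit {self.max_bytes}"
        depth = 0
        elements = 0
        parser = xml.parsers.expat.ParserCreate()

        def start_element(name, attrs):
            nonlocal depth, elements
            depth += 1
            elements += 1
            if depth > self.max_depth:
                raise XmlLimitError(f"nesting depth exceeds {self.max_depth}")
            if elements > self.max_elements:
                raise XmlLimitError(f"element count exceeds {self.max_elements}")
            for attr_name, value in attrs.items():
                if len(value) > self.max_attr_len:
                    raise XmlLimitError(f"attribute {attr_name} longer than {self.max_attr_len} chars")

        def end_element(name):
            nonlocal depth
            depth -= 1

        def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
            # A DTD is what enables entity expansion (the "billion laughs" family)
            # and external entity references; a gateway has no reason to accept one.
            raise XmlLimitError("DOCTYPE declarations are not allowed")

        parser.StartElementHandler = start_element
        parser.EndElementHandler = end_element
        parser.StartDoctypeDeclHandler = start_doctype
        try:
            # Feed in chunks so a violation aborts before the rest is even parsed.
            for offset in range(0, len(data), self.chunk_size):
                parser.Parse(data[offset:offset + self.chunk_size], False)
            parser.Parse(b"", True)
        except XmlLimitError as exc:
            return f"reject: {exc}"
        except xml.parsers.expat.ExpatError as exc:
            return f"reject: malformed XML ({exc})"
        return "accept"


# Constructed samples: a normal request, the deeply nested and long-attribute
# payloads described on the parsing threat slides, and an entity expansion bomb.
NORMAL = b'<Name Organization="Layer 7"><First>Adam</First></Name>'
DEEP = b"<a>" * 200 + b"</a>" * 200
LONG_ATTR = b'<Name Organization="' + b"A" * 5000 + b'"/>'
BILLION_LAUGHS = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                  b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
                  b"<lolz>&lol2;</lolz>")


def demo():
    checker = XmlLimitChecker(max_depth=32, max_attr_len=1024)
    samples = [("normal", NORMAL), ("deep", DEEP), ("long_attr", LONG_ATTR), ("bomb", BILLION_LAUGHS)]
    return {name: checker.check(doc) for name, doc in samples}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} {verdict}")
```

Two design points carry over to any parser: the byte-size check runs before a single byte is parsed, and every other limit is enforced from a callback that aborts the parse, so an attacker pays for at most one chunk of work before the message is dropped. Rejecting DOCTYPE outright is the simplest defence against entity expansion; if a service genuinely needs DTDs, the alternative is a parser that caps expansion ratio, which the standard expat handlers do not expose.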
  16. Deployment Threats
     Web service automation is our friend... or is it? UDDI, WSDL, SOAP Faults (errors), descriptions... oh boy!
     • UDDI: contains asset information; automated war-dialers (scanners) can search UDDI registries for services ("bank service found here")
     • WSDL: contains adequate information to attack a service ("here is how the bank service works"); automated programs consume the WSDL and commence scanning the service, automatically issuing scanning/attack messages
     • SOAP Faults: return information about the service ("bank service is running on IIS version ?? and uses the .NET parser") and pass through errors from backend resources such as the SQL database or mainframe ("bank service is using Oracle DB version ??")
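The SOAP Fault leak on slide 16 is the one a gateway can fix without touching the service: keep the standard fault code class, replace the fault string with a generic message plus a correlation reference, strip the detail element, and log the original so the operations team still sees it. The sanitizer below is an added example for this page, not code from the presentation or the appliance; the backend fault text, the generic replacement messages and the log record layout are constructed.

```python
# Added example (not from the presentation): gateway-side SOAP 1.1 fault sanitizer.
# The backend fault, the generic replacement texts and the log record are constructed.
import uuid
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)

GENERIC_TEXT = {
    "Client": "The request could not be processed.",
    "Server": "An internal error occurred while processing the request.",
}


def sanitize_fault(envelope_xml, correlation_id=None):
    """Return (outbound_xml, log_record). Non-fault responses pass through unchanged."""
    root = ET.fromstring(envelope_xml)
    fault = root.find(f"{{{SOAP_NS}}}Body/{{{SOAP_NS}}}Fault")
    if fault is None:
        return envelope_xml, None
    cid = correlation_id or uuid.uuid4().hex
    code_text = (fault.findtext("faultcode") or "").strip()
    # Keep only the standard code class; vendor specific subcodes go to the log.
    code_class = "Client" if code_text.rsplit(":", 1)[-1].startswith("Client") else "Server"
    detail_el = fault.find("detail")
    record = {
        "correlation_id": cid,
        "faultcode": code_text,
        "faultstring": (fault.findtext("faultstring") or "").strip(),
        "detail": ET.tostring(detail_el, encoding="unicode") if detail_el is not None else "",
    }
    for child in list(fault):  # drop faultstring, faultactor, detail and anything nonstandard
        fault.remove(child)
    ET.SubElement(fault, "faultcode").text = f"soap:{code_class}"
    ET.SubElement(fault, "faultstring").text = f"{GENERIC_TEXT[code_class]} Reference: {cid}"
    return ET.tostring(root, encoding="unicode"), record


# Constructed sample of what a backend typically sends: database error text,
# a stack trace and the server product in the detail element.
BACKEND_FAULT = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><soap:Fault>
<faultcode>soap:Server</faultcode>
<faultstring>ORA-00942: table or view does not exist</faultstring>
<detail><stacktrace>oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:439)
weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:227)</stacktrace>
<server>Oracle WebLogic Server 10.3</server></detail>
</soap:Fault></soap:Body></soap:Envelope>"""

NON_FAULT = f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><Balance>100</Balance></soap:Body></soap:Envelope>'


if __name__ == "__main__":
    outbound, log_record = sanitize_fault(BACKEND_FAULT)
    print(outbound)
    print(log_record)
```

The correlation reference is what makes this workable in practice: the client gets an opaque handle to quote to the help desk, and the log record keyed by that handle holds everything the fault used to leak.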
  17. Service Code Threats
     Good development practices can alleviate these threats, but how many programs or programmers are perfect?
     • Parameter tampering: parameters are changed, e.g. <file_location>C:/INET/file.txt</file_location> is changed to <file_location>C:/*</file_location>
     • Code injection: code is injected within an XML element, e.g. <SQL>SELECT name FROM DB1 WHERE name = 'Adam'</SQL> is changed to <SQL>SELECT * FROM DB1 WHERE name = *</SQL>
     • Virus/spyware/malware injection: XML attachments (MTOM, DIME, MIME) are used as a delivery mechanism for malware
     • Session tampering and identity hijacking: some web services track sessions with a unique ID; an attacker who obtains that ID can become part of the transaction taking place
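The first two bullets on slide 17 have well-understood fixes that a gateway or the service itself can apply before any code runs: resolve a client-supplied file location against a fixed root and reject anything that escapes it, and never let a client-supplied value become part of query text. The handler below is an added example for this page, not code from the presentation; the root directory, the in-memory DB1 table and the request documents are constructed, and the deliberately vulnerable lookup is included only to show what the tampered value does to it.

```python
# Added example (not from the presentation): handling the two tampered parameters
# shown on the slide. ALLOWED_ROOT, the DB1 table contents and the request
# documents are constructed for illustration.
import posixpath
import sqlite3
import xml.etree.ElementTree as ET

ALLOWED_ROOT = "/srv/inet"  # assumption: the only directory the service may read from


def resolve_file_location(value):
    """Map a client supplied file_location to a path under ALLOWED_ROOT, else None."""
    if not value or "\\" in value or any(ch in value for ch in '*?"<>|\x00'):
        return None  # wildcards, backslashes and control characters are never legitimate here
    if posixpath.isabs(value):
        return None  # clients name files relative to the service root only
    resolved = posixpath.normpath(posixpath.join(ALLOWED_ROOT, value))
    if resolved != ALLOWED_ROOT and not resolved.startswith(ALLOWED_ROOT + "/"):
        return None  # "../" sequences escaped the root
    return resolved


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE DB1 (name TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO DB1 VALUES (?, ?)",
                     [("Adam", 100), ("Bob", 250), ("Emily", 75)])
    return conn


def lookup_vulnerable(conn, name):
    """String concatenation: the tampered value rewrites the query (shown for contrast)."""
    return conn.execute(f"SELECT name FROM DB1 WHERE name = '{name}'").fetchall()


def lookup_safe(conn, name):
    """Bound parameter: the tampered value can only ever be compared as data."""
    return conn.execute("SELECT name FROM DB1 WHERE name = ?", (name,)).fetchall()


def handle_request(conn, request_xml):
    root = ET.fromstring(request_xml)
    location = resolve_file_location(root.findtext("file_location") or "")
    name = root.findtext("name") or ""
    return {"file": location, "rows": lookup_safe(conn, name)}


def demo():
    conn = make_db()
    honest = "<req><file_location>reports/file.txt</file_location><name>Adam</name></req>"
    tampered = ("<req><file_location>../../etc/passwd</file_location>"
                "<name>x' OR '1'='1</name></req>")
    return {
        "honest": handle_request(conn, honest),
        "tampered": handle_request(conn, tampered),
        "vulnerable_rows": len(lookup_vulnerable(conn, "x' OR '1'='1")),
    }


if __name__ == "__main__":
    print(demo())
```

The file check deliberately works on the string (normalize, then prefix-compare against the root) rather than on the filesystem, so it can run at the perimeter where the files are not mounted; a symlink inside the root would still need a realpath check on the host that actually opens the file.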
  18. SOA & REST Security 101 Conclusion
     Attackers see opportunities! Web services add an entirely new dimension to the traditional security stack. This new layer is a business layer, and current security practices do not offer sufficient protection. Why:
     • Totally new technology, and with new technology come new problems
     • Operates over common web transports; traditional firewalls are built to stop attacks at the network level (Layers 3-5), not at the message level
     • Automation and toolkit development, and reuse of those tools by attackers
     • Standardization of attack vectors: you can attack .NET and Java business applications using the same messages
     • Inherent descriptions (WSDL, toolkit web pages, etc.)
  19. OSBA Use-Cases
     Usage themes: Security, Performance, Customization, Monitoring. For each theme: challenges to discuss, solution(s), OSBA value, demonstration.
  20. Security - Challenges
     • Cyber threats: existing firewalls do very little
     • Net-centric security approaches and their complexities
     • Identity and access control across boundaries
     • Audit & certification risks: significant time & money; government certifications, etc.
     Did I mention cyber threats? Existing firewalls do very little to protect XML applications from cyber attack.
  21. Security - Solutions & Value
     Solutions:
     • Leverage XML firewall(s) for cyber defense
     • Utilize products built for SOA/REST security
     • Federate existing identities across boundaries
     • Integrate with existing enterprise monitoring and situational awareness (SA) toolsets
     • Certify once and reuse over and over through policy
     OSBA value proposition:
     • Integrated XML firewall for cyber defense
     • Support for WS-* and REST security standards
     • Integration with IdAM, capable of federating identities and attributes
     • Integrated enterprise monitoring for situational awareness
  22. Security - Demonstration
     • Threat detection
     • Schema validation
     • Identity federation and access control
     • Audit
     (Screenshot: OSBA Security Console)
  23. Performance - Challenges
     • Hardware: latency versus throughput and power consumption requirements
     • Message size: streaming techniques can help scale better with increasing size
     • Functional requirements and design complexity
     • Underlying transport
     • Reliability requirements
  24. Performance Is a Core OSB Value
     • High performance and a light footprint are key driving factors of the OSB product design.
     • OSB is optimized for stateless message processing and routing.
     • Performance and scalability requirements are important release criteria for each OSB version.
     • OSB is designed to be at the core of an enterprise messaging infrastructure for SOA.
  25. Scalability - Multiple Dimensions
     • Vertical and horizontal
     • Number of users
     • Message size
     • Number of services
     Scalability is like a train: what about speed? The goal is to scale without a significant loss of performance.
  26. Horizontal Scalability
     • Horizontal scalability refers to the impact on performance when additional servers are added to the system.
     • Request queues are distributed destinations.
     • Clients subscribe to multiple response queues.
     (Benchmark topology diagram: load generators acting as blocking clients send to a distributed request queue; an OSB cluster of managed servers on Linux / Xeon 5130 consumes it; each client receives on its own local response queue, Q1/Q2/Q3.)
  27. Scalability with Large Number of Services
     (Chart: HTTP pass-through, throughput in TPS and response time in ms versus number of clients from 1 to 16, for 2 services and for 2000 services.)
     • Scalability with an increasing number of services is an important and often ignored dimension of SOA architectures.
     • OSB scales easily to over 2000 services, even with monitoring enabled, with a relatively small drop (10-15%, or 0.5 ms) in performance compared with 2 services.
     • The drop in performance is negligible going from 500 to 2000 services.
  28. Scaling to Higher Message Sizes - Partial Parsing (20 MB SOAP Message)
     • OSB includes partial parsing capabilities that help it scale better with increasing message size.
     • Scenarios where partial parsing of the payload is applied:
       - SOAP header based routing
       - Pass-through with SOAP body selection
       - Content based routing with streaming
     • Partial parsing is enabled by using StAX to extract only the required data.
     • Throughput gains for SOAP header based routing: ~1.5x for a 5 KB message, ~3x for a 20 MB message.
     (Chart: SOAP header based routing, 20 MB message; throughput in TPS and CPU for full parse versus partial parse, versus number of clients from 1 to 4.)
  29. Scaling to Higher Message Sizes - Streaming (20 MB SOAP Message)
     • Streaming in OSB significantly increases scalability with message size:
       - Without streaming there is an out-of-memory error at 8 concurrent users for a 20 MB message.
       - With streaming OSB easily scales to 16 concurrent users.
       - Using a file-based buffer introduces a small overhead.
     • The combination of partial parsing and streaming enables content based routing to perform as well as a pass-through scenario when the routing field is in the first 5 KB of the message.
     • OSB has been tested to handle transformation and routing of a 500 MB payload in streaming mode.
     (Charts: large file transformation benchmarks, 20 MB SOAP message, no streaming versus streaming to memory versus streaming to file, TPS and average response time versus 1 to 16 clients; streaming file benchmarks, pass-through versus content based routing versus dynamic routing, TPS and average response time versus 1 to 16 clients.)
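Slides 28 and 29 explain why partial parsing wins: with a pull parser the gateway reads only until the routing field has been seen and never materialises the body. The function below is an added example for this page, not OSB code and not StAX; it uses the standard library XMLPullParser to do the same thing and counts the bytes it actually consumed, so the saving is measurable. The routing header name, its namespace and the padded sample body are constructed.

```python
# Added example (not from the presentation): pull-parse a SOAP message only as far
# as the end of its Header, the streaming analogue of the StAX based partial parsing
# on the slide. The routing header, its namespace and the padded body are constructed.
import io
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ROUTING_NS = "urn:example:routing"  # assumption: header of the form <r:RouteTo>target</r:RouteTo>


def route_from_header(stream, header_local_name="RouteTo", chunk_size=16 * 1024):
    """Return (routing value or None, bytes consumed). Stops reading at </Header>."""
    parser = ET.XMLPullParser(events=("start", "end"))
    consumed = 0
    in_header = False
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return None, consumed  # document ended (or was truncated) before the header closed
        consumed += len(chunk)
        try:
            parser.feed(chunk)
        except ET.ParseError:
            return None, consumed  # malformed up to this point: drop it without reading on
        for event, elem in parser.read_events():
            if elem.tag == f"{{{SOAP_NS}}}Header":
                if event == "start":
                    in_header = True
                else:
                    return None, consumed  # header closed without the routing element
            elif in_header and event == "end" and elem.tag == f"{{{ROUTING_NS}}}{header_local_name}":
                return (elem.text or "").strip(), consumed
            elif event == "start" and elem.tag == f"{{{SOAP_NS}}}Body":
                return None, consumed  # no Header at all; the body is never parsed


def route_from_bytes(data):
    return route_from_header(io.BytesIO(data))


def build_message(route, body_bytes):
    """Constructed sample: a small header followed by a body padded to body_bytes."""
    header = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>'
              f'<r:RouteTo xmlns:r="{ROUTING_NS}">{route}</r:RouteTo></soap:Header>')
    body = "<soap:Body><Payload>" + "x" * body_bytes + "</Payload></soap:Body></soap:Envelope>"
    return (header + body).encode()


NO_HEADER = f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body><Payload/></soap:Body></soap:Envelope>'.encode()


def compare(body_bytes=2_000_000):
    """Partial parse versus full parse of the same message."""
    message = build_message("mainframe-east", body_bytes)
    route, consumed = route_from_bytes(message)
    full = ET.fromstring(message)  # the full-parse alternative reads and builds everything
    full_route = full.find("soap:Header/r:RouteTo", {"soap": SOAP_NS, "r": ROUTING_NS}).text
    return {"route": route, "full_parse_route": full_route,
            "bytes_read_partial": consumed, "bytes_total": len(message)}


if __name__ == "__main__":
    print(compare())
```

The same loop generalises to the "pass-through with SOAP body selection" case on slide 28: keep consuming chunks, but only hand the ones after the selected element's start event to the transformation, and forward everything else untouched.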
  30. OSBA Performance Value Proposition
     The numbers speak for themselves (appliance versus server install of OSB):
     • 1K message: schema validation 261.34% faster; XSLT 262.86% faster
     • 10K message: schema validation 287.92% faster; XSLT 187.24% faster
     • 100K message: schema validation 16,564.97% faster; XSLT 144.30% faster
  31. Performance Demonstration
     • Hardware accelerated schema validation
     • Hardware accelerated XSLT
     (Screenshots: XML Accelerator and OSBA consoles)
  32. Customization - Challenges
     • Ability to adapt to change: service virtualization, protocol switching, routing and transformation, error handling, policy enforcement
     • Scaling in multiple dimensions: 1,000s of services, millions of transactions
     • Reduce cost through re-use: connect your services once, easily configure services for integration, single view of assets with a Service Lifecycle Repository
     • Manage risk: embedded service-level management, failure isolation and auto-recovery, application alerts & SLAs, auditing and reporting
     (Diagram: Oracle Service Bus mediating between Portal, BPM and B2B front ends and the service adapters, integration services and business logic behind it.)
  33. OSB Service Patterns - Adaptive Messaging
     • Traditional web services: pre-negotiated interface contract (WSDL); standards in place, supported by many vendors; SOAP over HTTP
     • Legacy services: non-XML (or XML) over File, EJB, FTP, MQ, JMS, Tuxedo
     • POX (Plain Old XML): the structure of the payload determines the action; XML over HTTP
     • REST (Representational State Transfer): based on the pattern of service invocation; nouns vs. verbs; URIs over HTTP
  34. Adaptive Connectivity in a Nutshell
     (Diagram: service clients speaking HTTP/SOAP, JMS, FTP, REST and EJB on one side, Oracle Service Bus in the middle, enterprise messaging services and applications reached over WS-RM, Tuxedo, MQ, EJB and JCA on the other.)
     • Any-to-any protocol; any-to-any payload (XML, non-XML, binary); no WSDL required
     • Multiple communication paradigms: request/response, synchronous and asynchronous, one-to-many and many-to-one (split/join), publish/subscribe, mix-and-match (e.g. sync-to-async)
  35. More REST... Adaptive Services
     • In a REST service each unique URL is a representation of some object or resource.
     • Expose an existing service as REST
     • Expose an existing REST service as a proxy service
     • Dynamic routing to business services in a REST-like fashion
     Benefits: expose REST services from existing services quickly and easily; better re-use without development effort
  36. REST Example
     (Diagram: a REST request, GET http://rewards/miles/1002 as XML over HTTP, enters Oracle Service Bus, which transforms it (XForm) and routes on the reward id to a SOAP "Get Mileage" service.)
  37. RESTful OSB Overview
     • RESTful Services Gateway
       - Messaging-type proxy service that uses the HTTP transport
       - Data type for request and response can be either XML or text
       - Contains the logic for routing a REST request, but not for handling it
     • RESTful Services Registry
       - XML document used to register RESTful services declaratively
       - Saved as an XQuery resource
     • Request Handler
       - Messaging-type proxy service that uses the local transport
       - Data type for request and response can be either XML or text
       - Performs any transformations required on the payload
  38. RESTful OSB Pattern for Handling Common REST Use Cases
     (Diagram, OSB 10gR3 or above: a service consumer sends a REST API request to the RESTful Services Gateway (proxy service, HTTP); the gateway consults the RESTful Services Registry and performs dynamic routing over a message channel to the Request Handler (proxy service, local) for the requested action; the handler invokes the target, for example a SOAP web services stack, through a Service Invoker (business service) and returns the reply.)
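Slides 36 to 38 describe a three-part pattern: a gateway that only routes, a registry that maps URI shapes to handlers, and handlers that own the transformation to the backend request. The code below is an added example for this page, not an OSB resource or Layer 7 policy, showing the same split in plain Python for the GET http://rewards/miles/1002 case on slide 36 plus one POST; the registry entries, operation names, service namespace and status codes are constructed.

```python
# Added example (not from the presentation): a minimal RESTful services gateway in
# the shape of slides 36 to 38. Registry entries, operation names and namespaces
# are constructed; no OSB resource is reproduced.
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "urn:example:rewards"  # assumption: target namespace of the SOAP mileage service
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("rw", SERVICE_NS)


def build_soap(operation, fields):
    """Build the SOAP request envelope a handler hands to the business service."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    op = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Body"), f"{{{SERVICE_NS}}}{operation}")
    for name, value in fields.items():
        ET.SubElement(op, f"{{{SERVICE_NS}}}{name}").text = value
    return ET.tostring(env, encoding="unicode")


def get_mileage(params, body):
    return build_soap("GetMileage", {"rewardId": params["id"]})


def credit_miles(params, body):
    # The handler, not the gateway, understands the payload of its own action.
    miles = ET.fromstring(body).findtext("miles")
    if miles is None or not miles.isdigit():
        raise ValueError("miles must be a non-negative integer")
    return build_soap("CreditMiles", {"rewardId": params["id"], "miles": miles})


# The registry is the only place a URI shape is tied to a handler. Patterns are
# anchored and typed, so "/miles/abc" or "/miles/1002/../admin" never route anywhere.
REGISTRY = [
    ("GET", re.compile(r"^/miles/(?P<id>\d{1,10})$"), get_mileage),
    ("POST", re.compile(r"^/miles/(?P<id>\d{1,10})/credit$"), credit_miles),
]


def gateway(method, path, body=b""):
    """Return (http_status, soap_request_or_None) for an inbound REST call."""
    path_matched = False
    for reg_method, pattern, handler in REGISTRY:
        match = pattern.match(path)
        if not match:
            continue
        path_matched = True
        if reg_method != method:
            continue
        try:
            return 200, handler(match.groupdict(), body)
        except (ValueError, ET.ParseError):
            return 400, None
    return (405 if path_matched else 404), None


def soap_field(envelope_xml, name):
    """Read one field back out of a generated request (used to check results)."""
    return ET.fromstring(envelope_xml).findtext(f".//{{{SERVICE_NS}}}{name}")


if __name__ == "__main__":
    status, soap = gateway("GET", "/miles/1002")
    print(status)
    print(soap)
```

Keeping the registry declarative has a security payoff beyond tidiness: the gateway can be audited as "exactly these method and URI shapes reach a handler, everything else is refused", which is the REST equivalent of the WSDL-driven operation allow-list on the SOAP side.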
  39. Customization - Solutions & Value
     Solutions:
     • Ability to adapt to changes through adaptive messaging
     • Support for integration with legacy systems
     • RESTful Services Gateway: REST to REST, REST to SOAP, SOAP to REST, SOAP to SOAP
     OSBA value proposition:
     • OSB service patterns
     • Advanced protocol switching and mediation patterns
     • Support for any-to-any protocol and payload
  40. Customization Demonstration
     • Protocol switching
     • Routing rules
     • RESTful services in front of legacy SOAP
     (Screenshots: OSBA consoles)
  41. Monitoring Challenges
     • Cyber situational awareness, with standards-based support at the system, organization, enterprise and global (US Cyber Command) levels
     • Enterprise monitoring for SLAs and business drivers
     • Visibility of health and availability across boundaries
     • The ability of net-centric systems to react gracefully to systems outside their control
  42. OSB Service Monitoring
     • Monitor system operations: alerting and reporting on key monitoring points; gauge system health with slowdown notification; monitoring is optional per service
     • Service metrics: response times (min, max, avg); message, error and failover counts; action-level metrics
     • Dashboard: by service; shows fault and performance metrics aggregated cluster-wide or per server
     • JMX metrics: available via MBean interfaces; integration with Enterprise Manager (new)
     • Custom alerts: SLA alerts for conditions requiring attention; pipeline alerts can flag individual messages
     • Service health: number of alerts by severity (critical, major, minor, warning); configurable aggregation intervals
     (Screenshot: dashboard showing alerts by severity and the number of generated errors.)
  43. OSB - BAM Integration
     • OSB proxy service integration: custom reporting provider implemented using JMS; define key-value pairs
     • BAM enterprise message source: configure JMS; map to a data object using the keys defined in OSB
     • Business data becomes visible in BAM
  44. (Image-only slide)
  45. Management Pack Plus for SOA
     Leading, and only, solution for managing Oracle SOA:
     • Covers BPEL, OESB, OSB
     • Artifact deployment
     • Configuration management
     • System and service modeling
     • End-to-end dependency modeling
     • BPEL functional analysis
     • In-context performance monitoring
     • SLA monitoring
     • Service monitoring and diagnostics
  46. Monitoring - Solutions & Value
     Solutions:
     • Support standards-based approaches to situational awareness (SNMP, Web Services, Joint DoD/IC ESM)
     • Support integration with multiple vendors' ESM solutions: Oracle, AmberPoint (now Oracle), etc.
     OSBA value proposition:
     • Integral support for various enterprise monitoring solutions
     • Turn-key support for SNMP and Web Services situational awareness tooling
     • Support for Joint DoD/IC ESM
  47. Monitoring Demonstration
     • Integrated monitoring
     • Integration with enterprise monitoring
     • Support for health visibility outside the enterprise
     (Screenshots: OSBA consoles)
  48. Conclusions
     Decrease time to market and cost of implementation by leveraging a pre-integrated, pre-configured SOA appliance:
     • Initial configuration (network configuration, security lock-downs, etc.)
     • Security configuration (XML firewalling, access control, auditing, etc.)
     • Adapter configuration for enterprise system integration (ERP, CRM, databases, messaging systems, etc.)
     Thank you for joining us this morning!
     Contact info:
     • Bob Glass, 703-364-2466
     • Adam Vincent, 703-965-1771
  49. Your Oracle Middleware Solutions Team
     • Business (contracts, licensing, pricing): Emily Vickers, 703-395-2874
     • Product guidance (product capabilities, architecture): Bob Glass, 703-364-2466; Roy Gingher, 443-622-6423; Monica Mosser, 443-742-9613
     We are your advocate and reach-back to Oracle!
  50. Your Layer 7 Federal Team
     • Business (contracts, licensing, pricing): Jim Rice, 301-325-1005
     • Product guidance (product capabilities, architecture): Adam Vincent, 703-965-1771; Jason Spies, 571-247-6854
  51. WebCenter Sneak Preview: What It Means to WebLogic Portal & ALUI Customers
     • When: 8:00 am, Tuesday, March 16th
     • Where: Fort Meade Courtyard Marriott
     • What: learn how you can leverage WebCenter's next-generation services (Enterprise 2.0, social services, online communities, etc.) to enhance information sharing in your environment.
     Please e-mail if you can attend!
  52. It's a Wrap!