Session 6785
Mastering Security IBM API Connect
API Connect & DataPower
Shiu Fun Poon
STSM Security
Please note

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice and at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision.

The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Agenda
• Security
  – DataPower Traditional Gateway
  – APIC platform
  – API Gateway
DataPower Gateway
• New Algorithm Support
  – JSON Web Signature
    » Support for the RSASSA-PSS algorithms: PS256, PS384, PS512
• OAuth/OIDC
  – Allow duplicate credentials for an application
  – Proof Key for Code Exchange (PKCE) support
  – Support for at_hash, c_hash, s_hash
  – Fine-tune refresh_token handling (reuse or not)
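As an added, runnable illustration of two of the OAuth/OIDC items above (not DataPower's own code), the following Python shows the S256 code-challenge check that PKCE adds at the token endpoint, and the at_hash/c_hash/s_hash half-hash checks an OIDC client makes on an ID token. The verifier alphabet and the strict treatment of a missing hash claim are assumptions; everything else follows RFC 7636 and OpenID Connect Core.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example; not DataPower code. Implements RFC 7636 (PKCE, S256) and the
# OpenID Connect Core at_hash / c_hash / s_hash computation with the standard library.


def b64url(data: bytes) -> str:
    """Base64url without padding, as both RFC 7636 and OIDC Core require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# --- Proof Key for Code Exchange (RFC 7636) -------------------------------------

_UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"


def make_code_verifier(length: int = 64) -> str:
    """Client side: high-entropy code_verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters long")
    return "".join(secrets.choice(_UNRESERVED) for _ in range(length))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint: recompute the challenge from the
    verifier the client presents and compare it in constant time with the one stored at
    /authorize. Unknown methods and out-of-range verifiers are rejected outright."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), stored_challenge.encode("utf-8"))


# --- OIDC at_hash / c_hash / s_hash ----------------------------------------------

_HASH_FOR_ALG_SUFFIX = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def oidc_half_hash(artifact: str, alg: str) -> str:
    """Left-most half of the hash the ID token's alg uses (SHA-256 for PS256/RS256/ES256,
    SHA-384 for *384, SHA-512 for *512), base64url-encoded."""
    try:
        digest = _HASH_FOR_ALG_SUFFIX[alg[-3:]](artifact.encode("ascii")).digest()
    except KeyError:
        raise ValueError(f"unsupported ID token alg: {alg}") from None
    return b64url(digest[: len(digest) // 2])


def verify_id_token_hashes(claims: dict, alg: str, access_token: str = None,
                           code: str = None, state: str = None) -> bool:
    """Relying-party check: every artifact returned alongside the ID token must match its
    hash claim. Assumed policy: an artifact with no corresponding claim fails the check."""
    for claim, artifact in (("at_hash", access_token), ("c_hash", code), ("s_hash", state)):
        if artifact is None:
            continue
        if claim not in claims:
            return False
        expected = oidc_half_hash(artifact, alg)
        if not hmac.compare_digest(expected.encode("utf-8"), str(claims[claim]).encode("utf-8")):
            return False
    return True
```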
DataPower Gateway
• HSTS header for GUI
  – Strict-Transport-Security: max-age=31536000; includeSubDomains
• SSH
  – Pre-authentication banner -> 4 kb
  – Allow selection of KEX and MAC algorithms
API Security
• API Gateway:
  – Decoupling/routing
  – Traffic management
  – Security
  – Translation
• Developer portal:
  – API discovery
  – Self subscription/administration
  – Account usage analytics
  – Monetization
  – Security
• API Manager:
  – Plan/product design
  – Policy administration
  – API plan usage analytics
  – API Governance
  – Security
Microservices Kubernetes Cluster
[Diagram: three nodes (Node 1, Node 2, Node 3) and three master nodes (Master Node 1, Master Node 2, Master Node 3) hosting the Gateway Service, Analytics Service, Portal Service and Management Service]
APIC Connect White Paper (Chris Phillips): https://www.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=03023503USEN&
API Manager
• User Registry support
  – Authenticate URL
  – LDAP (supports group authentication)
    » Search DN
    » Compose DN
    » Compose UPN
  – OIDC (Federated Identity)
    » Portal
    » APIC/Admin (coming)
  – Local User Registry (LUR)
    » Protection against timing attacks
    » Protection against brute force attacks
• Token (JWT)
  – OAuth 2.0 (no basic auth)
  – Role
    » Custom role
  – Token TTL
• Data at Rest
• Data in Transit
• Introduction of microservices to each other
• Webhook
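The two LUR bullets above (timing-attack and brute-force protection) in working form, as an added example that is not API Manager's own registry code. The PBKDF2 parameters, the lockout threshold and the lockout duration are assumed values.

```python
import hashlib
import hmac
import os
import time

# Constructed example; not the API Manager LUR implementation. Policy values are assumed.
PBKDF2_ROUNDS = 100_000
MAX_FAILURES = 5         # consecutive failures before the account is locked
LOCKOUT_SECONDS = 300    # how long the lock lasts


class LocalUserRegistry:
    def __init__(self, clock=time.monotonic):
        self._users = {}       # username -> (salt, pbkdf2 hash)
        self._failures = {}    # username -> (consecutive failures, time of last failure)
        self._clock = clock
        # Dummy record: unknown usernames cost the same PBKDF2 work as real ones, so the
        # response time does not reveal whether an account exists.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = self._derive("dummy-password-never-accepted", self._dummy_salt)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    def is_locked(self, username: str) -> bool:
        count, last = self._failures.get(username, (0, 0.0))
        if count < MAX_FAILURES:
            return False
        if self._clock() - last >= LOCKOUT_SECONDS:
            self._failures.pop(username, None)    # lock expired
            return False
        return True

    def authenticate(self, username: str, password: str) -> bool:
        """True only for the correct password on an unlocked, existing account."""
        if self.is_locked(username):
            return False                           # brute-force protection: no work, no hint
        salt, stored = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        candidate = self._derive(password, salt)
        # Timing-attack protection: compare_digest does not stop at the first differing byte,
        # and the existence check runs after the comparison so both paths do the same work.
        matched = hmac.compare_digest(candidate, stored)
        if matched and username in self._users:
            self._failures.pop(username, None)     # success resets the failure counter
            return True
        count, _ = self._failures.get(username, (0, 0.0))
        self._failures[username] = (count + 1, self._clock())
        return False
```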
API Manager
• APIs are published
  – Published in OpenAPI v2 format
  – APIM vs consumer
  – WebGUI/toolkits
  – RateLimit
Drinking Our Own Champagne
• Get an access_token
• The access_token must contain the right scope
• Permission is checked:
  – Is the token valid?
  – Does the token contain the necessary scope?
  – Does the user have the proper permission?
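The three questions on the slide as one gateway-side check, added here as an illustration rather than API Manager's own code. HS256 is used so the block runs on the standard library alone (a PS256 token, as the slides mention for JWS, would swap the HMAC step for an RSA-PSS signature check over the same signing input); the role-to-permission table and the scope names are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example. Roles, permissions and scopes below are hypothetical.
ROLE_PERMISSIONS = {
    "viewer": {"product:view"},
    "developer": {"product:view", "api:publish"},
    "admin": {"product:view", "api:publish", "product:publish", "user:manage"},
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issues a compact JWS the way an OAuth provider would (used to build test tokens)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def check_access(token: str, key: bytes, required_scope: str, required_permission: str, now=None):
    """The three questions from the slide, in order. Returns (allowed, reason)."""
    now = time.time() if now is None else now
    # 1. Is the token valid? Structure, pinned alg, signature, lifetime.
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    if header.get("alg") != "HS256":           # never let the token choose the algorithm
        return False, "alg_not_allowed"
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad_signature"
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired"
    if not isinstance(nbf, (int, float)) or nbf > now:
        return False, "not_yet_valid"
    # 2. Does the token carry the necessary scope?
    scopes = set(str(claims.get("scope", "")).split())
    if required_scope not in scopes:
        return False, "insufficient_scope"
    # 3. Does the user, through its roles, hold the required permission?
    roles = claims.get("roles", [])
    granted = set()
    for role in roles if isinstance(roles, list) else []:
        granted |= ROLE_PERMISSIONS.get(role, set())
    if required_permission not in granted:
        return False, "forbidden"
    return True, "ok"
```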
API Manager with Gateway
• Gateway must run 24 * 7 (even without APIM)
• The API Gateway introduces a gateway director (manager)
  – Uses clustering technology to track configuration from APIM
  – Heartbeat from APIM to make sure the Gateway has the latest information
  – 911 protocol to handle catastrophic failure
• Gateway director allows auto-scaling of additional gateways
  – Configuration/key materials
  – State of the processing
Hardened Portal Security
• Supports OpenID Connect for accelerated developer on-boarding and social login
• Enables PSD2/Open Banking compliance to programmatically onboard consumers using REST Management APIs and OpenID Connect
• Enhanced protection against spam bots with CAPTCHA and honeypot
• Detect and prevent malicious attacks with perimeter and DNS checks
• Detect and prevent flood attacks
Comprehensive API Security leveraging AI and Machine Learning
• Power your APIs with API Behavioral Security (ABS), integrated with Ping Intelligence, to detect attacks against your APIs
• Detect and block cyberattacks that target APIs, such as:
  – Data, application and system attacks
  – API DDoS attacks
  – Login attacks (credential stuffing, fuzzing, stolen cookies & tokens)
• Easily enable AI-powered threat protection on every API using Global Policy support
https://www.pingidentity.com/en/platform/api-security.html
https://developer.ibm.com/apiconnect/2019/02/12/ping-identity-and-ibm-partner-to-protect-against-api-cyberattacks/
Under the hood
• Pre-req: ase-token
• Global policy (x-correlationid)
• Pre-hook:
  – Is the request OK?
  – Authorization header?
  – appId?
  – Cookie?
• Post-hook:
  – Backend response
  – Redact (record) for learning
Comprehensive API Security with Ping and IBM
AI-powered Threat Protection for APIs (PingIntelligence for APIs):
• Data & Application Attacks: Advanced persistent threats, data exfiltration, deletion
• DoS & DDoS Attacks: DDoS API attack, login service DDoS attack, botnet attacking API
• Login Attacks: Stolen tokens or cookies, credential stuffing, fuzzing
Scalable Multi-Cloud API Platform:
• Message Security: JSON/XML threat protection, SQL injection, XSS, schema validation, encryption & signature, redaction, AV scanning
• Access Control: Authentication, authorization, token translation
• Rate Limiting: Client throttling, provider throttling, quotas
• Network Privacy: SSL/TLS
Copyright ©2018 Ping Identity Corporation. All rights reserved.
Secure & Manage GraphQL Endpoints
• Next-gen evolution of Gateway technology beyond Web services and REST, with GraphQL support
• Secure and manage APIs with GraphQL backends, efficiently managing compute-intensive services
• Threat protection against cyberattacks using advanced query complexity analysis to prevent API-based attacks
• Rate limit GraphQL queries with consumer plans based on the number of API calls & backend compute time
https://www.ibm.com/blogs/research/2019/02/graphql-api-management/
https://developer.github.com/v4/guides/resource-limitations/
1. Access Control
  • Who can access the data, and what data
  • APIc:
    – Client credential (application)
    – User credential (who)
2. Load Control
  • How much effort does the server need to fulfill the request?
  • Complexity:
    – Type (object type)
    – Resolve
    – Nesting
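Load control in working form, as an added example that is not the API Gateway's own analyzer: a minimal GraphQL selection-set parser that scores a query by object-type cost, resolve multipliers (first/last arguments) and nesting depth, and rejects it before the backend is called. The schema costs, plan limits and field names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed example of gateway-side load control for GraphQL. The per-field costs,
# the limits and the field names are assumptions, not IBM's or GitHub's values.
FIELD_COST = {"viewer": 1, "repositories": 2, "issues": 2, "comments": 2, "author": 1}
SCALAR_COST = 0          # leaf fields are assumed free once their parent has resolved
MAX_DEPTH = 4            # assumed plan limit on nesting
MAX_COST = 500           # assumed plan limit on estimated resolve cost

_TOKEN = re.compile(
    r'\s+|,|(?P<punct>[{}():])|(?P<name>[_A-Za-z][_0-9A-Za-z]*)'
    r'|(?P<int>-?\d+)|(?P<str>"(?:[^"\\]|\\.)*")')


class QueryError(ValueError):
    """Malformed query or invalid pagination argument."""


@dataclass
class Field:
    name: str
    args: dict = field(default_factory=dict)
    children: list = field(default_factory=list)


def tokenize(src: str):
    pos = 0
    while pos < len(src):
        m = _TOKEN.match(src, pos)
        if m is None:
            raise QueryError(f"unexpected character {src[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup is not None:      # whitespace and commas carry no token
            yield m.lastgroup, m.group()


class Parser:
    """Parses the subset needed here: optional `query Name`, nested selection sets,
    and scalar arguments such as first: 10."""
    def __init__(self, src: str):
        self.toks = list(tokenize(src))
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, value=None):
        k, v = self.peek()
        if k is None or (kind and k != kind) or (value and v != value):
            raise QueryError(f"expected {value or kind}, got {v!r}")
        self.i += 1
        return v

    def parse(self) -> list:
        if self.peek() == ("name", "query"):
            self.take()
            if self.peek()[0] == "name":
                self.take()
        fields = self.selection_set()
        if self.peek()[0] is not None:
            raise QueryError("trailing tokens after selection set")
        return fields

    def selection_set(self) -> list:
        self.take("punct", "{")
        fields = []
        while self.peek() != ("punct", "}"):
            fields.append(self.parse_field())
        self.take("punct", "}")
        return fields

    def parse_field(self) -> Field:
        f = Field(self.take("name"))
        if self.peek() == ("punct", "("):
            self.take()
            while self.peek() != ("punct", ")"):
                key = self.take("name")
                self.take("punct", ":")
                kind, val = self.peek()
                self.take()
                f.args[key] = int(val) if kind == "int" else val
            self.take()
        if self.peek() == ("punct", "{"):
            f.children = self.selection_set()
        return f


def depth(fields: list) -> int:
    """Nesting depth: number of selection-set levels below the root."""
    return 1 + max((depth(f.children) for f in fields), default=0) if fields else 0


def cost(fields: list) -> int:
    """Estimated resolve cost: a node's type cost, with its children multiplied by the
    page size requested through first/last, so a node's charge scales with the product
    of its ancestors' page sizes (100 issues x 50 comments each = 5000 comment nodes)."""
    total = 0
    for f in fields:
        multiplier = f.args.get("first", f.args.get("last", 1))
        if not isinstance(multiplier, int) or multiplier < 1:
            raise QueryError(f"{f.name}: first/last must be a positive integer")
        total += FIELD_COST.get(f.name, SCALAR_COST) + multiplier * cost(f.children)
    return total


def analyze(src: str, max_depth: int = MAX_DEPTH, max_cost: int = MAX_COST):
    """Returns (accepted, depth, cost, reason); a rejected query never reaches the backend."""
    try:
        fields = Parser(src).parse()
        d, c = depth(fields), cost(fields)
    except QueryError as e:
        return False, 0, 0, f"rejected: {e}"
    if d > max_depth:
        return False, d, c, "rejected: nesting too deep"
    if c > max_cost:
        return False, d, c, "rejected: estimated cost above plan limit"
    return True, d, c, "accepted"
```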
Cloud-Native API Gateway Service in DataPower
• Up to 5X+ increased performance with a natively built API Gateway using purpose-built technology for native OpenAPI/Swagger REST and SOAP APIs
• Multi-cloud scalability and extensibility to help meet SLAs and improve client user experience
• Optimized drag & drop built-in policies for security, traffic control and mediation, including flexible OAuth and enhanced JSON & XML threat protection
• Secure to the core with a self-contained signed & encrypted image to minimize risk, plus proven security policies to quickly protect APIs
[Diagram: Before, an API call passed through a DataPower Multi-Protocol Gateway Service to the backend; now it passes through the native API Gateway Service (API GW service) to the backend]
Policies for Enforcement on API Gateway Service
• GatewayScript and XSLT policy support provides flexible message mediation & dynamic security enforcement
• Dynamic routing support through Conditional policy
• Enforce strong security through Parse, JSON and XML Schema Validation policy
• OpenID Connect support to enable banks to meet PSD2 / Open Banking regulations
• OAuth token revocation to enable self-service token management
Built-in policies:
• Foundational: Invoke, Activity Log, Rate Limit, Throw, Set Variable, Conditional
• Security: API Key, JWT Validate, JWT Generate, OAuth Policy, Parse (threat detection), Validate, User Security, OpenID Connect
• Mediation: Map, JSON-XML, GatewayScript, XSLT
Meeting Security Needs through New Flexible OAuth Provider
• Rapid OAuth policy creation to quickly create OAuth provider security without deep security expertise
• Improved governance capabilities on managing OAuth providers with flexible administrative access control to enforce enterprise standards
• Ability to meet business demands with customizable OAuth assembly
• New User Security policy to enforce authentication & authorization in API assembly, adapting to unique enterprise security needs
Customizable / Ease of use
• Crypto material per native OAuth provider (vs gateway level)
• End user credential gathering (context variable) *
• Consent handling
• Global Policy (and thus inject context variables for processing) *
• Token handling (white/black listing)
• Flexibility
• …
Performant and Secure
• Istio integration for improved performance & security by passing API headers and tokens into Istio
• OpenAPI V3 support to meet security industry standards (i.e. PSD2) & improve reuse
• Open Banking & PSD2 compliant, including flexible JWT and OAuth features
• 5X improved performance with cloud-native API-centric Gateway Service
• Fast time to value through out-of-the-box policies for API Gateway Service
• Enterprise-specific security support through OAuth flow customization
• Expanded security with OIDC, CAPTCHA, perimeter and DNS check on Portal, etc.
Notices and disclaimers

© 2018 International Business Machines Corporation. No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights — use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. This document is distributed “as is” without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted per the terms and conditions of the agreements under which they are provided.

IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.

Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer follows any law.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM expressly disclaims all warranties, expressed or implied, including but not limited to, the implied warranties of merchantability and fitness for a purpose.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

IBM, the IBM logo, ibm.com and [names of other referenced IBM products and services used in the presentation] are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at: www.ibm.com/legal/copytrade.shtml.
Multi-cloud scalable API Manager & Gateway Architecture
[Diagram: In API Connect V5, the API Manager holds Gateway Cluster Management and replicates API data to each API Gateway's cache in the Gateway Cluster. In API Connect V2018.1, Gateway Cluster Management lives in the API Gateway and the gateways share a distributed cache.]
• Gateway Cluster Management moved from API Manager in V5 to API Gateway in V2018.1
• API data replication is performed between API Gateway instances in V2018.1, whereas in V5 it was between API Manager and each API Gateway instance
• Reduces runtime dependency between the API Gateway and API Manager in V2018.1

More Related Content

What's hot

Api gateway in microservices
Api gateway in microservicesApi gateway in microservices
Api gateway in microservices
Kunal Hire
 
Data Power Architectural Patterns - Jagadish Vemugunta
Data Power Architectural Patterns - Jagadish VemuguntaData Power Architectural Patterns - Jagadish Vemugunta
Data Power Architectural Patterns - Jagadish Vemugunta
floridawusergroup
 

What's hot (20)

Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
 
IBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use CasesIBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use Cases
 
IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018
 
Api gateway in microservices
Api gateway in microservicesApi gateway in microservices
Api gateway in microservices
 
API Management Within a Microservices Architecture
API Management Within a Microservices Architecture API Management Within a Microservices Architecture
API Management Within a Microservices Architecture
 
What's New in API Connect & DataPower Gateway in 1H 2018
What's New in API Connect & DataPower Gateway in 1H 2018What's New in API Connect & DataPower Gateway in 1H 2018
What's New in API Connect & DataPower Gateway in 1H 2018
 
Data Power Architectural Patterns - Jagadish Vemugunta
Data Power Architectural Patterns - Jagadish VemuguntaData Power Architectural Patterns - Jagadish Vemugunta
Data Power Architectural Patterns - Jagadish Vemugunta
 
DataPower Security Hardening
DataPower Security HardeningDataPower Security Hardening
DataPower Security Hardening
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
API strategy with IBM API connect
API strategy with IBM API connectAPI strategy with IBM API connect
API strategy with IBM API connect
 
IBM Datapower Security Scenarios - Using JWT to secure microservices
IBM Datapower Security Scenarios - Using JWT  to secure microservicesIBM Datapower Security Scenarios - Using JWT  to secure microservices
IBM Datapower Security Scenarios - Using JWT to secure microservices
 
#APIOps- Agile API Development powered by API Connect
#APIOps- Agile API Development powered by API Connect#APIOps- Agile API Development powered by API Connect
#APIOps- Agile API Development powered by API Connect
 
Plan Advanced AWS Networking Architectures - SRV323 - Chicago AWS Summit
Plan Advanced AWS Networking Architectures - SRV323 - Chicago AWS SummitPlan Advanced AWS Networking Architectures - SRV323 - Chicago AWS Summit
Plan Advanced AWS Networking Architectures - SRV323 - Chicago AWS Summit
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
 
Architecting an Enterprise API Management Strategy
Architecting an Enterprise API Management StrategyArchitecting an Enterprise API Management Strategy
Architecting an Enterprise API Management Strategy
 
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
Amazon Virtual Private Cloud (VPC) - Networking Fundamentals and Connectivity...
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
 
Datapower Steven Cawn
Datapower Steven CawnDatapower Steven Cawn
Datapower Steven Cawn
 
IBM API Connect - overview
IBM API Connect - overviewIBM API Connect - overview
IBM API Connect - overview
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWS
 

Similar to Gateway/APIC security

Whats new in data power
Whats new in data powerWhats new in data power
Whats new in data power
sflynn073
 

Similar to Gateway/APIC security (20)

[Workshop] API-driven Integration
[Workshop] API-driven Integration[Workshop] API-driven Integration
[Workshop] API-driven Integration
 
42Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.142Crunch Security Audit for WSO2 API Manager 3.1
42Crunch Security Audit for WSO2 API Manager 3.1
 
Whats new in data power
Whats new in data powerWhats new in data power
Whats new in data power
 
Apigee Edge Overview and Roadmap
Apigee Edge Overview and RoadmapApigee Edge Overview and Roadmap
Apigee Edge Overview and Roadmap
 
apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...
apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...
apidays London 2023 - Advanced AI-powered API Security, Ricky Moorhouse (IBM)...
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital Age
 
Platform for Secure Digital Business
Platform for Secure Digital BusinessPlatform for Secure Digital Business
Platform for Secure Digital Business
 
(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers...
(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers...(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers...
(SACON) Suhas Desai - The Power of APIs – API Economy Trends & Market Drivers...
 
API Gateway report
API Gateway reportAPI Gateway report
API Gateway report
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
 
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
Enable Oauth2.0 with Sentinet API Management (Massimo Crippa @ BTUG Event)
 
API Management Microservices beyond HIP
API Management Microservices beyond HIPAPI Management Microservices beyond HIP
API Management Microservices beyond HIP
 
2019 devoxx - apis, microservices, et le service mesh
2019 devoxx - apis, microservices, et le service mesh2019 devoxx - apis, microservices, et le service mesh
2019 devoxx - apis, microservices, et le service mesh
 
#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6#1922 rest-push2 ap-im-v6
#1922 rest-push2 ap-im-v6
 
Security Architecture Consulting - Hiren Shah
Security Architecture Consulting - Hiren ShahSecurity Architecture Consulting - Hiren Shah
Security Architecture Consulting - Hiren Shah
 
Managing the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsManaging the Complexity of Microservices Deployments
Managing the Complexity of Microservices Deployments
 
5 step plan to securing your APIs
5 step plan to securing your APIs5 step plan to securing your APIs
5 step plan to securing your APIs
 
Open Banking & Open Insurance
Open Banking & Open InsuranceOpen Banking & Open Insurance
Open Banking & Open Insurance
 
Deep-Dive: Secure API Management
Deep-Dive: Secure API ManagementDeep-Dive: Secure API Management
Deep-Dive: Secure API Management
 
Datapowercommonusecases 130509114200-phpapp02
Datapowercommonusecases 130509114200-phpapp02Datapowercommonusecases 130509114200-phpapp02
Datapowercommonusecases 130509114200-phpapp02
 

More from Shiu-Fun Poon

More from Shiu-Fun Poon (12)

GraphQL Security
GraphQL SecurityGraphQL Security
GraphQL Security
 
IBM APIc API security protection mechanism
IBM APIc API security protection mechanismIBM APIc API security protection mechanism
IBM APIc API security protection mechanism
 
Cheatsheet to run DP docker
Cheatsheet to run DP dockerCheatsheet to run DP docker
Cheatsheet to run DP docker
 
How to migrate an application in IBM APIc, and preserve its client credential
How to migrate an application in IBM APIc, and preserve its client credentialHow to migrate an application in IBM APIc, and preserve its client credential
How to migrate an application in IBM APIc, and preserve its client credential
 
DataPower as PCI
DataPower as PCIDataPower as PCI
DataPower as PCI
 
How to integration with 3rd Party OAuth Provider with IBM APIc
How to integration with 3rd Party OAuth Provider with IBM APIcHow to integration with 3rd Party OAuth Provider with IBM APIc
How to integration with 3rd Party OAuth Provider with IBM APIc
 
How to integration DataPower with Zos
How to integration DataPower with ZosHow to integration DataPower with Zos
How to integration DataPower with Zos
 
IBM Apic toolkit cheatsheet
IBM Apic toolkit cheatsheetIBM Apic toolkit cheatsheet
IBM Apic toolkit cheatsheet
 
DataPower DoS/DDoS
DataPower DoS/DDoSDataPower DoS/DDoS
DataPower DoS/DDoS
 
Social Login (Nested OAuth/OIDC)
Social Login (Nested OAuth/OIDC)Social Login (Nested OAuth/OIDC)
Social Login (Nested OAuth/OIDC)
 
White vs Black list
White vs Black listWhite vs Black list
White vs Black list
 
Open Banking via APIc 2018
Open Banking via APIc 2018Open Banking via APIc 2018
Open Banking via APIc 2018
 

Recently uploaded

Digital Signal Processing Lecture notes n.pdf
Digital Signal Processing Lecture notes n.pdfDigital Signal Processing Lecture notes n.pdf
Digital Signal Processing Lecture notes n.pdf
AbrahamGadissa
 
Fruit shop management system project report.pdf
Fruit shop management system project report.pdfFruit shop management system project report.pdf
Fruit shop management system project report.pdf
Kamal Acharya
 

Recently uploaded (20)

Natalia Rutkowska - BIM School Course in Kraków
Natalia Rutkowska - BIM School Course in KrakówNatalia Rutkowska - BIM School Course in Kraków
Natalia Rutkowska - BIM School Course in Kraków
 
Furniture showroom management system project.pdf
Furniture showroom management system project.pdfFurniture showroom management system project.pdf
Furniture showroom management system project.pdf
 
Peek implant persentation - Copy (1).pdf
Peek implant persentation - Copy (1).pdfPeek implant persentation - Copy (1).pdf
Peek implant persentation - Copy (1).pdf
 
fluid mechanics gate notes . gate all pyqs answer
fluid mechanics gate notes . gate all pyqs answerfluid mechanics gate notes . gate all pyqs answer
fluid mechanics gate notes . gate all pyqs answer
 
Halogenation process of chemical process industries
Halogenation process of chemical process industriesHalogenation process of chemical process industries
Halogenation process of chemical process industries
 
Digital Signal Processing Lecture notes n.pdf
Digital Signal Processing Lecture notes n.pdfDigital Signal Processing Lecture notes n.pdf
Digital Signal Processing Lecture notes n.pdf
 
A CASE STUDY ON ONLINE TICKET BOOKING SYSTEM PROJECT.pdf
A CASE STUDY ON ONLINE TICKET BOOKING SYSTEM PROJECT.pdfA CASE STUDY ON ONLINE TICKET BOOKING SYSTEM PROJECT.pdf
A CASE STUDY ON ONLINE TICKET BOOKING SYSTEM PROJECT.pdf
 
RESORT MANAGEMENT AND RESERVATION SYSTEM PROJECT REPORT.pdf
RESORT MANAGEMENT AND RESERVATION SYSTEM PROJECT REPORT.pdfRESORT MANAGEMENT AND RESERVATION SYSTEM PROJECT REPORT.pdf
RESORT MANAGEMENT AND RESERVATION SYSTEM PROJECT REPORT.pdf
 
KIT-601 Lecture Notes-UNIT-5.pdf Frame Works and Visualization
KIT-601 Lecture Notes-UNIT-5.pdf Frame Works and VisualizationKIT-601 Lecture Notes-UNIT-5.pdf Frame Works and Visualization
KIT-601 Lecture Notes-UNIT-5.pdf Frame Works and Visualization
 
Explosives Industry manufacturing process.pdf
Explosives Industry manufacturing process.pdfExplosives Industry manufacturing process.pdf
Explosives Industry manufacturing process.pdf
 
Scaling in conventional MOSFET for constant electric field and constant voltage
Scaling in conventional MOSFET for constant electric field and constant voltageScaling in conventional MOSFET for constant electric field and constant voltage
Scaling in conventional MOSFET for constant electric field and constant voltage
 
Top 13 Famous Civil Engineering Scientist
Top 13 Famous Civil Engineering ScientistTop 13 Famous Civil Engineering Scientist
Top 13 Famous Civil Engineering Scientist
 
Cloud-Computing_CSE311_Computer-Networking CSE GUB BD - Shahidul.pptx
Cloud-Computing_CSE311_Computer-Networking CSE GUB BD - Shahidul.pptxCloud-Computing_CSE311_Computer-Networking CSE GUB BD - Shahidul.pptx
Cloud-Computing_CSE311_Computer-Networking CSE GUB BD - Shahidul.pptx
 
Courier management system project report.pdf
Courier management system project report.pdfCourier management system project report.pdf
Courier management system project report.pdf
 
Online resume builder management system project report.pdf
Online resume builder management system project report.pdfOnline resume builder management system project report.pdf
Online resume builder management system project report.pdf
 
ASME IX(9) 2007 Full Version .pdf
ASME IX(9)  2007 Full Version       .pdfASME IX(9)  2007 Full Version       .pdf
ASME IX(9) 2007 Full Version .pdf
 
ENERGY STORAGE DEVICES INTRODUCTION UNIT-I
ENERGY STORAGE DEVICES  INTRODUCTION UNIT-IENERGY STORAGE DEVICES  INTRODUCTION UNIT-I
ENERGY STORAGE DEVICES INTRODUCTION UNIT-I
 
Introduction to Machine Learning Unit-5 Notes for II-II Mechanical Engineering
Introduction to Machine Learning Unit-5 Notes for II-II Mechanical EngineeringIntroduction to Machine Learning Unit-5 Notes for II-II Mechanical Engineering
Introduction to Machine Learning Unit-5 Notes for II-II Mechanical Engineering
 
Fruit shop management system project report.pdf
Fruit shop management system project report.pdfFruit shop management system project report.pdf
Fruit shop management system project report.pdf
 
WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234WATER CRISIS and its solutions-pptx 1234
WATER CRISIS and its solutions-pptx 1234
 

Gateway/APIC security

  • 1. Session 6785 Mastering Security IBM API Connect API Connect & DataPower Shiu Fun Poon STSM Security
  • 2. IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice and at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user’s job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. 2 Please note
  • 3.
  • 4. • Security  DataPower Traditional Gateway  APIC platform  API Gateway 00 Agenda
  • 5. DataPower Gateway • New Algorithm Support • JSONWeb Signature – Support for RSASSA-PSS algorithm » PS256, PS384, PS512 • OAuth/OIDC • Allow duplicate credentials for application • Proof Key for Code Exchange support • Support at_hash, c_hash, s_hash • Fine tune refresh_token handling • Reuse or not
  • 6. DataPower Gateway • HSTS header for GUI • 'Strict-Transport-Security'" value="'max-age=31536000; includeSubDomains’ • SSH • Pre-autehntication banner -> 4 kb • Allow selection of KEX and MAC
  • 7. API Security API Gateway: • Decoupling/routing • Traffic management • Security • Translation Developer portal: • API discovery • Self subscription/administration • Account usage analytics • Monetization API Manager: • Plan/product design • Policy administration • API plan usage analytics • API Governance
  • 8. API Security API Gateway: • Decoupling/routing • Traffic management • Security • Translation Developer portal: • API discovery • Self subscription/administration • Account usage analytics • Monetization • Security API Manager: • Plan/product design • Policy administration • API plan usage analytics • API Governance • Security
  • 9. Micro services Kubernetes Cluster Node 1 Node 2 Node 3 Master Node 1 Master Node 2 Master Node 3 Gateway Service Analytics Service Portal Service Management Service APIC Connect White Paper: https://www.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=03023503USEN&
  • 10. Micro services Kubernetes Cluster Node 1 Node 2 Node 3 Master Node 1 Master Node 2 Master Node 3 Gateway Service Analytics Service Portal Service Management Service APIC Connect White Paper: https://www.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=03023503USEN& (Chris Phillips)
  • 11. API Manager • User Registry support • Authenticate URL • LDAP (supports group authentication) • Search DN • Compose DN • Compose UPN • OIDC (Federated Identity) • Portal • APIC/Admin (coming) • Local User Registry (LUR) • Protection against timing attacks • Protection against brute-force attacks • Token (JWT) • OAuth 2.0 (no basic auth) • Role • Custom role • Token ttl • ttl • Data at Rest • Data in Transit • Introduction of microservices to each other • Webhook
  • 12. API Manager • APIs are published • Published in OpenAPI v2 format • apim vs consumer • Web GUI/toolkits • Rate Limit Drinking Our Own Champagne: Get an access_token; the access_token must contain the right scope; permission is checked. Is the token valid? Does the token contain the necessary scope? Does the user have the proper permission?
  • 13. API Manager with Gateway • Gateway must be 24 * 7 (without APIm) • API gateway introduces a gateway director manager • Using clustering technology to track configuration from APIM • Heartbeat from APIm to make sure the Gateway will have the latest information • 911 protocol to handle catastrophic failure • Gateway director allows auto scaling of additional gateways • Configuration/Key Materials • State of the processing
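The token check on slide 12 (get an access_token, check that the token is valid, check that it carries the necessary scope, check that the user has the proper permission), as an added illustration that is not code from the page or from API Connect. It assumes an HS256-signed JWT with a constructed shared key, a `scope` claim holding space-separated scopes, a `roles` claim, and a constructed role-to-permission table; API Manager's own key material, claim names and role definitions are not on the page.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values: a shared HMAC key and a role-to-permission map.
# The product's real key material and role definitions are not on the page.
SECRET = b"constructed-demo-key-do-not-reuse"
ROLE_PERMISSIONS = {
    "admin": {"product:read", "product:publish"},
    "developer": {"product:read"},
}
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SECRET) -> str:
    """Issue an HS256 JWT; stands in for the OAuth provider's token endpoint."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = SECRET, now: Optional[float] = None) -> dict:
    """'Is the token valid?': pinned algorithm, constant-time MAC check, then ttl."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never trust the token's own alg choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # timing-safe compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:           # ttl enforced before any claim is used
        raise ValueError("expired")
    return claims


def authorize(token: str, required_scope: str, required_permission: str,
              now: Optional[float] = None) -> Tuple[bool, str]:
    """The three checks from the slide, in order: valid token, right scope, proper permission."""
    try:
        claims = verify_token(token, now=now)
    except ValueError as exc:
        return False, f"invalid token: {exc}"
    scopes = set(claims.get("scope", "").split())
    if required_scope not in scopes:
        return False, "missing scope"
    granted = set()
    for role in claims.get("roles", []):
        granted |= ROLE_PERMISSIONS.get(role, set())
    if required_permission not in granted:
        return False, "insufficient permission"
    return True, "ok"


def demo(now: float = NOW) -> dict:
    """Run the check against a few constructed tokens; returns the decisions."""
    token = mint_token({"sub": "alice", "scope": "apim:read apim:write",
                        "roles": ["developer"], "exp": now + 3600})
    header_b64, _, sig_b64 = token.split(".")
    # Same header and signature, but a payload altered after signing: the MAC no longer matches.
    altered_payload = _b64url(json.dumps({"sub": "alice", "scope": "apim:admin",
                                          "roles": ["admin"], "exp": now + 3600}).encode())
    altered = ".".join([header_b64, altered_payload, sig_b64])
    # alg=none with an empty signature: rejected by the pinned-algorithm check.
    unsigned = ".".join([_b64url(b'{"alg":"none"}'), _b64url(b'{"sub":"alice"}'), ""])
    return {
        "read_ok": authorize(token, "apim:read", "product:read", now),
        "publish_denied": authorize(token, "apim:write", "product:publish", now),
        "scope_denied": authorize(token, "apim:admin", "product:read", now),
        "expired": authorize(token, "apim:read", "product:read", now + 7200),
        "altered": authorize(altered, "apim:admin", "product:publish", now),
        "unsigned": authorize(unsigned, "apim:read", "product:read", now),
    }
```

The order matters: signature and ttl are settled before any claim is read, the algorithm is pinned rather than taken from the header, and the MAC comparison uses `hmac.compare_digest`, which is the kind of timing-attack protection slide 11 lists for the local user registry.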
  • 14. Hardened Portal Security Supports OpenID Connect for accelerated developer on-boarding and social login Enable PSD2/ Open Banking compliance to programmatically onboard consumers using REST Management APIs and OpenID Connect Enhanced spam protection against spam bots with CAPTCHA and honeypot Detect and prevent malicious attacks with perimeter and DNS check Detect and prevent flood attacks
  • 15. Comprehensive API Security leveraging AI and Machine Learning 15 Power your APIs with API Behavioral Security (ABS), integrated with Ping Intelligence to detect attacks against your APIs Detect and block cyberattacks that target APIs, such as: • Data, Application and System attacks • API DDoS attacks • Login Attacks (credential stuffing, fuzzing, stolen cookies & tokens) Easily enable AI-powered threat protection on every API using Global Policy support + https://www.pingidentity.com/en/platform/api-security.html https://developer.ibm.com/apiconnect/2019/02/12/ping-identity-and-ibm-partner-to-protect-against- api-cyberattacks/
  • 16. Under the hood 16 Pre-req: ase-token. Global policy (x-correlationid). Pre-hook: is the request ok? authorization header? appId? cookie? Post-hook: redact (record) the backend response for learning
  • 17. Scalable Multi-Cloud API Platform AI-powered Threat Protection for APIs Data & Application Attacks Advanced Persistent Threats, Data exfiltration, Deletion DoS & DDoS Attacks DDoS API attack, Login service DDoS attack, Botnet attacking API Login Attacks Stolen tokens or cookies, Credential stuffing, fuzzing, Message Security JSON/XML threat protection, SQL injection, XSS, Schema validation, Encryption & signature, Redaction, AV scanning Access Control Authentication, Authorization, Token Translation Rate Limiting Client throttling, Provider throttling, Quotas Network Privacy SSL/TLS PingIntelligence for APIs Comprehensive API Security with Ping and IBM Copyright ©2018 Ping Identity Corporation. All rights reserved.
  • 18. Secure & Manage GraphQL Endpoints Next-Gen evolution of Gateway technology beyond Web services and REST with GraphQL support Secure and Manage APIs with GraphQL backends, efficiently managing compute intensive services Threat Protection against cyberattacks using advanced query complexity analysis to prevent API-based attacks Rate Limit GraphQL queries with consumer plans based on number of API calls & backend compute time https://www.ibm.com/blogs/research/2019/02/graphql-api-management/ https://developer.github.com/v4/guides/resource-limitations/
  • 19. Secure & Manage GraphQL Endpoints Next-Gen evolution of Gateway technology beyond Web services and REST with GraphQL support Secure and Manage APIs with GraphQL backends, efficiently managing compute intensive services Threat Protection against cyberattacks using advanced query complexity analysis to prevent API-based attacks Rate Limit GraphQL queries with consumer plans based on number of API calls & backend compute time https://www.ibm.com/blogs/research/2019/02/graphql-api-management/ https://developer.github.com/v4/guides/resource-limitations/ 1. Access Control • Who can access the data and what data • APIc • Client credential (application) • User credential (who) 2. Load Control • How much effort for the server to fulfill the request • Complexity • Type (object type) • Resolve • Nesting
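The load-control side of slide 19 (complexity, type, resolve, nesting), as an added worked example rather than code from the page or from DataPower: a small parser for a GraphQL selection set and a cost estimate computed before the query is executed, in the spirit of the GitHub resource-limitations guide linked above. The per-field resolver weights, the treatment of `first` as the page-size argument, the default page size, and the depth and cost limits are all constructed assumptions.

```python
import re
from typing import Optional

# Constructed cost model. Resolver weights stand in for the kind of DB2/Cassandra
# lookups the speaker notes describe; the real schema and limits are not on the page.
FIELD_COST = {"activities": 5, "manager": 2}   # cost of resolving the field itself (default 1)
LIST_FIELDS = {"activities", "employees"}      # fields whose children are resolved once per item
DEFAULT_FIRST = 10                             # page size assumed when `first` is absent
MAX_DEPTH = 4                                  # nesting limit
MAX_COST = 500                                 # per-request budget

_TOKEN = re.compile(r"\s*(?:([A-Za-z_][A-Za-z0-9_]*)|(\d+)|([{}():,]))")


def tokenize(src: str) -> list:
    """Split a query into (kind, value) tokens; only the subset of GraphQL needed here."""
    src, pos, out = src.strip(), 0, []
    while pos < len(src):
        m = _TOKEN.match(src, pos)
        if m is None:
            raise ValueError(f"unexpected input at offset {pos}")
        pos = m.end()
        if m.group(1):
            out.append(("name", m.group(1)))
        elif m.group(2):
            out.append(("int", int(m.group(2))))
        else:
            out.append(("punct", m.group(3)))
    return out


class Parser:
    """Recursive-descent parser for selection sets: `{ field(arg: v) { ... } }`."""

    def __init__(self, tokens: list):
        self.tokens, self.pos = tokens, 0

    def peek(self) -> tuple:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def take(self, kind: Optional[str] = None, value=None) -> tuple:
        tok = self.peek()
        if tok[0] is None or (kind and tok[0] != kind) or (value is not None and tok[1] != value):
            raise ValueError(f"expected {value or kind}, got {tok}")
        self.pos += 1
        return tok

    def selection_set(self) -> list:
        self.take("punct", "{")
        fields = []
        while self.peek() != ("punct", "}"):
            fields.append(self.field())
        self.take("punct", "}")
        return fields

    def field(self) -> dict:
        name = self.take("name")[1]
        args = {}
        if self.peek() == ("punct", "("):
            self.take()
            while self.peek() != ("punct", ")"):
                key = self.take("name")[1]
                self.take("punct", ":")
                args[key] = self.take()[1]
                if self.peek() == ("punct", ","):
                    self.take()
            self.take()
        children = self.selection_set() if self.peek() == ("punct", "{") else []
        return {"name": name, "args": args, "children": children}


def estimate_cost(fields: list, depth: int = 1) -> int:
    """Type cost + (items x child cost) per field, recursively; rejects over-deep nesting."""
    if fields and depth > MAX_DEPTH:
        raise ValueError("nesting too deep")
    total = 0
    for f in fields:
        items = f["args"].get("first", DEFAULT_FIRST) if f["name"] in LIST_FIELDS else 1
        child_cost = estimate_cost(f["children"], depth + 1) if f["children"] else 0
        total += FIELD_COST.get(f["name"], 1) + items * child_cost
    return total


def admit(query: str) -> tuple:
    """Decide before execution: (allowed, estimated cost) or (False, reason)."""
    try:
        cost = estimate_cost(Parser(tokenize(query)).selection_set())
    except ValueError as exc:
        return False, str(exc)
    return cost <= MAX_COST, cost
```

Because list fields multiply the cost of everything beneath them, raising `first` on a nested list is what pushes a request over budget, and the decision is made from the query text alone, before any resolver runs; the same estimate can feed the "backend compute time" dimension of the plan-based rate limit the slide mentions.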
  • 20. Up to 5X+ increased performance with natively built API Gateway using purpose-built technology for native OpenAPI/Swagger REST and SOAP APIs Multi-cloud scalability and extensibility to help meet SLAs and improve client user experience Optimized drag & drop built-in policies for security, traffic control and mediation including flexible OAuth, enhanced JSON & XML threat protection Secure to the core with self-contained signed & encrypted image to minimize risk, plus proven security policies to quickly protect APIs Before: DP Multi protocol Gateway Service API call Backend New: Native API Gateway Service API call Backend Cloud-Native API Gateway Service in DataPower API GW service
  • 21. Policies for Enforcement on API Gateway Service Gateway Script and XSLT policy support provides flexible message mediation & dynamic security enforcement Dynamic Routing support through Conditional Policy Enforce strong security through Parse, JSON and XML Schema Validation policy OpenID Connect support to enable banks to meet PSD2 / Open Banking regulations OAuthToken revocation to enable self-service token management Foundational Security Mediation Invoke API Key Map Activity Log JWT Validate JSON-XML Rate Limit JWT Generate Gateway Script Throw OAuth Policy XSLT Set Variable Parse (Threat Detection) Conditional Validate User Security OpenID Connect Built-in policies
  • 22. Rapid OAuth policy creation to quickly create OAuth provider security without deep security expertise Improved governance capabilities on managing OAuth providers with flexible administrative access control to enforce enterprise standards Ability to meet business demands with customizable OAuth assembly New User Security policy to enforce authentication & authorization in API assembly, adapting to unique enterprise security needs Meeting Security Needs through New Flexible OAuth Provider
  • 24. Customizable Ease of use • Crypto material on per OAuth native provider (vs gateway level) • End user credential gathering (context variable) * • Consent handling • Global Policy (and thus inject context variable for processing) * • Token handling (white/black listing) • Flexibility • ….
  • 25. 25 • Istio Integration for improved performance & security by passing API headers and tokens into Istio • OpenAPI V3 support to meet security industry standards (i.e. PSD2) & improve reuse • Open Banking & PSD2 Compliant including flexible JWT and OAuth features • 5X Improved Performance with cloud-native API-centric Gateway Service • Fast Time to Value through Out of the Box policies for API Gateway Service • Enterprise Specific Security Support through OAuth flow customization • Expanded Security with OIDC, CAPTCHA, Perimeter, DNS check on Portal, etc. Performant and Secure
  • 26. Notices and disclaimers 26 © 2018 International Business Machines Corporation. No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights — use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. This document is distributed “as is” without any warranty, either express or implied. In no event, shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted per the terms and conditions of the agreements under which they are provided. IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer follows any law.
  • 27. Notices and disclaimers continued 27 Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products about this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM expressly disclaims all warranties, expressed or implied, including but not limited to, the implied warranties of merchantability and fitness for a purpose. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. IBM, the IBM logo, ibm.com and [names of other referenced IBM products and services used in the presentation] are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at: www.ibm.com/legal/copytrade.shtml.
  • 29. Multi-cloud scalable API Manager & Gateway Architecture API Manager Gateway Cluster API Connect V5 API Gateway API Gateway Gateway Cluster Mgmt • Gateway Cluster Management moved from API Manager in V5 to API Gateway in V2018.1 • API Data Replication performed between API Gateway instances in V2018.1, whereas in V5 it was between API Manager and each API Gateway instance • Reduces runtime dependency between the API Gateway and API Manager in V2018.1 Cache Cache API Manager Gateway Cluster API Connect V2018.1 API Gateway API Gateway Gateway Cluster Mgmt Distributed Cache Distributed Cache

Editor's Notes

  1. Microservices allow each subsystem to scale up and down independently. There are 4 subsystems: Management, Portal, Gateway, Analytics (internal communication is over mTLS). Management: spans multiple availability zones. Portal: one availability zone. Analytics: one availability zone. We used Kubernetes for orchestration; it helps to make sure the microservices are up and that there are enough of them to handle the load. Each microservice starts as a Docker container, and k8s makes sure they are behaving properly (customer must use block storage, ceph, glusterfs). K8s must have metrics gathering. Ingress network (TLS termination & forwarding). 4 deployment options (k8s [openshift falls under this], ICP, appliance OVA, APIC Bluemix [armada]). Management: ~9; portal: ~3. OVA: Not locked down. No included space for data (attach a disk to the system) (disk is encrypted). No hard-coded credentials (inject config via attached ISO mount, credential): cloud-init. Runs k8s inside (minus gateway). Install assist (credential, ssh key, name of the host, backup, syslog forwarding ...)  provides an ISO image for mounting the configuration. ICP (ICP package assistant): OOTB logging, analytics, storage OOTB.
  2. User information will be updated from LDAP, the authentication URL or OIDC on each successful login. Each failed login attempt will progressively pause the login (starting at 5 attempts): 15 sec, 30 sec, 1 min, 2 min, 4 min, 8 min, 16 min, 32 min (1 hour after that).
  3. Default is 5 failed attempts for the same user in 3 hours, which leads to that user being locked for 3 hours. 50 failed attempts irrespective of user from the same IP in 3 hours and that IP is blocked for 3 hours. All configurable. Slightly non-intuitive is the fact that it is separate from password reset in the portal: resetting the password for an account does NOT clear its temporary lock; otherwise someone could brute-force someone's password by just resetting the account every 5 attempts.
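Notes 2 and 3 above, as an added example that is not the product's code: a progressive pause after repeated failures (note 2) and a sliding-window lockout with separate per-user and per-IP counters that a password reset deliberately does not clear (note 3). The limits and durations are the defaults quoted in the notes; the reading that the pause starts at the 5th failure, the choice to count failures in a per-key deque, and the method names are assumptions.

```python
from collections import deque
from typing import Deque, Dict, Tuple

# Defaults quoted in the speaker notes (the notes say all of them are configurable).
WINDOW_SECONDS = 3 * 3600      # failures are counted over a 3-hour window
USER_LIMIT = 5                 # failures per user in the window before that user is locked
IP_LIMIT = 50                  # failures per source IP, any user, before the IP is blocked
LOCK_SECONDS = 3 * 3600        # lock / block duration
PAUSE_START = 5                # assumed: progressive pause begins at the 5th failure
PAUSE_STEPS = [15, 30, 60, 120, 240, 480, 960, 1920]   # seconds, doubling each time
PAUSE_CAP = 3600               # one hour after that


def progressive_pause(consecutive_failures: int) -> int:
    """Seconds the next attempt is delayed (note 2): 0 below the threshold, then 15 s doubling up to 1 h."""
    if consecutive_failures < PAUSE_START:
        return 0
    step = consecutive_failures - PAUSE_START
    return PAUSE_STEPS[step] if step < len(PAUSE_STEPS) else PAUSE_CAP


class PortalLockout:
    """Sliding-window lockout from note 3: per-user and per-IP counters, independent of password reset."""

    def __init__(self) -> None:
        self.user_failures: Dict[str, Deque[float]] = {}
        self.ip_failures: Dict[str, Deque[float]] = {}
        self.user_locked_until: Dict[str, float] = {}
        self.ip_blocked_until: Dict[str, float] = {}

    @staticmethod
    def _recent(bucket: Dict[str, Deque[float]], key: str, now: float) -> Deque[float]:
        q = bucket.setdefault(key, deque())
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures older than the window
            q.popleft()
        return q

    def may_attempt(self, user: str, ip: str, now: float) -> Tuple[bool, str]:
        """Gate to run before the password is even checked."""
        if self.ip_blocked_until.get(ip, 0) > now:
            return False, "ip blocked"
        if self.user_locked_until.get(user, 0) > now:
            return False, "user locked"
        return True, "ok"

    def record_failure(self, user: str, ip: str, now: float) -> None:
        """Count the failure against both keys; lock or block when a limit is reached."""
        uq = self._recent(self.user_failures, user, now)
        uq.append(now)
        if len(uq) >= USER_LIMIT:
            self.user_locked_until[user] = now + LOCK_SECONDS
        iq = self._recent(self.ip_failures, ip, now)
        iq.append(now)
        if len(iq) >= IP_LIMIT:
            self.ip_blocked_until[ip] = now + LOCK_SECONDS

    def record_success(self, user: str) -> None:
        """A good login clears the user's counter (note 2 also refreshes profile data here)."""
        self.user_failures.pop(user, None)

    def password_reset(self, user: str) -> None:
        """Touches neither the counter nor the lock: a reset every 5 attempts must not restart the budget."""
        return None
```

The per-IP counter is what catches credential-stuffing style traffic that spreads attempts across many accounts, none of which individually reaches the per-user limit, while the separate per-user lock still holds when the same account is tried from several addresses.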
  4. Work with ElasticBeam
  5. DP sends the request to ASE (API Security Enforcer). The API Security Enforcer syncs with the API Behavioral Security engine every 10 minutes.
  6. GraphQL was originally conceived by Facebook; the goal is to put the application developer in the driver's seat: the application developer indicates the data that is needed, not the API provider. This gives rise to a unique challenge. If the provider develops the API, he or she will know the cost of a given API. For example, if the API needs to return user information, Ivan, being the provider developer, decides that the call to get the information is too expensive. For example, the call may need to access a DB2 database for the employee information and a Cassandra database for the latest 50 activities that the employee has had with the HR department. During development, the developer may find out that returning 50 activities is very costly, and thus the developer may choose to return only 5. So now we have an API which will return employee information and the last 10 activities. The API is ready to be used. Imagine Krithika uses the API, and she finds out that she also wants to know who the boss of the given employee is. In this case, she is stuck, because the API does not provide that information. So she has a couple of choices: one is to hope that Ivan (in his wisdom) did provide another API, or she will reach out to Ivan and ask for a new API. GraphQL takes that concern out of the way. GraphQL can define queries that Krithika can use to fine-tune what she would like to see (I hope you have all attended the demo that Krithika did an hour ago). GraphQL gives the final power to the application developer, because the application developer knows what she needs. This creates a potential