© 2015 IBM Corporation
IBM DataPower Gateway: The Security Gateway
Pierre Richelle – Technical Specialist, Integration
Agenda
►IBM Datapower Gateway Introduction & Concept
►Capabilities
►Use Cases
►Wrap-up
Silos of security & control are impeding business agility
(Figure: users (developers, partners, consumers, employees) reach applications and systems over business channels (web, mobile, B2B, SOA, APIs, cloud) through separate security & control solutions: API gateway, B2B gateway, SOA gateway, web access proxy, mobile gateway and cloud gateway, in front of z System, middleware, ESB and application services.)
Reduce cost + improve security & control with a single gateway
(Figure: the same users and business channels now reach z System, middleware, ESB and application services through one DataPower Gateway, available as a virtual appliance or a physical appliance.)
Protect, Control, Integrate
IBM DataPower DNA
(Figure: DataPower's true network device stack: hardware with crypto acceleration and XML acceleration, flash memory, digitally signed and encrypted WebSphere DataPower firmware, an IBM optimized embedded operating environment, and the DataPower configuration managed through the WebGUI, CLI and SOMA.)
Flexible deployment
• IBM DataPower Gateway Virtual Edition
• IBM DataPower Gateway Appliance
Agenda: Capabilities
IBM DataPower Gateway capabilities
Optional modules: ISAM Proxy Module, Integration Module, B2B Module, AO Module, TIBCO EMS Module, HSM
• Protect: threats, encryption, validation, AAA
• Control: service level management
• Integrate: transformation, routing
Protect
XML/JSON Threats Protection
• Entity Expansion/Recursion Attacks
• Content Validation (XML / JSON)
• XML / JSON : Size, Width, Depth attacks
• Public Key DoS
• XML Flood
• Resource Hijack
• Dictionary Attack
• Replay Attack
• Message/Data Tampering
• Message Snooping
• XPath or SQL Injection
• XML Encapsulation
• XML Virus
• …many others
Protect
Cryptographic Operations
XML-Encryption (http://www.w3.org/TR/xmlenc-core/)
• Data confidentiality
• Encrypt data
◦ The whole message
◦ Specific fields (document crypto map)
• Decrypt data
XML-DSig (http://www.w3.org/TR/xmldsig-core/)
• Data integrity
• Non-repudiation of data
• Digital signature
◦ Define elements on which the signature is based (document crypto map)
• Signature verification
Protect
Authentication, Authorization, Audit
Employ flexible AAA (Authenticate, Authorize, Audit) policies
Control
Service Level Management – Protect your system from over-utilization
• Frequency based on concurrency, or based on messages per time period (rate)
• Take action when exceeding a custom threshold:
◦ Notify (or log)
◦ Shape (or delay)
◦ Throttle (or reject)
Control
Service Level Management – Control load distribution
• Combine SLM with routing to make intelligent failover decisions
• Use alternate servers when a threshold is exceeded
• Advanced load balancing algorithms simplify your architecture: First Available, (Weighted) Round Robin, (Weighted) Least Connections, Hash
(Figure: high availability topologies: active/active with AO, active/standby behind a VIP using HSRP/VRRP, and active/active behind a load balancer.)
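An added example, not taken from the slides and not DataPower's SLM implementation, modelling the two Service Level Management slides above: one statement per backend with a messages-per-interval threshold, the notify / shape / throttle actions, and failover to an alternate backend when the primary's statement throttles. The names `SlmStatement`, `SlmPolicy` and `burst`, the sliding-window mechanics and every threshold are constructed for this example.

```python
# Added example modelling SLM statements: a message-rate threshold per backend,
# the notify / shape / throttle actions, and failover to an alternate backend.
# Class names, fields and thresholds are constructed; not DataPower's object model.
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SlmStatement:
    backend: str
    limit: int                 # messages allowed per interval
    interval: float            # interval length in seconds
    action: str                # "notify", "shape" or "throttle"
    window: deque = field(default_factory=deque, repr=False)  # accepted send times

    def decide(self, now: float) -> Tuple[str, float]:
        """Apply the statement to one message arriving at `now` (seconds).
        Returns (action, delay): "forward" while within the limit, otherwise
        the configured action; delay is non-zero only when shaping."""
        # Drop timestamps that have left the sliding window.
        while self.window and now - self.window[0] >= self.interval:
            self.window.popleft()
        if len(self.window) < self.limit:
            self.window.append(now)
            return "forward", 0.0
        if self.action == "notify":          # log the breach, still forward
            self.window.append(now)
            return "notify", 0.0
        if self.action == "shape":           # delay until the oldest slot frees
            delay = self.interval - (now - self.window[0])
            self.window.popleft()
            self.window.append(now + delay)  # reserve that slot for this message
            return "shape", delay
        return "throttle", 0.0               # reject; the message is not counted


@dataclass
class SlmPolicy:
    """Primary backend plus alternates tried in order when the primary throttles."""
    primary: SlmStatement
    alternates: List[SlmStatement] = field(default_factory=list)
    notifications: List[Tuple[float, str]] = field(default_factory=list)

    def route(self, now: float) -> Dict[str, object]:
        for stmt in [self.primary, *self.alternates]:
            action, delay = stmt.decide(now)
            if action == "notify":
                self.notifications.append((now, stmt.backend))
            if action != "throttle":
                return {"backend": stmt.backend, "action": action, "delay": delay}
        return {"backend": None, "action": "throttle", "delay": 0.0}


def burst(policy: SlmPolicy, arrivals: List[float]) -> List[str]:
    """Route a constructed burst of arrival times and summarise each decision."""
    out = []
    for t in arrivals:
        d = policy.route(t)
        out.append(f"{t:.0f}s {d['action']}->{d['backend']}")
    return out


if __name__ == "__main__":
    # Constructed scenario: primary allows 2 messages per 10 s, alternate allows 1.
    policy = SlmPolicy(
        primary=SlmStatement("app-1", limit=2, interval=10.0, action="throttle"),
        alternates=[SlmStatement("app-2", limit=1, interval=10.0, action="throttle")],
    )
    for line in burst(policy, [0.0, 1.0, 2.0, 3.0, 10.0]):
        print(line)
```

The third message in the constructed burst fails over to `app-2`, the fourth is rejected by both statements, and the fifth is forwarded again once the first timestamp has aged out of the primary's window. Shaping reserves the slot it will occupy, so a stream of shaped messages is spread across later intervals rather than released all at once when the window turns over.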
Integrate
Protocol & data mediation
• No dependencies between inbound “front-side” and outbound “back-side”
• Integrate disparate transport protocols with extreme ease: HTTP(s), WebSphere MQ, WebSphere JMS, Tibco EMS, SFTP, FTP(s), NFS, IMS, Database (DB2, Oracle, Sybase, SQL Server), AS1, AS2, AS3, …
• Transform the message format with ultimate flexibility: process XML and non-XML formats in a single configuration
• Support synchronous, asynchronous, publish-subscribe and guaranteed-delivery message patterns
(Figure: front-side HTTP/S, FTP/S, MQ and JMS bridged to back-side HTTP/S, FTP/S, MQ and JMS.)
Integrate
Supported languages and transformation standards
• XSLT: XSLT 1.0 / XPath 1.0, EXSLT, DataPower extension elements and functions
• XQuery 1.0
• JSONiq
• JSON Schema Validation
• JavaScript (GatewayScript): strict mode, CommonJS, ECMAScript 5 reference
• Binary transformation: FFD (XSLT binary transformation), WebSphere Transformation eXtender
Agenda: Use Cases
IBM DataPower Appliance Usage
(Figure: DataPower Gateways placed in the DMZ and in the trusted domain, between the Internet, consumers and trading partners on one side and middleware, z System and application or service on the other. Protect, Control, Integrate.)
1 Mobile Gateway
2 API Gateway
3 Web Gateway
4 B2B Partner Gateway
5 SOA & API Gateway
6 Internal Security Enforcement
7 Web Services Governance & Management
Service Security Gateway
(Figure: a service consumer performs the exposed service invocation against the gateway, which applies Authentication, Authorization, Service Level Agreement enforcement, Routing and Transformation, records Logs (Trace & Audit) and services usage statistics & monitoring, then performs the target service invocation against a SOAP service provider, REST service provider or web application provider.)
Agenda: Wrap-up
IBM DataPower Gateway Values
• Protect: Mobile, API, Web, SOA, B2B, using threat protection, encryption, AAA, validation
• Control: access to your systems, using Service Level Management
• Integrate: your system of records, using protocol and data transformation & routing
Thank you!
Questions ?
Backup Slides
Supported Standards & Protocols
• Data format & language: JavaScript; JSON; JSON Schema; JSONiq; REST; SOAP 1.1, 1.2; WSDL 1.1; XML 1.0; XML Schema 1.0; XPath 1.0; XPath 2.0 (XQuery only); XSLT 1.0; XQuery 1.0
• Security policy enforcement: OAuth 2.0; SAML 1.0, 1.1 and 2.0, SAML Token Profile, SAML queries; XACML 2.0; Kerberos, SPNEGO; RADIUS; RSA SecurID OTP using RADIUS; LDAP versions 2 and 3; Lightweight Third-Party Authentication (LTPA); Microsoft Active Directory; FIPS 140-2 Level 3 (w/ optional HSM); FIPS 140-2 Level 1 (w/ certified crypto module); SAF & IBM RACF® integration with z/OS; Internet Content Adaptation Protocol; W3C XML Encryption; W3C XML Signature; S/MIME encryption and digital signature; WS-Security 1.0, 1.1; WS-I Basic Security Profile 1.0, 1.1; WS-SecurityPolicy; WS-SecureConversation 1.3
• Transport & connectivity: HTTP, HTTPS, WebSocket Proxy; FTP, FTPS, SFTP; WebSphere MQ; WebSphere MQ File Transfer Edition (MQFTE); TIBCO EMS; WebSphere Java Message Service (JMS); IBM IMS Connect & IMS Callout; NFS; AS1, AS2, AS3, ebMS 2.0, CPPA 2.0, POP, SMTP (XB62); DB2, Microsoft SQL Server, Oracle, Sybase, IMS
• Transport Layer Security: SSL versions 2 and 3; TLS versions 1.0, 1.1, and 1.2
• Public key infrastructure (PKI): RSA, 3DES, DES, AES, SHA, X.509, CRLs, OCSP; PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12; XKMS for integration with Tivoli Security Policy Manager (TSPM)
• Management: Simple Network Management Protocol (SNMP); SYSLOG; IPv4, IPv6
• Open File Formats: Distributed Management Task Force (DMTF) Open Virtualization Format (OVF); Virtual Machine Disk Format (VMDK); Virtual Hard Disk (VHD)
• Web services: WS-I Basic Profile 1.0, 1.1; WS-I Simple SOAP Basic Profile; WS-Policy Framework; WS-Policy 1.2, 1.5; WS-Trust 1.3; WS-Addressing; WS-Enumeration; WS-Eventing; WS-Notification; Web Services Distributed Management (WSDM); WS-Management; WS-I Attachments Profile; SOAP Attachment Feature 1.2; SOAP with Attachments (SwA); Direct Internet Message Encapsulation (DIME); Multipurpose Internet Mail Extensions (MIME); XML-binary Optimized Packaging (XOP); Message Transmission Optimization Mechanism (MTOM); WS-MediationPolicy (IBM standard); Universal Description, Discovery, and Integration (UDDI versions 2 and 3), UDDI version 3 subscription; WebSphere Service Registry and Repository (WSRR)
DataPower Gateways …
IBM DataPower Gateways provide a low startup cost, helping clients increase ROI and reduce TCO with specialized, consumable, dedicated gateway appliances that combine superior performance and hardened security in physical and virtual form factors.
INTEGRATE Systems of Engagement with Systems of Record
CONTROL & MANAGE Traffic and Service Level Agreements
SECURE Mobile, API, Web, SOA, B2B and Cloud Workloads
OPTIMIZE Data Delivery and User Experiences
CONSOLIDATE & Simplify Infrastructure Footprint
Features
(Figure: Before DataPower Gateway vs. After DataPower Gateway: consumers in front of the secure, control, integrate and optimize functions.)
Simplify, offload & centralize critical functions
Integrate
• Any-to-any message transformation
• Transport protocol bridging
• Message enrichment
• Database connectivity
• Mainframe connectivity
• B2B trading partner connectivity
Optimize
• SSL / TLS offload
• Hardware accelerated crypto operations
• JSON, XML offload
• JavaScript, JSONiq, XSLT, XQuery acceleration
• Response caching
Control
• Intelligent load distribution
• Service level management
• Quota enforcement, rate limiting
• Message accounting
• Content-based routing
• Failure re-routing
• Integration with management & visibility platforms
Secure
• Authentication, authorization, auditing
• Security token translation
• Threat protection
• Schema validation
• Message filtering & semantics validation
• Message digital signature
• Message encryption
Security Gateway
(Figure: connection from the client passes an ACL into the gateway, which opens a new connection to the target; consumer and provider; call-out to a virus scanner; web service request carrying Basic Auth, OAuth 2.0, WS-Security UNT, etc.)
Proxying and Enforcement
• Terminate incoming connection
• Terminate transport-level security (SSL/TLS offload)
• Threat protection
• Enforce Service Level Agreement policies
• Inspect message content and filter (schema validate)
• Enforce security policies on message content (encrypt/decrypt, verify/sign digital signatures)
• Authentication, Authorization, Auditing (AAA)
• Call out to virus checker
• Transform content & enrich message
• Translate security token
• Dynamically route based on content and load balance (establish a new connection to pass results)
• Cache data on-box or in centralized, shared grid
Internal Security
(Figure: Outside World | DMZ | Internal Network. Internet clients (SaaS, partner apps, browsers) pass a protocol firewall to a Security Gateway in the DMZ, which handles HTTP(s) traffic carrying HTML, JSON, XML, SOAP, MIME, DIME, MTOM, XMLDSIG, XMLENC, WS-SecurityPolicy, WS-Trust, SAML and OAuth 2.0. Traffic then passes a domain firewall and an ACL to an internal Security Gateway in front of packaged apps, proprietary apps, data and the ESB over HTTP(s). Identity and policy sources: Tivoli (TAM), MS Active Directory, any LDAP (e.g. Oracle), CA SiteMinder, PDP (XACML, SAML, other). Internal consumers send web service requests carrying SAML, LTPA or Kerberos.)
• Incoming access control; threat protection
• Outgoing access control; SAML injection etc.
Protection of data plus XML & JSON threat protection
• Use DataPower to help resolve PCI compliance issues
• Easily sign, verify, encrypt, decrypt any content
• Configurable XML Encryption and Digital Signatures: message-level, field-level, headers
• Security standards: OAuth, WS-Security, WS-Policy, WS-SecurityPolicy, SAML, XACML, WS-Trust, …
• Use WS-SecurityPolicy to define security requirements for your web services: DataPower natively consumes and enforces WS-SecurityPolicy statements
◦ Integrity & Confidentiality, SupportingTokens, Message/Transport Protection
• Use XACML to define access and authorization policies for your web services: DataPower natively consumes and enforces XACML policies
◦ Resource-based Authorization
◦ PEP, PDP
DataPower security is policy driven
XML Threat Protection
• Entity Expansion/Recursion Attacks
• Public Key DoS
• XML Flood
• Resource Hijack
• Dictionary Attack
• Replay Attack
• Message/Data Tampering
• Message Snooping
• XPath or SQL Injection
• XML Encapsulation
• XML Virus
• …many others
JSON Threat Protection
• Label - Value Pairs
‒ Label String Length (characters)
‒ Value String Length (characters)
‒ Number Length (characters)
• Threat Protection
‒ Maximum nesting depth (levels)
‒ Maximum document size (bytes)
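As an added example, not DataPower's code and not taken from the slides, the following Python implements the gateway-side limits that the XML/JSON threat-protection lists in the Protect section and on this backup slide describe: document size, nesting depth and element width, JSON label and value string length and number length, and rejection of any DTD as the carrier for entity expansion and recursion attacks in XML. The `Limits` class, its default values, the limit names and the `verdict` helper are assumptions of this example.

```python
# Added example of gateway-side XML / JSON threat-protection limits; the Limits
# class, its default values and the limit names are assumptions of this example
# and are not DataPower's configuration objects.
import xml.parsers.expat
from dataclasses import dataclass


class ThreatDetected(Exception):
    """Carries the name of the limit that was violated."""


@dataclass(frozen=True)
class Limits:
    max_size: int = 4 * 1024 * 1024   # bytes, JSON and XML
    max_depth: int = 32               # nesting levels, JSON and XML
    max_width: int = 1000             # XML: child elements under one element
    max_label_len: int = 256          # JSON object keys, characters
    max_value_len: int = 8192         # JSON string values, characters
    max_number_len: int = 64          # JSON numbers, characters


def check_json(doc: bytes, limits: Limits = Limits()) -> str:
    """One pass over the raw text without building the object graph, so an
    oversized or deeply nested document is refused before any parser sees it."""
    if len(doc) > limits.max_size:
        raise ThreatDetected("size")
    text = doc.decode("utf-8")
    stack = []           # one entry ('{' or '[') per open container
    expect_key = False   # inside an object: the next string is a label
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c in "{[":
            stack.append(c)
            if len(stack) > limits.max_depth:
                raise ThreatDetected("depth")
            expect_key = c == "{"
        elif c in "}]":
            if not stack:
                raise ThreatDetected("syntax")
            stack.pop()
            expect_key = False
        elif c == ":":
            expect_key = False
        elif c == ",":
            expect_key = bool(stack) and stack[-1] == "{"
        elif c == '"':
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1   # step over escape sequences
            if j >= n:
                raise ThreatDetected("syntax")
            limit = limits.max_label_len if expect_key else limits.max_value_len
            if j - i - 1 > limit:
                raise ThreatDetected("label_length" if expect_key else "value_length")
            i = j
        elif c in "-0123456789":
            j = i
            while j < n and text[j] in "+-.eE0123456789":
                j += 1
            if j - i > limits.max_number_len:
                raise ThreatDetected("number_length")
            i = j - 1
        i += 1           # whitespace, true/false/null: nothing to check
    if stack:
        raise ThreatDetected("syntax")
    return "ok"


def check_xml(doc: bytes, limits: Limits = Limits()) -> str:
    """Streaming expat check: refuses any DTD (the carrier for entity expansion
    and recursion attacks) and enforces depth and width as elements arrive."""
    if len(doc) > limits.max_size:
        raise ThreatDetected("size")
    parser = xml.parsers.expat.ParserCreate()
    children = []        # children[-1] is the child count of the open element

    def reject_dtd(*_args):
        raise ThreatDetected("entity_expansion")

    def start(_name, _attrs):
        if children:
            children[-1] += 1
            if children[-1] > limits.max_width:
                raise ThreatDetected("width")
        children.append(0)
        if len(children) > limits.max_depth:
            raise ThreatDetected("depth")

    parser.StartDoctypeDeclHandler = reject_dtd
    parser.EntityDeclHandler = reject_dtd
    parser.StartElementHandler = start
    parser.EndElementHandler = lambda _name: children.pop()
    try:
        parser.Parse(doc, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ThreatDetected("syntax") from exc
    return "ok"


def verdict(check, doc: bytes, limits: Limits = Limits()) -> str:
    """Policy-engine friendly wrapper: "ok" or "rejected:<limit>"."""
    try:
        return check(doc, limits)
    except ThreatDetected as exc:
        return f"rejected:{exc}"
```

Both checks run over the bytes as they stream and refuse the document before a full tree exists, which is the point of doing this on the gateway: the cost of a hostile document is paid in the scanner, not in the application's parser. Refusing every DOCTYPE is the blunt but reliable mitigation for entity expansion and recursion; where a backend legitimately needs a DTD, the same expat handlers can count and bound entity declarations instead of rejecting outright.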
AAA: Authentication, Authorization, Auditing
(Figure: input → Extract Identity → Authenticate → Map Identity → Extract Resource → Map Resource → Authorize → Audit & Post-Process → output, backed by an external access control server or the onboard identity management store.)
• Extract Identity: HTTP headers, WS-Security tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509/SSL, SAML assertion, IP address, LTPA token, HTML form, OAuth, custom
• Authenticate: LDAP/Active Directory, System z NSS (RACF, SAF), IBM Security Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, verify signature, custom
• Extract Resource: URL, XPath, SOAP operation, HTTP operation, custom
• Authorize: LDAP/Active Directory, System z NSS, IBM Security Access Manager, Netegrity SiteMinder, SAML, XACML, OAuth, custom
• Audit & Post-Process: add WS-Security, generate z/OS ICRX token, generate Kerberos, generate SPNEGO, generate SAML, generate LTPA, map Tivoli Federated Identity
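An added example that walks the AAA stages in the figure above in code; it is not DataPower's AAA policy, and nothing in it comes from the slides beyond the stage names. The onboard identity store, the role map, the rule table, the `X-Authenticated-User` header and the `basic_header` helper are constructed for this example, and the map-identity and map-resource stages are folded into the role and rule lookups. Identity is extracted from an HTTP Basic header, which is one of the header-based identity sources the slide lists.

```python
# Added example of an AAA policy pipeline in the stage order the slide shows.
# Store, roles, rules and header names are constructed here; this is not
# DataPower's AAA implementation.
import base64
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SALT = b"example-salt"   # constructed; a real store keeps a random salt per user


def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


# Onboard identity management store and authorization rules (constructed)
USERS = {"alice": _digest("correct horse"), "bob": _digest("battery staple")}
ROLES = {"alice": {"orders:read", "orders:write"}, "bob": {"orders:read"}}
RULES = {("GET", "/orders"): "orders:read", ("POST", "/orders"): "orders:write"}
DUMMY = hashlib.sha256(b"never-matches").digest()   # same length as a real digest


@dataclass
class AaaResult:
    allowed: bool
    stage: str                                   # stage that produced the decision
    identity: Optional[str] = None
    audit: List[str] = field(default_factory=list)
    headers: Dict[str, str] = field(default_factory=dict)  # added by post-process


def basic_header(user: str, pwd: str) -> Dict[str, str]:
    """Build the HTTP Basic credential used by the constructed test requests."""
    token = base64.b64encode(f"{user}:{pwd}".encode()).decode()
    return {"Authorization": "Basic " + token}


def extract_identity(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Stage 1: pull the credential out of the HTTP headers (Basic auth here)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, pwd = decoded.partition(":")
    return (user, pwd) if user and sep else None


def authenticate(user: str, pwd: str) -> bool:
    """Stage 2: verify against the store. The digest is computed even for an
    unknown user and compared in constant time, so timing does not reveal
    which usernames exist or how much of a password matched."""
    return hmac.compare_digest(USERS.get(user, DUMMY), _digest(pwd))


def extract_resource(method: str, path: str) -> Optional[Tuple[str, str]]:
    """Stage 3: identify the protected resource from HTTP method and URL."""
    for rule in RULES:
        if method == rule[0] and path.startswith(rule[1]):
            return rule
    return None


def authorize(user: str, resource: Tuple[str, str]) -> bool:
    """Stage 4: role-based decision on the mapped identity and resource."""
    return RULES[resource] in ROLES.get(user, set())


def aaa(method: str, path: str, headers: Dict[str, str]) -> AaaResult:
    """Run the stages in order; the first failing stage ends processing."""
    result = AaaResult(allowed=False, stage="extract-identity")
    cred = extract_identity(headers)
    if cred is None:
        result.audit.append("no credential presented")
        return result
    user, pwd = cred
    result.stage = "authenticate"
    if not authenticate(user, pwd):
        result.audit.append(f"authentication failed for {user!r}")
        return result
    result.identity = user
    result.stage = "extract-resource"
    resource = extract_resource(method, path)
    if resource is None:
        result.audit.append(f"no rule covers {method} {path}")
        return result
    result.stage = "authorize"
    if not authorize(user, resource):
        result.audit.append(f"{user} denied {method} {path}")
        return result
    # Stage 5: audit & post-process, e.g. pass the identity to the back end
    result.stage = "post-process"
    result.allowed = True
    result.headers["X-Authenticated-User"] = user    # assumed header name
    result.audit.append(f"{user} allowed {method} {path}")
    return result
```

Every exit path records which stage made the decision and writes an audit line, which is what makes the pipeline debuggable in operation: a denied request can be traced to a missing credential, a failed credential, an uncovered resource or a role gap without re-running it. The default is deny, and a request reaches the post-process stage only after every earlier stage has succeeded.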
IBM DataPower Gateway Values
(Figure: input → Threats Protection → Cryptographic Operations → AAA → Routing & Transformation → Service Level Management → output.)
• Threats Protection: recursion attacks, content validation, XML / JSON size, width and depth attacks, XML flood, dictionary attack, replay attack, XPath or SQL injection, XML encapsulation, XML virus, …
• Cryptographic Operations: data confidentiality (XML encryption); data integrity (digital signature); non-repudiation of data (signature verification); crypto treatments with hardware component (appliance)
• AAA: Authenticate (LDAP, Tivoli Access Management, Kerberos, WS-Trust, SAML, LTPA, OAuth2, …); Authorize (LDAP, XACML, SAML, custom, …); Audit & Post Process (logs, SNMP, WS-Management; add WS-Security; generate LTPA, SAML, …)
• Service Level Management: throttle; shape (delay); reject or intelligent fail over; notify; load balancing
• Routing & Transformation: protocol conversion (HTTP, WMQ, FTP, AS1/2/3, WJMS, …); data transformation (JSON, XML, XQuery, JavaScript, XSLT); hardware acceleration (appliance); routing