Page 1 (OGF23 › materials › 1338)

Addressing Security, Governance and Performance Issues

Vic Morris – CEO Vordel

with an XML Gateway as part of a Service Oriented Architecture

Page 2

Simple projects implement “light weight” application integration

Platform approach allows applications to be aligned with business processes

Extensive use of XML messaging

XML Network Management

Service Oriented Architecture

BeInGrid Barcelona 2008, 17/06/2008

[Figure: integration maturity, from Tightly-coupled Systems, through Tactical XML-based integration, to a Full Services Oriented Architecture]

Page 3

Requirements for SOA and XML-based integration

> Remove processing bottlenecks

> Apply AAA to SOA

> Centrally manage policies

> Conditional routing and transformation

> Defend against threats

> Gain visibility on service usage

[Figure: requirement areas: Access Control, Policy Control, XML Networking, Security Governance, Monitoring, Performance]

Page 4

Addressing the requirements for XML-based integration and SOA

Addressing the Infrastructure Bottleneck

[Figure: deployment diagram. Zones: DMZ and Application Oriented Network. Components: Network Firewall, Web App Firewall and XML Firewall facing Customers, Partners and Suppliers; XML Gateways in front of the Application Servers, Databases, Queues and Legacy Systems.]

XML Firewall: XML Screening, Threat Prevention, SSL Termination, Authentication

XML Gateway: XML Acceleration, Application Offload, Identity Integration, Protocol Mediation, Data Transformation, Content Aware Routing, plus all the XML Firewall features

Page 5

Vordel Products

Vordel XML Firewall – Threat protection for XML Applications

› Threat protection for XML applications from malicious attack and unauthorized access

Vordel XML Gateway – Application Level Networking

› XML offload with data transformation, routing and acceleration

Vordel Policy Director – Centralized Policy Management

› Centralized policy creation and management for networks of XML firewalls and gateways

Vordel Reporter – Reporting Web Services Metrics

› Full visibility reporting on Web Service usage

Vordel SOAPbox – Testing for XML Applications

› Web Services test tool

Page 6

The Vordel Governance Solution

Design Time Governance

Vordel Policy Studio to create policies

Vordel Policy Director to store policies

> Stores policies in centralised store or Registry

> Staging of Policies

Vordel SOAPbox to test new policies

Run Time Governance

Vordel XML Firewall to protect the perimeter

> Policy enforcement

> Service Discovery

Vordel XML Gateway to protect the network

> Policy enforcement

> Service Discovery

Vordel Reporter

> Comprehensive usage reports

> Compliance reports

Page 7

Vordel 5 Deployment Platforms

Software

> Solaris

> Linux

> Windows

Appliance

> Deployed in the network as a network device to offload XML processing

> XML performance acceleration and optimisation

> Hardened appliance with FIPS-Compliant cryptographic acceleration and hardware security module key storage

> Dual power supplies and RAID dual disks for reliability

> VX4000 built on standard hardware platform for ease of maintenance

Page 8

Case Studies: The role of XML Gateways in Telecoms

• Case Study 1: 911 Emergency Services [USA]

• Case Study 2: Mobile Telecoms Service Delivery Platform (SDP) [Brazil]

• Case Study 3: De-regulation [Canada]

• Case Study 4: Managing IPTV [Italy]


Page 9

911 Emergency Services [USA]

The 911 Service Provider provides outsourced emergency telephone services to both fixed-line and VoIP providers including Verizon and Vonage

Customer information is fed to the 911 service provider using XML

The XML messages include:

- Name

- Address

- Preferred First Language


- Current location

When the customer dials 911, this information is provided to the emergency services [police, fire, ambulance].

The 911 Service Provider receives a regular feed of this customer information. Feeds may contain millions of individual customer details.

Page 10

911 Emergency Services [USA]

XML processing was placing a heavy load on their application servers.

The customer initially built their own XML Gateway, but it was too slow, and could not be managed.

Large volumes of XML traffic would drastically slow down their Web Services (running on Oracle Application Server 10g)


When the client didn’t receive an immediate response, it would re-send the SOAP message. The message re-sends compounded the problem.

- They were being DoS’ed by their own customers!

[DoS = Denial of Service]

Page 11

XML Message Flooding


Java code on the Oracle Application Server was validating the incoming XML, and authenticating the sender.

Unfortunately, it ran slowly and would fall over under stress.

Page 12

Solution Architecture

• Failover

• Development, Staging, and Production environments

• Heavy XML processing offloaded from the app server

Page 13

Solution: XML Offload

Vordel’s XML Gateway takes the XML heavy-lifting off the app server

• Before: the application server performs every step itself: read XML into memory, check XML is well-formed, validate against a Schema, transform XML using XSLT, then perform business logic.

• After: reading XML into memory, checking it is well-formed, validating against a Schema and transforming it using XSLT are offloaded onto the XML Gateway; the application server only performs the business logic.

Page 14

Solution Benefits

• Message retries are automatically detected and throttled

• Responses are cached so that retries do not have to touch the application server

• XML is validated and screened for threats before it reaches the application server

• Security policies are now in the hands of Operations staff


• Policies are no longer baked into code at the application server

• Policies can be backed-up, updated, rolled-back, archived

• A full evidential (signed) audit trail is provided
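The re-send problem of pages 10 and 14 (clients resending SOAP messages when no response arrives, until the application server is effectively denied service by its own customers) and the gateway-side answer to it, as an added example written for this page rather than Vordel's code: the gateway screens for well-formed XML, fingerprints each message, answers byte-identical re-sends from a response cache so they never touch the application server, and throttles a sender once the re-send count passes a limit. The `Gateway` class, the sample message and the limits are constructed for illustration.

```python
import hashlib
import time
import xml.etree.ElementTree as ET

# Constructed sample SOAP message, standing in for one record of a customer feed.
SAMPLE_SOAP = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><UpdateCustomer><Name>A. Person</Name><Address>1 Main St</Address>
  </UpdateCustomer></soap:Body></soap:Envelope>"""


class Gateway:
    """Hypothetical stand-in for the gateway's screening, retry detection and caching."""

    def __init__(self, backend, max_retries=3, cache_ttl=60.0, clock=time.monotonic):
        self.backend = backend          # callable bytes -> bytes: the application server
        self.max_retries = max_retries  # re-sends served from cache before throttling
        self.cache_ttl = cache_ttl      # seconds a cached response stays valid
        self.clock = clock
        self.cache = {}                 # fingerprint -> (expiry, response)
        self.retries = {}               # fingerprint -> re-sends seen so far
        self.backend_calls = 0          # how often the app server was actually touched

    def handle(self, sender, body):
        """Return (decision, response) for one inbound message."""
        # 1. Screen: malformed XML never reaches the application server.
        try:
            ET.fromstring(body)
        except ET.ParseError:
            return "rejected", b"<fault>malformed XML</fault>"
        # 2. Fingerprint sender + body; a byte-identical re-send hashes identically.
        key = hashlib.sha256(sender.encode() + b"\0" + body).hexdigest()
        now = self.clock()
        cached = self.cache.get(key)
        if cached is not None and cached[0] > now:
            self.retries[key] += 1
            if self.retries[key] > self.max_retries:
                return "throttled", b"<fault>retry limit exceeded</fault>"
            return "cached", cached[1]  # retry answered without touching the app server
        # 3. First sighting (or cache expired): forward once and remember the reply.
        self.backend_calls += 1
        response = self.backend(body)
        self.cache[key] = (now + self.cache_ttl, response)
        self.retries[key] = 0
        return "forwarded", response
```

With the limit set to two re-sends, the fourth identical message from the same sender is throttled while the application server has still been called only once.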

Page 15

Case Study 2: Service Delivery Platform

Vordel’s products are an integral component of the Ericsson “Service Delivery Platform” which uses XML to link telecoms systems together

• Parlay-X is the XML standard used

• Required validation of the Parlay-X traffic

• Required lookup of subscriber information from databases, and the on-the-fly population of subscriber data into XML fields

Page 16

Solution Architecture


Page 17

Solution benefit: “XML Enrichment”

• Before: Everything on the application server. The application server reads XML into memory, looks up customer info in the database, looks up the customer in the LDAP directory, enriches the XML with customer data from the directory and from the database, then operates based on the customer info.

• After: XML enrichment happens at the XML Gateway. Reading the XML into memory, both lookups and both enrichment steps are offloaded onto the XML Gateway; the enriched XML is passed to the application server, which operates based on the customer info.
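The gateway-side enrichment step just described, as an added example that is not part of the original deck or of the Ericsson platform: the subscriber named in the request is looked up in two constructed tables standing in for the LDAP directory and the subscriber database, and the results are written into the XML before it is passed on. The element names and the `urn:example:parlayx` namespace are illustrative placeholders, not the real Parlay-X schema.

```python
import xml.etree.ElementTree as ET

# Constructed lookup sources standing in for the LDAP directory and the subscriber database.
DIRECTORY = {"+5511990000001": {"displayName": "Subscriber One", "plan": "prepaid"}}
DATABASE = {"+5511990000001": {"balance": "12.50", "status": "active"}}

# Constructed request; element names are placeholders, not the real Parlay-X schema.
PX = "urn:example:parlayx"
NS = {"px": PX}
REQUEST = f"""<SendSms xmlns="{PX}"><senderName>+5511990000001</senderName>
<message>hello</message></SendSms>"""


def enrich(xml_text, directory=DIRECTORY, database=DATABASE):
    """Gateway-side enrichment: look up the subscriber named in the request and add
    the results as a subscriberInfo element so the app server receives a complete record.
    Raises ValueError for a request without senderName, LookupError for unknown subscribers."""
    root = ET.fromstring(xml_text)
    sender_el = root.find("px:senderName", NS)
    if sender_el is None or not sender_el.text:
        raise ValueError("request carries no senderName")
    msisdn = sender_el.text.strip()
    dir_rec = directory.get(msisdn)
    db_rec = database.get(msisdn)
    if dir_rec is None or db_rec is None:
        # Enrichment failure is surfaced here, at the gateway, not inside business logic.
        raise LookupError(f"unknown subscriber {msisdn}")
    info = ET.SubElement(root, f"{{{PX}}}subscriberInfo")
    for source, rec in (("directory", dir_rec), ("database", db_rec)):
        block = ET.SubElement(info, f"{{{PX}}}{source}")
        for name, value in rec.items():
            ET.SubElement(block, f"{{{PX}}}{name}").text = value
    return ET.tostring(root, encoding="unicode")


def enriched_fields(xml_text):
    """Read back the enriched values as {field: value}; used to check the result."""
    root = ET.fromstring(xml_text)
    wanted = {"displayName", "plan", "balance", "status"}
    return {el.tag.split("}")[1]: el.text
            for el in root.iter() if el.tag.split("}")[1] in wanted}
```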

Page 18

Case Study 3: De-regulation [Canada]

Largest Canadian telecommunications company provides connectivity to residential and business customers.

• Must provide an interface to CLECs (Competitive Local Exchange Carriers) in a deregulated telecoms environment.

• They had an existing Web portal which enables CLECs to access information using a Web browser. But they wanted automated B2B access using XML.

• 500,000 portal users, with an additional 5,000 users being added monthly.

• Launch of new B2B XML Web Services, alongside the portal, to allow larger customers and partners to integrate their back office systems directly into the telecom provider’s own systems.

• Vordel products integrated with Web SSO (Entrust) and Enterprise AV (McAfee).

Page 19

Deployment: De-regulation [Canada]


Page 20

Case Study 4: IPTV [Italy]

Large Italian mobile telco

• Trialing IPTV services. XML messages are used to order IPTV programmes and clips

• XML Gateways process incoming XML messages which contain credit card details, co-marketing codes (for partners), and details of requested TV programmes

• The XML Gateway allows the credit card data to be selectively encrypted using XML Encryption.


• XML data is validated against Schemas and is scanned for threats.

• Integration into CA SiteMinder ensures that all traffic is authenticated and authorised

Page 21

Requirement for Identity Federation

• SiteMinder is used for all authentication and authorization at the telco side

• At the client side, SiteMinder is usually not present. But, usually a directory such as Active Directory is present

• The customer decided to use a Security Token Service (STS) to issue SAML tokens at the client side, and these are passed to the XML Gateway at the telco side.

• This allows for Identity Federation to occur. The same end-user may have a different identity at the telco side, compared to their identity at the client side. This requires the XML Gateway to perform identity mapping.

• At the telco side, the user is logged into a SiteMinder session, based on their identity at the telco.
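The identity-mapping step the slide describes, as an added example that is not part of the original deck or of the Vordel or SiteMinder products: the telco-side gateway accepts a SAML assertion issued by the client-side STS, checks that the issuer is trusted and that the assertion is inside its validity window, and maps the (issuer, NameID) pair to the telco-side identity that the SiteMinder session will be created for. The assertion, the trusted-issuer set and the mapping table are constructed; signature verification of the assertion is assumed to have happened before this function runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Constructed assertion. Assumption: the XML signature has already been verified.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sts.client.example</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@client.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2008-06-17T09:00:00Z" NotOnOrAfter="2008-06-17T10:00:00Z"/>
</saml:Assertion>"""

# Constructed: client-side STSs the telco trusts, and the gateway's identity mapping table.
TRUSTED_ISSUERS = {"https://sts.client.example"}
IDENTITY_MAP = {("https://sts.client.example", "jdoe@client.example"): "telco-user-4711"}


def _ts(value):
    """Parse the UTC timestamps SAML uses (e.g. 2008-06-17T09:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def map_identity(assertion_xml, now_utc, trusted=TRUSTED_ISSUERS, mapping=IDENTITY_MAP):
    """Return the telco-side identity for a client-side assertion, or None when the
    issuer is untrusted, the assertion is outside its validity window, or no mapping exists."""
    now = _ts(now_utc)
    root = ET.fromstring(assertion_xml)
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in trusted:
        return None
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            return None
        if not_after and now >= _ts(not_after):
            return None
    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    # Key on (issuer, NameID): the same NameID asserted by another issuer is a different user.
    return mapping.get((issuer, name_id))
```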

Page 22

Case Study 4: IPTV with identity federation


Page 23

Addressing Security, Governance and Performance Issues

with an XML Gateway as part of a Service Oriented Architecture

Vic Morris – CEO Vordel