
Page 1: Network Approach in enabling SOA - Cisco · Improve the performance of SOA / Web 2.0 applications while securing XML data and offloading XML processing from application servers

Network Approach in enabling SOA

© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1

Cheng Jang Thye

Business Development Manager

[email protected]

Page 2

Applications Are Changing

• Client-Server/Silo-ed (Web 1.0)

– Limited data sharing between applications

– Static web pages

– Internet enabled

– Challenges with Scalability, Security, Visibility, Control

• Collaborative (Web 2.0 and SOA)

– Applications componentized with extensive app-to-app communication and data sharing

– Rich interactive UI (AJAX, JavaScript)

– Web Services or XML interface

– Significantly greater challenges with Scalability, Security, Visibility, Control

Page 3

What is SOA All About?

(Diagram: a client calling four Web Services: Verify Customer Credit, Determine Product Availability, Check Customer Address, Look-up Store Sales. Applications tier: Business Intelligence, Finance, Custom, Call Center, each with its own Data Access layer. Data tier: Credit, Availability, Address, Store Sales.)

Enterprise applications required repetitive coding

SOA enables reuse of data and business logic

Page 4

Exploring a Web 2.0 User Interface

(Screenshots comparing a Web 1.0 page with a Web 2.0 page.)

Page 5

Impact of Web 2.0 User Interfaces

(Diagram comparing Web 1.0 and Web 2.0 request patterns.)

Web 2.0 clients increase server processing and network traffic

Page 6

Typical Enterprise Application Architecture: Some Important Challenges to Consider

(Diagram: business applications exposing User Activation, Payment & Billing, Internet and CRM Web Services across the Internet.)

– XML messages introduce new security threats

– XML messages are ASCII and 3-10X larger than their binary equivalent

– XML will be 50% of network traffic, up from 15% in 2005 (451 Group)

Key Considerations:

– With XML traffic, new XML security threats arise and application performance deteriorates

– Access control must be enforced to prevent malicious users

– Mission critical applications require that Web services be reliable

Page 7

How to Web-Service Enable Your Apps

• Build new application servers with Web Service interfaces

Pro: Clean extension

Con: Expensive

• Extend current applications with Web Service interfaces

Pro: Cheaper

Con: Dependency on versions of applications

• Use a gateway to provide the Web Service interface

Pro: No touch to existing application

Con: New gateway

Page 8

Other Challenges

• Web Service/XML Security

– Authentication, Authorization, Encryption

– Firewall, DoS

– Other threats

• Server Performance

• Web Service Management

• Federation

Page 9

XML Introduces New Security Threats

(Chart: Most Common Web Application Vulnerabilities. Source: WhiteHat Security)

Page 10

XML Threat Categories

• Format Attacks

Main focus: Buffer overflow, overload and denial of service

Documents of extreme depth, breadth, length, number of nodes

• Content Attacks

Main focus: Command execution

Exploiting insecure business logic (e.g. SQL injection)

• Denial of Service

Main focus: Consuming all system resources

Exploiting processing issues to overwhelm capacity

Page 11

Content Attack: SQL Injection

Strategy: insert SQL statements into otherwise valid XML to cause problems on the database back end

Valid message:

<customer>
<customerName>BigCo</customerName>
<customerID>12345</customerID>
</customer>

Hostile message:

<customer>
<customerName>BigCo</customerName>
<customerID>12345; drop table users; --</customerID>
</customer>

The vulnerable back end builds its query by string concatenation, so the injected statement is executed along with the intended one:

SqlQuery = "Select * from userTable where ID = " + myCustomer.CustomerID + ";"

• Example of a general class of threats: Command Injection, LDAP…
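The injection above, run end to end against an in-memory SQLite database. This is an added example, not code from the deck or from Cisco; the two tables, the sample rows and the rule that customerID must be an unsigned integer are assumptions made for the demonstration. It shows the deck's concatenated query destroying a table, the same hostile message doing nothing once the value is bound as a parameter, and the positive input check a gateway schema policy would apply before any SQL runs.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample messages: the deck's benign customer record and the
# hostile variant whose customerID smuggles a second SQL statement.
BENIGN_XML = """<customer>
  <customerName>BigCo</customerName>
  <customerID>12345</customerID>
</customer>"""

HOSTILE_XML = """<customer>
  <customerName>BigCo</customerName>
  <customerID>12345; drop table users; --</customerID>
</customer>"""


def fresh_db():
    """In-memory database with a userTable to query and a users table to lose.
    The schema and rows are assumed for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE userTable (ID INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO userTable VALUES (12345, 'BigCo');"
        "CREATE TABLE users (login TEXT);"
        "INSERT INTO users VALUES ('alice');"
    )
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def customer_id_from_xml(doc):
    """Extract <customerID> exactly as received; nothing has validated it yet."""
    return ET.fromstring(doc).findtext("customerID")


def lookup_vulnerable(conn, doc):
    """The deck's pattern: the query is assembled by string concatenation.
    executescript() is used so the stacked statement really executes, which
    mirrors a driver that allows several statements per call.
    Returns whether the users table survived the request."""
    sql_query = "SELECT * FROM userTable WHERE ID = " + customer_id_from_xml(doc) + ";"
    conn.executescript(sql_query)
    return table_exists(conn, "users")


def lookup_parameterized(conn, doc):
    """Bind the value instead of splicing it into SQL text. The hostile string
    is compared as data against the integer ID column and matches nothing."""
    cid = customer_id_from_xml(doc)
    return conn.execute(
        "SELECT ID, name FROM userTable WHERE ID = ?", (cid,)
    ).fetchall()


def validate_customer_id(cid):
    """Positive input validation of the kind a gateway schema policy enforces.
    Assumed rule: customerID is an unsigned integer. Returns the integer, or
    None when the message should be rejected before it reaches any SQL."""
    if cid is None or not cid.isdigit():
        return None
    return int(cid)


if __name__ == "__main__":
    print("users survives benign request:", lookup_vulnerable(fresh_db(), BENIGN_XML))
    print("users survives hostile request:", lookup_vulnerable(fresh_db(), HOSTILE_XML))
    print("parameterized hostile lookup:", lookup_parameterized(fresh_db(), HOSTILE_XML))
    print("gateway accepts hostile ID:", validate_customer_id(customer_id_from_xml(HOSTILE_XML)))
```

Parameter binding alone neutralizes the injection, but the gateway-side format check is still worth having: it rejects the message at the perimeter, keeps the bad value out of logs and downstream systems, and does not depend on every back end having been written correctly.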

Page 12

XML Denial of Service (XDoS)

• Swamping a server with illegitimate messages that consume resources that would otherwise be used to process legitimate messages

• Resources

– Server CPU (parsing, SSL processing, signature validation, etc.)

– Server network connections

– Server memory

– Server storage

• Inadvertent, non-malicious XDoS is just as bad as intentional XDoS
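One place to enforce the limits that the format-attack slide (documents of extreme depth, breadth, length and node count) and the XDoS slide (parser CPU and memory) both call for is a streaming pre-parse check that rejects a message before an application server builds a DOM for it. The following is an added example in Python, not code from the deck or from the ACE XML Gateway; the limit values are illustrative, and the rejection of entity declarations goes one step beyond the slides' list to cover entity-expansion bombs, which exhaust the same CPU and memory.

```python
import xml.parsers.expat


class XmlLimitExceeded(Exception):
    """Raised as soon as a message breaches a limit; parsing stops there."""


class XmlLimits:
    # Illustrative values; a real policy would be sized per service.
    def __init__(self, max_bytes=1_000_000, max_depth=32,
                 max_children=1_000, max_nodes=10_000):
        self.max_bytes = max_bytes
        self.max_depth = max_depth
        self.max_children = max_children
        self.max_nodes = max_nodes


def check_xml_limits(data, limits=None):
    """Stream through the document with expat (no tree is built) and track
    element depth, fan-out and count. Returns the observed maxima for a
    message within limits and raises XmlLimitExceeded otherwise. Malformed
    XML surfaces as xml.parsers.expat.ExpatError."""
    limits = limits or XmlLimits()
    if len(data) > limits.max_bytes:
        raise XmlLimitExceeded(f"message is {len(data)} bytes, limit {limits.max_bytes}")

    stats = {"max_depth": 0, "max_children": 0, "nodes": 0}
    open_children = []  # children seen so far for each currently open element

    def start_element(name, attrs):
        stats["nodes"] += 1
        if stats["nodes"] > limits.max_nodes:
            raise XmlLimitExceeded(f"more than {limits.max_nodes} elements")
        if open_children:
            open_children[-1] += 1
            stats["max_children"] = max(stats["max_children"], open_children[-1])
            if open_children[-1] > limits.max_children:
                raise XmlLimitExceeded(f"fan-out over {limits.max_children} at <{name}>")
        open_children.append(0)
        stats["max_depth"] = max(stats["max_depth"], len(open_children))
        if len(open_children) > limits.max_depth:
            raise XmlLimitExceeded(f"nesting deeper than {limits.max_depth} at <{name}>")

    def end_element(name):
        open_children.pop()

    def reject_entity(*args):
        # Internal DTD entities are the building block of expansion bombs.
        raise XmlLimitExceeded("entity declarations are not accepted")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.EntityDeclHandler = reject_entity
    parser.Parse(data, True)
    return stats


# Constructed inputs: the deck's customer message plus three hostile shapes.
BENIGN = (b"<customer><customerName>BigCo</customerName>"
          b"<customerID>12345</customerID></customer>")


def deep_document(depth):
    """Extreme depth: one element nested `depth` levels."""
    return b"<a>" * depth + b"</a>" * depth


def wide_document(children):
    """Extreme breadth: one root with `children` siblings."""
    return b"<r>" + b"<x/>" * children + b"</r>"


ENTITY_BOMB = (b'<?xml version="1.0"?><!DOCTYPE lol [<!ENTITY a "aaaaaaaaaa">'
               b'<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">]><lol>&b;</lol>')


def accept(data, limits=None):
    """Gateway decision: True if the message passes every limit."""
    try:
        check_xml_limits(data, limits)
        return True
    except XmlLimitExceeded:
        return False


if __name__ == "__main__":
    print("benign:", check_xml_limits(BENIGN))
    print("deep:", accept(deep_document(100)), "wide:", accept(wide_document(5000)),
          "entity bomb:", accept(ENTITY_BOMB))
```

The check is cheap precisely because it never materializes the document: each limit is evaluated in the element callbacks, and the first breach aborts the parse, so an attacker cannot make the gate itself pay the cost it is protecting the back end from. The byte-length check runs before parsing at all, which is the same reason a size limit belongs at the perimeter rather than in application code.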

Page 13

XML Threats Are Already Here!

http://www.webservicessummit.com/Vulnerabilities.htm

Page 14

XML Processing Increases Server Cost

(Chart: server CPU utilization without XML is business logic plus a small overhead; with XML the overhead grows to include schema validation, parsing, data transformation, encryption, decryption, content-based routing and protocol mediation.)

Application servers cost on a "per CPU" basis

Page 15: Network Approach in enabling SOA - Cisco · Improve the performance of SOA / Web 2.0 applications while securing XML data and offloading XML processing from application servers

I’ll add more servers to address performance, not application delivery infrastructure

It is more cost-effective to deploy high performance dedicated XML processing appliances than new servers to improve performance.

Response

Objection

I don’t think I need application security, I have firewallsObjection

Typical objections and responses

© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 15

I don’t think I need application security, I have firewalls

ResponseBasic firewalls don’t fully protect against application-layer attacks – true security is L2-L7, a Cisco strength

I only do Web Services with business partners I trust. They would never attack me anyway.

Response

Objection

Who controls the quality of their software front end? What if a few input validation inputs slip through the cracks? What if someone compromises their infrastructure, or intercepts the messages in flight?

Page 16

Challenges with Today's Distributed, Heterogeneous SOA

Interoperability: Multiple implementations of core standards mean interoperability is a challenge

Availability: Services must be made universally available and callable across heterogeneous implementations

Manageability and Visibility: Distributed, loosely coupled applications across platforms, domains and geographies are difficult to see and manage effectively

Security: Application messages traversing multiple protocols (incl. HTTP) introduce new security challenges

Scalability: Higher volume XML/Web Services traffic creates server processing overhead

Reliability: Transaction-level reliability is required for messages traversing multiple protocols (e.g., HTTP)

Page 17

Leveraging the Strengths of an Intelligent Network to enable SOA

(Diagram: the network connects Data Center, Branch Offices, Distribution, Extranet, Field Organizations, Remote Environments, Partners and B2B Links with the application estate: ESB, Message Broker, EAI, B2B Gateway, BAM, Legacy Apps, J2EE, .Net, ASP, MQSeries, EDI, Telephony, Business Intelligence, Mobile Services, RFID. Functions placed in the network: Security, Transformation, Business Rules, Event Capture, Compliance Logging, Database Lookup, Load Balancing, Service Adapters, Standards, Compression, Custom Protocol, Web Service.)

Benefits of a Network Based Approach:

• High performance, as resources are dedicated for that function

• No new intermediary layers or components

• No changes required to applications

• Network and applications can work together

• Simplifies infrastructure

• Leverages investment

Past Examples:

• Firewall, Proxy, VPN, SSL Accelerator

Page 18

Introducing the ACE XML Gateway

Improve the performance of SOA / Web 2.0 applications while securing XML data and offloading XML processing from application servers

• Secure SOA/Web 2.0 applications: prevent threats to the application with an XML firewall, deep message inspection and access control

• Improve server utilization: offload XML and message processing from application servers

The highest performance XML switch in the market!

Page 19

ACE XML Gateway and Manager

ACE XML Manager: federated message policy workflow across Development, Integration, Security and Operations; deployment, auditing, and management

ACE XML Gateways: inbound and outbound messages pass through a secure, high-performance XML processing pipeline

– Message policy enforcement and analysis

– Transformation and mediation

– Identity and access enforcement

– Message transport, security, and routing

Best of breed platform

Page 20

Cisco ACE XML Gateway Functionality

• XML Firewall: XML denial of service, content screening, XML attack detection, attachment anti-virus protection, privacy enforcement

• Access Enforcement: WS-Security, authentication, authorization, IAM integration, lightweight security token service (STS), multi-level credential collection, identity-based routing, identity-based reporting and alerting

• XML Message Processing: XML schema, encryption/signing, transformation, mediation, acceleration, XML traffic monitoring, content/IP/header based routing, SSL termination, enterprise class management, auditing and forensics, compliance reporting

• Authentication, Transformation, and Management APIs/SDK

• Transports for inbound and outbound messages: HTTP/S, SMTP, MQ, TIBCO, JMS, Custom

Page 21

Network Deployment

(Diagram: external XML/Web Services consumers reach the network firewall from the Internet; in the DMZ, ACE XML Gateways provide perimeter security in front of the portal and ACE application switches; in the data center, further ACE XML Gateways offload XML processing for XML/Web Services aware applications and integrate with identity management systems, with the ACE XML Manager controlling the gateways.)

1. Perimeter Security (e.g. Web and XML firewall protection for applications)

2. XML Offload (e.g. XML processing offload from servers)

Page 22

Validated By Customers

Page 23

Demo

• Environment

– J2EE application server with JAX-WS (VM) running web services:

Web Service #1: Add 2 numbers

Web Service #2: Concatenate 2 strings

– AXG 6.0 (VM): Gateway and Manager

• Demos

Browser -> Manager - (WS) -> Gateway -> J2EE App Server
