Layer 7 SecureSpan Solution
SecureSpan Solution Security and Monitoring for Services Inside the Enterprise and out to the Cloud
K. Scott Morrison CTO & Chief Architect Layer 7 Technologies
Layer 7 Confidential 2
About Layer 7
Layer 7 is the leading vendor of security and governance for:
[Chart: customer and revenue growth across 2003, 2006 and 2009; focus areas XML, SOA, Cloud]
Layer 7 Confidential 3
Why Governance?
“Governance is essential. Governance is needed for security, planned change and configuration management, testing, monitoring, and setting of quality-of-service requirements.”
Jess Thompson, Research Vice President, as quoted by CyberMedia India Online Ltd
(http://www.ciol.com/enterprise/biztech/news-reports/soa-evolving-beyond-traditional-roots/3409118003/0/)
Layer 7’s Approach to Governance
- Security
- Compliance
- Reliability
- SLAs
- Quality of Service
- Message Content
- Policy Agility
- Deployment Flexibility
- Interoperability
Achieve Control through Policy Enforcement
Facilitate Compliance
- Generate log and audit files at multiple levels
- Export of data for correlation and forensic analysis
- Verify messages for compliance to industry or government-mandated specifications
Ensure Reliability
- Ensure data confidentiality over the wire and at rest
- Ensure services remain readily available
- Verify messages to ensure integrity
Enforce Security
- Centralized policy enforcement point deployed in-house or in the cloud
- Policy-driven authentication and fine-grained, service level authorization
- Enforce policies according to risk
Gain Visibility by Monitoring Services
Track Message Content
- Identify trends, exceptions or violations at the message level
- Report on user, client and system access to sensitive data
Assure Quality of Service
- Monitor and report on service performance in real-time
- Reroute and throttle services to maintain reachability and availability
- Alert or automate actions based on throughput, routing failures, utilization, availability rates, etc.
Ensure SLA Conformance
- Monitor and report on SLAs using an agent-less management system
- Ensure you are meeting your own SLAs
- Ensure you’re getting the value you expect from 3rd-party service providers
React at the Pace of Business Change
Facilitate Interoperability
- Out-of-the-box integration with leading SOA solutions
- Standards-based, open APIs facilitate integration
Gain Deployment Flexibility
- Deploy in-house or in the cloud
- Multiple form factors: hardware appliance, software appliance, software, cross-domain client
Gain Policy Agility
- Decouple security, SLA, compliance and other shared code from services
- Modify existing or deploy new policies on the fly
- Out-of-the-box assertions facilitate policy assembly without coding
- Custom assertions let you meet specific requirements
Separation of Policy Enforcement Layer Using SecureSpan Gateways
[Diagram: service requesters reach service hosts through a SecureSpan Gateway Cluster backed by LDAP and/or IAM; the operator gains consistency, reuse and central control]
Leverage of Existing Identity Assets
[Diagram: a Web Services Client reaches a Web Services Server through the gateway, which talks native LDAP(S) to LDAP, WS-Trust to a Security Token Service (STS), and XML to access management and Policy Decision Points (PDPs)]
Identity, access management and STS systems supported:
- LDAP
- Sun OpenSSO
- RSA Cleartrust
- CA/Netegrity SiteMinder & TxMinder
- IBM TAM, TFIM
- MSAD, Infocard (on VPN client)
- Oracle Access Mgr
New instances are simple to add
Consistency and Scalability: Cluster-wide Sharing
[Diagram: Web Services Client, HTTP Load Balancer, gateway cluster; shared across the cluster: cluster variables (user configurable), replay state, policy updates, SLA data]
- Transparent replication of policy across the cluster
- Horizontal scalability
- Replay attack prevention across the cluster
- Single point of management across the cluster
May 2009
SecureSpan™ Gateway Overview Proprietary and Confidential 11
Edge-of-Network, DMZ-based Deployment
[Diagram: a message from a Service Requester on the Internet crosses the External Firewall into the DMZ, where the SecureSpan Gateway Cluster (managed from the SecureSpan Management Console) sits, then crosses the Internal Firewall to Internal Applications on the Corporate Network]
Rich Policy Language
[Diagram: policy managed from the SecureSpan Management Console and enforced on the SecureSpan Gateway Cluster]
Centralized Gateway PEP Cluster
[Diagram: messages from consumer applications (J2EE, .NET, Apache+PERL) pass through a centralized gateway PEP cluster, which consults a Policy Decision Point (PDP) (IAM, STS, etc.), on their way to the message producer]
Pros:
- Consistent security for all systems
- Centrally managed
- High performance, hardware accelerated document processing and cryptography
Cons:
- Need rudimentary last mile security (SSL typically, SAML, WS-S)
- Must cluster for high availability
Centralized Gateway Co-processor Cluster
[Diagram: producer/consumer applications (J2EE, .NET, Apache+PERL) and an ESB send an input XML document over a virtual loopback to the co-processor cluster and receive the transformed XML document]
Co-processor services:
- Accelerated XML transform
- Accelerated XML schema validation
- Signing services (notary pattern)
- Encryption services
- Filtering for compliance
- Threat detection
Administrative Changes to Policy Change the API
[Diagram: the Web Services Client programs against the server's WSDL, but security changes alter the effective contract (WSDL + security changes)]
- Which API do you program to?
- Security implemented in code is difficult to change
- Shift of burden to client
- Very programmer intensive
SecureSpan XML VPN Client
[Diagram: the client retrieves the WS-Policy document and the outgoing SOAP message is “decorated” to the current policy]
[Diagram: the Web Services Client submits a secure CSR to the gateway and performs a secure certificate download; the gateway acts as certificate authority for the Web Services Client and Web Services Server]
Trusted Certificates
[Diagram: certificates are administratively imported into the gateway from a PKI system, with certs, CRLs and OCSP responses retrieved from an LDAP or HTTP server over LDAP(S) or HTTP(S); the Web Services Client and Web Services Server then exchange secure messages]
Protecting & monitoring your applications in the cloud
Giving your cloud apps access to on-premises data sources
Big picture view of the distributed application network
[Diagram: Enterprise On-Premise IT with NetOps; application-layer isolation, monitoring & control spanning an on-premises Hardware PEP and a cloud Virtual PEP with identical functionality]
[Diagram: a Virtual SecureSpan Instance in front of a Virtual Application Instance (the protected application stack), deployed either as separate instances or as a combined instance]
Summary
Cloud should be viewed as a deployment pattern for SOA
- This means you should leverage SOA technology in the cloud
- Virtual SOA gateways, like SecureSpan, provide you with a means to secure the cloud
SOA best practices for federation can be transferred into the cloud
- Avoid key material in the cloud
- Use a distributable token validation strategy
  - SAML, Kerberos
- Employ authorization based on attributes, not concrete identities
  - These have persistence
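The three federation practices in the summary (no key material in the cloud, distributable token validation, attribute-based authorization), as an added example that is not Layer 7's or SecureSpan's code: a constructed Go stand-in for a SAML-style assertion is signed on-premises, and a cloud-side PEP holding only the issuer's public key validates it and authorizes on the department and role attributes it carries, never on the subject. The subject name, attribute values and the payroll policy are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Assertion is a constructed stand-in for a SAML-style token: subject, attributes, expiry.
type Assertion struct {
	Subject    string
	Attributes map[string]string
	NotAfter   int64
}

// Issue runs on-premises, the only place the signing key exists.
func Issue(priv ed25519.PrivateKey, a Assertion) (body, sig []byte) {
	body, _ = json.Marshal(a) // cannot fail for this plain struct
	return body, ed25519.Sign(priv, body)
}

// CloudPEP holds only the issuer's public key: it can validate tokens but never mint them.
type CloudPEP struct{ IssuerPub ed25519.PublicKey }

// Validate checks the signature before parsing anything, then the expiry.
func (p CloudPEP) Validate(body, sig []byte) (a Assertion, err error) {
	if !ed25519.Verify(p.IssuerPub, body, sig) {
		return a, fmt.Errorf("signature does not verify against the issuer key")
	}
	if err = json.Unmarshal(body, &a); err == nil && time.Now().Unix() > a.NotAfter {
		err = fmt.Errorf("assertion expired")
	}
	return a, err
}

// Authorize decides on attributes, never on the subject, so the cloud needs no user directory replica.
func Authorize(a Assertion, service string) bool {
	if service == "payroll" { // the one protected service in this example (assumed policy)
		return a.Attributes["department"] == "finance" && a.Attributes["role"] == "manager"
	}
	return false // unknown service: deny
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	body, sig := Issue(priv, Assertion{"alice", map[string]string{"department": "finance", "role": "manager"}, time.Now().Add(time.Hour).Unix()})
	a, err := CloudPEP{pub}.Validate(body, sig)
	fmt.Println(err, Authorize(a, "payroll"))
}
```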
For further information:
K. Scott Morrison
Layer 7 Technologies
405 – 1100 Melville St.
Vancouver, B.C. V6E 4A6
Canada
(800) 681-9377
http://www.layer7tech.com