
Solution Brief: Identity-Based XML Firewalling with SecureSpan™ XML Firewall

[Diagram: Service Consumers presenting SAML, UTP and X.509 credentials to a SecureSpan XML Firewall Cluster, which fronts the Web Service and consults Identity Management. Caption: SecureSpan XML Firewall clusters, screening XML content, centrally controlling service level access and enforcing message level security policies like privacy and integrity.]

The Problem:
Identity is at the heart of SOA security. Identity drives authentication and authorization decisions for all client-service interactions in an SOA, and the ability to validate identity is also central to enforcing transactional integrity and accountability policies. Defining and enforcing identity-based security policies in an SOA is complicated, however. Machine identities for client applications must be stored in a centrally accessible directory. Services must be able to extract identity information from the credentials carried inside a Web services message, validate those credentials against the central identity directory, and then enforce a security policy based on the rights associated with that identity. How a Web services security policy is defined, how decisions are delegated to existing policy decision points, how the credentials are located in a Web services message, how compliance with the various WS-* and WS-I security standards is assured, and how identity context is propagated in multi-hop SOA environments all add to the difficulty of applying identity to SOA. This is where an identity-based XML Firewall product like Layer 7's can help.

The Layer 7 Solution:


The SecureSpan XML Firewall gives security and SOA architects a centralized integration and enforcement point for identity-based SOA security operations such as client authentication, service level authorization, message privacy and transaction integrity. It integrates with popular identity and access products including LDAP, Microsoft Active Directory, CA SiteMinder, CA TransactionMinder, RSA ClearTrust, Tivoli Access Manager, Novell Access Manager, Oracle Access Manager and Sun Java Access Manager, so an existing identity and access policy store can be reused for SOA. The SecureSpan XML Firewall also offers hardware-accelerated XML parsing, validation and transformation, so identity credentials can be rapidly extracted, validated and, if need be, transformed for downstream authentication. To support emerging single sign-on and federation standards, it also supports WS-Trust and SAML.
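The enforcement flow the two paragraphs above describe (screen the XML, locate the credential in the message, validate it against an identity store, then apply a policy based on the identity's rights) is shown below as an added example in Python. It is not Layer 7 code and does not reflect how SecureSpan is implemented; the identity store, service ACL, size and depth limits, operation names and the sample request are all constructed for the example. The credential handled is a WS-Security UsernameToken with a PasswordDigest (WSS UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))); the pre-parse checks stand in for the XDoS protections the brief lists later (size limit, rejection of DTD/entity declarations, nesting depth limit), and nonces that have authenticated once are refused a second time.

```python
# Added example, not Layer 7 code: the screen / extract / validate / enforce flow
# described above, in Python. The identity store, service ACL, limits and the
# sample request are constructed for this example.
import base64
import hashlib
import hmac
import io
import xml.etree.ElementTree as ET

NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
NS_WSU = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
TYPE_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
MAX_BYTES, MAX_DEPTH = 64 * 1024, 32   # constructed screening limits

# Constructed stand-ins for the directory and the policy store. Verifying a
# PasswordDigest needs the shared secret itself, so this store has to hold it.
IDENTITY_STORE = {
    "orders-client": {"password": "s3cret-pw", "groups": {"order-submitters"}},
    "reporting-client": {"password": "r3port-pw", "groups": {"report-readers"}},
}
SERVICE_ACL = {   # SOAP body operation -> groups allowed to invoke it
    "{urn:example:orders}SubmitOrder": {"order-submitters"},
    "{urn:example:orders}GetOrderStatus": {"order-submitters", "report-readers"},
}

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WSS UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def threat_checks(raw: bytes):
    """Pre-parse screening: size, DTD/entity declarations and nesting depth."""
    if len(raw) > MAX_BYTES:
        return "message exceeds size limit"
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:   # entity expansion, XXE
        return "DTD/entity declarations are not accepted"
    depth = 0
    try:
        for event, _ in ET.iterparse(io.BytesIO(raw), events=("start", "end")):
            depth += 1 if event == "start" else -1
            if depth > MAX_DEPTH:
                return "element nesting too deep"
    except ET.ParseError as exc:
        return f"malformed XML: {exc}"

def extract_username_token(root: ET.Element):
    """Credential mining: pull a digest-type wsse:UsernameToken from the header."""
    tok = root.find(f"{{{NS_SOAP}}}Header/{{{NS_WSSE}}}Security/{{{NS_WSSE}}}UsernameToken")
    if tok is None:
        return None
    pw = tok.find(f"{{{NS_WSSE}}}Password")
    if pw is None or pw.get("Type") != TYPE_DIGEST:
        return None   # PasswordText is not accepted at this enforcement point
    try:
        nonce = base64.b64decode(tok.findtext(f"{{{NS_WSSE}}}Nonce") or "", validate=True)
    except ValueError:
        return None
    return {"username": tok.findtext(f"{{{NS_WSSE}}}Username") or "",
            "digest": (pw.text or "").strip(), "nonce": nonce,
            "created": tok.findtext(f"{{{NS_WSU}}}Created") or ""}

def enforce(raw: bytes, seen_nonces: set):
    """Screen, authenticate and authorize one request; returns (decision, reason)."""
    problem = threat_checks(raw)
    if problem:
        return "DENY", problem
    root = ET.fromstring(raw)
    cred = extract_username_token(root)
    if cred is None:
        return "DENY", "no acceptable credential in wsse:Security header"
    entry = IDENTITY_STORE.get(cred["username"])
    if entry is None:
        return "DENY", "unknown identity"
    if cred["nonce"] in seen_nonces:
        return "DENY", "nonce replay"
    expected = password_digest(cred["nonce"], cred["created"], entry["password"])
    if not hmac.compare_digest(expected.encode(), cred["digest"].encode()):
        return "DENY", "password digest mismatch"
    seen_nonces.add(cred["nonce"])   # only nonces that authenticated are recorded
    body = root.find(f"{{{NS_SOAP}}}Body")
    op = body[0].tag if body is not None and len(body) else ""
    if entry["groups"] & SERVICE_ACL.get(op, set()):   # deny unless a group matches
        return "ALLOW", f"{cred['username']} may call {op}"
    return "DENY", f"{cred['username']} is not authorized for {op or 'unknown operation'}"

def build_request(user: str, password: str, nonce: bytes, created: str, op_xml: str) -> bytes:
    """Constructed client request carrying a digest UsernameToken."""
    return f"""<s:Envelope xmlns:s="{NS_SOAP}"><s:Header><wsse:Security xmlns:wsse="{NS_WSSE}"
xmlns:wsu="{NS_WSU}"><wsse:UsernameToken><wsse:Username>{user}</wsse:Username>
<wsse:Password Type="{TYPE_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>
<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce><wsu:Created>{created}</wsu:Created>
</wsse:UsernameToken></wsse:Security></s:Header><s:Body>{op_xml}</s:Body></s:Envelope>""".encode()
```

Calling `enforce(build_request("orders-client", "s3cret-pw", b"\x01\x02\x03\x04", "2024-01-01T00:00:00Z", '<o:SubmitOrder xmlns:o="urn:example:orders"/>'), seen)` twice with the same `seen` set returns ALLOW the first time and a nonce-replay DENY the second. Two points to carry over to a real deployment: the DOCTYPE check runs on the raw bytes because `xml.etree` expands internal entities, so the parser must never see a DTD; and a real gateway would also reject a `wsu:Created` outside a short freshness window, which is omitted here to keep the example deterministic.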


Innovations and Solution Features:


- Support for access control based on multiple identities/groups/identity sources in a single XML Firewall policy
- Ability to distribute third-party Web SSO session cookies to Web services clients
- Optional SecureSpan XML VPN Client automates PKI provisioning to Web service clients
- Range of credential support including HTTP, WS-S, WS-Trust, Web SSO, and SAML 1.1 / 2.0
- Built-in PKI subsystem and support for external X.509 certificates
- Standards-based interface to external STS SAML issuers
- Rich credential mining tools
- Policy branching supports any combination of identity-based and content-based message processing

Supported Standards and Specifications:


XML 1.0, SOAP 1.1, REST, AJAX, XPath 1.0, XSLT 1.0, WSDL 1.1, XML Schema & DTD, LDAP 3.0, SAML 1.1/2.0, PKCS #10, X.509 v3 Certificates, W3C XML Signature 1.0, W3C XML Encryption 1.0, FIPS 140-2, SSL 2.0 / 3.0, TLS, SNMP, SMTP, FTP, HTTP/HTTPS, WS-Security 1.0, WS-Trust 1.0, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-SecureExchange, WSIL, WS-I, WS-I BSP, UDDI 3.0

Key Features
XML Threat Protection
- Infrastructural protections against XML parsing, XDoS and OS attacks
- Application protection against XML content tampering and viruses in SOAP attachments
- Protection against SQL and malicious script injection attacks
- Allow / reject messages based on time of day, day of week and IP address
- Configurable throughput restrictions based on requestor or destination prevent downstream XDoS

Advanced Identity, Credentialing and PKI Support


- Onboard identity store for administrative identities and fast staging of new services
- Integration with multiple external identity, access, single sign-on and federation systems including LDAP, Microsoft (Active Directory and Active Directory Federation Services), Novell Access Manager, Oracle Access Manager, IBM Tivoli (Access Manager and Federated Identity Manager), CA SiteMinder and TransactionMinder, RSA ClearTrust, and Sun Java Access Manager
- Credential chaining, credential remapping and support for federated identity
- Comprehensive support for SAML 1.1/2.0 authentication, authorization and attribute-based policies
- Integrated PKI CA for automated deployment and management of client-side certificates, and RA capability for external CAs including VeriSign

General Security
- Support for XML, SOAP, POX, AJAX, REST and other XML-based services
- Configuration wizards simplify policy creation and activation
- Support for policy branching based on identity or any message content or context
- Support for multiple routing destinations with configurable failover
- Policies can be applied to request-only, response-only, or both request and response messages

Administration Options
- GUI-based SecureSpan Manager deployed as either a stand-alone application (Windows / Linux) or browser-based (Internet Explorer / Firefox)
- Centralized cluster management and configuration with delegated administration
- Drag-and-drop policy configuration
- Intelligent, real-time validation and testing of policies
- Logging of violations and system/user-defined events, with alerting via SNMP traps and SMTP
- Dashboard for graphical, real-time monitoring of traffic profiles and security violations
- Audit controls

Web Site: www.layer7tech.com Email: info@layer7tech.com Phone: 800.681.9377
