What are XML Firewalls
Adam Vincent, Layer 7 Technologies Federal Technical Director
Prepared for Institute of Electrical and Electronics Engineers (IEEE)
Given at IEEE Chapter Meeting on April 17th, 2008 in McLean, VA

Firewalls Overview
  • Traditional firewalls do very little to mitigate XML vulnerabilities since they are normally configured to allow all ASCII traffic through port 80, and XML is ASCII.
  • XML firewalls are devices for implementing security policies, as specifically applied to XML messages.
  • The following slides review XML firewalls, with a focus on how they are used to mitigate security risks.
  • The focus of this section will be on boundary protection, although when you look at an SOA it is important to look at the entirety of the architecture.
  • Providing boundary protection is a necessary step to providing end-to-end security.
What is an XML Firewall?

What is a Firewall?
Definition: Limits access between networks in accordance with local security policies.
[Figure labels: Firewall, Policies]

Firewall Implements a Policy
The policy specifies:
  • all the factors that must be considered when making a decision
  • what actions should be taken upon making a decision
The firewall implements the policy.

Two Categories of Firewalls
Network firewalls (a.k.a. IP/port firewalls): decisions are made based purely upon factors relating to the packet's origin and destination:
  • Where did the packet come from?
  • Who originated the packet?
  • Where is its destination?
  • What time did the packet arrive?
Application firewalls: decisions are made based upon the content of the message:
  • Is the content of the message acceptable?
  • Is the content a high-value transaction?
  • Is the content a low-value transaction?
  • Is the content of the message structured appropriately?

Two Categories of Firewalls (figure)
  • Network firewalls: check IP/port
  • Application firewalls: check message content
Note: many routers already do this checking

What is an XML Firewall?
Definition: An XML firewall is a tool that takes as input an XML document/message and enforces security policies.
[Figure: XML arrives at the XML Firewall, which consults its Policies: "What should I do with this XML document/message?"]

Example Deployment
[Figure: example deployment]

XML Firewalls can do IP/Port checking and content checking
  • Stateful Inspection: analysis of data within the lowest levels of the protocol stack in order to compare the current session with previous ones for detection of suspicious activity.
  • Deep Packet Inspection: analysis of the content of a through-passing packet, searching for illegal statements to decide if the packet can pass.
[Figure labels: Check IP/port (packet firewalls); Check message content (application firewalls); XML Firewalls; Stateful Inspection; Deep Packet Inspection. Note: many routers already do this checking.]

What Factors Enter into an XML Firewall's Decision?
Decisions can be made based upon countless factors, e.g.:
Package-based factors:
  • Where did the connection/message come from?
  • Who originated the connection/message?
  • Where is its destination?
  • What time did the connection/message arrive?
  • What time was the connection/message sent?
Content-based factors:
  • Is the content of the message acceptable?
  • Is the content a high-value transaction?
  • Is the content a low-value transaction?
  • Is the content of the message structured appropriately?
  • Is the XML security header formatted correctly?

What Actions can an XML Firewall Take?
If the firewall decides the message/document is not acceptable for propagation, it may:
  • log the document
  • return the document
  • discard the document
  • etc.
If the firewall decides the message/document is acceptable for propagation, it may:
  • simply forward it along
  • route it along a special path
  • delay sending it along for a period of time
  • etc.

Example of a Check that an XML Firewall may Perform
  • "Does the XML conform to the data business rules, i.e., does it validate against an XML Schema defining the business rules?"
  • "Does the XML contain malicious code?"
  • "Does the Message Level Security component of the message comply with the DoD/IC requirements?"
  • "Authentication/Authorization of the sender/message creator"

Policy Enforcement Point (PEP)
  • It enforces that the message adheres to the policy, and may per policy take input from one or more external resources to use in its enforcement process.
  • XML Firewalls provide centralized management and enforcement when acting as a PEP.
[Figure caption: This is analogous to the PEP.]

Policy Decision Point (PDP)
  • Makes a decision based upon destination resource and calling entity.
  • It sends the decision to a PEP, which carries out enforcement.
  • XML Firewalls can utilize inputs from a PDP, or can act as a PDP when one is not available.
[Figure labels: PEP, PDP]

Attribute Services (AS)
  • Provides attributes about resources and/or entities as inputs to a PDP.
  • XML Firewalls can utilize inputs from an Attribute Service, or can act as an AS when one is not available.
[Figure labels: PDP, AS, PEP]

Firewalls and PEP/PDP/AS
  • A firewall can act as either a PEP, a PDP, or an AS.
  • When a firewall is acting as a PEP, it "consults" a PDP service (externally or internally), gives it information about what it knows, and asks "What should I do?"
  • Thus, a firewall must always have both a PEP and a PDP.
  • A firewall may provide a PEP, a PDP, and an AS.
[Figure labels: PDP, Traffic inputs, Firewall, Firewall, AS]

Firewall acting as a PEP only
[Figure: the firewall (acting as a PEP only) performs Threat Protection, Verify Message Security, Audit, and Call out to PDP. Exchange shown between the firewall, the PDP service and the Attribute service:
  • "Bob wants to send a message to Service A"
  • "Tell me about Bob"
  • "Bob is in the Army"
  • "Do this"
Other labels: Policies doc, Policies]

More Realistic use of an XML Firewall
[Figure: the XML Firewall (PEP) performs Threat Protection, Verify Message Security, Audit, and Authenticate/Authorize via ABAC. Other labels: PDP service, Attribute service, Attribute Repository (LDAP), Policies doc]

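The PEP / PDP / Attribute Service exchange from the slides above ("Bob wants to send a message to Service A", "Tell me about Bob", "Bob is in the Army", "Do this"), as an added Python sketch that is not part of the original deck. The class names, the in-memory attribute store, the policy table and the deny-on-PDP-failure behaviour are assumptions made for the illustration.

```python
# Constructed attribute store; the slides name an LDAP attribute repository.
ATTRIBUTE_STORE = {
    "bob": {"organization": "Army"},
    "eve": {"organization": "Contractor"},
}

# Constructed ABAC policy: resource -> attribute name -> allowed values.
POLICY = {
    "ServiceA": {"organization": {"Army"}},
}


class AttributeService:
    """AS: answers "Tell me about Bob"."""

    def lookup(self, subject):
        return dict(ATTRIBUTE_STORE.get(subject, {}))


class PolicyDecisionPoint:
    """PDP: decides from the calling entity and the destination resource."""

    def __init__(self, attribute_service):
        self.attribute_service = attribute_service

    def decide(self, subject, resource):
        rule = POLICY.get(resource)
        if rule is None:
            return "Deny"  # no policy for this resource: default deny
        attributes = self.attribute_service.lookup(subject)
        for name, allowed in rule.items():
            if attributes.get(name) not in allowed:
                return "Deny"
        return "Permit"


class UnavailablePDP:
    """Stand-in for a PDP service that cannot be reached."""

    def decide(self, subject, resource):
        raise ConnectionError("PDP unreachable")


class PolicyEnforcementPoint:
    """PEP: asks the PDP "What should I do?", then enforces and audits."""

    def __init__(self, pdp):
        self.pdp = pdp
        self.audit_log = []   # (subject, resource, decision, reason)
        self.delivered = []   # messages actually forwarded

    def handle(self, subject, resource, message):
        try:
            decision = self.pdp.decide(subject, resource)
            reason = "pdp-decision"
        except Exception as exc:
            # Assumed behaviour: fail closed when no decision is available.
            decision = "Deny"
            reason = f"pdp-error: {exc}"
        self.audit_log.append((subject, resource, decision, reason))
        if decision != "Permit":
            return False  # message is discarded, not forwarded
        self.delivered.append((resource, message))
        return True


if __name__ == "__main__":
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(AttributeService()))
    for who in ("bob", "eve"):
        print(who, pep.handle(who, "ServiceA", "<PurchaseOrder/>"))
    print(pep.audit_log)
```
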
XML Acceleration (1 of 2)
  • XML is verbose and processing can be time consuming.
  • XML Firewalls provide mechanisms to accelerate XML processing:
      • Utilize hardware-based mechanisms to accelerate XML processing
      • Utilize low-level software processing capabilities and pipelining to accelerate XML processing
  • Back-end applications are relieved from doing all of this XML processing.
[Figure labels: XML, XML Firewall, Policies, New XML, Policy Verified, Policy Un-verified, Back-end applications]

XML Acceleration (2 of 2)
Here's some XML processing which can be done very quickly with an XML Firewall:
  • Validate XML message against an XML Schema
  • Transform using XSLT an XML input for output to a back-end service
  • Verify message conforms to WS-Security Specification
  • XPath processing and content-based routing

Threat Detection
An XML Firewall can perform detection and mitigation of malicious code using XML as a vector of attack.
[Figure: Entity A sends an XML Purchase Order (with Malicious Code) toward Entity B; the XML Firewall applies the Malicious Code Policy: malicious code is not allowed to pass.]

Access Control
An XML Firewall can perform fine-grained authentication and authorization of a sending and receiving entity.
[Figure: Entity A sends an XML Purchase Order toward Entity B through the XML Firewall. Access Control Policy: "is allowed to send purchase orders to (B)"]

Complex Access Control
[Figure labels: Organization Green; Michelle; Dimitri; Program X; Organization Blue; Policy Enforcement Point; Secure Token Server (STS) for Federation; Policy Application Point; WS-MetadataExchange of WS-Policy Documents; WS-Trust Token Requests; WSS secure SOAP messages with bound SAML tokens; Policy Administration]

XML Schema Validation
An XML Firewall can determine whether an XML message/document conforms to an XML Schema.
[Figure labels: Entity A, XML Document, XML Firewall, XML Schema, XML Document, Entity B]

XSL Transformation
An XML Firewall can change XML messages/documents through an integrated XSLT processor.
[Figure labels: Entity A, XML Document, XML Firewall, XML Schema, New XML Document, Entity B]

XML Filtering
An XML Firewall can filter incoming XML traffic based on message size, disallowed content, other metadata, etc.
[Figure: Entity A sends a LARGE XML Document toward Entity B; the XML Firewall applies its Policies: Message Size Limit Exceeded]

Dynamic Routing
An XML Firewall routes a request based on content, network parameters or other metadata.
[Figure: Entity A sends a $1,000,000 Purchase Order; the firewall asks its Policies "Where should I route this document?" One destination is marked "Busy", the other "Not busy. Document is routed here."]

Service Virtualization/Abstraction
  • Mask back-end resources from external probing.
  • The XML Firewall shields the actual service from external attacks by acting as a virtual stand-in to the service.
[Figure: a Message to Service (A) reaches the XML Firewall and its Policies; the firewall is labelled "I'm Service (A)", and behind it: "This is the actual service (A)"]

Quality of Service (QoS)
  • Enables you to provide service priorities.
  • A $1,000,000.00 transaction will get expedited service, a $2.00 transaction will get regular service.
[Figure: a $1,000,000 Purchase Order and a $2.00 Purchase Order arrive at the firewall and its Policies: "On arrival, priority goes to $1,000,000 Purchase Order"]

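The filtering, content-based routing and QoS slides above, as one added Python sketch that is not part of the original deck. The size, depth and priority thresholds, the PurchaseOrder element names and the sample messages are assumptions; the hand-written structure check stands in for XML Schema validation, which the Python standard library does not provide.

```python
import re
import xml.etree.ElementTree as ET
from decimal import Decimal
from xml.parsers import expat

# Assumed policy values for the illustration.
MAX_BYTES = 2048
MAX_DEPTH = 6
PRIORITY_THRESHOLD = Decimal("100000.00")
AMOUNT_RE = re.compile(r"\d{1,12}(\.\d{1,2})?")


class PolicyViolation(Exception):
    pass


def prescan(raw):
    """Stream the message through expat; stop at a DTD or at excessive nesting."""
    depth = 0

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise PolicyViolation("DOCTYPE declarations are not allowed")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > MAX_DEPTH:
            raise PolicyViolation("element nesting too deep")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(raw, True)
    except expat.ExpatError as exc:
        raise PolicyViolation(f"not well-formed XML: {exc}") from None


def check_structure(root):
    """Hand-written structural check standing in for XML Schema validation."""
    if root.tag != "PurchaseOrder":
        raise PolicyViolation("unexpected root element")
    if [child.tag for child in root] != ["Buyer", "Amount"]:
        raise PolicyViolation("unexpected child elements")
    amount = (root.findtext("Amount") or "").strip()
    if not AMOUNT_RE.fullmatch(amount):
        raise PolicyViolation("Amount is not a plain decimal value")
    return Decimal(amount)


def evaluate(raw):
    """Return the firewall's decision for one message as a dict."""
    try:
        if len(raw) > MAX_BYTES:  # cheapest check first, before any parsing
            raise PolicyViolation("message size limit exceeded")
        prescan(raw)
        amount = check_structure(ET.fromstring(raw))
    except PolicyViolation as exc:
        return {"action": "discard", "reason": str(exc)}
    queue = "priority" if amount >= PRIORITY_THRESHOLD else "standard"
    return {"action": "forward", "queue": queue}


# Constructed sample messages.
BIG_ORDER = b"<PurchaseOrder><Buyer>Entity A</Buyer><Amount>1000000.00</Amount></PurchaseOrder>"
SMALL_ORDER = b"<PurchaseOrder><Buyer>Entity A</Buyer><Amount>2.00</Amount></PurchaseOrder>"
WITH_DTD = b'<!DOCTYPE PurchaseOrder [<!ENTITY note "x">]>' + SMALL_ORDER
OVERSIZED = b"<PurchaseOrder><Buyer>" + b"A" * 4096 + b"</Buyer><Amount>2.00</Amount></PurchaseOrder>"

if __name__ == "__main__":
    for label, msg in [("big", BIG_ORDER), ("small", SMALL_ORDER),
                       ("dtd", WITH_DTD), ("oversized", OVERSIZED)]:
        print(label, evaluate(msg))
```
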
Auditing
Provides service-level auditing capabilities:
  • Number of requests
  • Types of requests
  • Where requests originate
[Figure labels: Firewall, Audit Data, Service 1, Service 2]

Virus Detection (1 of 2)
Many XML Firewalls offer virus detection capabilities:
  • Viruses in attachments (MIME and DIME messages)
  • Viruses in XML content
[Figure labels: Virus, Firewall, "Virus Detected!"]

Virus Detection (2 of 2)
How XML Firewalls offer virus protection
[Figure labels: Firewall, External Virus Engine, Symantec/Other Scanner, Virus Def Update]

Conclusions
  • Whew… You now know everything … Just kidding
  • Keep in mind that SOA is a moving target and changes by the day!
Questions & Comments: Adam Vincent [email_address] 703-965-1771
