Slide 1 (© 2005 Cisco Systems, Inc. All rights reserved. Cisco Public)
What is AON to Cisco IT: Architecture and Function
Hicham Tout, IT Engineer, IT Infrastructure; Sandeep Puri, IT Engineer, IT Infrastructure; Khaldoun Rayes, IT Engineer, IT Infrastructure
Slide 2
AON (Application Oriented Networking) Is:
• A blade/module
• Delivering a set of application and service support utilities
• That help clients to communicate safely and well with applications by providing: Security, Reliability, Manageability, Targeted Service
Form factors: Catalyst 6500 blade; 2600/2800/3700/3800 module
Slide 3
What Is AON to Cisco IT vs. What AON Is Not
What AON is:
• A message router between end points
• A message transformer/mapper
• A service and integration hub with WS management capabilities
What AON is not:
• A general-purpose application server
• An orchestration engine
Slide 4
What Role Does AON Play?
• Service broker in SOA
• Integration broker in application integration
• Security integrator
Slide 5
AON and the OSI Stack
Physical: data bits transmission
Data Link: data translation to frames
Network: IP, logical addressing
Transport: TCP, UDP
Session: RPC, NFS
Presentation: ASCII, MPEG, GIF, etc.
Application: message-level protocol (SOAP)
AON operates at the application layer: content-based routing; content inspection, transformation, security and mapping.
Slide 6
AON Components
• ADS (AON Design Studio): used for developing application policies
• AMC (AON Management Console): used for configuring and provisioning AON modules/blades
• AON blades
• Log DB
Slide 7
AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital signature (for strong authentication)
• DMZ-to-application layer secure connector (like SSH or STA)
Slide 8
These AON Security Functions... Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services

AON Security Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Encryption using SSL v3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited
XML payload encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
Protocol translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital signature | Custom written by each app using Java libraries | Limited | STA (Secure Transport Architecture), custom | Varies for each environment
DMZ-to-app layer secure connector | mod_IIOP over SSH pipes | Reverse proxy | STA (Secure Transport Architecture), custom | Varies for each environment
Slide 9
AON Delivers the Following Support Utilities for Reliability, Manageability and Targeted Service
Reliability:
• Reliable delivery
Manageability:
• Message and transaction-level logging
• Transaction monitoring
Targeted service:
• Service versioning (allows multiple versions of a single service to run simultaneously)
• Message/content-based routing (routes messages based on contents and/or business rules)
Slide 10
These AON Reliability and Manageability Functions... Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco Services

AON Reliability Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Reliable delivery | Custom written with limited capabilities | WebMethods specific; requires significant setup effort | Custom written with limited capabilities | Custom written with limited capabilities

AON Manageability Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Message and transaction-level logging | Custom written by each app | WebMethods specific | Custom written by each app | Limited
Monitoring (transaction level) | Custom written by each application | WebMethods specific; limited to WebMethods transactions | Custom written by each application | Custom written and/or product/technology specific
Slide 11
These AON Targeted Service Functions... Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco Services

AON Targeted Service Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Service versioning | Custom written with limited capabilities | Custom written with limited capabilities | Custom written with limited capabilities | Custom written with limited capabilities
Message/content-based routing | Custom written with limited capabilities | WebMethods specific; limited to WebMethods transactions | Custom written by each application | Custom written and/or product/technology specific
Slide 12
AON Features Deployed within Cisco IT
The goal is to have AON play the role of services management broker/gateway and be the single virtual gateway for all Web and B2B services. Below is a list of important features, many of which have been formalized as requirements:
• Authentication
• Monitoring
• Service versioning
• Encryption and digital signatures
• Message-level load balancing and distribution
• Logging
• Message and content-based routing
• Protocol translation
• Secure tunneling across firewalls
• Contracts
• Billing
Slide 13
Before AON: Current Location of Application and Service Support Utilities
Figure: Firewall / DMZ / Firewall / Application layer / Firewall / Internal DBs. Each of External Env 1, External Env 2 and B2B carries its own copy of:
• Environment/technology-specific authentication, SSL v3 termination, DSIG validation and encryption (in the DMZ)
• Custom, application-based content inspection/routing, schema validation, logging and service versioning (in the application layer)
Slide 14
After AON: Future Location of Application and Service Support Utilities
Figure: Firewall / DMZ / Firewall / Application layer / Firewall / Internal DBs. Common utilities move onto AON in the DMZ and application layer; business logic (Java, PERL, B2B) stays in the application layer.
AON provides:
• SSL termination • Signature/certificate validation • Authentication • Logging • Content-based routing
• Protocol conversion • Payload encryption • Payload decryption • Schema validation
Slide 15
Who Would Benefit From AON?
Service developers: • Reduces development lifecycle • Builds on existing services
Business: • Time-to-market • Lower development and maintenance cost
Information security: • Simpler security model • Better visibility
Infrastructure: • Reduced complexity • Better visibility
Enterprise architects
Slide 16
Cisco IT Recommended AON Architecture
Figure: Firewall / DMZ / Firewall / App Server layer. A DMZ AON cluster handles SSL termination, DSIG/certificate validation, authentication, logging, etc.; it speaks AONSP to an application-layer AON cluster that performs payload decryption, schema validation, content inspection/routing and logging; a further cluster performs protocol conversion (HTTP to JMS), content-based routing and logging, and the outbound path performs payload encryption, DSIG and logging. Back ends: App1, Svc2, Svc3, a gateway, a JMS server and an application directory service, reached over HTTP(S) and JMS.
Slide 17
Before AON: Transformation and Mapping
Figure: External Env 1 reaches internal systems through a proxy web service (SOAP/HTTP(S)) that uses a JMS library. A messaging bus carrying transformation/mapping and automated business processes connects Internal Env 1 and Internal Env 2 (custom applications, JMS libraries, adaptors, OCM, JDBC, HTTP/SQL web services) to back-end systems, packages and databases (internal DBs).
Slide 18
After AON: Phase I
Figure: same layout as slide 17. AON blades replace the proxy web services on External Env 1 (SOAP/HTTP(S) now terminates on AON); transformation/mapping and the automated business processes remain on the messaging bus.
Slide 19
After AON: Phase II
Figure: AON with transformation/mapping sits between SOAP/HTTP(S) callers and the back-end systems, packages and databases (HTTP/SQL web services, internal DBs). AON blades could also replace the business process and transformation engine by providing transformation/mapping capabilities in addition to the proxy web service layer (Phase 2).
Slide 21
Using AON vs. B2B Gateway
Figure: customers and partners on the Internet send SOAP/HTTP(S), XML/HTTP(S), RNIF, EDI/AS2 and flat file/HTTP(S) traffic; a legacy B2B gateway on the enterprise network fronts the distributed enterprise services.
Slide 22
Protocol Relationships
Figure: Web Services protocol set stacked as TCP/IP, HTTP, SOAP, WS-Security (XML-Digital Signature (DSIG) and XML-Encryption (XENC)). AON acts as the service broker; WSDL and UDDI are exchanged out of band.
Slide 23
What Role Does AON Play in SOA?
• Service broker: application-level message routing, application/service security, application-level monitoring, service abstraction, protocol translation, transformation and mapping
• Message schema validation
Slide 24
What Role Does AON Play in Application Integration?
• Protocol translation
• Transformation and mapping
• Message schema and data validation
Slide 25
Cisco IT AON Production: Intangible Benefits
• Faster time to delivery by reducing the development lifecycle
• Better security, made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements by individual applications
• Moving intelligence into the network
Slide 26
Cisco IT View of AON
An invisible message router/gateway in the network that routes, transforms, monitors and authenticates/authorizes messages between end points.
Slide 27
How Can AON Be Invisible?
An AON node resides in the network as an inline, application-aware device. The device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications.
Slide 28
AON Modes of Operation
Transparent mode: intercept with no change to applications.
Figure: Sending Application A addresses http://B/Service1; the integrated switch/AON blade, based on a WCCP redirect ACL, intercepts the traffic and forwards it to AON before it reaches Receiving Application B.
Slide 29
AON Best Practices: A Cisco IT Perspective
Slide 30
Best Practices: Logical Diagram
Figure: same layout as slide 16 (Firewall / DMZ / Firewall / App Server layer), with a log DB and AONSP between the DMZ and application AON clusters.
• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties
Slide 31
Best Practices: Provisioning and Management
Figure: same layout as slide 30.
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention utilizing standard name spacing
• Implement isolation by sandboxing the development environment by project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes into account all of the above
Slide 32
Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com integration (contacts, leads, etc.)
Slide 33
Q and A

Slide 34
Intermission
Coming up in the next hour:
• Security with AON
• AON deployment timelines within Cisco IT
• AON business case within Cisco IT
Slide 35
Security with AON
Brook Schoenfield, Senior Security Architect, CSPO
Slide 36
Agenda
• Where does AON fit into the bigger picture?
• What is AON?
• AON security features/architecture: combining layer 3/4 and layer 7+; common security functions; deep content inspection; access controls

Slide 37
Agenda
• Where does AON fit into the bigger picture? What is Service Oriented Architecture (SOA)? What is application integration?
• What is AON?
• AON security features/architecture: combining layer 3/4 and layer 7+; common security functions; deep content inspection; access controls
Slide 38
SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)
Slide 39
SOA Is Now
"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects."
Gartner Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001
This is FYQ06; enterprises are looking for that 30% gain.
Slide 40
AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"

Slide 41
Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business-process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions
Slide 42
Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)
Slide 43
Complexity (and Risk) Increase with Adoption
Figure: Partner 1, Partner 2 ... Partner n, Self-Service, Inventory Management and Call Center all consuming the same services.
Slide 44
Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
The code's internal state is not openly exposed:
• Only well-defined requests are serviced
• Requests do not reveal the service's algorithms
• Requests do not describe the service's state
• Requests provide services, not data access
Services should not share ACID transactions:
• Transactions imply a certain level of trust
• Locks may be held for a long time
• Transactions imply a level of coupling
(Microsoft Incorporated)
Slide 45
Agenda
• Where does AON fit into the bigger picture?
• What is AON?
• AON security features/architecture: combining layer 3/4 and layer 7+; common security functions; deep content inspection; access controls

Slide 46
What Role Does AON Play?
• Service broker in SOA
• Integration broker in application integration
• Message security integrator
Slide 47
AON and the OSI Stack
Same diagram as slide 5: Physical (data bits transmission), Data Link (data translation to frames), Network (IP, logical addressing), Transport (TCP, UDP), Session (RPC, NFS), Presentation (ASCII, MPEG, GIF, etc.), Application (message-level protocol, SOAP). AON operates at the application layer: content-based routing; content inspection, transformation, security and mapping.
Slide 48
Pre-AON Inspection and Operation
IP | TCP | HTTP | Payload (opaque)
Switches, routers, firewalls and "content inspection" operate around the payload.
Slide 49
AON Is Inside the TCP/IP Wrapper
IP | TCP | HTTP | Payload (message)
Session protocol + content inspection == session and payload.
Payload/message, for example:
    <?xml version="1.0"?>
    <purchaseOrder orderDate="1999-10-20">
      <shipTo country="US">
        <name>Alice Smith</name>
        <street>123 Maple Street</street>
        <city>Mill Valley</city>
        <state>CA</state>
        <zip>90952</zip>
      </shipTo>
      ...

Slide 50
AON Is Inside the TCP/IP Wrapper (same figure as slide 49)
Optimized for XML payloads.
Slide 51
AON == Message Content and Envelope
IP | TCP | HTTP | SOAP/WSEC envelope | XML message body
HTTP envelope (SOAP) + messages (XML envelope standards + custom XML) == "deep inspection".
Existing message bodies + custom parsing.
Slide 52
Why XML?
• TCP/IP gives you network hardware independence
• Java gives you platform independence (sort'a, kind'a; for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
Slide 53
AON Delivers the Following Support Utilities for Security
Same list as slide 7: transport-level encryption termination (SSL v3); payload encryption termination (XML); protocol translation (HTTP <--> JMS); digital signature; DMZ-to-application layer secure connector (like SSH or STA).
Slide 54
These AON Security Functions... Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
Same table as slide 8, except that the digital signature row reads: Custom written by each app using Java libraries | Limited | Custom written by each app | Limited.
Slide 55
Before AON: Current Location of Application and Service Support Utilities
Same figure as slide 13.
Slide 56
After AON: Future Location of Application and Service Support Utilities
Same figure as slide 14.
Slide 57
Agenda
• Where does AON fit into the bigger picture?
• What is AON?
• AON security features/architecture: combining layer 3/4 and layer 7+; common security functions; deep content inspection; access controls
Slide 58
AON Security
• AON fosters a better network security architecture because it reduces the unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e., layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACLs), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59
Pre-AON Web Security Architecture
Figure: Firewall / DMZ (web servers: WS, WS, WS) / Firewall / Application layer (business logic: Java, PERL, B2B) / Firewall / Internal DBs.
Slide 60
Pre-AON SOA/Web Services Security Architecture
Figure: same as slide 59, with a Web Services gateway (WSGW) added in the DMZ beside the web servers.
Slide 61
Pre-AON Attack Vectors
Figure: same as slide 60.
Slide 62
Pre-AON Attack Vectors
Figure: same as slide 60.
• The network architecture must be changed for the GW (more switches and routers = more ACLs to manage)
• The GW is NOT part of the network: a compromise at layer 3/4 can attack the application layer, going around the GW
Slide 63
A Possible (Simplified) AON Architecture
Figure: same layout as slide 59, with AON in place of the WSGW in the DMZ and a second AON in front of the business logic in the application layer.
• AON is part of the network; the application layer is directly connected to the network device
• Message protection is terminated at AON, so no unprotected segment between gateway and application is exposed as an attack vector
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64/65
AON Potential Architecture
Figure: same layout as slide 16 (Firewall / DMZ / Firewall / App Server layer; DMZ AON cluster for SSL termination, DSIG/certificate validation, authentication and logging; application-layer AON clusters for payload decryption, schema validation, content inspection/routing, protocol conversion (HTTP to JMS), content-based routing, payload encryption, DSIG and logging; App1, Svc2, Svc3, gateway, JMS server, application directory service). Web servers == AON; common application functions == AON.
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer provided by AON protect the services and logic in the application layer
Slide 66
Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "for application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions
Slide 67
Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validation (flows can contain XSLT expressions)
Slide 68
Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for XML-Signature (DSIG) == digital signature use; XML-Encryption (XENC) == encrypt/decrypt use; authenticators
• Plus more standards proposed ("alphabet soup"): Web Services Description Language (WSDL); Universal Description, Discovery and Integration (UDDI); Web Services Flow Language (WSFL); other business rules (BPEL4WS)
Slide 69
AON Implements Messaging Standards
Figure: XML protocol set stacked as TCP/IP, HTTP, SOAP, WS-Security (XML-Encryption (XENC), XML-Digital Signature (DSIG), XML expressions (XSLT)). AON: security integrator, SOA.

Slide 70
Standards Relationships
Figure: same stack as slide 69. AON: accelerated XML services.
Slide 71
Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used over the entire message or for parts of a message; uses certificate or key enveloping (WSSEC); DSIG is very general purpose
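The "parts of a message" point above is easy to get wrong: a signature over one element must survive whitespace and serialization changes elsewhere in the document, yet fail the moment the signed element is altered. The example below, added here and not code from the deck or from Cisco's AON product, shows the mechanics with the standard library only: the element named by a reference path is canonicalized and signed, a detached Signature element is attached to the root, and verification recomputes the value over the referenced element only. An HMAC with a constructed shared key stands in for the X.509 RSA signature that real XML-DSIG/WS-Security would use; the purchase order is constructed after the slide 49 sample.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import canonicalize

# Constructed shared key.  It stands in for the X.509 key pair a real XML-DSIG
# deployment would use; HMAC is used only so the example runs on the stdlib.
KEY = b"demo-signing-key-not-for-production"

# Constructed order, modelled on slide 49: shipTo is what the partner commits to;
# the comment is free text nobody signs.
ORDER = """<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <zip>90952</zip>
  </shipTo>
  <comment>Leave at the door</comment>
</purchaseOrder>"""


def c14n(elem: ET.Element) -> bytes:
    """Canonical form of one element (C14N 2.0 via the stdlib).  Signer and
    verifier must hash the same bytes even if whitespace was reflowed in transit."""
    part = copy.deepcopy(elem)
    part.tail = None                       # ignore text that follows the element
    return canonicalize(ET.tostring(part, encoding="unicode"), strip_text=True).encode()


def sign_part(doc: str, path: str) -> str:
    """Sign only the element found at `path` and attach a detached Signature element
    (the analogue of a <ds:Signature> with a <ds:Reference URI="...">) to the root."""
    root = ET.fromstring(doc)
    target = root.find(path)
    if target is None:
        raise ValueError(f"nothing to sign at {path}")
    mac = hmac.new(KEY, c14n(target), hashlib.sha256).hexdigest()
    sig = ET.SubElement(root, "Signature", {"ref": path, "alg": "hmac-sha256"})
    sig.text = mac
    return ET.tostring(root, encoding="unicode")


def verify_part(doc: str) -> bool:
    """Recompute the MAC over the referenced element; anything outside it may change freely."""
    root = ET.fromstring(doc)
    sig = root.find("Signature")
    if sig is None or sig.get("alg") != "hmac-sha256":
        return False
    ref = sig.get("ref")
    if not ref:
        return False
    target = root.find(ref)
    if target is None or target is sig:
        return False
    expected = hmac.new(KEY, c14n(target), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig.text or "")


if __name__ == "__main__":
    signed = sign_part(ORDER, "shipTo")
    print(verify_part(signed))                                             # True
    print(verify_part(signed.replace("Leave at the door", "Ring twice")))  # True: unsigned part
    print(verify_part(signed.replace("90952", "90953")))                   # False: signed part altered
```

Two things carry over to a real DSIG deployment: canonicalize before hashing (otherwise an intermediary that pretty-prints the XML breaks every signature), and make the verifier locate the signed element from the signature's own reference rather than from where it expects the element to be, so a wrapped or moved element cannot pass as the original.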
Slide 72
Encryption/Decryption
• Confidentiality
• Integrity (only when paired with a signature or MAC; encryption by itself does not detect modification)
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Slide 73
Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials: X.509 certificate; signature validation (DSIG, certificate based)
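The "SOAP enveloped (header)" credential above is, in practice, a WS-Security UsernameToken, and the gateway has to do more than compare a password: the PasswordDigest form binds a nonce and a Created timestamp into the hash, so the verifier must enforce freshness and reject replayed nonces or the token is no better than Basic auth over the wire. The following is an added example, not code from the deck or from AON; it builds a SOAP 1.1 request with a UsernameToken and verifies it the way a broker in front of an LDAP store would. The credential store, the fixed clock and the principal name are constructed test data; the namespace URIs and the digest formula are the ones from the OASIS UsernameToken profile.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Tuple
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

# Stand-in for the enterprise LDAP store on slide 73 (constructed test data).
CREDENTIAL_STORE = {"partner-a": "correct horse battery staple"}
NOW = datetime(2005, 9, 1, 12, 0, 0, tzinfo=timezone.utc)   # fixed clock for the demo


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest as defined by the WSS UsernameToken profile:
    Base64(SHA-1(nonce + created + password))."""
    h = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(h).decode()


def make_envelope(user: str, password: str, nonce: bytes, created: str) -> bytes:
    """What a client sends: a SOAP 1.1 request with a UsernameToken in the Security header."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
      <wsse:UsernameToken>
        <wsse:Username>{user}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><orderStatus orderId="42"/></soap:Body>
</soap:Envelope>""".encode()


def verify_username_token(envelope: bytes, now: datetime, seen_nonces: set,
                          max_skew: timedelta = timedelta(minutes=5)) -> Tuple[bool, str]:
    """Gateway side: return (True, username) or (False, reason)."""
    root = ET.fromstring(envelope)
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return False, "no UsernameToken"
    user = token.findtext("wsse:Username", default="", namespaces=NS)
    pw = token.find("wsse:Password", NS)
    nonce_b64 = token.findtext("wsse:Nonce", default="", namespaces=NS)
    created = token.findtext("wsu:Created", default="", namespaces=NS)
    if pw is None or pw.get("Type") != DIGEST_TYPE:
        return False, "plaintext or missing password rejected"
    if not (nonce_b64 and created):
        return False, "nonce and Created are required with PasswordDigest"
    try:
        created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "bad Created timestamp"
    if abs(now - created_at) > max_skew:
        return False, "Created outside freshness window"
    if nonce_b64 in seen_nonces:                # same nonce presented twice: replay
        return False, "nonce replayed"
    password = CREDENTIAL_STORE.get(user)
    # Compute the digest even for unknown users so timing does not reveal valid names.
    expected = password_digest(base64.b64decode(nonce_b64), created, password or "")
    if password is None or not hmac.compare_digest(expected, pw.text or ""):
        return False, "bad credentials"
    seen_nonces.add(nonce_b64)
    return True, user


def demo() -> list:
    """A good request, its replay, a wrong password and a stale token, in that order."""
    seen = set()
    created = "2005-09-01T12:00:00Z"
    good = make_envelope("partner-a", "correct horse battery staple", b"0123456789abcdef", created)
    wrong = make_envelope("partner-a", "wrong password", b"fedcba9876543210", created)
    stale = make_envelope("partner-a", "correct horse battery staple", b"feedfacecafebeef",
                          "2005-09-01T11:00:00Z")
    return [verify_username_token(good, NOW, seen),
            verify_username_token(good, NOW, seen),
            verify_username_token(wrong, NOW, seen),
            verify_username_token(stale, NOW, seen)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The nonce cache only needs to remember nonces for the freshness window, which is why the two checks belong together; without the Created check the cache would have to grow forever. A real gateway would also insist on the token arriving over the SSL-terminated path from slide 7, since PasswordDigest protects the password but not the request body.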
Slide 74
Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out of the box)
• A very general-purpose mechanism for controlling message access and routing
Slide 75
Deep Content Inspection
• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets": code that can use the same services as AON's internal content handling code, and so handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out of the box)
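Slides 44, 74 and 75 describe one pipeline without showing it: a message is matched against signatures before it is parsed, then parsed, then checked against a message-level ACL and data-range rules, and only then routed by content. The example below is added here (it is not deck or AON code) and runs that flow over the purchase order from slide 49 plus a constructed hostile message carrying an internal DTD. The signature set, the ACL, the principal names and the routing targets are all hypothetical; the point is the ordering, in particular that the byte-level signature check runs before the XML parser ever sees the message.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample, modelled on the purchaseOrder payload from slide 49
# (the XML Schema primer example); not a real Cisco message.
PURCHASE_ORDER = b"""<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>
"""

# Constructed hostile message: an internal DTD, the usual carrier for entity
# expansion and XXE against the XML parser behind the gateway.
DTD_MESSAGE = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa">]>'
               b'<purchaseOrder orderDate="1999-10-20">&a;</purchaseOrder>')

MAX_BYTES = 64 * 1024

# "Firewall signatures" (slides 74/75): byte patterns that stop a message
# before it reaches a parser or a back-end service.  Illustrative set only.
SIGNATURES = {
    "xml-dtd": re.compile(rb"<!DOCTYPE", re.I),
    "xml-entity": re.compile(rb"<!ENTITY", re.I),
    "script-in-payload": re.compile(rb"<script\b", re.I),
}

# Message-level ACL (slide 67): root element -> principals allowed to send it.
ACL = {
    "purchaseOrder": {"partner-a", "partner-b"},
    "orderStatus": {"partner-a", "partner-b", "customer-portal"},
}

# Content-based routing table: root element -> back-end endpoint (hypothetical).
ROUTES = {
    "purchaseOrder": "jms://orders.inbound",
    "orderStatus": "http://order-status.internal/svc",
}


def inspect(raw: bytes) -> Optional[str]:
    """Return the name of the first signature that fires, or None if the bytes look clean."""
    if len(raw) > MAX_BYTES:
        return "oversize"
    for name, pattern in SIGNATURES.items():
        if pattern.search(raw):
            return name
    return None


def validate_purchase_order(root: ET.Element) -> Optional[str]:
    """Format and data-range checks for a purchaseOrder; returns a reason or None."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", root.get("orderDate", "")):
        return "bad orderDate"
    ship_to = root.find("shipTo")
    if ship_to is None:
        return "missing shipTo"
    for tag in ("name", "street", "city", "state", "zip"):
        if not (ship_to.findtext(tag) or "").strip():
            return f"missing shipTo/{tag}"
    if ship_to.get("country") != "US":
        return "unsupported country"
    if not re.fullmatch(r"\d{5}", ship_to.findtext("zip")):
        return "zip out of range"
    return None


VALIDATORS = {"purchaseOrder": validate_purchase_order}


def run_flow(raw: bytes, principal: str) -> Tuple[str, str]:
    """One message through the flow: inspect, parse, authorize, validate, route.
    Returns ("ROUTE", endpoint) or ("REJECT", reason)."""
    sig = inspect(raw)
    if sig:
        return "REJECT", f"signature fired: {sig}"
    try:
        root = ET.fromstring(raw)          # parse only after the byte-level checks
    except ET.ParseError as e:
        return "REJECT", f"not well-formed: {e}"
    if root.tag not in ROUTES:
        return "REJECT", f"unknown message type: {root.tag}"
    if principal not in ACL.get(root.tag, set()):
        return "REJECT", f"{principal} may not send {root.tag}"
    validator = VALIDATORS.get(root.tag)
    reason = validator(root) if validator else None
    if reason:
        return "REJECT", reason
    return "ROUTE", ROUTES[root.tag]


if __name__ == "__main__":
    print(run_flow(PURCHASE_ORDER, "partner-a"))   # ('ROUTE', 'jms://orders.inbound')
    print(run_flow(DTD_MESSAGE, "partner-a"))      # ('REJECT', 'signature fired: xml-dtd')
```

The rejection reasons are what the content IDS on slide 75 would raise as alarms; the routing target is what the content-based router on slide 9 would use. Whether a given parser expands internal entities varies by library and version, which is exactly why the DOCTYPE signature sits in front of the parser rather than relying on the parser's own settings.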
Slide 76
AON Components
• AMC (AON Management Console): used for configuring and provisioning AON modules
• ADS (AON Design Studio): used for developing application policies ("flows")
• AON blades
• Log DB
Slide 77
Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, at the AON component, and through AON access controls.
Slide 78
Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture: combining layer 3/4 and layer 7+ security controls; common security functions (signatures, encryption, PKI); deep content inspection, content-level ACLs; reasonable administrative access controls
Slide 79 (Session Number 11657_09_2005_c1)
Q and A
2copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Application Oriented Networking Ismdash
bull A blademodule
bull Delivering a set of application and service support utilities
bull That help clients to communicate safely and well with applications by providing
bull SecurityReliability
Manageability
Targeted Service
Catalyst 6500 Blade
2600280037003800 Module
3copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Is AON to Cisco IT vs What AON Is Not
What AON isbull A Message Router between end points
bull A message transformermapper
bull A service and integration hub with WS management capabilities
What AON is notbull A general purpose application Server
bull An orchestration engine
4copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON Play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Security Integrator
5copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to frames
Physical Data Bits transmission
6copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
ADS (AON Design Studio)Used for DevelopingApplication Policies
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules AON Blades
AON
LOG DB
7copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature (for strong authentication)
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
Slide 8: These AON Security Functions Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services

AON security function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other environments
Encryption using SSL v3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited
XML payload encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
Protocol translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital signature | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
DMZ-to-application-layer secure connector | mod_IIOP over SSH pipes, reverse proxy | STA (Secure Transport Architecture), custom | Varies for each environment | Varies for each environment
Slide 9: AON Delivers the Following Support Utilities for Reliability, Manageability and Targeted Service
Reliability
• Reliable delivery
Manageability
• Message- and transaction-level logging
• Transaction monitoring
Targeted service
• Service versioning (allows multiple versions of a single service to run simultaneously)
• Message/content-based routing (routes messages based on contents and/or business rules)
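Service versioning and message/content-based routing are the targeted-service utilities an AON flow would implement. As an added example (not Cisco IT or AON code), the Python below routes a SOAP 1.1 request on three things a flow could inspect: the operation element in the Body, a version hint in the Header, and a Region element in the payload, so that two versions of the same service run side by side and a content rule steers part of the traffic to a regional endpoint. The service and header namespaces, the endpoints and the sample request are assumptions made for this illustration; a request whose operation or namespace is unknown is refused rather than forwarded.

```python
"""Content-based routing of SOAP 1.1 requests with service versioning.

Added example, not Cisco IT or AON code. Namespaces, the version header,
the routing table and the sample request are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from typing import Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:orderstatus"      # assumed service namespace
ROUTE_NS = "urn:example:routing"        # assumed header namespace for the version hint

# (operation, major version, region) -> backend endpoint; region None is the default.
# Two versions of GetOrderStatus run simultaneously (service versioning) and EMEA
# traffic for v2 is steered to a regional queue (content-based routing).
ROUTES = {
    ("GetOrderStatus", 1, None): "jms://orderstatus.v1.request",
    ("GetOrderStatus", 2, None): "jms://orderstatus.v2.request",
    ("GetOrderStatus", 2, "EMEA"): "jms://orderstatus.v2.emea.request",
    ("GetRmaStatus", 1, None): "http://rma-svc.internal/v1",
}


class RoutingError(Exception):
    """Raised for anything that is not a well-formed, known request."""


def route(soap_xml: str) -> str:
    """Return the backend endpoint for a SOAP request or raise RoutingError."""
    root = ET.fromstring(soap_xml)
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        raise RoutingError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise RoutingError("Body must carry exactly one operation element")
    op = body[0]
    ns, _, operation = op.tag[1:].partition("}")   # "{ns}Local" -> ns, Local
    if ns != SVC_NS:
        raise RoutingError(f"unknown service namespace {ns!r}")

    # Version defaults to 1 when the header is absent; a malformed header is an error, not a default.
    version = 1
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is not None:
        v = header.findtext(f"{{{ROUTE_NS}}}ServiceVersion")
        if v is not None:
            if not v.strip().isdigit():
                raise RoutingError("malformed ServiceVersion header")
            version = int(v)

    # Content rule: a Region element inside the operation may select a regional endpoint.
    region = (op.findtext(f"{{{SVC_NS}}}Region") or "").strip().upper() or None
    endpoint = ROUTES.get((operation, version, region)) or ROUTES.get((operation, version, None))
    if endpoint is None:
        raise RoutingError(f"no route for {operation} v{version}")
    return endpoint


def try_route(soap_xml: str) -> Optional[str]:
    """route() that reports a refusal as None instead of raising."""
    try:
        return route(soap_xml)
    except (RoutingError, ET.ParseError):
        return None


def sample_request(operation: str, version: Optional[int] = None,
                   region: Optional[str] = None) -> str:
    """Build a constructed request for testing; not a captured message."""
    header = (f'<s:Header><r:ServiceVersion xmlns:r="{ROUTE_NS}">{version}'
              f"</r:ServiceVersion></s:Header>") if version else ""
    region_el = f"<Region>{region}</Region>" if region else ""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}">{header}<s:Body>'
            f'<{operation} xmlns="{SVC_NS}"><OrderId>SO-1001</OrderId>{region_el}</{operation}>'
            "</s:Body></s:Envelope>")


if __name__ == "__main__":
    for req in (sample_request("GetOrderStatus"),
                sample_request("GetOrderStatus", 2, "emea"),
                sample_request("DeleteEverything", 1)):
        print(try_route(req))
```

The refusal path matters as much as the routing table: the broker forwards only requests it has positively matched, which is the "not everyone will be served" stance the security talk later in this deck asks for.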
Slide 10: These AON Reliability and Manageability Functions Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco Services

AON reliability function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other environments
Encryption using SSL v3 with bi-directional authentication | Custom written with limited capabilities | WebMethods specific; requires significant setup effort | Custom written with limited capabilities | Custom written with limited capabilities

AON manageability function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other environments
Encryption using SSL v3 with bi-directional authentication | Custom written by each app | WebMethods specific | Custom written by each app | Limited
Monitoring (transaction level) | Custom written by each application | WebMethods specific; limited to WM transactions | Custom written by each application | Custom written and/or product/technology specific

Slide 11: These AON Targeted Service Functions Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco Services

AON targeted service function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other environments
Encryption using SSL v3 with bi-directional authentication | Custom written with limited capabilities | Custom written with limited capabilities | Custom written with limited capabilities | Custom written with limited capabilities
Message/content-based routing | Custom written with limited capabilities | WebMethods specific; limited to WebMethods transactions | Custom written by each application | Custom written and/or product/technology specific
Slide 12: AON Features Deployed within Cisco IT
The goal is to have AON play the role of services management broker/gateway and be the single virtual gateway for all web and B2B services. Below is a list of important features, many of which have been formalized as requirements:
• Authentication
• Monitoring
• Service versioning
• Encryption and digital signatures
• Message-level load balancing and distribution
• Logging
• Message- and content-based routing
• Protocol translation
• Secure tunneling across firewalls
• Contracts
• Billing
Slide 13: Before AON: Current Location of Application and Service Support Utilities
[Diagram: DMZ and application layer separated by firewalls; three environments (External Env 1, External Env 2, B2B), each with its own internal DB. Each environment carries its own copy of:]
• Environment/technology-specific: authentication, SSL v3 termination, DSIG validation, encryption
• Custom/application-based: content inspection/routing, schema validation, logging, service versioning

Slide 14: After AON: Future Location of Application and Service Support Utilities
[Diagram: the same DMZ / application-layer split; AON blades provide the common utilities in front of the business logic (Java, Perl, B2B) and the internal DBs. Common utilities moved into AON:]
• SSL termination
• SIG/cert validation
• Authentication
• Logging
• Content-based routing
• Protocol conversion
• Payload encryption
• Payload decryption
• Schema validation

Slide 15: Who Would Benefit From AON
Service developers
• Reduces the development lifecycle
• Builds on existing services
Business
• Time-to-market
• Lower development and maintenance cost
Information security
• Simpler security model
• Better visibility
Infrastructure
• Reduced complexity
• Better visibility
Enterprise architects
Slide 16: Cisco IT Recommended AON Architecture
[Diagram: Firewall / DMZ / Firewall / App Server Layer. Clients reach a cluster of AON blades in the DMZ over HTTP(S); the DMZ AON cluster talks to application-layer AON clusters over AONSP; application-layer AON reaches App1, Svc2, Svc3, a Gateway, an App Dir Svc and a JMS Server over HTTP(S) and JMS.]
Function groups shown on the diagram:
• SSL termination, DSIG/cert validation, authentication, logging, etc.
• Payload decryption, schema validation, content inspection/routing, logging
• Protocol conversion (HTTP-to-JMS), content-based routing, logging
• Payload encryption, DSIG, logging, etc.
Slide 17: Before AON: Transformation and Mapping
[Diagram: a messaging bus connects back-end systems, packages and databases to a proxy web service (JMS library); a transformation/mapping and automated business-process engine (Internal Env 1: JMS library, adaptor, OCM, JDBC); custom applications (Internal Env 2: JMS library, JDBC); and External Env 1. Web services reach the bus over HTTP/SQL; external traffic arrives as SOAP over HTTP(S); internal DBs sit behind.]

Slide 18: After AON, Phase I
[Diagram: the same bus; AON blades replace the proxy web services on External Env 1 (SOAP over HTTP(S)); transformation/mapping and the automated business process remain on Internal Env 1.]

Slide 19: After AON, Phase II
[Diagram: AON with transformation/mapping in front of the back-end systems, packages and databases; SOAP over HTTP(S) in, HTTP/SQL to web services and internal DBs.]
AON blades could also replace the business process and transformation engine by providing transformation/mapping capabilities in addition to the proxy web service layer (Phase 2).
Slide 21: Using AON vs B2B Gateway
[Diagram: customers and partners on the Internet reach the enterprise network. SOAP/HTTP(S), XML/HTTP(S) and flat file/HTTP(S) traffic goes through AON to distributed enterprise services; RNIF and EDI/AS2 traffic goes through the legacy B2B gateway.]

Slide 22: Protocol Relationships
[Diagram: the web services protocol set, bottom to top: TCP/IP, HTTP, SOAP, WS-Security, with XML-Digital Signature (DSIG) and XML-Encryption (XENC) alongside; AON acts as service broker. WSDL and UDDI are exchanged out of band.]
Slide 23: What Role Does AON Play in SOA
• Service broker:
  Application-level message routing
  Application/service security
  Application-level monitoring
  Service abstraction
  Protocol translation
  Transformation and mapping
• Message schema validation

Slide 24: What Role Does AON Play in Application Integration
Application integration:
• Protocol translation
• Transformation and mapping
• Message schema and data validation

Slide 25: Cisco IT AON Production: Intangible Benefits
• Faster time to delivery by reducing the development lifecycle
• Better security, made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements for individual applications
• Moving intelligence into the network

Slide 26: Cisco IT View of AON
An invisible message router/gateway in the network that routes, transforms, monitors, and authenticates/authorizes messages between end points.

Slide 27: How Can AON Be Invisible?
An AON node resides in the network as an inline, application-aware device. The device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications.
Slide 28: AON Modes of Operation
Transparent mode: intercept with no change to applications.
[Diagram: Sending Application A sends to http://B/Service1; the integrated switch, based on a WCCP redirect ACL, intercepts the traffic and forwards it to the AON blade, which passes it on to Receiving Application B.]
Slide 29: AON Best Practices: A Cisco IT Perspective

Slide 30: Best Practices: Logical Diagram
[Diagram: Firewall / DMZ / Firewall / App Server Layer with AON clusters in each zone, linked over AONSP, and a shared log DB. Function groups: SSL termination, DSIG/cert validation, authentication, logging; payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP-to-JMS), content-based routing, logging; payload encryption, DSIG, logging.]
• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing web services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected network
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties

Slide 31: Best Practices: Provisioning and Management
[Diagram: as slide 30.]
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention using standard namespacing
• Implement isolation by sandboxing development environments by project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes all of the above into account
Slide 32: Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com integration (contacts, leads, etc.)

Slide 33: Q and A

Slide 34: Intermission
Coming up in the next hour:
• Security with AON
• AON deployment timelines within Cisco IT
• AON business case within Cisco IT

Slide 35: Security with AON
Brook Schoenfield, Senior Security Architect, CSPO

Slide 36: Agenda
• Where does AON fit into the bigger picture?
• What is AON?
• AON security features/architecture:
  Combining Layer 3/4 and Layer 7+
  Common security functions
  Deep content inspection
  Access controls

Slide 37: Agenda
• Where does AON fit into the bigger picture?
  What is Service Oriented Architecture (SOA)?
  What is application integration?
• What is AON?
• AON security features/architecture:
  Combining Layer 3/4 and Layer 7+
  Common security functions
  Deep content inspection
  Access controls
Slide 38: SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)

Slide 39: SOA Is Now
"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects."
Gartner Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001
This is FYQ06; enterprises are looking for that 30% gain.

Slide 40: AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"

Slide 41: Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business-process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions

Slide 42: Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)

Slide 43: Complexity (and Risk) Increase with Adoption
[Diagram: Partner 1, Partner 2 ... Partner n, Self-Service, Inventory Mgmt and Call Center all consuming the same distributed services.]

Slide 44: Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
The code's internal state is not openly exposed:
• Only well-defined requests are serviced
• Requests do not reveal the service's algorithms
• Requests do not describe the service's state
• Requests provide services, not data access
Services should not share ACID transactions:
• Transactions imply a certain level of trust; locks may be held for a long time
• Transactions imply a level of coupling
(Source cited on the slide: Microsoft Incorporated)
Slide 45: Agenda
• Where does AON fit into the bigger picture?
• What is AON?
• AON security features/architecture:
  Combining Layer 3/4 and Layer 7+
  Common security functions
  Deep content inspection
  Access controls

Slide 46: What Role Does AON Play
• Service broker in SOA
• Integration broker in application integration
• Message security integrator

Slide 47: AON and the OSI Stack
[Diagram of the OSI layers, bottom to top:]
Physical: data bits transmission
Data link: data translation to frames
Network: IP, logical addressing
Transport: TCP, UDP
Session: RPC, NFS
Presentation: ASCII, MPEG, GIF, etc.
Application: message-level protocol (SOAP)
AON works at the application layer and above it: content-based routing, content inspection, transformation, security and mapping.
Slide 48: Pre-AON Inspection and Operation
[Diagram: IP | TCP | HTTP | payload (opaque).] Switches, routers, firewalls and "content inspection" operate around the payload; the payload itself is opaque to them.

Slide 49: AON Is Inside the TCP/IP Wrapper
[Diagram: IP | TCP | HTTP | payload/message.] Session protocol + content inspection == session and payload. Example payload/message:
  <?xml version="1.0"?>
  <purchaseOrder orderDate="1999-10-20">
    <shipTo country="US">
      <name>Alice Smith</name>
      <street>123 Maple Street</street>
      <city>Mill Valley</city>
      <state>CA</state>
      <zip>90952</zip>
    </shipTo>
    ...

Slide 50: AON Is Inside the TCP/IP Wrapper
[Diagram: as slide 49.] Optimized for XML payloads.

Slide 51: AON == Message Content and Envelope
[Diagram: IP | TCP | HTTP | SOAP/WSEC envelope | XML message body.] HTTP envelope (SOAP) messages (XML envelope standards + custom XML) == "deep inspection": existing message bodies + custom parsing.

Slide 52: Why XML
• TCP/IP gives you network hardware independence
• Java gives you platform independence (sort'a, kind'a; for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
Slide 53: AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3; SSL 3.0 was later deprecated by RFC 7568, and a current deployment would terminate TLS instead)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital signature
• DMZ-to-application-layer secure connector (like SSH or STA)

Slide 54: These AON Security Functions Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
[Table: as slide 8.]

Slide 55: Before AON: Current Location of Application and Service Support Utilities
[Diagram: as slide 13. Each of External Env 1, External Env 2 and B2B carries environment/technology-specific authentication, SSL v3 termination, DSIG validation and encryption, plus custom/application-based content inspection/routing, schema validation, logging and service versioning.]

Slide 56: After AON: Future Location of Application and Service Support Utilities
[Diagram: as slide 14. Common utilities in AON: SSL termination, SIG/cert validation, authentication, logging, content-based routing, protocol conversion, payload encryption, payload decryption, schema validation; business logic (Java, Perl, B2B) and internal DBs behind.]
Slide 57: Agenda
• Where does AON fit into the bigger picture?
• What is AON?
• AON security features/architecture:
  Combining Layer 3/4 and Layer 7+
  Common security functions
  Deep content inspection
  Access controls

Slide 58: AON Security
• AON fosters a better network security architecture because it reduces the unprotected segments between applications and AON
• Use of Layer 3/4 to protect Layer 7 functions (i.e., Layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59: Pre-AON Web Security Architecture
[Diagram: Firewall / DMZ / Firewall / Application Layer; web servers (WS) in the DMZ in front of business logic (Java, Perl, B2B) and internal DBs.]

Slide 60: Pre-AON SOA/Web Services Security Architecture
[Diagram: as slide 59, with a web services gateway (WSGW) added in the application layer.]

Slide 61: Pre-AON Attack Vectors
[Diagram: as slide 60.]

Slide 62: Pre-AON Attack Vectors
[Diagram: as slide 60, with callouts:]
• The network architecture must be changed for the gateway (more switches and routers = more ACLs to manage)
• The gateway is NOT part of the network: a compromise at Layer 3/4 can attack the application layer by going around the gateway

Slide 63: A Possible (Simplified) AON Architecture
[Diagram: Firewall / DMZ / Firewall / Application Layer; AON in the DMZ in front of the web servers (WS), and AON in the application layer in front of the business logic (Java, Perl, B2B) and internal DBs.]
• AON is part of the network: the application layer is directly connected to the network device
• Message protection is terminated at AON; no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries

Slide 64: AON Potential Architecture
[Diagram: as slide 16 (Firewall / DMZ / Firewall / App Server Layer; AON clusters; HTTP(S), JMS, AONSP; App1, Svc2, Svc3, Gateway, JMS Server, App Dir Svc), with callouts: web servers == AON; common application functions == AON; DMZ.]

Slide 65: AON Potential Architecture
[Diagram: as slide 64.]
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer, provided by AON, protect the services and logic in the application layer
Slide 66: Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "for application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions

Slide 67: Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)

Slide 68: Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + more standards proposed (alphabet soup):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)

Slide 69: AON Implements Messaging Standards
[Diagram: the XML protocol set, bottom to top: TCP/IP, HTTP, SOAP, WS-Security, with XML-Encryption (XENC), XML-Digital Signature (DSIG) and XML expressions (XSLT) alongside; AON as security integrator for SOA.]

Slide 70: Standards Relationships
[Diagram: as slide 69; AON provides accelerated XML services.]
Slide 71: Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used over the entire message or for parts of a message; use certificate or key enveloping (WSSEC); DSIG is very general purpose

Slide 72: Encryption/Decryption
• Confidentiality
• Integrity (only when combined with a signature or an authenticated transport; XML-Encryption on its own does not authenticate the ciphertext)
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Slide 73: Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials: X.509 certificate
• Signature validation (DSIG, certificate based)
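Of the credential types listed, the SOAP-enveloped one is the most often implemented wrong. As an added example (not AON code), the Python below verifies a WS-Security UsernameToken carried in the SOAP Header using the PasswordDigest form of the OASIS UsernameToken Profile 1.0, which is Base64(SHA-1(nonce + created + password)); it refuses the cleartext PasswordText form, bounds the Created timestamp and rejects a reused nonce. The credential store standing in for the enterprise LDAP directory, the nonce cache, the skew window and the sample message are constructed for this illustration.

```python
"""Verify a WS-Security UsernameToken (PasswordDigest) carried in a SOAP header.

Added example, not AON code. The credential store (standing in for the LDAP
directory on the slide), the nonce cache, the skew window and the sample
message are constructed for illustration.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

USERS = {"partner-a": "correct horse battery staple"}   # constructed credential store
SEEN_NONCES = set()                                      # replay cache (shared and expiring in production)
MAX_SKEW = timedelta(minutes=5)

# Fixed clock values so the example is reproducible.
DEMO_CREATED = "2005-09-01T12:00:00Z"
DEMO_NOW = datetime(2005, 9, 1, 12, 0, 30, tzinfo=timezone.utc)
DEMO_LATER = DEMO_NOW + timedelta(hours=1)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def authenticate(soap_xml: str, now: Optional[datetime] = None) -> str:
    """Return the authenticated username, or raise PermissionError."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(soap_xml)
    tok = root.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
    if tok is None:
        raise PermissionError("no UsernameToken in Security header")
    username = (tok.findtext(f"{{{WSSE_NS}}}Username") or "").strip()
    pw = tok.find(f"{{{WSSE_NS}}}Password")
    nonce_b64 = tok.findtext(f"{{{WSSE_NS}}}Nonce")
    created = (tok.findtext(f"{{{WSU_NS}}}Created") or "").strip()
    if pw is None or not nonce_b64 or not created:
        raise PermissionError("incomplete token")
    if pw.get("Type") != DIGEST_TYPE:
        raise PermissionError("only PasswordDigest is accepted (PasswordText refused)")
    nonce = base64.b64decode(nonce_b64)
    created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - created_at) > MAX_SKEW:
        raise PermissionError("Created is outside the allowed clock skew")
    if nonce in SEEN_NONCES:
        raise PermissionError("nonce replayed")
    secret = USERS.get(username)
    # Compute a digest even for unknown users so response time does not reveal valid names.
    expected = password_digest(nonce, created, secret or "")
    presented = (pw.text or "").strip()
    if secret is None or not hmac.compare_digest(expected.encode(), presented.encode()):
        raise PermissionError("bad credentials")
    SEEN_NONCES.add(nonce)          # only a successful token consumes its nonce
    return username


def is_authentic(soap_xml: str, now: Optional[datetime] = None) -> bool:
    """authenticate() as a yes/no answer, treating malformed input as a refusal."""
    try:
        authenticate(soap_xml, now)
        return True
    except (PermissionError, ET.ParseError, ValueError):
        return False


def sample_request(username: str, password: str, nonce: bytes,
                   created: str = DEMO_CREATED, digest: bool = True) -> str:
    """Constructed client message, not a captured one."""
    if digest:
        pw = (f'<wsse:Password Type="{DIGEST_TYPE}">'
              f"{password_digest(nonce, created, password)}</wsse:Password>")
    else:
        pw = f"<wsse:Password>{password}</wsse:Password>"   # PasswordText form, which the verifier refuses
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}"><wsse:UsernameToken>'
            f"<wsse:Username>{username}</wsse:Username>{pw}"
            f"<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>"
            f"<wsu:Created>{created}</wsu:Created>"
            "</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>")


if __name__ == "__main__":
    msg = sample_request("partner-a", USERS["partner-a"], b"nonce-0001")
    print(authenticate(msg, DEMO_NOW))       # partner-a
    print(is_authentic(msg, DEMO_NOW))       # False: nonce replayed
```

The digest form still requires the server to hold the cleartext password (the profile hashes nonce, timestamp and password together), so the directory lookup behind USERS is the part that needs protecting; the nonce and Created checks are what stop a captured token from being replayed against every service behind the broker.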
Slide 74: Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general-purpose mechanism for controlling message access and routing

Slide 75: Deep Content Inspection
• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelet" code that can use the same services as AON's internal content-handling code, and so handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out-of-the-box)
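The flow security mechanisms on slide 74 (format and data-range validation) and the content IDS/firewall signatures described here are the same mechanism with two different actions. As an added example (not an AON bladelet), the Python below runs a list of signatures over an XML purchase order shaped like the payload on slide 49: raw-byte signatures (size, DTD/entity declarations) run before the parser so a hostile document never reaches it, tree signatures check the root element, nesting depth, the zip-code range and injected SQL metacharacters, and the verdict is pass, alarm (IDS) or block (firewall). The rules, thresholds and sample messages are constructed for this illustration, not shipped AON signatures.

```python
"""Deep content inspection: signatures that alarm (content IDS) or block (firewall) XML messages.

Added example, not AON bladelet code. Rules, thresholds and the sample messages
are constructed; the purchase-order shape follows the payload shown on slide 49.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List

ALARM, BLOCK, PASS = "alarm", "block", "pass"
MAX_BYTES = 64 * 1024
MAX_DEPTH = 16


@dataclass
class Signature:
    name: str
    action: str                      # ALARM raises an alert, BLOCK stops the message
    stage: str                       # "raw" runs on bytes before parsing, "tree" on the parsed document
    check: Callable[[object], bool]  # True when the signature fires


@dataclass
class Verdict:
    action: str                      # PASS, ALARM or BLOCK
    fired: List[str]


def _depth(el: ET.Element, d: int = 1) -> int:
    return max([d] + [_depth(c, d + 1) for c in el])


def _strings(doc: ET.Element):
    """Every text node and attribute value: the places injected content can hide."""
    for e in doc.iter():
        if e.text:
            yield e.text
        yield from e.attrib.values()


SIGNATURES = [
    # Raw-byte checks keep hostile documents away from the parser entirely.
    Signature("oversize-payload", BLOCK, "raw", lambda raw: len(raw) > MAX_BYTES),
    Signature("dtd-or-entity-declaration", BLOCK, "raw",   # entity expansion / external entities
              lambda raw: re.search(rb"<!(DOCTYPE|ENTITY)", raw) is not None),
    # Tree checks: message format, data ranges and content signatures.
    Signature("unexpected-root", BLOCK, "tree", lambda doc: doc.tag != "purchaseOrder"),
    Signature("excessive-nesting", BLOCK, "tree", lambda doc: _depth(doc) > MAX_DEPTH),
    Signature("bad-zip-format", BLOCK, "tree",
              lambda doc: re.fullmatch(r"\d{5}", doc.findtext("shipTo/zip") or "") is None),
    Signature("non-us-shipto", ALARM, "tree",
              lambda doc: doc.find("shipTo") is not None and doc.find("shipTo").get("country") != "US"),
    Signature("sql-metacharacters", ALARM, "tree",
              lambda doc: any(re.search(r"('|--|/\*)\s*(or|and|union|select|drop)\b", s, re.I)
                              for s in _strings(doc))),
]


def inspect_message(raw: bytes) -> Verdict:
    """Run every signature in order; a BLOCK at the raw stage short-circuits parsing."""
    fired = [s.name for s in SIGNATURES if s.stage == "raw" and s.check(raw)]
    if any(s.action == BLOCK for s in SIGNATURES if s.name in fired):
        return Verdict(BLOCK, fired)
    try:
        doc = ET.fromstring(raw)
    except ET.ParseError:
        return Verdict(BLOCK, fired + ["malformed-xml"])
    fired += [s.name for s in SIGNATURES if s.stage == "tree" and s.check(doc)]
    actions = {s.action for s in SIGNATURES if s.name in fired}
    return Verdict(BLOCK if BLOCK in actions else ALARM if ALARM in actions else PASS, fired)


# Constructed sample messages.
GOOD_PO = b"""<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US"><name>Alice Smith</name><street>123 Maple Street</street>
  <city>Mill Valley</city><state>CA</state><zip>90952</zip></shipTo>
</purchaseOrder>"""
ENTITY_PO = b"""<?xml version="1.0"?><!DOCTYPE po [<!ENTITY a "aaaa">]>
<purchaseOrder><shipTo country="US"><zip>90952</zip></shipTo>&a;</purchaseOrder>"""
INJECT_PO = GOOD_PO.replace(b"Alice Smith", b"Alice' OR 1=1 --")
FOREIGN_PO = GOOD_PO.replace(b'country="US"', b'country="DE"')

if __name__ == "__main__":
    for label, msg in (("good", GOOD_PO), ("entity", ENTITY_PO),
                       ("inject", INJECT_PO), ("foreign", FOREIGN_PO)):
        print(label, inspect_message(msg))
```

Keeping the raw-stage signatures separate from the tree-stage ones is the point of the design: the parser is itself attack surface (entity expansion, deep nesting), so the checks that protect it must run on bytes and must block rather than alarm.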
Slide 76: AON Components
[Diagram: AON blades, configured and provisioned from the AMC (AON Management Console), running application policies ("flows") developed in the ADS (AON Design Studio), and logging to a log DB.]

Slide 77: Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, at the AON component, and through AON access controls.
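The stages, approval steps and roles above amount to a small state machine. As an added example (not AMC or ADS code), the Python below models it: developers submit a development-stage flow, an approver who is neither the author nor the submitter signs off each promotion, and an administrator deploys one stage forward, with every step consuming its approval and being recorded for audit. The role names, stage names and sample flow are assumptions made for this illustration.

```python
"""Staged promotion of flows with role-based approval and separation of duties.

Added example, not AMC/ADS code. The roles, stages and the sample flow are
constructed; the point is that no single identity can design, approve and deploy.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

STAGES = ["development", "staging", "production"]

# Role -> permissions. Deliberately no role that can both submit and approve.
PERMISSIONS = {
    "designer": {"edit"},
    "developer": {"edit", "submit"},
    "approver": {"approve"},
    "administrator": {"deploy"},
}


class PolicyError(Exception):
    """An action that the access-control policy refuses."""


@dataclass
class Flow:
    name: str
    version: int
    author: str
    stage: str = "development"
    submitted_by: Optional[str] = None
    approved_by: Optional[str] = None
    history: List[str] = field(default_factory=list)   # audit trail


def _require(user: str, roles: Dict[str, str], perm: str) -> None:
    role = roles.get(user)
    if role is None or perm not in PERMISSIONS.get(role, set()):
        raise PolicyError(f"{user} (role {role}) may not {perm}")


def _next_stage(flow: Flow) -> str:
    i = STAGES.index(flow.stage)
    if i + 1 >= len(STAGES):
        raise PolicyError("already in production")
    return STAGES[i + 1]


def submit(flow: Flow, user: str, roles: Dict[str, str]) -> None:
    """A developer proposes a development-stage flow for verification."""
    _require(user, roles, "submit")
    if flow.stage != "development":
        raise PolicyError("only development flows can be submitted")
    flow.submitted_by, flow.approved_by = user, None
    flow.history.append(f"submitted by {user}")


def approve(flow: Flow, user: str, roles: Dict[str, str]) -> None:
    """An approver signs off one promotion step, never their own work."""
    _require(user, roles, "approve")
    if flow.submitted_by is None:
        raise PolicyError("nothing has been submitted")
    if user in (flow.submitted_by, flow.author):
        raise PolicyError("separation of duties: cannot approve own flow")
    flow.approved_by = user
    flow.history.append(f"approved for {_next_stage(flow)} by {user}")


def promote(flow: Flow, user: str, roles: Dict[str, str]) -> str:
    """An administrator deploys one stage forward; each step consumes one approval."""
    _require(user, roles, "deploy")
    if flow.approved_by is None:
        raise PolicyError("promotion requires a current approval")
    flow.stage = _next_stage(flow)
    flow.approved_by = None                 # staging -> production needs a fresh sign-off
    flow.history.append(f"promoted to {flow.stage} by {user}")
    return flow.stage


def attempt(action: Callable, flow: Flow, user: str, roles: Dict[str, str]) -> bool:
    """True if the action was allowed, False if policy refused it."""
    try:
        action(flow, user, roles)
        return True
    except PolicyError:
        return False


if __name__ == "__main__":
    roles = {"alice": "developer", "bob": "approver", "carol": "administrator"}
    flow = Flow("order-status-ingress", 3, author="alice")
    submit(flow, "alice", roles)
    approve(flow, "bob", roles)
    print(promote(flow, "carol", roles), flow.history)
```

The audit trail in `history` is what an approver or auditor reads back; the refusals are what makes the promotion process a control rather than a workflow.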
Slide 78: Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection, content-level ACLs
  Reasonable administrative access controls

Slide 79: Q and A
Session Number 11657_09_2005_c1
4copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON Play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Security Integrator
5copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to frames
Physical Data Bits transmission
6copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
ADS (AON Design Studio)Used for DevelopingApplication Policies
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules AON Blades
AON
LOG DB
Slide 7
AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3; current in 2005, since deprecated in favour of TLS)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital signature (for strong authentication)
• DMZ-to-application layer secure connector (like SSH or STA)
Slide 8
These AON Security Functions...
...are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco external-facing services.

AON security function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other environments
Encryption using SSL v3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited
XML payload encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
Protocol translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital signature | Custom written by each app using Java libraries | Limited | STA (Secure Transport Architecture), custom | Varies for each environment
DMZ-to-app layer secure connector | mod_IIOP over SSH pipes | Reverse proxy | STA (Secure Transport Architecture), custom | Varies for each environment
Slide 9
AON Delivers the Following Support Utilities for Reliability, Manageability and Targeted Service
Reliability
• Reliable delivery
Manageability
• Message and transaction-level logging
• Transaction monitoring
Targeted service
• Service versioning (allows multiple versions of a single service to run simultaneously)
• Message/content-based routing (routes messages based on contents and/or business rules)
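Service versioning and content-based routing, as described on this slide, come down to a router that first identifies which service and version a message addresses and then applies a business rule to the message content. The following is an added example written for this page in Python, not Cisco AON code: the service namespace convention (urn:example:svc:<Service>:v<major>.<minor>), the route table, the endpoints and the large-order review rule are all assumptions made for illustration. Unknown services and retired versions are rejected rather than sent to a default endpoint.

```python
"""Content-based routing with service versioning for SOAP messages.

Added example, not Cisco AON code; standard library only. The service
namespace convention, the route table, the endpoints and the large-order
review rule are all constructed for illustration.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Hypothetical registry: (service, major version) -> endpoint. Two versions of
# OrderStatus are live at once, which is what service versioning permits.
ROUTES = {
    ("OrderStatus", "1"): "http://orderstatus-v1.internal/",
    ("OrderStatus", "2"): "http://orderstatus-v2.internal/",
    ("ProductConfigurator", "1"): "http://configurator-v1.internal/",
}
REVIEW_QUEUE = "jms://queue/order-review"   # constructed JMS destination
LARGE_ORDER_THRESHOLD = 100000.0            # constructed business rule

class RoutingError(Exception):
    pass

def parse_operation(envelope_xml):
    """Return (service, major version, body element) from a SOAP envelope.

    Assumed convention: the Body child's namespace is
    urn:example:svc:<Service>:v<major>.<minor>.
    """
    root = ET.fromstring(envelope_xml)
    body = root.find("{%s}Body" % SOAP_NS)
    if body is None or len(body) == 0:
        raise RoutingError("missing or empty SOAP Body")
    op = body[0]
    if not op.tag.startswith("{"):
        raise RoutingError("unqualified body element; service unknown")
    ns = op.tag[1:].split("}", 1)[0]
    parts = ns.split(":")
    if len(parts) != 5 or parts[:3] != ["urn", "example", "svc"] or not parts[4].startswith("v"):
        raise RoutingError("unrecognised service namespace %r" % ns)
    major = parts[4][1:].split(".", 1)[0]
    return parts[3], major, op

def decide(envelope_xml):
    """Return ("route", endpoint) or ("reject", reason).

    Unknown services and retired versions are rejected, not sent to a default:
    a router that guesses is an open door to whatever sits behind the default.
    """
    try:
        service, major, op = parse_operation(envelope_xml)
    except (RoutingError, ET.ParseError) as exc:
        return ("reject", str(exc))
    endpoint = ROUTES.get((service, major))
    if endpoint is None:
        return ("reject", "no route for %s v%s" % (service, major))
    # Content rule: an order above the threshold goes to a review queue instead.
    total = op.findtext("{*}total")
    if total is not None:
        try:
            if float(total) > LARGE_ORDER_THRESHOLD:
                return ("route", REVIEW_QUEUE)
        except ValueError:
            return ("reject", "non-numeric total %r" % total)
    return ("route", endpoint)

def envelope(ns, inner):
    """Build a constructed SOAP envelope for the samples below."""
    return ('<soap:Envelope xmlns:soap="%s"><soap:Body><s:request xmlns:s="%s">%s'
            '</s:request></soap:Body></soap:Envelope>' % (SOAP_NS, ns, inner))

# Constructed sample messages.
SAMPLES = {
    "v1": envelope("urn:example:svc:OrderStatus:v1.3", "<s:orderId>A17</s:orderId>"),
    "v2_small": envelope("urn:example:svc:OrderStatus:v2.0", "<s:total>990.00</s:total>"),
    "v2_large": envelope("urn:example:svc:OrderStatus:v2.0", "<s:total>250000</s:total>"),
    "v9": envelope("urn:example:svc:OrderStatus:v9.0", ""),
    "no_ns": '<soap:Envelope xmlns:soap="%s"><soap:Body><request/></soap:Body>'
             '</soap:Envelope>' % SOAP_NS,
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, decide(msg))
```

The version is taken from the namespace rather than from a header field so that a client cannot claim one version in a header while sending another version's payload; the two must agree because they are the same thing.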
Slide 10
These AON Reliability and Manageability Functions...
...are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco services.

AON reliability function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other environments
Encryption using SSL v3 with bi-directional authentication | Custom written with limited capabilities | WebMethods specific; requires significant setup effort | Custom written with limited capabilities | Custom written with limited capabilities

AON manageability function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other environments
Encryption using SSL v3 with bi-directional authentication | Custom written by each app | WebMethods specific | Custom written by each app | Limited
Monitoring (transaction level) | Custom written by each application | WebMethods specific; limited to WM transactions | Custom written by each application | Custom written and/or product/technology specific
Slide 11
These AON Targeted Service Functions...
...are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco services.

AON targeted service function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other environments
Encryption using SSL v3 with bi-directional authentication | Custom written with limited capabilities | Custom written with limited capabilities | Custom written with limited capabilities | Custom written with limited capabilities
Message/content-based routing | Custom written with limited capabilities | WebMethods specific; limited to WebMethods transactions | Custom written by each application | Custom written and/or product/technology specific
Slide 12
AON Features Deployed within Cisco IT
The goal is to have AON play the role of services management broker/gateway and act as the single virtual gateway for all Web and B2B services. Below is a list of important features, many of which have been formalised as requirements:
• Authentication
• Monitoring
• Service versioning
• Encryption and digital signatures
• Message-level load balancing and distribution
• Logging
• Message and content-based routing
• Protocol translation
• Secure tunneling across the firewall
• Contracts
• Billing
Slide 13
Before AON: Current Location of Application and Service Support Utilities
Diagram: firewall, DMZ, firewall, application layer, firewall, internal DBs. Each of External Env 1, External Env 2 and B2B carries its own copy of:
• Environment/technology-specific authentication, SSL v3 termination, DSIG validation, encryption
• Custom, application-based content inspection/routing, schema validation, logging, service versioning
Slide 14
After AON: Future Location of Application and Service Support Utilities
Diagram: the same firewall/DMZ/application-layer layout, with AON providing the common utilities in front of the business logic (Java, PERL, B2B) and the internal DBs. Common utilities moved into AON:
• SSL termination
• Signature/certificate validation
• Authentication
• Logging
• Content-based routing
• Protocol conversion
• Payload encryption
• Payload decryption
• Schema validation
Slide 15
Who Would Benefit from AON?
Service developers
• Reduces the development lifecycle
• Builds on existing services
Business
• Time-to-market
• Lower development and maintenance cost
Information Security
• Simpler security model
• Better visibility
Infrastructure
• Reduced complexity
• Better visibility
Enterprise Architects
Slide 16
Cisco IT Recommended AON Architecture
Diagram: firewall, DMZ, firewall, app server layer. AON clusters sit in the DMZ and in the app server layer and talk to each other over AONSP; clients reach the DMZ over HTTP(S); the app server layer hosts App1, Svc2, Svc3, a gateway, a JMS server and an application directory service, reached over HTTP(S) and JMS. Function groups shown on the diagram:
• SSL termination, DSIG/certificate validation, authentication, logging, etc.
• Payload decryption, schema validation, content inspection/routing, logging
• Protocol conversion (HTTP-to-JMS), content-based routing, logging
• Payload encryption, DSIG, logging, etc.
Slide 17
Before AON: Transformation and Mapping
Diagram: External Env 1 reaches a proxy web service over SOAP/HTTP(s); the proxy uses a JMS library to put messages on the messaging bus. On the bus, a transformation/mapping and automated business process engine (Internal Env 1: JMS library, adaptor, OCM, JDBC) and custom applications (Internal Env 2: JMS library, JDBC) connect to back-end systems, packages and databases; web services reach the internal DBs over HTTP/SQL.
Slide 18
After AON, Phase I
Diagram: as on slide 17, except that AON blades replace the proxy web services on External Env 1 (SOAP/HTTP(s) now terminates at AON). The messaging bus, transformation/mapping, automated BP (Internal Env 1) and custom applications (Internal Env 2) are unchanged.
Slide 19
After AON, Phase II
AON blades could also replace the business process and transformation engine by providing transformation/mapping capabilities in addition to the proxy web service layer (Phase 2).
Diagram: SOAP/HTTP(s) into AON with transformation/mapping, then directly to back-end systems, packages, databases and internal DBs (web services over HTTP/SQL).
Slide 21
Using AON vs. B2B Gateway
Diagram: customers and partners reach the enterprise network across the Internet using SOAP/HTTP(S), XML/HTTP(S), RNIF, EDI/AS2 and flat file over HTTP(S); traffic is handled either by AON, fronting distributed enterprise services, or by the legacy B2B gateway.
Slide 22
Protocol Relationships
Diagram: the Web services protocol set, bottom to top: TCP/IP, HTTP, SOAP, WS-Security, and on top of WS-Security XML-Digital Signature (DSIG) and XML-Encryption (XENC). AON acts as the service broker at this level. WSDL and UDDI are exchanged out of band.
Slide 23
What Role Does AON Play in SOA?
• Service broker
  - Application-level message routing
  - Application/service security
  - Application-level monitoring
  - Service abstraction
  - Protocol translation
  - Transformation and mapping
• Message schema validation
Slide 24
What Role Does AON Play in Application Integration?
• Protocol translation
• Transformation and mapping
• Message schema and data validation
Slide 25
Cisco IT AON Production: Intangible Benefits
• Faster time to delivery by reducing the development lifecycle
• Better security, made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements by individual applications
• Moving intelligence into the network
Slide 26
Cisco IT View of AON
An invisible message router/gateway in the network that routes, transforms, monitors and authenticates/authorizes messages between end points.
Slide 27
How Can AON Be Invisible?
An AON node resides in the network as an inline, application-aware device. The device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications.
Slide 28
AON Modes of Operation
Transparent mode: intercept with no change to applications
Diagram: Sending Application A sends to http://B/Service1; the integrated switch, based on a WCCP redirect ACL, intercepts the traffic and forwards it to the AON blade, which passes it on to Receiving Application B.
Slide 29
AON Best Practices: A Cisco IT Perspective
Slide 30
Best Practices: Logical Diagram
Diagram: firewall, DMZ, firewall, app server layer; AON clusters in the DMZ and in the app server layer, a log DB, AONSP between the clusters. The function groups are those on slide 16: SSL termination, DSIG/certificate validation, authentication, logging; payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP-to-JMS), content-based routing, logging; payload encryption, DSIG, logging.
• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected network
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties
Slide 31
Best Practices: Provisioning and Management
Diagram: as on slide 30.
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention utilizing standard namespacing
• Implement isolation by sandboxing development environments by project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes into account all of the above
Slide 32
Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com integration (contacts, leads, etc.)
Slide 33
Q and A
Slide 34
Intermission
Coming up in the next hour:
• Security with AON
• AON deployment timelines within Cisco IT
• AON business case within Cisco IT
Slide 35
Security with AON
Brook Schoenfield, Senior Security Architect, CSPO
Slide 36
Agenda
• Where does AON fit into the bigger picture?
• What is AON?
• AON security features/architecture
  - Combining Layer 3/4 and Layer 7+
  - Common security functions
  - Deep content inspection
  - Access controls
Slide 37
Agenda
• Where does AON fit into the bigger picture?
  - What is Service Oriented Architecture (SOA)?
  - What is Application Integration?
• What is AON?
• AON security features/architecture
  - Combining Layer 3/4 and Layer 7+
  - Common security functions
  - Deep content inspection
  - Access controls
Slide 38
SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)
Slide 39
SOA Is Now
"By 2005 the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects."
Gartner Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001
This is FYQ06; enterprises are looking for that 30% gain.
Slide 40
AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"
Slide 41
Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business-process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions
Slide 42
Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)
Slide 43
Complexity (and Risk) Increase with Adoption
Diagram: Partner 1, Partner 2 ... Partner n, Self-Service, Inventory Management and Call Center all connected to the same services.
Slide 44
Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
  - Not everyone will be served
  - Inspect, validate and authenticate requests
• The code's internal state is not openly exposed
  - Only well-defined requests are serviced
  - Requests do not reveal the service's algorithms
  - Requests do not describe the service's state
  - Requests provide services, not data access
• Services should not share ACID transactions
  - Transactions imply a certain level of trust
  - Locks may be held for a long time
  - Transactions imply a level of coupling
(Microsoft Incorporated)
Slide 45
Agenda
• Where does AON fit into the bigger picture?
• What is AON?
• AON security features/architecture
  - Combining Layer 3/4 and Layer 7+
  - Common security functions
  - Deep content inspection
  - Access controls
Slide 46
What Role Does AON Play?
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator
Slide 47
AON and the OSI Stack
Diagram: as on slide 5. Application: message-level protocol (SOAP); content inspection, transformation, security and mapping (AON). Presentation: data formats (ASCII, MPEG, GIF etc.); content-based routing (AON). Session: RPC, NFS. Transport: TCP, UDP. Network: IP logical addressing. Data Link: translation of data to frames. Physical: transmission of data bits.
Slide 48
Pre-AON Inspection and Operation
Diagram: IP | TCP | HTTP | payload (opaque). Switches, routers, firewalls and "content inspection" operate around the payload, not on it.
Slides 49 and 50
AON Is Inside the TCP/IP Wrapper
Diagram: IP | TCP | HTTP | payload/message. Session protocol + content inspection == session and payload. Optimized for XML payloads.
Example payload (from the slide):
<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  ...
Slide 51
AON == Message Content and Envelope
Diagram: IP | TCP | HTTP | HTTP envelope (SOAP) | messages (XML envelope standards + custom XML) == "deep inspection". Stack: SOAP, WSEC, http://www...; HTTP | XML message body. Existing message bodies + custom parsing.
Slide 52
Why XML?
• TCP/IP gives you network hardware independence
• Java gives you platform independence (sort'a, kind'a; for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
Slide 53
AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital signature
• DMZ-to-application layer secure connector (like SSH or STA)
Slide 54
These AON Security Functions...
...are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco external-facing services.

AON security function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other environments
Encryption using SSL v3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited
XML payload encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
Protocol translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital signature | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
DMZ-to-app layer secure connector | mod_IIOP over SSH pipes | Reverse proxy | STA (Secure Transport Architecture), custom | Varies for each environment
Slide 55
Before AON: Current Location of Application and Service Support Utilities
Diagram: as on slide 13. Firewall, DMZ, firewall, application layer, firewall, internal DBs. Each of External Env 1, External Env 2 and B2B carries its own copy of:
• Environment/technology-specific authentication, SSL v3 termination, DSIG validation, encryption
• Custom, application-based content inspection/routing, schema validation, logging, service versioning
Slide 56
After AON: Future Location of Application and Service Support Utilities
Diagram: as on slide 14. AON provides the common utilities in front of the business logic (Java, PERL, B2B) and the internal DBs:
• SSL termination
• Signature/certificate validation
• Authentication
• Logging
• Content-based routing
• Protocol conversion
• Payload encryption
• Payload decryption
• Schema validation
Slide 57
Agenda
• Where does AON fit into the bigger picture?
• What is AON?
• AON security features/architecture
  - Combining Layer 3/4 and Layer 7+
  - Common security functions
  - Deep content inspection
  - Access controls
Slide 58
AON Security
• AON fosters a better network security architecture because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e., layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59
Pre-AON Web Security Architecture
Diagram: firewall, DMZ (web servers: WS, WS, WS), firewall, application layer (business logic: Java, PERL, B2B), firewall, internal DBs.
Slide 60
Pre-AON SOA/Web Services Security Architecture
Diagram: as on slide 59, with a web services gateway (WSGW) added for the SOA/Web services traffic.
Slide 61
Pre-AON Attack Vectors
Diagram: as on slide 60.
Slide 62
Pre-AON Attack Vect ors
Diagram: as on slide 60, annotated:
• The network architecture must be changed to insert the gateway (more switches and routers = more ACLs to manage)
• The gateway is NOT part of the network: a compromise at layer 3/4 can attack the application layer directly, going around the gateway
Slide 63
A Possible (Simplified) AON Architecture
Diagram: firewall, DMZ (web servers), firewall, application layer (business logic: Java, PERL, B2B) with AON in front of it, firewall, internal DBs.
• AON is part of the network: the application layer is directly connected to the network device
• Message protection is terminated at AON; no unprotected segment is exposed between the gateway and the application layer
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64
AON Potential Architecture
Diagram: as on slide 16 (firewall, DMZ, firewall, app server layer; AON clusters in the DMZ and the app server layer linked over AONSP; App1, Svc2, Svc3, gateway, JMS server and application directory service reached over HTTP(S) and JMS; the same four function groups). Annotations: web servers == AON; common application functions == AON; DMZ.
Slide 65
AON Potential Architecture
Diagram: as on slide 64.
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer, provided by AON, protect the services and logic in the application layer
Slide 66
Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "for application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions
Slide 67
Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68
Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  - XML-Signature (DSIG) == digital signature use
  - XML-Encryption (XENC) == encrypt/decrypt use
  - Authenticators
• More standards proposed (alphabet soup):
  - Web Services Description Language (WSDL)
  - Universal Description, Discovery and Integration (UDDI)
  - Web Services Flow Language (WSFL)
  - Other business rules (BPEL4WS)
Slide 69
AON Implements Messaging Standards
Diagram: the XML protocol set, XML-Encryption (XENC), XML-Digital Signature (DSIG) and XSL Transformations (XSLT), layered over TCP/IP, HTTP, SOAP and WS-Security; AON in the role of security integrator for SOA.
Slide 70
Standards Relationships
Diagram: the same stack (TCP/IP, HTTP, SOAP, WS-Security; XENC, DSIG, XSLT), with AON providing accelerated XML services.
Slide 71
Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used over the entire message or for parts of a message; uses certificate or key enveloping (WS-Security); DSIG is very general purpose
Slide 72
Encryption/Decryption
• Confidentiality
• Integrity (only when combined with a signature or MAC; encryption alone does not detect tampering)
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
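Slides 71 and 72 note that a signature can cover the entire message or only parts of it. The practical consequence is that a verifier must act only on the element the signature actually covers, never on "the first element in the Body". The added example below, written for this page in Python and not Cisco AON code, shows the part-signing mechanics and a wrapping attack against a careless verifier. XML-DSIG uses public-key signatures and C14N canonicalisation; this stand-in uses an HMAC with a shared key over ElementTree's serialisation so that it runs with the standard library alone. The key, the signature-header namespace, the service namespace and the messages are constructed.

```python
"""Signing one part of a message and verifying it safely.

Added example, not Cisco AON code. XML-DSIG uses public-key signatures and
XML canonicalisation (C14N); this stand-in uses an HMAC with a shared key over
ElementTree's own serialisation, so the mechanics of "sign one element and
reference it by Id" can be shown with the standard library only. Key,
namespaces and messages are constructed.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SIG_NS = "urn:example:sig"                # hypothetical signature-header namespace
PAY_NS = "urn:example:svc:Payment:v1.0"   # hypothetical service namespace
KEY = b"constructed-shared-key"           # a key pair with real DSIG
for prefix, uri in (("soap", SOAP_NS), ("sig", SIG_NS), ("p", PAY_NS)):
    ET.register_namespace(prefix, uri)

def canonical(elem):
    """Stand-in for C14N: one fixed serialisation used by signer and verifier."""
    saved, elem.tail = elem.tail, None
    try:
        return ET.tostring(elem, encoding="utf-8")
    finally:
        elem.tail = saved

def find_by_id(root, ref):
    return [e for e in root.iter() if e.get("Id") == ref]

def sign_part(envelope_xml, ref):
    """Add a header Signature that covers only the element whose Id is ref."""
    root = ET.fromstring(envelope_xml)
    targets = find_by_id(root, ref)
    if len(targets) != 1:
        raise ValueError("element to sign must exist exactly once")
    header = root.find("{%s}Header" % SOAP_NS)
    if header is None:
        header = ET.Element("{%s}Header" % SOAP_NS)
        root.insert(0, header)
    sig = ET.SubElement(header, "{%s}Signature" % SIG_NS, Ref=ref)
    sig.text = hmac.new(KEY, canonical(targets[0]), hashlib.sha256).hexdigest()
    return ET.tostring(root, encoding="unicode")

def verified_element(root):
    """Return the element the header Signature vouches for, or None."""
    sig = root.find("{%s}Header/{%s}Signature" % (SOAP_NS, SIG_NS))
    if sig is None:
        return None
    targets = find_by_id(root, sig.get("Ref", ""))
    if len(targets) != 1:      # duplicate Ids are an attack signal, not an ambiguity
        return None
    expected = hmac.new(KEY, canonical(targets[0]), hashlib.sha256).hexdigest()
    return targets[0] if hmac.compare_digest(expected, sig.text or "") else None

def naive_amount(envelope_xml):
    """Mistaken pattern: check the signature, then act on whatever is first in Body."""
    root = ET.fromstring(envelope_xml)
    if verified_element(root) is None:
        return None
    return root.find("{%s}Body" % SOAP_NS)[0].findtext("{*}amount")

def safe_amount(envelope_xml):
    """Act only on the verified element, and only if it sits where a request belongs."""
    root = ET.fromstring(envelope_xml)
    elem = verified_element(root)
    body = root.find("{%s}Body" % SOAP_NS)
    if elem is None or body is None or elem not in list(body):
        return None
    return elem.findtext("{*}amount")

def wrap_attack(signed_xml, forged_xml):
    """Move the signed element under a wrapper in the Header and put an unsigned
    look-alike in the Body. The reference still verifies; the Body is now forged."""
    root = ET.fromstring(signed_xml)
    body = root.find("{%s}Body" % SOAP_NS)
    original = body[0]
    body.remove(original)
    ET.SubElement(root.find("{%s}Header" % SOAP_NS), "Wrapper").append(original)
    body.append(ET.fromstring(forged_xml))
    return ET.tostring(root, encoding="unicode")

# Constructed messages.
MSG = ('<soap:Envelope xmlns:soap="%s"><soap:Header/><soap:Body>'
       '<p:pay xmlns:p="%s" Id="req1"><p:amount>100</p:amount></p:pay>'
       '</soap:Body></soap:Envelope>' % (SOAP_NS, PAY_NS))
FORGED = '<p:pay xmlns:p="%s"><p:amount>999999</p:amount></p:pay>' % PAY_NS
SIGNED = sign_part(MSG, "req1")
WRAPPED = wrap_attack(SIGNED, FORGED)
TAMPERED = SIGNED.replace(">100<", ">101<")

if __name__ == "__main__":
    print("signed  :", naive_amount(SIGNED), safe_amount(SIGNED))
    print("wrapped :", naive_amount(WRAPPED), safe_amount(WRAPPED))
    print("tampered:", naive_amount(TAMPERED), safe_amount(TAMPERED))
```

The two verifiers differ in one line: the safe one returns the element it verified and checks that this element is a direct child of the Body before acting on it, instead of verifying one element and processing another. The same discipline applies to real XML-DSIG references, which identify the signed element by Id exactly as the stand-in does.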
Slide 73
Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials: X.509 certificate
• Signature validation (DSIG, certificate based; XML-Encryption provides confidentiality, not authentication)
Slide 74
Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out of the box)
• A very general purpose mechanism for controlling message access and routing
Slide 75
Deep Content Inspection
• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelet" code that can use the same services as AON's internal content-handling code, and so handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out of the box)
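Slides 49 to 51 describe inspection inside the TCP/IP and HTTP wrappers; slides 73 to 75 list the flow security mechanisms built on it: authentication, format and data-range validation, authorization rules, and signatures that either raise an alarm (IDS) or stop the flow (firewall). The added example below puts those steps together over the slide's purchaseOrder, in the order a gateway would run them: unwrap, authenticate, signature-check the raw bytes, parse, authorize, validate. It is written for this page in Python and is not Cisco AON code; the HTTP request, the partner directory, the content signatures and the validation rules are constructed for illustration.

```python
"""Deep inspection of a SOAP purchase order inside its HTTP/TCP wrapper.

Added example, not Cisco AON code; standard library only. The HTTP request,
partner directory, content signatures and validation rules are constructed
for illustration; the purchaseOrder follows the shape shown on the slides.
"""
import base64
import hmac
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_BODY = 64 * 1024

# Constructed partner directory (stand-in for the LDAP store) and the
# operations each principal may invoke: authenticate first, then authorise.
DIRECTORY = {"partner1": "s3cret-pw", "partner2": "other-pw"}
ALLOWED_OPS = {"partner1": {"purchaseOrder"}, "partner2": {"orderStatus"}}

# Content signatures run on the raw bytes before any XML parser sees them.
# "block" stops the flow (firewall); "alarm" records an event and continues (IDS).
SIGNATURES = [
    ("doctype-or-entity", re.compile(rb"<!DOCTYPE|<!ENTITY", re.I), "block"),
    ("html-script-in-text", re.compile(rb"(?:<|&lt;)script\b", re.I), "alarm"),
]

def split_http(raw):
    """Return (lower-cased header dict, body bytes) from a raw HTTP/1.1 request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def authenticate(headers):
    """HTTP BASIC against the directory; returns the principal or None."""
    auth = headers.get("authorization", "")
    if not auth.lower().startswith("basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = DIRECTORY.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), pw.encode()):
        return None
    return user

def validate_purchase_order(po):
    """Format and data-range rules; returns a problem string or None."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", po.get("orderDate", "")):
        return "orderDate malformed"
    ship = po.find("{*}shipTo")
    if ship is None or ship.get("country") not in {"US", "CA"}:
        return "shipTo missing or country not allowed"
    for field in ("name", "street", "city", "state", "zip"):
        if not (ship.findtext("{*}" + field) or "").strip():
            return "shipTo/" + field + " missing"
    if not re.fullmatch(r"\d{5}", ship.findtext("{*}zip")):
        return "zip out of range"
    return None

def inspect(raw):
    """Unwrap HTTP, authenticate, run signatures, parse, authorise, validate."""
    alarms = []
    def block(reason):
        return {"action": "block", "reason": reason, "alarms": alarms}
    headers, body = split_http(raw)
    principal = authenticate(headers)
    if principal is None:
        return block("authentication failed")
    if len(body) > MAX_BODY:
        return block("body too large")
    for name, pattern, action in SIGNATURES:
        if pattern.search(body):
            if action == "block":
                return block("signature " + name)
            alarms.append(name)
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return block("not well-formed: " + str(exc))
    soap_body = root.find("{" + SOAP_NS + "}Body")
    if soap_body is None or len(soap_body) == 0:
        return block("empty SOAP Body")
    op = soap_body[0]
    op_name = op.tag.rsplit("}", 1)[-1]
    if op_name not in ALLOWED_OPS.get(principal, set()):
        return block(principal + " not authorized for " + op_name)
    if op_name == "purchaseOrder":
        problem = validate_purchase_order(op)
        if problem:
            return block(problem)
    return {"action": "forward", "principal": principal, "operation": op_name, "alarms": alarms}

# Constructed samples.
def build_request(user, pw, body):
    cred = base64.b64encode((user + ":" + pw).encode()).decode()
    return (b"POST /services/order HTTP/1.1\r\nHost: b2b.example\r\nContent-Type: text/xml\r\n"
            b"Authorization: Basic " + cred.encode() + b"\r\nContent-Length: " +
            str(len(body)).encode() + b"\r\n\r\n" + body)

PO = (b'<?xml version="1.0"?><soap:Envelope xmlns:soap="' + SOAP_NS.encode() + b'"><soap:Body>'
      b'<purchaseOrder orderDate="1999-10-20"><shipTo country="US"><name>Alice Smith</name>'
      b'<street>123 Maple Street</street><city>Mill Valley</city><state>CA</state>'
      b'<zip>90952</zip></shipTo></purchaseOrder></soap:Body></soap:Envelope>')
GOOD = build_request("partner1", "s3cret-pw", PO)
BAD_AUTH = build_request("partner1", "wrong", PO)
BAD_ZIP = build_request("partner1", "s3cret-pw", PO.replace(b"90952", b"9095"))
WRONG_PARTNER = build_request("partner2", "other-pw", PO)
XXE = build_request("partner1", "s3cret-pw", PO.replace(b"?>", b'?><!DOCTYPE x [<!ENTITY e "x">]>', 1))
ALARM = build_request("partner1", "s3cret-pw", PO.replace(b"Alice Smith", b"Alice &lt;script&gt;"))

if __name__ == "__main__":
    for label, req in [("GOOD", GOOD), ("BAD_AUTH", BAD_AUTH), ("BAD_ZIP", BAD_ZIP),
                       ("WRONG_PARTNER", WRONG_PARTNER), ("XXE", XXE), ("ALARM", ALARM)]:
        print(label, inspect(req))
```

The order matters: the DOCTYPE signature runs on raw bytes so that an entity-expansion payload never reaches the parser, and authorization is checked on the operation name before the operation's own fields are validated, so an unauthorized caller learns nothing about the schema from the error. A nesting-depth limit would sit in the same place as the size check.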
Slide 76
AON Components
• AMC (AON Management Console): used for configuring and provisioning AON modules
• ADS (AON Design Studio): used for developing application policies ("flows")
• AON blades
• Log DB
Slide 77
Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, at the AON component, and through AON access controls
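The staging, proofing and role model described above is a small state machine: a flow moves development, staging, production, each stage is proofed before the flow leaves it, and which transitions a user may trigger depends on their role. The added example below, written for this page in Python and not Cisco AON code, implements it. Stages and role names follow the slide; the separation-of-duties rule that a flow's author can neither proof it nor approve it for production is an assumption added here, not something the slide states.

```python
"""Staged deployment of flows with roles and approvals.

Added example, not Cisco AON code. The stages and role names follow the
slide; the rule that a flow's author may neither proof nor approve it
(separation of duties) is an added assumption, not something the slide states.
"""
from dataclasses import dataclass, field

STAGES = ("development", "staging", "production")

# Role -> (from, to) transitions it may perform. Designers and developers can
# only push into staging; approvers promote to production; administrators may
# do both but are still bound by the separation-of-duties rule below.
PERMISSIONS = {
    "designer": {("development", "staging")},
    "developer": {("development", "staging")},
    "approver": {("staging", "production")},
    "administrator": {("development", "staging"), ("staging", "production")},
}

@dataclass
class Flow:
    name: str
    author: str
    stage: str = "development"
    proofed: bool = False        # verification stage passed at the current stage
    history: list = field(default_factory=list)

def proof(flow, user, users):
    """Verification stage: someone other than the author proofs the flow."""
    if users.get(user) is None:
        return "denied: unknown user " + user
    if user == flow.author:
        return "denied: author cannot proof own flow"
    flow.proofed = True
    flow.history.append((user, "proofed", flow.stage))
    return "ok: proofed at " + flow.stage

def promote(flow, user, users):
    """Move the flow one stage forward if role, proofing and approval rules allow."""
    role = users.get(user)
    if role is None:
        return "denied: unknown user " + user
    idx = STAGES.index(flow.stage)
    if idx == len(STAGES) - 1:
        return "denied: already in production"
    step = (flow.stage, STAGES[idx + 1])
    if step not in PERMISSIONS[role]:
        return "denied: %s may not promote %s -> %s" % (role, step[0], step[1])
    if not flow.proofed:
        return "denied: not proofed at " + flow.stage
    if step[1] == "production" and user == flow.author:
        return "denied: author cannot approve own flow for production"
    flow.stage = step[1]
    flow.proofed = False         # every stage is proofed afresh
    flow.history.append((user, "promoted", flow.stage))
    return "ok: now in " + flow.stage

# Constructed users and a walk-through of the promotion path.
USERS = {"designer1": "designer", "developer1": "developer",
         "approver1": "approver", "admin1": "administrator"}

def walkthrough():
    """Returns the list of outcomes, in order, for a designer-authored flow."""
    flow = Flow("order-status-v2", author="designer1")
    return [
        promote(flow, "designer1", USERS),      # denied: not proofed yet
        proof(flow, "designer1", USERS),        # denied: own flow
        proof(flow, "developer1", USERS),       # ok
        promote(flow, "designer1", USERS),      # ok: staging
        promote(flow, "designer1", USERS),      # denied: role cannot reach production
        promote(flow, "approver1", USERS),      # denied: not proofed at staging
        proof(flow, "approver1", USERS),        # ok
        promote(flow, "approver1", USERS),      # ok: production
        promote(flow, "admin1", USERS),         # denied: already in production
    ]

def admin_self_approval():
    """An administrator can push their own flow to staging but not approve it."""
    flow = Flow("hotfix", author="admin1")
    proof(flow, "approver1", USERS)
    promote(flow, "admin1", USERS)
    proof(flow, "approver1", USERS)
    return promote(flow, "admin1", USERS)

if __name__ == "__main__":
    for line in walkthrough():
        print(line)
    print(admin_self_approval())
```

The history list on each flow is the audit trail the slide's approval process implies: who proofed and who promoted at each stage, which is what an approver or auditor needs when a production flow misbehaves.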
Slide 78
Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture
  - Combining Layer 3/4 and Layer 7+ security controls
  - Common security functions: signatures, encryption, PKI
  - Deep content inspection, content-level ACLs
  - Reasonable administrative access controls
Slide 79
Q and A
Session Number 11657_09_2005_c1
5copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to frames
Physical Data Bits transmission
6copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
ADS (AON Design Studio)Used for DevelopingApplication Policies
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules AON Blades
AON
LOG DB
7copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature (for strong authentication)
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
Slide 8: These AON Security Functions…
…Are Currently Being Performed by Custom Code or Vendor-proprietary Tools Built into Dozens of Cisco External-Facing Services
(Table: AON security function vs. External App Environment 1, B2B (WebMethods), External App Environment 2, Other Environments)
Encryption using SSL V3 with bi-directional authentication
  External App Environment 1: Limited
  B2B (WebMethods): WebMethods specific; requires significant setup effort
  External App Environment 2: Limited
  Other Environments: Limited
XML Payload Encryption
  External App Environment 1: Custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External App Environment 2: Custom written by each app
  Other Environments: Limited
Protocol Translation
  External App Environment 1: Custom written by each application
  B2B (WebMethods): WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies
  External App Environment 2: Custom written by each application
  Other Environments: Custom written and/or product/technology specific
Digital Signature
  External App Environment 1: Custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External App Environment 2: STA (Secure Transport Architecture)—Custom
  Other Environments: Varies for each environment
DMZ-to-App Layer Secure Connector
  External App Environment 1: mod_IIOP over SSH pipes
  B2B (WebMethods): Reverse Proxy
  External App Environment 2: STA (Secure Transport Architecture)—Custom
  Other Environments: Varies for each environment
Slide 9: AON Delivers the Following Support Utilities for Reliability, Manageability and Targeted Service
Reliability
• Reliable Delivery
Manageability
• Message and Transaction-Level Logging
• Transaction Monitoring
Targeted Service
• Service Versioning (allows multiple versions of a single service to run simultaneously)
• Message/Content-Based Routing (routes messages based on contents and/or business rules)
Slide 10: These AON Reliability and Manageability Functions…
…Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco Services
(Tables: AON function vs. External App Environment 1, B2B (WebMethods), External App Environment 2, Other Environments)
AON Reliability Function
Encryption using SSL V3 with bi-directional authentication
  External App Environment 1: Custom written with limited capabilities
  B2B (WebMethods): WebMethods specific; requires significant setup effort
  External App Environment 2: Custom written with limited capabilities
  Other Environments: Custom written with limited capabilities
AON Manageability Function
Encryption using SSL V3 with bi-directional authentication
  External App Environment 1: Custom written by each app
  B2B (WebMethods): WebMethods specific
  External App Environment 2: Custom written by each app
  Other Environments: Limited
Monitoring (transaction level)
  External App Environment 1: Custom written by each application
  B2B (WebMethods): WebMethods specific; limited to WM transactions
  External App Environment 2: Custom written by each application
  Other Environments: Custom written and/or product/technology specific
Slide 11: These AON Targeted Service Functions…
…Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco Services
(Table: AON targeted service function vs. External App Environment 1, B2B (WebMethods), External App Environment 2, Other Environments)
Encryption using SSL V3 with bi-directional authentication
  External App Environment 1: Custom written with limited capabilities
  B2B (WebMethods): Custom written with limited capabilities
  External App Environment 2: Custom written with limited capabilities
  Other Environments: Custom written with limited capabilities
Message/Content-Based Routing
  External App Environment 1: Custom written with limited capabilities
  B2B (WebMethods): WebMethods specific; limited to WebMethods transactions
  External App Environment 2: Custom written by each application
  Other Environments: Custom written and/or product/technology specific
Slide 12: AON Features Deployed within Cisco IT
The goal is to have AON play the role of services management broker/gateway and serve as the single virtual gateway for all Web and B2B services. Below is a list of important features, many of which have been formalized as requirements:
• Authentication
• Monitoring
• Service Versioning
• Encryption and Digital Signatures
• Message-level Load Balancing and Distribution
• Logging
• Message and Content-Based Routing
• Protocol Translation
• Secure Tunneling across Firewall
• Contracts
• Billing
Slide 13: Before AON, Current Location of Application and Service Support Utilities
(Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs. External Env 1, External Env 2 and B2B each carry their own copy of the utilities below.)
• Environment/Technology specific: Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/Application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning
Slide 14: After AON, Future Location of Application and Service Support Utilities
(Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs. AON blades host the common utilities; business logic (Java, PERL, B2B) stays in the application layer.)
Common utilities moved to AON:
• SSL Termination • SIG/Cert Validation • Authentication • Logging • Content-based Routing
• Protocol Conversion • Payload Encryption • Payload Decryption • Schema Validation
Slide 15: Who Would Benefit From AON
Service Developers
• Reduces development lifecycle
• Builds on existing services
Business
• Time-to-market
• Lower development and maintenance cost
Information Security
• Simpler security model
• Better visibility
Infrastructure
• Reduced complexity
• Better visibility
Enterprise Architects
Slide 16: Cisco IT Recommended AON Architecture
(Diagram: Firewall | DMZ | Firewall | App Server Layer. An AON cluster in the DMZ and AON clusters in the application layer, linked by AONSP; App Dir Svc, Gateway, JMS Server, App1, Svc2, Svc3; traffic carried over HTTP(S) and JMS.)
Functions by cluster:
• SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.
• Payload Decryption, Schema Validation, Content Inspection/Routing, logging
• Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging
• Payload Encryption, DSIG, logging, etc.
Slide 17: Before AON, Transformation and Mapping
(Diagram: External Env 1 reaches a Proxy Web Service over SOAP/HTTP(s); the proxy uses a JMS Lib to reach the Messaging Bus. Transformation/Mapping and Automated BP run in Internal Env 1 (JMS Lib, Adaptor, OCM, JDBC); Custom Applications run in Internal Env 2 (JMS Lib, JDBC). Back End Systems/Packages/Databases and Internal DBs are reached over HTTP/SQL and Web Services.)
Slide 18: After AON, Phase I
(Diagram: as slide 17, with AON blades in place of the Proxy Web Services on External Env 1. Transformation/Mapping and Automated BP (Internal Env 1: JMS Lib, Adaptor, OCM, JDBC) and Custom Applications (Internal Env 2: JMS Lib, JDBC) still reach the Messaging Bus, Back End Systems/Packages/Databases and Internal DBs over SOAP/HTTP(s), HTTP/SQL and Web Services.)
AON Blades Replace Proxy Web Services on External Env 1
Slide 19: After AON, Phase II
(Diagram: AON with Transformation/Mapping in front of Back End Systems/Packages/Databases and Internal DBs, reached over SOAP/HTTP(s), HTTP/SQL and Web Services.)
AON Blades Could Also Replace the Business Process and Transformation Engine by Providing Transformation/Mapping Capabilities in Addition to the Proxy Web Service Layer (Phase 2)
Slide 21: Using AON vs. B2B Gateway
(Diagram: Customers and Partners on the Internet reach the Enterprise Network. Message types: SOAP/HTTP(S), XML/HTTP(S), RNIF, EDI/AS2, Flat File/HTTP(S). Components: Legacy B2B Gateway, Distributed Enterprise Services.)
Slide 22: Protocol Relationships
(Diagram: Web Services Protocol Set stacked as TCP/IP, HTTP, SOAP, WS-Security, with XML-Digital Signature (DSIG) and XML-Encryption (XENC) alongside; AON as Service Broker; WSDL and UDDI exchanged out of band.)
Slide 23: What Role Does AON Play in SOA
• Service Broker
  Application-Level Message Routing
  Application/Service Security
  Application-Level Monitoring
  Service Abstraction
  Protocol Translation
  Transformation and Mapping
• Message Schema Validation
Slide 24: What Role Does AON Play in Application Integration
Application Integration
• Protocol Translation
• Transformation and Mapping
• Message Schema and Data Validation
Slide 25: Cisco IT AON Production, Intangible Benefits
• Faster time to delivery by reducing development lifecycle
• Better security made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements by individual applications
• Moving intelligence into the network
Slide 26: Cisco IT View of AON
An invisible message router/gateway in the network that routes, transforms, monitors and authenticates/authorizes messages between end points.
Slide 27: How Can AON Be Invisible
An AON node resides in the network as an inline, application-aware device. The device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications.
Slide 28: AON Modes of Operation
Transparent Mode: intercept with no change to applications
(Diagram: Sending Application A → Integrated Switch / AON Blade → Receiving Application B. Based on a WCCP re-direct ACL, the switch intercepts traffic (e.g. http://B/Service1) and forwards it to AON.)
Slide 29: AON Best Practices, A Cisco IT Perspective
Slide 30: Best Practices, Logical Diagram
(Diagram: Firewall | DMZ | Firewall | App Server Layer, with AON clusters in each zone linked by AONSP and a Log DB. Functions by cluster: SSL Termination, DSIG/Cert Validation, Authentication, logging; Payload Decryption, Schema Validation, Content Inspection/Routing, logging; Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; Payload Encryption, DSIG, logging.)
• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties
Slide 31: Best Practices, Provisioning and Management
(Diagram: same AON cluster layout across Firewall | DMZ | Firewall | App Server Layer, with Log DB and AONSP links and the same per-cluster functions.)
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention utilizing standard name spacing
• Implement isolation by sandboxing development environments by project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes into account all of the above
Slide 32: Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com Integration (contacts, leads, etc.)
Slide 33: Q and A
Slide 34: Intermission
Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT
Slide 35: Security with AON
Brook Schoenfield, Senior Security Architect, CSPO
Slide 36: Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 37: Agenda
• Where Does AON Fit into the Bigger Picture
  What is Service Oriented Architecture (SOA)
  What is Application Integration
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 38: SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)
Slide 39: SOA Is Now
“By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects.”
Gartner Inc., “The Hype Is Right: Web Services Will Deliver Immediate Benefits,” October 2001
This is FYQ06: enterprises are looking for that 30% gain.
Slide 40: AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become “part of the network”
Slide 41: Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business process focused
• Single source of truth
• Development cycles—reusability
• Business responsiveness
• Consistency
• Security functions
Slide 42: Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)
Slide 43: Complexity (and Risk) Increase with Adoption
(Diagram: Partner 1, Partner 2, … Partner n connected to Self-Service, Inventory Mgmt and Call Center services.)
Slide 44: Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
The code’s internal state is not openly exposed:
• Only well-defined requests are serviced
• Requests do not reveal the service’s algorithms
• Requests do not describe the service’s state
• Requests provide services, not data access
Services should not share ACID transactions:
• Transactions imply a certain level of trust
• Locks may be held for a long time
• Transactions imply a level of coupling
—Microsoft Incorporated
Slide 45: Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 46: What Role Does AON Play
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator
Slide 47: AON and the OSI Stack
Application: Message Level Protocol (SOAP)
Presentation: ASCII, MPEG, GIF, etc.
Session: RPC, NFS
Transport: TCP, UDP
Network: IP Logical Addressing
Data Link: Data Translation to Frames
Physical: Data Bits Transmission
AON functions at the upper layers (Layer 7+): Content Inspection, Transformation, Security & Mapping; Content-Based Routing
Slide 48: Pre-AON Inspection and Operation
(Diagram: IP | TCP | HTTP | payload. The payload is opaque.)
Switches, Routers, Firewalls and “Content Inspection” operate around the payload
Slide 49: AON Is Inside the TCP/IP Wrapper
(Diagram: IP | TCP | HTTP (Http://www) | Payload/Message)
Session protocol + content inspection == session and payload
Payload/Message:
  <?xml version="1.0"?>
  <purchaseOrder orderDate="1999-10-20">
    <shipTo country="US">
      <name>Alice Smith</name>
      <street>123 Maple Street</street>
      <city>Mill Valley</city>
      <state>CA</state>
      <zip>90952</zip>
    </shipTo>
    …
Slide 50: AON Is Inside the TCP/IP Wrapper (continued)
(Diagram: same as slide 49, IP | TCP | HTTP (Http://www) | Payload/Message with the purchaseOrder XML; session protocol + content inspection == session and payload.)
Optimized for XML Payloads
Slide 51: AON == Message Content and Envelope
(Diagram: IP | TCP | HTTP | HTTP Envelope (SOAP) | Messages (XML envelope standards + custom XML) == “Deep Inspection”; SOAP/WSEC over Http://www; HTTP | XML Message Body.)
Existing Message Bodies + Custom Parsing
Slide 52: Why XML
• TCP/IP gives you network HW independence
• JAVA gives you platform independence (sort’a, kind’a; for the first few years it was “write once, debug everywhere”)
• XML gives you data independence
• Ubiquitous adoption
Slide 53: AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital Signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)
Slide 54: These AON Security Functions…
…Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
(Table: AON security function vs. External App Environment 1, B2B (WebMethods), External App Environment 2, Other Environments)
Encryption using SSL V3 with bi-directional authentication
  External App Environment 1: Limited
  B2B (WebMethods): WebMethods specific; requires significant setup effort
  External App Environment 2: Limited
  Other Environments: Limited
XML Payload Encryption
  External App Environment 1: Custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External App Environment 2: Custom written by each app
  Other Environments: Limited
Protocol Translation
  External App Environment 1: Custom written by each application
  B2B (WebMethods): WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies
  External App Environment 2: Custom written by each application
  Other Environments: Custom written and/or product/technology specific
Digital Signature
  External App Environment 1: Custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External App Environment 2: Custom written by each app
  Other Environments: Limited
DMZ-to-App Layer Secure Connector
  External App Environment 1: mod_IIOP over SSH pipes
  B2B (WebMethods): Reverse Proxy
  External App Environment 2: STA (Secure Transport Architecture)—Custom
  Other Environments: Varies for each environment
Slide 55: Before AON, Current Location of Application and Service Support Utilities
(Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs. External Env 1, External Env 2 and B2B each carry their own copy of the utilities below.)
• Environment/Technology specific: Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/Application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning
Slide 56: After AON, Future Location of Application and Service Support Utilities
(Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs. AON blades host the common utilities; business logic (Java, PERL, B2B) stays in the application layer.)
Common utilities moved to AON:
• SSL Termination • SIG/Cert Validation • Authentication • Logging • Content-based Routing
• Protocol Conversion • Payload Encryption • Payload Decryption • Schema Validation
Slide 57: Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 58: AON Security
• AON fosters a better network security architecture because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e. layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59: Pre-AON Web Security Architecture
(Diagram: Firewall | DMZ: Web Servers (WS) | Firewall | Application Layer: Business Logic (Java, PERL, B2B) | Firewall | Internal DBs.)
Slide 60: Pre-AON SOA/Web Services Security Architecture
(Diagram: as slide 59, with a Web Services Gateway (WSGW) added.)
Slide 61: Pre-AON Attack Vectors
(Diagram: the same pre-AON architecture with WSGW: Firewall | DMZ: Web Servers (WS) | Firewall | Application Layer: Business Logic (Java, PERL, B2B) | Firewall | Internal DBs.)
Slide 62: Pre-AON Attack Vectors
(Diagram: Firewall | DMZ: Web Servers (WS) | Firewall | Application Layer: Business Logic (Java, PERL, B2B), WSGW | Firewall | Internal DBs.)
• Net architecture must be changed for the GW (more switches and routers = more ACs to manage)
• The GW is NOT part of the network: compromise of layer 3/4 can attack the application layer, going around the GW
Slide 63: A Possible (Simplified) AON Architecture
(Diagram: Firewall | DMZ: Web Servers (WS) | Firewall | Application Layer: Business Logic (Java, PERL, B2B) fronted by AON | Firewall | Internal DBs.)
• AON is part of the network; the app layer is directly connected to the network device
• Message protection is terminated at AON; no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64: AON Potential Architecture
(Diagram: Firewall | DMZ | Firewall | App Server layer. AON clusters in the DMZ and application layer linked by AONSP; App Dir Svc, Gateway, JMS Server, App1, Svc2, Svc3; traffic over HTTP(S) and JMS. Functions by cluster: SSL Termination, DSIG/Cert Validation, Authentication, logging; Payload Decryption, Schema Validation, Content Inspection/Routing, logging; Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; Payload Encryption, DSIG, logging.)
Web servers == AON (DMZ)
Common Application functions == AON
Slide 65: AON Potential Architecture
(Diagram: same as slide 64: Firewall | DMZ | Firewall | App Server layer, AON clusters linked by AONSP, App Dir Svc, Gateway, JMS Server, App1, Svc2, Svc3, HTTP(S) and JMS traffic, same per-cluster functions.)
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer, provided by AON, protect services and logic in the application layer
Slide 66: Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: “For application developers, not by application developers”
• AON provides common and consistent implementations of message-level security functions
Slide 67: Some of AON’s Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 Certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68: Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + More standards proposed (alphabet soup)
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)
Slide 69: AON Implements Messaging Standards
(Diagram: XML Protocol Set stacked as TCP/IP, HTTP, SOAP, WS-Security, with XML-Encryption (XENC), XML-Digital Signature (DSIG) and XML-Expressions (XSLT) alongside; AON as Security Integrator for SOA.)
Slide 70: Standards Relationships
(Diagram: the same XML Protocol Set stack, TCP/IP, HTTP, SOAP, WS-Security with XENC, DSIG and XSLT alongside; AON labelled Accelerated XML Services.)
Slide 71: Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used over the entire message or for parts of a message; uses certificate or key enveloping (WSSEC). DSIG is very general purpose.
Slide 72: Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Slide 73: Authentication
• HTTP BASIC
• SOAP Enveloped (header)
• Enterprise LDAP (Directory) stores
• Different types of credentials
  X.509 Certificate
  Signature validation (XENC, certificate based)
Slide 74: Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general purpose mechanism for controlling message access and routing
Slide 75: Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java “bladelets” code that can use the same services as AON’s internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a Firewall (because signatures do not come out-of-the-box)
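Slides 44, 74 and 75 describe a flow as a message-level ACL: format and data-range validation, authorization rules, content-based routing, and signatures that raise alarms or stop the flow. The Python below is an added example (not AON code, not Cisco's) that applies such a flow to the purchaseOrder message from slide 49; the principal names, allowed countries, routes and block signatures are constructed policy values, and the signature list is checked on the raw bytes before the parser ever sees the document.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed sample: the purchaseOrder message shown on slide 49, with the
# elided tail replaced by a closing tag so the document is complete.
SAMPLE_ORDER = b"""<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>
"""

# Constructed policy values standing in for what a deployed flow would carry.
MAX_MESSAGE_BYTES = 64 * 1024
ALLOWED_COUNTRIES = {"US", "CA"}                               # data-range rule on shipTo/@country
ROUTES = {"US": "jms://orders.us", "CA": "jms://orders.ca"}    # content-based routing table
AUTHORIZED_PRINCIPALS = {"partner-a": {"purchaseOrder"}}      # authorization: principal -> message types
REQUIRED_SHIP_TO = ("name", "street", "city", "state", "zip")

# Constructed "XML firewall signatures", matched on the raw bytes before any
# parsing so that a hostile document never reaches the parser.
BLOCK_SIGNATURES = [
    ("dtd-declaration", re.compile(rb"<!DOCTYPE", re.IGNORECASE)),        # entity expansion / external entities
    ("external-stylesheet", re.compile(rb"<\?xml-stylesheet", re.IGNORECASE)),
]


@dataclass
class Verdict:
    """Outcome of one flow run. `reason` is for the gateway log, not the caller:
    the caller only learns accept/reject, so the service's state stays hidden."""
    allowed: bool
    reason: str
    route: Optional[str] = None
    alarms: List[str] = field(default_factory=list)


def inspect_message(raw: bytes, principal: str) -> Verdict:
    # 1. Signatures (content IDS / firewall behaviour): raise alarms and stop the flow.
    if len(raw) > MAX_MESSAGE_BYTES:
        return Verdict(False, "message exceeds size limit")
    alarms = [name for name, pattern in BLOCK_SIGNATURES if pattern.search(raw)]
    if alarms:
        return Verdict(False, "blocked by signature", alarms=alarms)

    # 2. Format validation: well-formed XML with the expected root and children.
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return Verdict(False, f"malformed XML: {exc}")
    if root.tag != "purchaseOrder":
        return Verdict(False, f"unexpected root element {root.tag!r}")
    ship_to = root.find("shipTo")
    if ship_to is None:
        return Verdict(False, "missing shipTo element")
    missing = [name for name in REQUIRED_SHIP_TO if ship_to.findtext(name) is None]
    if missing:
        return Verdict(False, f"missing shipTo children: {missing}")

    # 3. Authorization rule: only well-defined requests from allowed principals are serviced.
    if root.tag not in AUTHORIZED_PRINCIPALS.get(principal, set()):
        return Verdict(False, f"principal {principal!r} not authorized for {root.tag}")

    # 4. Data-range validation on the fields the routing decision depends on.
    try:
        date.fromisoformat(root.get("orderDate", ""))
    except ValueError:
        return Verdict(False, "orderDate is not a valid ISO date")
    if not re.fullmatch(r"\d{5}", ship_to.findtext("zip")):
        return Verdict(False, "zip must be exactly five digits")
    country = ship_to.get("country")
    if country not in ALLOWED_COUNTRIES:
        return Verdict(False, f"country {country!r} is not served")

    # 5. Content-based routing: accepted messages are routed by destination country.
    return Verdict(True, "accepted", route=ROUTES[country])


if __name__ == "__main__":
    cases = [
        ("good order", SAMPLE_ORDER, "partner-a"),
        ("unknown principal", SAMPLE_ORDER, "stranger"),
        ("bad zip", SAMPLE_ORDER.replace(b"90952", b"9095"), "partner-a"),
        ("DTD present", b"<!DOCTYPE x>" + SAMPLE_ORDER, "partner-a"),
    ]
    for label, raw, who in cases:
        v = inspect_message(raw, who)
        print(f"{label:18} allowed={v.allowed!s:5} route={v.route} reason={v.reason}")
```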
Slide 76: AON Components
• AMC (AON Mgmt Console): used for configuring and provisioning AON modules
• ADS (AON Design Studio): used for developing application policies, “Flows”
• AON blades, logging to a LOG DB
Slide 77: Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, at the AON component, and through AON access controls
Slide 78: Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco’s SOA
• AON security features/architecture
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection: content-level ACLs
  Reasonable administrative access controls
Slide 79: Q and A
Session Number 11657_09_2005_c1
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
6copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
ADS (AON Design Studio)Used for DevelopingApplication Policies
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules AON Blades
AON
LOG DB
7copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature (for strong authentication)
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
8copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
LimitedSTA (Secure Transport
Architecture)mdashCustom
Varies for each environment
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
9copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Reliabilitybull Reliable Delivery
Manageabilitybull Message and Transaction-Level Logging
bull Transaction Monitoring
Targeted Servicebull Service Versioning (allows multiple versions of single service
to run simultaneously)
bull MessageContent-Based Routing (routes messages based on contents andor business rules)
These AON reliability and manageability functions are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco services.

AON reliability function, by environment (External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other environments):

Reliable delivery: Env 1: custom written with limited capabilities; B2B: WebMethods specific, requires significant setup effort; Env 2: custom written with limited capabilities; Other: custom written with limited capabilities.

AON manageability function, by environment:

Logging (message and transaction level): Env 1: custom written by each app; B2B: WebMethods specific; Env 2: custom written by each app; Other: limited.
Monitoring (transaction level): Env 1: custom written by each application; B2B: WebMethods specific, limited to WebMethods transactions; Env 2: custom written by each application; Other: custom written and/or product/technology specific.

These AON targeted-service functions are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco services.

AON targeted-service function, by environment:

Service versioning: custom written with limited capabilities in all four environments.
Message/content-based routing: Env 1: custom written with limited capabilities; B2B: WebMethods specific, limited to WebMethods transactions; Env 2: custom written by each application; Other: custom written and/or product/technology specific.
AON features deployed within Cisco IT

The goal is to have AON play the role of services management broker/gateway and be the single virtual gateway for all Web and B2B services. Below is a list of important features, many of which have been formalized as requirements:

• Authentication
• Monitoring
• Service versioning
• Encryption and digital signatures
• Message-level load balancing and distribution
• Logging
• Message- and content-based routing
• Protocol translation
• Secure tunneling across firewalls
• Contracts
• Billing
Before AON: current location of application and service support utilities

[Diagram: DMZ and application layer separated by firewalls; three environments (External Env 1, External Env 2, B2B), each fronting its own internal databases. Every environment carries its own copy of the same utilities:]
• Environment/technology specific: authentication, SSL v3 termination, DSIG validation, encryption
• Custom, application-based: content inspection/routing, schema validation, logging, service versioning

After AON: future location of application and service support utilities

[Diagram: the same DMZ / application layer / internal DB layout, with AON blades providing the common utilities in front of the Java, PERL and B2B business logic.] Common utilities moved into AON:
• SSL termination
• Signature/certificate validation
• Authentication
• Logging
• Content-based routing
• Protocol conversion
• Payload encryption
• Payload decryption
• Schema validation
Who would benefit from AON?

Service developers
• Reduced development lifecycle
• Builds on existing services

Business
• Time-to-market
• Lower development and maintenance cost

Information Security
• Simpler security model
• Better visibility

Infrastructure
• Reduced complexity
• Better visibility

Enterprise architects
Cisco IT recommended AON architecture

[Diagram: Firewall | DMZ | Firewall | App Server Layer. Clusters of AON blades sit in the DMZ and in the application layer and talk to each other over AONSP; external clients arrive over HTTP(S); back-end targets (App1, Svc2, Svc3, Gateway, JMS Server, App Dir Svc) are reached over HTTP(S) or JMS.] Function groups shown along the message path:
1. SSL termination, DSIG/certificate validation, authentication, logging, etc.
2. Payload decryption, schema validation, content inspection/routing, logging
3. Protocol conversion (HTTP to JMS), content-based routing, logging
4. Payload encryption, DSIG, logging, etc.
Before AON: transformation and mapping

[Diagram: External Env 1 reaches a proxy Web service over SOAP/HTTP(S); the proxy uses a JMS library to put messages on the messaging bus. Internal Env 1 (automated business process) and Internal Env 2 (custom applications) also attach to the bus through JMS libraries. Transformation/mapping, adaptors, OCM, HTTP/SQL Web services and JDBC connect the bus to the back-end systems, packages and databases.]

After AON, phase I

[Diagram: the same bus, with AON blades replacing the proxy Web services on External Env 1. Transformation/mapping, the automated business process, adaptors, OCM, JDBC and the HTTP/SQL Web services are unchanged.]

After AON, phase II

[Diagram: AON with transformation and mapping sits in front of the back-end systems, packages and databases, reached over SOAP/HTTP(S) and HTTP/SQL Web services.] AON blades could also replace the business process and transformation engine by providing transformation/mapping capabilities in addition to the proxy Web service layer.
Using AON vs. a B2B gateway

[Diagram: customers and partners on the Internet reach the enterprise network over SOAP/HTTP(S), XML/HTTP(S), RNIF, EDI/AS2 and flat file/HTTP(S). The legacy B2B gateway and AON both front the distributed enterprise services.]
Protocol relationships

[Diagram: the Web services protocol set stacked as TCP/IP, HTTP, SOAP and WS-Security, with XML-Digital Signature (DSIG) and XML-Encryption (XENC) carried inside WS-Security. AON acts as the service broker; WSDL is exchanged out of band and services are discovered through UDDI.]
What role does AON play in SOA?

• Service broker
  Application-level message routing
  Application/service security
  Application-level monitoring
  Service abstraction
  Protocol translation
  Transformation and mapping
• Message schema validation

What role does AON play in application integration?

• Protocol translation
• Transformation and mapping
• Message schema and data validation
Cisco IT AON production: intangible benefits

• Faster time to delivery by reducing the development lifecycle
• Better security, made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements by individual applications
• Moving intelligence into the network
Cisco IT view of AON

An invisible message router/gateway in the network that routes, transforms, monitors, authenticates and authorizes messages between end points.

How can AON be invisible?

An AON node resides in the network as an inline, application-aware device. The device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to them.
AON modes of operation

Transparent mode: intercept with no change to applications

[Diagram: Sending Application A sends to http://B/Service1. The integrated switch, based on a WCCP redirect ACL, intercepts the traffic and forwards it to the AON blade, which then delivers it to Receiving Application B.]
AON best practices: a Cisco IT perspective

Best practices: logical diagram

[Diagram: Firewall | DMZ | Firewall | App Server Layer, with separate AON clusters in the DMZ and in the application layer connected over AONSP, a shared log DB, and the same four function groups (SSL termination, DSIG/certificate validation, authentication, logging; payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP to JMS), content-based routing, logging; payload encryption, DSIG, logging).]
• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web services, the infrastructure AON cluster should sit in the DMZ while the application AON cluster resides in the protected network
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties
Best practices: provisioning and management

[Diagram: the same cluster layout as above.]
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention using standard namespacing
• Implement isolation by sandboxing the development environment per project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes all of the above into account
Cisco IT services leveraging AON

• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com integration (contacts, leads, etc.)

Q and A

Intermission

Coming up in the next hour:
• Security with AON
• AON deployment timelines within Cisco IT
• AON business case within Cisco IT

Security with AON
Brook Schoenfield, Senior Security Architect, CSPO
Agenda

• Where does AON fit into the bigger picture?
  What is Service Oriented Architecture (SOA)?
  What is application integration?
• What is AON?
• AON security features/architecture
  Combining layer 3/4 and layer 7+
  Common security functions
  Deep content inspection
  Access controls
SOA

• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)
SOA is now

"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects."
Gartner, Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001

This is FYQ06; enterprises are looking for that 30% gain.
AON and SOA

• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"

Cisco IT specific drivers for SOA

• Move from functionally focused IT to business-process focused IT
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions
Example of Cisco distributed services (SOA)

• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)

Complexity (and risk) increase with adoption

[Diagram: the same services consumed by Partner 1, Partner 2 ... Partner n, self-service, inventory management and the call center.]
Healthy distrust = security controls

• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests

The code's internal state is not openly exposed
• Only well-defined requests are serviced
• Requests do not reveal the service's algorithms
• Requests do not describe the service's state
• Requests provide services, not data access

Services should not share ACID transactions
• Transactions imply a certain level of trust
• Locks may be held for a long time
• Transactions imply a level of coupling (Microsoft Incorporated)
Agenda

• Where does AON fit into the bigger picture?
• What is AON?
• AON security features/architecture
  Combining layer 3/4 and layer 7+
  Common security functions
  Deep content inspection
  Access controls

What role does AON play?

• Service broker in SOA
• Integration broker in application integration
• Message security integrator
AON and the OSI stack

Application    Message-level protocol (SOAP); content-based routing; content inspection, transformation, security & mapping (where AON operates)
Presentation   ASCII, MPEG, GIF, etc.
Session        RPC, NFS
Transport      TCP, UDP
Network        IP logical addressing
Data Link      Data translation to frames
Physical       Data bits transmission
Pre-AON inspection and operation

IP | TCP | HTTP | payload (opaque)
Switches, routers, firewalls and "content inspection" operate around the payload.

AON is inside the TCP/IP wrapper

IP | TCP | HTTP | payload (message)
Session protocol + content inspection == session and payload. AON is optimized for XML payloads, for example a purchase order carried over HTTP:

  <?xml version="1.0"?>
  <purchaseOrder orderDate="1999-10-20">
    <shipTo country="US">
      <name>Alice Smith</name>
      <street>123 Maple Street</street>
      <city>Mill Valley</city>
      <state>CA</state>
      <zip>90952</zip>
    </shipTo>
    ...

AON == message content and envelope

IP | TCP | HTTP | HTTP envelope (SOAP) | messages (XML envelope standards + custom XML) == "deep inspection"
Whether the message arrives as SOAP/WS-Security over HTTP or as a plain HTTP XML message body, AON handles existing message bodies plus custom parsing.
Why XML?

• TCP/IP gives you network hardware independence
• Java gives you platform independence (sort'a, kind'a; for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
AON delivers the following support utilities for security:

• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital signature
• DMZ-to-application layer secure connector (like SSH or STA)
These AON security functions are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco external-facing services.

AON security function, by environment (External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other environments):

Encryption using SSL v3 with bi-directional authentication: Env 1: limited; B2B: WebMethods specific, requires significant setup effort; Env 2: limited; Other: limited.
XML payload encryption: Env 1: custom written by each app using Java libraries (limited); B2B: limited; Env 2: custom written by each app (limited); Other: limited.
Protocol translation: Env 1: custom written by each application; B2B: WebMethods specific, limited to WebMethods transactions, interoperates with a limited number of messaging technologies; Env 2: custom written by each application; Other: custom written and/or product/technology specific.
Digital signature: Env 1: custom written by each app using Java libraries (limited); B2B: limited; Env 2: custom written by each app (limited); Other: limited.
DMZ-to-application layer secure connector: Env 1: mod_IIOP over SSH pipes; B2B: reverse proxy; Env 2: STA (Secure Transport Architecture), custom; Other: varies for each environment.
Before AON: current location of application and service support utilities

[Diagram: DMZ and application layer separated by firewalls; External Env 1, External Env 2 and B2B each front their own internal databases and each carry their own copy of the same utilities:]
• Environment/technology specific: authentication, SSL v3 termination, DSIG validation, encryption
• Custom, application-based: content inspection/routing, schema validation, logging, service versioning

After AON: future location of application and service support utilities

[Diagram: the same layout, with AON blades providing the common utilities in front of the Java, PERL and B2B business logic.] Common utilities moved into AON:
• SSL termination
• Signature/certificate validation
• Authentication
• Logging
• Content-based routing
• Protocol conversion
• Payload encryption
• Payload decryption
• Schema validation
Agenda

• Where does AON fit into the bigger picture?
• What is AON?
• AON security features/architecture
  Combining layer 3/4 and layer 7+
  Common security functions
  Deep content inspection
  Access controls

AON security

• AON fosters a better network security architecture because it reduces the unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e. layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Pre-AON Web security architecture

[Diagram: Firewall | DMZ | Firewall | Application Layer. Web servers (WS) in the DMZ front the Java, PERL and B2B business logic, which in turn reaches the internal DBs.]

Pre-AON SOA/Web services security architecture

[Diagram: as above, with a Web services gateway (WSGW) added in the application layer.]

Pre-AON attack vectors

[Diagram: the same layout, annotated:]
• The network architecture must be changed for the gateway (more switches and routers = more ACLs to manage)
• The gateway is NOT part of the network: a compromise at layer 3/4 can attack the application layer, going around the gateway
A possible (simplified) AON architecture

[Diagram: the same Firewall | DMZ | Firewall | Application Layer layout with AON in place of the Web services gateway, annotated:]
• AON is part of the network; the application layer is directly connected to a network device
• Message protection is terminated at AON; no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries
AON potential architecture

[Diagram: the Cisco IT recommended architecture again: Firewall | DMZ | Firewall | App Server Layer; AON clusters in both tiers joined by AONSP; HTTP(S) in from clients, HTTP(S) or JMS out to App1, Svc2, Svc3, Gateway, JMS Server and App Dir Svc; function groups of SSL termination, DSIG/certificate validation, authentication and logging; payload decryption, schema validation, content inspection/routing and logging; protocol conversion (HTTP to JMS), content-based routing and logging; payload encryption, DSIG and logging.]
• Web servers == AON; common application functions == AON
• Replace Web servers with AON
• AON terminates HTTPS and provides the other DMZ functions
• Common functions in the application layer, provided by AON, protect the services and logic in the application layer
Implementation consistency

• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "for application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions
Some of AON's security functions

• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Key XML standards

• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• Plus more proposed standards, an alphabet soup:
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)
AON implements messaging standards

[Diagram: the XML protocol set stacked as TCP/IP, HTTP, SOAP and WS-Security, with XML-Encryption (XENC), XML-Digital Signature (DSIG) and XML expressions (XSLT) on top. AON is the security integrator for the SOA.]

Standards relationships

[Diagram: the same stack, with AON providing accelerated XML services.]
Digital signatures (X.509 + DSIG)

• Authentication credentials
• Non-repudiation
• Integrity
• Used over the entire message or for parts of a message, with certificate or key enveloping (WS-Security); DSIG is very general purpose

Encryption/decryption

• Confidentiality
• Integrity (note that XENC by itself does not detect tampering; pair encrypted content with a DSIG or a MAC for integrity)
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message

Authentication

• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials: X.509 certificate; signature validation (DSIG, certificate based)
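The "SOAP enveloped (header)" credential above is, in practice, a WS-Security UsernameToken. The following is an added example (not AON code and not from this deck) of how a gateway verifies the PasswordDigest form of that token as defined in the OASIS WSS UsernameToken Profile: PasswordDigest = Base64(SHA-1(nonce + created + password)). It rejects plaintext passwords, stale Created timestamps and replayed nonces, and compares digests in constant time. The credential store, the client name partner-acme, the sample envelope and the clock value are constructed for the demo; a real gateway would look the password up in the enterprise LDAP store named on the slide.

```python
"""Verify a WS-Security UsernameToken (PasswordDigest form) in a SOAP header.

Added example; not Cisco AON code. Credential store, nonce cache and the
sample envelope are constructed stand-ins.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")

# Constructed credential store (username -> password); stands in for an LDAP lookup.
CREDENTIALS = {"partner-acme": "s3cret-pw"}


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)) per the WSS profile."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


class UsernameTokenVerifier:
    def __init__(self, credentials, max_skew=timedelta(minutes=5)):
        self.credentials = credentials
        self.max_skew = max_skew          # freshness window for wsu:Created
        self.seen_nonces = set()          # replay cache of (username, nonce)

    def verify(self, envelope_xml: str, now: datetime):
        """Return (True, username) on success, else (False, reason)."""
        root = ET.fromstring(envelope_xml)
        token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
        if token is None:
            return False, "no UsernameToken"
        username = token.findtext("wsse:Username", default="", namespaces=NS)
        password_el = token.find("wsse:Password", NS)
        nonce_el = token.find("wsse:Nonce", NS)
        created = token.findtext("wsu:Created", default="", namespaces=NS)
        if password_el is None or nonce_el is None or not created:
            return False, "incomplete token"
        if password_el.get("Type") != DIGEST_TYPE:
            return False, "plaintext password not accepted"   # only the digest form is allowed
        try:
            created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "bad Created timestamp"
        if abs(now - created_at) > self.max_skew:
            return False, "Created outside freshness window"
        nonce = base64.b64decode(nonce_el.text or "")
        if (username, nonce) in self.seen_nonces:
            return False, "nonce replayed"
        expected_password = self.credentials.get(username)
        if expected_password is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, expected_password)
        if not hmac.compare_digest(expected, password_el.text or ""):   # constant-time compare
            return False, "digest mismatch"
        self.seen_nonces.add((username, nonce))
        return True, username


def build_envelope(username: str, password: str, nonce: bytes, created: str) -> str:
    """Client side of the exchange: a SOAP envelope carrying a digest UsernameToken."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
      <wsse:UsernameToken>
        <wsse:Username>{username}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{password_digest(nonce, created, password)}</wsse:Password>
        <wsse:Nonce>{base64.b64encode(nonce).decode('ascii')}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><OrderStatus><orderId>12345</orderId></OrderStatus></soap:Body>
</soap:Envelope>"""


def demo():
    """Constructed traffic: a good token, its replay, a wrong password, a stale timestamp."""
    now = datetime(2005, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
    created = "2005-09-01T12:00:00Z"
    verifier = UsernameTokenVerifier(CREDENTIALS)
    good = build_envelope("partner-acme", "s3cret-pw", b"\x01\x02\x03\x04\x05\x06\x07\x08", created)
    results = [verifier.verify(good, now)]                       # accepted
    results.append(verifier.verify(good, now))                   # same nonce again: replay
    bad = build_envelope("partner-acme", "wrong", b"\x09" * 8, created)
    results.append(verifier.verify(bad, now))                    # digest mismatch
    stale = build_envelope("partner-acme", "s3cret-pw", b"\x0a" * 8, "2005-09-01T11:00:00Z")
    results.append(verifier.verify(stale, now))                  # outside the freshness window
    return results


if __name__ == "__main__":
    for ok, detail in demo():
        print("ACCEPT" if ok else "REJECT", detail)
```

The nonce cache only needs to remember nonces for as long as the freshness window, which is why the timestamp check runs before the replay check; a token older than the window is rejected whether or not its nonce was seen.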
Flow security mechanisms

• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out of the box)
• A very general-purpose mechanism for controlling message access and routing

Deep content inspection

• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelet" code that can use the same services as AON's internal content-handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out of the box)
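An added example, not AON code or a flow exported from ADS, of what one such flow does end to end: firewall-style signatures on the raw bytes, well-formedness, a schema-like structure check and data-range checks on the purchaseOrder shown earlier, an authorization rule per client, and finally the content-based routing and service-versioning decision described under "Targeted service". The client names, the allowed-operation table, the route table and the sample messages are constructed; the signature set is deliberately small and is a stand-in for whatever the IDS or firewall team would write.

```python
"""Flow-style content inspection for SOAP messages.

Added example; not Cisco AON code. Clients, tables and sample traffic are constructed.
"""
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_BYTES = 64 * 1024

# Firewall-style signatures run on the raw bytes before any parsing, so a
# message built to blow up the parser never reaches it.
SIGNATURES = {
    "doctype-or-entity (XXE / entity expansion)": re.compile(rb"<!(DOCTYPE|ENTITY)", re.I),
    "stylesheet processing instruction": re.compile(rb"<\?xml-stylesheet", re.I),
}

# Authorization rule: which authenticated client may invoke which operation (constructed).
ALLOWED = {"partner-acme": {"purchaseOrder"}, "partner-globex": {"purchaseOrder", "orderStatus"}}

# Route table keyed by (operation, service version) -> back-end JMS queue (constructed).
ROUTES = {
    ("purchaseOrder", "1"): "queue.po.v1",
    ("purchaseOrder", "2"): "queue.po.v2",
    ("orderStatus", "1"): "queue.status.v1",
}


class Reject(Exception):
    """Raised with the reason a message is dropped; the flow logs it and stops."""


def localname(tag: str) -> str:
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def validate_purchase_order(po):
    """Structure check plus data-range checks on the purchaseOrder document."""
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", po.get("orderDate", "")):
        raise Reject("orderDate must be YYYY-MM-DD")
    ship = po.find("shipTo")
    if ship is None:
        raise Reject("shipTo missing")
    if ship.get("country") not in {"US", "CA"}:
        raise Reject("shipTo/country outside served countries")
    for child in ("name", "street", "city", "state", "zip"):
        if not (ship.findtext(child) or "").strip():
            raise Reject(f"shipTo/{child} missing or empty")
    if not re.fullmatch(r"\d{5}", ship.findtext("zip")):
        raise Reject("zip must be five digits")
    qty = po.findtext("quantity")
    if qty is not None and (not qty.isdigit() or not 1 <= int(qty) <= 1000):
        raise Reject("quantity outside 1..1000")


def inspect_message(raw: bytes, client: str) -> dict:
    """Run the flow; return a routing decision or raise Reject with the reason."""
    if len(raw) > MAX_BYTES:
        raise Reject("message exceeds size limit")
    for name, sig in SIGNATURES.items():
        if sig.search(raw):
            raise Reject(f"signature fired: {name}")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as e:
        raise Reject(f"not well-formed XML: {e}")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise Reject("SOAP Body must carry exactly one operation element")
    op = body[0]
    operation = localname(op.tag)
    version = op.get("version", "1")          # service versioning: pick the back end by version
    if operation not in ALLOWED.get(client, set()):
        raise Reject(f"{client} not authorized for {operation}")
    if operation == "purchaseOrder":
        validate_purchase_order(op)
    queue = ROUTES.get((operation, version))
    if queue is None:
        raise Reject(f"no route for {operation} v{version}")
    return {"client": client, "operation": operation, "version": version, "route": queue}


def envelope(body_xml: str) -> bytes:
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>{body_xml}'
            f'</soap:Body></soap:Envelope>').encode("utf-8")


GOOD_PO = envelope('<purchaseOrder orderDate="1999-10-20" version="2"><shipTo country="US">'
                   '<name>Alice Smith</name><street>123 Maple Street</street>'
                   '<city>Mill Valley</city><state>CA</state><zip>90952</zip></shipTo>'
                   '<quantity>3</quantity></purchaseOrder>')


def run_samples() -> dict:
    """Constructed traffic: a clean order, an XXE attempt, a bad zip, an unauthorized call."""
    xxe = b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]>' + GOOD_PO
    bad_zip = GOOD_PO.replace(b"<zip>90952</zip>", b"<zip>9095</zip>")
    status = envelope("<orderStatus><orderId>42</orderId></orderStatus>")
    out = {}
    for label, raw in [("good", GOOD_PO), ("xxe", xxe), ("bad_zip", bad_zip), ("unauthorized", status)]:
        try:
            out[label] = inspect_message(raw, "partner-acme")
        except Reject as r:
            out[label] = str(r)
    return out


if __name__ == "__main__":
    for label, result in run_samples().items():
        print(label, "->", result)
```

The order of the checks is the security-relevant part: size and byte-level signatures run before the parser, structure before data ranges, and the authorization rule before any operation-specific validation, so an unauthorized client learns nothing about which fields the service validates.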
AON components

• AON blades
• AMC (AON Management Console): used for configuring and provisioning AON modules
• ADS (AON Design Studio): used for developing application policies ("flows")
• Log DB

Access controls

• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, in the AON components, and through AON access controls
Summary

• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  Combining layer 3/4 and layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection, content-level ACLs
  Reasonable administrative access controls

Q and A

Session 11657_09_2005_c1
7copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature (for strong authentication)
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
8copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
LimitedSTA (Secure Transport
Architecture)mdashCustom
Varies for each environment
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
9copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Reliabilitybull Reliable Delivery
Manageabilitybull Message and Transaction-Level Logging
bull Transaction Monitoring
Targeted Servicebull Service Versioning (allows multiple versions of single service
to run simultaneously)
bull MessageContent-Based Routing (routes messages based on contents andor business rules)
10copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Reliability and Manageability Functionshellip
AON Reliability Function
External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional Authentication
Custom written with limited capabilities
bull WebMethods specific Requires significant setup effort
Custom written with limited capabilities
Custom written with limited capabilities
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco Services
AON Manageability Function
External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional Authentication
Custom written by each app
WebMethods specific
Custom written by each app Limited
Monitoring (Transaction level)
Custom written by each application
bull Webmethods specific
bull Limited to WM transactions
Custom written by each application
Custom written andor Producttechnology
specific
11copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Targeted Service Functionshellip
AON TARGETED SERVICE FUNCTION
External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional Authentication
Custom written with limited capabilities
Custom written with limited capabilities
Custom written with limited capabilities
Custom written with limited capabilities
MessageContent-Based Routing
Custom written with limited capabilities
bull WebMethods specific
bull Limited to WebMethods transactions
Custom written by each application
Custom written andor Producttechnology
specific
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco Services
12copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Features Deployed within Cisco IT
The Goal is to Have AON Play the Role of Services Management BrokerGateway and Pass the Single Virtual Gateway for all Web and B2B Services Below is a List of Important Features of Which Many Have Been Formalized as Requirements
bull Authentication
bull Monitoring
bull Service Versioning
bull Encryption and Digital Signatures
bull Message-level Load Balancing and Distribution
bull Logging
bull Message and Content-Based Routing
bull Protocol Translation
bull Secure Tunneling across Firewall
bull Contracts
bull Billing

Before AON: Current Location of Application and Service Support Utilities
[Diagram: DMZ and Application layer separated by firewalls; External Env 1, External Env 2 and B2B each front their own Internal DB. Each environment carries its own copy of the utilities:]
• Environment/Technology specific: Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/Application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning

After AON: Future Location of Application and Service Support Utilities
[Diagram: DMZ and Application layer separated by firewalls; AON blades host the common utilities in front of the business logic (Java, PERL, B2B) and the Internal DBs.]
Common utilities moved into AON:
• SSL Termination
• SIG/Cert Validation
• Authentication
• Logging
• Content-based Routing
• Protocol Conversion
• Payload Encryption
• Payload Decryption
• Schema Validation

Who Would Benefit From AON
Service Developers
• Reduces development lifecycle
• Builds on existing services
Business
• Time-to-market
• Lower development and maintenance cost
Information Security
• Simpler security model
• Better visibility
Infrastructure
• Reduced complexity
• Better visibility
Enterprise Architects

Cisco IT Recommended AON Architecture
[Diagram: Firewall / DMZ / Firewall / App Server Layer. Clients reach the AON cluster in the DMZ over HTTP(S); AON clusters are linked over AONSP and carry HTTP(S) and JMS traffic to App1, Svc2, Svc3, the Gateway, the JMS Server and an App Dir Svc.]
Function groups shown on the diagram, in traffic order:
• SSL Termination, DSIG/Cert Validation, Authentication, logging, etc…
• Payload Decryption, Schema Validation, Content Inspection/Routing, logging
• Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging
• Payload Encryption, DSIG, logging, etc…

Before AON: Transformation and Mapping
[Diagram: a Messaging Bus connects Back End Systems/Packages/Databases, a Proxy Web Service (JMS Lib) with Transformation/Mapping, an Automated BP in Internal Env 1 (JMS Lib, Adaptor, OCM, JDBC), Custom Applications in Internal Env 2 (JMS Lib, JDBC), HTTP/SQL Web Services, External Env 1 over SOAP/HTTP(s), and the Internal DBs.]

After AON: Phase I
[Diagram: the same Messaging Bus layout as the previous slide, with two AON blades replacing the Proxy Web Service in front of External Env 1; Transformation/Mapping and the Automated BP (JMS Lib, Adaptor, OCM, JDBC) remain.]
AON blades replace proxy Web services on External Env 1.

After AON: Phase II
[Diagram: Back End Systems/Packages/Databases, Internal DBs and HTTP/SQL Web Services behind an "AON with Transformation/Mapping" layer reached over SOAP/HTTP(s).]
AON blades could also replace the business process and transformation engine by providing transformation/mapping capabilities in addition to the proxy Web service layer (Phase 2).

Using AON vs. B2B Gateway
[Diagram: Customers and Partners on the Internet send SOAP/HTTP(S), XML/HTTP(S), RNIF, EDI/AS2 and Flat File/HTTP(S) traffic; inside the Enterprise Network it lands either on the Legacy B2B Gateway or on Distributed Enterprise Services.]

Protocol Relationships
Web Services Protocol Set:
• TCP/IP
• HTTP
• SOAP
• WS-Security, carrying XML-Digital Signature (DSIG) and XML-Encryption (XENC)
• AON Service Broker
Out-of-band exchange: WSDL and UDDI

What Role Does AON Play in SOA
• Service Broker
  - Application-Level Message Routing
  - Application/Service Security
  - Application-Level Monitoring
  - Service Abstraction
  - Protocol Translation
  - Transformation and Mapping
• Message Schema Validation

What Role Does AON Play in Application Integration
Application Integration
• Protocol Translation
• Transformation and Mapping
• Message Schema and Data Validation

Cisco IT AON Production Intangible Benefits
• Faster time to delivery by reducing development lifecycle
• Better security made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements by individual applications
• Moving intelligence into the network

Cisco IT View of AON
An invisible message router/gateway in the network that routes, transforms, monitors, and authenticates/authorizes messages between end points.

How Can AON Be Invisible
An AON node resides in the network as an inline, application-aware device. The device acts as an intelligent intermediary (gateway) that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications.

AON Modes of Operation
Transparent Mode: intercept with no change to applications.
[Diagram: Sending Application A sends to http://B/Service1; the Integrated Switch/AON Blade intercepts the traffic based on a WCCP re-direct ACL and forwards it to AON, which passes it on to Receiving Application B.]

AON Best Practices: A Cisco IT Perspective

Best Practices: Logical Diagram
[Diagram: Firewall / DMZ / Firewall / App Server Layer with AON clusters in each zone, linked over AONSP and logging to a Log DB. The clusters split the function groups: SSL Termination, DSIG/Cert Validation, Authentication, logging, etc…; Payload Decryption, Schema Validation, Content Inspection/Routing, logging; Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; Payload Encryption, DSIG, logging, etc…]
• Cluster AON blades based on functionality
• Identify common capabilities that span across multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties

Best Practices: Provisioning and Management
[Diagram: the same Firewall / DMZ / Firewall / App Server Layer layout with AON clusters, AONSP links and Log DB as on the previous slide.]
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention utilizing standard name spacing
• Implement isolation by sandboxing the development environment by project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes into account all of the above

Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com Integration (contacts, leads, etc…)

Q and A

Intermission
Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT

Security with AON
Brook Schoenfield, Senior Security Architect, CSPO

Agenda
• Where Does AON Fit into the Bigger Picture
  - What is Service Oriented Architecture (SOA)
  - What is Application Integration
• What is AON
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls

SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)

SOA Is Now
“By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects.”
Gartner, Inc., “The Hype Is Right: Web Services Will Deliver Immediate Benefits,” October 2001
This is FYQ06: enterprises are looking for that 30% gain.

AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become “part of the network”

Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions

Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc…)

Complexity (and Risk) Increase with Adoption
[Diagram: Partner 1, Partner 2 … Partner n connected to the Self-Service, Inventory Mgmt and Call Center services.]

Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
  - Not everyone will be served
  - Inspect, validate and authenticate requests
• The code's internal state is not openly exposed
  - Only well defined requests are serviced
  - Requests do not reveal the service's algorithms
  - Requests do not describe the service's state
  - Requests provide services, not data access
• Services should not share ACID transactions
  - Transactions imply a certain level of trust
  - Locks may be held for a long time
  - Transactions imply a level of coupling
(Microsoft Incorporated)

Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls

What Role Does AON Play
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator

AON and the OSI Stack
• Application: Message Level Protocol (SOAP)
• Presentation: ASCII, MPEG, GIF, etc…
• Session: RPC, NFS
• Transport: TCP, UDP
• Network: IP Logical Addressing
• Data Link: Data Translation to Frames
• Physical: Data Bits Transmission
AON operates at the upper layers: Content-Based Routing; Content Inspection, Transformation, Security & Mapping.

Pre-AON Inspection and Operation
IP | TCP | HTTP | Payload (opaque)
Switches, routers, firewalls and “content inspection” operate around the payload.

AON Is Inside the TCP/IP Wrapper
IP | TCP | HTTP (Http://www) | Payload/Message
Session protocol + content inspection == session and payload.
Payload/Message:
  <?xml version="1.0"?>
  <purchaseOrder orderDate="1999-10-20">
    <shipTo country="US">
      <name>Alice Smith</name>
      <street>123 Maple Street</street>
      <city>Mill Valley</city>
      <state>CA</state>
      <zip>90952</zip>
    </shipTo>
    …
Optimized for XML payloads.

AON == Message Content and Envelope
IP | TCP | HTTP | HTTP Envelope (SOAP) | Messages (XML envelope standards + custom XML) == “Deep Inspection”
SOAP/WSEC over HTTP (Http://www); HTTP | XML Message Body
Existing message bodies + custom parsing

Why XML
• TCP/IP gives you network HW independence
• JAVA gives you platform independence (sort'a, kind'a; for the first few years it was “write once, debug everywhere”)
• XML gives you data independence
• Ubiquitous adoption

AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital Signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)

These AON Security Functions… Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Encryption using SSL V3 with bi-directional authentication | Limited | • WebMethods specific; • Requires significant setup effort | Limited | Limited
XML Payload Encryption | Custom written by each app using Java libraries; limited | Custom written by each app; limited
Protocol Translation | Custom written by each application | • WebMethods specific; • Limited to WebMethods transactions; • Interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital Signature | Custom written by each app using Java libraries; limited | Custom written by each app; limited
DMZ-2-App Layer Secure Connector | mod_IIOP over SSH pipes | Reverse Proxy | STA (Secure Transport Architecture), custom | Varies for each environment

Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls

AON Security
• AON fosters a better network security architecture because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e., layer 7 security implemented in the network device)
• Common and consistent implementation of security functions
  - Digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation

Pre-AON Web Security Architecture
[Diagram: DMZ and Application Layer separated by firewalls; Web servers (WS) in the DMZ in front of the business logic (Java, PERL, B2B) and the Internal DBs.]

Pre-AON SOA/Web Services Security Architecture
[Diagram: as on the previous slide, with a Web services gateway (WSGW) added.]

Pre-AON Attack Vectors
[Diagram: DMZ and Application Layer separated by firewalls; Web servers (WS) and a Web services gateway (WSGW) in front of the business logic (Java, PERL, B2B) and the Internal DBs.]
• Net architecture must be changed for the GW (more switches and routers = more ACLs to manage)
• The GW is NOT part of the network: a compromise at layer 3/4 can attack the application layer, going around the GW

A Possible (Simplified) AON Architecture
[Diagram: DMZ and Application Layer separated by firewalls; AON sits in front of the Web servers (WS), the business logic (Java, PERL, B2B) and the Internal DBs.]
• AON is part of the network: the app layer is directly connected to the network device
• Message protection is terminated at AON: no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries

AON Potential Architecture
[Diagram: Firewall / DMZ / Firewall / App Server layer; AON clusters linked over AONSP carry HTTP(S) and JMS traffic to App1, Svc2, Svc3, the Gateway, the JMS Server and an App Dir Svc. Function groups: SSL Termination, DSIG/Cert Validation, Authentication, logging, etc…; Payload Decryption, Schema Validation, Content Inspection/Routing, logging; Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; Payload Encryption, DSIG, logging, etc…]
• Replace Web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer provided by AON protect services and logic in the application layer

Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: “For application developers, not by application developers”
• AON provides common and consistent implementations of message-level security functions

Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC)
• Authentication (HTTP BASIC, LDAP stores, X-509 Certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)

Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantic for
  - XML-Signature (DSIG) == digital signature use
  - XML-Encryption (XENC) == encrypt/decrypt use
  - Authenticators
• + More standards proposed: alphabet soup
  - Web Services Description Language (WSDL)
  - Universal Description, Discovery and Integration (UDDI)
  - Web Services Flow Language (WSFL)
  - Other business rules (BPEL4WS)

AON Implements Messaging Standards
XML Protocol Set:
• XML-Encryption (XENC)
• XML-Digital Signature (DSIG)
• XML-Expressions (XSLT)
Stack: TCP/IP, HTTP, SOAP, WS-Security
AON: Security Integrator for SOA

Standards Relationships
XML Protocol Set:
• XML-Encryption (XENC)
• XML-Digital Signature (DSIG)
• XML-Expressions (XSLT)
Stack: TCP/IP, HTTP, SOAP, WS-Security
AON: Accelerated XML Services

Digital Signatures (X509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used on the entire message or for parts of a message; use certificate or key enveloping (WSSEC); DSIG is very general purpose

Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message

Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (Directory) stores
• Different types of credentials
  - X-509 Certificate
  - Signature validation (XENC, certificate based)

Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general purpose mechanism for controlling message access and routing

Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java “bladelets” code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance, the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out-of-the-box)
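As an added example (not code from the slides, and not AON's own flow language), the Python below models one message-level "flow" over the purchaseOrder payload shown earlier: content signatures that raise an alarm and stop the message, a message-level ACL keyed on the authenticated principal, format and data-range validation, and a content-based route. The partner names, route destinations, signature patterns and size limit are all constructed for illustration.

```python
"""Hypothetical message-level 'flow' modelled on the AON security slides.
Added example for this page; not AON's flow engine. All names are assumptions."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the purchaseOrder payload from the "AON Is Inside the
# TCP/IP Wrapper" slide, completed into a well-formed document.
SAMPLE_PO = """<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>"""

# Message-level ACL ("flows can be used as message level ACLs"): which
# authenticated principal may submit which message type. Partner names are made up.
MESSAGE_ACL = {
    "partner-acme": {"purchaseOrder", "orderStatus"},
    "partner-beta": {"orderStatus"},
}

# Content-based routing keyed on shipTo/@country. Destinations are hypothetical.
ROUTES = {"US": "jms:orders.us", "CA": "jms:orders.na", "*": "jms:orders.intl"}

# Content "firewall signatures" (the slides note these do not come out-of-the-box):
# constructs that have no business in a purchase order.
SIGNATURES = {
    "dtd-present": re.compile(r"<!DOCTYPE", re.IGNORECASE),  # entity-expansion risk
    "script-tag": re.compile(r"<script\b", re.IGNORECASE),   # smuggled markup
}

REQUIRED_FIELDS = ("name", "street", "city", "state", "zip")
ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def run_flow(principal, raw_xml, max_bytes=64 * 1024):
    """Inspect one message; return {'action': 'forward', 'route': ...} or
    {'action': 'block', 'reasons': [...]} plus any 'alarms' the signatures raised."""
    reasons, alarms = [], []

    # Cheap checks first, before any parser touches the payload.
    if len(raw_xml.encode()) > max_bytes:
        return {"action": "block", "reasons": ["payload exceeds size limit"], "alarms": alarms}
    for sig_name, pattern in SIGNATURES.items():
        if pattern.search(raw_xml):
            alarms.append(sig_name)          # content IDS: raise the alarm ...
    if alarms:                               # ... and firewall: stop the message
        return {"action": "block", "reasons": ["signature match"], "alarms": alarms}

    try:
        root = ET.fromstring(raw_xml)
    except ET.ParseError as exc:
        return {"action": "block", "reasons": [f"malformed XML: {exc}"], "alarms": alarms}

    # Authorization rule: the principal must be allowed to send this message type.
    if root.tag not in MESSAGE_ACL.get(principal, set()):
        reasons.append(f"{principal!r} not authorized for <{root.tag}>")

    # Format validation: only well-defined requests are serviced.
    ship_to = root.find("shipTo")
    if ship_to is None:
        reasons.append("missing <shipTo>")
    else:
        for tag in REQUIRED_FIELDS:
            if ship_to.findtext(tag) is None:
                reasons.append(f"missing <{tag}>")

    # Data-range validation: narrow each field to what the service accepts.
    if not ISO_DATE.match(root.get("orderDate", "")):
        reasons.append("orderDate is not YYYY-MM-DD")
    if ship_to is not None:
        if not re.fullmatch(r"\d{5}", ship_to.findtext("zip") or ""):
            reasons.append("zip must be 5 digits")
        if not re.fullmatch(r"[A-Z]{2}", ship_to.findtext("state") or ""):
            reasons.append("state must be two uppercase letters")

    if reasons:
        return {"action": "block", "reasons": reasons, "alarms": alarms}

    # Content-based routing: choose the destination from the message body.
    country = ship_to.get("country", "*")
    return {"action": "forward", "route": ROUTES.get(country, ROUTES["*"]), "alarms": alarms}


if __name__ == "__main__":
    print(run_flow("partner-acme", SAMPLE_PO))
    print(run_flow("partner-beta", SAMPLE_PO))
    bad_dtd = SAMPLE_PO.replace("?>", '?>\n<!DOCTYPE purchaseOrder [<!ENTITY a "x">]>', 1)
    print(run_flow("partner-acme", bad_dtd))
```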

AON Components
• AON blades
• AMC (AON Mgmt Console): used for configuring and provisioning AON modules
• ADS (AON Design Studio): used for developing application policies (“flows”)
• Log DB

Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, the AON component, and through AON access controls.

Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture
  - Combining Layer 3/4 and Layer 7+ security controls
  - Common security functions: signatures, encryption, PKI
  - Deep content inspection: content-level ACLs
  - Reasonable administrative access controls

Q and A
Session Number 11657_09_2005_c1
8copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
LimitedSTA (Secure Transport
Architecture)mdashCustom
Varies for each environment
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
9copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Reliabilitybull Reliable Delivery
Manageabilitybull Message and Transaction-Level Logging
bull Transaction Monitoring
Targeted Servicebull Service Versioning (allows multiple versions of single service
to run simultaneously)
bull MessageContent-Based Routing (routes messages based on contents andor business rules)
10copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Reliability and Manageability Functionshellip
AON Reliability Function
External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional Authentication
Custom written with limited capabilities
bull WebMethods specific Requires significant setup effort
Custom written with limited capabilities
Custom written with limited capabilities
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco Services
AON Manageability Function
External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional Authentication
Custom written by each app
WebMethods specific
Custom written by each app Limited
Monitoring (Transaction level)
Custom written by each application
bull Webmethods specific
bull Limited to WM transactions
Custom written by each application
Custom written andor Producttechnology
specific
11copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Targeted Service Functionshellip
AON TARGETED SERVICE FUNCTION
External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional Authentication
Custom written with limited capabilities
Custom written with limited capabilities
Custom written with limited capabilities
Custom written with limited capabilities
MessageContent-Based Routing
Custom written with limited capabilities
bull WebMethods specific
bull Limited to WebMethods transactions
Custom written by each application
Custom written andor Producttechnology
specific
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco Services
12copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Features Deployed within Cisco IT
The Goal is to Have AON Play the Role of Services Management BrokerGateway and Pass the Single Virtual Gateway for all Web and B2B Services Below is a List of Important Features of Which Many Have Been Formalized as Requirements
bull Authentication
bull Monitoring
bull Service Versioning
bull Encryption and Digital Signatures
bull Message-level Load Balancing and Distribution
bull Logging
bull Message and Content-Based Routing
bull Protocol Translation
bull Secure Tunneling across Firewall
bull Contracts
bull Billing
13copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
14copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
15copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Who Would Benefit From AON
Service Developersbull Reduces development lifecyclebull Builds on existing servicesBusinessbull Time-to-marketbull Lower development and maintenance costInformation Securitybull Simpler security modelbull Better visibilityInfrastructure bull Reduced complexitybull Better visibilityEnterprise Architects
16copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Recommended AON Architecture
FirewallDMZFirewall
HTTP(S)
App Server Layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Server
Slide 17: Before AON: Transformation and Mapping
[Diagram: a Messaging Bus connects Back End Systems/Packages/Databases, an Automated BP engine (Internal Env 1, JMS Lib, with Transformation/Mapping and an Adaptor), Custom Applications (Internal Env 2, JMS Lib, JDBC), OCM (JDBC) and the internal DBs. External Env 1 reaches the bus through a Proxy Web Service (JMS Lib) over SOAP/HTTP(S); Web Services use HTTP/SQL.]
Slide 18: After AON, Phase I
[Diagram: the same Messaging Bus topology as slide 17, with AON blades in place of the Proxy Web Service; the Automated BP engine keeps Transformation/Mapping and the Adaptor; Custom Applications and OCM are unchanged.]
AON blades replace the proxy Web Services on External Env 1.
Slide 19: After AON, Phase II
[Diagram: Back End Systems/Packages/Databases and the internal DBs, reached over SOAP/HTTP(S) and HTTP/SQL Web Services, with AON (now including Transformation/Mapping) in front.]
AON blades could also replace the business process and transformation engine by providing transformation/mapping capabilities in addition to the proxy Web Service layer (Phase 2).
Slide 21: Using AON vs. B2B Gateway
[Diagram: Customers and Partners on the Internet reach the Enterprise Network over SOAP/HTTP(S), XML/HTTP(S), RNIF, EDI/AS2 and Flat File/HTTP(S). Inside the Enterprise Network sit the Legacy B2B Gateway and the Distributed Enterprise Services.]
Slide 22: Protocol Relationships
[Diagram: the Web Services protocol set as a stack: TCP/IP, HTTP, SOAP, WS-Security, with XML-Digital Signature (DSIG) and XML-Encryption (XENC) alongside. AON acts as Service Broker; WSDL and UDDI are exchanged out of band.]
Slide 23: What Role Does AON Play in SOA?
• Service Broker
  - Application-Level Message Routing
  - Application/Service Security
  - Application-Level Monitoring
  - Service Abstraction
  - Protocol Translation
  - Transformation and Mapping
• Message Schema Validation
Slide 24: What Role Does AON Play in Application Integration?
Application Integration
• Protocol Translation
• Transformation and Mapping
• Message Schema and Data Validation
Slide 25: Cisco IT AON Production: Intangible Benefits
• Faster time to delivery by reducing the development lifecycle
• Better security, made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements by individual applications
• Moving intelligence into the network
Slide 26: Cisco IT View of AON
An invisible message router/gateway in the network that routes, transforms, monitors, and authenticates/authorizes messages between end points.
Slide 27: How Can AON Be Invisible?
An AON node resides in the network as an inline, application-aware device. The device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications.
Slide 28: AON Modes of Operation
Transparent Mode: intercept with no change to applications.
[Diagram: Sending Application A sends to http://B/Service1. The integrated switch/AON blade, based on a WCCP redirect ACL, intercepts the traffic and forwards it to AON before it reaches Receiving Application B.]
Slide 29: AON Best Practices: A Cisco IT Perspective
Slide 30: Best Practices: Logical Diagram
[Diagram: Firewall | DMZ | Firewall | App Server Layer with nine AON blades grouped into clusters, inter-cluster links labelled AONP(S), a Log DB, and the same four function groups as slide 16: SSL termination, DSIG/Cert validation, authentication, logging; payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP-2-JMS), content-based routing, logging; payload encryption, DSIG, logging.]
• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties
Slide 31: Best Practices: Provisioning and Management
[Diagram: the same cluster layout, AONP(S) links, Log DB and function groups as slide 30.]
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention utilizing standard name spacing
• Implement isolation by sandboxing the development environment per project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes all of the above into account
Slide 32: Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com Integration (contacts, leads, etc.)
Slide 33: Q and A

Slide 34: Intermission
Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT
Slide 35: Security with AON
Brook Schoenfield, Senior Security Architect, CSPO
Slide 36/37: Agenda
• Where Does AON Fit into the Bigger Picture?
  - What is Service Oriented Architecture (SOA)?
  - What is Application Integration?
• What is AON?
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls
Slide 38: SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)
Slide 39: SOA Is Now
"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects."
Gartner Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001
This is FYQ06: enterprises are looking for that 30% gain.
Slide 40: AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"
Slide 41: Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business-process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions
Slide 42: Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)
Slide 43: Complexity (and Risk) Increase with Adoption
[Diagram: Partner 1, Partner 2 … Partner n, Self-Service, Inventory Mgmt and Call Center shown as interconnected consumers of the same services.]
Slide 44: Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
The code's internal state is not openly exposed:
• Only well-defined requests are serviced
• Requests do not reveal the service's algorithms
• Requests do not describe the service's state
• Requests provide services, not data access
Services should not share ACID transactions:
• Transactions imply a certain level of trust
• Locks may be held for a long time
• Transactions imply a level of coupling (Microsoft Incorporated)
Slide 45: Agenda
• Where Does AON Fit into the Bigger Picture?
• What is AON?
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls
Slide 46: What Role Does AON Play?
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator
Slide 47: AON and the OSI Stack
• Application: Message Level Protocol (SOAP). AON functions at this layer: Content-Based Routing; Content Inspection, Transformation, Security & Mapping
• Presentation: ASCII, MPEG, GIF, etc.
• Session: RPC, NFS
• Transport: TCP, UDP
• Network: IP Logical Addressing
• Data Link: Data Translation to Frames
• Physical: Data Bits Transmission
Slide 48: Pre-AON Inspection and Operation
[Diagram: IP | TCP | HTTP headers with the payload marked Opaque.]
Switches, routers, firewalls and "content inspection" operate around the payload.
Slide 49/50: AON Is Inside the TCP/IP Wrapper
[Diagram: IP | TCP | HTTP | Payload/Message. Session protocol + content inspection == session and payload.]
Example payload/message:
<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  …
Optimized for XML payloads.
Slide 51: AON == Message Content and Envelope
[Diagram: IP | TCP | HTTP | XML Message Body. HTTP envelope (SOAP) + messages (XML envelope standards + custom XML) == "deep inspection": existing message bodies (SOAP, WSEC) + custom parsing.]
Slide 52: Why XML?
• TCP/IP gives you network HW independence
• Java gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
Slide 53: AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital Signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)
Slide 54: These AON Security Functions…
…are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco external-facing services.

AON Security Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Encryption using SSL V3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited
XML Payload Encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
Protocol Translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital Signature | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
DMZ-2-App Layer Secure Connector | mod_IIOP over SSH pipes | Reverse Proxy | STA (Secure Transport Architecture), custom | Varies for each environment
Slide 55: Before AON: Current Location of Application and Service Support Utilities
[Diagram (same as slide 13): DMZ and application layer separated by firewalls. External Env 1, External Env 2 and B2B each carry their own copy of both sets of utilities, in front of the internal DBs.]
• Environment/Technology-specific: Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/Application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning
Slide 56: After AON: Future Location of Application and Service Support Utilities
[Diagram (same as slide 14): common utilities on AON blades in the DMZ; business logic (Java, PERL, B2B) and the internal DBs behind them.]
Common utilities hosted on AON: SSL Termination; Sig/Cert Validation; Authentication; Logging; Content-based Routing; Protocol Conversion; Payload Encryption; Payload Decryption; Schema Validation
Slide 57: Agenda
• Where Does AON Fit into the Bigger Picture?
• What is AON?
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls
Slide 58: AON Security
• AON fosters a better network security architecture because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e., layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59: Pre-AON Web Security Architecture
[Diagram: Firewall | DMZ (Web Servers: WS, WS, WS) | Firewall | Application Layer (Business Logic: Java, PERL, B2B) | internal DBs.]
Slide 60: Pre-AON SOA/Web Services Security Architecture
[Diagram: the slide 59 architecture with a Web Services gateway (WSGW) added on the application-layer side.]
Slide 61/62: Pre-AON Attack Vectors
[Diagram: the slide 60 architecture (Web Servers in the DMZ, Business Logic in the application layer, WSGW, internal DBs) annotated with the two call-outs below.]
• Net architecture must be changed for the GW (more switches and routers = more ACLs to manage)
• The GW is NOT part of the network: a compromise at layer 3/4 can attack the application layer, going around the GW
Slide 63: A Possible (Simplified) AON Architecture
[Diagram: Firewall | DMZ (Web Servers) | Firewall | Application Layer (Business Logic: Java, PERL, B2B) | internal DBs, with AON blades in place of the WSGW.]
• AON is part of the network: the app layer is directly connected to the network device
• Message protection is terminated at AON: no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64/65: AON Potential Architecture
[Diagram: the same Firewall | DMZ | Firewall | App Server Layer layout as slide 16: nine AON blades in clusters, HTTP(S) into the DMZ cluster, AONP(S) between clusters, HTTP(S) and JMS to App1, Svc2, Svc3, the Gateway, the App Dir Svc and the JMS Server, with the same four function groups annotated.]
Web servers == AON; common application functions == AON
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer, provided by AON, protect the services and logic in the application layer
Slide 66: Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions
Slide 67: Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC)
• Authentication (HTTP BASIC, LDAP stores, X.509 Certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68: Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantic for
  - XML-Signature (DSIG) == digital signature use
  - XML-Encryption (XENC) == encrypt/decrypt use
  - Authenticators
• + More standards proposed (alphabet soup)
  - Web Services Description Language (WSDL)
  - Universal Description, Discovery and Integration (UDDI)
  - Web Services Flow Language (WSFL)
  - Other business rules (BPEL4WS)
Slide 69: AON Implements Messaging Standards
[Diagram: the XML protocol set as a stack: TCP/IP, HTTP, SOAP, WS-Security, with XML-Encryption (XENC), XML-Digital Signature (DSIG) and XML-Expressions (XSLT) alongside. AON is the Security Integrator for the SOA.]

Slide 70: Standards Relationships
[Diagram: the same XML protocol stack as slide 69; AON provides Accelerated XML Services.]
Slide 71: Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used on the entire message or for parts of a message; uses certificate or key enveloping (WSSEC); DSIG is very general purpose
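An added example, not AON's implementation, of what "entire message or parts of a message" means in practice: only the elements the sender vouches for are canonicalised and digested, the digests are collected in a SignedInfo element, and one signature covers SignedInfo, so a change to a signed part is detected while unsigned parts may still be edited by intermediaries. It uses xml.etree's C14N 2.0 canonicaliser (XML-Signature itself specifies C14N 1.x) and an HMAC-SHA256 signature method (XML-Signature defines HMAC as a SignatureMethod) keyed with a shared secret, where the X.509 deployment on the slide would sign with a private key. The purchase order is the deck's own sample; the key and the Id attributes are constructed.

```python
"""Sign and verify selected parts of an XML message (added example, not AON code).

Simplifications relative to real XML-Signature: C14N 2.0 from xml.etree instead of
C14N 1.x, an HMAC-SHA256 SignatureMethod with a constructed shared key instead of
an X.509 keypair, and plain element names instead of the ds: namespace.
"""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-demo-key-do-not-reuse"   # constructed shared secret

# The deck's purchaseOrder sample, with a constructed Id attribute on the part
# to be signed and an unsigned <comment> that intermediaries may edit.
PURCHASE_ORDER = b"""<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo Id="shipTo" country="US">
    <name>Alice Smith</name><street>123 Maple Street</street>
    <city>Mill Valley</city><state>CA</state><zip>90952</zip>
  </shipTo>
  <comment>Leave at door</comment>
</purchaseOrder>"""


def _digest(elem) -> str:
    """Base64(SHA-256(C14N(elem))). The element's tail text is not part of it."""
    node = copy.deepcopy(elem)
    node.tail = None
    c14n = ET.canonicalize(ET.tostring(node, encoding="unicode"), strip_text=True)
    return base64.b64encode(hashlib.sha256(c14n.encode()).digest()).decode()


def sign_parts(doc: bytes, part_ids, key: bytes = KEY) -> bytes:
    """Append a <Signature> covering exactly the elements whose Id is in part_ids."""
    root = ET.fromstring(doc)
    targets = {e.get("Id"): e for e in root.iter() if e.get("Id") in part_ids}
    missing = set(part_ids) - set(targets)
    if missing:
        raise ValueError(f"parts not found: {sorted(missing)}")
    sig = ET.SubElement(root, "Signature")
    info = ET.SubElement(sig, "SignedInfo")
    for pid in part_ids:                       # one Reference per signed part
        ref = ET.SubElement(info, "Reference", URI="#" + pid)
        ET.SubElement(ref, "DigestValue").text = _digest(targets[pid])
    mac = hmac.new(key, _digest(info).encode(), hashlib.sha256).digest()
    ET.SubElement(sig, "SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root)


def verify_parts(doc: bytes, key: bytes = KEY) -> dict:
    """Check the signature over SignedInfo, then every referenced part's digest."""
    root = ET.fromstring(doc)
    sig = root.find("Signature")
    if sig is None:
        return {"valid": False, "reason": "no Signature element"}
    info = sig.find("SignedInfo")
    expected = hmac.new(key, _digest(info).encode(), hashlib.sha256).digest()
    try:
        got = base64.b64decode(sig.findtext("SignatureValue") or "")
    except ValueError:
        got = b""
    if not hmac.compare_digest(expected, got):
        return {"valid": False, "reason": "SignedInfo signature mismatch"}
    by_id = {e.get("Id"): e for e in root.iter() if e.get("Id")}
    signed = []
    for ref in info.findall("Reference"):
        pid = (ref.get("URI") or "").lstrip("#")
        elem = by_id.get(pid)
        if elem is None or _digest(elem) != ref.findtext("DigestValue"):
            return {"valid": False, "reason": f"part {pid!r} missing or modified"}
        signed.append(pid)
    return {"valid": True, "signed": signed}


if __name__ == "__main__":
    signed = sign_parts(PURCHASE_ORDER, ["shipTo"])
    print(verify_parts(signed))
    print(verify_parts(signed.replace(b"<zip>90952</zip>", b"<zip>00000</zip>")))
    print(verify_parts(signed.replace(b"Leave at door", b"Ring the bell")))
```

Verification checks SignedInfo first, so a forged or wrong-key signature is rejected before any part is examined; a modified signed part then fails its digest comparison, while the unsigned comment can change freely, which is the property that makes partial signing useful when a gateway legitimately rewrites other parts of the message.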
Slide 72: Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Slide 73: Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (Directory) stores
• Different types of credentials: X.509 Certificate
• Signature validation (XENC, certificate based)
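As an added example (not AON's code) of the "SOAP enveloped (header)" credential type listed above: a verifier for a WS-Security UsernameToken whose password travels as a PasswordDigest, with the freshness and replay checks a gateway needs before it consults the credential store. The digest rule is the OASIS UsernameToken Profile's, Base64(SHA-1(nonce + created + password)) over the decoded nonce bytes; the password table (standing in for the enterprise LDAP store), the fixed clock, the five-minute window and the sample envelope are constructed assumptions.

```python
"""Verify a WS-Security UsernameToken in a SOAP header (added example, not AON code)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
MAX_SKEW = timedelta(minutes=5)   # assumption: freshness window around wsu:Created

# Constructed credential store; a deployment would consult the enterprise LDAP directory.
PASSWORDS = {"alice": "correct horse battery staple"}


def _parse_utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """PasswordDigest per the UsernameToken Profile: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


class UsernameTokenVerifier:
    def __init__(self, passwords, now: str = None):
        self.passwords = passwords
        self.now = now            # fixed clock (ISO string) for tests; None means wall clock
        self.seen_nonces = set()  # replay cache; a real gateway shares this across blades

    def verify(self, envelope: bytes) -> tuple:
        """Return (True, username) on success, else (False, reason)."""
        try:
            root = ET.fromstring(envelope)
        except ET.ParseError as exc:
            return False, f"malformed envelope: {exc}"
        token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
        if token is None:
            return False, "no UsernameToken"
        user = token.findtext("wsse:Username", default="", namespaces=NS)
        pw = token.find("wsse:Password", NS)
        nonce = token.findtext("wsse:Nonce", default="", namespaces=NS).strip()
        created = token.findtext("wsu:Created", default="", namespaces=NS).strip()
        if pw is None or pw.get("Type") != DIGEST_TYPE:
            return False, "only PasswordDigest is accepted"   # refuse clear-text PasswordText
        if not (nonce and created):
            return False, "nonce and Created are required"
        try:
            created_at = _parse_utc(created)
        except ValueError:
            return False, "bad Created timestamp"
        now = _parse_utc(self.now) if self.now else datetime.now(timezone.utc)
        if abs(now - created_at) > MAX_SKEW:
            return False, "Created outside freshness window"
        if nonce in self.seen_nonces:
            return False, "replayed nonce"
        password = self.passwords.get(user)
        if password is None:
            return False, "unknown user"
        expected = password_digest(nonce, created, password)
        if not hmac.compare_digest(expected, (pw.text or "").strip()):
            return False, "digest mismatch"
        self.seen_nonces.add(nonce)
        return True, user


def build_envelope(user: str, password: str, nonce_bytes: bytes, created: str) -> bytes:
    """Constructed client side: an envelope carrying a UsernameToken for the request."""
    nonce_b64 = base64.b64encode(nonce_bytes).decode()
    digest = password_digest(nonce_b64, created, password)
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
      <wsse:UsernameToken>
        <wsse:Username>{user}</wsse:Username>
        <wsse:Password Type="{DIGEST_TYPE}">{digest}</wsse:Password>
        <wsse:Nonce>{nonce_b64}</wsse:Nonce>
        <wsu:Created>{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><orderStatus orderId="example-1"/></soap:Body>
</soap:Envelope>""".encode()


if __name__ == "__main__":
    v = UsernameTokenVerifier(PASSWORDS, now="2005-09-01T12:00:00Z")
    env = build_envelope("alice", PASSWORDS["alice"], b"\x01\x02\x03\x04\x05\x06\x07\x08",
                         "2005-09-01T11:59:30Z")
    print(v.verify(env))   # first use is accepted
    print(v.verify(env))   # same nonce again is rejected as a replay
```

The order of the checks matters: the clear-text PasswordText variant is refused outright, the Created timestamp is bounded before the nonce cache is consulted (so the cache only needs to remember nonces inside the window), and the digest is compared with a constant-time function after the user lookup.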
Slide 74: Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general purpose mechanism for controlling message access and routing
Slide 75: Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelet" code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out-of-the-box)
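Slides 74 and 75 describe a flow acting as a message-level ACL (format validation, data-range checks, authorization rules) and content-inspection signatures that either raise an alarm or stop the flow. The following is an added example written for this page, not AON or Cisco code: it runs that pipeline over the deck's own purchaseOrder sample with only the Python standard library. The subjects, the allowed-operation table, the size and depth limits and the two signatures are constructed assumptions, not AON configuration; the DOCTYPE signature blocks because entity declarations are the usual way to make an XML parser expand or fetch content the message body should never reference.

```python
"""Message-level flow: signatures, format, data ranges and authorization (added example)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

MAX_BYTES = 64 * 1024   # assumption: size ceiling for one message
MAX_DEPTH = 32          # assumption: nesting ceiling against deeply nested payloads

# Authorization rule: which authenticated subject may invoke which operation
# (the operation is the root element). Constructed policy, not an AON flow.
ALLOWED_OPERATIONS = {
    "partner-alpha": {"purchaseOrder", "orderStatus"},
    "self-service": {"orderStatus"},
}

# Content-inspection signatures: (name, pattern, action). "alarm" records an
# event and lets the message through (content IDS); "block" stops the flow.
SIGNATURES = [
    ("xml-doctype", re.compile(rb"<!DOCTYPE", re.I), "block"),
    ("script-tag", re.compile(rb"<script\b", re.I), "alarm"),
]


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    alarms: list = field(default_factory=list)


def _depth(elem, level=1):
    return max([level] + [_depth(child, level + 1) for child in elem])


def _validate_purchase_order(root, decision):
    """Format and data-range rules for purchaseOrder (constructed rules)."""
    ship_to = root.find("shipTo")
    if ship_to is None:
        decision.reasons.append("format: missing shipTo")
        return
    for tag in ("name", "street", "city", "state", "zip"):
        if not (ship_to.findtext(tag) or "").strip():
            decision.reasons.append(f"format: missing shipTo/{tag}")
    if not re.fullmatch(r"\d{5}", (ship_to.findtext("zip") or "").strip()):
        decision.reasons.append("range: zip must be five digits")
    if ship_to.get("country") != "US":
        decision.reasons.append("range: country must be US")
    for item in root.iter("item"):
        qty = (item.findtext("quantity") or "0").strip()
        if not qty.isdigit() or not 1 <= int(qty) <= 1000:
            decision.reasons.append(f"range: quantity {qty!r} outside 1..1000")


VALIDATORS = {"purchaseOrder": _validate_purchase_order}


def inspect_message(raw: bytes, subject: str) -> Decision:
    decision = Decision(allowed=False)
    # 1. Signatures and size run on the raw bytes, before any parsing.
    for name, pattern, action in SIGNATURES:
        if pattern.search(raw):
            if action == "block":
                decision.reasons.append(f"signature {name}: blocked")
                return decision
            decision.alarms.append(name)
    if len(raw) > MAX_BYTES:
        decision.reasons.append("size: message exceeds limit")
        return decision
    # 2. Well-formedness and nesting depth.
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        decision.reasons.append(f"format: not well-formed XML ({exc})")
        return decision
    if _depth(root) > MAX_DEPTH:
        decision.reasons.append("size: nesting too deep")
        return decision
    # 3. Authorization: may this subject invoke this operation at all?
    if root.tag not in ALLOWED_OPERATIONS.get(subject, set()):
        decision.reasons.append(f"authz: {subject!r} may not invoke {root.tag!r}")
        return decision
    # 4. Operation-specific format and data-range validation.
    validator = VALIDATORS.get(root.tag)
    if validator is not None:
        validator(root, decision)
    decision.allowed = not decision.reasons
    return decision


# The purchase order is the deck's sample; the variants are constructed.
PO_OK = b"""<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name><street>123 Maple Street</street>
    <city>Mill Valley</city><state>CA</state><zip>90952</zip>
  </shipTo>
  <items><item><quantity>2</quantity></item></items>
</purchaseOrder>"""
PO_BAD_RANGE = PO_OK.replace(b"<quantity>2<", b"<quantity>5000<").replace(b"90952", b"9095")
PO_DOCTYPE = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "b">]>'
              + PO_OK[len(b'<?xml version="1.0"?>'):])

if __name__ == "__main__":
    for label, doc, who in [("ok", PO_OK, "partner-alpha"),
                            ("bad-range", PO_BAD_RANGE, "partner-alpha"),
                            ("wrong-subject", PO_OK, "self-service"),
                            ("doctype", PO_DOCTYPE, "partner-alpha")]:
        d = inspect_message(doc, who)
        print(label, "ALLOW" if d.allowed else "DENY", d.reasons, d.alarms)
```

Two design points carry over to a real flow: blocking signatures and the size limit run on raw bytes so that nothing hostile reaches the parser, and authorization is decided on the operation name before any field-level validation, so a caller who may not invoke an operation learns nothing about its schema from the error.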
Slide 76: AON Components
[Diagram: AON blades with a Log DB, managed by AMC and fed policies from ADS.]
• AMC (AON Mgmt Console): used for configuring and provisioning AON modules
• ADS (AON Design Studio): used for developing application policies ("flows")
Slide 77: Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, the AON component, and through AON access controls.
Slide 78: Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture
  - Combining Layer 3/4 and Layer 7+ security controls
  - Common security functions: signatures, encryption, PKI
  - Deep content inspection, content-level ACLs
  - Reasonable administrative access controls
Slide 79: Q and A
Session Number 11657_09_2005_c1
Slide 9: AON Delivers the Following Support Utilities for Reliability, Manageability and Targeted Service
Reliability
• Reliable Delivery
Manageability
• Message and Transaction-Level Logging
• Transaction Monitoring
Targeted Service
• Service Versioning (allows multiple versions of a single service to run simultaneously)
• Message/Content-Based Routing (routes messages based on contents and/or business rules)
Slide 10: These AON Reliability and Manageability Functions…
…are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco services.

AON Reliability Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Encryption using SSL V3 with bi-directional authentication | Custom written with limited capabilities | WebMethods specific; requires significant setup effort | Custom written with limited capabilities | Custom written with limited capabilities

AON Manageability Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Encryption using SSL V3 with bi-directional authentication | Custom written by each app | WebMethods specific | Custom written by each app | Limited
Monitoring (transaction level) | Custom written by each application | WebMethods specific; limited to WM transactions | Custom written by each application | Custom written and/or product/technology specific
Slide 11: These AON Targeted Service Functions…
…are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco services.

AON Targeted Service Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Encryption using SSL V3 with bi-directional authentication | Custom written with limited capabilities | Custom written with limited capabilities | Custom written with limited capabilities | Custom written with limited capabilities
Message/Content-Based Routing | Custom written with limited capabilities | WebMethods specific; limited to WebMethods transactions | Custom written by each application | Custom written and/or product/technology specific
Slide 12: AON Features Deployed within Cisco IT
The goal is to have AON play the role of Services Management Broker/Gateway and serve as the single virtual gateway for all Web and B2B services. Below is a list of important features, many of which have been formalized as requirements.
• Authentication
• Monitoring
• Service Versioning
• Encryption and Digital Signatures
• Message-level Load Balancing and Distribution
• Logging
• Message and Content-Based Routing
• Protocol Translation
• Secure Tunneling across Firewall
• Contracts
• Billing
13copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
14copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
15copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Who Would Benefit From AON
Service Developersbull Reduces development lifecyclebull Builds on existing servicesBusinessbull Time-to-marketbull Lower development and maintenance costInformation Securitybull Simpler security modelbull Better visibilityInfrastructure bull Reduced complexitybull Better visibilityEnterprise Architects
16copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Recommended AON Architecture
FirewallDMZFirewall
HTTP(S)
App Server Layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Server
17copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Transformation and Mapping
Messaging B
us
Back End SystemsPackagesDatabases
Proxy Web Service
JMS LibTransformation
MappingAutomated BPInternal
Env 1JMS Lib
Adaptor
HTTPSQL
Web Services
OCM
JDBC
Custom ApplicationsInternal
Env 2JMS Lib
JDBC
ExternalEnv 1
Internal DBInternal DB
Internal DB
SOAP HTTP(s)
18copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON-Phase I
Messaging B
us
Back End SystemsPackagesDatabases
TransformationMapping
Automated BPInternalEnv 1
JMS Lib
Adaptor
OCM
SOAP HTTP(s)
JDBC
Custom ApplicationsInternal
Env 2JMS Lib
JDBC
AON
AON
AON Blades Replace Proxy Web Services on External Env 1
Internal DBInternal DB
Internal DBHTTPSQL
Web Services
19copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON-Phase IIBack End SystemsPackagesDatabases
Internal DBInternal DB
Internal DBHTTPSQL
Web Services
AON with Transformation
Mapping
AON Blades Could Also Replace Business Process and Transformation Engine by
Providing Transformationmapping Capabilities in Addition to Proxy web
Service Layer (Phase 2)
SOAP HTTP(s)
20copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON-Phase IIBack End SystemsPackagesDatabases
SOAP HTTP(s)
Internal DBInternal DB
Internal DBHTTPSQL
Web Services
AON with Transformation
Mapping
AON Blades Could Also Replace Business Process and Transformation Engine by
Providing Transformationmapping Capabilities in Addition to Proxy web
Service Layer (Phase 2)
21copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Using AON vs B2B Gateway
SOAPHTTP(S)
XMLHTTP(S)
RNIF
EDIAS2
Flat FileHTTP(S)
LegacyB2B
Gateway
DistributedEnterpriseServices
Internet
Enterprise Network
Customers
Partners
22copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Protocol Relationships
Web Services Protocol SetXM
L-D
igita
l Sig
natu
re(D
SIG
)
XML-
Encr
yptio
n(X
ENC
)
TCPIP
HTTP
SOAP
WS-Security
AONService Broker
WSD
L
Out of BandExchange
UDDI
23copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON Play in SOA
bull Service BrokerApplication-Level Message Routing
ApplicationService Security
Application-Level Monitoring
Service Abstraction
Protocol Translation
Transformation and Mapping
bull Message Schema Validation
24copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON Play in Application Integration
Application Integrationbull Protocol Translation
bull Transformation and Mapping
bull Message Schema and Data Validation
25copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT AON Production: Intangible Benefits

• Faster time to delivery by reducing the development lifecycle
• Better security, made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements by individual applications
• Moving intelligence into the network

Cisco IT View of AON

An invisible message router/gateway in the network that routes, transforms, monitors and authenticates/authorizes messages between end points.

How Can AON Be Invisible?

An AON node resides in the network as an inline, application-aware device. The device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications.
AON Modes of Operation

Transparent Mode: intercept with no change to applications

[Diagram: Sending Application A sends to http://B/Service1; the integrated switch, based on a WCCP redirect ACL, intercepts the traffic and forwards it to the AON blade, which passes it on to Receiving Application B.]

AON Best Practices: A Cisco IT Perspective
Best Practices: Logical Diagram

[Diagram: Firewall | DMZ | Firewall | App Server Layer, with nine AON blades grouped into clusters, a Log DB, and AONSP links between clusters. Cluster functions shown: SSL termination, DSIG/cert validation, authentication, logging; payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP-to-JMS), content-based routing, logging; payload encryption, DSIG, logging.]

• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected network
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties
Best Practices: Provisioning and Management

[Diagram: the same Firewall | DMZ | Firewall | App Server Layer layout as the logical diagram, with AON clusters, Log DB and AONSP links.]

• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention utilizing standard name spacing
• Implement isolation by sandboxing development environments by project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes into account all of the above
Cisco IT Services Leveraging AON

• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com integration (contacts, leads, etc.)

Q and A

Intermission

Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT

Security with AON
Brook Schoenfield, Senior Security Architect, CSPO
Agenda

• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls

Agenda

• Where Does AON Fit into the Bigger Picture?
  - What is Service Oriented Architecture (SOA)?
  - What is Application Integration?
• What Is AON?
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls
SOA

• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order: an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)

SOA Is Now

"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects."
Gartner, Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001

This is FYQ06; enterprises are looking for that 30% gain.

AON and SOA

• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"

Cisco IT Specific Drivers for SOA

• Move from functionally focused IT to business process focused IT
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions
Example of Cisco Distributed Services (SOA)

• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)

Complexity (and Risk) Increase with Adoption

[Diagram: Partner 1, Partner 2 ... Partner n, Self-Service, Inventory Mgmt and Call Center all connecting to the shared services.]

Healthy Distrust = Security Controls

• Services should be distrustful of the outside world
  - Not everyone will be served
  - Inspect, validate and authenticate requests
• The code's internal state is not openly exposed
  - Only well-defined requests are serviced
  - Requests do not reveal the service's algorithms
  - Requests do not describe the service's state
  - Requests provide services, not data access
• Services should not share ACID transactions
  - Transactions imply a certain level of trust
  - Locks may be held for a long time
  - Transactions imply a level of coupling
(Source: Microsoft Incorporated)
Agenda

• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls

What Role Does AON Play?

• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator
AON and the OSI Stack

OSI layer      Example protocols / function
Application    Message Level Protocol (SOAP)
Presentation   ASCII, MPEG, GIF, etc.
Session        RPC, NFS
Transport      TCP, UDP
Network        IP logical addressing
Data Link      Data translation to frames
Physical       Data bits transmission

AON functions shown alongside the upper layers: content-based routing; content inspection, transformation, security & mapping.
Pre-AON Inspection and Operation

[Diagram: IP | TCP | HTTP | payload. Switches, routers, firewalls and "content inspection" operate around the payload; the payload itself is opaque.]

AON Is Inside the TCP/IP Wrapper

[Diagram: IP | TCP | HTTP | payload/message. Session protocol + content inspection == session and payload. The payload shown is an XML purchase order:]

<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  ...

Optimized for XML payloads.
AON == Message Content and Envelope

[Diagram: IP | TCP | HTTP | HTTP envelope (SOAP, WS-SEC) | messages (XML envelope standards + custom XML). Existing message bodies + custom parsing == "deep inspection".]

Why XML?

• TCP/IP gives you network hardware independence
• Java gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
AON Delivers the Following Support Utilities for Security

• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital signature
• DMZ-to-application-layer secure connector (like SSH or STA)
These AON Security Functions...

...are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco external-facing services.

AON Security Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Encryption using SSL v3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited
XML payload encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
Protocol translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital signature | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
DMZ-to-app-layer secure connector | mod_IIOP over SSH pipes | Reverse proxy | STA (Secure Transport Architecture): custom | Varies for each environment
Before AON: Current Location of Application and Service Support Utilities

[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs. In the DMZ, External Env 1, External Env 2 and B2B each carry their own environment/technology-specific authentication, SSL v3 termination, DSIG validation and encryption; in the application layer each carries custom, application-based content inspection/routing, schema validation, logging and service versioning.]

After AON: Future Location of Application and Service Support Utilities

[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs. Common utilities run on AON blades in the DMZ; business logic (Java, Perl, B2B) remains in the application layer.]

Common utilities provided by AON:
• SSL termination
• SIG/cert validation
• Authentication
• Logging
• Content-based routing
• Protocol conversion
• Payload encryption
• Payload decryption
• Schema validation
Agenda

• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls

AON Security

• AON fosters a better network security architecture because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e., layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Pre-AON Web Security Architecture

[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs. Web servers (WS) in the DMZ; business logic (Java, Perl, B2B) in the application layer.]

Pre-AON SOA/Web Services Security Architecture

[Diagram: the same layout, with a Web Services gateway (WSGW) added in front of the business logic.]

Pre-AON Attack Vectors

[Diagram: the same architecture, annotated:]
• The network architecture must be changed for the gateway (more switches and routers = more ACLs to manage)
• The gateway is NOT part of the network: a compromise at layer 3/4 can attack the application layer, going around the gateway
A Possible (Simplified) AON Architecture

[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs, with AON in place of the gateway, annotated:]
• AON is part of the network: the application layer is directly connected to the network device
• Message protection is terminated at AON: no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries
AON Potential Architecture

[Diagram: Firewall | DMZ | Firewall | App Server layer. HTTP(S) from the outside terminates on the DMZ AON cluster; AONSP carries traffic between the DMZ and application-layer AON clusters; the application-layer clusters speak HTTP(S) and JMS to App1, Svc2, Svc3, the App Dir Svc, the gateway and the JMS server. Cluster functions shown: SSL termination, DSIG/cert validation, authentication, logging; payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP-to-JMS), content-based routing, logging; payload encryption, DSIG, logging. Web servers == AON; common application functions == AON.]

• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer, provided by AON, protect services and logic in the application layer
Implementation Consistency

• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "for application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions

Some of AON's Security Functions

• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Key XML Standards

• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  - XML-Signature (DSIG) == digital signature use
  - XML-Encryption (XENC) == encrypt/decrypt use
  - Authenticators
• + More standards proposed (alphabet soup):
  - Web Services Description Language (WSDL)
  - Universal Description, Discovery and Integration (UDDI)
  - Web Services Flow Language (WSFL)
  - Other business rules (BPEL4WS)

AON Implements Messaging Standards

[Diagram: XML protocol set, stacked TCP/IP, HTTP, SOAP and WS-Security, with XML-Encryption (XENC), XML-Digital Signature (DSIG) and XML expressions (XSLT) alongside. AON acts as Security Integrator for the SOA.]

Standards Relationships

[Diagram: the same XML protocol set stack; AON provides accelerated XML services.]
Digital Signatures (X.509 + DSIG)

• Authentication credentials
• Non-repudiation
• Integrity
• Used for the entire message or for parts of a message; use certificate or key enveloping (WSSEC); DSIG is very general purpose

Encryption/Decryption

• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message

Authentication

• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials
  - X.509 certificate
  - Signature validation (XENC, certificate based)

Flow Security Mechanisms

• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out of the box)
• A very general-purpose mechanism for controlling message access and routing
Deep Content Inspection

• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelet" code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out of the box)
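The flow security mechanisms and deep content inspection described on these two slides, as an added Python example that is not part of the original deck or of AON: a small message-level policy that validates the purchase-order payload from the earlier "AON Is Inside the TCP/IP Wrapper" slide, checks data ranges, applies an authorization rule, and runs content signatures that either alarm (content IDS) or block (firewall behaviour). The sender identifiers, field patterns and signature names are constructed assumptions, not AON flow syntax.

```python
# Added example (not AON code): a message-level inspection "flow".
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import date

# Constructed sample, modelled on the purchaseOrder excerpt shown on the slides.
SAMPLE_PO = """<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>"""

MAX_MESSAGE_BYTES = 64 * 1024                  # data range on the whole message
ALLOWED_COUNTRIES = {"US", "CA"}               # data range on an attribute
AUTHORIZED_SENDERS = {"partner-acme", "self-service-portal"}  # hypothetical ids

# Schema-like contract: path under the root -> pattern the element text must match.
CONTRACT = {
    "shipTo/name":   re.compile(r"[A-Za-z .'-]{1,64}"),
    "shipTo/street": re.compile(r"[\w .#-]{1,128}"),
    "shipTo/city":   re.compile(r"[A-Za-z .'-]{1,64}"),
    "shipTo/state":  re.compile(r"[A-Z]{2}"),
    "shipTo/zip":    re.compile(r"\d{5}(-\d{4})?"),
}

# Content signatures run on the raw text before any XML parsing. "block" stops
# the message (firewall behaviour); "alarm" forwards it but raises an event (IDS).
SIGNATURES = [
    ("dtd-or-entity-declaration", re.compile(r"<!(DOCTYPE|ENTITY)", re.I), "block"),
    ("xml-comment", re.compile(r"<!--"), "alarm"),
]

@dataclass
class Verdict:
    action: str = "forward"               # "forward", "alarm" or "block"
    reasons: list = field(default_factory=list)
    log: list = field(default_factory=list)

def inspect(message: str, sender: str) -> Verdict:
    """Apply the flow to one message from an already authenticated sender."""
    v = Verdict()

    def block(reason: str) -> None:
        v.action = "block"
        v.reasons.append(reason)
        v.log.append(f"BLOCK sender={sender} reason={reason}")

    def alarm(reason: str) -> None:
        v.action = "alarm" if v.action == "forward" else v.action
        v.reasons.append(reason)
        v.log.append(f"ALARM sender={sender} reason={reason}")

    # 1. Authorization rule: unknown senders are not served at all.
    if sender not in AUTHORIZED_SENDERS:
        block("sender-not-authorized")
        return v
    # 2. Data range on the message as a whole.
    if len(message.encode("utf-8")) > MAX_MESSAGE_BYTES:
        block("message-too-large")
        return v
    # 3. Content signatures on the raw text, before the parser sees it.
    for name, pattern, action in SIGNATURES:
        if pattern.search(message):
            (block if action == "block" else alarm)(f"signature:{name}")
    if v.action == "block":
        return v
    # 4. Message-format validation: well-formed XML with the expected root.
    try:
        root = ET.fromstring(message)
    except ET.ParseError as exc:
        block(f"malformed-xml:{exc}")
        return v
    if root.tag != "purchaseOrder":
        block(f"unexpected-root:{root.tag}")
        return v
    # 5. Data-range validation of attributes.
    try:
        date.fromisoformat(root.get("orderDate", ""))
    except ValueError:
        block("orderDate-not-iso-date")
    ship_to = root.find("shipTo")
    if ship_to is None:
        block("missing-shipTo")
        return v
    if ship_to.get("country") not in ALLOWED_COUNTRIES:
        block(f"country-not-allowed:{ship_to.get('country')}")
    # 6. Schema-like contract on each required field.
    for path, pattern in CONTRACT.items():
        node = root.find(path)
        if node is None or node.text is None:
            block(f"missing-field:{path}")
        elif not pattern.fullmatch(node.text.strip()):
            block(f"bad-value:{path}")
    v.log.append(f"DECISION {v.action} sender={sender}")
    return v
```

Each decision is appended to `Verdict.log`, which is the equivalent of the per-step logging the cluster diagrams attach to every AON function.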
AON Components

[Diagram: AON blades; AMC (AON Mgmt Console), used for configuring and provisioning AON modules; ADS (AON Design Studio), used for developing application policies ("flows"); LOG DB.]

Access Controls

• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)

Implemented at the device, at the AON component, and through AON access controls.
Summary

• Cisco is building out an SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  - Combining layer 3/4 and layer 7+ security controls
  - Common security functions: signatures, encryption, PKI
  - Deep content inspection, content-level ACLs
  - Reasonable administrative access controls

Q and A

© 2005 Cisco Systems, Inc. All rights reserved. Session Number 11657_09_2005_c1. Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
10copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Reliability and Manageability Functionshellip
AON Reliability Function
External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional Authentication
Custom written with limited capabilities
bull WebMethods specific Requires significant setup effort
Custom written with limited capabilities
Custom written with limited capabilities
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco Services
AON Manageability Function
External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional Authentication
Custom written by each app
WebMethods specific
Custom written by each app Limited
Monitoring (Transaction level)
Custom written by each application
bull Webmethods specific
bull Limited to WM transactions
Custom written by each application
Custom written andor Producttechnology
specific
11copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Targeted Service Functionshellip
AON TARGETED SERVICE FUNCTION
External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional Authentication
Custom written with limited capabilities
Custom written with limited capabilities
Custom written with limited capabilities
Custom written with limited capabilities
MessageContent-Based Routing
Custom written with limited capabilities
bull WebMethods specific
bull Limited to WebMethods transactions
Custom written by each application
Custom written andor Producttechnology
specific
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco Services
12copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Features Deployed within Cisco IT
The Goal is to Have AON Play the Role of Services Management BrokerGateway and Pass the Single Virtual Gateway for all Web and B2B Services Below is a List of Important Features of Which Many Have Been Formalized as Requirements
bull Authentication
bull Monitoring
bull Service Versioning
bull Encryption and Digital Signatures
bull Message-level Load Balancing and Distribution
bull Logging
bull Message and Content-Based Routing
bull Protocol Translation
bull Secure Tunneling across Firewall
bull Contracts
bull Billing
13copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
14copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
15copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Who Would Benefit From AON
Service Developersbull Reduces development lifecyclebull Builds on existing servicesBusinessbull Time-to-marketbull Lower development and maintenance costInformation Securitybull Simpler security modelbull Better visibilityInfrastructure bull Reduced complexitybull Better visibilityEnterprise Architects
16copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Recommended AON Architecture
FirewallDMZFirewall
HTTP(S)
App Server Layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Server
17copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Transformation and Mapping
Messaging B
us
Back End SystemsPackagesDatabases
Proxy Web Service
JMS LibTransformation
MappingAutomated BPInternal
Env 1JMS Lib
Adaptor
HTTPSQL
Web Services
OCM
JDBC
Custom ApplicationsInternal
Env 2JMS Lib
JDBC
ExternalEnv 1
Internal DBInternal DB
Internal DB
SOAP HTTP(s)
18copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON-Phase I
Messaging B
us
Back End SystemsPackagesDatabases
TransformationMapping
Automated BPInternalEnv 1
JMS Lib
Adaptor
OCM
SOAP HTTP(s)
JDBC
Custom ApplicationsInternal
Env 2JMS Lib
JDBC
AON
AON
AON Blades Replace Proxy Web Services on External Env 1
Internal DBInternal DB
Internal DBHTTPSQL
Web Services
19copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON-Phase IIBack End SystemsPackagesDatabases
Internal DBInternal DB
Internal DBHTTPSQL
Web Services
AON with Transformation
Mapping
AON Blades Could Also Replace Business Process and Transformation Engine by
Providing Transformationmapping Capabilities in Addition to Proxy web
Service Layer (Phase 2)
SOAP HTTP(s)
20copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON-Phase IIBack End SystemsPackagesDatabases
SOAP HTTP(s)
Internal DBInternal DB
Internal DBHTTPSQL
Web Services
AON with Transformation
Mapping
AON Blades Could Also Replace Business Process and Transformation Engine by
Providing Transformationmapping Capabilities in Addition to Proxy web
Service Layer (Phase 2)
21copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Using AON vs B2B Gateway
SOAPHTTP(S)
XMLHTTP(S)
RNIF
EDIAS2
Flat FileHTTP(S)
LegacyB2B
Gateway
DistributedEnterpriseServices
Internet
Enterprise Network
Customers
Partners
22copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Protocol Relationships
Web Services Protocol SetXM
L-D
igita
l Sig
natu
re(D
SIG
)
XML-
Encr
yptio
n(X
ENC
)
TCPIP
HTTP
SOAP
WS-Security
AONService Broker
WSD
L
Out of BandExchange
UDDI
23copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON Play in SOA
bull Service BrokerApplication-Level Message Routing
ApplicationService Security
Application-Level Monitoring
Service Abstraction
Protocol Translation
Transformation and Mapping
bull Message Schema Validation
24copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON Play in Application Integration
Application Integrationbull Protocol Translation
bull Transformation and Mapping
bull Message Schema and Data Validation
25copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT AON Production Intangible Benefits
bull Faster time to delivery by reducing development lifecycle
bull Better security made possible by a common and simplified implementation provisioning and configuration process
bull Reduced complexity of applications and infrastructure
bull Architecture lends itself to the future of SOAbull Reduced resource requirements by individual
applicationsbull Moving intelligence into the network
26copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT View of AON
An invisible message routergateway in the network that routes transforms monitors and authenticateauthorize messages between end points
27copy 2005 Cisco Systems Inc All rights reserved Cisco Public
How Can AON Be Invisible
An AON node resides in the network as an inline application-aware device the device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or as a pass-through proxy that is transparent to applications
28copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Modes of Operation
Transparent Mode
Intercept with No Change to Applications
SendingApplication A
ReceivingApplication B
Integrated SwitchAON Blade
Based on WCCP Re-Direct ACL Intercept Traffic and
Forward to AON
httpBService1
29copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Best PracticesA Cisco IT Perspective
30copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Logical Diagram
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Cluster AON blades based on functionality
bull Identify common capabilities that span across multiple applications to be owned by Infrastructure
bull Move commoninfrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities into its own set of clusters
bull For external-facing Web Services infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
bull Standardize on AONP(S) as the inter-cluster communication protocol
bull Standardize on a naming convention for resources flows and properties
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
31copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Provisioning and Management
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Implement a standard SDLC strategy (devtestprod)
bull Implement collision prevention utilizing standard name spacing
bull Implement isolation by sandboxing development environment by project teams
bull Allow for an automated promotion process
bull Implement a promotion strategy that takes into account all of the above
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
32copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Services Leveraging AON
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Background Check
bull Salesforcecom Integration (contacts leads etchellip)
33copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
34copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Intermission
Coming up in the next hourbull Security with AON
bull AON Deployment Timelines within Cisco IT
bull AON Business Case within Cisco IT
35copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Security with AON
Brook Schoenfield Senior Security ArchitectCSPO
36copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
37copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger PictureWhat is Service Oriented Architecture (SOA)
What is Application Integration
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
Slide 38
SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)
Slide 39
SOA Is Now
"By 2005 the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects"
Gartner Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001
This Is FYQ06: Enterprises Are Looking for that 30% Gain
Slide 40
AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"
Slide 41
Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business process focused IT
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions
Slide 42
Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)
Slide 43
Complexity (and Risk) Increase with Adoption
[Diagram: distributed services consumed by Partner 1, Partner 2 ... Partner n, Self-Service, Inventory Mgmt and Call Center]
Slide 44
Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
  Not everyone will be served
  Inspect, validate and authenticate requests
• The code's internal state is not openly exposed
  Only well defined requests are serviced
  Requests do not reveal the service's algorithms
  Requests do not describe the service's state
  Requests provide services, not data access
• Services should not share ACID transactions
  Transactions imply a certain level of trust
  Locks may be held for a long time
  Transactions imply a level of coupling (Microsoft Incorporated)
Slide 45
Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 46
What Role Does AON Play?
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator
Slide 47
AON and the OSI Stack
Layer | Function
Application | Message Level Protocol (SOAP)
Presentation | ASCII, MPEG, GIF, etc.
Session | RPC, NFS
Transport | TCP, UDP
Network | IP Logical Addressing
Data Link | Data Translation to Frames
Physical | Data Bits Transmission
AON operates at the upper layers: Content-Based Routing; Content Inspection, Transformation, Security & Mapping
Slide 48
Pre-AON Inspection and Operation
[Diagram: IP | TCP | HTTP | payload (opaque)]
Switches, Routers and Firewalls: "Content Inspection" Operates Around the Payload, which remains Opaque
Slide 49
AON Is Inside the TCP/IP Wrapper
[Diagram: IP | TCP | HTTP (http://www) | Payload/Message]
Session Protocol + Content Inspection == Session and Payload
Payload/Message:
<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  ...
Slide 50
AON Is Inside the TCP/IP Wrapper (continued)
[Diagram: same as slide 49, with the purchaseOrder payload inside the IP | TCP | HTTP wrapper]
Optimized for XML Payloads
Slide 51
AON == Message Content and Envelope
[Diagram: IP | TCP | HTTP (http://www) | SOAP/WSEC envelope | XML Message Body]
HTTP Envelope (SOAP) Messages (XML envelope standards + custom XML) == "Deep Inspection"
Existing Message Bodies + Custom Parsing
Slide 52
Why XML?
• TCP/IP gives you network HW independence
• JAVA gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
Slide 53
AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital Signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)
Slide 54
These AON Security Functions...
...Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Encryption using SSL V3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited
XML Payload Encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
Protocol Translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital Signature | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
DMZ-2-App Layer Secure Connector | mod_IIOP over SSH pipes | Reverse Proxy | STA (Secure Transport Architecture), custom | Varies for each environment
Slide 55
Before AON: Current Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs. Three environments (External Env 1, External Env 2, B2B), each carrying its own copy of:]
• Environment/Technology specific: Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/Application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning
Slide 56
After AON: Future Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs. AON devices provide the Common Utilities; the Business Logic (Java, PERL, B2B) sits behind them.]
• SSL Termination
• SIG/Cert Validation
• Authentication
• Logging
• Content-based Routing
• Protocol Conversion
• Payload Encryption
• Payload Decryption
• Schema Validation
Slide 57
Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 58
AON Security
• AON fosters a better network security architecture because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e., layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59
Pre-AON Web Security Architecture
[Diagram: Firewall | DMZ (Web Servers: WS, WS, WS) | Firewall | Application Layer (Business Logic: Java, PERL, B2B) | Firewall | Internal DBs]
Slide 60
Pre-AON SOA/Web Services Security Architecture
[Diagram: as slide 59, with a Web Services Gateway (WSGW) added]
Slide 61
Pre-AON Attack Vectors
[Diagram: as slide 60: Firewall | DMZ (Web Servers) | Firewall | Application Layer (Business Logic: Java, PERL, B2B; WSGW) | Firewall | Internal DBs]
Slide 62
Pre-AON Attack Vectors
[Diagram: as slide 60, with two callouts]
Net architecture must be changed for the GW (more switches and routers = more ACs to manage)
The GW is NOT part of the network: compromise of layer 3/4 can attack the application layer, going around the GW
Slide 63
A Possible (Simplified) AON Architecture
[Diagram: Firewall | DMZ (Web Servers: WS, WS, WS) | Firewall | Application Layer (AON in front of the Business Logic: Java, PERL, B2B) | Firewall | Internal DBs, with AON in front of the Internal DBs as well]
AON Is Part of the Network: the App Layer Is Directly Connected to the Network Device
Message Protection Is Terminated at AON: No Attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Slide 64
AON Potential Architecture
[Diagram: Firewall | DMZ (cluster of AON devices terminating HTTP(S)) | Firewall | App Server layer (AON cluster in front of App1, Svc2, Svc3, an App Dir Svc, a Gateway and a JMS Server, reached over HTTP(S) and JMS); the clusters are linked over AONSP. DMZ AON functions: SSL termination, DSIG/cert validation, authentication, logging, etc. App-layer AON functions: payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP-2-JMS), content-based routing, logging; payload encryption, DSIG, logging, etc.]
Web servers == AON
Common Application functions == AON
Slide 65
AON Potential Architecture
[Diagram: as slide 64]
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the Application layer, provided by AON, protect services and logic in the application layer
Slide 66
Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message level security functions
Slide 67
Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 Certificate, etc.)
• Something very like access control lists (flows can be used as message level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68
Key XML Standards
• WS-SEC or WSEC (WS-Security): An envelope and semantic for
  XML-Signature (DSIG) == Digital signature use
  XML-Encryption (XENC) == Encrypt/decrypt use
  Authenticators
• + More standards proposed: Alphabet soup
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other Business Rules (BPEL4WS)
Slide 69
AON Implements Messaging Standards
[Diagram: protocol stack TCP/IP -> HTTP -> SOAP -> WS-Security, with the XML Protocol Set (XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT)) alongside; AON acts as Security Integrator for the SOA]
Slide 70
Standards Relationships
[Diagram: as slide 69 (TCP/IP -> HTTP -> SOAP -> WS-Security, with the XML Protocol Set: XENC, DSIG, XSLT); AON provides Accelerated XML Services]
Slide 71
Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used over the entire message or for parts of a message; uses Certificate or key enveloping (WSSEC); DSIG is very general purpose
Slide 72
Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Slide 73
Authentication
• HTTP BASIC
• SOAP Enveloped (header)
• Enterprise LDAP (Directory) stores
• Different types of credentials:
  X.509 Certificate
  Signature validation (XENC, certificate based)
Slide 74
Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general purpose mechanism for controlling message access and routing
Slide 75
Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets" code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a Firewall (because signatures do not come out-of-the-box)
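The flow stages of slides 74 and 75 (message format validation, data range validation, authorization rules, and content signatures that either raise a content IDS alarm or stop the flow) as an added Python example; this is not AON or Cisco code. The message-level ACL, the signatures, the size bound and the range rules are constructed here for the purchaseOrder payload shown on slide 49.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: the purchaseOrder payload shown on the slides, embedded inline.
SAMPLE_PO = """<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>"""

MAX_PAYLOAD_BYTES = 64 * 1024          # hypothetical size bound for a purchase order

# Hypothetical message-level ACL (the slides call flows "something very like ACLs"):
# which authenticated sender may invoke which root element (operation).
ACL = {"partner1": {"purchaseOrder"}, "selfservice": {"orderStatus"}}

# Hypothetical content signatures; the slides note signatures do not ship out of the
# box, so these are constructed. action "alarm" = content IDS (log and pass on),
# action "block" = firewall behaviour (stop the flow).
SIGNATURES = [
    ("doctype-declaration", re.compile(r"<!DOCTYPE", re.I), "block"),  # entity expansion risk
    ("html-script-in-field", re.compile(r"<script\b", re.I), "alarm"),
]

# Hypothetical format rules standing in for a schema: required children and data ranges.
REQUIRED_CHILDREN = {"shipTo": ("name", "street", "city", "state", "zip")}
RANGE_RULES = {
    "zip": re.compile(r"^\d{5}$"),
    "state": re.compile(r"^[A-Z]{2}$"),
}
DATE_RX = re.compile(r"^\d{4}-\d{2}-\d{2}$")


@dataclass
class Verdict:
    action: str = "allow"                      # "allow", "alarm" or "block"
    reasons: list = field(default_factory=list)

    def block(self, why: str) -> "Verdict":
        self.action = "block"
        self.reasons.append(why)
        return self


def inspect(sender: str, payload: str) -> Verdict:
    """Run the flow stages in order and stop at the first blocking stage."""
    v = Verdict()

    # Stage 1: size bound and raw-text signatures, before any parser touches the payload.
    if len(payload.encode("utf-8")) > MAX_PAYLOAD_BYTES:
        return v.block("payload exceeds size limit")
    for name, rx, action in SIGNATURES:
        if rx.search(payload):
            if action == "block":
                return v.block(f"signature {name}")
            v.action = "alarm"                 # content IDS: record and keep going
            v.reasons.append(f"signature {name}")

    # Stage 2: message format validation (well-formedness).
    try:
        root = ET.fromstring(payload)
    except ET.ParseError as exc:
        return v.block(f"malformed XML: {exc}")

    # Stage 3: authorization rule: only well defined requests from permitted senders.
    if root.tag not in ACL.get(sender, set()):
        return v.block(f"sender {sender!r} may not invoke {root.tag!r}")

    # Stage 4: structural (schema-style) validation of required elements.
    for parent, children in REQUIRED_CHILDREN.items():
        for element in root.iter(parent):
            missing = [c for c in children if element.find(c) is None]
            if missing:
                return v.block(f"{parent} missing {missing}")

    # Stage 5: data range validation on attributes and leaf values.
    order_date = root.get("orderDate", "")
    if not DATE_RX.match(order_date):
        return v.block(f"bad orderDate {order_date!r}")
    for tag, rx in RANGE_RULES.items():
        for element in root.iter(tag):
            if not rx.match(element.text or ""):
                return v.block(f"{tag} out of range: {element.text!r}")
    return v
```

The signature stage runs on the raw text before parsing so that a DOCTYPE is refused before the XML parser can expand any entities it declares.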
Slide 76
AON Components
[Diagram: AON Blades with a LOG DB, managed from the AMC and programmed from the ADS]
AMC (AON Mgmt Console): Used for Configuring and Provisioning AON Modules
ADS (AON Design Studio): Used for Developing Application Policies ("Flows")
Slide 77
Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (Development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, at the AON component and through AON access controls
Slide 78
Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/Architecture:
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection: content level ACLs
  Reasonable administrative access controls
Slide 79
Q and A
Session Number 11657_09_2005_c1
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
11copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Targeted Service Functionshellip
AON TARGETED SERVICE FUNCTION
External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional Authentication
Custom written with limited capabilities
Custom written with limited capabilities
Custom written with limited capabilities
Custom written with limited capabilities
MessageContent-Based Routing
Custom written with limited capabilities
bull WebMethods specific
bull Limited to WebMethods transactions
Custom written by each application
Custom written andor Producttechnology
specific
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco Services
12copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Features Deployed within Cisco IT
The Goal is to Have AON Play the Role of Services Management BrokerGateway and Pass the Single Virtual Gateway for all Web and B2B Services Below is a List of Important Features of Which Many Have Been Formalized as Requirements
bull Authentication
bull Monitoring
bull Service Versioning
bull Encryption and Digital Signatures
bull Message-level Load Balancing and Distribution
bull Logging
bull Message and Content-Based Routing
bull Protocol Translation
bull Secure Tunneling across Firewall
bull Contracts
bull Billing
13copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
14copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
15copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Who Would Benefit From AON
Service Developersbull Reduces development lifecyclebull Builds on existing servicesBusinessbull Time-to-marketbull Lower development and maintenance costInformation Securitybull Simpler security modelbull Better visibilityInfrastructure bull Reduced complexitybull Better visibilityEnterprise Architects
16copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Recommended AON Architecture
FirewallDMZFirewall
HTTP(S)
App Server Layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Server
17copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Transformation and Mapping
Messaging B
us
Back End SystemsPackagesDatabases
Proxy Web Service
JMS LibTransformation
MappingAutomated BPInternal
Env 1JMS Lib
Adaptor
HTTPSQL
Web Services
OCM
JDBC
Custom ApplicationsInternal
Env 2JMS Lib
JDBC
ExternalEnv 1
Internal DBInternal DB
Internal DB
SOAP HTTP(s)
18copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON-Phase I
Messaging B
us
Back End SystemsPackagesDatabases
TransformationMapping
Automated BPInternalEnv 1
JMS Lib
Adaptor
OCM
SOAP HTTP(s)
JDBC
Custom ApplicationsInternal
Env 2JMS Lib
JDBC
AON
AON
AON Blades Replace Proxy Web Services on External Env 1
Internal DBInternal DB
Internal DBHTTPSQL
Web Services
19copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON-Phase IIBack End SystemsPackagesDatabases
Internal DBInternal DB
Internal DBHTTPSQL
Web Services
AON with Transformation
Mapping
AON Blades Could Also Replace Business Process and Transformation Engine by
Providing Transformationmapping Capabilities in Addition to Proxy web
Service Layer (Phase 2)
SOAP HTTP(s)
20copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON-Phase IIBack End SystemsPackagesDatabases
SOAP HTTP(s)
Internal DBInternal DB
Internal DBHTTPSQL
Web Services
AON with Transformation
Mapping
AON Blades Could Also Replace Business Process and Transformation Engine by
Providing Transformationmapping Capabilities in Addition to Proxy web
Service Layer (Phase 2)
21copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Using AON vs B2B Gateway
SOAPHTTP(S)
XMLHTTP(S)
RNIF
EDIAS2
Flat FileHTTP(S)
LegacyB2B
Gateway
DistributedEnterpriseServices
Internet
Enterprise Network
Customers
Partners
22copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Protocol Relationships
Web Services Protocol SetXM
L-D
igita
l Sig
natu
re(D
SIG
)
XML-
Encr
yptio
n(X
ENC
)
TCPIP
HTTP
SOAP
WS-Security
AONService Broker
WSD
L
Out of BandExchange
UDDI
23copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON Play in SOA
bull Service BrokerApplication-Level Message Routing
ApplicationService Security
Application-Level Monitoring
Service Abstraction
Protocol Translation
Transformation and Mapping
bull Message Schema Validation
24copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON Play in Application Integration
Application Integrationbull Protocol Translation
bull Transformation and Mapping
bull Message Schema and Data Validation
25copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT AON Production Intangible Benefits
bull Faster time to delivery by reducing development lifecycle
bull Better security made possible by a common and simplified implementation provisioning and configuration process
bull Reduced complexity of applications and infrastructure
bull Architecture lends itself to the future of SOAbull Reduced resource requirements by individual
applicationsbull Moving intelligence into the network
26copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT View of AON
An invisible message routergateway in the network that routes transforms monitors and authenticateauthorize messages between end points
27copy 2005 Cisco Systems Inc All rights reserved Cisco Public
How Can AON Be Invisible
An AON node resides in the network as an inline application-aware device the device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or as a pass-through proxy that is transparent to applications
28copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Modes of Operation
Transparent Mode
Intercept with No Change to Applications
SendingApplication A
ReceivingApplication B
Integrated SwitchAON Blade
Based on WCCP Re-Direct ACL Intercept Traffic and
Forward to AON
httpBService1
29copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Best PracticesA Cisco IT Perspective
30copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Logical Diagram
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Cluster AON blades based on functionality
bull Identify common capabilities that span across multiple applications to be owned by Infrastructure
bull Move commoninfrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities into its own set of clusters
bull For external-facing Web Services infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
bull Standardize on AONP(S) as the inter-cluster communication protocol
bull Standardize on a naming convention for resources flows and properties
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
31copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Provisioning and Management
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Implement a standard SDLC strategy (devtestprod)
bull Implement collision prevention utilizing standard name spacing
bull Implement isolation by sandboxing development environment by project teams
bull Allow for an automated promotion process
bull Implement a promotion strategy that takes into account all of the above
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
32copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Services Leveraging AON
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Background Check
bull Salesforcecom Integration (contacts leads etchellip)
33copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
34copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Intermission
Coming up in the next hourbull Security with AON
bull AON Deployment Timelines within Cisco IT
bull AON Business Case within Cisco IT
35copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Security with AON
Brook Schoenfield Senior Security ArchitectCSPO
36copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
37copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger PictureWhat is Service Oriented Architecture (SOA)
What is Application Integration
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
38copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA
bull Service Oriented Architecture is a different mindset
bull Focus on delivering a service offering (an invoice a purchase order an item or unit that has intrinsic business understanding and value)
bull No longer focus on the programmatic interface (message standards take care of that)
39copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA Is Now
ldquoBy 2005 the aggressive use of Web services will drive a 30 increase in the efficiency of IT development projectsrdquo
Gartner Inc ldquoThe Hype Is Right Web Services Will Deliver Immediate Benefitsrdquo October 2001
This Is FYQ06 Enterprises Are Looking for that 30 Gain
40copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and SOA
bull AON can be a key part of an SOA build out
bull AON provides the necessary security functions
bull Common functions become ldquopart of the networkrdquo
41copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Specific Drivers for SOA
bull Move from functionally focused IT to business process focused
bull Single source of truth
bull Development cyclesmdashreusability
bull Business responsiveness
bull Consistency
bull Security functions
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Healthy Distrust = Security Controls
bull Services should be distrustful of the outside world
bull Not everyone will be served
bull Inspect validate and authenticate requestsThe codersquos internal state is not openly exposed
bull Only well defined requests are serviced
bull Requests do not reveal the servicersquos algorithms
bull Requests do not describe the servicersquos state
bull Requests provide services not data accessServices should not share ACID transactions
bull Transactions imply a certain level of trustLocks may be held for a long time
bull Transactions imply a level of couplingmdashMicrosoft Incorporated
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital Signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)
These AON Security Functions…
…Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
Columns: AON Security Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Encryption using SSL V3 with Bi-Directional Authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited
XML Payload Encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
Protocol Translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital Signature | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
DMZ-2-App Layer Secure Connector | mod_IIOP over SSH pipes | Reverse Proxy | STA (Secure Transport Architecture), custom | Varies for each environment
Before AON: Current Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall; External Env 1, External Env 2 and B2B each with their own Internal DB]
For each of External Env 1, External Env 2 and B2B:
• Environment/Technology specific: Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/Application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning
After AON: Future Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall; Common Utilities (AON, AON, AON) in front of Business Logic (Java, PERL, B2B) and the Internal DBs]
• SSL Termination • SIG/Cert Validation • Authentication • Logging • Content-based Routing
• Protocol Conversion • Payload Encryption • Payload Decryption • Schema Validation
Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
AON Security
• AON fosters a better network security architecture, because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e. layer 7 security implemented in the network device)
• Common and consistent implementation of security functions
  Digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Pre-AON Web Security Architecture
[Diagram: Firewall | DMZ | Firewall | Application Layer | Firewall; Web Servers (WS, WS, WS) in the DMZ, Business Logic (Java, PERL, B2B) and the Internal DBs behind it]
Pre-AON SOA/Web Services Security Architecture
[Diagram: as in the previous slide, with a Web Services Gateway (WSGW) added]
Pre-AON Attack Vectors
[Diagram: same as the previous slide (Web Servers, Business Logic, Internal DBs, WSGW)]
Pre-AON Attack Vectors
[Diagram: same as the previous slide, with callouts]
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
The GW is NOT part of the network: compromise of layer 3/4 can attack the application layer, going around the GW
A Possible (Simplified) AON Architecture
[Diagram: Firewall | DMZ | Firewall | Application Layer | Firewall; Web Servers (WS, WS, WS) in the DMZ, AON nodes in front of the Business Logic (Java, PERL, B2B) and the Internal DBs]
AON Is Part of the Network: App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON: No Attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
AON Potential Architecture
[Diagram: Firewall | DMZ | Firewall | App Server Layer. HTTP(S) from outside into a cluster of AON blades in the DMZ; AONSP between the DMZ cluster and a second AON cluster in the app server layer; from there HTTP(S) and JMS to App1, Svc2, Svc3, App Dir Svc, Gateway and the JMS Server]
AON function groups: SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.; Payload Decryption, Schema Validation, Content Inspection/Routing, logging; Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; Payload Encryption, DSIG, logging, etc.
Web servers == AON
Common Application functions == AON
AON Potential Architecture
[Diagram: same as the previous slide]
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in Application layer provided by AON protect services and logic in application layer
Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message level security functions
Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC)
• Authentication (HTTP BASIC, LDAP stores, X.509 Certificate, etc.)
• Something very like access control lists (flows can be used as message level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Key XML Standards
• WS-SEC or WSEC (WS-Security): An envelope and semantic for
  XML-Signature (DSIG) == Digital signature use
  XML-Encryption (XENC) == Encrypt/decrypt use
  Authenticators
• + More standards proposed, "Alphabet soup":
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other Business Rules (BPEL4WS)
AON Implements Messaging Standards
[Diagram: protocol stack TCP/IP, HTTP, SOAP, WS-Security; XML Protocol Set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT); AON as Security Integrator for SOA]
Standards Relationships
[Diagram: same stack as the previous slide (TCP/IP, HTTP, SOAP, WS-Security; XML Protocol Set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT)); AON as Accelerated XML Services]
Digital Signatures (X509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used on the entire message or for parts of a message; uses Certificate or key enveloping (WSSEC); DSIG is very general purpose
Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Authentication
• HTTP BASIC
• SOAP Enveloped (header)
• Enterprise LDAP (Directory) stores
• Different types of credentials: X.509 Certificate
  Signature validation (XENC certificate based)
Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general purpose mechanism for controlling message access and routing
Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets" code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a Firewall (because signatures do not come out-of-the-box)
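What the flow mechanisms and content-inspection slides describe, as an added Python example rather than AON flow or bladelet code: one inspection flow over the purchaseOrder payload from the "AON Is Inside the TCP/IP Wrapper" slide (constructed here), with firewall-style signatures that stop the message, alarms that only log, format and data-range validation, and an authorization rule acting as a message-level ACL. The size limit, required fields, range patterns and allowed-country list are assumptions chosen for illustration.

```python
# Added example, not AON flow or bladelet code: one inspection "flow" over the
# purchaseOrder payload from the "AON Is Inside the TCP/IP Wrapper" slide.
# Stages: firewall-style signatures, format validation, data-range validation
# and an authorization rule acting as a message-level ACL. All thresholds and
# rules below are assumptions chosen for illustration.
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample, modelled on the slide's purchaseOrder fragment.
SAMPLE_ORDER = """<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>
"""

@dataclass
class Verdict:
    """Outcome of one flow run: blocks stop the message, alarms only log."""
    blocks: list = field(default_factory=list)   # firewall behaviour
    alarms: list = field(default_factory=list)   # content-IDS behaviour

    @property
    def allowed(self) -> bool:
        return not self.blocks

# Stage 1: signatures on the raw bytes, run before any XML parser sees the
# message. A DOCTYPE or entity declaration has no place in a purchase order
# (and is how entity-expansion attacks arrive), so both block outright.
BLOCKING_SIGNATURES = {
    "doctype-present": re.compile(rb"<!DOCTYPE", re.IGNORECASE),
    "entity-declaration": re.compile(rb"<!ENTITY", re.IGNORECASE),
}
MAX_PAYLOAD_BYTES = 64 * 1024   # assumed size limit

def run_signatures(raw: bytes, verdict: Verdict) -> None:
    if len(raw) > MAX_PAYLOAD_BYTES:
        verdict.blocks.append("oversize-payload")
    for name, pattern in BLOCKING_SIGNATURES.items():
        if pattern.search(raw):
            verdict.blocks.append(name)

# Stage 2: message-format validation (the shape a purchaseOrder must have).
REQUIRED_PATHS = ("shipTo", "shipTo/name", "shipTo/street",
                  "shipTo/city", "shipTo/state", "shipTo/zip")

def validate_format(root: ET.Element, verdict: Verdict) -> None:
    if root.tag != "purchaseOrder":
        verdict.blocks.append(f"unexpected-root:{root.tag}")
        return
    for path in REQUIRED_PATHS:
        if root.find(path) is None:
            verdict.blocks.append(f"missing:{path}")

# Stage 3: data-range validation on individual fields.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")
MAX_FIELD_LEN = 256

def validate_ranges(root: ET.Element, verdict: Verdict) -> None:
    if not DATE_RE.match(root.get("orderDate", "")):
        verdict.blocks.append("bad-orderDate")
    zip_el = root.find("shipTo/zip")
    if zip_el is not None and not ZIP_RE.match(zip_el.text or ""):
        verdict.blocks.append("bad-zip")
    for el in root.iter():                       # oversize text: alarm only
        if el.text and len(el.text) > MAX_FIELD_LEN:
            verdict.alarms.append(f"long-field:{el.tag}")

# Stage 4: authorization rule, the flow acting as a message-level ACL.
ALLOWED_COUNTRIES = {"US", "CA"}   # assumed policy

def authorize(root: ET.Element, verdict: Verdict) -> None:
    ship_to = root.find("shipTo")
    country = ship_to.get("country") if ship_to is not None else None
    if country not in ALLOWED_COUNTRIES:
        verdict.blocks.append(f"country-not-allowed:{country}")

def inspect(raw: bytes) -> Verdict:
    """Run the flow; a blocking signature short-circuits before parsing."""
    verdict = Verdict()
    run_signatures(raw, verdict)
    if verdict.blocks:
        return verdict
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        verdict.blocks.append("malformed-xml")
        return verdict
    validate_format(root, verdict)
    validate_ranges(root, verdict)
    authorize(root, verdict)
    return verdict
```

The order of stages matters: the raw-byte signatures run first so a hostile document never reaches the parser, and a message is forwarded only when no blocking rule fired.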
AON Components
[Diagram: AON Blades; AMC (AON Mgmt Console): Used for Configuring and Provisioning AON Modules; ADS (AON Design Studio): Used for Developing Application Policies, "Flows"; LOG DB]
Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (Development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at device, AON component, and through AON access controls
Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/Architecture
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection, content level ACLs
  Reasonable administrative access controls
Q and A
Session Number 11657_09_2005_c1
AON Features Deployed within Cisco IT
The Goal is to Have AON Play the Role of Services Management Broker/Gateway and Pass the Single Virtual Gateway for all Web and B2B Services. Below is a List of Important Features, of Which Many Have Been Formalized as Requirements:
• Authentication
• Monitoring
• Service Versioning
• Encryption and Digital Signatures
• Message-level Load Balancing and Distribution
• Logging
• Message and Content-Based Routing
• Protocol Translation
• Secure Tunneling across Firewall
• Contracts
• Billing
Before AON: Current Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall; External Env 1, External Env 2 and B2B each with their own Internal DB]
For each of External Env 1, External Env 2 and B2B:
• Environment/Technology specific: Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/Application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning
After AON: Future Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall; Common Utilities (AON, AON, AON) in front of Business Logic (Java, PERL, B2B) and the Internal DBs]
• SSL Termination • SIG/Cert Validation • Authentication • Logging • Content-based Routing
• Protocol Conversion • Payload Encryption • Payload Decryption • Schema Validation
Who Would Benefit From AON
Service Developers: • Reduces development lifecycle • Builds on existing services
Business: • Time-to-market • Lower development and maintenance cost
Information Security: • Simpler security model • Better visibility
Infrastructure: • Reduced complexity • Better visibility
Enterprise Architects
Cisco IT Recommended AON Architecture
[Diagram: Firewall | DMZ | Firewall | App Server Layer. HTTP(S) from outside into a cluster of AON blades in the DMZ; AONSP between the DMZ cluster and a second AON cluster in the app server layer; from there HTTP(S) and JMS to App1, Svc2, Svc3, App Dir Svc, Gateway and the JMS Server]
AON function groups: SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.; Payload Decryption, Schema Validation, Content Inspection/Routing, logging; Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; Payload Encryption, DSIG, logging, etc.
Before AON: Transformation and Mapping
[Diagram: External Env 1 -> Proxy Web Service (SOAP, HTTP(s)) -> Messaging Bus (JMS Lib); on the bus: Transformation/Mapping and Automated BP, Internal Env 1 (JMS Lib, Adaptor, OCM), Internal Env 2 Custom Applications (JMS Lib, JDBC); Back End Systems/Packages/Databases and the Internal DBs reached via HTTP/SQL, Web Services and JDBC]
After AON - Phase I
[Diagram: as the previous slide, with AON blades (AON, AON) in place of the Proxy Web Service on External Env 1; Messaging Bus, Transformation/Mapping, Automated BP, Internal Env 1 and 2, Back End Systems/Packages/Databases, Internal DBs]
AON Blades Replace Proxy Web Services on External Env 1
After AON - Phase II
[Diagram: Back End Systems/Packages/Databases and Internal DBs (HTTP/SQL, Web Services, SOAP HTTP(s)) behind AON with Transformation/Mapping]
AON Blades Could Also Replace Business Process and Transformation Engine by Providing Transformation/Mapping Capabilities in Addition to Proxy Web Service Layer (Phase 2)
Using AON vs. B2B Gateway
[Diagram: Customers and Partners on the Internet reach the Enterprise Network over SOAP/HTTP(S), XML/HTTP(S), RNIF, EDI/AS2 and Flat File/HTTP(S); inside, a Legacy B2B Gateway alongside Distributed Enterprise Services]
Protocol Relationships
[Diagram: protocol stack TCP/IP, HTTP, SOAP, WS-Security; Web Services Protocol Set: XML-Digital Signature (DSIG), XML-Encryption (XENC); WSDL and UDDI as Out of Band Exchange; AON as Service Broker]
What Role Does AON Play in SOA
• Service Broker: Application-Level Message Routing
  Application/Service Security
  Application-Level Monitoring
  Service Abstraction
  Protocol Translation
  Transformation and Mapping
• Message Schema Validation
What Role Does AON Play in Application Integration
Application Integration:
• Protocol Translation
• Transformation and Mapping
• Message Schema and Data Validation
Cisco IT AON Production: Intangible Benefits
• Faster time to delivery by reducing development lifecycle
• Better security made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements by individual applications
• Moving intelligence into the network
Cisco IT View of AON
An invisible message router/gateway in the network that routes, transforms, monitors and authenticates/authorizes messages between end points
How Can AON Be Invisible
An AON node resides in the network as an inline, application-aware device; the device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications
AON Modes of Operation
Transparent Mode: Intercept with No Change to Applications
[Diagram: Sending Application A -> Integrated Switch/AON Blade -> Receiving Application B; request addressed to http://B/Service1]
Based on WCCP Re-Direct ACL: Intercept Traffic and Forward to AON
AON Best Practices: A Cisco IT Perspective
Best Practices: Logical Diagram
[Diagram: Firewall | DMZ | Firewall | App Server Layer; AON clusters in the DMZ and in the app server layer linked by AONSP; Log DB]
• Cluster AON blades based on functionality
• Identify common capabilities that span across multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties
AON function groups: SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.; Payload Decryption, Schema Validation, Content Inspection/Routing, logging; Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; Payload Encryption, DSIG, logging, etc.
Best Practices: Provisioning and Management
[Diagram: same as the previous slide (AON clusters in the DMZ and app server layer linked by AONSP; Log DB; the same AON function groups)]
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention utilizing standard name spacing
• Implement isolation by sandboxing development environment by project teams
• Allow for an automated promotion process
• Implement a promotion strategy that takes into account all of the above
Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandize Authorization)
• Background Check
• Salesforce.com Integration (contacts, leads, etc.)
Q and A
Intermission
Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT
Security with AON
Brook Schoenfield, Senior Security Architect, CSPO
Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Agenda
• Where Does AON Fit into the Bigger Picture
  What is Service Oriented Architecture (SOA)
  What is Application Integration
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)
SOA Is Now
"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects"
Gartner, Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001
This Is FYQ06: Enterprises Are Looking for that 30% Gain
AON and SOA
• AON can be a key part of an SOA build out
• AON provides the necessary security functions
• Common functions become "part of the network"
Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions
Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandize Authorization)
• Lead management integration (contacts, leads, etc.)
Complexity (and Risk) Increase with Adoption
[Diagram: Partner 1, Partner 2, Partner n, Self-Service, Inventory Mgmt and Call Center all connected to the services]
Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
The code's internal state is not openly exposed
• Only well defined requests are serviced
• Requests do not reveal the service's algorithms
• Requests do not describe the service's state
• Requests provide services, not data access
Services should not share ACID transactions
• Transactions imply a certain level of trust
Locks may be held for a long time
• Transactions imply a level of coupling
- Microsoft Incorporated
Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
What Role Does AON Play
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator
AON and the OSI Stack
[Diagram: OSI layers with AON's functions shown alongside the upper layers]
Application
Presentation: ASCII, MPEG, GIF, etc.
Session: RPC, NFS
Transport: TCP, UDP
Network: IP Logical Addressing
Data Link: Data Translation to Frames
Physical: Data Bits Transmission
AON at the upper layers: Content-Based Routing; Message Level Protocol (SOAP); Content Inspection, Transformation, Security & Mapping
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON: Current Location of Application and Service Support Utilities

[Diagram: DMZ and Application layer separated by firewalls. Each of the three environments (External Env 1, External Env 2, B2B) carries its own copy of the support utilities in front of the Internal DBs:]
• Environment/Technology specific: Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/Application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning

After AON: Future Location of Application and Service Support Utilities

[Diagram: the same DMZ / Application layer / firewalls, with Common Utilities (AON) placed in front of the Business Logic (Java, PERL, B2B) and the Internal DBs. AON provides:]
• SSL Termination
• SIG/Cert Validation
• Authentication
• Logging
• Content-based Routing
• Protocol Conversion
• Payload Encryption
• Payload Decryption
• Schema Validation

Who Would Benefit From AON

Service Developers
• Reduces development lifecycle
• Builds on existing services
Business
• Time-to-market
• Lower development and maintenance cost
Information Security
• Simpler security model
• Better visibility
Infrastructure
• Reduced complexity
• Better visibility
Enterprise Architects
Cisco IT Recommended AON Architecture

[Diagram: Firewall / DMZ / Firewall / App Server Layer. AON blades are clustered in the DMZ and in the application layer and linked over AONSP; clients reach the DMZ cluster over HTTP(S); the application-layer cluster reaches App1, Svc2, Svc3, the Gateway and the JMS Server over HTTP(S) and JMS, with an App Dir Svc alongside. Function groups annotated on the AON clusters:]
• SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.
• Payload Decryption, Schema Validation, Content Inspection/Routing, logging
• Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging
• Payload Encryption, DSIG, logging, etc.
Before AON: Transformation and Mapping

[Diagram: a Messaging Bus connects the Back End Systems/Packages/Databases, a Proxy Web Service (JMS Lib) on External Env 1 reached over SOAP/HTTP(s), a Transformation/Mapping and Automated BP engine (JMS Lib, Adaptor, OCM, JDBC) on Internal Env 1, and Custom Applications (JMS Lib, JDBC) on Internal Env 2; the Internal DBs are reached through HTTP/SQL Web Services.]

After AON - Phase I

[Diagram: as above, but AON blades replace the Proxy Web Services on External Env 1; the Transformation/Mapping and Automated BP engine, Adaptor, OCM, JDBC and Custom Applications remain as before.]

After AON - Phase II

[Diagram: AON with Transformation/Mapping sits in front of the Back End Systems/Packages/Databases and the Internal DBs (HTTP/SQL Web Services), reached over SOAP/HTTP(s).]
AON Blades Could Also Replace the Business Process and Transformation Engine by Providing Transformation/mapping Capabilities in Addition to the Proxy Web Service Layer (Phase 2)
Using AON vs B2B Gateway

[Diagram: Customers and Partners on the Internet reach Distributed Enterprise Services on the Enterprise Network. Message types shown: SOAP/HTTP(S), XML/HTTP(S), RNIF, EDI/AS2, Flat File/HTTP(S). A Legacy B2B Gateway sits beside AON.]

Protocol Relationships

[Diagram: the Web Services Protocol Set drawn as a stack: TCP/IP, HTTP, SOAP, WS-Security, with XML-Digital Signature (DSIG) and XML-Encryption (XENC) alongside. AON acts as Service Broker; WSDL and UDDI are exchanged out of band.]
What Role Does AON Play in SOA
• Service Broker
  Application-Level Message Routing
  Application/Service Security
  Application-Level Monitoring
  Service Abstraction
  Protocol Translation
  Transformation and Mapping
• Message Schema Validation

What Role Does AON Play in Application Integration
Application Integration
• Protocol Translation
• Transformation and Mapping
• Message Schema and Data Validation

Cisco IT AON Production: Intangible Benefits
• Faster time to delivery by reducing the development lifecycle
• Better security made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements for individual applications
• Moving intelligence into the network

Cisco IT View of AON
An invisible message router/gateway in the network that routes, transforms, monitors, and authenticates/authorizes messages between end points.

How Can AON Be Invisible?
An AON node resides in the network as an inline, application-aware device. The device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications.

AON Modes of Operation: Transparent Mode
Intercept with No Change to Applications
[Diagram: Sending Application A sends to http://B/Service1. The Integrated Switch/AON Blade intercepts the traffic based on a WCCP Re-Direct ACL and forwards it to AON, which passes it on to Receiving Application B.]
AON Best Practices: A Cisco IT Perspective

Best Practices: Logical Diagram
[Diagram: Firewall / DMZ / Firewall / App Server Layer, with an AON cluster in the DMZ and an AON cluster in the application layer linked over AONSP, a Log DB, and the function groups annotated: SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.; Payload Decryption, Schema Validation, Content Inspection/Routing, logging; Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; Payload Encryption, DSIG, logging, etc.]
• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties

Best Practices: Provisioning and Management
[Diagram: the same logical diagram as above.]
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention utilizing standard name spacing
• Implement isolation by sandboxing the development environment per project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes into account all of the above
Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandize Authorization)
• Background Check
• Salesforce.com Integration (contacts, leads, etc.)

Q and A

Intermission
Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT

Security with AON
Brook Schoenfield, Senior Security Architect, CSPO

Agenda
• Where Does AON Fit into the Bigger Picture
  What is Service Oriented Architecture (SOA)
  What is Application Integration
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)

SOA Is Now
"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects."
Gartner Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001
This Is FYQ06: Enterprises Are Looking for that 30% Gain

AON and SOA
• AON can be a key part of an SOA build out
• AON provides the necessary security functions
• Common functions become "part of the network"

Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions

Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandize Authorization)
• Lead management integration (contacts, leads, etc.)

Complexity (and Risk) Increase with Adoption
[Diagram: Partner 1, Partner 2 ... Partner n, each connected to the Self-Service, Inventory Mgmt and Call Center services.]

Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
  The code's internal state is not openly exposed
• Only well defined requests are serviced
• Requests do not reveal the service's algorithms
• Requests do not describe the service's state
• Requests provide services, not data access
  Services should not share ACID transactions
• Transactions imply a certain level of trust
  Locks may be held for a long time
• Transactions imply a level of coupling
Source: Microsoft Incorporated
What Role Does AON Play
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator

AON and the OSI Stack
[Diagram: the OSI layers with examples, and the AON functions layered on top:]
Physical: Data Bits Transmission
Data Link: Data Translation to Frames
Network: IP, Logical Addressing
Transport: TCP, UDP
Session: RPC, NFS
Presentation: ASCII, MPEG, GIF, etc.
Application (and above, where AON operates): Message Level Protocol (SOAP); Content-Based Routing; Content Inspection, Transformation, Security & Mapping

Pre-AON Inspection and Operation
[Diagram: IP | TCP | HTTP headers wrapping a payload that is opaque to the network devices.]
Switches, Routers, Firewalls, "Content Inspection": Operate Around the Payload
AON Is Inside the TCP/IP Wrapper
[Diagram: IP | TCP | HTTP headers, then the Payload/Message; AON inspects the session protocol and the content.]
Session Protocol + Content Inspection == Session and Payload
Payload/Message, as shown on the slide (an http://www request carrying a purchaseOrder document):
<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  …
Optimized for XML Payloads

AON == Message Content and Envelope
[Diagram: IP | TCP | HTTP, then the HTTP Envelope (SOAP) and Messages (XML envelope standards + custom XML) == "Deep Inspection"; SOAP/WSEC carried over http://www; HTTP | XML Message Body: Existing Message Bodies + Custom Parsing.]

Why XML
• TCP/IP gives you network HW independence
• JAVA gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital Signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)

These AON Security Functions…
…Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services

[Table, one row per AON security function; columns: External App Environment 1 / B2B (WebMethods) / External App Environment 2 / Other Environments]
Encryption using SSL V3 with bi-directional authentication: Env 1: Limited; B2B: WebMethods specific, requires significant setup effort; Env 2: Limited; Other: Limited
XML Payload Encryption: Env 1: Custom written by each app using java libraries; B2B: Limited; Env 2: Custom written by each app; Other: Limited
Protocol Translation: Env 1: Custom written by each application; B2B: WebMethods specific, limited to WebMethods transactions, interoperates with a limited number of messaging technologies; Env 2: Custom written by each application; Other: Custom written and/or product/technology specific
Digital Signature: Env 1: Custom written by each app using java libraries; B2B: Limited; Env 2: Custom written by each app; Other: Limited
DMZ-2-App Layer Secure Connector: Env 1: mod_IIOP over SSH pipes; B2B: Reverse Proxy; Env 2: STA (Secure Transport Architecture), custom; Other: Varies for each environment
Before AON: Current Location of Application and Service Support Utilities
[Diagram: repeats the earlier "Before AON" slide: DMZ and Application layer separated by firewalls; External Env 1, External Env 2 and B2B each carry their own Environment/Technology specific utilities (Authentication, SSL V3 Termination, DSIG Validation, Encryption) and Custom/Application-based utilities (Content Inspection/Routing, Schema Validation, Logging, Service Versioning) in front of the Internal DBs.]

After AON: Future Location of Application and Service Support Utilities
[Diagram: repeats the earlier "After AON" slide: Common Utilities (AON) in front of the Business Logic (Java, PERL, B2B) and the Internal DBs, providing SSL Termination, SIG/Cert Validation, Authentication, Logging, Content-based Routing, Protocol Conversion, Payload Encryption, Payload Decryption and Schema Validation.]

AON Security
• AON fosters a better network security architecture, because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e. layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Pre-AON Web Security Architecture
[Diagram: DMZ and Application Layer separated by firewalls; Web Servers (WS) in the DMZ in front of the Business Logic (Java, PERL, B2B) and the Internal DBs.]

Pre-AON SOA/Web Services Security Architecture
[Diagram: as above, with a Web Services Gateway (WS GW) added in the application layer.]

Pre-AON Attack Vectors
[Diagram: the same architecture, with the attack paths annotated:]
Net architecture must be changed for the GW (more switches and routers = more ACs to manage)
The GW is NOT part of the network: a compromise at layer 3/4 can attack the application layer, going around the GW

A Possible (Simplified) AON Architecture
[Diagram: the same layered architecture with AON in place of the gateway, directly attached to the network device in front of the Business Logic and the Internal DBs.]
AON Is Part of the Network: the App Layer Is Directly Connected to the Network Device
Message Protection Is Terminated at AON: No Attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries

AON Potential Architecture
[Diagram: Firewall / DMZ / Firewall / App Server layer. AON blades in the DMZ take the place of the web servers and are reached over HTTP(S); AON blades in the application layer (linked over AONSP) front App1, Svc2, Svc3, the Gateway and the JMS Server over HTTP(S) and JMS, with an App Dir Svc alongside. Function groups annotated: SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.; Payload Decryption, Schema Validation, Content Inspection/Routing, logging; Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; Payload Encryption, DSIG, logging, etc.]
Web servers == AON
Common Application functions == AON
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the Application layer provided by AON protect the services and logic in the application layer
Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message level security functions

Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 Certificate, etc.)
• Something very like access control lists (flows can be used as message level ACLs)
• Data and schema validations (flows can contain XSLT expressions)

Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  XML-Signature (DSIG) == Digital signature use
  XML-Encryption (XENC) == Encrypt/decrypt use
  Authenticators
• + More standards proposed (alphabet soup):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other Business Rules (BPEL4WS)
AON Implements Messaging Standards
[Diagram: the XML Protocol Set drawn as a stack: TCP/IP, HTTP, SOAP, WS-Security, with XML-Encryption (XENC), XML-Digital Signature (DSIG) and XML-Expressions (XSLT) alongside; AON shown as the Security Integrator for the SOA.]

Standards Relationships
[Diagram: the same XML Protocol Set stack (TCP/IP, HTTP, SOAP, WS-Security; XENC, DSIG, XSLT), with AON providing Accelerated XML Services.]
Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used on the entire message or on parts of a message; uses Certificate or key enveloping (WSSEC); DSIG is very general purpose

Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message

Authentication
• HTTP BASIC
• SOAP Enveloped (header)
• Enterprise LDAP (Directory) stores
• Different types of credentials: X.509 Certificate
  Signature validation (XENC, certificate based)

Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general purpose mechanism for controlling message access and routing

Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write java "bladelets" code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a Firewall (because signatures do not come out-of-the-box)
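The Flow Security Mechanisms and Deep Content Inspection slides describe a flow as format validation, data-range validation, authorization rules and operator-written IDS/firewall signatures applied to the message payload. The following is an added example, not AON code or a Cisco bladelet, that runs such a flow over the purchaseOrder document shown earlier in the deck; the signatures, the size cap, the allowed-country rule and the allow/alert/block decision model are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, based on the purchaseOrder fragment shown on the slide.
GOOD_ORDER = b"""<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>"""

# Operator-written, firewall-style signatures (constructed). "block" stops the
# message in the flow; "alert" raises a content-IDS event but lets it through.
SIGNATURES = [
    ("xml-doctype-present", re.compile(rb"<!DOCTYPE", re.IGNORECASE), "block"),
    ("script-tag-in-payload", re.compile(rb"<script[\s>]", re.IGNORECASE), "alert"),
]

MAX_BYTES = 64 * 1024             # assumed size cap per message
ALLOWED_COUNTRIES = {"US", "CA"}  # assumed authorization rule for this service
REQUIRED_FIELDS = ("name", "street", "city", "state", "zip")


def inspect(payload: bytes) -> dict:
    """Run the flow over one message.

    Returns {"action": "allow" | "alert" | "block", "events": [...]}; the
    first blocking finding ends the flow, as a message-stopping signature would.
    """
    events = []

    # 1. Cheap byte-level checks before any XML parsing: size cap and signatures.
    if len(payload) > MAX_BYTES:
        return {"action": "block", "events": ["oversize-message"]}
    for name, pattern, action in SIGNATURES:
        if pattern.search(payload):
            events.append(name)
            if action == "block":
                return {"action": "block", "events": events}

    # 2. Message-format validation: well-formed XML with the expected structure.
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return {"action": "block", "events": events + ["malformed-xml"]}
    if root.tag != "purchaseOrder":
        return {"action": "block", "events": events + ["unexpected-root:" + root.tag]}
    ship_to = root.find("shipTo")
    if ship_to is None:
        return {"action": "block", "events": events + ["missing-shipTo"]}
    missing = [f for f in REQUIRED_FIELDS if not (ship_to.findtext(f) or "").strip()]
    if missing:
        return {"action": "block", "events": events + ["missing-fields:" + ",".join(missing)]}

    # 3. Data-range validation on the fields the flow cares about.
    range_checks = {
        "bad-orderDate": re.fullmatch(r"\d{4}-\d{2}-\d{2}", root.get("orderDate", "")),
        "bad-state": re.fullmatch(r"[A-Z]{2}", ship_to.findtext("state", "")),
        "bad-zip": re.fullmatch(r"\d{5}", ship_to.findtext("zip", "")),
    }
    bad = [name for name, ok in range_checks.items() if not ok]
    if bad:
        return {"action": "block", "events": events + bad}

    # 4. Authorization rule: only ship-to countries this service serves.
    if ship_to.get("country") not in ALLOWED_COUNTRIES:
        return {"action": "block", "events": events + ["country-not-served"]}

    # A message that only matched an "alert" signature passes, with the event logged.
    return {"action": "alert" if events else "allow", "events": events}
```

Because the signatures are supplied by the operator rather than shipped with the device, this is the sense in which the slide says AON is not a firewall out of the box.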
AON Components
[Diagram: AON Blades with a LOG DB; AMC (AON Mgmt Console) is used for configuring and provisioning AON modules; ADS (AON Design Studio) is used for developing application policies ("Flows").]

Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (Development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, at the AON component, and through AON access controls
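The Access Controls slide lists staged flows, approval steps and distinct roles; the following is an added example, not AMC or ADS code, that models those controls as a small promotion workflow. The stage names and role names come from the slide; the permission matrix, the rule that a submitter cannot approve their own flow, and the function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

STAGES = ["development", "staging", "production"]

# Assumed policy: which role may perform which action at which stage.
# "deploy" is checked against the stage a flow is being promoted INTO.
PERMISSIONS = {
    "designer":      {"submit": {"development"}},
    "developer":     {"submit": {"development", "staging"}},
    "approver":      {"approve": {"development", "staging"}},
    "administrator": {"deploy": {"staging", "production"}},
}


class PolicyError(Exception):
    """Raised when an action is outside the caller's role or the flow's state."""


@dataclass
class Flow:
    name: str
    stage: str = "development"
    submitted_by: Optional[str] = None   # set while a promotion is pending
    approved_by: Optional[str] = None
    audit: List[Tuple[str, str, str]] = field(default_factory=list)  # (action, user, stage)


def _require(user: str, role: str, action: str, stage: str) -> None:
    """Role check: the (role, action, stage) triple must be in the policy."""
    if stage not in PERMISSIONS.get(role, {}).get(action, set()):
        raise PolicyError(f"{user} ({role}) may not {action} at {stage}")


def submit(flow: Flow, user: str, role: str) -> None:
    """A designer or developer asks for the flow to leave its current stage."""
    if flow.stage == STAGES[-1]:
        raise PolicyError(f"{flow.name} is already in production")
    _require(user, role, "submit", flow.stage)
    flow.submitted_by, flow.approved_by = user, None
    flow.audit.append(("submit", user, flow.stage))


def approve(flow: Flow, user: str, role: str) -> None:
    """An approver signs off; separation of duties forbids approving one's own submission."""
    if flow.submitted_by is None:
        raise PolicyError(f"{flow.name} has no pending submission")
    _require(user, role, "approve", flow.stage)
    if user == flow.submitted_by:
        raise PolicyError(f"{user} cannot approve a flow they submitted")
    flow.approved_by = user
    flow.audit.append(("approve", user, flow.stage))


def promote(flow: Flow, user: str, role: str) -> str:
    """An administrator deploys an approved flow into the next stage; returns the new stage."""
    if flow.approved_by is None:
        raise PolicyError(f"{flow.name} has not been approved")
    target = STAGES[STAGES.index(flow.stage) + 1]
    _require(user, role, "deploy", target)
    flow.stage = target
    flow.submitted_by = flow.approved_by = None   # the next hop needs a fresh submit and approval
    flow.audit.append(("promote", user, target))
    return target
```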
Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/Architecture
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection, content level ACLs
  Reasonable administrative access controls

Q and A
Session Number 11657_09_2005_c1
14copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
Slide 15: Who Would Benefit From AON?
Service developers: reduces the development lifecycle; builds on existing services.
Business: time-to-market; lower development and maintenance cost.
Information Security: simpler security model; better visibility.
Infrastructure: reduced complexity; better visibility.
Enterprise architects.
Slide 16: Cisco IT Recommended AON Architecture
Diagram: firewall / DMZ / firewall / app server layer. Clients reach a DMZ AON cluster over HTTP(S); it performs SSL termination, DSIG/cert validation, authentication and logging, then forwards over AONS/P to application-layer AON clusters that perform payload decryption, schema validation, content inspection/routing and logging; protocol conversion (HTTP-2-JMS), content-based routing and logging; and payload encryption, DSIG and logging. Those clusters reach App1, Svc2, Svc3, the gateway and the JMS server over HTTP(S) and JMS, consulting an application directory service.
Slide 17: Before AON: Transformation and Mapping
Diagram: external environment 1 exposes a proxy web service (SOAP/HTTP(S)) that uses a JMS library to reach the messaging bus. An automated business-process engine (internal environment 1, JMS library) does transformation and mapping and reaches the back-end systems, packages and databases through an adaptor (OCM, JDBC, HTTP/SQL, web services). Custom applications (internal environment 2) use the JMS library and JDBC directly against the internal DBs.
Slide 18: After AON, Phase I
Diagram: AON blades replace the proxy web services on external environment 1 (SOAP/HTTP(S)). Transformation and mapping, the automated BP engine (internal environment 1, JMS library), the adaptor (OCM, JDBC) and the custom applications (internal environment 2, JMS library, JDBC) remain; the back-end systems, packages and databases are reached over HTTP/SQL and web services.
Slide 19: After AON, Phase II
Diagram: AON with transformation and mapping sits in front of the back-end systems, packages and databases (internal DBs over HTTP/SQL and web services; SOAP/HTTP(S) on the client side).
AON blades could also replace the business process and transformation engine by providing transformation/mapping capabilities in addition to the proxy web service layer (Phase 2).
Slide 20: After AON, Phase II (same diagram and text as slide 19)
Slide 21: Using AON vs. B2B Gateway
Diagram: customers and partners on the Internet reach the enterprise network either through the legacy B2B gateway (RNIF, EDI/AS2, flat file over HTTP(S)) or through AON to the distributed enterprise services (SOAP/HTTP(S), XML/HTTP(S)).
Slide 22: Protocol Relationships
Diagram: the web services protocol set, bottom to top: TCP/IP, HTTP, SOAP, WS-Security, with XML-Digital Signature (DSIG) and XML-Encryption (XENC) alongside. AON acts as the service broker; WSDL and UDDI are exchanged out of band.
Slide 23: What Role Does AON Play in SOA?
- Service broker: application-level message routing, application/service security, application-level monitoring, service abstraction, protocol translation, transformation and mapping
- Message schema validation
Slide 24: What Role Does AON Play in Application Integration?
Application integration:
- Protocol translation
- Transformation and mapping
- Message schema and data validation
Slide 25: Cisco IT AON Production: Intangible Benefits
- Faster time to delivery by reducing the development lifecycle
- Better security, made possible by a common and simplified implementation, provisioning and configuration process
- Reduced complexity of applications and infrastructure
- Architecture lends itself to the future of SOA
- Reduced resource requirements by individual applications
- Moving intelligence into the network
Slide 26: Cisco IT View of AON
An invisible message router/gateway in the network that routes, transforms, monitors, and authenticates/authorizes messages between end points.
Slide 27: How Can AON Be Invisible?
An AON node resides in the network as an inline, application-aware device. The device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications.
Slide 28: AON Modes of Operation
Transparent mode: intercept with no change to applications. Sending application A addresses http://B/Service1 on receiving application B; the integrated switch / AON blade, based on a WCCP redirect ACL, intercepts the traffic and forwards it to AON.
Slide 29: AON Best Practices: A Cisco IT Perspective
Slide 30: Best Practices: Logical Diagram
Diagram: firewall / DMZ / firewall / app server layer. A DMZ AON cluster (SSL termination, DSIG/cert validation, authentication, logging) is linked over AONS/P to application-layer AON clusters (payload decryption, schema validation, content inspection/routing, logging; protocol conversion HTTP-2-JMS, content-based routing, logging; payload encryption, DSIG, logging), all writing to a log DB.
- Cluster AON blades based on functionality
- Identify common capabilities that span multiple applications, to be owned by Infrastructure
- Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
- For external-facing web services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
- Standardize on AONP(S) as the inter-cluster communication protocol
- Standardize on a naming convention for resources, flows and properties
Slide 31: Best Practices: Provisioning and Management
Diagram: the same DMZ / app-server-layer AON cluster layout as slide 30.
- Implement a standard SDLC strategy (dev/test/prod)
- Implement collision prevention utilizing standard name spacing
- Implement isolation by sandboxing the development environment by project team
- Allow for an automated promotion process
- Implement a promotion strategy that takes into account all of the above
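As an added example (not Cisco's code and not part of the deck), the following Python registry enforces the provisioning controls listed on this slide together with the access controls slide near the end of the talk: dev/test/prod stages, namespaced flow names against collisions, sandboxing developers to their own team's namespace, and role-based approval before a flow reaches production. Users, roles and flow names are assumptions made for this example.

```python
"""Staged promotion of AON-style flows with namespacing, sandboxing and
role checks. Added example; users, roles and flow names are hypothetical."""
from dataclasses import dataclass, field

STAGES = ("dev", "test", "prod")   # standard SDLC stages from the slide


class PromotionError(Exception):
    """Raised when a step violates the promotion process."""


@dataclass
class Flow:
    namespace: str                 # project-team prefix: prevents name collisions
    name: str
    author: str
    stage: str = "dev"
    approvals: list = field(default_factory=list)

    @property
    def qualified_name(self):
        return f"{self.namespace}.{self.name}"


class FlowRegistry:
    """users maps a user name to {"roles": set_of_roles, "team": namespace}."""

    def __init__(self, users):
        self.users = users
        self.flows = {}            # qualified name -> Flow

    def _require(self, user, role):
        if role not in self.users.get(user, {}).get("roles", set()):
            raise PromotionError(f"{user} lacks role {role}")

    def register(self, user, namespace, name):
        """Developers may only create flows inside their own team's namespace."""
        self._require(user, "developer")
        team = self.users[user]["team"]
        if team != namespace:
            raise PromotionError(f"{user} is sandboxed to namespace {team}")
        flow = Flow(namespace, name, author=user)
        if flow.qualified_name in self.flows:
            raise PromotionError(f"{flow.qualified_name} already exists")
        self.flows[flow.qualified_name] = flow
        return flow.qualified_name

    def approve(self, user, qualified_name):
        """Approvers sign off; the author may never approve their own flow."""
        self._require(user, "approver")
        flow = self.flows[qualified_name]
        if user == flow.author:
            raise PromotionError("author may not approve their own flow")
        if user not in flow.approvals:
            flow.approvals.append(user)
        return list(flow.approvals)

    def promote(self, user, qualified_name):
        """Move a flow one stage up. Developers promote dev -> test; only an
        administrator promotes test -> prod, and only with an approval on record."""
        flow = self.flows[qualified_name]
        if flow.stage == STAGES[-1]:
            raise PromotionError(f"{qualified_name} is already in {STAGES[-1]}")
        next_stage = STAGES[STAGES.index(flow.stage) + 1]
        if next_stage == "prod":
            self._require(user, "administrator")
            if not flow.approvals:
                raise PromotionError("production promotion requires an approval")
        else:
            self._require(user, "developer")
        flow.stage = next_stage
        return flow.stage


def rejected(action, *args):
    """True when the registry refuses the action (used to check the controls)."""
    try:
        action(*args)
    except PromotionError:
        return True
    return False
```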
Slide 32: Cisco IT Services Leveraging AON
- Product Configurator
- Order Status
- RMA (Return Merchandise Authorization)
- Background Check
- Salesforce.com Integration (contacts, leads, etc.)
Slide 33: Q and A
Slide 34: Intermission
Coming up in the next hour:
- Security with AON
- AON deployment timelines within Cisco IT
- AON business case within Cisco IT
Slide 35: Security with AON
Brook Schoenfield, Senior Security Architect, CSPO
Slide 36: Agenda
- Where does AON fit into the bigger picture?
- What is AON?
- AON security features/architecture:
  Combining Layer 3/4 and Layer 7+
  Common security functions
  Deep content inspection
  Access controls
Slide 37: Agenda
- Where does AON fit into the bigger picture?
  What is Service Oriented Architecture (SOA)?
  What is application integration?
- What is AON?
- AON security features/architecture:
  Combining Layer 3/4 and Layer 7+
  Common security functions
  Deep content inspection
  Access controls
Slide 38: SOA
- Service Oriented Architecture is a different mindset
- Focus on delivering a service offering (an invoice, a purchase order: an item or unit that has intrinsic business understanding and value)
- No longer focus on the programmatic interface (message standards take care of that)
Slide 39: SOA Is Now
"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects."
Gartner Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001
This is FY06; enterprises are looking for that 30% gain.
Slide 40: AON and SOA
- AON can be a key part of an SOA build-out
- AON provides the necessary security functions
- Common functions become "part of the network"
Slide 41: Cisco IT Specific Drivers for SOA
- Move from functionally focused IT to business-process focused
- Single source of truth
- Development cycles and reusability
- Business responsiveness
- Consistency
- Security functions
Slide 42: Example of Cisco Distributed Services (SOA)
- Product Configurator
- Order Status
- RMA (Return Merchandise Authorization)
- Lead management integration (contacts, leads, etc.)
Slide 43: Complexity (and Risk) Increase with Adoption
Diagram: Partner 1, Partner 2 ... Partner n connected to self-service, inventory management and call center services.
Slide 44: Healthy Distrust = Security Controls
- Services should be distrustful of the outside world
- Not everyone will be served
- Inspect, validate and authenticate requests
The code's internal state is not openly exposed:
- Only well-defined requests are serviced
- Requests do not reveal the service's algorithms
- Requests do not describe the service's state
- Requests provide services, not data access
Services should not share ACID transactions:
- Transactions imply a certain level of trust
- Locks may be held for a long time
- Transactions imply a level of coupling
(Microsoft Incorporated)
Slide 45: Agenda
- Where does AON fit into the bigger picture?
- What is AON?
- AON security features/architecture:
  Combining Layer 3/4 and Layer 7+
  Common security functions
  Deep content inspection
  Access controls
Slide 46: What Role Does AON Play?
- Service broker in SOA
- Integration broker in application integration
- Message security integrator
Slide 47: AON and the OSI Stack
Application: content inspection, transformation, security and mapping; message-level protocol (SOAP); content-based routing
Presentation: ASCII, MPEG, GIF, etc.
Session: RPC, NFS
Transport: TCP, UDP
Network: IP, logical addressing
Data Link: data translation to frames
Physical: data bits transmission
Slide 48: Pre-AON Inspection and Operation
Diagram: IP | TCP | HTTP | payload (opaque). Switches, routers, firewalls and "content inspection" operate around the payload.
Slide 49: AON Is Inside the TCP/IP Wrapper
Diagram: IP | TCP | HTTP | payload/message. Session protocol + content inspection == session and payload. HTTP (www) carries the message:
    <?xml version="1.0"?>
    <purchaseOrder orderDate="1999-10-20">
      <shipTo country="US">
        <name>Alice Smith</name>
        <street>123 Maple Street</street>
        <city>Mill Valley</city>
        <state>CA</state>
        <zip>90952</zip>
      </shipTo>
      ...
Slide 50: AON Is Inside the TCP/IP Wrapper (same diagram as slide 49)
Optimized for XML payloads.
Slide 51: AON == Message Content and Envelope
Diagram: IP | TCP | HTTP | HTTP envelope (SOAP) | messages (XML envelope standards + custom XML) == "deep inspection". SOAP/WSEC over HTTP (www); HTTP XML message body: existing message bodies + custom parsing.
Slide 52: Why XML?
- TCP/IP gives you network hardware independence
- Java gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
- XML gives you data independence
- Ubiquitous adoption
Slide 53: AON Delivers the Following Support Utilities for Security
- Transport-level encryption termination (SSL v3)
- Payload encryption termination (XML)
- Protocol translation (HTTP <--> JMS)
- Digital signature
- DMZ-to-application-layer secure connector (like SSH or STA)
Slide 54: These AON Security Functions...
...are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco external-facing services.
Table (rows: AON security function; columns, in order: external app environment 1 / B2B (WebMethods) / external app environment 2 / other environments):
- Encryption using SSL v3 with bi-directional authentication: Limited / WebMethods specific, requires significant setup effort / Limited / Limited
- XML payload encryption: Custom written by each app using Java libraries / Limited / Custom written by each app / Limited
- Protocol translation: Custom written by each application / WebMethods specific, limited to WebMethods transactions, interoperates with a limited number of messaging technologies / Custom written by each application / Custom written and/or product- or technology-specific
- Digital signature: Custom written by each app using Java libraries / Limited / Custom written by each app / Limited
- DMZ-to-app-layer secure connector: mod_IIOP over SSH pipes / Reverse proxy / STA (Secure Transport Architecture), custom / Varies for each environment
Slide 55: Before AON: Current Location of Application and Service Support Utilities
Diagram: firewall / DMZ / firewall / application layer / firewall. External environment 1, external environment 2 and B2B each carry their own environment/technology-specific authentication, SSL v3 termination, DSIG validation and encryption, plus custom, application-based content inspection/routing, schema validation, logging and service versioning, in front of the internal DBs.
Slide 56: After AON: Future Location of Application and Service Support Utilities
Diagram: firewall / DMZ / firewall / application layer / firewall. Common utilities run on AON clusters in front of the business logic (Java, PERL, B2B) and the internal DBs.
AON utilities: SSL termination, SIG/cert validation, authentication, logging, content-based routing, protocol conversion, payload encryption, payload decryption, schema validation.
Slide 57: Agenda
- Where does AON fit into the bigger picture?
- What is AON?
- AON security features/architecture:
  Combining Layer 3/4 and Layer 7+
  Common security functions
  Deep content inspection
  Access controls
Slide 58: AON Security
- AON fosters a better network security architecture because it reduces the unprotected segments between applications and AON
- Use of Layer 3/4 to protect Layer 7 functions (i.e., Layer 7 security implemented in the network device)
- Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
- PKI implementation that is correct, tested and validated
- Separation of design/development and implementation
Slide 59: Pre-AON Web Security Architecture
Diagram: firewall / DMZ / firewall / application layer / firewall. Web servers (WS) in the DMZ in front of the business logic (Java, PERL, B2B) and the internal DBs.
Slide 60: Pre-AON SOA/Web Services Security Architecture
Diagram: as slide 59, with a web services gateway (WSGW) added in the application layer beside the internal DBs.
Slide 61: Pre-AON Attack Vectors
Diagram: same as slide 60.
Slide 62: Pre-AON Attack Vectors
Diagram: same as slide 60, with call-outs:
- The network architecture must be changed for the GW (more switches and routers = more ACs to manage)
- The GW is NOT part of the network: compromise of Layer 3/4 can attack the application layer, going around the GW
Slide 63: A Possible (Simplified) AON Architecture
Diagram: firewall / DMZ / firewall / application layer / firewall, with AON in place of the web servers and the gateway, in front of the business logic (Java, PERL, B2B) and the internal DBs. Call-outs:
- AON is part of the network: the application layer is directly connected to the network device
- Message protection is terminated at AON; no attack vector is exposed
- AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64: AON Potential Architecture
Diagram: firewall / DMZ / firewall / app server layer. Clients reach a DMZ AON cluster over HTTP(S) (SSL termination, DSIG/cert validation, authentication, logging); it forwards over AONS/P to application-layer AON clusters (payload decryption, schema validation, content inspection/routing, logging; protocol conversion HTTP-2-JMS, content-based routing, logging; payload encryption, DSIG, logging), which reach App1, Svc2, Svc3, the gateway and the JMS server over HTTP(S) and JMS, consulting an application directory service. Call-outs: web servers == AON; common application functions == AON; DMZ.
Slide 65: AON Potential Architecture
Diagram: same as slide 64.
- Replace web servers with AON
- AON terminates HTTPS and provides other DMZ functions
- Common functions in the application layer, provided by AON, protect the services and logic in the application layer
Slide 66: Implementation Consistency
- The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
- A good maxim is to implement common or tricky services as part of an infrastructure: "for application developers, not by application developers"
- AON provides common and consistent implementations of message-level security functions
Slide 67: Some of AON's Security Functions
- Digital signatures (DSIG)
- Encryption/decryption at transport (SSL) or message (XENC) level
- Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
- Something very like access control lists (flows can be used as message-level ACLs)
- Data and schema validations (flows can contain XSLT expressions)
Slide 68: Key XML Standards
- WS-SEC or WSEC (WS-Security): an envelope and semantics for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
- Plus more standards proposed (alphabet soup):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)
Slide 69: AON Implements Messaging Standards
Diagram: the XML protocol set, bottom to top: TCP/IP, HTTP, SOAP, WS-Security, with XML-Encryption (XENC), XML-Digital Signature (DSIG) and XML expressions (XSLT) alongside. AON is the security integrator for the SOA.
Slide 70: Standards Relationships
Diagram: same protocol set as slide 69. AON provides accelerated XML services.
Slide 71: Digital Signatures (X.509 + DSIG)
- Authentication credentials
- Non-repudiation
- Integrity
- Used for the entire message or for parts of a message; use certificate or key enveloping (WSSEC); DSIG is very general purpose
Slide 72: Encryption/Decryption
- Confidentiality
- Integrity
- Of the transport (SSL)
- Or in the message (XENC)
- Entire message or parts of a message
Slide 73: Authentication
- HTTP BASIC
- SOAP enveloped (header)
- Enterprise LDAP (directory) stores
- Different types of credentials: X.509 certificate
  Signature validation (XENC, certificate based)
Slide 74: Flow Security Mechanisms
- Validation of the message format
- Validation of data ranges
- Rules defining authorization
- One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
- A very general-purpose mechanism for controlling message access and routing
Slide 75: Deep Content Inspection
- Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
- Expressions and logic can be applied with inspection
- Signatures can fire off alarms (content IDS)
- Message flow can be stopped via signatures (firewall functionality)
- Write Java "bladelets" code that can use the same services as AON's internal content-handling code, and so handle custom content types
- This functionality is available to users (for instance the IDS or firewall security team)
- AON is NOT a firewall (because signatures do not come out-of-the-box)
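As an added example (not Cisco's code and not part of the deck), the following Python flow applies the mechanisms of the Flow Security Mechanisms and Deep Content Inspection slides to the purchaseOrder payload shown on the TCP/IP-wrapper slide: raw-byte signatures that either alarm (content IDS) or drop the message (firewall), message-format validation, data-range validation, an authorization rule acting as a content-level ACL, and content-based routing. The size limit, the allowed countries and the two signatures are assumptions made for this example.

```python
"""Content-inspection flow for a purchaseOrder message. Added example; the
limits, the country allow list and the signatures are assumptions."""
import re
import xml.etree.ElementTree as ET

# Constructed sample message, modelled on the purchaseOrder payload on the slide.
SAMPLE_PO = """<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>"""

MAX_MESSAGE_BYTES = 64 * 1024            # assumed size limit for a purchase order
ALLOWED_COUNTRIES = {"US", "CA"}         # assumed content-level ACL
REQUIRED_SHIPTO_FIELDS = ("name", "street", "city", "state", "zip")

# Hypothetical content signatures over the raw bytes. A "drop" hit stops the
# message (firewall behaviour); an "alarm" hit only raises an alert (content IDS).
SIGNATURES = (
    ("xml-doctype", re.compile(rb"<!DOCTYPE", re.IGNORECASE), "drop"),    # DTD/entity tricks never reach the parser
    ("embedded-script", re.compile(rb"<script", re.IGNORECASE), "alarm"),  # unexpected in a purchase order
)


def scan_signatures(raw):
    """Return (drop_hits, alarm_hits): names of the signatures that matched."""
    drops, alarms = [], []
    for name, pattern, action in SIGNATURES:
        if pattern.search(raw):
            (drops if action == "drop" else alarms).append(name)
    return drops, alarms


def validate_format(root):
    """Message-format validation: the element structure the flow expects."""
    if root.tag != "purchaseOrder":
        return [f"unexpected root element {root.tag!r}"]
    errors = []
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", root.get("orderDate", "")):
        errors.append("orderDate missing or not YYYY-MM-DD")
    ship_to = root.find("shipTo")
    if ship_to is None:
        return errors + ["shipTo element missing"]
    errors += [f"shipTo/{f} missing" for f in REQUIRED_SHIPTO_FIELDS if ship_to.find(f) is None]
    return errors


def validate_ranges(ship_to):
    """Data-range validation on fields that already passed format validation."""
    errors = []
    zip_code = ship_to.findtext("zip", "")
    if not re.fullmatch(r"\d{5}", zip_code):
        errors.append(f"zip {zip_code!r} out of range")
    state = ship_to.findtext("state", "")
    if not re.fullmatch(r"[A-Z]{2}", state):
        errors.append(f"state {state!r} out of range")
    if not 1 <= len(ship_to.findtext("name", "")) <= 100:
        errors.append("name length out of range")
    return errors


def authorize(ship_to):
    """Authorization rule acting as a content-level ACL on the ship-to country."""
    country = ship_to.get("country", "")
    return [] if country in ALLOWED_COUNTRIES else [f"country {country!r} not permitted"]


def inspect(raw):
    """Run the flow over one raw message. Returns the verdict ('forward' or
    'drop'), the reasons for a drop, alarms raised, and the route when forwarded."""
    result = {"verdict": "drop", "reasons": [], "alarms": [], "route": None}
    if len(raw) > MAX_MESSAGE_BYTES:
        result["reasons"] = ["message exceeds size limit"]
        return result
    drops, alarms = scan_signatures(raw)           # signatures run before parsing
    result["alarms"] = [f"signature:{n}" for n in alarms]
    if drops:
        result["reasons"] = [f"signature:{n}" for n in drops]
        return result
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        result["reasons"] = [f"malformed XML: {exc}"]
        return result
    errors = validate_format(root)
    if not errors:
        ship_to = root.find("shipTo")
        errors = validate_ranges(ship_to) + authorize(ship_to)
    if errors:
        result["reasons"] = errors
        return result
    result["verdict"] = "forward"
    result["route"] = "po-" + root.find("shipTo").get("country").lower()   # content-based routing
    return result
```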
15copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Who Would Benefit From AON
Service Developersbull Reduces development lifecyclebull Builds on existing servicesBusinessbull Time-to-marketbull Lower development and maintenance costInformation Securitybull Simpler security modelbull Better visibilityInfrastructure bull Reduced complexitybull Better visibilityEnterprise Architects
16copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Recommended AON Architecture
FirewallDMZFirewall
HTTP(S)
App Server Layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Server
17copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Transformation and Mapping
Messaging B
us
Back End SystemsPackagesDatabases
Proxy Web Service
JMS LibTransformation
MappingAutomated BPInternal
Env 1JMS Lib
Adaptor
HTTPSQL
Web Services
OCM
JDBC
Custom ApplicationsInternal
Env 2JMS Lib
JDBC
ExternalEnv 1
Internal DBInternal DB
Internal DB
SOAP HTTP(s)
18copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON-Phase I
Messaging B
us
Back End SystemsPackagesDatabases
TransformationMapping
Automated BPInternalEnv 1
JMS Lib
Adaptor
OCM
SOAP HTTP(s)
JDBC
Custom ApplicationsInternal
Env 2JMS Lib
JDBC
AON
AON
AON Blades Replace Proxy Web Services on External Env 1
Internal DBInternal DB
Internal DBHTTPSQL
Web Services
19copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON-Phase IIBack End SystemsPackagesDatabases
Internal DBInternal DB
Internal DBHTTPSQL
Web Services
AON with Transformation
Mapping
AON Blades Could Also Replace Business Process and Transformation Engine by
Providing Transformationmapping Capabilities in Addition to Proxy web
Service Layer (Phase 2)
SOAP HTTP(s)
20copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON-Phase IIBack End SystemsPackagesDatabases
SOAP HTTP(s)
Internal DBInternal DB
Internal DBHTTPSQL
Web Services
AON with Transformation
Mapping
AON Blades Could Also Replace Business Process and Transformation Engine by
Providing Transformationmapping Capabilities in Addition to Proxy web
Service Layer (Phase 2)
21copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Using AON vs B2B Gateway
SOAPHTTP(S)
XMLHTTP(S)
RNIF
EDIAS2
Flat FileHTTP(S)
LegacyB2B
Gateway
DistributedEnterpriseServices
Internet
Enterprise Network
Customers
Partners
22copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Protocol Relationships
Web Services Protocol SetXM
L-D
igita
l Sig
natu
re(D
SIG
)
XML-
Encr
yptio
n(X
ENC
)
TCPIP
HTTP
SOAP
WS-Security
AONService Broker
WSD
L
Out of BandExchange
UDDI
23copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON Play in SOA
bull Service BrokerApplication-Level Message Routing
ApplicationService Security
Application-Level Monitoring
Service Abstraction
Protocol Translation
Transformation and Mapping
bull Message Schema Validation
24copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON Play in Application Integration
Application Integrationbull Protocol Translation
bull Transformation and Mapping
bull Message Schema and Data Validation
25copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT AON Production Intangible Benefits
bull Faster time to delivery by reducing development lifecycle
bull Better security made possible by a common and simplified implementation provisioning and configuration process
bull Reduced complexity of applications and infrastructure
bull Architecture lends itself to the future of SOAbull Reduced resource requirements by individual
applicationsbull Moving intelligence into the network
26copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT View of AON
An invisible message routergateway in the network that routes transforms monitors and authenticateauthorize messages between end points
27copy 2005 Cisco Systems Inc All rights reserved Cisco Public
How Can AON Be Invisible
An AON node resides in the network as an inline application-aware device the device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or as a pass-through proxy that is transparent to applications
28copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Modes of Operation
Transparent Mode
Intercept with No Change to Applications
SendingApplication A
ReceivingApplication B
Integrated SwitchAON Blade
Based on WCCP Re-Direct ACL Intercept Traffic and
Forward to AON
httpBService1
29copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Best PracticesA Cisco IT Perspective
30copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Logical Diagram
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Cluster AON blades based on functionality
bull Identify common capabilities that span across multiple applications to be owned by Infrastructure
bull Move commoninfrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities into its own set of clusters
bull For external-facing Web Services infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
bull Standardize on AONP(S) as the inter-cluster communication protocol
bull Standardize on a naming convention for resources flows and properties
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
31copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Provisioning and Management
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Implement a standard SDLC strategy (devtestprod)
bull Implement collision prevention utilizing standard name spacing
bull Implement isolation by sandboxing development environment by project teams
bull Allow for an automated promotion process
bull Implement a promotion strategy that takes into account all of the above
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
32copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Services Leveraging AON
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Background Check
bull Salesforcecom Integration (contacts leads etchellip)
33copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
34copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Intermission
Coming up in the next hourbull Security with AON
bull AON Deployment Timelines within Cisco IT
bull AON Business Case within Cisco IT

Security with AON
Brook Schoenfield, Senior Security Architect, CSPO

Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls

Agenda
• Where Does AON Fit into the Bigger Picture
  What is Service Oriented Architecture (SOA)
  What is Application Integration
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls

SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)

SOA Is Now
"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects"
Gartner Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001
This is FYQ06; enterprises are looking for that 30% gain

AON and SOA
• AON can be a key part of an SOA build out
• AON provides the necessary security functions
• Common functions become "part of the network"

Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions

Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)

Complexity (and Risk) Increase with Adoption
[Diagram: distributed services consumed by Partner 1, Partner 2 ... Partner n, Self-Service, Inventory Mgmt and Call Center]

Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
  Not everyone will be served
  Inspect, validate and authenticate requests
• The code's internal state is not openly exposed
  Only well defined requests are serviced
  Requests do not reveal the service's algorithms
  Requests do not describe the service's state
  Requests provide services, not data access
• Services should not share ACID transactions
  Transactions imply a certain level of trust
  Locks may be held for a long time
  Transactions imply a level of coupling
Source: Microsoft Incorporated

What Role Does AON Play
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator

AON and the OSI Stack
[Diagram: OSI layers with examples. Application: Message Level Protocol (SOAP). Presentation: ASCII, MPEG, GIF, etc. Session: RPC, NFS. Transport: TCP, UDP. Network: IP, Logical Addressing. Data Link: Data Translation to Frames. Physical: Data Bits Transmission. AON functions shown against the upper layers: Content Inspection, Transformation, Security & Mapping; Content-Based Routing]

Pre-AON Inspection and Operation
[Diagram: IP / TCP / HTTP headers around an opaque payload]
Switches, Routers, Firewalls: "Content Inspection" operates around the payload; the payload itself is opaque

AON Is Inside the TCP/IP Wrapper
[Diagram: IP / TCP / HTTP headers (Http://www) wrapping the message payload]
Session Protocol + Content Inspection == Session and Payload
Payload/Message:
<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  ...
Optimized for XML Payloads

AON == Message Content and Envelope
[Diagram: IP / TCP / HTTP layers; the HTTP envelope (SOAP, WS-SEC, Http://www) carries an XML message body]
HTTP Envelope (SOAP) Messages (XML envelope standards + custom XML) == "Deep Inspection"
Existing Message Bodies + Custom Parsing

Why XML
• TCP/IP gives you network HW independence
• JAVA gives you platform independence (sort'a, kind'a; for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption

AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital Signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)

These AON Security Functions...
...Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services

| AON Security Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments |
|---|---|---|---|---|
| Encryption using SSL V3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited |
| XML Payload Encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited |
| Protocol Translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific |
| Digital Signature | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited |
| DMZ-2-App Layer Secure Connector | mod_IIOP over SSH pipes | Reverse Proxy | STA (Secure Transport Architecture), custom | Varies for each environment |

Before AON: Current Location of Application and Service Support Utilities
[Diagram: Firewall / DMZ / Firewall / Application layer / Firewall; External Env 1, External Env 2 and B2B each sit in the DMZ in front of their own Internal DB]
Each of External Env 1, External Env 2 and B2B carries its own:
• Environment/Technology-specific Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/Application-based Content Inspection/Routing, Schema Validation, Logging, Service Versioning

After AON: Future Location of Application and Service Support Utilities
[Diagram: Firewall / DMZ / Firewall / Application layer / Firewall; Common Utilities (AON blades) in the DMZ in front of Business Logic (Java, PERL, B2B) and the Internal DBs]
Common utilities provided by AON:
• SSL Termination
• SIG/Cert Validation
• Authentication
• Logging
• Content-based Routing
• Protocol Conversion
• Payload Encryption
• Payload Decryption
• Schema Validation

AON Security
• AON fosters a better network security architecture because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e. layer 7 security implemented in the network device)
• Common and consistent implementation of security functions
  Digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation

Pre-AON Web Security Architecture
[Diagram: Firewall / DMZ / Firewall / Application Layer / Firewall; Web Servers (WS) in the DMZ; Business Logic (Java, PERL, B2B) and Internal DBs behind the second firewall]

Pre-AON SOA/Web Services Security Architecture
[Diagram: as above, with a Web Services Gateway (WS GW) added in the application layer]

Pre-AON Attack Vectors
[Diagram: the same SOA/Web Services architecture, annotated with attack vectors]
Net architecture must be changed for the GW (more switches and routers = more ACLs to manage)
The GW is NOT part of the network: compromise of layer 3/4 can attack the application layer, going around the GW

A Possible (Simplified) AON Architecture
[Diagram: Firewall / DMZ / Firewall / Application Layer / Firewall; AON in the DMZ alongside the Web Servers (WS), and AON in the application layer in front of Business Logic (Java, PERL, B2B) and the Internal DBs]
AON is part of the network; the app layer is directly connected to the network device
Message protection is terminated at AON; no attack vector is exposed
AON can be dropped into an existing layered architecture without changing the security boundaries

AON Potential Architecture
[Diagram: Firewall / DMZ / Firewall / App Server layer; clients reach the DMZ AON cluster over HTTP(S); the DMZ cluster speaks AONP(S) to application-layer AON clusters, which reach App1, Svc2, Svc3, App Dir Svc, Gateway and a JMS Server over HTTP(S) and JMS. DMZ AON: SSL termination, DSIG/cert validation, authentication, logging, etc. Application-layer AON: payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP-2-JMS), content-based routing, logging; payload encryption, DSIG, logging, etc.]
Web servers == AON; Common Application functions == AON
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer provided by AON protect services and logic in the application layer

Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message level security functions

Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC)
• Authentication (HTTP BASIC, LDAP stores, X.509 Certificate, etc.)
• Something very like access control lists (flows can be used as message level ACLs)
• Data and schema validations (flows can contain XSLT expressions)

Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantic for
  XML-Signature (DSIG) == Digital signature use
  XML-Encryption (XENC) == Encrypt/decrypt use
  Authenticators
• + More standards proposed (alphabet soup):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other Business Rules (BPEL4WS)

AON Implements Messaging Standards
[Diagram: protocol stack TCP/IP, HTTP, SOAP, WS-Security, beside the XML Protocol Set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT); AON labelled Security Integrator / SOA]

Standards Relationships
[Diagram: the same stack and XML Protocol Set; AON labelled Accelerated XML Services]

Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used on the entire message or for parts of a message; uses certificate or key enveloping (WS-SEC); DSIG is very general purpose

Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message

Authentication
• HTTP BASIC
• SOAP Enveloped (header)
• Enterprise LDAP (Directory) stores
• Different types of credentials
  X.509 Certificate
  Signature validation (XENC certificate based)

Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general purpose mechanism for controlling message access and routing

Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets" code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a Firewall (because signatures do not come out-of-the-box)
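An added example, not code from the deck or from AON itself: a small Python inspection step that applies the checks named on the Authentication, Flow Security Mechanisms and Deep Content Inspection slides above to the purchaseOrder payload shown earlier. It authenticates an HTTP BASIC credential against a constructed store, runs hand-written byte-pattern "firewall signatures" before the XML is parsed, validates message format and data ranges, and routes on content, logging each step. The credential store, routing table, state list, endpoint names and the sample messages are all constructed for the example.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional
from xml.etree import ElementTree as ET

# Everything below the imports is constructed for the example (hypothetical partner,
# routes, states); it is not AON configuration.
_SALT = b"example-salt"
CREDENTIALS = {"partner1": hashlib.sha256(_SALT + b"s3cret").hexdigest()}
ROUTES = {"US": "jms://orders-us", "CA": "jms://orders-ca"}   # shipTo/@country -> endpoint
US_STATES = {"CA", "NY", "TX", "WA"}                           # subset for the range check
MAX_BODY_BYTES = 64 * 1024
# Hand-written "firewall signatures": byte patterns that stop the flow before parsing.
SIGNATURES = [(b"<!DOCTYPE", "dtd-not-allowed"), (b"<!ENTITY", "entity-declaration")]

@dataclass
class Decision:
    accepted: bool
    reason: str
    route: Optional[str] = None
    log: List[str] = field(default_factory=list)

def basic_header(user: str, password: str) -> Dict[str, str]:
    """Authorization header for the constructed test messages."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}

def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """HTTP BASIC against the credential store, with a constant-time digest compare."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return None
    expected = CREDENTIALS.get(user)
    if expected is None:
        return None
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return user if hmac.compare_digest(digest, expected) else None

def validate_order(root: ET.Element) -> Optional[str]:
    """Message-format and data-range checks; returns a failure reason or None."""
    if root.tag != "purchaseOrder":
        return "unexpected-root"
    try:
        date.fromisoformat(root.get("orderDate", ""))
    except ValueError:
        return "bad-orderDate"
    ship = root.find("shipTo")
    if ship is None or ship.get("country") not in ROUTES:
        return "bad-shipTo"
    for tag in ("name", "street", "city", "state", "zip"):
        if not ship.findtext(tag):
            return f"missing-{tag}"
    if ship.get("country") == "US":
        if ship.findtext("state") not in US_STATES:
            return "bad-state"
        zip_code = ship.findtext("zip")
        if not (len(zip_code) == 5 and zip_code.isascii() and zip_code.isdigit()):
            return "bad-zip"
    return None

def inspect(headers: Dict[str, str], body: bytes) -> Decision:
    """Authenticate, apply signatures, validate, then route; each step is logged."""
    user = authenticate(headers)
    if user is None:
        return Decision(False, "auth-failed", log=["auth failed"])
    log = [f"auth ok user={user}"]
    if len(body) > MAX_BODY_BYTES:
        return Decision(False, "too-large", log=log + ["size limit exceeded"])
    for pattern, name in SIGNATURES:        # cheap byte checks run before any parsing
        if pattern in body:
            return Decision(False, "signature:" + name, log=log + [f"signature hit {name}"])
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return Decision(False, "malformed-xml", log=log + ["parse error"])
    err = validate_order(root)
    if err:
        return Decision(False, err, log=log + [f"validation failed {err}"])
    route = ROUTES[root.find("shipTo").get("country")]
    return Decision(True, "ok", route=route, log=log + [f"routed to {route}"])

# Constructed sample messages, modelled on the purchaseOrder shown on the slides.
GOOD_HEADERS = basic_header("partner1", "s3cret")
BAD_HEADERS = basic_header("partner1", "wrong")
GOOD_BODY = b"""<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name><street>123 Maple Street</street>
    <city>Mill Valley</city><state>CA</state><zip>90952</zip>
  </shipTo>
</purchaseOrder>"""
DTD_BODY = b'<!DOCTYPE x [<!ENTITY e "x">]><purchaseOrder orderDate="1999-10-20"/>'
```

The ordering is the point: authentication first, then the cheap byte signatures and size limit, and only then the parser and the schema-style checks, so a message carrying a DTD or entity declaration never reaches the XML parser. In a real deployment the stdlib parser would be swapped for a hardened one (for example defusedxml) and the signature list would be maintained by the security team, as the slide describes.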

AON Components
[Diagram: AON Blades; AMC (AON Mgmt Console), used for configuring and provisioning AON modules; ADS (AON Design Studio), used for developing application policies ("flows"); LOG DB]

Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, in the AON component and through AON access controls
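As an added example (hypothetical code, not AMC's real role model), this Python sketch combines the provisioning best practices given earlier (dev/test/prod, namespaced names, per-project sandboxes, an automated promotion process) with the access-control slide above: flows move development to staging to production, every step is gated by role, a flow's author cannot approve it, and production promotion needs an approval from someone else. The role-to-permission map, the naming pattern and the user set are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

STAGES = ("development", "staging", "production")

# Constructed role model: the role names follow the slide, the permissions are assumptions.
ROLE_PERMISSIONS = {
    "designer": {"edit"},
    "developer": {"edit", "promote:staging"},
    "approver": {"approve"},
    "administrator": {"promote:production"},
}
# Naming convention assumed for this example: <project>.<kind>.<name>, lowercase only.
NAME_RE = re.compile(r"^([a-z0-9]+)\.(flow|property|resource)\.[a-z0-9-]+$")

@dataclass
class Flow:
    name: str
    author: str
    stage: str = STAGES[0]
    approvals: Set[str] = field(default_factory=set)
    history: List[str] = field(default_factory=list)

class FlowRegistry:
    """Moves flows through dev/test/prod with a role check at every step."""

    def __init__(self, users: Dict[str, Tuple[str, Set[str]]]):
        self.users = users                  # user -> (project team, roles)
        self.flows: Dict[str, Flow] = {}

    def _perms(self, user: str) -> Set[str]:
        _, roles = self.users.get(user, ("", set()))
        return set().union(*(ROLE_PERMISSIONS[r] for r in roles))

    def register(self, user: str, name: str) -> Flow:
        if "edit" not in self._perms(user):
            raise PermissionError(f"{user} may not create flows")
        m = NAME_RE.match(name)
        if not m:
            raise ValueError(f"{name!r} violates the naming convention")
        if m.group(1) != self.users[user][0]:   # sandbox: stay inside your own namespace
            raise PermissionError(f"{user} may not write to namespace {m.group(1)!r}")
        if name in self.flows:                  # collision prevention
            raise ValueError(f"{name!r} already exists")
        flow = Flow(name=name, author=user, history=[f"{user} registered"])
        self.flows[name] = flow
        return flow

    def approve(self, user: str, name: str) -> Flow:
        flow = self.flows[name]
        if "approve" not in self._perms(user):
            raise PermissionError(f"{user} is not an approver")
        if user == flow.author:                 # separation of duties
            raise PermissionError("authors may not approve their own flow")
        flow.approvals.add(user)
        flow.history.append(f"{user} approved at {flow.stage}")
        return flow

    def promote(self, user: str, name: str) -> Flow:
        flow = self.flows[name]
        if flow.stage == STAGES[-1]:
            raise ValueError("already in production")
        target = STAGES[STAGES.index(flow.stage) + 1]
        if f"promote:{target}" not in self._perms(user):
            raise PermissionError(f"{user} may not promote to {target}")
        if target == "production" and not flow.approvals:
            raise PermissionError("production promotion requires an approval")
        flow.stage = target
        flow.history.append(f"{user} promoted to {target}")
        return flow

def demo() -> Tuple[str, List[str], List[str]]:
    """One constructed flow goes dev -> staging -> production; also records what was denied."""
    users = {  # constructed users: (project team, roles)
        "dev1": ("orders", {"developer", "approver"}),
        "sec1": ("orders", {"approver"}),
        "ops1": ("infra", {"administrator"}),
    }
    reg = FlowRegistry(users)
    name = "orders.flow.validate-po"
    reg.register("dev1", name)
    reg.promote("dev1", name)                    # developer: development -> staging
    denied = []
    for label, action in [
        ("foreign-namespace", lambda: reg.register("dev1", "billing.flow.x")),
        ("name-collision", lambda: reg.register("dev1", name)),
        ("self-approval", lambda: reg.approve("dev1", name)),
        ("unapproved-production", lambda: reg.promote("ops1", name)),
    ]:
        try:
            action()
        except (PermissionError, ValueError):
            denied.append(label)
    reg.approve("sec1", name)                    # a second person approves
    reg.promote("ops1", name)                    # administrator: staging -> production
    flow = reg.flows[name]
    return flow.stage, flow.history, denied
```

The history list is the audit trail an approver or administrator would review before a production push; the four denied actions in demo() are the collision, sandbox, separation-of-duties and approval checks firing in turn.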

Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/Architecture
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection, content level ACLs
  Reasonable administrative access controls

Q and A
Session Number 11657_09_2005_c1
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public

Before AON: Transformation and Mapping
[Diagram: External Env 1 reaches a Proxy Web Service over SOAP/HTTP(S). Behind it, an Automated BP engine (Internal Env 1) performs transformation and mapping, and custom applications (Internal Env 2) attach through JMS libraries, adaptors, OCM and JDBC. Everything joins a messaging bus that fronts the back-end systems, packages and internal databases (HTTP/SQL web services).]

After AON, Phase I
[Diagram: same topology, with AON blades replacing the Proxy Web Services on External Env 1. Transformation and mapping stay in the Automated BP engine; the JMS library, adaptor, OCM and JDBC connections to the messaging bus and the back-end systems are unchanged.]

After AON, Phase II
[Diagram: the AON blades now carry transformation and mapping as well, in front of the back-end systems, packages and internal databases (HTTP/SQL web services, SOAP/HTTP(S)).]
AON blades could also replace the business process and transformation engine by providing transformation/mapping capabilities in addition to the proxy web service layer (Phase 2).

Using AON vs. B2B Gateway
[Diagram: customers and partners on the Internet reach the enterprise network over SOAP/HTTP(S), XML/HTTP(S), RNIF, EDI/AS2 and flat file/HTTP(S); a legacy B2B gateway fronts the distributed enterprise services.]

Protocol Relationships
[Diagram: protocol stack TCP/IP, HTTP, SOAP, WS-Security, topped by the Web Services protocol set: XML-Digital Signature (DSIG) and XML-Encryption (XENC). AON sits in this stack as the Service Broker. WSDL and UDDI are exchanged out of band.]

What Role Does AON Play in SOA?
• Service Broker
  Application-Level Message Routing
  Application/Service Security
  Application-Level Monitoring
  Service Abstraction
  Protocol Translation
  Transformation and Mapping
• Message Schema Validation

What Role Does AON Play in Application Integration?
• Protocol Translation
• Transformation and Mapping
• Message Schema and Data Validation

Cisco IT AON Production: Intangible Benefits
• Faster time to delivery by reducing the development lifecycle
• Better security, made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements by individual applications
• Moving intelligence into the network

Cisco IT View of AON
An invisible message router/gateway in the network that routes, transforms, monitors, and authenticates/authorizes messages between end points.

How Can AON Be Invisible?
An AON node resides in the network as an inline, application-aware device. The device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to them.

AON Modes of Operation
Transparent Mode: intercept with no change to applications.
[Diagram: Sending Application A sends to http://B/Service1; the integrated switch, based on a WCCP redirect ACL, intercepts the traffic and forwards it to the AON blade, which passes it on to Receiving Application B.]

AON Best Practices: A Cisco IT Perspective

Best Practices: Logical Diagram
[Diagram: Firewall | DMZ | Firewall | App Server Layer. AON blades are grouped into clusters: one set in the DMZ (SSL termination, DSIG/cert validation, authentication, logging, etc.) and sets in the application layer (payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP-to-JMS), content-based routing, logging; payload encryption, DSIG, logging, etc.). Clusters talk over AONSP and share a log DB.]
• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters, keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should sit in the DMZ while the application AON cluster resides in the protected network
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties

Best Practices: Provisioning and Management
[Diagram: the same clustered AON layout (DMZ and App Server Layer clusters, AONSP between them, shared log DB).]
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention using standard namespacing
• Implement isolation by sandboxing the development environment per project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes all of the above into account

Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com Integration (contacts, leads, etc.)

Q and A

Intermission
Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT

Security with AON
Brook Schoenfield, Senior Security Architect, CSPO

Agenda
• Where Does AON Fit into the Bigger Picture?
  What is Service Oriented Architecture (SOA)?
  What is Application Integration?
• What is AON?
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls

SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)

SOA Is Now
"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects."
Gartner, Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits," October 2001
This is FYQ06; enterprises are looking for that 30% gain.

AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"

Cisco IT-Specific Drivers for SOA
• Move from functionally focused IT to business-process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions

Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)

Complexity (and Risk) Increase with Adoption
[Diagram: Partner 1, Partner 2 … Partner n connecting into Self-Service, Inventory Mgmt and Call Center services.]

Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
  Not everyone will be served
• Inspect, validate and authenticate requests
  The code's internal state is not openly exposed
• Only well-defined requests are serviced
  Requests do not reveal the service's algorithms
  Requests do not describe the service's state
• Requests provide services, not data access
  Services should not share ACID transactions
• Transactions imply a certain level of trust
  Locks may be held for a long time
• Transactions imply a level of coupling —Microsoft Incorporated

What Role Does AON Play?
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator

AON and the OSI Stack
[Diagram: the OSI layers with examples. Application; Presentation (ASCII, MPEG, GIF, etc.); Session (RPC, NFS); Transport (TCP, UDP); Network (IP logical addressing); Data Link (data translation to frames); Physical (data bits transmission). AON is placed in the upper layers: message-level protocol (SOAP), content-based routing, and content inspection, transformation, security and mapping.]

Pre-AON Inspection and Operation
[Diagram: IP | TCP | HTTP | payload (opaque). Switches, routers and firewalls with "content inspection" operate around the payload.]

AON Is Inside the TCP/IP Wrapper
[Diagram: IP | TCP | HTTP | payload. Session protocol + content inspection == session and payload. Optimized for XML payloads.]
Payload/message:
<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  …

AON == Message Content and Envelope
[Diagram: IP | TCP | HTTP | HTTP envelope (SOAP) messages (XML envelope standards + custom XML) == "Deep Inspection". Two message shapes are shown: SOAP/WSEC envelopes and plain HTTP XML message bodies, both handled as "existing message bodies + custom parsing".]

Why XML?
• TCP/IP gives you network hardware independence
• Java gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption

AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital Signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)

These AON Security Functions…
…are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco external-facing services:

AON Security Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Encryption using SSL v3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited
XML payload encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
Protocol translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital signature | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
DMZ-to-App Layer Secure Connector | mod_IIOP over SSH pipes | Reverse proxy | STA (Secure Transport Architecture), custom | Varies for each environment

Before AON: Current Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs. Each of External Env 1, External Env 2 and B2B carries its own copy of the utilities:
• Environment/technology specific: Authentication, SSL v3 Termination, DSIG Validation, Encryption
• Custom/application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning]

After AON: Future Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs. AON blades provide the common utilities in front of the business logic (Java, PERL, B2B).]
• SSL Termination
• SIG/Cert Validation
• Authentication
• Logging
• Content-based Routing
• Protocol Conversion
• Payload Encryption
• Payload Decryption
• Schema Validation

AON Security
• AON fosters a better network security architecture because it reduces the unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e., layer 7 security implemented in the network device)
• Common and consistent implementation of security functions
  Digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation

Pre-AON Web Security Architecture
[Diagram: Firewall | DMZ (web servers, WS) | Firewall | Application Layer (business logic: Java, PERL, B2B) | Firewall | Internal DBs.]

Pre-AON SOA/Web Services Security Architecture
[Diagram: as above, with a Web Services Gateway (WSGW) added in front of the business logic in the application layer.]

Pre-AON Attack Vectors
[Diagram: the same pre-AON SOA architecture (Firewall | DMZ web servers | Firewall | Application Layer with Java, PERL, B2B and the WSGW | Firewall | Internal DBs), annotated:]
• Network architecture must be changed for the GW (more switches and routers = more ACs to manage)
• The GW is NOT part of the network: a compromise at layer 3/4 can attack the application layer, going around the GW

A Possible (Simplified) AON Architecture
[Diagram: Firewall | DMZ web servers | Firewall | Application Layer (Java, PERL, B2B) fronted by AON | Firewall | Internal DBs, annotated:]
• AON is part of the network; the app layer is directly connected to the network device
• Message protection is terminated at AON; no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries

AON Potential Architecture
[Diagram: Firewall | DMZ | Firewall | App Server layer. In the DMZ, AON blades replace the web servers (SSL termination, DSIG/cert validation, authentication, logging, etc.). In the app server layer, AON clusters carry the common application functions: payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP-to-JMS), content-based routing, logging; payload encryption, DSIG, logging, etc. Traffic: HTTP(S) in from the DMZ, AONSP between clusters, HTTP(S) and JMS (via a JMS server) out to App1, Svc2, Svc3, a gateway and the App Dir Svc.]
• Web servers == AON; common application functions == AON
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer, provided by AON, protect the services and logic in the application layer

Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "for application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions

Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)

Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantic for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + More standards proposed (alphabet soup):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)

AON Implements Messaging Standards / Standards Relationships
[Diagram: protocol stack TCP/IP, HTTP, SOAP, WS-Security, topped by the XML protocol set: XML-Encryption (XENC), XML-Digital Signature (DSIG) and XML expressions (XSLT). AON appears in the stack as the Security Integrator for SOA and as accelerated XML services.]

Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used over the entire message or for parts of a message; use certificate or key enveloping (WSSEC). DSIG is very general purpose
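What "signing parts of a message" looks like on the wire, and why the verifier's reference resolution is itself a security decision, is shown below in an added example written for this page; it is not AON code. It implements the XML-Signature flow in reduced form with the Python standard library: canonicalize the referenced element (xml.etree's C14N 2.0), digest it into a ds:Reference, sign ds:SignedInfo, and verify. The HMAC SignatureMethod defined by the XML-Signature specification is used so the example runs without an RSA library (a real deployment signs with an RSA key bound to an X.509 certificate), a plain Id attribute stands in for wsu:Id, and the key, envelope and purchaseOrder contents are constructed. The second verifier makes the point the "parts of a message" bullet implies: if a Reference is resolved by searching the whole document for its Id, the signed part can be moved elsewhere and an unsigned part put in its place while the signature still verifies, so the verifier must insist that the element it checked is the element the application will process.

```python
"""Reduced XML-Signature (DSIG) over one part of a SOAP message, two verifiers.
Added example for this page, not AON code. HMAC stands in for the RSA/X.509
signature step; the key and the messages are constructed."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ET.register_namespace("soap", SOAP[1:-1])
ET.register_namespace("ds", DS[1:-1])
KEY = b"constructed shared key, not a real credential"


def c14n(elem: ET.Element) -> bytes:
    """Canonical form (C14N 2.0) of a subtree so equivalent serializations hash
    the same; the tail text is not part of the element."""
    elem = copy.copy(elem)
    elem.tail = None
    return ET.canonicalize(ET.tostring(elem), strip_text=True).encode()


def find_by_id(root: ET.Element, id_: str):
    return next((e for e in root.iter() if e.get("Id") == id_), None)


def build_message() -> ET.Element:
    """Constructed sample: SOAP envelope carrying the slides' purchaseOrder."""
    env = ET.Element(SOAP + "Envelope")
    ET.SubElement(env, SOAP + "Header")
    body = ET.SubElement(env, SOAP + "Body")
    body.append(ET.fromstring(
        '<purchaseOrder Id="po-1" orderDate="1999-10-20"><shipTo country="US">'
        "<name>Alice Smith</name><street>123 Maple Street</street>"
        "<city>Mill Valley</city><state>CA</state><zip>90952</zip>"
        "</shipTo></purchaseOrder>"))
    return env


def sign_part(env: ET.Element, part_id: str) -> None:
    """Digest the element with Id=part_id into a Reference, MAC SignedInfo, and
    place the ds:Signature in the SOAP Header (the WS-Security placement)."""
    part = find_by_id(env, part_id)
    sig = ET.Element(DS + "Signature")
    si = ET.SubElement(sig, DS + "SignedInfo")
    ET.SubElement(si, DS + "SignatureMethod", Algorithm=HMAC_SHA256)
    ref = ET.SubElement(si, DS + "Reference", URI="#" + part_id)
    ET.SubElement(ref, DS + "DigestMethod", Algorithm=SHA256)
    ET.SubElement(ref, DS + "DigestValue").text = base64.b64encode(
        hashlib.sha256(c14n(part)).digest()).decode()
    mac = hmac.new(KEY, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, DS + "SignatureValue").text = base64.b64encode(mac).decode()
    env.find(SOAP + "Header").append(sig)


def locate_by_id(env: ET.Element, uri: str):
    """Common toolkit behaviour: resolve a Reference by searching the whole
    document for its Id, wherever the element sits (even in a header)."""
    return find_by_id(env, uri[1:])


def locate_in_body(env: ET.Element, uri: str):
    """Stricter policy: the referenced element must be the sole child of
    soap:Body, i.e. the element the application will actually process."""
    body = env.find(SOAP + "Body")
    if body is None or len(body) != 1 or body[0].get("Id") != uri[1:]:
        return None
    return body[0]


def verify(env: ET.Element, locate) -> bool:
    """Check SignatureValue over SignedInfo, then each Reference digest,
    resolving every URI with the supplied policy."""
    sig = env.find(SOAP + "Header/" + DS + "Signature")
    if sig is None:
        return False
    si = sig.find(DS + "SignedInfo")
    mac = base64.b64decode(sig.findtext(DS + "SignatureValue", ""))
    if not hmac.compare_digest(mac, hmac.new(KEY, c14n(si), hashlib.sha256).digest()):
        return False
    for ref in si.iterfind(DS + "Reference"):
        target = locate(env, ref.get("URI", ""))
        if target is None:
            return False
        want = base64.b64decode(ref.findtext(DS + "DigestValue", ""))
        if not hmac.compare_digest(want, hashlib.sha256(c14n(target)).digest()):
            return False
    return True


def wrap_attack(env: ET.Element) -> ET.Element:
    """Move the signed order into a header wrapper and put an unsigned order with
    a different destination in the Body. The signed bytes are untouched, so the
    digest still matches wherever an Id search finds the element."""
    env = copy.deepcopy(env)
    body = env.find(SOAP + "Body")
    signed = body[0]
    body.remove(signed)
    ET.SubElement(env.find(SOAP + "Header"), "Wrapper").append(signed)
    forged = copy.deepcopy(signed)
    del forged.attrib["Id"]
    forged.find("shipTo/city").text = "Somewhere Else"
    body.append(forged)
    return env
```

With an honestly signed message both verifiers accept; after wrap_attack the Id-searching verifier still accepts while locate_in_body rejects, and editing the signed element in place fails both. The lesson carries over to the real algorithms: the digest and signature math can be perfect and the message still unprotected if the verifier does not bind the checked element to the position the consumer reads from.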

Encryption/decryption
• Confidentiality
• Integrity (at the transport level SSL carries its own MAC; at the message level XENC by itself does not authenticate the ciphertext, so pair it with DSIG)
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message

Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials: X.509 certificate
  Signature validation (DSIG, certificate based)

Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out of the box)
• A very general-purpose mechanism for controlling message access and routing

Deep Content Inspection
• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets": code that can use the same services as AON's internal content-handling code, and so handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out of the box)
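The flow that the Flow Security Mechanisms and Deep Content Inspection slides describe (format and range validation, authorization rules, an IDS-style alarm, a firewall-style drop, and content-based routing, all applied to the SOAP payload that the "inside the TCP/IP wrapper" slides contrast with the headers a layer 3/4 device sees) can be shown end to end. The following is an added example written for this page, not AON code or a Cisco bladelet; it uses only the Python standard library. Its HTTP request framing, the completion of the slides' purchaseOrder sample with an items section, the size limit, the 1..99 quantity range and the JMS destination names are all constructed for illustration.

```python
"""Message-level inspection flow over an HTTP request carrying a SOAP payload.
Added example for this page, not AON code. The request framing, the completed
purchaseOrder, the limits and the route names are constructed."""
import re
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
MAX_BODY = 64 * 1024                      # constructed limit
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
ZIP_RE = re.compile(r"^\d{5}$")
REQUIRED = ("name", "street", "city", "state", "zip")

# The slides' purchaseOrder sample, completed with an <items> section so the
# range checks have something to inspect (constructed test input).
PURCHASE_ORDER = b"""<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  <items>
    <item partNum="872-AA">
      <productName>Lawnmower</productName>
      <quantity>1</quantity>
    </item>
  </items>
</purchaseOrder>"""


def soap_request(payload: bytes, path: bytes = b"/Service1") -> bytes:
    """Wrap an XML fragment in a SOAP envelope and an HTTP POST (constructed input)."""
    body = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            b"<soap:Body>" + payload + b"</soap:Body></soap:Envelope>")
    head = (b"POST " + path + b" HTTP/1.1\r\nHost: B\r\nContent-Type: text/xml\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


def split_http(raw: bytes):
    """The view a layer 3/4 device or a plain HTTP proxy has: request line and
    headers. The body is an opaque blob to it."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def _deny(reason: str, alarms: list) -> dict:
    return {"verdict": "DENY", "reason": reason, "route": None, "alarms": alarms}


def inspect(raw: bytes) -> dict:
    """Run one message through the flow; returns verdict, reason, route, alarms."""
    alarms = []
    _, _, body = split_http(raw)

    # 1. Firewall-style signatures on the raw bytes, before any parser runs.
    #    xml.etree expands internal entities, so a DTD in a message is attack
    #    surface (entity expansion), not something a purchase order needs.
    if len(body) > MAX_BODY:
        return _deny("body exceeds %d bytes" % MAX_BODY, alarms)
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        alarms.append("dtd-in-soap-message")          # content-IDS event
        return _deny("DTD or entity declarations are not accepted", alarms)

    # 2. Envelope structure: one soap:Body carrying exactly one operation element.
    try:
        env = ET.fromstring(body)
    except ET.ParseError as exc:
        return _deny("malformed XML: %s" % exc, alarms)
    bodies = env.findall(SOAP + "Body")
    if env.tag != SOAP + "Envelope" or len(bodies) != 1 or len(bodies[0]) != 1:
        return _deny("unexpected envelope structure", alarms)
    po = bodies[0][0]
    if po.tag != "purchaseOrder":
        return _deny("operation %r is not served by this flow" % po.tag, alarms)

    # 3. Message format: what a schema would enforce for this operation.
    ship = po.find("shipTo")
    if ship is None or any(ship.findtext(f) is None for f in REQUIRED):
        return _deny("shipTo is incomplete", alarms)
    if not DATE_RE.match(po.get("orderDate", "")):
        return _deny("orderDate is not YYYY-MM-DD", alarms)

    # 4. Data ranges.
    if ship.get("country") == "US" and not ZIP_RE.match(ship.findtext("zip")):
        return _deny("US zip must be five digits", alarms)
    for item in po.iterfind("items/item"):
        qty = item.findtext("quantity", "")
        if not qty.isdigit() or not 1 <= int(qty) <= 99:
            alarms.append("quantity-out-of-range")    # alarm, then stop the message
            return _deny("quantity %r outside 1..99" % qty, alarms)

    # 5. Content-based routing: the payload, not the URL, picks the destination.
    route = "jms:po.domestic" if ship.get("country") == "US" else "jms:po.export"
    return {"verdict": "ALLOW", "reason": "ok", "route": route, "alarms": alarms}
```

The raw-byte checks in step 1 run before the parser on purpose: a size cap and a DTD signature are the cheapest place to stop entity-expansion payloads, and they are the kind of rule the slides say a security team could add as a "signature" even though none ship by default. Steps 2 to 4 are what the flow's format, range and authorization rules amount to in code, and step 5 is content-based routing, with the decision made from the inspected payload rather than from the transport.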

AON Components
• AMC (AON Management Console): used for configuring and provisioning AON modules
• ADS (AON Design Studio): used for developing application policies ("flows")
• AON blades, sharing a log DB

Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device and AON component levels, and through AON access controls.

Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection, content-level ACLs
  Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Slide 18
After AON - Phase I
[Diagram: Messaging Bus; Back End Systems / Packages / Databases (Internal DB, HTTP, SQL); Transformation / Mapping; Automated BP, Internal Env 1 (JMS Lib, Adaptor, OCM, SOAP, HTTP(s), JDBC); Custom Applications, Internal Env 2 (JMS Lib, JDBC); AON; Web Services]
AON Blades Replace Proxy Web Services on External Env 1
Slide 19
After AON - Phase II
[Diagram: Back End Systems / Packages / Databases (Internal DB, HTTP, SQL); Web Services; AON with Transformation / Mapping; SOAP, HTTP(s)]
AON Blades Could Also Replace Business Process and Transformation Engine by Providing Transformation/Mapping Capabilities in Addition to Proxy Web Service Layer (Phase 2)
Slide 20
After AON - Phase II (build of the slide 19 diagram, same content)
Slide 21
Using AON vs. B2B Gateway
[Diagram: Customers and Partners on the Internet reach the Enterprise Network over SOAP/HTTP(S), XML/HTTP(S), RNIF, EDI/AS2 and Flat File/HTTP(S); Legacy B2B Gateway; Distributed Enterprise Services]
Slide 22
Protocol Relationships
[Diagram: Web Services Protocol Set, bottom to top: TCP/IP, HTTP, SOAP, WS-Security; alongside, XML-Digital Signature (DSIG) and XML-Encryption (XENC); WSDL and UDDI exchanged out of band; AON as Service Broker]
Slide 23
What Role Does AON Play in SOA
• Service Broker
  - Application-Level Message Routing
  - Application/Service Security
  - Application-Level Monitoring
  - Service Abstraction
  - Protocol Translation
  - Transformation and Mapping
• Message Schema Validation
Slide 24
What Role Does AON Play in Application Integration
Application Integration
• Protocol Translation
• Transformation and Mapping
• Message Schema and Data Validation
Slide 25
Cisco IT AON Production: Intangible Benefits
• Faster time to delivery by reducing development lifecycle
• Better security made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements by individual applications
• Moving intelligence into the network
Slide 26
Cisco IT View of AON
An invisible message router/gateway in the network that routes, transforms, monitors, and authenticates/authorizes messages between end points
Slide 27
How Can AON Be Invisible?
An AON node resides in the network as an inline application-aware device; the device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications
Slide 28
AON Modes of Operation
Transparent Mode: Intercept with No Change to Applications
[Diagram: Sending Application A sends to http://B/Service1; the Integrated Switch / AON Blade intercepts the traffic based on a WCCP Re-Direct ACL and forwards it to AON; Receiving Application B]
Slide 29
AON Best Practices: A Cisco IT Perspective
Slide 30
Best Practices: Logical Diagram
[Diagram: Firewall | DMZ | Firewall | App Server Layer, with AON clusters in each zone connected over AONSP; Log DB. AON cluster functions: (1) SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.; (2) Payload Decryption, Schema Validation, Content Inspection/Routing, logging; (3) Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; (4) Payload Encryption, DSIG, logging, etc.]
• Cluster AON blades based on functionality
• Identify common capabilities that span across multiple applications to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties
Slide 31
Best Practices: Provisioning and Management
[Diagram: same Firewall | DMZ | Firewall | App Server Layer topology of AON clusters, AONSP links and Log DB as on slide 30]
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention utilizing standard name spacing
• Implement isolation by sandboxing development environment by project teams
• Allow for an automated promotion process
• Implement a promotion strategy that takes into account all of the above
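The provisioning practices above (dev/test/prod SDLC, namespaced flow names to prevent collisions, per-team sandboxing, an automated promotion process) and the staging, approval and role controls on the Access Controls slide are easier to reason about as one small policy engine. The following is an added example, not AON or Cisco code: the stage names, the `<team>.<project>.<flow>` naming rule, the role names and the separation-of-duties rule (an author may not approve their own flow, and only an administrator may deploy an approved flow to prod) are assumptions chosen to illustrate the slides, not AMC behaviour.

```python
"""Flow promotion with namespacing, staged promotion and approval (constructed example)."""
from dataclasses import dataclass, field

STAGES = ["dev", "test", "prod"]   # assumed promotion order; no stage may be skipped
ROLES = {"designer", "developer", "approver", "administrator"}   # roles named on the slide


@dataclass
class User:
    name: str
    team: str          # the team whose namespace the user is sandboxed to
    roles: set


@dataclass
class Flow:
    name: str          # assumed convention: "<team>.<project>.<flow>"
    author: str
    stage: str = "dev"
    approvals: set = field(default_factory=set)


class PromotionError(Exception):
    pass


class FlowRegistry:
    def __init__(self):
        self._flows = {}

    @staticmethod
    def team_of(flow_name):
        parts = flow_name.split(".")
        if len(parts) != 3 or not all(parts):
            raise PromotionError(f"flow name must be <team>.<project>.<flow>: {flow_name!r}")
        return parts[0]

    def register(self, user, flow_name):
        """Create a flow in dev. Enforces the naming convention, collision prevention and sandboxing."""
        team = self.team_of(flow_name)
        if not user.roles & {"developer", "designer"}:
            raise PromotionError(f"{user.name} may not create flows")
        if flow_name in self._flows:
            raise PromotionError(f"name collision: {flow_name!r} already registered")
        if team != user.team:
            raise PromotionError(f"{user.name} is sandboxed to team {user.team!r}")
        flow = Flow(name=flow_name, author=user.name)
        self._flows[flow_name] = flow
        return flow

    def approve(self, user, flow_name):
        """Separation of duties: an approver who is not the author records the approval."""
        flow = self._flows[flow_name]
        if "approver" not in user.roles:
            raise PromotionError(f"{user.name} lacks the approver role")
        if user.name == flow.author:
            raise PromotionError("authors may not approve their own flows")
        flow.approvals.add(user.name)
        return flow

    def promote(self, user, flow_name, target):
        """Move a flow one stage forward; prod additionally needs an approval and an administrator."""
        flow = self._flows[flow_name]
        if target not in STAGES:
            raise PromotionError(f"unknown stage {target!r}")
        if STAGES.index(target) != STAGES.index(flow.stage) + 1:
            raise PromotionError(f"cannot promote {flow.stage} -> {target}; stages may not be skipped")
        if target == "prod":
            if "administrator" not in user.roles:
                raise PromotionError("only administrators may deploy to prod")
            if not flow.approvals:
                raise PromotionError("prod promotion requires an approval")
        elif not user.roles & {"developer", "administrator"}:
            raise PromotionError(f"{user.name} may not promote to {target}")
        flow.stage = target
        return flow.stage


def demo():
    """Walk one flow through the controls; every refused action is recorded with its reason."""
    reg = FlowRegistry()
    dev = User("dana", "orders", {"developer"})
    other = User("omar", "rma", {"developer"})
    approver = User("ava", "orders", {"approver"})
    admin = User("adam", "infra", {"administrator"})
    flow = reg.register(dev, "orders.status.lookup")
    outcomes = {}
    for label, action in [
        ("collision", lambda: reg.register(other, "orders.status.lookup")),  # same name, other team
        ("sandbox", lambda: reg.register(other, "orders.rma.create")),       # outside own namespace
        ("skip", lambda: reg.promote(admin, flow.name, "prod")),            # dev -> prod directly
    ]:
        try:
            action()
        except PromotionError as e:
            outcomes[label] = str(e)
    reg.promote(dev, flow.name, "test")
    try:
        reg.promote(admin, flow.name, "prod")                               # no approval yet
    except PromotionError as e:
        outcomes["unapproved"] = str(e)
    reg.approve(approver, flow.name)
    outcomes["final"] = reg.promote(admin, flow.name, "prod")
    return outcomes
```

Each refusal carries the rule that produced it, so the same records can feed the Log DB shown in the diagram and an auditor can see which control (naming, sandbox, staging or approval) stopped a deployment.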
Slide 32
Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com Integration (contacts, leads, etc.)
Slide 33
Q and A
Slide 34
Intermission
Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT
Slide 35
Security with AON
Brook Schoenfield, Senior Security Architect, CSPO
Slide 36
Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls
Slide 37
Agenda
• Where Does AON Fit into the Bigger Picture
  - What is Service Oriented Architecture (SOA)
  - What is Application Integration
• What is AON
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls
SOA
bull Service Oriented Architecture is a different mindset
bull Focus on delivering a service offering (an invoice a purchase order an item or unit that has intrinsic business understanding and value)
bull No longer focus on the programmatic interface (message standards take care of that)
39copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA Is Now
ldquoBy 2005 the aggressive use of Web services will drive a 30 increase in the efficiency of IT development projectsrdquo
Gartner Inc ldquoThe Hype Is Right Web Services Will Deliver Immediate Benefitsrdquo October 2001
This Is FYQ06 Enterprises Are Looking for that 30 Gain
40copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and SOA
bull AON can be a key part of an SOA build out
bull AON provides the necessary security functions
bull Common functions become ldquopart of the networkrdquo
41copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Specific Drivers for SOA
bull Move from functionally focused IT to business process focused
bull Single source of truth
bull Development cyclesmdashreusability
bull Business responsiveness
bull Consistency
bull Security functions
Slide 42
Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)
Slide 43
Complexity (and Risk) Increase with Adoption
[Diagram: Partner 1, Partner 2, ..., Partner n; Self-Service; Inventory Mgmt; Call Center]
Slide 44
Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
  - The code's internal state is not openly exposed
• Only well defined requests are serviced
• Requests do not reveal the service's algorithms
• Requests do not describe the service's state
• Requests provide services, not data access
  - Services should not share ACID transactions
• Transactions imply a certain level of trust
  - Locks may be held for a long time
• Transactions imply a level of coupling
(Microsoft Incorporated)
Slide 45
Agenda (repeated from slide 36)
Slide 46
What Role Does AON Play
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator
Slide 47
AON and the OSI Stack
[Diagram: OSI layers with the functions placed on them: Physical (data bits transmission); Data Link (data translation to frames); Network (IP, logical addressing); Transport (TCP, UDP); Session (RPC, NFS); Presentation (ASCII, MPEG, GIF, etc.); Application (message level protocol (SOAP); content-based routing; content inspection, transformation, security & mapping)]
Slide 48
Pre-AON Inspection and Operation
[Diagram: IP | TCP | HTTP | payload (opaque). Switches, Routers and Firewalls' "content inspection" operates around the payload]
Slide 49
AON Is Inside the TCP/IP Wrapper
[Diagram: IP | TCP | HTTP | Payload/Message. Session protocol + content inspection == session and payload]
Payload/Message:
<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  ...
Slide 50
AON Is Inside the TCP/IP Wrapper (same diagram and payload as slide 49)
Optimized for XML Payloads
Slide 51
AON == Message Content and Envelope
[Diagram: IP | TCP | HTTP | SOAP/WSEC | XML message body. HTTP envelope (SOAP) messages (XML envelope standards + custom XML) == "deep inspection"; existing message bodies + custom parsing]
Slide 52
Why XML
• TCP/IP gives you network HW independence
• JAVA gives you platform independence (sort'a kind'a; for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
Slide 53
AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital Signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)
Slide 54
These AON Security Functions...
...Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services

AON Security Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Encryption using SSL V3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited
XML Payload Encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
Protocol Translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital Signature | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
DMZ-2-App Layer Secure Connector | mod_IIOP over SSH pipes | Reverse Proxy | STA (Secure Transport Architecture), custom | Varies for each environment
Slide 55
Before AON: Current Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall; External Env 1, External Env 2 and B2B each sit in front of an Internal DB, and each of the three carries its own copy of:]
• Environment/technology specific: Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning
Slide 56
After AON: Future Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall; AON nodes provide the common utilities, while the Java, PERL and B2B business logic sits behind them in front of the Internal DBs]
Common utilities on AON:
• SSL Termination
• SIG/Cert Validation
• Authentication
• Logging
• Content-based Routing
• Protocol Conversion
• Payload Encryption
• Payload Decryption
• Schema Validation
Slide 57
Agenda (repeated from slide 36)
Slide 58
AON Security
• AON fosters a better network security architecture, because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e. layer 7 security implemented in the network device)
• Common and consistent implementation of security functions
  - Digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59
Pre-AON Web Security Architecture
[Diagram: Firewall | DMZ (Web Servers: WS, WS, WS) | Firewall | Application Layer (Business Logic: Java, PERL, B2B) | Firewall | Internal DBs]
Slide 60
Pre-AON SOA/Web Services Security Architecture
[Diagram: as slide 59, with a Web Services Gateway (WSGW) added in the application layer]
Slide 61
Pre-AON Attack Vectors
[Diagram: as slide 60]
Slide 62
Pre-AON Attack Vectors
[Diagram: as slide 60, annotated:]
• Net architecture must be changed for the GW (more switches and routers = more ACs to manage)
• The GW is NOT part of the network: compromise of layer 3/4 can attack the application layer, going around the GW
Slide 63
A Possible (Simplified) AON Architecture
[Diagram: Firewall | DMZ (WS, WS, WS) | Firewall | Application Layer (Java, PERL, B2B) with AON | Firewall | Internal DBs, annotated:]
• AON is part of the network; the app layer is directly connected to the network device
• Message protection is terminated at AON; no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64
AON Potential Architecture
[Diagram: Firewall | DMZ (AON nodes, HTTP(S) in) | Firewall | App Server layer (AON nodes joined over AONSP; App1, Svc2, Svc3, App Dir Svc, Gateway and JMS Server reached over HTTP(S) and JMS). AON cluster functions: (1) SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.; (2) Payload Decryption, Schema Validation, Content Inspection/Routing, logging; (3) Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; (4) Payload Encryption, DSIG, logging, etc.]
Web servers == AON
Common application functions == AON
Slide 65
AON Potential Architecture
[Diagram: same as slide 64]
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer provided by AON protect services and logic in the application layer
Slide 66
Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message level security functions
Slide 67
Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC)
• Authentication (HTTP BASIC, LDAP stores, X.509 Certificate, etc.)
• Something very like access control lists (flows can be used as message level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
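The "Flow Security Mechanisms" and "Deep Content Inspection" slides, the "Healthy Distrust" rules (only well-defined requests are serviced) and the message-level ACL and validation bullets above all describe one pipeline: content signatures that alarm or block, then format validation, data-range validation and an authorization rule, with the outcome logged. The following is an added example of such a flow in Python, not AON, bladelet or Cisco code: the purchase-order messages are constructed to resemble the fragment on the "AON Is Inside the TCP/IP Wrapper" slide, and the element whitelist, the range limits, the two signatures and the `POLICY` mapping of principals to shipping countries are assumptions made for the illustration.

```python
"""Message-level inspection flow: signatures, format, ranges, authorization (constructed example)."""
import re
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample messages, modeled on the deck's purchaseOrder fragment.
GOOD_ORDER = b"""<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name><street>123 Maple Street</street>
    <city>Mill Valley</city><state>CA</state><zip>90952</zip>
  </shipTo>
  <item partNum="872-AA"><quantity>10</quantity></item>
</purchaseOrder>"""
BAD_RANGE_ORDER = GOOD_ORDER.replace(b"<quantity>10<", b"<quantity>5000<")
EXTRA_ELEMENT_ORDER = GOOD_ORDER.replace(b"</shipTo>", b"</shipTo><debug>1</debug>")
DOCTYPE_ORDER = (b'<?xml version="1.0"?><!DOCTYPE purchaseOrder [<!ENTITY x "y">]>'
                 + GOOD_ORDER.split(b"?>", 1)[1])

MAX_BYTES = 64 * 1024                                # assumed size limit
ALLOWED_CHILDREN = {"purchaseOrder": {"shipTo", "item"},   # assumed message schema
                    "shipTo": {"name", "street", "city", "state", "zip"},
                    "item": {"quantity"}}
POLICY = {"partner-a": {"US", "CA"}, "partner-b": {"DE"}}  # assumed authorization rule

# Content signatures: (name, predicate on the raw bytes, action). "block" stops the message
# (firewall behaviour); "alarm" only raises an alert (content IDS behaviour).
SIGNATURES = [
    ("doctype-in-message", lambda raw: b"<!DOCTYPE" in raw, "block"),   # DTDs never expected here
    ("oversized-message", lambda raw: len(raw) > MAX_BYTES, "alarm"),
]


def check_format(root):
    """Only well-defined requests are serviced: known root, known children, required fields."""
    if root.tag != "purchaseOrder":
        return [f"unexpected root element {root.tag!r}"]
    problems = []
    for parent in root.iter():
        allowed = ALLOWED_CHILDREN.get(parent.tag)
        if allowed is None:
            continue
        problems += [f"unexpected element <{c.tag}> under <{parent.tag}>"
                     for c in parent if c.tag not in allowed]
    ship = root.find("shipTo")
    if ship is None:
        problems.append("missing <shipTo>")
    else:
        problems += [f"missing <shipTo>/<{r}>" for r in sorted(ALLOWED_CHILDREN["shipTo"])
                     if ship.find(r) is None]
    return problems


def check_ranges(root):
    """Validation of data ranges; assumes check_format passed, so the fields exist."""
    problems = []
    try:
        date.fromisoformat(root.get("orderDate", ""))
    except ValueError:
        problems.append("orderDate is not an ISO date")
    ship = root.find("shipTo")
    if not re.fullmatch(r"\d{5}", ship.findtext("zip", "")):
        problems.append("zip must be five digits")
    if not re.fullmatch(r"[A-Z]{2}", ship.findtext("state", "")):
        problems.append("state must be a two-letter code")
    for item in root.findall("item"):
        qty = item.findtext("quantity", "")
        if not qty.isdigit() or not 1 <= int(qty) <= 1000:
            problems.append(f"quantity {qty!r} outside 1..1000")
    return problems


def check_authorization(root, principal, policy):
    """Rules defining authorization: the authenticated principal may only ship to its countries."""
    country = root.find("shipTo").get("country", "")
    if country not in policy.get(principal, set()):
        return [f"principal {principal!r} not authorized to ship to {country!r}"]
    return []


def inspect(raw, principal, policy):
    """Run the flow; the result carries verdict, alarms and reasons so the decision can be logged."""
    alarms, reasons = [], []
    for name, matches, action in SIGNATURES:
        if matches(raw):
            (reasons if action == "block" else alarms).append(name)
    if reasons:   # a blocking signature fired: the bytes never reach the parser
        return {"verdict": "drop", "alarms": alarms, "reasons": reasons}
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as e:
        return {"verdict": "drop", "alarms": alarms, "reasons": [f"malformed XML: {e}"]}
    reasons = check_format(root)
    if not reasons:   # range and authorization checks rely on a well-formed order
        reasons = check_ranges(root) + check_authorization(root, principal, policy)
    return {"verdict": "drop" if reasons else "forward", "alarms": alarms, "reasons": reasons}
```

The ordering matters: the byte-level signatures run before any parser sees the message, structure is checked before values, and every drop names the rule that caused it, which is what makes the flow usable as both a content ACL and a source of IDS-style alerts.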
Slide 68
Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantic for
  - XML-Signature (DSIG) == digital signature use
  - XML-Encryption (XENC) == encrypt/decrypt use
  - Authenticators
• + More standards proposed (alphabet soup)
  - Web Services Description Language (WSDL)
  - Universal Description, Discovery and Integration (UDDI)
  - Web Services Flow Language (WSFL)
  - Other business rules (BPEL4WS)
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
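The three slides above make two points worth seeing in code: a DSIG signature can cover only a part of a message (a Reference to one element), and validating that signature is what turns the credential into authentication and integrity. The following is an added example, not AON or Cisco code. It builds a minimal XML-Signature element with the standard library: the `SignatureMethod` and `DigestMethod` URIs are the real ones from the XML-Signature specifications, but the assumed key is a shared HMAC key rather than an X.509 certificate (the HMAC-SHA256 method is defined for DSIG, while certificate-based signing needs an asymmetric key the standard library does not provide), the canonicalization is the C14N 2.0 form that `xml.etree.ElementTree.canonicalize` implements, and the purchase order is a constructed sample modeled on the deck's fragment.

```python
"""Sign and verify one part of an XML message, XML-DSIG style (constructed example)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("ds", DS)
HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"   # DSIG SignatureMethod URI
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"                    # DSIG DigestMethod URI

# Constructed order; <shipTo> carries an Id so a Reference can point at just that part.
ORDER = b"""<purchaseOrder orderDate="1999-10-20">
  <shipTo Id="ship" country="US">
    <name>Alice Smith</name><street>123 Maple Street</street>
    <city>Mill Valley</city><state>CA</state><zip>90952</zip>
  </shipTo>
  <item partNum="872-AA"><quantity>10</quantity></item>
</purchaseOrder>"""


def canonical(elem):
    """Canonical (C14N 2.0) bytes of one element; digests and MACs are computed over these."""
    tail, elem.tail = elem.tail, None        # tail text belongs to the parent, not the signed part
    try:
        xml = ET.tostring(elem, encoding="unicode")
    finally:
        elem.tail = tail
    return ET.canonicalize(xml, strip_text=True).encode()


def find_by_id(root, elem_id):
    return next((e for e in root.iter() if e.get("Id") == elem_id), None)


def b64(data):
    return base64.b64encode(data).decode()


def sign_part(doc, key, elem_id):
    """Append a <ds:Signature> whose single Reference covers the element with the given Id."""
    root = ET.fromstring(doc)
    part = find_by_id(root, elem_id)
    if part is None:
        raise ValueError(f"no element with Id={elem_id!r}")
    sig = ET.SubElement(root, f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(info, f"{{{DS}}}SignatureMethod", Algorithm=HMAC_SHA256)
    ref = ET.SubElement(info, f"{{{DS}}}Reference", URI=f"#{elem_id}")
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=SHA256)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = b64(hashlib.sha256(canonical(part)).digest())
    mac = hmac.new(key, canonical(info), hashlib.sha256).digest()   # signs SignedInfo, i.e. the digest
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = b64(mac)
    return ET.tostring(root)


def verify_part(signed_doc, key):
    """True only if SignedInfo carries a valid MAC and the referenced part still matches its digest."""
    root = ET.fromstring(signed_doc)
    sig = root.find(f"{{{DS}}}Signature")
    info = sig.find(f"{{{DS}}}SignedInfo") if sig is not None else None
    if info is None:
        return False
    method = info.find(f"{{{DS}}}SignatureMethod")
    if method is None or method.get("Algorithm") != HMAC_SHA256:
        return False                                   # refuse unexpected algorithms outright
    expected_mac = hmac.new(key, canonical(info), hashlib.sha256).digest()
    given_mac = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue", ""))
    if not hmac.compare_digest(expected_mac, given_mac):
        return False
    ref = info.find(f"{{{DS}}}Reference")
    part = find_by_id(root, ref.get("URI", "").lstrip("#"))
    if part is None:
        return False
    digest = hashlib.sha256(canonical(part)).digest()
    return hmac.compare_digest(digest, base64.b64decode(ref.findtext(f"{{{DS}}}DigestValue", "")))


def demo(key=b"constructed-shared-key"):
    signed = sign_part(ORDER, key, "ship")
    return {
        "intact": verify_part(signed, key),
        "wrong_key": verify_part(signed, b"other-key"),
        # the signed part changed, so the <shipTo> digest no longer matches
        "tampered_signed_part": verify_part(signed.replace(b"<zip>90952</zip>", b"<zip>10001</zip>"), key),
        # an unsigned part changed: DSIG covers only what the Reference points at
        "tampered_unsigned_part": verify_part(
            signed.replace(b"<quantity>10</quantity>", b"<quantity>99</quantity>"), key),
    }
```

The last case is the practical lesson of "entire message or parts of a message": a valid signature says nothing about elements outside its References, so a flow that authorizes on the signed `<shipTo>` but acts on the unsigned `<item>` has an integrity gap, and the reference scope has to be checked as deliberately as the signature itself.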
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
19copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON-Phase IIBack End SystemsPackagesDatabases
Internal DBInternal DB
Internal DBHTTPSQL
Web Services
AON with Transformation
Mapping
AON Blades Could Also Replace Business Process and Transformation Engine by
Providing Transformationmapping Capabilities in Addition to Proxy web
Service Layer (Phase 2)
SOAP HTTP(s)
20copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON-Phase IIBack End SystemsPackagesDatabases
SOAP HTTP(s)
Internal DBInternal DB
Internal DBHTTPSQL
Web Services
AON with Transformation
Mapping
AON Blades Could Also Replace Business Process and Transformation Engine by
Providing Transformationmapping Capabilities in Addition to Proxy web
Service Layer (Phase 2)
21copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Using AON vs B2B Gateway
SOAPHTTP(S)
XMLHTTP(S)
RNIF
EDIAS2
Flat FileHTTP(S)
LegacyB2B
Gateway
DistributedEnterpriseServices
Internet
Enterprise Network
Customers
Partners
22copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Protocol Relationships
Web Services Protocol SetXM
L-D
igita
l Sig
natu
re(D
SIG
)
XML-
Encr
yptio
n(X
ENC
)
TCPIP
HTTP
SOAP
WS-Security
AONService Broker
WSD
L
Out of BandExchange
UDDI
23copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON Play in SOA
bull Service BrokerApplication-Level Message Routing
ApplicationService Security
Application-Level Monitoring
Service Abstraction
Protocol Translation
Transformation and Mapping
bull Message Schema Validation
24copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON Play in Application Integration
Application Integrationbull Protocol Translation
bull Transformation and Mapping
bull Message Schema and Data Validation
25copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT AON Production Intangible Benefits
bull Faster time to delivery by reducing development lifecycle
bull Better security made possible by a common and simplified implementation provisioning and configuration process
bull Reduced complexity of applications and infrastructure
bull Architecture lends itself to the future of SOAbull Reduced resource requirements by individual
applicationsbull Moving intelligence into the network
26copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT View of AON
An invisible message routergateway in the network that routes transforms monitors and authenticateauthorize messages between end points
27copy 2005 Cisco Systems Inc All rights reserved Cisco Public
How Can AON Be Invisible
An AON node resides in the network as an inline application-aware device the device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or as a pass-through proxy that is transparent to applications
28copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Modes of Operation
Transparent Mode
Intercept with No Change to Applications
SendingApplication A
ReceivingApplication B
Integrated SwitchAON Blade
Based on WCCP Re-Direct ACL Intercept Traffic and
Forward to AON
httpBService1
29copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Best PracticesA Cisco IT Perspective
30copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Logical Diagram
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Cluster AON blades based on functionality
bull Identify common capabilities that span across multiple applications to be owned by Infrastructure
bull Move commoninfrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities into its own set of clusters
bull For external-facing Web Services infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
bull Standardize on AONP(S) as the inter-cluster communication protocol
bull Standardize on a naming convention for resources flows and properties
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
31copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Provisioning and Management
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Implement a standard SDLC strategy (devtestprod)
bull Implement collision prevention utilizing standard name spacing
bull Implement isolation by sandboxing development environment by project teams
bull Allow for an automated promotion process
bull Implement a promotion strategy that takes into account all of the above
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
32copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Services Leveraging AON
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Background Check
bull Salesforcecom Integration (contacts leads etchellip)
33copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
34copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Intermission
Coming up in the next hourbull Security with AON
bull AON Deployment Timelines within Cisco IT
bull AON Business Case within Cisco IT
35copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Security with AON
Brook Schoenfield Senior Security ArchitectCSPO
36copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
37copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger PictureWhat is Service Oriented Architecture (SOA)
What is Application Integration
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
38copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA
bull Service Oriented Architecture is a different mindset
bull Focus on delivering a service offering (an invoice a purchase order an item or unit that has intrinsic business understanding and value)
bull No longer focus on the programmatic interface (message standards take care of that)
39copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA Is Now
ldquoBy 2005 the aggressive use of Web services will drive a 30 increase in the efficiency of IT development projectsrdquo
Gartner Inc ldquoThe Hype Is Right Web Services Will Deliver Immediate Benefitsrdquo October 2001
This Is FYQ06 Enterprises Are Looking for that 30 Gain
40copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and SOA
bull AON can be a key part of an SOA build out
bull AON provides the necessary security functions
bull Common functions become ldquopart of the networkrdquo
41copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Specific Drivers for SOA
bull Move from functionally focused IT to business process focused
bull Single source of truth
bull Development cyclesmdashreusability
bull Business responsiveness
bull Consistency
bull Security functions
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
Slide 44: Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
The code's internal state is not openly exposed:
• Only well-defined requests are serviced
• Requests do not reveal the service's algorithms
• Requests do not describe the service's state
• Requests provide services, not data access
Services should not share ACID transactions:
• Transactions imply a certain level of trust
• Locks may be held for a long time
• Transactions imply a level of coupling (source: Microsoft Incorporated)
Slide 45: Agenda
• Where Does AON Fit into the Bigger Picture
• What Is AON
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls
Slide 46: What Role Does AON Play?
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator
Slide 47: AON and the OSI Stack
[Diagram: the seven OSI layers with AON's functions placed alongside the upper layers]
Application: Message Level Protocol (SOAP)
Presentation: ASCII, MPEG, GIF, etc.
Session: RPC, NFS
Transport: TCP, UDP
Network: IP (Logical Addressing)
Data Link: Data Translation to Frames
Physical: Data Bits Transmission
AON functions: Content-Based Routing; Content Inspection, Transformation, Security & Mapping (operating on the message itself, above the transport layer)
Slide 48: Pre-AON Inspection and Operation
[Diagram: IP | TCP | HTTP headers wrapping an opaque payload]
Switches, routers, firewalls and "content inspection" operate around the payload; the payload itself is opaque to them.
Slides 49-50: AON Is Inside the TCP/IP Wrapper
[Diagram: IP | TCP | HTTP headers, then the payload/message]
Session Protocol + Content Inspection == Session and Payload
Payload/Message (Http://www):
  <?xml version="1.0"?>
  <purchaseOrder orderDate="1999-10-20">
    <shipTo country="US">
      <name>Alice Smith</name>
      <street>123 Maple Street</street>
      <city>Mill Valley</city>
      <state>CA</state>
      <zip>90952</zip>
    </shipTo>
    ...
Optimized for XML Payloads
Slide 51: AON == Message Content and Envelope
[Diagram: IP | TCP | HTTP | XML Message Body; the HTTP envelope carries SOAP/WSEC (Http://www)]
HTTP Envelope (SOAP) Messages (XML envelope standards + custom XML) == "Deep Inspection"
Existing message bodies + custom parsing
Slide 52: Why XML?
• TCP/IP gives you network hardware independence
• Java gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
Slide 53: AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital signature
• DMZ-to-application-layer secure connector (like SSH or STA)
Slide 54: These AON Security Functions...
...are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco external-facing services.

| AON Security Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments |
| Encryption using SSL v3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited |
| XML payload encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited |
| Protocol translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific |
| Digital signature | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited |
| DMZ-to-app-layer secure connector | mod_IIOP over SSH pipes | Reverse proxy | STA (Secure Transport Architecture), custom | Varies for each environment |
Slide 55: Before AON: Current Location of Application and Service Support Utilities
[Diagram: DMZ and Application layer separated by firewalls; External Env 1, External Env 2 and B2B each front their own Internal DB, and each of the three carries its own copy of the two sets of utilities below]
• Environment/technology-specific: authentication, SSL v3 termination, DSIG validation, encryption
• Custom/application-based: content inspection/routing, schema validation, logging, service versioning
Slide 56: After AON: Future Location of Application and Service Support Utilities
[Diagram: DMZ and Application layer separated by firewalls; AON nodes provide the common utilities in front of the business logic (Java, PERL, B2B) and the Internal DBs]
Common utilities moved into AON:
• SSL termination • SIG/cert validation • Authentication • Logging • Content-based routing
• Protocol conversion • Payload encryption • Payload decryption • Schema validation
Slide 57: Agenda
• Where Does AON Fit into the Bigger Picture
• What Is AON
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls
Slide 58: AON Security
• AON fosters a better network security architecture because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e., layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59: Pre-AON Web Security Architecture
[Diagram: DMZ and Application Layer separated by firewalls; Web Servers (WS) in the DMZ, Business Logic (Java, PERL, B2B) and Internal DBs behind the inner firewall]
Slide 60: Pre-AON SOA/Web Services Security Architecture
[Diagram: as slide 59, with a Web Services gateway (WSGW) added in the application layer beside the Internal DBs]
Slide 61: Pre-AON Attack Vectors
[Diagram: the slide 60 architecture (Web Servers in the DMZ, Business Logic, Internal DBs, WSGW) with the attack paths highlighted]
Slide 62: Pre-AON Attack Vectors
[Diagram: the slide 60 architecture with the WSGW annotated]
• Net architecture must be changed for the GW (more switches and routers = more ACs to manage)
• The GW is NOT part of the network: compromise of layer 3/4 can attack the application layer, going around the GW
Slide 63: A Possible (Simplified) AON Architecture
[Diagram: DMZ and Application Layer separated by firewalls; Web Servers (WS) in the DMZ; AON in front of Business Logic (Java, PERL, B2B) and the Internal DBs]
• AON is part of the network: the app layer is directly connected to the network device
• Message protection is terminated at AON; no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slides 64-65: AON Potential Architecture
[Diagram: Firewall | DMZ | Firewall | App Server layer. Clients reach AON in the DMZ over HTTP(S); the DMZ AON talks to AON clusters in the app server layer over AONSP; app-layer AON reaches App1, Svc2, Svc3 and the Gateway over HTTP(S) or JMS, alongside an App Dir Svc (directory service) and a JMS Server]
AON function groups as labelled in the diagram:
• SSL termination, DSIG/cert validation, authentication, logging, etc.
• Payload decryption, schema validation, content inspection/routing, logging
• Protocol conversion (HTTP-2-JMS), content-based routing, logging
• Payload encryption, DSIG, logging, etc.
Web servers == AON; common application functions == AON
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer, provided by AON, protect services and logic in the application layer
Slide 66: Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions
Slide 67: Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68: Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  - XML-Signature (DSIG) == digital signature use
  - XML-Encryption (XENC) == encrypt/decrypt use
  - Authenticators
• + more standards proposed (alphabet soup):
  - Web Services Description Language (WSDL)
  - Universal Description, Discovery and Integration (UDDI)
  - Web Services Flow Language (WSFL)
  - Other business rules (BPEL4WS)
Slide 69: AON Implements Messaging Standards
[Diagram: protocol stack, bottom to top: TCP/IP, HTTP, SOAP, WS-Security, then the XML protocol set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT); AON sits on top as the Security Integrator for the SOA]
Slide 70: Standards Relationships
[Diagram: the same stack as slide 69 (TCP/IP, HTTP, SOAP, WS-Security; XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT)); AON sits on top as Accelerated XML Services]
Slide 71: Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used on the entire message or on parts of a message; use certificate or key enveloping (WSSEC); DSIG is very general purpose
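As an added illustration of slide 71, not code from the presentation or from the AON product: signing one part of the purchase order under an X.509 certificate, written in Go with only the standard library. The certificate is self-signed for the example (the slides assume an enterprise PKI), the canonicalization step is a fixed marshalling rather than XML C14N, and the `Signature` struct stands in for the WS-Security header; `NewSigner`, `NewTrust`, `SignPart`, `VerifyPart` and the `partner-1.example` name are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// ShipTo is the part that gets signed; orderDate stays outside the signature.
type ShipTo struct {
	XMLName xml.Name `xml:"shipTo"`
	Country string   `xml:"country,attr"`
	Name    string   `xml:"name"`
	Zip     string   `xml:"zip"`
}

type PurchaseOrder struct {
	XMLName   xml.Name `xml:"purchaseOrder"`
	OrderDate string   `xml:"orderDate,attr"`
	ShipTo    ShipTo   `xml:"shipTo"`
}

// Signature stands in for a WS-Security <Signature> header: the part covered,
// the signature value, and the signer's certificate (DER) as <KeyInfo> carries it.
type Signature struct {
	SignedPart string
	Value      []byte
	CertDER    []byte
}

// partDigest hashes a deterministic serialization of the part. XML-Signature uses C14N
// here, which encoding/xml lacks; marshalling the typed part is this example's substitute.
func partDigest(part ShipTo) []byte {
	b, _ := xml.Marshal(part) // marshalling a plain struct cannot fail
	d := sha256.Sum256(b)
	return d[:]
}

// NewSigner makes an RSA key and a self-signed X.509 certificate for it; in
// production the certificate would come from the enterprise PKI.
func NewSigner(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// NewTrust is the verifier's trust store: only this signer is accepted.
func NewTrust(cert *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(cert); return p }

// SignPart signs the part's digest with RSA PKCS#1 v1.5 over SHA-256, the
// primitive behind XML-Signature's rsa-sha256 SignatureMethod.
func SignPart(key *rsa.PrivateKey, cert *x509.Certificate, po *PurchaseOrder) (Signature, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, partDigest(po.ShipTo))
	return Signature{SignedPart: "shipTo", Value: sig, CertDER: cert.Raw}, err
}

// VerifyPart checks the embedded certificate against the trust store first (a valid
// signature from an untrusted key is still a failure), then the signature over the part as received.
func VerifyPart(po *PurchaseOrder, s Signature, trust *x509.CertPool) error {
	cert, err := x509.ParseCertificate(s.CertDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: trust, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("signer not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("unsupported signer key type")
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, partDigest(po.ShipTo), s.Value)
}
```

Changing orderDate after signing leaves the signature valid, because only shipTo is covered; changing anything inside shipTo, or presenting a certificate the verifier does not trust, makes `VerifyPart` fail. That is the "parts of a message" property the slide refers to, and it is also why the choice of what to sign is a design decision rather than a default.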
Slide 72: Encryption/Decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
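Slide 72's message-level case (XENC), as an added example that is not part of the deck: the shipTo part is encrypted for one recipient while orderDate stays readable, so an intermediary such as a routing AON can still act on it without the content key. The construction is the hybrid one XML-Encryption specifies (a symmetric content key wrapped with the recipient's public key); the element names in `EncryptedData` follow XENC's layout, but the byte formats, the `label` context value and the names `EncryptPart`, `DecryptPart` and `Tampered` are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

// ShipTo is the confidential part; orderDate stays in the clear so an intermediary can still route on it.
type ShipTo struct {
	XMLName xml.Name `xml:"shipTo"`
	Country string   `xml:"country,attr"`
	Name    string   `xml:"name"`
	Zip     string   `xml:"zip"`
}

// EncryptedData follows the layout of XML-Encryption's <EncryptedData>: the content key wrapped
// for the recipient (<EncryptedKey> under <KeyInfo>) and nonce || ciphertext || tag in <CipherValue>.
type EncryptedData struct {
	XMLName      xml.Name `xml:"EncryptedData"`
	EncryptedKey string   `xml:"KeyInfo>EncryptedKey"`
	CipherValue  string   `xml:"CipherData>CipherValue"`
}

// PurchaseOrder carries either the clear part or its encrypted form.
type PurchaseOrder struct {
	XMLName   xml.Name       `xml:"purchaseOrder"`
	OrderDate string         `xml:"orderDate,attr"`
	ShipTo    *ShipTo        `xml:"shipTo,omitempty"`
	Encrypted *EncryptedData `xml:"EncryptedData,omitempty"`
}

const nonceLen = 12 // standard GCM nonce size
var label = []byte("shipTo") // context bound into both the OAEP wrap and the GCM tag

func aead(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPart produces EncryptedData for one part: a fresh AES-256-GCM content key protects
// the part and RSA-OAEP wraps that key for the recipient, the hybrid construction XENC uses.
func EncryptPart(recipient *rsa.PublicKey, part ShipTo) (*EncryptedData, error) {
	plain, _ := xml.Marshal(part)    // marshalling a plain struct cannot fail
	buf := make([]byte, 32+nonceLen) // content key || nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	cek, nonce := buf[:32], buf[32:]
	gcm, err := aead(cek)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, cek, label)
	if err != nil {
		return nil, err
	}
	ct := append(nonce, gcm.Seal(nil, nonce, plain, label)...)
	enc := base64.StdEncoding.EncodeToString
	return &EncryptedData{EncryptedKey: enc(wrapped), CipherValue: enc(ct)}, nil
}

// DecryptPart is the receiving side: unwrap the content key, then open the ciphertext.
// GCM's tag check rejects any modification, the integrity property listed beside confidentiality.
func DecryptPart(recipient *rsa.PrivateKey, ed *EncryptedData) (*ShipTo, error) {
	wrapped, err1 := base64.StdEncoding.DecodeString(ed.EncryptedKey)
	ct, err2 := base64.StdEncoding.DecodeString(ed.CipherValue)
	if err1 != nil || err2 != nil || len(ct) < nonceLen {
		return nil, fmt.Errorf("malformed EncryptedData")
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, wrapped, label)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(cek)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, ct[:nonceLen], ct[nonceLen:], label)
	if err != nil {
		return nil, fmt.Errorf("integrity check failed: %w", err)
	}
	part := new(ShipTo)
	if err := xml.Unmarshal(plain, part); err != nil {
		return nil, err
	}
	return part, nil
}

// Tampered flips one ciphertext bit, simulating corruption or modification in transit.
func Tampered(ed EncryptedData) EncryptedData { ct, _ := base64.StdEncoding.DecodeString(ed.CipherValue); ct[len(ct)-1] ^= 1; ed.CipherValue = base64.StdEncoding.EncodeToString(ct); return ed }
```

A message built as `PurchaseOrder{OrderDate: ..., Encrypted: ed}` marshals with orderDate visible and the address hidden; only the holder of the matching private key can recover shipTo, and a single flipped bit or a different recipient key makes `DecryptPart` fail rather than return garbage.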
Slide 73: Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials:
  - X.509 certificate
  - Signature validation (XENC, certificate based)
Slide 74: Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out of the box)
• A very general-purpose mechanism for controlling message access and routing
Slide 75: Deep Content Inspection
• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelet" code that can use the same services as AON's internal content-handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out of the box)
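Slides 44, 74 and 75 together describe what a flow does with a request: authenticate and authorize it, inspect its content against signatures that either alarm or stop the message, accept only the well-defined request shape, check data ranges, and give nothing of the service's internals away in the response. The Go program below is an added example written for this page (it is not AON code, a bladelet or an ADS flow): it applies those checks in that order to the purchase-order payload from slide 49. The principal names, the country list, the element allowlist and the two content signatures are constructed policy values.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"regexp"
	"time"
)

// PurchaseOrder declares only the fields this service is willing to accept.
type PurchaseOrder struct {
	XMLName   xml.Name `xml:"purchaseOrder"`
	OrderDate string   `xml:"orderDate,attr"`
	ShipTo    struct {
		Country string `xml:"country,attr"`
		State   string `xml:"state"`
		Zip     string `xml:"zip"`
	} `xml:"shipTo"`
}

// Verdict is the flow's decision; Reason is a log code, never parser detail.
type Verdict struct{ Action, Reason string }

// Constructed policy data (assumed values, not AON configuration).
var (
	allowedPrincipals = map[string]bool{"partner-1": true, "partner-2": true}
	allowedCountries  = map[string]bool{"US": true, "CA": true}
	knownElements     = map[string]bool{"purchaseOrder": true, "shipTo": true, "name": true, "street": true, "city": true, "state": true, "zip": true}
	zipRe, stateRe    = regexp.MustCompile(`^[0-9]{5}$`), regexp.MustCompile(`^[A-Z]{2}$`)
	// IDS/firewall-style signatures matched on raw bytes before parsing: Block stops the flow, Alarm delivers but raises an event.
	contentSignatures = []struct{ name, pattern, action string }{
		{"doctype-declaration", "<!DOCTYPE", "Block"},
		{"stylesheet-instruction", "<?xml-stylesheet", "Alarm"},
	}
)

// onlyKnownElements rejects any element the service interface did not define.
func onlyKnownElements(payload []byte) bool {
	dec := xml.NewDecoder(bytes.NewReader(payload))
	for {
		tok, err := dec.Token()
		if err != nil {
			return err == io.EOF
		}
		if se, ok := tok.(xml.StartElement); ok && !knownElements[se.Name.Local] {
			return false
		}
	}
}

// EvaluateFlow applies the checks in order: authorization rule, content
// inspection signatures, message-format validation, data-range validation.
func EvaluateFlow(principal string, payload []byte) Verdict {
	if !allowedPrincipals[principal] {
		return Verdict{"Block", "unauthorized-principal"}
	}
	alarm := ""
	for _, sig := range contentSignatures {
		if bytes.Contains(payload, []byte(sig.pattern)) {
			if sig.action == "Block" {
				return Verdict{"Block", "signature:" + sig.name}
			}
			alarm = "signature:" + sig.name
		}
	}
	var po PurchaseOrder
	if err := xml.Unmarshal(payload, &po); err != nil || !onlyKnownElements(payload) {
		return Verdict{"Block", "malformed-request"}
	}
	_, dateErr := time.Parse("2006-01-02", po.OrderDate)
	switch {
	case dateErr != nil:
		return Verdict{"Block", "invalid-orderDate"}
	case !allowedCountries[po.ShipTo.Country]:
		return Verdict{"Block", "country-not-served"}
	case !stateRe.MatchString(po.ShipTo.State) || !zipRe.MatchString(po.ShipTo.Zip):
		return Verdict{"Block", "invalid-address"}
	case alarm != "":
		return Verdict{"Alarm", alarm}
	}
	return Verdict{"Allow", "ok"}
}

// SamplePO is the purchase order shown on the slides (constructed input).
const SamplePO = `<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>`

func main() {
	fmt.Println(EvaluateFlow("partner-1", []byte(SamplePO)), EvaluateFlow("partner-1", []byte("<!DOCTYPE x>"+SamplePO)))
}
```

Two details carry the slide-44 points: the raw-byte signatures run before the parser sees the payload, so a document designed to upset the parser is stopped without being parsed, and every rejection returns a fixed reason code rather than the parser's message, so the response describes neither the service's algorithms nor its state.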
Slide 76: AON Components
[Diagram: AON blades with their LOG DB, managed by two tools]
• AMC (AON Mgmt Console): used for configuring and provisioning AON modules
• ADS (AON Design Studio): used for developing application policies ("flows")
Slide 77: Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, the AON component and through AON access controls.
Slide 78: Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  - Combining Layer 3/4 and Layer 7+ security controls
  - Common security functions: signatures, encryption, PKI
  - Deep content inspection: content-level ACLs
  - Reasonable administrative access controls
Slide 79: Q and A
© 2005 Cisco Systems, Inc. All rights reserved. Session Number 11657_09_2005_c1. Cisco Public
Slide 20: After AON, Phase II
[Diagram: Web Services clients reach AON (with transformation/mapping) over SOAP/HTTP(S); AON reaches the back-end systems, packages and databases (Internal DBs) over HTTP/SQL]
AON blades could also replace the business process and transformation engine by providing transformation/mapping capabilities in addition to the proxy web service layer (Phase 2).
Slide 21: Using AON vs. B2B Gateway
[Diagram: Customers and Partners on the Internet reach the Enterprise Network; SOAP/HTTP(S), XML/HTTP(S) and Flat File/HTTP(S) traffic goes to the Distributed Enterprise Services, while RNIF and EDI/AS2 traffic goes to the Legacy B2B Gateway]
Slide 22: Protocol Relationships
[Diagram: protocol stack, bottom to top: TCP/IP, HTTP, SOAP, WS-Security, then the Web Services protocol set: XML-Digital Signature (DSIG), XML-Encryption (XENC); AON sits on top as the Service Broker. WSDL and UDDI are exchanged out of band]
Slide 23: What Role Does AON Play in SOA?
• Service Broker:
  - Application-level message routing
  - Application/service security
  - Application-level monitoring
  - Service abstraction
  - Protocol translation
  - Transformation and mapping
• Message schema validation
Slide 24: What Role Does AON Play in Application Integration?
• Protocol translation
• Transformation and mapping
• Message schema and data validation
Slide 25: Cisco IT AON Production: Intangible Benefits
• Faster time to delivery by reducing the development lifecycle
• Better security made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements by individual applications
• Moving intelligence into the network
Slide 26: Cisco IT View of AON
An invisible message router/gateway in the network that routes, transforms, monitors and authenticates/authorizes messages between end points.
Slide 27: How Can AON Be Invisible?
An AON node resides in the network as an inline, application-aware device; the device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications.
Slide 28: AON Modes of Operation
Transparent mode: intercept with no change to applications
[Diagram: Sending Application A sends to http://B/Service1; an integrated switch with an AON blade, based on a WCCP redirect ACL, intercepts the traffic and forwards it to AON, which delivers it to Receiving Application B]
Slide 29: AON Best Practices: A Cisco IT Perspective
Slide 30: Best Practices: Logical Diagram
[Diagram: Firewall | DMZ | Firewall | App Server Layer, with AON clusters in the DMZ and in the app server layer linked over AONSP, plus a Log DB; AON function groups as labelled: SSL termination, DSIG/cert validation, authentication, logging, etc.; payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP-2-JMS), content-based routing, logging; payload encryption, DSIG, logging, etc.]
• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties
Slide 31: Best Practices: Provisioning and Management
[Diagram: the same logical diagram as slide 30 (Firewall | DMZ | Firewall | App Server Layer, AON clusters linked over AONSP, Log DB, AON function groups)]
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention utilizing standard name spacing
• Implement isolation by sandboxing the development environment by project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes into account all of the above
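Slide 77 (staging, approval processes, roles) and slide 31 (dev/test/prod SDLC, name spacing, sandboxing, automated promotion) describe the administrative controls around flows. The Go program below is an added example of that control model, written for this page rather than taken from AON's management console: a registry that decides who may author a flow, keeps each team inside its own namespace, rejects name collisions, and requires an approver other than the author for every promotion step, one stage at a time. `Registry`, `Flow`, the role strings and the team names are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Stage is a flow's SDLC position: dev -> test -> prod.
type Stage int

const (
	Dev Stage = iota
	Test
	Prod
)

// Flow is a deployable AON policy. Namespace carries the team-based naming
// convention (team/project) that keeps flows from colliding.
type Flow struct {
	Namespace, Name, Author string
	Stage                   Stage
	Approvals               map[Stage]string // target stage -> approver who promoted into it
}

func (f *Flow) QualifiedName() string { return f.Namespace + "/" + f.Name }

// Registry is the assumed management-console state: each user's role
// ("designer", "developer", "approver", "administrator") and the flows
// deployed in each stage.
type Registry struct {
	Roles    map[string]string
	Deployed map[Stage]map[string]*Flow
}

func NewRegistry(roles map[string]string) *Registry {
	r := &Registry{Roles: roles, Deployed: map[Stage]map[string]*Flow{}}
	for _, s := range []Stage{Dev, Test, Prod} {
		r.Deployed[s] = map[string]*Flow{}
	}
	return r
}

// Register places a new flow in dev. Only designers and developers author
// flows, the namespace must lie inside the author's team sandbox, and the
// qualified name must be unused (collision prevention through name spacing).
func (r *Registry) Register(author, team string, f *Flow) error {
	switch r.Roles[author] {
	case "designer", "developer":
	default:
		return fmt.Errorf("%s may not author flows", author)
	}
	if !strings.HasPrefix(f.Namespace, team+"/") {
		return fmt.Errorf("namespace %s is outside the %s sandbox", f.Namespace, team)
	}
	if _, taken := r.Deployed[Dev][f.QualifiedName()]; taken {
		return fmt.Errorf("name collision: %s already exists in dev", f.QualifiedName())
	}
	f.Author, f.Stage, f.Approvals = author, Dev, map[Stage]string{}
	r.Deployed[Dev][f.QualifiedName()] = f
	return nil
}

// Promote advances a flow by exactly one stage. The promoter must hold the
// approver role and must not be the author (separation of design/development
// from implementation); because each call moves one stage, dev cannot jump to prod.
func (r *Registry) Promote(approver string, f *Flow) error {
	if r.Roles[approver] != "approver" {
		return fmt.Errorf("%s lacks the approver role", approver)
	}
	if approver == f.Author {
		return errors.New("authors may not approve their own flows")
	}
	if f.Stage == Prod {
		return errors.New("flow is already in production")
	}
	next := f.Stage + 1
	delete(r.Deployed[f.Stage], f.QualifiedName())
	f.Stage, f.Approvals[next] = next, approver
	r.Deployed[next][f.QualifiedName()] = f
	return nil
}

func main() {
	r := NewRegistry(map[string]string{"alice": "designer", "carol": "approver"})
	f := &Flow{Namespace: "team-a/orders", Name: "OrderStatus"}
	fmt.Println(r.Register("alice", "team-a", f), r.Promote("alice", f), r.Promote("carol", f), f.Stage)
}
```

The `Approvals` map is the audit trail slide 77 implies: for every stage a flow reached, who let it in. Two teams can both own an `OrderStatus` flow because the qualified name includes the namespace, which is the whole point of the naming convention on slide 31.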
Slide 32: Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com Integration (contacts, leads, etc.)
Slide 33: Q and A
Slide 34: Intermission
Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT
Slide 35: Security with AON
Brook Schoenfield, Senior Security Architect, CSPO
Slide 36: Agenda
• Where Does AON Fit into the Bigger Picture
• What Is AON
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls
Slide 37: Agenda
• Where Does AON Fit into the Bigger Picture
  - What Is Service Oriented Architecture (SOA)
  - What Is Application Integration
• What Is AON
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls
38copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA
bull Service Oriented Architecture is a different mindset
bull Focus on delivering a service offering (an invoice a purchase order an item or unit that has intrinsic business understanding and value)
bull No longer focus on the programmatic interface (message standards take care of that)
39copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA Is Now
ldquoBy 2005 the aggressive use of Web services will drive a 30 increase in the efficiency of IT development projectsrdquo
Gartner Inc ldquoThe Hype Is Right Web Services Will Deliver Immediate Benefitsrdquo October 2001
This Is FYQ06 Enterprises Are Looking for that 30 Gain
40copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and SOA
bull AON can be a key part of an SOA build out
bull AON provides the necessary security functions
bull Common functions become ldquopart of the networkrdquo
41copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Specific Drivers for SOA
bull Move from functionally focused IT to business process focused
bull Single source of truth
bull Development cyclesmdashreusability
bull Business responsiveness
bull Consistency
bull Security functions
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Healthy Distrust = Security Controls
bull Services should be distrustful of the outside world
bull Not everyone will be served
bull Inspect validate and authenticate requestsThe codersquos internal state is not openly exposed
bull Only well defined requests are serviced
bull Requests do not reveal the servicersquos algorithms
bull Requests do not describe the servicersquos state
bull Requests provide services not data accessServices should not share ACID transactions
bull Transactions imply a certain level of trustLocks may be held for a long time
bull Transactions imply a level of couplingmdashMicrosoft Incorporated
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
Slide 66: Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions

Slide 67: Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC)
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)

Slide 68: Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantic for
    XML-Signature (DSIG) == digital signature use
    XML-Encryption (XENC) == encrypt/decrypt use
    Authenticators
• + More standards proposed ("alphabet soup"):
    Web Services Description Language (WSDL)
    Universal Description, Discovery and Integration (UDDI)
    Web Services Flow Language (WSFL)
    Other business rules (BPEL4WS)
Slide 69: AON Implements Messaging Standards
[Diagram: protocol stack TCP/IP, HTTP, SOAP, WS-Security; XML protocol set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT); AON labelled "Security Integrator", SOA]

Slide 70: Standards Relationships
[Diagram: same stack and XML protocol set as slide 69; AON labelled "Accelerated XML Services"]
Slide 71: Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used on the entire message or on parts of a message; uses certificate or key enveloping (WSSEC); DSIG is very general purpose
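Signing only part of a message, as the last bullet describes, shown as an added example that is not Cisco AON code: a ds:Signature in the WS-Security header references the SOAP Body by wsu:Id, so an edit inside the Body breaks verification while an edit to an unreferenced header element does not. It assumes an HMAC-SHA256 SignatureMethod with a constructed shared key and Python's C14N 2.0 in place of the X.509 key pair and exclusive C14N a production stack would use; the principal name is also assumed.

```python
"""XML-Signature over one part of a SOAP message (WS-Security style): the Body carries a
wsu:Id, a ds:Reference points at it and the ds:Signature sits in the wsse:Security header.
Added example, not Cisco AON code; for a standard-library-only demo it uses the HMAC-SHA256
SignatureMethod and Python's C14N 2.0 rather than an X.509 key pair and exclusive C14N 1.0."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
C14N_URI = "http://www.w3.org/2010/xml-c14n2"
HMAC_URI = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
SHA256_URI = "http://www.w3.org/2001/04/xmlenc#sha256"
WSU_ID = "{%s}Id" % NS["wsu"]

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def c14n(elem):
    """Canonical bytes of one element subtree: what digests and the MAC are computed over."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True).encode()

def digest_b64(elem):
    return base64.b64encode(hashlib.sha256(c14n(elem)).digest()).decode()

def find_by_id(env, ref_id):
    """Locate the element a Reference URI="#ref_id" points at."""
    for elem in env.iter():
        if elem.get(WSU_ID) == ref_id:
            return elem
    raise KeyError(ref_id)

def build_envelope():
    """Constructed sample: the slides' purchaseOrder in a SOAP Body plus a UsernameToken."""
    env = ET.Element(q("soap", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q("soap", "Header")), q("wsse", "Security"))
    token = ET.SubElement(sec, q("wsse", "UsernameToken"))
    ET.SubElement(token, q("wsse", "Username")).text = "partner-a"  # assumed principal
    body = ET.SubElement(env, q("soap", "Body"), {WSU_ID: "body"})
    order = ET.SubElement(body, "purchaseOrder", orderDate="1999-10-20")
    ship = ET.SubElement(order, "shipTo", country="US")
    for tag, text in [("name", "Alice Smith"), ("street", "123 Maple Street"),
                      ("city", "Mill Valley"), ("state", "CA"), ("zip", "90952")]:
        ET.SubElement(ship, tag).text = text
    return env

def sign(env, key, ref_id="body"):
    """Add a ds:Signature to the Security header covering only the element with wsu:Id=ref_id."""
    signed_info = ET.Element(q("ds", "SignedInfo"))
    ET.SubElement(signed_info, q("ds", "CanonicalizationMethod"), Algorithm=C14N_URI)
    ET.SubElement(signed_info, q("ds", "SignatureMethod"), Algorithm=HMAC_URI)
    ref = ET.SubElement(signed_info, q("ds", "Reference"), URI="#" + ref_id)
    ET.SubElement(ref, q("ds", "DigestMethod"), Algorithm=SHA256_URI)
    ET.SubElement(ref, q("ds", "DigestValue")).text = digest_b64(find_by_id(env, ref_id))
    mac = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    sig = ET.SubElement(env.find("soap:Header/wsse:Security", NS), q("ds", "Signature"))
    sig.append(signed_info)
    ET.SubElement(sig, q("ds", "SignatureValue")).text = base64.b64encode(mac).decode()
    return env

def verify(env, key):
    """True only if every referenced part matches its digest and the MAC over SignedInfo holds."""
    sig = env.find("soap:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        return False
    signed_info = sig.find("ds:SignedInfo", NS)
    for ref in signed_info.findall("ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            return False  # only same-document references are accepted
        try:
            target = find_by_id(env, uri[1:])
        except KeyError:
            return False
        if not hmac.compare_digest(ref.findtext("ds:DigestValue", "", NS), digest_b64(target)):
            return False
    expected = hmac.new(key, c14n(signed_info), hashlib.sha256).digest()
    actual = base64.b64decode(sig.findtext("ds:SignatureValue", "", NS))
    return hmac.compare_digest(expected, actual)

def demo(key=b"constructed-shared-secret"):
    """Verify intact, re-parsed, wrong-key, signed-part-edited and unsigned-part-edited messages."""
    env = sign(build_envelope(), key)
    results = {"intact": verify(env, key),
               "reparsed": verify(ET.fromstring(ET.tostring(env)), key),
               "wrong_key": verify(env, b"some-other-key")}
    env.find(".//street").text = "1 Elm Street"  # inside the signed Body
    results["signed_part_edited"] = verify(env, key)
    env = sign(build_envelope(), key)
    env.find(".//wsse:Username", NS).text = "mallory"  # header token lies outside the Reference
    results["unsigned_part_edited"] = verify(env, key)
    return results
```

The last result is the practical caveat: a signature covers exactly the referenced parts, so any header element the receiver relies on must carry its own Reference.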
Slide 72: Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message

Slide 73: Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials:
    X.509 certificate
    Signature validation (XENC, certificate based)

Slide 74: Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general-purpose mechanism for controlling message access and routing

Slide 75: Deep Content Inspection
• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelet" code that can use the same services as AON's internal content-handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out-of-the-box)
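The flow mechanisms of the two slides above (format validation, data-range validation, authorization rules, and content signatures that alarm or block), as an added example in Python that is not AON's own flow format, run over the purchaseOrder payload shown on the "AON Is Inside the TCP/IP Wrapper" slide. The policy tables, signature names, size and depth limits and the principal-to-message-type ACL are assumptions for illustration.

```python
"""Message-level policy 'flow' for an inbound XML request: content signatures on the
raw bytes, then format validation, data-range validation and an authorization rule,
returning allow/block plus any alarms.  Added example, not Cisco AON code (AON flows
are authored graphically in ADS); the policy tables, signature names and the
principal -> message-type ACL are assumptions for illustration."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

MAX_BYTES = 64 * 1024          # assumed per-message size limit
MAX_DEPTH = 8                  # assumed element nesting limit


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)   # why the message was blocked
    alarms: list = field(default_factory=list)    # content-IDS hits that only alert


# Content signatures evaluated on the raw bytes before any XML parsing.
# Each entry: (name, predicate, action); "block" stops the flow, "alarm" only logs.
SIGNATURES = [
    ("doctype-present", lambda raw: b"<!DOCTYPE" in raw, "block"),  # DTD/entity surface
    ("oversize", lambda raw: len(raw) > MAX_BYTES, "block"),
    ("script-tag", lambda raw: b"<script" in raw.lower(), "alarm"),
]

# Message-level ACL: which authenticated principal may send which root element.
ACL = {"partner-a": {"purchaseOrder"}, "partner-b": {"orderStatusRequest"}}

# Format rule: elements that must exist and be non-empty (schema-validation stand-in).
REQUIRED = ["shipTo/name", "shipTo/street", "shipTo/city", "shipTo/state", "shipTo/zip"]

# Data-range rules for element text and the orderDate attribute.
RANGES = {
    "shipTo/zip": re.compile(r"^\d{5}(-\d{4})?$"),
    "shipTo/state": re.compile(r"^[A-Z]{2}$"),
}
DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def depth(elem, level=1):
    """Deepest nesting level under elem (1 for a leaf)."""
    return max([level] + [depth(child, level + 1) for child in elem])


def evaluate(principal, raw):
    """Run the flow for one message and return a Verdict."""
    verdict = Verdict(allowed=True)
    # 1. Content signatures (content IDS / firewall) on the wire bytes.
    for name, hit, action in SIGNATURES:
        if hit(raw):
            (verdict.reasons if action == "block" else verdict.alarms).append(name)
    if verdict.reasons:
        verdict.allowed = False
        return verdict
    # 2. Message format validation.
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return Verdict(False, ["malformed-xml: %s" % exc], verdict.alarms)
    if depth(root) > MAX_DEPTH:
        return Verdict(False, ["nesting-too-deep"], verdict.alarms)
    for path in REQUIRED:
        node = root.find(path)
        if node is None or not (node.text or "").strip():
            verdict.reasons.append("missing:" + path)
    # 3. Data-range validation.
    if not DATE.match(root.get("orderDate", "")):
        verdict.reasons.append("out-of-range:@orderDate")
    for path, pattern in RANGES.items():
        node = root.find(path)
        if node is not None and not pattern.match((node.text or "").strip()):
            verdict.reasons.append("out-of-range:" + path)
    # 4. Authorization rule: the principal must be allowed to send this message type.
    if root.tag not in ACL.get(principal, set()):
        verdict.reasons.append("unauthorized:%s->%s" % (principal, root.tag))
    verdict.allowed = not verdict.reasons
    return verdict


# Constructed sample: the purchaseOrder payload from the "AON Is Inside the TCP/IP
# Wrapper" slide.
PURCHASE_ORDER = b"""<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>"""

if __name__ == "__main__":
    print(evaluate("partner-a", PURCHASE_ORDER))
    print(evaluate("partner-b", PURCHASE_ORDER))
    print(evaluate("partner-a", PURCHASE_ORDER.replace(b"90952", b"9O952")))
    print(evaluate("partner-a", b'<!DOCTYPE purchaseOrder SYSTEM "po.dtd"><purchaseOrder/>'))
```

Signatures run on the bytes before parsing so that a blocked DOCTYPE never reaches the XML parser; the verdict carries the reasons a flow would log.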
Slide 76: AON Components
[Diagram: AON blades with a LOG DB; AMC (AON Mgmt Console), used for configuring and provisioning AON modules; ADS (AON Design Studio), used for developing application policies ("flows")]

Slide 77: Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, at the AON component, and through AON access controls

Slide 78: Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
    Combining Layer 3/4 and Layer 7+ security controls
    Common security functions: signatures, encryption, PKI
    Deep content inspection, content-level ACLs
    Reasonable administrative access controls

Slide 79: Q and A
Session Number 11657_09_2005_c1
Slide 21: Using AON vs B2B Gateway
[Diagram: Customers and Partners on the Internet reach the Enterprise Network over SOAP/HTTP(S), XML/HTTP(S), RNIF, EDI/AS2, Flat File/HTTP(S) and Legacy; elements: B2B Gateway, Distributed Enterprise Services]

Slide 22: Protocol Relationships
[Diagram: protocol stack TCP/IP, HTTP, SOAP, WS-Security; Web Services protocol set: XML-Digital Signature (DSIG), XML-Encryption (XENC); WSDL and UDDI as out-of-band exchange; AON labelled "Service Broker"]
Slide 23: What Role Does AON Play in SOA?
• Service Broker:
    Application-level message routing
    Application/service security
    Application-level monitoring
    Service abstraction
    Protocol translation
    Transformation and mapping
• Message schema validation

Slide 24: What Role Does AON Play in Application Integration?
Application Integration:
• Protocol translation
• Transformation and mapping
• Message schema and data validation

Slide 25: Cisco IT AON Production Intangible Benefits
• Faster time to delivery by reducing the development lifecycle
• Better security, made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements by individual applications
• Moving intelligence into the network

Slide 26: Cisco IT View of AON
An invisible message router/gateway in the network that routes, transforms, monitors and authenticates/authorizes messages between end points.

Slide 27: How Can AON Be Invisible?
An AON node resides in the network as an inline, application-aware device; the device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications.

Slide 28: AON Modes of Operation
Transparent Mode: intercept with no change to applications
[Diagram: Sending Application A -> Integrated Switch / AON Blade -> Receiving Application B; based on a WCCP redirect ACL, the switch intercepts traffic and forwards it to AON; example request http://B/Service1]
Slide 29: AON Best Practices: A Cisco IT Perspective

Slide 30: Best Practices: Logical Diagram
[Diagram: Firewall / DMZ / Firewall / App Server Layer; nine AON nodes in clusters linked by AONSP, with a Log DB. Cluster functions: SSL termination, DSIG/cert validation, authentication, logging, etc.; payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP-2-JMS), content-based routing, logging; payload encryption, DSIG, logging, etc.]
• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties

Slide 31: Best Practices: Provisioning and Management
[Diagram: same as slide 30]
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention utilizing standard name spacing
• Implement isolation by sandboxing development environments by project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes into account all of the above

Slide 32: Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com Integration (contacts, leads, etc.)
Slide 33: Q and A

Slide 34: Intermission
Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT

Slide 35: Security with AON
Brook Schoenfield, Senior Security Architect, CSPO

Slide 36: Agenda
• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
    Combining Layer 3/4 and Layer 7+
    Common Security Functions
    Deep Content Inspection
    Access Controls

Slide 37: Agenda
• Where Does AON Fit into the Bigger Picture?
    What is Service Oriented Architecture (SOA)?
    What is Application Integration?
• What Is AON?
• AON Security Features/Architecture
    Combining Layer 3/4 and Layer 7+
    Common Security Functions
    Deep Content Inspection
    Access Controls

Slide 38: SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)

Slide 39: SOA Is Now
"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects"
Gartner, Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001
This is FYQ06: enterprises are looking for that 30% gain

Slide 40: AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"
Slide 41: Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business-process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions

Slide 42: Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)

Slide 43: Complexity (and Risk) Increase with Adoption
[Diagram: Partner 1, Partner 2, Partner n, Self-Service, Inventory Mgmt, Call Center]

Slide 44: Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
The code's internal state is not openly exposed:
• Only well-defined requests are serviced
• Requests do not reveal the service's algorithms
• Requests do not describe the service's state
• Requests provide services, not data access
Services should not share ACID transactions:
• Transactions imply a certain level of trust; locks may be held for a long time
• Transactions imply a level of coupling
(Microsoft Incorporated)
Slide 45: Agenda
• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
    Combining Layer 3/4 and Layer 7+
    Common Security Functions
    Deep Content Inspection
    Access Controls

Slide 46: What Role Does AON Play?
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator

Slide 47: AON and the OSI Stack
[Diagram: OSI layers with examples. Physical: data bits transmission; Data Link: data translation to frames; Network: IP logical addressing; Transport: TCP, UDP; Session: RPC, NFS; Presentation: ASCII, MPEG, GIF, etc.; Application. AON functions placed at the upper layers: Message Level Protocol (SOAP), Content-Based Routing, Content Inspection, Transformation, Security & Mapping]

Slide 48: Pre-AON Inspection and Operation
[Diagram: IP | TCP | HTTP | Payload (opaque). Switches, routers and firewalls: "content inspection" operates around the payload]
Slide 49: AON Is Inside the TCP/IP Wrapper
[Diagram: IP | TCP | HTTP | Payload; session protocol + content inspection == session and payload; http://www]
Payload/Message:
    <?xml version="1.0"?>
    <purchaseOrder orderDate="1999-10-20">
      <shipTo country="US">
        <name>Alice Smith</name>
        <street>123 Maple Street</street>
        <city>Mill Valley</city>
        <state>CA</state>
        <zip>90952</zip>
      </shipTo> …

Slide 50: AON Is Inside the TCP/IP Wrapper
[Diagram: same as slide 49]
Optimized for XML payloads

Slide 51: AON == Message Content and Envelope
[Diagram: IP | TCP | HTTP | Envelope (SOAP) | Messages (XML envelope standards + custom XML) == "Deep Inspection"; SOAP/WSEC; HTTP | XML Message Body; existing message bodies + custom parsing]

Slide 52: Why XML?
• TCP/IP gives you network HW independence
• JAVA gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption

Slide 53: AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital signature
• DMZ-to-application-layer secure connector (like SSH or STA)
Slide 54: These AON Security Functions…
…are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco external-facing services.

AON Security Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Encryption using SSL V3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited
XML payload encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
Protocol translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital signature | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
DMZ-2-App Layer secure connector | mod_IIOP over SSH pipes | Reverse Proxy | STA (Secure Transport Architecture): custom | Varies for each environment
Slide 55: Before AON: Current Location of Application and Service Support Utilities
[Diagram: Firewall / DMZ / Firewall / Application layer / Firewall; External Env 1, External Env 2 and B2B, with three Internal DBs. Each environment carries its own:]
• Environment/technology-specific: authentication, SSL V3 termination, DSIG validation, encryption
• Custom/application-based: content inspection/routing, schema validation, logging, service versioning

Slide 56: After AON: Future Location of Application and Service Support Utilities
[Diagram: Firewall / DMZ / Firewall / Application layer / Firewall; Common Utilities (three AON nodes) alongside Business Logic (Java, PERL, B2B) and three Internal DBs. AON provides:]
• SSL termination • SIG/cert validation • Authentication • Logging • Content-based routing
• Protocol conversion • Payload encryption • Payload decryption • Schema validation

Slide 57: Agenda
• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
    Combining Layer 3/4 and Layer 7+
    Common Security Functions
    Deep Content Inspection
    Access Controls

Slide 58: AON Security
• AON fosters a better network security architecture because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e., layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59: Pre-AON Web Security Architecture
[Diagram: Firewall / DMZ (Web Servers: WS, WS, WS) / Firewall / Application Layer (Business Logic: Java, PERL, B2B; three Internal DBs) / Firewall]

Slide 60: Pre-AON SOA/Web Services Security Architecture
[Diagram: same as slide 59, with a Web Services gateway (WSGW) added]

Slide 61: Pre-AON Attack Vectors
[Diagram: same as slide 60]

Slide 62: Pre-AON Attack Vectors
[Diagram: same as slide 60, annotated:]
Net architecture must be changed for the GW (more switches and routers = more ACs to manage)
The GW is NOT part of the network: compromise of layer 3/4 can attack the application layer, going around the GW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
22copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Protocol Relationships
Web Services Protocol SetXM
L-D
igita
l Sig
natu
re(D
SIG
)
XML-
Encr
yptio
n(X
ENC
)
TCPIP
HTTP
SOAP
WS-Security
AONService Broker
WSD
L
Out of BandExchange
UDDI
23copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON Play in SOA
bull Service BrokerApplication-Level Message Routing
ApplicationService Security
Application-Level Monitoring
Service Abstraction
Protocol Translation
Transformation and Mapping
bull Message Schema Validation
24copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON Play in Application Integration
Application Integrationbull Protocol Translation
bull Transformation and Mapping
bull Message Schema and Data Validation
25copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT AON Production Intangible Benefits
bull Faster time to delivery by reducing development lifecycle
bull Better security made possible by a common and simplified implementation provisioning and configuration process
bull Reduced complexity of applications and infrastructure
bull Architecture lends itself to the future of SOAbull Reduced resource requirements by individual
applicationsbull Moving intelligence into the network
26copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT View of AON
An invisible message routergateway in the network that routes transforms monitors and authenticateauthorize messages between end points
27copy 2005 Cisco Systems Inc All rights reserved Cisco Public
How Can AON Be Invisible
An AON node resides in the network as an inline application-aware device the device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or as a pass-through proxy that is transparent to applications
28copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Modes of Operation
Transparent Mode
Intercept with No Change to Applications
SendingApplication A
ReceivingApplication B
Integrated SwitchAON Blade
Based on WCCP Re-Direct ACL Intercept Traffic and
Forward to AON
httpBService1
29copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Best PracticesA Cisco IT Perspective
30copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Logical Diagram
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Cluster AON blades based on functionality
bull Identify common capabilities that span across multiple applications to be owned by Infrastructure
bull Move commoninfrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities into its own set of clusters
bull For external-facing Web Services infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
bull Standardize on AONP(S) as the inter-cluster communication protocol
bull Standardize on a naming convention for resources flows and properties
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
31copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Provisioning and Management
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Implement a standard SDLC strategy (devtestprod)
bull Implement collision prevention utilizing standard name spacing
bull Implement isolation by sandboxing development environment by project teams
bull Allow for an automated promotion process
bull Implement a promotion strategy that takes into account all of the above
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
32copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Services Leveraging AON
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Background Check
bull Salesforcecom Integration (contacts leads etchellip)
33copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
34copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Intermission
Coming up in the next hourbull Security with AON
bull AON Deployment Timelines within Cisco IT
bull AON Business Case within Cisco IT
35copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Security with AON
Brook Schoenfield Senior Security ArchitectCSPO
36copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
Slide 37: Agenda
• Where does AON fit into the bigger picture?
  - What is Service Oriented Architecture (SOA)?
  - What is application integration?
• What is AON?
• AON security features/architecture
  - Combining Layer 3/4 and Layer 7+
  - Common security functions
  - Deep content inspection
  - Access controls
Slide 38: SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order: an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)
Slide 39: SOA Is Now
"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects."
Gartner, Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001
This is FYQ06; enterprises are looking for that 30% gain.
Slide 40: AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"
Slide 41: Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business-process focused IT
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions
Slide 42: Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)
Slide 43: Complexity (and Risk) Increase with Adoption
(Diagram: Partner 1, Partner 2 ... Partner n, Self-Service, Inventory Mgmt and Call Center all consuming the same set of services.)
Slide 44: Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
  - Not everyone will be served
  - Inspect, validate and authenticate requests
• The code's internal state is not openly exposed
  - Only well-defined requests are serviced
  - Requests do not reveal the service's algorithms
  - Requests do not describe the service's state
  - Requests provide services, not data access
• Services should not share ACID transactions
  - Transactions imply a certain level of trust
  - Locks may be held for a long time
  - Transactions imply a level of coupling (Microsoft Incorporated)
Slide 45: Agenda
• Where does AON fit into the bigger picture?
• What is AON?
• AON security features/architecture
  - Combining Layer 3/4 and Layer 7+
  - Common security functions
  - Deep content inspection
  - Access controls
Slide 46: What Role Does AON Play?
• Service broker in SOA
• Integration broker in application integration
• Message security integrator
Slide 47: AON and the OSI Stack
Application: content inspection, transformation, security and mapping
Presentation: ASCII, MPEG, GIF, etc.
Session: RPC, NFS
Transport: TCP, UDP
Network: IP, logical addressing
Data Link: translation of data to frames
Physical: transmission of data bits
AON operates in the upper layers (session through application): content-based routing, the message-level protocol (SOAP), and content inspection, transformation, security and mapping.
Slide 48: Pre-AON Inspection and Operation
(Diagram: IP | TCP | HTTP | payload. The payload is opaque.)
Switches, routers, firewalls and "content inspection" operate around the payload.
Slide 49: AON Is Inside the TCP/IP Wrapper
(Diagram: IP | TCP | HTTP (http://www) | payload/message.)
Session protocol + content inspection == session and payload
Payload/Message:
  <?xml version="1.0"?>
  <purchaseOrder orderDate="1999-10-20">
    <shipTo country="US">
      <name>Alice Smith</name>
      <street>123 Maple Street</street>
      <city>Mill Valley</city>
      <state>CA</state>
      <zip>90952</zip>
    </shipTo>
    ...
Slide 50: AON Is Inside the TCP/IP Wrapper
(Same diagram and purchase-order payload as slide 49.)
Session protocol + content inspection == session and payload
Optimized for XML payloads
Slide 51: AON == Message Content and Envelope
(Diagram: IP | TCP | HTTP (http://www) | SOAP/WSEC envelope | XML message body.)
HTTP envelope (SOAP) messages (XML envelope standards + custom XML) == "deep inspection"
Existing message bodies + custom parsing
Slide 52: Why XML?
• TCP/IP gives you network hardware independence
• Java gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
Slide 53: AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3 at the time of this deck; SSL 3.0 has since been deprecated by RFC 7568, so a current deployment would terminate TLS)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital signature
• DMZ-to-application-layer secure connector (like SSH or STA)
Slide 54: These AON Security Functions...
...are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco external-facing services.

AON security function: encryption using SSL v3 with bi-directional authentication
  External app environment 1: Limited
  B2B (WebMethods): WebMethods specific; requires significant setup effort
  External app environment 2: Limited
  Other environments: Limited

AON security function: XML payload encryption
  External app environment 1: custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External app environment 2: custom written by each app
  Other environments: Limited

AON security function: protocol translation
  External app environment 1: custom written by each application
  B2B (WebMethods): WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies
  External app environment 2: custom written by each application
  Other environments: custom written and/or product/technology specific

AON security function: digital signature
  External app environment 1: custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External app environment 2: custom written by each app
  Other environments: Limited

AON security function: DMZ-to-app-layer secure connector
  External app environment 1: mod_IIOP over SSH pipes
  B2B (WebMethods): reverse proxy
  External app environment 2: STA (Secure Transport Architecture), custom
  Other environments: varies for each environment
Slide 55: Before AON: Current Location of Application and Service Support Utilities
(Diagram: Firewall, DMZ, Firewall, application layer, Firewall, internal DBs. Three parallel paths, External Env 1, External Env 2 and B2B, each carrying its own copy of the support utilities:)
• Environment/technology specific: authentication, SSL v3 termination, DSIG validation, encryption
• Custom/application-based: content inspection/routing, schema validation, logging, service versioning
(The same two groups are repeated in each of the three environments.)
Slide 56: After AON: Future Location of Application and Service Support Utilities
(Diagram: Firewall, DMZ, Firewall, application layer, Firewall, internal DBs. AON devices host the common utilities in front of the business logic (Java, PERL, B2B).)
Common utilities on AON:
• SSL termination
• Signature/certificate validation
• Authentication
• Logging
• Content-based routing
• Protocol conversion
• Payload encryption
• Payload decryption
• Schema validation
Slide 57: Agenda
• Where does AON fit into the bigger picture?
• What is AON?
• AON security features/architecture
  - Combining Layer 3/4 and Layer 7+
  - Common security functions
  - Deep content inspection
  - Access controls
Slide 58: AON Security
• AON fosters a better network security architecture because it reduces the number of unprotected segments between applications and the AON device
• Use of layer 3/4 to protect layer 7 functions (i.e. layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development from implementation
Slide 59: Pre-AON Web Security Architecture
(Diagram: Firewall, DMZ with web servers (WS), Firewall, application layer with business logic (Java, PERL, B2B), Firewall, internal DBs.)
Slide 60: Pre-AON SOA/Web Services Security Architecture
(Diagram: as slide 59, with a web services gateway (WSGW) added in front of the business logic.)
Slide 61: Pre-AON Attack Vectors
(Diagram: as slide 60; the attack paths are called out on the next slide.)
Slide 62: Pre-AON Attack Vectors
(Diagram: as slide 60, with two callouts.)
• The network architecture must be changed to accommodate the gateway (more switches and routers = more ACLs to manage)
• The gateway is NOT part of the network: a compromise at layer 3/4 can attack the application layer directly, going around the gateway
Slide 63: A Possible (Simplified) AON Architecture
(Diagram: Firewall, DMZ with web servers (WS), Firewall, application layer with business logic (Java, PERL, B2B) fronted by AON, Firewall, internal DBs.)
• AON is part of the network: the application layer is directly connected to the network device
• Message protection is terminated at AON, so the layer 3/4 bypass around a separate gateway (slide 62) is closed
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64: AON Potential Architecture
(Diagram: Firewall, DMZ, Firewall, app server layer. AON in the DMZ receives HTTP(S) from outside and talks HTTP(S) and AONSP to the AON cluster in the app server layer, which reaches App1, Svc2, Svc3, an application directory service, a gateway and a JMS server over HTTP(S) and JMS. Callouts: SSL termination, DSIG/cert validation, authentication, logging; payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP to JMS), content-based routing, logging; payload encryption, DSIG, logging.)
• Web servers == AON
• Common application functions == AON
Slide 65: AON Potential Architecture
(Same diagram as slide 64.)
• Replace web servers with AON
• AON terminates HTTPS and provides the other DMZ functions
• Common functions in the application layer, provided by AON, protect the services and logic in the application layer
Slide 66: Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of the infrastructure: "for application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions
Slide 67: Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or in the message (XENC)
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68: Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  - XML-Signature (DSIG) == digital signature use
  - XML-Encryption (XENC) == encrypt/decrypt use
  - Authenticators
• + More standards proposed (alphabet soup):
  - Web Services Description Language (WSDL)
  - Universal Description, Discovery and Integration (UDDI)
  - Web Services Flow Language (WSFL)
  - Other business rules (BPEL4WS)
Slide 69: AON Implements Messaging Standards
(Diagram: a stack of TCP/IP, HTTP, SOAP and WS-Security, beside the XML protocol set: XML-Encryption (XENC), XML-Digital Signature (DSIG) and XSL Transformations (XSLT). AON sits on top as the security integrator for the SOA.)
Slide 70: Standards Relationships
(Diagram: the same stack as slide 69 (TCP/IP, HTTP, SOAP, WS-Security; XENC, DSIG, XSLT), with AON labelled as accelerated XML services.)
Slide 71: Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used over the entire message or for parts of a message; use certificate or key enveloping (WSSEC); DSIG is very general purpose
Slide 72: Encryption/Decryption
• Confidentiality
• Integrity (at the transport, SSL's record MAC provides it; XML-Encryption on its own does not authenticate the ciphertext, so pair XENC with DSIG where message integrity is required)
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Slide 73: Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials
  - X.509 certificate
  - Signature validation (XML-Signature (DSIG), certificate based)
Slide 74: Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out of the box)
• A very general-purpose mechanism for controlling message access and routing
Slide 75: Deep Content Inspection
• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Java "bladelets" can be written that use the same services as AON's internal content-handling code, and so handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (no signatures come out of the box; the team has to write them)
Slide 76: AON Components
• AMC (AON Management Console): used for configuring and provisioning AON modules
• ADS (AON Design Studio): used for developing application policies ("flows")
• AON blades
• Log DB
Slide 77: Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, in the AON components, and through AON's own access controls.
Slide 78: Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  - Combining Layer 3/4 and Layer 7+ security controls
  - Common security functions: signatures, encryption, PKI
  - Deep content inspection: content-level ACLs
  - Reasonable administrative access controls
Slide 79: Q and A
Session Number 11657_09_2005_c1
Slide 23: What Role Does AON Play in SOA?
• Service broker
  - Application-level message routing
  - Application/service security
  - Application-level monitoring
  - Service abstraction
  - Protocol translation
  - Transformation and mapping
• Message schema validation
Slide 24: What Role Does AON Play in Application Integration?
Application integration:
• Protocol translation
• Transformation and mapping
• Message schema and data validation
Slide 25: Cisco IT AON Production: Intangible Benefits
• Faster time to delivery by reducing the development lifecycle
• Better security, made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements by individual applications
• Moving intelligence into the network
Slide 26: Cisco IT View of AON
An invisible message router/gateway in the network that routes, transforms, monitors and authenticates/authorizes messages between end points.
Slide 27: How Can AON Be Invisible?
An AON node resides in the network as an inline, application-aware device. It acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or operate as a pass-through proxy that is transparent to them.
Slide 28: AON Modes of Operation
Transparent mode: intercept with no change to applications.
(Diagram: Sending Application A sends to http://B/Service1; an integrated switch with an AON blade intercepts the traffic based on a WCCP redirect ACL and forwards it to AON, which delivers it to Receiving Application B.)
Slide 29: AON Best Practices: A Cisco IT Perspective
Slide 30: Best Practices: Logical Diagram
(Diagram: Firewall, DMZ, Firewall, App Server Layer. AON clusters sit in the DMZ and in the application layer, linked over AONSP, with a Log DB. Callouts: SSL termination, DSIG/cert validation, authentication, logging; payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP to JMS), content-based routing, logging; payload encryption, DSIG, logging.)
• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web services, the infrastructure AON cluster should sit in the DMZ while the application AON cluster resides in the protected network
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties
31copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Provisioning and Management
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Implement a standard SDLC strategy (devtestprod)
bull Implement collision prevention utilizing standard name spacing
bull Implement isolation by sandboxing development environment by project teams
bull Allow for an automated promotion process
bull Implement a promotion strategy that takes into account all of the above
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
32copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Services Leveraging AON
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Background Check
bull Salesforcecom Integration (contacts leads etchellip)
33copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
34copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Intermission
Coming up in the next hourbull Security with AON
bull AON Deployment Timelines within Cisco IT
bull AON Business Case within Cisco IT
35copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Security with AON
Brook Schoenfield Senior Security ArchitectCSPO
36copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
37copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger PictureWhat is Service Oriented Architecture (SOA)
What is Application Integration
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
38copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA
bull Service Oriented Architecture is a different mindset
bull Focus on delivering a service offering (an invoice a purchase order an item or unit that has intrinsic business understanding and value)
bull No longer focus on the programmatic interface (message standards take care of that)
39copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA Is Now
ldquoBy 2005 the aggressive use of Web services will drive a 30 increase in the efficiency of IT development projectsrdquo
Gartner Inc ldquoThe Hype Is Right Web Services Will Deliver Immediate Benefitsrdquo October 2001
This Is FYQ06 Enterprises Are Looking for that 30 Gain
40copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and SOA
bull AON can be a key part of an SOA build out
bull AON provides the necessary security functions
bull Common functions become ldquopart of the networkrdquo
41copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Specific Drivers for SOA
bull Move from functionally focused IT to business process focused
bull Single source of truth
bull Development cyclesmdashreusability
bull Business responsiveness
bull Consistency
bull Security functions
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Healthy Distrust = Security Controls
bull Services should be distrustful of the outside world
bull Not everyone will be served
bull Inspect validate and authenticate requestsThe codersquos internal state is not openly exposed
bull Only well defined requests are serviced
bull Requests do not reveal the servicersquos algorithms
bull Requests do not describe the servicersquos state
bull Requests provide services not data accessServices should not share ACID transactions
bull Transactions imply a certain level of trustLocks may be held for a long time
bull Transactions imply a level of couplingmdashMicrosoft Incorporated
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
Slide 63: A Possible (Simplified) AON Architecture
[Diagram: same layout as the pre-AON slides, with AON in place of the WS GW in the DMZ and a second AON in front of the business logic (Java, PERL, B2B, internal DBs)]
• AON is part of the network; the app layer is directly connected to the network device
• Message protection is terminated at AON; no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64: AON Potential Architecture
[Diagram: Firewall / DMZ / Firewall / App Server layer. External clients reach an AON cluster in the DMZ over HTTP(S); the DMZ AONs talk to application-layer AONs over AONSP; the application-layer AONs reach App1, Svc2, Svc3, the Gateway and a JMS Server over HTTP(S) or JMS, with an App Dir Svc alongside. Function labels per AON tier: SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.; Payload Decryption, Schema Validation, Content Inspection/Routing, logging; Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; Payload Encryption, DSIG, logging, etc. Captions: Web servers == AON; Common Application functions == AON]

Slide 65: AON Potential Architecture
[Diagram: same as slide 64]
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer, provided by AON, protect services and logic in the application layer
Slide 66: Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions

Slide 67: Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68: Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for:
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + More standards proposed (alphabet soup): Web Services Description Language (WSDL), Universal Description, Discovery and Integration (UDDI), Web Services Flow Language (WSFL), other business rules (BPEL4WS)

Slide 69: AON Implements Messaging Standards
[Diagram: protocol stack TCP/IP, HTTP, SOAP, WS-Security; on top of it the XML Protocol Set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT); AON positioned as the Security Integrator for SOA]

Slide 70: Standards Relationships
[Diagram: same stack as slide 69; AON positioned as Accelerated XML Services]
Slide 71: Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used for the entire message or for parts of a message; uses certificate or key enveloping (WSSEC); DSIG is very general purpose

Slide 72: Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message

Slide 73: Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials: X.509 certificate; signature validation (XENC, certificate based)

Slide 74: Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general purpose mechanism for controlling message access and routing

Slide 75: Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets" code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out-of-the-box)
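The flow security mechanisms (format and data-range validation, authorization rules) and the deep content inspection behaviour (signatures that alarm versus signatures that stop the message) described on the two slides above, as an added Python example that is not AON code and not part of the original deck; it runs those checks over a copy of the purchaseOrder message used elsewhere in the deck. The principal names, the ACL table, the allowed-country range and the signature patterns are constructed assumptions.

```python
"""Added example (not AON code): a message-level flow that applies format,
data-range, authorization and signature checks to a purchase-order message.
Names, the ACL table and the signature patterns are constructed assumptions."""
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the purchaseOrder snippet used in the deck.
SAMPLE_PO = """<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>"""

# Message-level ACL (hypothetical): which authenticated principal may submit
# which message type. The principal comes from the authentication step
# (HTTP BASIC, LDAP, X.509) that runs before this flow.
MESSAGE_ACL = {
    "purchaseOrder": {"partner1", "partner2"},
    "orderStatus": {"partner1", "partner2", "selfservice"},
}

# Content-inspection signatures (hypothetical): name, pattern, action.
# "alarm" = content IDS behaviour, "block" = firewall behaviour. A service
# that never expects a DTD can refuse any DOCTYPE/ENTITY declaration outright.
SIGNATURES = [
    ("entity-declaration", re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.I), "block"),
    ("script-markup", re.compile(r"<script\b", re.I), "alarm"),
]

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
ZIP_RE = re.compile(r"^\d{5}$")
STATE_RE = re.compile(r"^[A-Z]{2}$")
ALLOWED_COUNTRIES = {"US", "CA"}          # data-range rule (constructed)
REQUIRED_SHIPTO = ("name", "street", "city", "state", "zip")


def _text(el):
    """Stripped text of an element, or '' when the element is absent/empty."""
    return (el.text or "").strip() if el is not None else ""


def validate_purchase_order(root):
    """Schema and data-range validation; returns a list of 'schema:' findings."""
    problems = []
    if not DATE_RE.match(root.get("orderDate", "")):
        problems.append("schema:orderDate must be YYYY-MM-DD")
    ship = root.find("shipTo")
    if ship is None:
        return problems + ["schema:missing shipTo"]
    if ship.get("country") not in ALLOWED_COUNTRIES:
        problems.append("schema:country outside allowed range")
    for tag in REQUIRED_SHIPTO:
        if not _text(ship.find(tag)):
            problems.append(f"schema:missing {tag}")
    if ship.find("zip") is not None and not ZIP_RE.match(_text(ship.find("zip"))):
        problems.append("schema:zip must be five digits")
    if ship.find("state") is not None and not STATE_RE.match(_text(ship.find("state"))):
        problems.append("schema:state must be a two-letter code")
    return problems


def run_flow(raw_xml, principal):
    """Return (verdict, findings): 'forward', 'alarm' (forward and log) or 'reject'."""
    findings = []
    # 1. Signatures run on the raw text before any parser touches the message,
    #    so a blocking signature stops the message without parsing it.
    for name, pattern, action in SIGNATURES:
        if pattern.search(raw_xml):
            findings.append(f"signature:{name}")
            if action == "block":
                return "reject", findings
    # 2. Message format validation (well-formedness).
    try:
        root = ET.fromstring(raw_xml)
    except ET.ParseError as exc:
        return "reject", findings + [f"malformed:{exc}"]
    # 3. Authorization rule: message type versus authenticated principal.
    if principal not in MESSAGE_ACL.get(root.tag, set()):
        findings.append(f"acl:{principal} may not send {root.tag}")
        return "reject", findings
    # 4. Schema and data-range validation for the message types we know.
    if root.tag == "purchaseOrder":
        findings += validate_purchase_order(root)
        if any(f.startswith("schema:") for f in findings):
            return "reject", findings
    # Only alarm-type signature hits can remain here: forward, but log them.
    return ("alarm" if findings else "forward"), findings


if __name__ == "__main__":
    print(run_flow(SAMPLE_PO, "partner1"))        # ('forward', [])
    print(run_flow(SAMPLE_PO, "selfservice"))     # ('reject', ['acl:selfservice may not send purchaseOrder'])
```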
Slide 76: AON Components
[Diagram: AON blades; AMC (AON Mgmt Console), used for configuring and provisioning AON modules; ADS (AON Design Studio), used for developing application policies ("flows"); LOG DB]

Slide 77: Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, at the AON component, and through AON access controls

Slide 78: Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection, content-level ACLs
  Reasonable administrative access controls

Slide 79: Q and A
Session Number 11657_09_2005_c1
Slide 24: What Role Does AON Play in Application Integration?
Application Integration:
• Protocol translation
• Transformation and mapping
• Message schema and data validation

Slide 25: Cisco IT AON Production: Intangible Benefits
• Faster time to delivery by reducing the development lifecycle
• Better security, made possible by a common and simplified implementation, provisioning and configuration process
• Reduced complexity of applications and infrastructure
• Architecture lends itself to the future of SOA
• Reduced resource requirements by individual applications
• Moving intelligence into the network

Slide 26: Cisco IT View of AON
An invisible message router/gateway in the network that routes, transforms, monitors, and authenticates/authorizes messages between end points

Slide 27: How Can AON Be Invisible?
An AON node resides in the network as an inline, application-aware device. The device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications.
Slide 28: AON Modes of Operation
Transparent Mode: intercept with no change to applications
[Diagram: Sending Application A sends to http://B/Service1; an Integrated Switch / AON Blade in the path, based on a WCCP re-direct ACL, intercepts the traffic and forwards it to AON, which then delivers it to Receiving Application B]

Slide 29: AON Best Practices: A Cisco IT Perspective
Slide 30: Best Practices: Logical Diagram
[Diagram: Firewall / DMZ / Firewall / App Server Layer; a cluster of AON blades in the DMZ and a cluster in the app server layer, linked over AONSP, with a Log DB. Function labels: SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.; Payload Decryption, Schema Validation, Content Inspection/Routing, logging; Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; Payload Encryption, DSIG, logging, etc.]
• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties

Slide 31: Best Practices: Provisioning and Management
[Diagram: same as slide 30]
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention utilizing standard name spacing
• Implement isolation by sandboxing the development environment per project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes into account all of the above
Slide 32: Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com Integration (contacts, leads, etc.)

Slide 33: Q and A

Slide 34: Intermission
Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT

Slide 35: Security with AON
Brook Schoenfield, Senior Security Architect, CSPO

Slide 36: Agenda
• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture:
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 37: Agenda
• Where Does AON Fit into the Bigger Picture?
  What is Service Oriented Architecture (SOA)?
  What is Application Integration?
• What Is AON?
• AON Security Features/Architecture:
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls

Slide 38: SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order: an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)

Slide 39: SOA Is Now
"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects"
Gartner, Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001
This is FYQ06; enterprises are looking for that 30% gain

Slide 40: AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"
Slide 41: Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions

Slide 42: Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)

Slide 43: Complexity (and Risk) Increase with Adoption
[Diagram: Partner 1, Partner 2, ... Partner n, Self-Service, Inventory Mgmt and Call Center, all interconnected with the services]

Slide 44: Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
The code's internal state is not openly exposed:
• Only well defined requests are serviced
• Requests do not reveal the service's algorithms
• Requests do not describe the service's state
• Requests provide services, not data access
Services should not share ACID transactions:
• Transactions imply a certain level of trust
• Locks may be held for a long time
• Transactions imply a level of coupling
(Microsoft Incorporated)

Slide 45: Agenda
• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture:
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls

Slide 46: What Role Does AON Play?
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator
Slide 47: AON and the OSI Stack
[Table: OSI layer and examples]
Application
Presentation: ASCII, MPEG, GIF, etc.
Session: RPC, NFS
Transport: TCP, UDP
Network: IP, logical addressing
Data Link: data translation to frames
Physical: data bits transmission
AON functions shown against the upper layers: Message Level Protocol (SOAP); Content-Based Routing; Content Inspection, Transformation, Security & Mapping

Slide 48: Pre-AON Inspection and Operation
[Diagram: IP | TCP | HTTP | payload, with the payload marked Opaque]
Switches, routers, firewalls and "content inspection" operate around the payload
Slide 49: AON Is Inside the TCP/IP Wrapper
[Diagram: IP | TCP | HTTP | Payload/Message; session protocol + content inspection == session and payload]
Payload (message), as shown on the slide:
  <?xml version="1.0"?>
  <purchaseOrder orderDate="1999-10-20">
    <shipTo country="US">
      <name>Alice Smith</name>
      <street>123 Maple Street</street>
      <city>Mill Valley</city>
      <state>CA</state>
      <zip>90952</zip>
    </shipTo>
    ...
Http://www

Slide 50: AON Is Inside the TCP/IP Wrapper
[Diagram: same as slide 49]
Optimized for XML payloads

Slide 51: AON == Message Content and Envelope
[Diagram: IP | TCP | HTTP | SOAP/WSEC | XML message body. HTTP envelope (SOAP) messages (XML envelope standards + custom XML) == "deep inspection"; existing message bodies + custom parsing]

Slide 52: Why XML?
• TCP/IP gives you network hardware independence
• Java gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
Slide 53: AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)

Slide 54: These AON Security Functions...
...are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco external-facing services
[Table; columns: AON Security Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments]
Encryption using SSL V3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited
XML Payload Encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
Protocol Translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital Signature | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
DMZ-2-App Layer Secure Connector | mod_IIOP over SSH pipes | Reverse Proxy | STA (Secure Transport Architecture), custom | Varies for each environment
Slide 55: Before AON: Current Location of Application and Service Support Utilities
[Diagram: DMZ and Application layer separated by firewalls; External Env 1, External Env 2 and B2B each carry their own Environment/Technology-specific Authentication, SSL V3 Termination, DSIG Validation and Encryption, plus Custom/Application-based Content Inspection/Routing, Schema Validation, Logging and Service Versioning; each is backed by an Internal DB]

Slide 56: After AON: Future Location of Application and Service Support Utilities
[Diagram: DMZ and Application layer separated by firewalls; Common Utilities hosted on AON in front of the Business Logic (Java, PERL, B2B) and the Internal DBs]
AON provides: SSL Termination, SIG/Cert Validation, Authentication, Logging, Content-based Routing, Protocol Conversion, Payload Encryption, Payload Decryption, Schema Validation

Slide 57: Agenda
• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture:
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
25copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT AON Production Intangible Benefits
bull Faster time to delivery by reducing development lifecycle
bull Better security made possible by a common and simplified implementation provisioning and configuration process
bull Reduced complexity of applications and infrastructure
bull Architecture lends itself to the future of SOAbull Reduced resource requirements by individual
applicationsbull Moving intelligence into the network
26copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT View of AON
An invisible message routergateway in the network that routes transforms monitors and authenticateauthorize messages between end points
27copy 2005 Cisco Systems Inc All rights reserved Cisco Public
How Can AON Be Invisible
An AON node resides in the network as an inline application-aware device the device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or as a pass-through proxy that is transparent to applications
28copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Modes of Operation
Transparent Mode
Intercept with No Change to Applications
SendingApplication A
ReceivingApplication B
Integrated SwitchAON Blade
Based on WCCP Re-Direct ACL Intercept Traffic and
Forward to AON
httpBService1
29copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Best PracticesA Cisco IT Perspective
30copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Logical Diagram
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Cluster AON blades based on functionality
bull Identify common capabilities that span across multiple applications to be owned by Infrastructure
bull Move commoninfrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities into its own set of clusters
bull For external-facing Web Services infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
bull Standardize on AONP(S) as the inter-cluster communication protocol
bull Standardize on a naming convention for resources flows and properties
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
31copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Provisioning and Management
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Implement a standard SDLC strategy (devtestprod)
bull Implement collision prevention utilizing standard name spacing
bull Implement isolation by sandboxing development environment by project teams
bull Allow for an automated promotion process
bull Implement a promotion strategy that takes into account all of the above
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
32copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Services Leveraging AON
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Background Check
bull Salesforcecom Integration (contacts leads etchellip)
33copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
34copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Intermission
Coming up in the next hourbull Security with AON
bull AON Deployment Timelines within Cisco IT
bull AON Business Case within Cisco IT
35copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Security with AON
Brook Schoenfield Senior Security ArchitectCSPO
Slide 36: Agenda

• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls

Slide 37: Agenda

• Where Does AON Fit into the Bigger Picture?
  - What Is Service Oriented Architecture (SOA)?
  - What Is Application Integration?
• What Is AON?
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls
Slide 38: SOA

• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order: an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)

Slide 39: SOA Is Now

"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects."
Gartner Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001

This is FYQ06; enterprises are looking for that 30% gain.

Slide 40: AON and SOA

• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"

Slide 41: Cisco IT Specific Drivers for SOA

• Move from functionally focused IT to business-process focused IT
• Single source of truth
• Development cycles (reusability)
• Business responsiveness
• Consistency
• Security functions

Slide 42: Example of Cisco Distributed Services (SOA)

• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)
Slide 43: Complexity (and Risk) Increase with Adoption

[Diagram: service consumers Partner 1, Partner 2 ... Partner n, Self-Service, Inventory Mgmt and Call Center all connecting to the shared services]

Slide 44: Healthy Distrust = Security Controls

• Services should be distrustful of the outside world
  - Not everyone will be served
  - Inspect, validate and authenticate requests
• The code's internal state is not openly exposed
  - Only well-defined requests are serviced
  - Requests do not reveal the service's algorithms
  - Requests do not describe the service's state
  - Requests provide services, not data access
• Services should not share ACID transactions
  - Transactions imply a certain level of trust
  - Locks may be held for a long time
  - Transactions imply a level of coupling
-- Microsoft Incorporated
Slide 45: Agenda

• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls

Slide 46: What Role Does AON Play?

• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator
Slide 47: AON and the OSI Stack

Layer        | Example protocols / function   | AON function
Application  | Message Level Protocol (SOAP)  | Content Inspection, Transformation, Security & Mapping; Content-Based Routing
Presentation | ASCII, MPEG, GIF, etc.         |
Session      | RPC, NFS                       |
Transport    | TCP, UDP                       |
Network      | IP (Logical Addressing)        |
Data Link    | Data Translation to Frames     |
Physical     | Data Bits Transmission         |

Slide 48: Pre-AON Inspection and Operation

[Diagram: IP | TCP | HTTP | Payload (opaque)]
Switches, Routers, Firewalls: "Content Inspection" operates around the payload, which remains opaque.
Slide 49: AON Is Inside the TCP/IP Wrapper

[Diagram: IP | TCP | HTTP (http://www...) | Payload / Message]
Session Protocol + Content Inspection == Session and Payload

Payload / Message:
<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  ...

Slide 50: AON Is Inside the TCP/IP Wrapper

[Diagram: same as slide 49, the purchase order payload shown inside the IP/TCP/HTTP wrapper]
Optimized for XML Payloads

Slide 51: AON == Message Content and Envelope

[Diagram: IP | TCP | HTTP (http://www...) | SOAP / WS-SEC envelope | XML Message Body]
HTTP Envelope (SOAP) Messages (XML envelope standards + custom XML) == "Deep Inspection"
Existing Message Bodies + Custom Parsing
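The wrapper-versus-payload distinction on slides 48 to 51 in running form. This is an added example, not code from Cisco or from AON (whose bladelets are Java; Python is used here for brevity). It takes a constructed HTTP POST carrying a SOAP envelope around the slides' purchase order, shows what a device that "operates around the payload" can see (request line, headers, payload length) against what a payload-aware device sees (the WS-Security username and the business document), and then routes on message content. The SOAP and WS-Security namespace URIs are the standard ones; the host, path, username and routing table are assumptions.

```python
# Added example (not Cisco's AON code): peel an HTTP request down to the SOAP
# body and route the message on its content. The request below is constructed
# for illustration; host, path, user and the routing table are assumptions.
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# WS-Security 1.0 security-extension namespace (standard URI).
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed sample: the slides' purchase order wrapped in a SOAP envelope
# and an HTTP POST, as it would arrive at the blade.
SAMPLE_REQUEST = (
    "POST /po HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Content-Type: text/xml\r\n"
    "\r\n"
    '<?xml version="1.0"?>'
    f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">'
    "<soap:Header><wsse:Security><wsse:UsernameToken>"
    "<wsse:Username>alice</wsse:Username>"
    "</wsse:UsernameToken></wsse:Security></soap:Header>"
    "<soap:Body>"
    '<purchaseOrder orderDate="1999-10-20">'
    '<shipTo country="US"><name>Alice Smith</name>'
    "<street>123 Maple Street</street><city>Mill Valley</city>"
    "<state>CA</state><zip>90952</zip></shipTo>"
    "</purchaseOrder>"
    "</soap:Body></soap:Envelope>"
)


def layer7_view(raw: str) -> dict:
    """What a router, firewall or plain HTTP proxy sees: the request line and
    headers; the payload is an opaque byte count."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = dict(h.split(": ", 1) for h in lines[1:])
    return {"method": method, "path": path, "headers": headers,
            "payload_bytes": len(body.encode())}


def deep_inspect(raw: str) -> dict:
    """What a payload-aware device sees: the WS-Security header and the
    business document inside the SOAP body."""
    _, _, body = raw.partition("\r\n\r\n")
    env = ET.fromstring(body)
    header = env.find(f"{{{SOAP_NS}}}Header")
    user = (header.find(f".//{{{WSSE_NS}}}Username")
            if header is not None else None)
    soap_body = env.find(f"{{{SOAP_NS}}}Body")
    payload = list(soap_body)[0]  # first child of Body is the business doc
    return {"user": user.text if user is not None else None,
            "root": payload.tag,
            "order_date": payload.get("orderDate"),
            "ship_country": payload.find("shipTo").get("country")}


# Hypothetical content-based routing table (an assumption, not AON's).
ROUTES = {("purchaseOrder", "US"): "po-service-us",
          ("purchaseOrder", "CA"): "po-service-ca"}


def route(raw: str) -> str:
    """Pick the destination service from document type and ship-to country."""
    info = deep_inspect(raw)
    return ROUTES.get((info["root"], info["ship_country"]), "default-service")
```

The point to notice is that `layer7_view` can only make decisions on the 5-tuple, method, path and headers, while `deep_inspect` is the first place an authenticated identity (the WS-Security username) and the order itself become visible; that is where the slides place content-based routing, schema validation and message-level access control.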
Slide 52: Why XML?

• TCP/IP gives you network HW independence
• Java gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption

Slide 53: AON Delivers the Following Support Utilities for Security

• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital Signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)
Slide 54: These AON Security Functions...

...Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services

AON Security Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Encryption using SSL V3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited
XML Payload Encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
Protocol Translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital Signature | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
DMZ-2-App Layer Secure Connector | mod_IIOP over SSH pipes | Reverse Proxy | STA (Secure Transport Architecture), custom | Varies for each environment
Slide 55: Before AON: Current Location of Application and Service Support Utilities

[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs. Three external environments (External Env 1, External Env 2, B2B), each carrying its own copy of:
• Environment/technology-specific: Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning]

Slide 56: After AON: Future Location of Application and Service Support Utilities

[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs. Three AON blades provide the Common Utilities in front of the Business Logic tier (Java, PERL, B2B), which talks to the Internal DBs.]
Common utilities provided by AON:
• SSL Termination
• SIG/Cert Validation
• Authentication
• Logging
• Content-based Routing
• Protocol Conversion
• Payload Encryption
• Payload Decryption
• Schema Validation
Slide 57: Agenda

• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls

Slide 58: AON Security

• AON fosters a better network security architecture, because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e., layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59: Pre-AON Web Security Architecture

[Diagram: Firewall | DMZ | Firewall | Application Layer | Firewall | Internal DBs. Web Servers (WS x3) in the DMZ front the Business Logic tier (Java, PERL, B2B), which uses the Internal DBs.]

Slide 60: Pre-AON SOA/Web Services Security Architecture

[Diagram: as slide 59, with a Web Services Gateway (WS GW) added in the DMZ beside the web servers.]

Slide 61: Pre-AON Attack Vectors

[Diagram: as slide 60 (web servers and WS GW in the DMZ, Java/PERL/B2B business logic, Internal DBs), with the attack vectors highlighted.]
Slide 62: Pre-AON Attack Vectors

[Diagram: as slide 61, annotated:]
• Net architecture must be changed for the GW (more switches and routers = more ACs to manage)
• The GW is NOT part of the network: compromise of layer 3/4 can attack the application layer, going around the GW

Slide 63: A Possible (Simplified) AON Architecture

[Diagram: Firewall | DMZ | Firewall | Application Layer | Firewall | Internal DBs. AON blades take the place of the WS GW; web servers (WS x3), business logic (Java, PERL, B2B) and Internal DBs as before.]
• AON is part of the network: the app layer is directly connected to the network device
• Message protection is terminated at AON: no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64: AON Potential Architecture

[Diagram: Firewall | DMZ | Firewall | App Server layer. External HTTP(S) traffic enters a DMZ AON cluster (Gateway); AONSP links it to application-layer AON clusters that front App1, Svc2, Svc3, an App Dir Svc and a JMS Server over HTTP(S) and JMS. Per-cluster functions: SSL termination, DSIG/cert validation, authentication, logging, etc.; payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP-2-JMS), content-based routing, logging; payload encryption, DSIG, logging, etc.]
Web servers == AON
Common application functions == AON

Slide 65: AON Potential Architecture

[Diagram: same as slide 64]
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer, provided by AON, protect services and logic in the application layer
Slide 66: Implementation Consistency

• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions

Slide 67: Some of AON's Security Functions

• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC)
• Authentication (HTTP BASIC, LDAP stores, X.509 Certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68: Key XML Standards

• WS-SEC or WSEC (WS-Security): an envelope and semantic for
  - XML-Signature (DSIG) == digital signature use
  - XML-Encryption (XENC) == encrypt/decrypt use
  - Authenticators
• + More standards proposed (alphabet soup):
  - Web Services Description Language (WSDL)
  - Universal Description, Discovery and Integration (UDDI)
  - Web Services Flow Language (WSFL)
  - Other business rules (BPEL4WS)

Slide 69: AON Implements Messaging Standards

[Diagram: protocol stack TCP/IP -> HTTP -> SOAP -> WS-Security, with the XML protocol set (XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT)) alongside; AON acts as the Security Integrator for the SOA]

Slide 70: Standards Relationships

[Diagram: the same stack as slide 69; AON provides Accelerated XML Services]
Slide 71: Digital Signatures (X.509 + DSIG)

• Authentication credentials
• Non-repudiation
• Integrity
• Used on the entire message or on parts of a message; uses certificate or key enveloping (WS-SEC); DSIG is very general purpose

Slide 72: Encryption/Decryption

• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message

Slide 73: Authentication

• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials
  - X.509 Certificate
  - Signature validation (XENC, certificate based)
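Slides 71 and 73 note that a signature can cover the entire message or only parts of it and that the validator checks it against the certificate. The added example below (not Cisco's code and not an XML-DSIG implementation) shows the consequence of that choice: the same edit is caught by a whole-message signature and missed by a signature that covers only one element, so a validator must know exactly which element a signature covers and treat everything else as unsigned input. HMAC-SHA256 under a shared secret stands in for the X.509 private-key signature, and ElementTree serialisation stands in for XML canonicalisation; the secret, the sample document and the `covers` field are assumptions.

```python
# Added example (not Cisco's AON code and not XML-DSIG itself): the
# whole-message versus part-of-message choice from the slides, and why a
# validator must know which element a signature covers. HMAC-SHA256 with a
# shared secret stands in for an X.509-based signature, and ElementTree
# serialisation stands in for XML canonicalisation; both are simplifications.
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, Optional

SECRET = b"constructed-demo-key"  # stand-in for the signer's private key


def canonical(elem: ET.Element) -> bytes:
    """Deterministic serialisation of one element (stand-in for C14N)."""
    return ET.tostring(elem, encoding="utf-8")


def sign(message: str, covers: Optional[str] = None) -> Dict[str, str]:
    """Sign the whole document (covers=None) or only the named child."""
    root = ET.fromstring(message)
    target = root if covers is None else root.find(covers)
    if target is None:
        raise ValueError(f"no element {covers!r} to sign")
    sig = hmac.new(SECRET, canonical(target), hashlib.sha256).hexdigest()
    return {"message": message, "covers": covers or "/", "sig": sig}


def verify(signed: Dict[str, str]) -> bool:
    """Recompute the signature over exactly what the signer said it covers."""
    root = ET.fromstring(signed["message"])
    target = root if signed["covers"] == "/" else root.find(signed["covers"])
    if target is None:
        return False
    expected = hmac.new(SECRET, canonical(target), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


# Constructed sample: the slides' purchase order plus a comment element that
# a part-of-message signature over shipTo will not cover.
PO = ('<purchaseOrder orderDate="1999-10-20"><shipTo country="US">'
      "<name>Alice Smith</name><street>123 Maple Street</street>"
      "<city>Mill Valley</city><state>CA</state><zip>90952</zip>"
      "</shipTo><comment>rush</comment></purchaseOrder>")


def coverage_check() -> Dict[str, bool]:
    """Edit an element outside the signed part; see which signature notices."""
    whole = sign(PO)                 # covers "/"
    part = sign(PO, "shipTo")        # covers only the address block
    edited = PO.replace("rush", "cancel")
    return {
        "whole_detects_edit": not verify({**whole, "message": edited}),
        "part_detects_edit": not verify({**part, "message": edited}),
    }
```

`coverage_check()` returns `whole_detects_edit` true and `part_detects_edit` false: the partial signature is still valid after the comment changes, because the comment was never under it. In a WS-Security deployment the same discipline applies: the receiver checks which element the signature reference points at and routes or authorizes only on signed content.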
Slide 74: Flow Security Mechanisms

• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general-purpose mechanism for controlling message access and routing

Slide 75: Deep Content Inspection

• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets" code that can use the same services as AON's internal content-handling code, ergo handle custom content types
• This functionality is available to users (for instance, the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out-of-the-box)
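The controls from slide 44 (inspect, validate and authenticate; only well-defined requests are serviced), slide 74 (format validation, data ranges, authorization rules) and slide 75 (signatures that raise an alarm or stop the message) applied to the slides' purchase order. This is an added example, not AON flow logic or a bladelet; the signature list, the allowed-user table and the log wording are assumptions, and the sample messages are constructed.

```python
# Added example (not Cisco's AON flow logic): the controls named on the
# slides applied to a purchase order. Signatures run on the raw text first,
# then format validation, data-range checks and an authorization rule.
# The rule set, the allowed-user table and the log wording are assumptions.
import datetime
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

EXPECTED_ROOT = "purchaseOrder"
REQUIRED_SHIPTO = {"name", "street", "city", "state", "zip"}

# Hypothetical authorization table: which users may submit which document.
ALLOWED = {"purchaseOrder": {"alice", "bob"}}

# Content signatures: (name, pattern over the raw text, action).
# "drop" stops the message (firewall); "alarm" lets it pass but records an
# alert (content IDS).
SIGNATURES = [
    ("doctype-in-message", re.compile(r"<!DOCTYPE", re.I), "drop"),
    ("script-tag", re.compile(r"<script\b", re.I), "drop"),
    ("very-long-text-node", re.compile(r">[^<]{200,}<"), "alarm"),
]


def inspect(raw: str, user: str) -> Dict[str, object]:
    """Return {'action': 'forward'|'drop', 'alarms': [...], 'log': [...]}."""
    alarms: List[str] = []
    log: List[str] = []

    def drop(reason: str) -> Dict[str, object]:
        log.append(f"drop: {reason}")
        return {"action": "drop", "alarms": alarms, "log": log}

    # 1. Signatures on the raw text, before anything is parsed.
    for name, rx, action in SIGNATURES:
        if rx.search(raw):
            if action == "drop":
                return drop(f"signature {name}")
            alarms.append(name)
            log.append(f"alarm: signature {name}")
    # 2. Message format: well-formed XML with the expected structure and
    #    nothing the schema does not define.
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return drop(f"not well-formed ({exc})")
    if root.tag != EXPECTED_ROOT:
        return drop(f"unexpected root {root.tag!r}")
    ship = root.find("shipTo")
    present = {child.tag for child in ship} if ship is not None else set()
    if present != REQUIRED_SHIPTO:
        return drop(f"shipTo children {sorted(present)} do not match schema")
    # 3. Data ranges.
    try:
        datetime.date.fromisoformat(root.get("orderDate", ""))
    except ValueError:
        return drop("orderDate is not an ISO date")
    if not re.fullmatch(r"\d{5}", ship.findtext("zip") or ""):
        return drop("zip is not five digits")
    # 4. Authorization rule for this user and document type.
    if user not in ALLOWED.get(root.tag, set()):
        return drop(f"user {user!r} not authorized for {root.tag}")
    log.append("forward")
    return {"action": "forward", "alarms": alarms, "log": log}


# Constructed samples.
GOOD = ('<purchaseOrder orderDate="1999-10-20"><shipTo country="US">'
        "<name>Alice Smith</name><street>123 Maple Street</street>"
        "<city>Mill Valley</city><state>CA</state><zip>90952</zip>"
        "</shipTo></purchaseOrder>")
BAD_ZIP = GOOD.replace("90952", "9095")
EXTRA_ELEMENT = GOOD.replace("</shipTo>", "<debug>1</debug></shipTo>")
WITH_DOCTYPE = '<!DOCTYPE purchaseOrder SYSTEM "po.dtd">' + GOOD
LONG_NAME = GOOD.replace("Alice Smith", "A" * 250)
```

The ordering matters: signatures run before the parser so that a document the policy already rejects never reaches it, the structure check rejects anything the schema does not define (the `debug` element), and the authorization rule is evaluated only once the message is known to be well-formed and in range, which keeps the decision log unambiguous about why a message was stopped.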
Slide 76: AON Components

[Diagram: AMC (AON Mgmt Console), used for configuring and provisioning AON modules; ADS (AON Design Studio), used for developing application policies ("flows"); AON blades; LOG DB]

Slide 77: Access Controls

• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, the AON component, and through AON access controls
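The staged-flow and role model of slide 77, together with the dev/test/prod, namespacing and sandboxing practices from slide 31, as an added Python model. It is not AMC or ADS code; the stage names, the role-to-operation table, the `<team>.<project>.<flow>` naming rule and the one-approval gate before production are assumptions chosen to make each control visible.

```python
# Added example (not Cisco's AMC/ADS code): a minimal model of staged flow
# promotion with role-based access control. Stage names, the role table, the
# <team>.<project>.<flow> naming rule and the single-approval gate are all
# assumptions made for this illustration.
from dataclasses import dataclass, field
from typing import Dict, Set

STAGES = ["dev", "test", "prod"]

# Hypothetical RBAC table: role -> operations the role may perform.
PERMISSIONS = {
    "designer": {"create"},
    "developer": {"create", "promote:dev->test"},
    "approver": {"approve"},
    "administrator": {"create", "promote:dev->test",
                      "promote:test->prod", "approve"},
}


@dataclass
class Flow:
    name: str                     # "<team>.<project>.<flow>"
    owner_team: str
    stage: str = "dev"
    approvals: Set[str] = field(default_factory=set)


class FlowRegistry:
    def __init__(self) -> None:
        self.flows: Dict[str, Flow] = {}

    def create(self, role: str, team: str, name: str) -> Flow:
        if "create" not in PERMISSIONS[role]:
            raise PermissionError(f"{role} cannot create flows")
        parts = name.split(".")
        # Collision prevention: namespaced names whose first component is
        # the owning team, so two teams cannot register the same flow name.
        if len(parts) != 3 or parts[0] != team:
            raise ValueError(f"{name!r} must be <team>.<project>.<flow>")
        if name in self.flows:
            raise ValueError(f"name collision: {name!r} already exists")
        self.flows[name] = Flow(name=name, owner_team=team)
        return self.flows[name]

    def approve(self, role: str, approver: str, name: str) -> None:
        if "approve" not in PERMISSIONS[role]:
            raise PermissionError(f"{role} cannot approve")
        self.flows[name].approvals.add(approver)

    def promote(self, role: str, team: str, name: str) -> str:
        flow = self.flows[name]
        # Sandboxing: while a flow is still in dev, only its own team may
        # touch it.
        if flow.stage == "dev" and flow.owner_team != team:
            raise PermissionError("dev sandbox: flow belongs to another team")
        idx = STAGES.index(flow.stage)
        if idx == len(STAGES) - 1:
            raise ValueError(f"{name!r} is already in prod")
        step = f"promote:{STAGES[idx]}->{STAGES[idx + 1]}"
        if step not in PERMISSIONS[role]:
            raise PermissionError(f"{role} cannot {step}")
        # Proofing gate: nothing reaches prod without a recorded approval.
        if STAGES[idx + 1] == "prod" and not flow.approvals:
            raise PermissionError("prod promotion requires an approval")
        flow.stage = STAGES[idx + 1]
        return flow.stage


def walkthrough() -> Dict[str, str]:
    """Drive one flow from dev to prod and record each control that fires."""
    reg = FlowRegistry()
    out: Dict[str, str] = {}
    name = "orders.po.validate"
    reg.create("developer", "orders", name)
    try:
        reg.create("developer", "orders", "billing.po.validate")
    except ValueError:
        out["foreign_namespace"] = "rejected"
    try:
        reg.promote("developer", "billing", name)
    except PermissionError:
        out["cross_team_in_dev"] = "denied"
    out["dev_to_test"] = reg.promote("developer", "orders", name)
    try:
        reg.promote("developer", "orders", name)
    except PermissionError:
        out["developer_to_prod"] = "denied"
    try:
        reg.promote("administrator", "orders", name)
    except PermissionError:
        out["prod_without_approval"] = "denied"
    reg.approve("approver", "carol", name)
    out["after_approval"] = reg.promote("administrator", "orders", name)
    return out
```

Separating the approver role from the roles that can promote is what gives the "stages can be proofed before deployment" property: the administrator can move a flow to production only after someone with a different role has recorded an approval, and a developer cannot reach production at all.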
Slide 78: Summary

• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  - Combining Layer 3/4 and Layer 7+ security controls
  - Common security functions: signatures, encryption, PKI
  - Deep content inspection: content-level ACLs
  - Reasonable administrative access controls

Slide 79: Q and A
Session Number: 11657_09_2005_c1
Slide 26: Cisco IT View of AON

An invisible message router/gateway in the network that routes, transforms, monitors and authenticates/authorizes messages between end points.

Slide 27: How Can AON Be Invisible?

An AON node resides in the network as an inline application-aware device; the device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications.

Slide 28: AON Modes of Operation

Transparent Mode: intercept with no change to applications
[Diagram: Sending Application A -> Integrated Switch / AON Blade -> Receiving Application B. Based on a WCCP re-direct ACL, the switch intercepts traffic to http://B/Service1 and forwards it to AON.]

Slide 29: AON Best Practices: A Cisco IT Perspective
Slide 30: Best Practices: Logical Diagram

[Diagram: Firewall | DMZ | Firewall | App Server Layer; nine AON blades grouped into clusters linked by AONSP and sharing a Log DB. Per-cluster functions: SSL termination, DSIG/cert validation, authentication, logging, etc.; payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP-2-JMS), content-based routing, logging; payload encryption, DSIG, logging, etc.]

• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties
31copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Provisioning and Management
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Implement a standard SDLC strategy (devtestprod)
bull Implement collision prevention utilizing standard name spacing
bull Implement isolation by sandboxing development environment by project teams
bull Allow for an automated promotion process
bull Implement a promotion strategy that takes into account all of the above
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
32copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Services Leveraging AON
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Background Check
bull Salesforcecom Integration (contacts leads etchellip)
33copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
34copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Intermission
Coming up in the next hourbull Security with AON
bull AON Deployment Timelines within Cisco IT
bull AON Business Case within Cisco IT
35copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Security with AON
Brook Schoenfield Senior Security ArchitectCSPO
36copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
37copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger PictureWhat is Service Oriented Architecture (SOA)
What is Application Integration
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
38copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA
bull Service Oriented Architecture is a different mindset
bull Focus on delivering a service offering (an invoice a purchase order an item or unit that has intrinsic business understanding and value)
bull No longer focus on the programmatic interface (message standards take care of that)
39copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA Is Now
ldquoBy 2005 the aggressive use of Web services will drive a 30 increase in the efficiency of IT development projectsrdquo
Gartner Inc ldquoThe Hype Is Right Web Services Will Deliver Immediate Benefitsrdquo October 2001
This Is FYQ06 Enterprises Are Looking for that 30 Gain
40copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and SOA
bull AON can be a key part of an SOA build out
bull AON provides the necessary security functions
bull Common functions become ldquopart of the networkrdquo
41copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Specific Drivers for SOA
bull Move from functionally focused IT to business process focused
bull Single source of truth
bull Development cyclesmdashreusability
bull Business responsiveness
bull Consistency
bull Security functions
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Healthy Distrust = Security Controls
bull Services should be distrustful of the outside world
bull Not everyone will be served
bull Inspect validate and authenticate requestsThe codersquos internal state is not openly exposed
bull Only well defined requests are serviced
bull Requests do not reveal the servicersquos algorithms
bull Requests do not describe the servicersquos state
bull Requests provide services not data accessServices should not share ACID transactions
bull Transactions imply a certain level of trustLocks may be held for a long time
bull Transactions imply a level of couplingmdashMicrosoft Incorporated
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
Slide 66
Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: “For application developers, not by application developers”
• AON provides common and consistent implementations of message-level security functions
Slide 67
Some of AON’s Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 Certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68
Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantic for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + More standards proposed (alphabet soup):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)
Slide 69
AON Implements Messaging Standards
[Diagram: protocol stack, bottom to top: TCP/IP; HTTP; SOAP; WS-Security; XML Protocol Set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML Expressions (XSLT). AON is labelled Security Integrator / SOA]
Slide 70
Standards Relationships
[Diagram: the same stack, bottom to top: TCP/IP; HTTP; SOAP; WS-Security; XML Protocol Set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML Expressions (XSLT). AON is labelled Accelerated XML Services]
Slide 71
Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used for the entire message or for parts of a message; use certificate or key enveloping (WSSEC). DSIG is very general purpose
Slide 72
Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Slide 73
Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials:
  X.509 Certificate
  Signature validation (XENC, certificate based)
Slide 74
Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general purpose mechanism for controlling message access and routing
Slide 75
Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java “bladelets” code that can use the same services as AON’s internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out-of-the-box)
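The flow security mechanisms and deep content inspection described on the two slides above (format validation, data-range validation, authorization rules, and content signatures that either alarm or stop the message), as an added Python example that is not code from the Cisco deck or from AON itself. It runs over the purchaseOrder message shown on the “AON Is Inside the TCP/IP Wrapper” slide, completed with a closing tag; the allowed countries, principal names, signatures and the service name are assumptions.

```python
"""Added example (not Cisco AON code): a message-level flow that applies the
slides' mechanisms to the deck's purchaseOrder message; policy values are assumed."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import date

# Constructed sample: the purchaseOrder fragment shown on the slides, closed
# with </purchaseOrder> so that it parses (the slide ends in "...").
SAMPLE_MESSAGE = b"""<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>
"""

# Assumed flow policy; in AON these values would be part of the flow built in ADS.
ALLOWED_COUNTRIES = {"US", "CA"}
# Message-level ACL: message type -> (target service, principals allowed to send it)
ROUTES = {"purchaseOrder": ("order-service", {"partner1", "partner2"})}
# Content signatures, evaluated on the raw bytes before any parser runs.
# "block" stops the message; "alarm" lets it through but records the event.
SIGNATURES = [
    ("doctype-or-entity-declaration", re.compile(rb"<!(DOCTYPE|ENTITY)"), "block"),
    ("comment-in-b2b-message", re.compile(rb"<!--"), "alarm"),
]


@dataclass
class Verdict:
    action: str         # "route", "alarm" or "block"
    service: str = ""   # target service, set only when the message is routed
    log: list = field(default_factory=list)


def validate_format(root):
    """Structural check standing in for schema validation: required elements present."""
    if root.tag != "purchaseOrder":
        return [f"unexpected root element {root.tag!r}"]
    ship_to = root.find("shipTo")
    if ship_to is None:
        return ["missing shipTo"]
    errors = []
    for name in ("name", "street", "city", "state", "zip"):
        child = ship_to.find(name)
        if child is None or not (child.text or "").strip():
            errors.append(f"missing or empty shipTo/{name}")
    return errors


def validate_ranges(root):
    """Data-range checks, applied only after the structure is known to be good."""
    errors = []
    try:
        date.fromisoformat(root.get("orderDate", ""))
    except ValueError:
        errors.append("orderDate is not a YYYY-MM-DD date")
    ship_to = root.find("shipTo")
    if ship_to.get("country") not in ALLOWED_COUNTRIES:
        errors.append("shipTo/@country not in the allowed set")
    if not re.fullmatch(r"[0-9]{5}", ship_to.findtext("zip", "").strip()):
        errors.append("shipTo/zip is not five digits")
    return errors


def inspect(raw, principal):
    """Run the flow: signatures, well-formedness, format, ranges, then the message ACL."""
    v = Verdict("route")
    for name, pattern, action in SIGNATURES:
        if pattern.search(raw):
            v.log.append(f"signature {name} fired ({action})")
            if action == "block":
                v.action = "block"
                return v
            v.action = "alarm"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        v.action = "block"
        v.log.append(f"not well-formed XML: {exc}")
        return v
    errors = validate_format(root) or validate_ranges(root)
    if errors:
        v.action = "block"
        v.log.extend(errors)
        return v
    target, allowed = ROUTES.get(root.tag, ("", set()))
    if principal not in allowed:
        v.action = "block"
        v.log.append(f"principal {principal!r} is not authorized to send {root.tag}")
        return v
    v.service = target
    v.log.append(f"routed {root.tag} from {principal!r} to {target}")
    return v
```

The signatures run on the raw bytes before the parser sees the message, which is the order a content IDS or firewall stage needs: a declaration the policy forbids is stopped without ever being parsed, while an alarm-only signature records the event and lets the flow continue to validation and routing.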
Slide 76
AON Components
[Diagram: AON Blades; AMC (AON Mgmt Console), used for configuring and provisioning AON modules; ADS (AON Design Studio), used for developing application policies (“Flows”); LOG DB]
Slide 77
Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, the AON component, and through AON access controls
Slide 78
Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco’s SOA
• AON security features/architecture:
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection: content-level ACLs
  Reasonable administrative access controls
Slide 79
Q and A
Session Number: 11657_09_2005_c1
Slide 27
How Can AON Be Invisible?
An AON node resides in the network as an inline, application-aware device. The device acts as an intelligent intermediary gateway that can either be explicitly addressed by applications or act as a pass-through proxy that is transparent to applications.
Slide 28
AON Modes of Operation
Transparent Mode: Intercept with No Change to Applications
[Diagram: Sending Application A sends a request for http://B/Service1 toward Receiving Application B; the Integrated Switch with an AON Blade intercepts the traffic based on a WCCP re-direct ACL and forwards it to AON]
Slide 29
AON Best Practices: A Cisco IT Perspective
Slide 30
Best Practices: Logical Diagram
[Diagram: Firewall | DMZ | Firewall | App Server Layer. A DMZ AON cluster (SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.) links over AONSP to App Server Layer AON clusters (Payload Decryption, Schema Validation, Content Inspection/Routing, logging; Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; Payload Encryption, DSIG, logging, etc.); all clusters write to a Log DB]
• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties
Slide 31
Best Practices: Provisioning and Management
[Diagram: the same layout: Firewall | DMZ AON cluster (SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.) | Firewall | App Server Layer AON clusters (Payload Decryption, Schema Validation, Content Inspection/Routing, logging; Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; Payload Encryption, DSIG, logging, etc.), AONSP between clusters, Log DB]
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention utilizing standard name spacing
• Implement isolation by sandboxing the development environment per project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes into account all of the above
Slide 32
Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com Integration (contacts, leads, etc.)
Slide 33
Q and A
Slide 34
Intermission
Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT
Slide 35
Security with AON
Brook Schoenfield, Senior Security Architect, CSPO
Slide 36
Agenda
• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 37
Agenda
• Where Does AON Fit into the Bigger Picture?
  What Is Service Oriented Architecture (SOA)?
  What Is Application Integration?
• What Is AON?
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 38
SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)
Slide 39
SOA Is Now
“By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects.”
Gartner, Inc., “The Hype Is Right: Web Services Will Deliver Immediate Benefits,” October 2001
This Is FYQ06: Enterprises Are Looking for That 30% Gain
Slide 40
AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become “part of the network”
Slide 41
Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business-process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions
Slide 42
Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)
Slide 43
Complexity (and Risk) Increase with Adoption
[Diagram: service consumers Partner 1, Partner 2 … Partner n, Self-Service, Inventory Mgmt and Call Center]
Slide 44
Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
The code’s internal state is not openly exposed:
• Only well-defined requests are serviced
• Requests do not reveal the service’s algorithms
• Requests do not describe the service’s state
• Requests provide services, not data access
Services should not share ACID transactions:
• Transactions imply a certain level of trust
• Locks may be held for a long time
• Transactions imply a level of coupling
(Microsoft Incorporated)
Slide 45
Agenda
• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 46
What Role Does AON Play?
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator
Slide 47
AON and the OSI Stack
[Diagram: OSI layers with the protocols at each layer and AON’s place above them]
AON (Layer 7+): Message Level Protocol (SOAP); Content Inspection, Transformation, Security & Mapping; Content-Based Routing
Application
Presentation: ASCII, MPEG, GIF, etc.
Session: RPC, NFS
Transport: TCP, UDP
Network: IP Logical Addressing
Data Link: Data Translation to Frames
Physical: Data Bits Transmission
Slide 48
Pre-AON Inspection and Operation
[Diagram: IP | TCP | HTTP | payload, with the payload marked Opaque]
Switches, Routers, Firewalls: “Content Inspection” Operates Around the Payload
Slide 49
AON Is Inside the TCP/IP Wrapper
[Diagram: IP | TCP | HTTP (http://www…) | Payload/Message]
Session Protocol + Content Inspection == Session and Payload
Payload/Message:
  <?xml version="1.0"?>
  <purchaseOrder orderDate="1999-10-20">
    <shipTo country="US">
      <name>Alice Smith</name>
      <street>123 Maple Street</street>
      <city>Mill Valley</city>
      <state>CA</state>
      <zip>90952</zip>
    </shipTo>
    …
Slide 50
AON Is Inside the TCP/IP Wrapper
[Diagram: the same IP | TCP | HTTP (http://www…) | Payload/Message layout as the previous slide, carrying the same purchaseOrder XML for Alice Smith, 123 Maple Street, Mill Valley, CA 90952]
Session Protocol + Content Inspection == Session and Payload
Optimized for XML Payloads
Slide 51
AON == Message Content and Envelope
[Diagram: IP | TCP | HTTP (http://www…) | SOAP/WSEC envelope | XML Message Body]
HTTP Envelope (SOAP) Messages (XML envelope standards + custom XML) == “Deep Inspection”
Existing Message Bodies + Custom Parsing
Slide 52
Why XML?
• TCP/IP gives you network HW independence
• JAVA gives you platform independence (sort’a, kind’a: for the first few years it was “write once, debug everywhere”)
• XML gives you data independence
• Ubiquitous adoption
Slide 53
AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital Signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)
Slide 54
These AON Security Functions…
…Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services

AON Security Function | External App Environment 1: B2B (WebMethods) | External App Environment 2 | Other Environments
--- | --- | --- | ---
Encryption using SSL V3 with bi-directional authentication | Limited: WebMethods specific, requires significant setup effort | Limited | Limited
XML Payload Encryption | Custom written by each app using Java libraries; limited | Custom written by each app | Limited
Protocol Translation | Custom written by each application; WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital Signature | Custom written by each app using Java libraries; limited | Custom written by each app | Limited
DMZ-2-App Layer Secure Connector | mod_IIOP over SSH pipes, Reverse Proxy, STA (Secure Transport Architecture) | Custom | Varies for each environment
Slide 55
Before AON: Current Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall. Three environments (External Env 1, External Env 2, B2B), each in front of its own Internal DB, and each carrying its own copy of:]
• Environment/Technology specific: Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/Application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning
Slide 56
After AON: Future Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ | Firewall | Application layer (Common Utilities: AON, AON, AON; Business Logic: Java, PERL, B2B, each with an Internal DB) | Firewall. The AON nodes provide:]
• SSL Termination
• SIG/Cert Validation
• Authentication
• Logging
• Content-based Routing
• Protocol Conversion
• Payload Encryption
• Payload Decryption
• Schema Validation
Slide 57
Agenda
• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 58
AON Security
• AON fosters a better network security architecture because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e., layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59
Pre-AON Web Security Architecture
[Diagram: Firewall | DMZ (Web Servers: WS, WS, WS) | Firewall | Application Layer (Business Logic: Java, PERL, B2B, each with an Internal DB) | Firewall]
Slide 60
Pre-AON SOA/Web Services Security Architecture
[Diagram: Firewall | DMZ (Web Servers: WS, WS, WS) | Firewall | Application Layer (Business Logic: Java, PERL, B2B, each with an Internal DB, behind a WS GW) | Firewall]
Slide 61
Pre-AON Attack Vectors
[Diagram: Firewall | DMZ (Web Servers: WS, WS, WS) | Firewall | Application Layer (Business Logic: Java, PERL, B2B, each with an Internal DB, behind a WS GW) | Firewall]
Slide 62
Pre-AON Attack Vectors
[Diagram: Firewall | DMZ (Web Servers: WS, WS, WS) | Firewall | Application Layer (Business Logic: Java, PERL, B2B, each with an Internal DB, behind a WS GW) | Firewall, with callouts on the GW]
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
28copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Modes of Operation
Transparent Mode
Intercept with No Change to Applications
SendingApplication A
ReceivingApplication B
Integrated SwitchAON Blade
Based on WCCP Re-Direct ACL Intercept Traffic and
Forward to AON
httpBService1
29copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Best PracticesA Cisco IT Perspective
30copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Logical Diagram
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Cluster AON blades based on functionality
bull Identify common capabilities that span across multiple applications to be owned by Infrastructure
bull Move commoninfrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities into its own set of clusters
bull For external-facing Web Services infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
bull Standardize on AONP(S) as the inter-cluster communication protocol
bull Standardize on a naming convention for resources flows and properties
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
31copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Provisioning and Management
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Implement a standard SDLC strategy (devtestprod)
bull Implement collision prevention utilizing standard name spacing
bull Implement isolation by sandboxing development environment by project teams
bull Allow for an automated promotion process
bull Implement a promotion strategy that takes into account all of the above
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
32copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Services Leveraging AON
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Background Check
bull Salesforcecom Integration (contacts leads etchellip)
33copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
34copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Intermission
Coming up in the next hourbull Security with AON
bull AON Deployment Timelines within Cisco IT
bull AON Business Case within Cisco IT
35copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Security with AON
Brook Schoenfield Senior Security ArchitectCSPO
36copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
37copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger PictureWhat is Service Oriented Architecture (SOA)
What is Application Integration
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
38copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA
bull Service Oriented Architecture is a different mindset
bull Focus on delivering a service offering (an invoice a purchase order an item or unit that has intrinsic business understanding and value)
bull No longer focus on the programmatic interface (message standards take care of that)
39copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA Is Now
ldquoBy 2005 the aggressive use of Web services will drive a 30 increase in the efficiency of IT development projectsrdquo
Gartner Inc ldquoThe Hype Is Right Web Services Will Deliver Immediate Benefitsrdquo October 2001
This Is FYQ06 Enterprises Are Looking for that 30 Gain
40copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and SOA
bull AON can be a key part of an SOA build out
bull AON provides the necessary security functions
bull Common functions become ldquopart of the networkrdquo
41copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Specific Drivers for SOA
bull Move from functionally focused IT to business process focused
bull Single source of truth
bull Development cyclesmdashreusability
bull Business responsiveness
bull Consistency
bull Security functions
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Healthy Distrust = Security Controls
bull Services should be distrustful of the outside world
bull Not everyone will be served
bull Inspect validate and authenticate requestsThe codersquos internal state is not openly exposed
bull Only well defined requests are serviced
bull Requests do not reveal the servicersquos algorithms
bull Requests do not describe the servicersquos state
bull Requests provide services not data accessServices should not share ACID transactions
bull Transactions imply a certain level of trustLocks may be held for a long time
bull Transactions imply a level of couplingmdashMicrosoft Incorporated
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
Slide 48: Pre-AON Inspection and Operation
[Diagram: IP | TCP | HTTP | payload. Switches, routers, firewalls and "content inspection" operate around the payload; the payload itself is opaque to them.]

Slide 49: AON Is Inside the TCP/IP Wrapper
[Diagram: IP | TCP | HTTP | Payload/Message. Session Protocol + Content Inspection == Session and Payload. The HTTP session (http://www...) carries the payload below.]
Payload/Message:
    <?xml version="1.0"?>
    <purchaseOrder orderDate="1999-10-20">
      <shipTo country="US">
        <name>Alice Smith</name>
        <street>123 Maple Street</street>
        <city>Mill Valley</city>
        <state>CA</state>
        <zip>90952</zip>
      </shipTo>
      ...

Slide 50: AON Is Inside the TCP/IP Wrapper
[Same diagram and payload as slide 49, with the note: Optimized for XML Payloads.]

Slide 51: AON == Message Content and Envelope
[Diagram: IP | TCP | HTTP | HTTP Envelope (SOAP) | Messages (XML envelope standards + custom XML) == "Deep Inspection". Labels: SOAP, WSEC, http://www...; HTTP | XML Message Body.]
Existing Message Bodies + Custom Parsing
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
Slide 54: These AON Security Functions... Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services

AON Security Function | External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments
Encryption using SSL V3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited
XML Payload Encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
Protocol Translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific
Digital Signature | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited
DMZ-2-App Layer Secure Connector | mod_IIOP over SSH pipes | Reverse Proxy | STA (Secure Transport Architecture), custom | Varies for each environment
Slide 55: Before AON: Current Location of Application and Service Support Utilities
[Diagram: DMZ | Application layer, separated by firewalls. Three environments (External Env 1, External Env 2, B2B), each with its own Internal DB, and each carrying its own copy of the utilities below.]
• Environment/technology specific: Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning
(The same two groups are repeated for each of the three environments.)

Slide 56: After AON: Future Location of Application and Service Support Utilities
[Diagram: DMZ | Application layer, separated by firewalls. AON blades provide the Common Utilities in front of the Business Logic (Java, PERL, B2B) and the Internal DBs.]
Common utilities provided by AON:
• SSL Termination
• SIG/Cert Validation
• Authentication
• Logging
• Content-based Routing
• Protocol Conversion
• Payload Encryption
• Payload Decryption
• Schema Validation
Slide 57: Agenda (section marker; same agenda as slide 45)

Slide 58: AON Security
• AON fosters a better network security architecture because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e., layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59: Pre-AON Web Security Architecture
[Diagram: DMZ | Application Layer, separated by firewalls. Web Servers (WS, WS, WS) in the DMZ; Business Logic (Java, PERL, B2B) with Internal DBs behind the inner firewall.]

Slide 60: Pre-AON SOA/Web Services Security Architecture
[Diagram: as slide 59, with a Web Services Gateway (WSGW) added in the Application Layer beside the Internal DBs.]

Slide 61: Pre-AON Attack Vectors
[Diagram: as slide 60, with the attack paths drawn in.]

Slide 62: Pre-AON Attack Vectors
[Diagram: as slide 61, with two callouts:]
Net architecture must be changed for the GW (more switches and routers = more ACs to manage)
The GW is NOT part of the network; compromise of layer 3/4 can attack the application layer, going around the GW

Slide 63: A Possible (Simplified) AON Architecture
[Diagram: as slide 62, with AON blades in place of the WSGW.]
AON is part of the network; the app layer is directly connected to the network device
Message protection is terminated at AON; no attack vector is exposed
AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64: AON Potential Architecture
[Diagram: Firewall | DMZ | Firewall | App Server layer. An AON cluster in the DMZ takes HTTP(S) from the outside and talks AONSP to an AON cluster in the App Server layer, which fronts App1, Svc2, Svc3, Gateway and JMS Server over HTTP(S) and JMS, with an App Dir Svc alongside.]
AON functions shown in the diagram (four groups):
    SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.
    Payload Decryption, Schema Validation, Content Inspection/Routing, logging
    Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging
    Payload Encryption, DSIG, logging, etc.
Web servers == AON
Common Application functions == AON

Slide 65: AON Potential Architecture
[Same diagram as slide 64.]
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer, provided by AON, protect services and logic in the application layer
Slide 66: Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions

Slide 67: Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC)
• Authentication (HTTP BASIC, LDAP stores, X.509 Certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)

Slide 68: Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantic for
    XML-Signature (DSIG) == digital signature use
    XML-Encryption (XENC) == encrypt/decrypt use
    Authenticators
• + More standards proposed (alphabet soup):
    Web Services Description Language (WSDL)
    Universal Description, Discovery and Integration (UDDI)
    Web Services Flow Language (WSFL)
    Other business rules (BPEL4WS)
Slide 69: AON Implements Messaging Standards
[Diagram: protocol stack TCP/IP > HTTP > SOAP > WS-Security, with the XML Protocol Set on top: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT). AON is positioned as the Security Integrator for SOA.]

Slide 70: Standards Relationships
[Same diagram as slide 69, with AON labelled Accelerated XML Services.]
Slide 71: Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used on the entire message or for parts of a message; use certificate or key enveloping (WSSEC); DSIG is very general purpose
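The slide above says a DSIG can cover the whole message or only parts of it. The following is an added example, not Cisco code and not an XML-Signature implementation: it signs either the whole purchase order or one element of it over a canonical (C14N 2.0) form, which is the property that lets a signature survive re-serialization of the message while still catching any change to the signed part. HMAC-SHA256 with a constructed key stands in for the X.509/RSA signature so that the example runs with the standard library alone; the sample message, the key and the function names are assumptions.

```python
"""Added example (not Cisco/AON code, not WS-Security): whole-message and
part-level signing over a canonical form, as the DSIG slide describes.
HMAC-SHA256 with a shared key stands in for the X.509 private-key
signature; the message and key are constructed for the example."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample purchase order, modelled on the slide's payload.
MESSAGE = """<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US"><name>Alice Smith</name><zip>90952</zip></shipTo>
  <comment>Rush order</comment>
</purchaseOrder>"""

KEY = b"constructed-demo-key"  # stands in for the signer's private key


def canonical(element: ET.Element) -> bytes:
    """Canonicalize one element (C14N 2.0, whitespace-only text stripped) so
    that two serializations of the same content sign identically."""
    clone = copy.deepcopy(element)
    clone.tail = None  # tostring() would otherwise emit the element's tail text
    xml_text = ET.tostring(clone, encoding="unicode")
    return ET.canonicalize(xml_text, strip_text=True).encode()


def sign_part(doc: str, part_path: Optional[str]) -> str:
    """Return a hex signature over the element at part_path (an ElementTree
    path relative to the root) or, if part_path is None, the whole message."""
    root = ET.fromstring(doc)
    target = root if part_path is None else root.find(part_path)
    if target is None:
        raise ValueError("signed part not present in message")
    return hmac.new(KEY, canonical(target), hashlib.sha256).hexdigest()


def verify_part(doc: str, part_path: Optional[str], signature: str) -> bool:
    """Receiver side: recompute the signature and compare in constant time.
    A missing part verifies as False rather than raising."""
    try:
        expected = sign_part(doc, part_path)
    except ValueError:
        return False
    return hmac.compare_digest(expected, signature)
```

A signature over `shipTo` alone still verifies after the `comment` element is edited, while a whole-message signature does not; both survive re-indentation of the message because only the canonical form is signed. That difference is the reason the slide distinguishes entire-message from part-level use.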
Slide 72: Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message

Slide 73: Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials: X.509 certificate; signature validation (XENC, certificate based)

Slide 74: Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general-purpose mechanism for controlling message access and routing

Slide 75: Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets" code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out-of-the-box)
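As an added example that covers both the "Healthy Distrust" slide (inspect, validate and authenticate requests; service only well-defined requests; do not describe the service's state) and the "Flow Security Mechanisms" and "Deep Content Inspection" slides above (format validation, data-range validation, authorization rules, signatures that raise an alarm or stop the flow), the Python below applies those checks to the purchaseOrder payload shown on the "AON Is Inside the TCP/IP Wrapper" slide. It is not Cisco or AON code: the principal names, the rules, the signature patterns and the sample messages are constructed for the example.

```python
"""Added example (not Cisco/AON code): message-level checks of the kind the
"Healthy Distrust", "Flow Security Mechanisms" and "Deep Content Inspection"
slides describe, applied to the purchaseOrder payload from the slides.
Principals, rules and sample messages are constructed for the example."""
import re
import xml.etree.ElementTree as ET

# Constructed sample message, modelled on the slide's purchaseOrder payload.
GOOD_MESSAGE = """<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>"""

# "Validation of the message format": elements every order must carry.
REQUIRED_PATHS = ("shipTo/name", "shipTo/street", "shipTo/city",
                  "shipTo/state", "shipTo/zip")

# "Validation of data ranges": one pattern per constrained field.
FIELD_RULES = {
    "shipTo/zip": re.compile(r"^\d{5}$"),
    "shipTo/state": re.compile(r"^[A-Z]{2}$"),
}
DATE_RULE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
MAX_MESSAGE_BYTES = 4096

# Content-inspection signatures in the slide's sense: patterns over the raw
# bytes that stop the flow (firewall behaviour) and raise an alarm (IDS).
# Checked before any parsing so the parser never sees the matched input.
SIGNATURES = (
    ("doctype-or-entity", re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)),
    ("processing-instruction", re.compile(rb"<\?(?!xml)", re.IGNORECASE)),
)

# "Rules defining authorization": which authenticated principal may submit
# which kind of request (hypothetical identities and request types).
ALLOWED_ROOTS = {"partner-1": {"purchaseOrder"}, "call-center": {"orderStatus"}}


def inspect_message(raw: bytes, principal: str) -> dict:
    """Return {"accepted": bool, "reason": str, "alarm": str or None}.

    'reason' is what goes back to the caller and is deliberately generic, so
    the response does not describe the service's state or algorithms;
    'alarm' is the specific cause, meant only for the logging/IDS side."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return {"accepted": False, "reason": "rejected", "alarm": "oversize"}
    for name, pattern in SIGNATURES:
        if pattern.search(raw):
            return {"accepted": False, "reason": "rejected", "alarm": name}
    try:
        root = ET.fromstring(raw)
    except ET.ParseError:
        return {"accepted": False, "reason": "rejected", "alarm": "malformed-xml"}
    if root.tag not in ALLOWED_ROOTS.get(principal, set()):
        return {"accepted": False, "reason": "rejected", "alarm": "unauthorized-request"}
    if not DATE_RULE.match(root.get("orderDate", "")):
        return {"accepted": False, "reason": "rejected", "alarm": "bad-orderDate"}
    for path in REQUIRED_PATHS:
        if root.find(path) is None:
            return {"accepted": False, "reason": "rejected", "alarm": "missing-" + path}
    for path, rule in FIELD_RULES.items():
        if not rule.match((root.findtext(path) or "").strip()):
            return {"accepted": False, "reason": "rejected", "alarm": "range-" + path}
    return {"accepted": True, "reason": "ok", "alarm": None}
```

The order of the checks matters: size and byte-level signatures run before the XML parser is invoked, authorization runs before the structural rules, and every rejection returns the same generic reason while the specific cause is kept for the alarm channel, which is how a flow of this kind both stops the message and serves the content-IDS role without leaking state to the requester.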
Slide 76: AON Components
[Diagram: AON blades/modules with their management tools and log store.]
ADS (AON Design Studio): used for developing application policies ("flows")
AMC (AON Mgmt Console): used for configuring and provisioning AON modules
LOG DB
AON Blades

Slide 77: Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, at the AON component, and through AON access controls
Slide 78: Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
    Combining Layer 3/4 and Layer 7+ security controls
    Common security functions: signatures, encryption, PKI
    Deep content inspection: content-level ACLs
    Reasonable administrative access controls

Slide 79: Q and A
Session Number 11657_09_2005_c1
Slide 29: AON Best Practices: A Cisco IT Perspective

Slide 30: Best Practices: Logical Diagram
[Diagram: Firewall | DMZ | Firewall | App Server Layer. AON clusters in the DMZ and in the App Server Layer, linked by AONSP, with a Log DB. Function groups shown: SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.; Payload Decryption, Schema Validation, Content Inspection/Routing, logging; Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging; Payload Encryption, DSIG, logging, etc.]
• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters while keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should exist in the DMZ while the application AON cluster should reside in the protected net
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties
Slide 31: Best Practices: Provisioning and Management
[Same diagram as slide 30.]
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention utilizing standard namespacing
• Implement isolation by sandboxing development environments by project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes into account all of the above
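Added example, not the AMC or any Cisco code, that serves both the "Access Controls" slide of the security talk (staging of flows, approval processes, distinct roles for designers, developers, approvers and administrators) and the "Provisioning and Management" slide above (dev/test/prod SDLC, collision prevention through namespacing, an automated promotion process). It is a small flow registry that promotes flows through the stages, checks the promoting user's role at each step, refuses to let a flow's author approve their own work, and rejects flow names outside the team's namespace or already in use. Users, teams, namespaces, role names and the stage names (taken from the Access Controls slide) are hypothetical.

```python
"""Added example (not AMC/Cisco code): flow promotion with staged
environments, role checks, separation of duties between development and
approval, and namespaced flow names that prevent collisions between
project teams.  All users, teams, namespaces and roles are constructed."""
from dataclasses import dataclass, field

# Stage names as on the Access Controls slide (development, staging, production).
STAGES = ("development", "staging", "production")

# Which role may move a flow out of which stage (hypothetical policy):
# a developer submits development -> staging, an approver promotes
# staging -> production.
PROMOTION_RIGHTS = {
    "development": {"developer"},
    "staging": {"approver"},
}


@dataclass
class Flow:
    name: str                 # "<project>.<flow>"; the project is the namespace
    author: str               # who created it, for the separation-of-duties check
    stage: str = "development"
    history: list = field(default_factory=list)   # audit trail of promotions


class FlowRegistry:
    def __init__(self, roles: dict, namespaces: dict):
        self.roles = roles               # user -> set of roles
        self.namespaces = namespaces     # project namespace -> owning team
        self.flows = {}                  # flow name -> Flow

    def register(self, name: str, author: str, team: str) -> Flow:
        """Create a flow in development.  The name must carry a namespace the
        author's team owns (sandboxing by project team) and must not collide
        with an existing flow."""
        project, sep, _ = name.partition(".")
        if not sep:
            raise ValueError("flow name must be namespaced as <project>.<flow>")
        if self.namespaces.get(project) != team:
            raise PermissionError(f"{team} does not own namespace {project}")
        if name in self.flows:
            raise ValueError(f"collision: {name} already exists")
        flow = Flow(name=name, author=author)
        self.flows[name] = flow
        return flow

    def promote(self, name: str, user: str) -> str:
        """Move a flow to the next stage if the user's role allows it and the
        user is not approving their own work.  Returns the new stage."""
        flow = self.flows[name]
        if flow.stage == STAGES[-1]:
            raise ValueError(f"{name} is already in production")
        needed = PROMOTION_RIGHTS[flow.stage]
        if not (self.roles.get(user, set()) & needed):
            raise PermissionError(f"{user} may not promote from {flow.stage}")
        if flow.stage == "staging" and user == flow.author:
            raise PermissionError("separation of duties: author cannot approve own flow")
        new_stage = STAGES[STAGES.index(flow.stage) + 1]
        flow.history.append((flow.stage, new_stage, user))
        flow.stage = new_stage
        return new_stage


def demo() -> FlowRegistry:
    """Constructed scenario: two project teams, one user holding both roles."""
    registry = FlowRegistry(
        roles={"dana": {"developer", "approver"},
               "omar": {"developer"},
               "ava": {"approver"}},
        namespaces={"orders": "team-orders", "rma": "team-rma"},
    )
    registry.register("orders.status", author="omar", team="team-orders")
    return registry
```

The separation-of-duties check is the detail worth noting: a user who legitimately holds both the developer and approver roles can still not promote a flow they authored into production, so "separation of design/development and implementation" holds even when roles overlap, and the history list gives the approver trail the slide's approval process implies.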
Slide 32: Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com Integration (contacts, leads, etc.)

Slide 33: Q and A

Slide 34: Intermission
Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT

Slide 35: Security with AON
Brook Schoenfield, Senior Security Architect, CSPO
Slide 36: Agenda
• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
    Combining Layer 3/4 and Layer 7+
    Common Security Functions
    Deep Content Inspection
    Access Controls

Slide 37: Agenda
• Where Does AON Fit into the Bigger Picture?
    What is Service Oriented Architecture (SOA)?
    What is Application Integration?
• What Is AON?
• AON Security Features/Architecture
    Combining Layer 3/4 and Layer 7+
    Common Security Functions
    Deep Content Inspection
    Access Controls
Slide 38: SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)

Slide 39: SOA Is Now
"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects."
Gartner, Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits," October 2001
This is FYQ06; enterprises are looking for that 30% gain.

Slide 40: AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"

Slide 41: Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Healthy Distrust = Security Controls
bull Services should be distrustful of the outside world
bull Not everyone will be served
bull Inspect validate and authenticate requestsThe codersquos internal state is not openly exposed
bull Only well defined requests are serviced
bull Requests do not reveal the servicersquos algorithms
bull Requests do not describe the servicersquos state
bull Requests provide services not data accessServices should not share ACID transactions
bull Transactions imply a certain level of trustLocks may be held for a long time
bull Transactions imply a level of couplingmdashMicrosoft Incorporated
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
Slide 30: Best Practices, Logical Diagram
[Diagram: Firewall / DMZ / Firewall / App Server Layer. AON clusters sit in the DMZ and in the application layer, linked over AONSP, with a Log DB. Per-cluster functions: SSL termination, DSIG/cert validation, authentication, logging; payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP to JMS), content-based routing, logging; payload encryption, DSIG, logging.]
• Cluster AON blades based on functionality
• Identify common capabilities that span multiple applications, to be owned by Infrastructure
• Move common/infrastructure capabilities into a separate set of AON clusters, keeping application-dependent capabilities in their own set of clusters
• For external-facing Web Services, the infrastructure AON cluster should sit in the DMZ while the application AON cluster resides in the protected network
• Standardize on AONP(S) as the inter-cluster communication protocol
• Standardize on a naming convention for resources, flows and properties
Slide 31: Best Practices, Provisioning and Management
[Diagram: the same Firewall / DMZ / Firewall / App Server Layer layout as slide 30, with AON clusters in the DMZ and the application layer, AONSP links, a Log DB and the same per-cluster functions.]
• Implement a standard SDLC strategy (dev/test/prod)
• Implement collision prevention using standard namespacing
• Implement isolation by sandboxing development environments per project team
• Allow for an automated promotion process
• Implement a promotion strategy that takes all of the above into account
Slide 32: Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com integration (contacts, leads, etc.)
Slide 33: Q and A
Slide 34: Intermission
Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT
Slide 35: Security with AON
Brook Schoenfield, Senior Security Architect, CSPO
Slide 36: Agenda
• Where Does AON Fit into the Bigger Picture
• What Is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 37: Agenda
• Where Does AON Fit into the Bigger Picture
  What Is Service Oriented Architecture (SOA)
  What Is Application Integration
• What Is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 38: SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)
Slide 39: SOA Is Now
"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects."
Gartner Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001
This is FYQ06; enterprises are looking for that 30% gain
Slide 40: AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"
Slide 41: Cisco IT-Specific Drivers for SOA
• Move from functionally focused IT to business-process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions
Slide 42: Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)
Slide 43: Complexity (and Risk) Increase with Adoption
[Diagram: Partner 1, Partner 2 ... Partner n connected to Self-Service, Inventory Mgmt and Call Center services.]
Slide 44: Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
• The code's internal state is not openly exposed:
  Only well-defined requests are serviced
  Requests do not reveal the service's algorithms
  Requests do not describe the service's state
  Requests provide services, not data access
• Services should not share ACID transactions:
  Transactions imply a certain level of trust; locks may be held for a long time
  Transactions imply a level of coupling (Microsoft Incorporated)
Slide 45: Agenda
• Where Does AON Fit into the Bigger Picture
• What Is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 46: What Role Does AON Play
• Service broker in SOA
• Integration broker in application integration
• Message security integrator
Slide 47: AON and the OSI Stack
[Diagram: the seven OSI layers, with AON's functions placed at the top.]
  Application: message-level protocol (SOAP); content inspection, transformation, security and mapping; content-based routing
  Presentation: ASCII, MPEG, GIF, etc.
  Session: RPC, NFS
  Transport: TCP, UDP
  Network: IP, logical addressing
  Data Link: data translation to frames
  Physical: data bits transmission
Slide 48: Pre-AON Inspection and Operation
[Diagram: IP / TCP / HTTP headers wrapped around an opaque payload.]
Switches, routers, firewalls and "content inspection" operate around the payload; the payload itself is opaque to them.
Slide 49: AON Is Inside the TCP/IP Wrapper
[Diagram: IP / TCP / HTTP headers around the payload; session protocol + content inspection == session and payload.]
Payload/message:
<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  …

Slide 50: AON Is Inside the TCP/IP Wrapper (continued)
Same diagram and payload, adding: optimized for XML payloads
Slide 51: AON == Message Content and Envelope
[Diagram: IP / TCP / HTTP around a SOAP/WS-Security envelope and an HTTP XML message body.]
HTTP envelope (SOAP) messages (XML envelope standards + custom XML) == "deep inspection"
Existing message bodies + custom parsing
Slide 52: Why XML
• TCP/IP gives you network hardware independence
• Java gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
Slide 53: AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3; the version current in 2005, since deprecated in favour of TLS)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital signature
• DMZ-to-application-layer secure connector (like SSH or STA)
Slide 54: These AON Security Functions...
...are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco external-facing services.

[Table: AON security function vs. how each environment provides it today]
Encryption using SSL v3 with bi-directional authentication
  External App Environment 1: Limited
  B2B (WebMethods): WebMethods-specific; requires significant setup effort
  External App Environment 2: Limited
  Other Environments: Limited
XML payload encryption
  External App Environment 1: Custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External App Environment 2: Custom written by each app
  Other Environments: Limited
Protocol translation
  External App Environment 1: Custom written by each application
  B2B (WebMethods): WebMethods-specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies
  External App Environment 2: Custom written by each application
  Other Environments: Custom written and/or product/technology specific
Digital signature
  External App Environment 1: Custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External App Environment 2: Custom written by each app
  Other Environments: Limited
DMZ-to-app-layer secure connector
  External App Environment 1: mod_IIOP over SSH pipes
  B2B (WebMethods): Reverse proxy
  External App Environment 2: STA (Secure Transport Architecture), custom
  Other Environments: Varies for each environment
Slide 55: Before AON: Current Location of Application and Service Support Utilities
[Diagram: Firewall / DMZ / Firewall / Application layer, with three separate stacks (External Env 1, External Env 2, B2B), each ending in its own internal DB. Each stack carries:]
• Environment/technology-specific authentication, SSL v3 termination, DSIG validation, encryption
• Custom, application-based content inspection/routing, schema validation, logging, service versioning
Slide 56: After AON: Future Location of Application and Service Support Utilities
[Diagram: Firewall / DMZ / Firewall / Application layer. Common utilities are provided by AON in the DMZ and in the application layer; business logic (Java, PERL, B2B) with its internal DBs sits behind it. AON-provided functions:]
• SSL termination
• DSIG/cert validation
• Authentication
• Logging
• Content-based routing
• Protocol conversion
• Payload encryption
• Payload decryption
• Schema validation
Slide 57: Agenda
• Where Does AON Fit into the Bigger Picture
• What Is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 58: AON Security
• AON fosters a better network security architecture because it reduces the unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e. layer 7 security implemented in the network device)
• Common and consistent implementation of security functions:
  Digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59: Pre-AON Web Security Architecture
[Diagram: Firewall / DMZ / Firewall / Application Layer. Web servers (WS) in the DMZ; business logic (Java, PERL, B2B) with internal DBs in the application layer.]
Slide 60: Pre-AON SOA/Web Services Security Architecture
[Same diagram as slide 59, with a Web Services gateway (WSGW) added in front of the business logic.]
Slide 61: Pre-AON Attack Vectors
[Same diagram as slide 60: web servers in the DMZ, WSGW and business logic with internal DBs in the application layer.]

Slide 62: Pre-AON Attack Vectors (continued)
Same diagram, with two callouts:
• The network architecture must be changed for the GW (more switches and routers = more ACLs to manage)
• The GW is NOT part of the network: a compromise at layer 3/4 can attack the application layer by going around the GW
Slide 63: A Possible (Simplified) AON Architecture
[Diagram: Firewall / DMZ / Firewall / Application Layer. Web servers in the DMZ; AON in front of the business logic (Java, PERL, B2B) and its internal DBs.]
• AON is part of the network: the application layer is directly connected to the network device
• Message protection is terminated at AON, so no unprotected segment is left exposed as an attack vector
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64: AON Potential Architecture
[Diagram: Firewall / DMZ / Firewall / App Server layer. Clients reach the DMZ AON cluster over HTTP(S); the DMZ and application-layer AON clusters talk over AONSP; the application-layer cluster reaches the endpoints (App1, Svc2, Svc3, a Gateway, a JMS server and an App Dir Svc) over HTTP(S) or JMS. Per-cluster functions: SSL termination, DSIG/cert validation, authentication, logging; payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP to JMS), content-based routing, logging; payload encryption, DSIG, logging.]
Web servers == AON
Common application functions == AON

Slide 65: AON Potential Architecture (continued)
Same diagram, with the build-out steps:
• Replace web servers with AON
• AON terminates HTTPS and provides the other DMZ functions
• Common functions in the application layer, provided by AON, protect the services and logic in the application layer
Slide 66: Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "for application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions
Slide 67: Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68: Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + more standards proposed, an alphabet soup:
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)
Slide 69: AON Implements Messaging Standards
[Diagram: protocol stack, bottom to top: TCP/IP, HTTP, SOAP, WS-Security; alongside it the XML protocol set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML expressions (XSLT). AON sits on top as the security integrator for the SOA.]

Slide 70: Standards Relationships
[Diagram: the same stack (TCP/IP, HTTP, SOAP, WS-Security, with XENC, DSIG and XSLT), now labelled "AON: Accelerated XML Services".]
Slide 71: Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used over the entire message or over parts of a message; uses certificate or key enveloping (WS-Security). DSIG is very general purpose
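The signing and verification that slides 67 and 71 describe, as an added example that is not part of the deck and not AON's own code: Python that signs only the SOAP Body (the element carrying a wsu:Id) and places an XML-DSIG Signature in a WS-Security header, then verifies it. It stands in for the X.509 case with a shared HMAC-SHA256 key (a signature method XML-DSIG does define, chosen so the example runs on the standard library alone); canonicalization is the C14N 2.0 that ElementTree implements rather than the exclusive C14N most WS-Security stacks expect, so the output is not interoperable with them. The namespace URIs are the standard ones; the key, the wsu:Id value and the purchaseOrder body (modelled on the payload on slide 49) are constructed.

```python
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
C14N_ALG = "http://www.w3.org/2010/10/xml-c14n2"          # what ET.canonicalize implements
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"
for prefix, uri in (("soap", SOAP), ("ds", DS), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(prefix, uri)

KEY = b"constructed-demo-key-not-for-production"   # assumption: shared HMAC key, stands in for an X.509 key pair

# Constructed request: the Body carries a wsu:Id so a ds:Reference can point at it.
SAMPLE_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}">
  <soap:Header/>
  <soap:Body wsu:Id="body">
    <purchaseOrder orderDate="1999-10-20">
      <shipTo country="US"><name>Alice Smith</name><zip>90952</zip></shipTo>
    </purchaseOrder>
  </soap:Body>
</soap:Envelope>"""


def _c14n(elem):
    """Canonical bytes of one element; the tail text is dropped so sibling context is not signed."""
    elem = copy.deepcopy(elem)
    elem.tail = None
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), rewrite_prefixes=True).encode()


def _digest(elem):
    return base64.b64encode(hashlib.sha256(_c14n(elem)).digest()).decode()


def _find_by_id(root, ref_id):
    return next((e for e in root.iter() if e.get(f"{{{WSU}}}Id") == ref_id), None)


def sign(envelope_xml, ref_id, key):
    """Add a ds:Signature to the WS-Security header that covers only the element whose wsu:Id is ref_id."""
    root = ET.fromstring(envelope_xml)
    target = _find_by_id(root, ref_id)
    if target is None:
        raise ValueError(f"no element with wsu:Id={ref_id!r}")
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        root.insert(0, header)
    sig = ET.SubElement(ET.SubElement(header, f"{{{WSSE}}}Security"), f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(info, f"{{{DS}}}CanonicalizationMethod", Algorithm=C14N_ALG)
    ET.SubElement(info, f"{{{DS}}}SignatureMethod", Algorithm=SIG_ALG)
    ref = ET.SubElement(info, f"{{{DS}}}Reference", URI="#" + ref_id)
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=DIGEST_ALG)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = _digest(target)   # digest of the signed part
    mac = hmac.new(key, _c14n(info), hashlib.sha256).digest()           # MAC over SignedInfo only
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")


def verify(envelope_xml, key):
    """True only if the MAC over SignedInfo checks and every referenced part still matches its digest."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return False
    sig = root.find(f".//{{{DS}}}Signature")
    info = sig.find(f"{{{DS}}}SignedInfo") if sig is not None else None
    if info is None:
        return False
    # Pin the algorithm: the message must not be allowed to pick a weaker one.
    method = info.find(f"{{{DS}}}SignatureMethod")
    if method is None or method.get("Algorithm") != SIG_ALG:
        return False
    try:
        claimed = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue", ""))
    except ValueError:
        return False
    if not hmac.compare_digest(claimed, hmac.new(key, _c14n(info), hashlib.sha256).digest()):
        return False
    refs = info.findall(f"{{{DS}}}Reference")
    if not refs:
        return False
    for ref in refs:
        target = _find_by_id(root, ref.get("URI", "")[1:])
        if target is None or ref.findtext(f"{{{DS}}}DigestValue") != _digest(target):
            return False
    return True
```

Because the Reference points at one element, a change anywhere else in the envelope (a header added by an intermediary, say) leaves the signature valid, while any change inside the Body fails the digest check. The verifier pins the signature algorithm instead of trusting the one the message names; that is the check that stops algorithm-substitution attacks against DSIG verifiers, and a real deployment would pin the canonicalization and digest algorithms the same way.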
Slide 72: Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Note that the integrity comes from the transport's MAC or from a DSIG over the data, not from XML Encryption by itself: an encrypted but unsigned XENC element can be altered without detection.
Slide 73: Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials: X.509 certificate
  Signature validation (DSIG, certificate-based)
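The password-style credentials on this slide, as an added example (not the deck's code and not AON's): HTTP BASIC taken from the Authorization header, and a WS-Security UsernameToken taken from the SOAP header, both resolved against the same store. The in-memory DIRECTORY with its salted PBKDF2 hashes, the user name and the password are constructed stand-ins for the enterprise LDAP store; the namespace URIs are the standard ones. Two details are the point: BASIC is refused unless the connection was TLS-terminated, because the credential is only base64-encoded, and unknown users cost the same as wrong passwords so that user existence does not leak through timing.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed stand-in for the enterprise directory: user -> (salt, password hash).
_SALT = b"constructed-salt"
DIRECTORY = {"partner1": (_SALT, _hash("demo-secret-1", _SALT))}
_DUMMY = (_SALT, bytes(32))   # unknown users still pay for a real hash, no fast path


def check_password(user, password):
    """Constant-time comparison against the stored hash; same cost whether or not the user exists."""
    salt, stored = DIRECTORY.get(user, _DUMMY)
    return hmac.compare_digest(_hash(password, salt), stored)


def basic_header(user, password):
    """Client-side Authorization value (used here only to construct test input)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate_http_basic(headers, tls):
    """HTTP BASIC: accepted only on a TLS-terminated connection, since the credential is merely base64."""
    if not tls:
        return None
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:          # bad base64 (binascii.Error) or bad UTF-8 both subclass ValueError
        return None
    return user if check_password(user, password) else None


def authenticate_soap_header(envelope_xml):
    """WS-Security UsernameToken (PasswordText form) in the SOAP header, checked against the same store."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return None
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return None
    user = token.findtext(f"{{{WSSE}}}Username", "")
    password = token.findtext(f"{{{WSSE}}}Password", "")
    return user if check_password(user, password) else None


def sample_soap(user, password):
    """Constructed request carrying a UsernameToken in its header (test input)."""
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}">
  <soap:Header><wsse:Security><wsse:UsernameToken>
    <wsse:Username>{user}</wsse:Username><wsse:Password>{password}</wsse:Password>
  </wsse:UsernameToken></wsse:Security></soap:Header>
  <soap:Body><orderStatus orderId="SO-1"/></soap:Body>
</soap:Envelope>"""
```

Both entry points return the authenticated principal or None, so the flow downstream can use the same name for its authorization rules whichever credential type the client sent. The PasswordText token above has the same exposure as BASIC and needs the same TLS requirement; the certificate credential on the slide is handled by the signature check rather than by a password lookup.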
Slide 74: Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out of the box)
• A very general-purpose mechanism for controlling message access and routing
Slide 75: Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelet" code that can use the same services as AON's internal content-handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out of the box)
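Slides 44, 74 and 75 describe one flow: inspect, validate, authorize, and let signatures either alarm or block. As an added example (not the deck's code, not AON's, and not the Java bladelet API), here is that flow in Python over the deck's purchaseOrder payload. The ACL table, the signatures, the size limit and the field ranges are hypothetical; a real deployment would load them from policy. The signatures run on the raw text before the parser, which is what keeps a DOCTYPE or entity-expansion payload from ever being expanded.

```python
import re
import xml.etree.ElementTree as ET

MAX_MESSAGE_BYTES = 64 * 1024   # hypothetical limit

# Constructed sample, modelled on the purchaseOrder payload shown on slide 49.
GOOD_REQUEST = """<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <zip>90952</zip>
  </shipTo>
  <item sku="CSC-6500" quantity="2"/>
</purchaseOrder>"""

# Hypothetical authorization rules: which authenticated principal may send which message type.
ACL = {"partner1": {"purchaseOrder", "orderStatus"}, "partner2": {"orderStatus"}}

# Hypothetical content-inspection signatures over the raw message: (name, pattern, action).
# "block" stops the message (firewall behaviour); "alarm" forwards it and raises an event (IDS behaviour).
SIGNATURES = [
    ("doctype-or-entity", re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.I), "block"),
    ("embedded-script", re.compile(r"<script\b|javascript:", re.I), "block"),
    ("sql-keywords-in-text", re.compile(r"\b(?:UNION\s+SELECT|DROP\s+TABLE)\b", re.I), "alarm"),
]


def inspect(raw, principal):
    """Return (verdict, findings); verdict is 'accept', 'alarm' (forward plus event) or 'block'."""
    blocks, alarms = [], []
    if len(raw.encode()) > MAX_MESSAGE_BYTES:
        return "block", ["message exceeds size limit"]

    # 1. Signatures run on the raw text before any parser sees it.
    for name, pattern, action in SIGNATURES:
        if pattern.search(raw):
            (blocks if action == "block" else alarms).append(f"signature {name} matched")
    if blocks:
        return "block", blocks + alarms

    # 2. Message format: must parse, must be the expected root, must carry the required parts.
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return "block", [f"malformed XML: {exc}"] + alarms
    if root.tag != "purchaseOrder":
        blocks.append(f"unexpected root element {root.tag!r}")
    for path in ("shipTo/name", "shipTo/zip"):
        if root.find(path) is None:
            blocks.append(f"missing required element {path}")
    items = root.findall("item")
    if not items:
        blocks.append("no item elements")

    # 3. Data ranges: only well-formed values reach the service.
    zip_code = root.findtext("shipTo/zip", "")
    if not re.fullmatch(r"\d{5}", zip_code):
        blocks.append(f"zip is not a 5-digit code: {zip_code!r}")
    for item in items:
        qty = item.get("quantity", "")
        if not (qty.isdigit() and 1 <= int(qty) <= 1000):
            blocks.append(f"quantity out of range: {qty!r}")
        if not re.fullmatch(r"[A-Z0-9-]{1,32}", item.get("sku", "")):
            blocks.append(f"bad sku: {item.get('sku')!r}")

    # 4. Authorization rule: the flow acts as a message-level ACL.
    if root.tag not in ACL.get(principal, set()):
        blocks.append(f"principal {principal!r} not authorized for {root.tag}")

    if blocks:
        return "block", blocks + alarms
    return ("alarm" if alarms else "accept"), alarms
```

The ordering matters: cheap checks on raw bytes first, then structure, then values, then the authorization decision, so an oversized or entity-laden message is rejected before any parsing cost is spent on it, and the findings list carries every reason rather than only the first, which is what the logging the deck keeps attaching to each AON function needs.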
Slide 76: AON Components
[Diagram: AON blades, the AMC (AON Management Console, used for configuring and provisioning AON modules), the ADS (AON Design Studio, used for developing application policies, "flows") and a log DB.]
Slide 77: Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, at the AON component, and through AON access controls
Slide 78: Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection, content-level ACLs
  Reasonable administrative access controls
Slide 79: Q and A
(Session Number 11657_09_2005_c1)
31copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Best Practices Provisioning and Management
FirewallDMZFirewall
App Server Layer
AON
AON
AON
AON
AON
AON
AON
AON
AON
bull Implement a standard SDLC strategy (devtestprod)
bull Implement collision prevention utilizing standard name spacing
bull Implement isolation by sandboxing development environment by project teams
bull Allow for an automated promotion process
bull Implement a promotion strategy that takes into account all of the above
Log DB
AONSPAONSP
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
32copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Services Leveraging AON
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Background Check
bull Salesforcecom Integration (contacts leads etchellip)
33copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
34copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Intermission
Coming up in the next hourbull Security with AON
bull AON Deployment Timelines within Cisco IT
bull AON Business Case within Cisco IT
35copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Security with AON
Brook Schoenfield Senior Security ArchitectCSPO
36copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
37copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger PictureWhat is Service Oriented Architecture (SOA)
What is Application Integration
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
38copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA
bull Service Oriented Architecture is a different mindset
bull Focus on delivering a service offering (an invoice a purchase order an item or unit that has intrinsic business understanding and value)
bull No longer focus on the programmatic interface (message standards take care of that)
39copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA Is Now
ldquoBy 2005 the aggressive use of Web services will drive a 30 increase in the efficiency of IT development projectsrdquo
Gartner Inc ldquoThe Hype Is Right Web Services Will Deliver Immediate Benefitsrdquo October 2001
This Is FYQ06 Enterprises Are Looking for that 30 Gain
40copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and SOA
bull AON can be a key part of an SOA build out
bull AON provides the necessary security functions
bull Common functions become ldquopart of the networkrdquo
41copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Specific Drivers for SOA
bull Move from functionally focused IT to business process focused
bull Single source of truth
bull Development cyclesmdashreusability
bull Business responsiveness
bull Consistency
bull Security functions
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Healthy Distrust = Security Controls
bull Services should be distrustful of the outside world
bull Not everyone will be served
bull Inspect validate and authenticate requestsThe codersquos internal state is not openly exposed
bull Only well defined requests are serviced
bull Requests do not reveal the servicersquos algorithms
bull Requests do not describe the servicersquos state
bull Requests provide services not data accessServices should not share ACID transactions
bull Transactions imply a certain level of trustLocks may be held for a long time
bull Transactions imply a level of couplingmdashMicrosoft Incorporated
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
Slide 62
Pre-AON Attack Vectors
[Diagram: the slide 60 layout with the WSGW, annotated with two callouts]
• Net architecture must be changed for the GW (more switches and routers = more ACs to manage)
• The GW is NOT part of the network: compromise of layer 3/4 can attack the application layer, going around the GW
Slide 63
A Possible (Simplified) AON Architecture
[Diagram: Firewall | DMZ (Web Servers: WS, WS, WS) | Firewall | Application Layer (Business Logic: Java, PERL, B2B) | Firewall | Internal DBs, with AON in place of the WSGW and a second AON in the application layer]
• AON is part of the network; the app layer is directly connected to the network device
• Message protection is terminated at AON; no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64
AON Potential Architecture
[Diagram: Firewall | DMZ | Firewall | App Server layer. Clients reach AON in the DMZ over HTTP(S); AON forwards over HTTP(S) and JMS to further AON modules in the app server layer, which front App1, Svc2, Svc3, a Gateway, an App Dir Svc and a JMS Server. Labels on the diagram: AON, AONSP, HTTP(S), JMS.]
Functions performed at each AON hop:
• SSL termination, DSIG/cert validation, authentication, logging, etc.
• Payload decryption, schema validation, content inspection/routing, logging
• Protocol conversion (HTTP-2-JMS), content-based routing, logging
• Payload encryption, DSIG, logging, etc.
Callouts:
• Web servers == AON
• Common application functions == AON
Slide 65
AON Potential Architecture
[Diagram: the same DMZ / app server layer layout as slide 64, with the same per-hop function labels]
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer, provided by AON, protect the services and logic in the application layer
Slide 66
Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "for application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions
Slide 67
Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC)
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68
Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  - XML-Signature (DSIG) == digital signature use
  - XML-Encryption (XENC) == encrypt/decrypt use
  - Authenticators
• + More standards proposed (alphabet soup):
  - Web Services Description Language (WSDL)
  - Universal Description, Discovery and Integration (UDDI)
  - Web Services Flow Language (WSFL)
  - Other business rules (BPEL4WS)
Slide 69
AON Implements Messaging Standards
[Diagram: protocol stack, bottom to top: TCP/IP, HTTP, SOAP, WS-Security; alongside it the XML protocol set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT). AON spans the stack as the Security Integrator for SOA.]
Slide 70
Standards Relationships
[Diagram: the same stack as slide 69 (TCP/IP, HTTP, SOAP, WS-Security; XML protocol set: XENC, DSIG, XSLT), with AON labelled "Accelerated XML Services"]
Slide 71
Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used over the entire message or for parts of a message; uses certificate or key enveloping (WSSEC); DSIG is very general purpose
Slide 72
Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Slide 73
Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials
  - X.509 certificate
  - Signature validation (XENC, certificate based)
Slide 74
Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out of the box)
• A very general-purpose mechanism for controlling message access and routing
Slide 75
Deep Content Inspection
• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets" code that can use the same services as AON's internal content-handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out of the box)
Slide 76
AON Components
[Diagram: AON blades at the centre; AMC (AON Mgmt Console), used for configuring and provisioning AON modules; ADS (AON Design Studio), used for developing application policies ("flows"); a LOG DB]
Slide 77
Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, at the AON component, and through AON access controls
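The staging, proofing, approval and role separation on this slide (and the design/development vs. implementation separation of slide 58) can be modelled as a small promotion workflow. This is an added example, not AMC/ADS code; the stage and role names come from the slide, while the promotion rules, the separation-of-duties check and the user names are constructed assumptions.

```python
"""Flow promotion workflow with role checks, modelled on the Access Controls
slide: a flow moves development -> staging -> production, each stage is proofed
and approved before the next, and designers, developers, approvers and
administrators hold distinct rights.  Added example, not AON's AMC/ADS code;
the policy encoded in PROMOTE_ROLE and the checks below are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

STAGES = ("development", "staging", "production")

# Constructed policy: which role may move a flow between two stages.
PROMOTE_ROLE = {
    ("development", "staging"): "developer",
    ("staging", "production"): "administrator",
}


@dataclass
class User:
    name: str
    roles: frozenset


@dataclass
class Flow:
    name: str
    designer: str
    stage: str = "development"
    proofed: dict = field(default_factory=dict)    # stage -> who verified it
    approved_by: str | None = None
    touched_by: set = field(default_factory=set)   # everyone who designed/edited it
    audit: list = field(default_factory=list)      # (action, user, stage) log


class AccessDenied(Exception):
    pass


def _require(user: User, role: str) -> None:
    if role not in user.roles:
        raise AccessDenied(f"{user.name} lacks role {role}")


def design(user: User, name: str) -> Flow:
    """Only designers create flows; a new flow starts in development."""
    _require(user, "designer")
    flow = Flow(name, designer=user.name, touched_by={user.name})
    flow.audit.append(("design", user.name, "development"))
    return flow


def edit(user: User, flow: Flow) -> None:
    """Developers may change a flow only while it is still in development."""
    _require(user, "developer")
    if flow.stage != "development":
        raise AccessDenied("flow is frozen once it leaves development")
    flow.touched_by.add(user.name)
    flow.approved_by = None                 # any edit invalidates a prior approval
    flow.proofed.pop("development", None)   # and the development proof
    flow.audit.append(("edit", user.name, flow.stage))


def proof(user: User, flow: Flow) -> None:
    """Verification of the current stage ('stages can be proofed before deployment')."""
    _require(user, "developer" if flow.stage == "development" else "approver")
    flow.proofed[flow.stage] = user.name
    flow.audit.append(("proof", user.name, flow.stage))


def approve(user: User, flow: Flow) -> None:
    """Approval is granted in staging by someone who did not build the flow."""
    _require(user, "approver")
    if flow.stage != "staging":
        raise AccessDenied("approval is granted in staging only")
    if user.name in flow.touched_by:
        raise AccessDenied("separation of duties: builders may not approve their own flow")
    if "staging" not in flow.proofed:
        raise AccessDenied("staging has not been proofed")
    flow.approved_by = user.name
    flow.audit.append(("approve", user.name, flow.stage))


def promote(user: User, flow: Flow) -> str:
    """Advance one stage if the role, proofing and approval checks all pass."""
    idx = STAGES.index(flow.stage)
    if idx == len(STAGES) - 1:
        raise AccessDenied("already in production")
    nxt = STAGES[idx + 1]
    _require(user, PROMOTE_ROLE[(flow.stage, nxt)])
    if flow.stage not in flow.proofed:
        raise AccessDenied(f"{flow.stage} stage has not been proofed")
    if nxt == "production" and flow.approved_by is None:
        raise AccessDenied("no approval on record for production deployment")
    flow.audit.append(("promote", user.name, nxt))
    flow.stage = nxt
    return nxt


def denied(action, *args) -> bool:
    """True if the action is refused by the access checks (demonstration helper)."""
    try:
        action(*args)
    except AccessDenied:
        return True
    return False


def walk_through() -> Flow:
    """Constructed happy path: design, develop, proof, promote, approve, deploy."""
    dana = User("dana", frozenset({"designer"}))
    dev = User("dev", frozenset({"developer"}))
    ann = User("ann", frozenset({"approver"}))
    admin = User("root", frozenset({"administrator"}))
    flow = design(dana, "order-intake")
    edit(dev, flow); proof(dev, flow); promote(dev, flow)        # development -> staging
    proof(ann, flow); approve(ann, flow); promote(admin, flow)   # staging -> production
    return flow
```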
Slide 78
Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture
  - Combining Layer 3/4 and Layer 7+ security controls
  - Common security functions: signatures, encryption, PKI
  - Deep content inspection, content-level ACLs
  - Reasonable administrative access controls
Slide 79
Q and A
Session Number 11657_09_2005_c1
Slide 32
Cisco IT Services Leveraging AON
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Background Check
• Salesforce.com Integration (contacts, leads, etc.)
Slide 33
Q and A
Slide 34
Intermission
Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT
Slide 35
Security with AON
Brook Schoenfield, Senior Security Architect, CSPO
Slide 36
Agenda
• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls
Slide 37
Agenda
• Where Does AON Fit into the Bigger Picture?
  - What is Service Oriented Architecture (SOA)?
  - What is Application Integration?
• What Is AON?
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls
Slide 38
SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)
Slide 39
SOA Is Now
"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects."
Gartner Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001
This is FYQ06; enterprises are looking for that 30% gain
Slide 40
AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"
Slide 41
Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business-process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions
Slide 42
Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)
Slide 43
Complexity (and Risk) Increase with Adoption
[Diagram: consumers connected to the services: Partner 1, Partner 2, ..., Partner n, Self-Service, Inventory Mgmt, Call Center]
Slide 44
Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
• The code's internal state is not openly exposed
  - Only well-defined requests are serviced
  - Requests do not reveal the service's algorithms
  - Requests do not describe the service's state
  - Requests provide services, not data access
• Services should not share ACID transactions
  - Transactions imply a certain level of trust
  - Locks may be held for a long time
  - Transactions imply a level of coupling (Microsoft Incorporated)
Slide 45
Agenda
• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls
Slide 46
What Role Does AON Play?
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator
Slide 47
AON and the OSI Stack
Layer          Examples
Application    Message-level protocol (SOAP)
Presentation   ASCII, MPEG, GIF, etc.
Session        RPC, NFS
Transport      TCP, UDP
Network        IP, logical addressing
Data Link      Data translation to frames
Physical       Data bits transmission
AON functions overlaid on the upper layers: content-based routing; content inspection, transformation, security & mapping
Slide 48
Pre-AON Inspection and Operation
[Diagram: IP | TCP | HTTP headers wrapping a payload marked "Opaque"]
Switches, routers, firewalls and "content inspection" operate around the payload
Slide 49
AON Is Inside the TCP/IP Wrapper
[Diagram: IP | TCP | HTTP | payload (message), addressed to http://www...]
Session protocol + content inspection == session and payload
Payload/message:
  <?xml version="1.0"?>
  <purchaseOrder orderDate="1999-10-20">
    <shipTo country="US">
      <name>Alice Smith</name>
      <street>123 Maple Street</street>
      <city>Mill Valley</city>
      <state>CA</state>
      <zip>90952</zip>
    </shipTo>
    …
Slide 50
AON Is Inside the TCP/IP Wrapper
[Diagram: same as slide 49 (IP | TCP | HTTP | purchaseOrder payload)]
Session protocol + content inspection == session and payload
Optimized for XML payloads
Slide 51
AON == Message Content and Envelope
[Diagram: IP | TCP | HTTP | HTTP envelope (SOAP) messages (XML envelope standards + custom XML) == "deep inspection"; labels: SOAP, WSEC, http://www..., HTTP, XML message body]
Existing message bodies + custom parsing
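Tying the Flow Security Mechanisms and Deep Content Inspection slides to the purchaseOrder payload shown on slide 49: the following is an added example, not AON code, of a message-level flow that runs content signatures (alarm or block), validates the message format and data ranges, applies an authorization rule to the authenticated principal's roles, and then makes a content-based routing decision. The signature rules, role names, queue names and the closing tail of the slide's purchase order are constructed assumptions.

```python
"""Message-level 'flow' in the style of the AON slides: content signatures,
format validation, data-range validation, an authorization rule and
content-based routing over the slide's purchaseOrder payload.
Added example, not AON code; SIGNATURES, ROLE_FOR_COUNTRY and
ROUTE_FOR_COUNTRY are constructed policy."""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import date

# Content signatures (constructed): (name, pattern, action).  "block" stops the
# message (firewall behaviour); "alarm" records it and lets the flow continue
# (content IDS behaviour).  Run on the raw text, before any XML parsing.
SIGNATURES = [
    ("xml-doctype-or-entity", re.compile(r"<!(DOCTYPE|ENTITY)", re.I), "block"),
    ("oversized-payload", re.compile(r"^.{8192,}$", re.S), "alarm"),  # >8 KiB, constructed
    ("script-in-text", re.compile(r"<script", re.I), "alarm"),
]
# Authorization rule (constructed): role required to order for a destination.
ROLE_FOR_COUNTRY = {"US": "order-submitter-us", "DE": "order-submitter-eu"}
# Content-based routing table (constructed JMS queue names, HTTP-to-JMS style).
ROUTE_FOR_COUNTRY = {"US": "jms:orders.us", "DE": "jms:orders.eu"}
REQUIRED = ("name", "street", "city", "state", "zip")


@dataclass
class Decision:
    allowed: bool
    reason: str = "ok"
    route: str | None = None
    alarms: list = field(default_factory=list)


def run_signatures(raw: str):
    """Return (name of a blocking signature or None, names of alarm signatures)."""
    alarms = []
    for name, pattern, action in SIGNATURES:
        if pattern.search(raw):
            if action == "block":
                return name, alarms
            alarms.append(name)
    return None, alarms


def validate_format(root) -> str | None:
    """Message-format validation: right root element and all required fields."""
    if root.tag != "purchaseOrder" or "orderDate" not in root.attrib:
        return "not a purchaseOrder with an orderDate"
    ship = root.find("shipTo")
    if ship is None or "country" not in ship.attrib:
        return "shipTo/@country missing"
    missing = [t for t in REQUIRED
               if ship.find(t) is None or not (ship.find(t).text or "").strip()]
    return f"missing shipTo fields: {missing}" if missing else None


def validate_ranges(root) -> str | None:
    """Data-range validation on fields the format check has guaranteed exist."""
    try:
        date.fromisoformat(root.get("orderDate"))
    except ValueError:
        return "orderDate is not an ISO date"
    ship = root.find("shipTo")
    country = ship.get("country")
    if country not in ROUTE_FOR_COUNTRY:
        return f"unsupported country {country!r}"
    if country == "US" and not re.fullmatch(r"\d{5}", ship.findtext("zip")):
        return "US zip must be exactly five digits"
    return None


def process(raw: str, principal_roles: set) -> Decision:
    """Run the flow; principal_roles come from an earlier authentication step."""
    blocked, alarms = run_signatures(raw)
    if blocked:
        return Decision(False, f"blocked by signature {blocked}", alarms=alarms)
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return Decision(False, f"malformed XML: {exc}", alarms=alarms)
    err = validate_format(root) or validate_ranges(root)
    if err:
        return Decision(False, err, alarms=alarms)
    country = root.find("shipTo").get("country")
    if ROLE_FOR_COUNTRY[country] not in principal_roles:
        return Decision(False, f"principal lacks role {ROLE_FOR_COUNTRY[country]}", alarms=alarms)
    return Decision(True, route=ROUTE_FOR_COUNTRY[country], alarms=alarms)


# The slide's purchase order, with its elided tail closed off (constructed).
SLIDE_ORDER = """<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name><street>123 Maple Street</street>
    <city>Mill Valley</city><state>CA</state><zip>90952</zip>
  </shipTo>
</purchaseOrder>"""

if __name__ == "__main__":
    print(process(SLIDE_ORDER, {"order-submitter-us"}))
```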
Slide 52
Why XML?
• TCP/IP gives you network HW independence
• JAVA gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
Slide 53
AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital Signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)
Slide 54
These AON Security Functions…
…Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services

AON Security Function: Encryption using SSL V3 with bi-directional authentication
  External App Environment 1: Limited
  B2B (WebMethods): WebMethods specific; requires significant setup effort
  External App Environment 2: Limited
  Other Environments: Limited

AON Security Function: XML Payload Encryption
  External App Environment 1: Custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External App Environment 2: Custom written by each app
  Other Environments: Limited

AON Security Function: Protocol Translation
  External App Environment 1: Custom written by each application
  B2B (WebMethods): WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies
  External App Environment 2: Custom written by each application
  Other Environments: Custom written and/or product/technology specific

AON Security Function: Digital Signature
  External App Environment 1: Custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External App Environment 2: Custom written by each app
  Other Environments: Limited

AON Security Function: DMZ-2-App Layer Secure Connector
  External App Environment 1: mod_IIOP over SSH pipes
  B2B (WebMethods): Reverse Proxy
  External App Environment 2: STA (Secure Transport Architecture), custom
  Other Environments: Varies for each environment
Slide 55
Before AON: Current Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs; three environments (External Env 1, External Env 2, B2B), each carrying its own copy of the following]
• Environment/technology specific: authentication, SSL V3 termination, DSIG validation, encryption
• Custom/application-based: content inspection/routing, schema validation, logging, service versioning
(the same two groups are repeated for External Env 1, External Env 2 and B2B)
Slide 56
After AON: Future Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ (Common Utilities: AON, AON, AON) | Firewall | Application layer (Business Logic: Java, PERL, B2B) | Firewall | Internal DBs]
Common utilities provided by AON:
• SSL termination
• SIG/Cert validation
• Authentication
• Logging
• Content-based routing
• Protocol conversion
• Payload encryption
• Payload decryption
• Schema validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
33copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
34copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Intermission
Coming up in the next hourbull Security with AON
bull AON Deployment Timelines within Cisco IT
bull AON Business Case within Cisco IT
35copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Security with AON
Brook Schoenfield Senior Security ArchitectCSPO
36copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
37copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger PictureWhat is Service Oriented Architecture (SOA)
What is Application Integration
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
38copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA
bull Service Oriented Architecture is a different mindset
bull Focus on delivering a service offering (an invoice a purchase order an item or unit that has intrinsic business understanding and value)
bull No longer focus on the programmatic interface (message standards take care of that)
39copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA Is Now
ldquoBy 2005 the aggressive use of Web services will drive a 30 increase in the efficiency of IT development projectsrdquo
Gartner Inc ldquoThe Hype Is Right Web Services Will Deliver Immediate Benefitsrdquo October 2001
This Is FYQ06 Enterprises Are Looking for that 30 Gain
40copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and SOA
bull AON can be a key part of an SOA build out
bull AON provides the necessary security functions
bull Common functions become ldquopart of the networkrdquo
41copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Specific Drivers for SOA
bull Move from functionally focused IT to business process focused
bull Single source of truth
bull Development cyclesmdashreusability
bull Business responsiveness
bull Consistency
bull Security functions
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Healthy Distrust = Security Controls
bull Services should be distrustful of the outside world
bull Not everyone will be served
bull Inspect validate and authenticate requestsThe codersquos internal state is not openly exposed
bull Only well defined requests are serviced
bull Requests do not reveal the servicersquos algorithms
bull Requests do not describe the servicersquos state
bull Requests provide services not data accessServices should not share ACID transactions
bull Transactions imply a certain level of trustLocks may be held for a long time
bull Transactions imply a level of couplingmdashMicrosoft Incorporated
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
Slide 54: These AON Security Functions…
…Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
[Table: AON security function vs. how it is implemented today in External App Environment 1, B2B (WebMethods), External App Environment 2 and Other Environments]
Encryption using SSL V3 with bi-directional authentication: Env 1: Limited | B2B (WebMethods): WebMethods specific, requires significant setup effort | Env 2: Limited | Other: Limited
XML Payload Encryption: Env 1: Custom written by each app using Java libraries | B2B: Limited | Env 2: Custom written by each app | Other: Limited
Protocol Translation: Env 1: Custom written by each application | B2B: WebMethods specific, limited to WebMethods transactions, interoperates with a limited number of messaging technologies | Env 2: Custom written by each application | Other: Custom written and/or product/technology specific
Digital Signature: Env 1: Custom written by each app using Java libraries | B2B: Limited | Env 2: Custom written by each app | Other: Limited
DMZ-2-App Layer Secure Connector: Env 1: mod_IIOP over SSH pipes | B2B: Reverse Proxy | Env 2: STA (Secure Transport Architecture), custom | Other: Varies for each environment
Slide 55: Before AON: Current Location of Application and Service Support Utilities
[Diagram: firewall / DMZ / firewall / application layer / firewall, with External Env 1, External Env 2 and B2B each in front of its own internal DB. Each of the three environments carries its own copy of:]
• Environment/technology-specific: Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning
Slide 56: After AON: Future Location of Application and Service Support Utilities
[Diagram: the same firewall / DMZ / application layer layout; an AON device now sits in front of each of the Java, PERL and B2B business-logic tiers and their internal DBs, providing the common utilities:]
• SSL Termination • SIG/Cert Validation • Authentication • Logging • Content-based Routing
• Protocol Conversion • Payload Encryption • Payload Decryption • Schema Validation
Slide 57: Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 58: AON Security
• AON fosters a better network security architecture because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e. layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59: Pre-AON Web Security Architecture
[Diagram: firewall / DMZ / firewall / application layer / firewall; web servers (WS) in the DMZ in front of the Java, PERL and B2B business logic, each backed by an internal DB]
Slide 60: Pre-AON SOA/Web Services Security Architecture
[Diagram: as slide 59, with a Web Services gateway (WSGW) added in the application layer]
Slide 61: Pre-AON Attack Vectors
[Diagram: as slide 60, highlighting the paths that bypass the WSGW]
Slide 62: Pre-AON Attack Vectors
[Diagram: as slide 60, with two callouts:]
• Net architecture must be changed for the GW (more switches and routers = more ACs to manage)
• The GW is NOT part of the network: compromise of layer 3/4 can attack the application layer, going around the GW
Slide 63: A Possible (Simplified) AON Architecture
[Diagram: firewall / DMZ / firewall / application layer / firewall; web servers (WS) in the DMZ, AON devices in the application layer in front of the Java, PERL and B2B business logic and their internal DBs]
• AON is part of the network: the app layer is directly connected to the network device
• Message protection is terminated at AON: no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64: AON Potential Architecture
[Diagram: firewall / DMZ / firewall / app server layer. AON devices replace the web servers in the DMZ (HTTP(S) in; HTTP(S) and JMS out), and a second tier of AON devices sits in the app server layer in front of App1, Svc2, Svc3, the App Dir Svc, a Gateway, a JMS Server and AONSP. Function groups called out on the diagram:]
• SSL Termination, DSIG/Cert Validation, Authentication, logging etc.
• Payload Decryption, Schema Validation, Content Inspection/Routing, logging
• Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging
• Payload Encryption, DSIG, logging etc.
Web servers == AON; Common Application functions == AON
Slide 65: AON Potential Architecture (continued)
[Diagram: as slide 64]
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer, provided by AON, protect services and logic in the application layer
Slide 66: Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions
Slide 67: Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC)
• Authentication (HTTP BASIC, LDAP stores, X.509 Certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68: Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + More standards proposed (alphabet soup):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)
Slide 69: AON Implements Messaging Standards
[Diagram: protocol stack TCP/IP, HTTP, SOAP, WS-Security, topped by the XML Protocol Set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT); AON labelled as Security Integrator for SOA]
Slide 70: Standards Relationships
[Diagram: the same stack (TCP/IP, HTTP, SOAP, WS-Security; XML Protocol Set: XENC, DSIG, XSLT), with AON labelled as Accelerated XML Services]
Slide 71: Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used on the entire message or for parts of a message; uses certificate or key enveloping (WSSEC); DSIG is very general purpose
Slide 72: Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Slide 73: Authentication
• HTTP BASIC
• SOAP Enveloped (header)
• Enterprise LDAP (Directory) stores
• Different types of credentials: X.509 Certificate
  Signature validation (XENC, certificate based)
Slide 74: Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general purpose mechanism for controlling message access and routing
Slide 75: Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets" code that can use the same services as AON's internal content handling code; ergo, handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a Firewall (because signatures do not come out-of-the-box)
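As an added illustration (not AON code, nor any Cisco flow), the following Python sketches an inspection flow over the purchase-order message from slide 49 that applies the mechanisms listed on the last two slides: message-format validation, data-range validation, an authorization rule used as a message-level ACL, and content signatures that either raise an alarm (content IDS) or stop the message (firewall behaviour). The principal names, ACL table, allow-lists and thresholds are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample message, modelled on the purchase order shown on slide 49.
SAMPLE_PO = """<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>"""

MAX_MESSAGE_BYTES = 64 * 1024   # format rule: hard cap on message size (constructed)
MAX_TEXT_NODE = 256             # content-IDS rule: unusually long text node (constructed)

# Hypothetical message-level ACL: which root elements each authenticated principal
# may send. The principal is assumed to come from an earlier authentication stage
# (HTTP BASIC, X.509, ...) that this example does not model.
MESSAGE_ACL = {
    "partner1": {"purchaseOrder"},
    "partner2": {"orderStatus"},
}

# Content signatures over the raw message: (name, predicate, action).
# "alarm" records an alert and lets the message through (content IDS);
# "drop" stops the flow (firewall behaviour).
SIGNATURES = [
    # A DOCTYPE has no business in these messages; refuse it before parsing.
    ("doctype-declaration", lambda raw: "<!DOCTYPE" in raw, "drop"),
]


@dataclass
class Verdict:
    action: str                              # "forward", "alarm" or "drop"
    findings: list = field(default_factory=list)


def validate_format(root):
    """Message-format validation against the expected purchase-order shape."""
    problems = []
    if root.tag != "purchaseOrder":
        return [f"unexpected root element {root.tag!r}"]
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", root.get("orderDate", "")):
        problems.append("orderDate missing or not YYYY-MM-DD")
    ship = root.find("shipTo")
    if ship is None:
        return problems + ["shipTo element missing"]
    for child in ("name", "street", "city", "state", "zip"):
        if ship.findtext(child) is None:
            problems.append(f"shipTo/{child} missing")
    return problems


def validate_ranges(root):
    """Data-range validation on fields the format check has already required."""
    problems = []
    ship = root.find("shipTo")
    if ship.get("country") not in {"US", "CA"}:          # constructed allow-list
        problems.append("shipTo/@country not in allowed set")
    if not re.fullmatch(r"[A-Z]{2}", ship.findtext("state", "")):
        problems.append("shipTo/state is not a two-letter code")
    if not re.fullmatch(r"\d{5}", ship.findtext("zip", "")):
        problems.append("shipTo/zip is not five digits")
    return problems


def inspect(raw: str, principal: str) -> Verdict:
    """Run the flow: size cap -> signatures -> parse -> format -> ranges -> ACL."""
    verdict = Verdict("forward")
    if len(raw.encode("utf-8")) > MAX_MESSAGE_BYTES:
        return Verdict("drop", ["message exceeds size cap"])
    for name, matches, action in SIGNATURES:
        if matches(raw):
            verdict.findings.append(f"signature {name}")
            if action == "drop":
                return Verdict("drop", verdict.findings)
            verdict.action = "alarm"
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return Verdict("drop", verdict.findings + [f"not well-formed XML: {exc}"])
    # An unusually long text node is worth an alarm but not, by itself, a drop.
    if any(len(el.text or "") > MAX_TEXT_NODE for el in root.iter()):
        verdict.findings.append("oversized text node")
        verdict.action = "alarm"
    # Range checks only run once the format check has passed (empty problem list).
    problems = validate_format(root) or validate_ranges(root)
    if problems:
        return Verdict("drop", verdict.findings + problems)
    if root.tag not in MESSAGE_ACL.get(principal, set()):
        return Verdict("drop", verdict.findings + [f"{principal} not authorized for {root.tag}"])
    return verdict


if __name__ == "__main__":
    print(inspect(SAMPLE_PO, "partner1"))   # forwarded, no findings
    print(inspect(SAMPLE_PO, "partner2"))   # dropped by the message-level ACL
```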
Slide 76: AON Components
[Diagram: AON Blades with a LOG DB; AMC (AON Mgmt Console) used for configuring and provisioning AON modules; ADS (AON Design Studio) used for developing application policies ("Flows")]
Slide 77: Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at device, AON component and through AON access controls
Slide 78: Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection: content-level ACLs
  Reasonable administrative access controls
Slide 79: Q and A
Session Number 11657_09_2005_c1
Slide 34: Intermission
Coming up in the next hour:
• Security with AON
• AON Deployment Timelines within Cisco IT
• AON Business Case within Cisco IT
Slide 35: Security with AON
Brook Schoenfield, Senior Security Architect, CSPO
Slide 36: Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 37: Agenda
• Where Does AON Fit into the Bigger Picture
  What is Service Oriented Architecture (SOA)
  What is Application Integration
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 38: SOA
• Service Oriented Architecture is a different mindset
• Focus on delivering a service offering (an invoice, a purchase order, an item or unit that has intrinsic business understanding and value)
• No longer focus on the programmatic interface (message standards take care of that)
Slide 39: SOA Is Now
"By 2005, the aggressive use of Web services will drive a 30% increase in the efficiency of IT development projects"
Gartner Inc., "The Hype Is Right: Web Services Will Deliver Immediate Benefits", October 2001
This Is FYQ06: Enterprises Are Looking for that 30% Gain
Slide 40: AON and SOA
• AON can be a key part of an SOA build-out
• AON provides the necessary security functions
• Common functions become "part of the network"
Slide 41: Cisco IT Specific Drivers for SOA
• Move from functionally focused IT to business process focused
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions
Slide 42: Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandize Authorization)
• Lead management integration (contacts, leads, etc.)
Slide 43: Complexity (and Risk) Increase with Adoption
[Diagram: Partner 1, Partner 2 ... Partner n connected to the Self-Service, Inventory Mgmt and Call Center services]
Slide 44: Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
The code's internal state is not openly exposed:
• Only well-defined requests are serviced
• Requests do not reveal the service's algorithms
• Requests do not describe the service's state
• Requests provide services, not data access
Services should not share ACID transactions:
• Transactions imply a certain level of trust
• Locks may be held for a long time
• Transactions imply a level of coupling
(Microsoft Incorporated)
Slide 45: Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 46: What Role Does AON Play
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator
Slide 47: AON and the OSI Stack
[Diagram: the OSI layers with their usual protocols, and the AON functions overlaid at the upper layers]
Application: Message Level Protocol (SOAP)
Presentation: ASCII, MPEG, GIF etc.
Session: RPC, NFS
Transport: TCP, UDP
Network: IP Logical Addressing
Data Link: Data Translation to Frames
Physical: Data Bits Transmission
AON functions at the upper layers: Content-Based Routing; Content Inspection, Transformation, Security & Mapping
Slide 48: Pre-AON Inspection and Operation
[Diagram: IP / TCP / HTTP headers with the payload marked Opaque]
Switches, Routers, Firewalls: "Content Inspection" operates around the payload
Slide 49: AON Is Inside the TCP/IP Wrapper
[Diagram: IP / TCP / HTTP headers (Http://www), followed by the payload/message]
Session Protocol + Content Inspection == Session and Payload
Payload/Message:
<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  …
Slide 50: AON Is Inside the TCP/IP Wrapper (build of slide 49)
[Diagram: as slide 49]
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
35copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Security with AON
Brook Schoenfield Senior Security ArchitectCSPO
36copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
37copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger PictureWhat is Service Oriented Architecture (SOA)
What is Application Integration
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
38copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA
bull Service Oriented Architecture is a different mindset
bull Focus on delivering a service offering (an invoice a purchase order an item or unit that has intrinsic business understanding and value)
bull No longer focus on the programmatic interface (message standards take care of that)
39copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA Is Now
ldquoBy 2005 the aggressive use of Web services will drive a 30 increase in the efficiency of IT development projectsrdquo
Gartner Inc ldquoThe Hype Is Right Web Services Will Deliver Immediate Benefitsrdquo October 2001
This Is FYQ06 Enterprises Are Looking for that 30 Gain
40copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and SOA
bull AON can be a key part of an SOA build out
bull AON provides the necessary security functions
bull Common functions become ldquopart of the networkrdquo
41copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Specific Drivers for SOA
bull Move from functionally focused IT to business process focused
bull Single source of truth
bull Development cyclesmdashreusability
bull Business responsiveness
bull Consistency
bull Security functions
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Healthy Distrust = Security Controls
bull Services should be distrustful of the outside world
bull Not everyone will be served
bull Inspect validate and authenticate requestsThe codersquos internal state is not openly exposed
bull Only well defined requests are serviced
bull Requests do not reveal the servicersquos algorithms
bull Requests do not describe the servicersquos state
bull Requests provide services not data accessServices should not share ACID transactions
bull Transactions imply a certain level of trustLocks may be held for a long time
bull Transactions imply a level of couplingmdashMicrosoft Incorporated
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
Slides 49-50: AON Is Inside the TCP/IP Wrapper
IP | TCP | HTTP | payload (message)
Session protocol + content inspection == both the session and the payload are visible. Where an HTTP proxy stops at the URL (http://www...), AON parses the message carried in the body, for example:

<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  ...

Optimized for XML payloads.
Slide 51: AON == Message Content and Envelope
IP | TCP | HTTP | HTTP envelope (SOAP) | message (XML envelope standards + custom XML)
"Deep inspection" covers the SOAP/WS-Security envelope (SOAP, WSEC, http://www...) as well as the XML message body: existing message bodies plus custom parsing.
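To make the header-versus-payload distinction on slides 48 to 51 concrete, here is an added example written for this page (it is not Cisco's AON code) using only Python's standard library: a minimal HTTP/SOAP inspector that first records what a packet filter or HTTP proxy can see (method, path, headers and an opaque body), then opens the body, rejects entity declarations before the parser ever sees them, and routes the purchaseOrder from the slide by its shipTo country. The request bytes, the destination names and the `text/xml` requirement are constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"

# Constructed sample request: an HTTP/SOAP envelope around the purchaseOrder shown on the slide.
REQUEST = (
    b"POST /orders HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: text/xml; charset=utf-8\r\n"
    b'SOAPAction: "urn:example:submitOrder"\r\n'
    b"\r\n"
    b'<?xml version="1.0"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
    b'<purchaseOrder orderDate="1999-10-20"><shipTo country="US">'
    b"<name>Alice Smith</name><street>123 Maple Street</street>"
    b"<city>Mill Valley</city><state>CA</state><zip>90952</zip>"
    b"</shipTo></purchaseOrder></soap:Body></soap:Envelope>"
)

# Hypothetical service names used only for this example.
ROUTES = {"US": "order-svc-us"}
DEFAULT_ROUTE = "order-svc-intl"


def header_view(raw: bytes):
    """The layer 3/4 + HTTP view: request line and headers; the body is just opaque bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def route(raw: bytes) -> dict:
    """The AON-style view: parse the message and decide where it goes based on its content."""
    method, path, headers, body = header_view(raw)
    decision = {"method": method, "path": path, "body_bytes": len(body)}
    if method != "POST" or not headers.get("content-type", "").startswith("text/xml"):
        return {**decision, "action": "reject", "reason": "not a SOAP-over-HTTP request"}

    # Content signature applied before the parser runs: a DOCTYPE or ENTITY declaration has no
    # business in a SOAP message and is the vehicle for entity expansion (billion laughs) and XXE.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return {**decision, "action": "block", "reason": "entity declaration in message"}

    try:
        envelope = ET.fromstring(body)
    except ET.ParseError as exc:
        return {**decision, "action": "reject", "reason": "malformed XML: %s" % exc}

    soap_body = envelope.find(SOAP_NS + "Body")
    if soap_body is None or len(soap_body) != 1:
        return {**decision, "action": "reject", "reason": "envelope must carry exactly one operation"}

    operation = soap_body[0]
    if operation.tag != "purchaseOrder":
        return {**decision, "action": "reject", "reason": "unknown operation %s" % operation.tag}

    ship_to = operation.find("shipTo")
    country = ship_to.get("country") if ship_to is not None else None
    if not country:
        return {**decision, "action": "reject", "reason": "purchaseOrder without shipTo/@country"}

    # Content-based routing: the decision depends on a value a packet filter never sees.
    return {**decision, "action": "forward", "operation": operation.tag,
            "country": country, "destination": ROUTES.get(country, DEFAULT_ROUTE)}


if __name__ == "__main__":
    print(route(REQUEST))
```

The pre-parse check is the point to notice: the cheapest "signature" is a byte match that runs before any XML library is exposed to attacker-controlled input, which is the same ordering a content firewall uses.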
Slide 52: Why XML
• TCP/IP gives you network hardware independence
• Java gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
Slide 53: AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3 in this 2005 deck; SSL v3 has since been deprecated by RFC 7568, so a current deployment would terminate TLS 1.2 or later instead)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital signature
• DMZ-to-application-layer secure connector (like SSH or STA)
Slide 54: These AON Security Functions...
...are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco external-facing services.

AON security function | External app environment 1: B2B (WebMethods) | External app environment 2 | Other environments
Encryption using SSL v3 with bi-directional authentication | Limited: WebMethods specific, requires significant setup effort | Limited | Limited
XML payload encryption | Custom, written by each app using Java libraries | Limited; custom, written by each app | Limited
Protocol translation | Custom, written by each application: WebMethods specific, limited to WebMethods transactions, interoperates with a limited number of messaging technologies | Custom, written by each application | Custom written and/or product/technology specific
Digital signature | Custom, written by each app using Java libraries | Limited; custom, written by each app | Limited
DMZ-to-app-layer secure connector | mod_IIOP over SSH pipes | Reverse proxy | STA (Secure Transport Architecture), custom; varies for each environment
Slide 55: Before AON: Current Location of Application and Service Support Utilities
Firewall | DMZ | Firewall | Application layer | Firewall | Internal DBs
External Env 1, External Env 2 and B2B each carry their own copy of the support utilities:
• Environment/technology-specific authentication, SSL v3 termination, DSIG validation, encryption
• Custom, application-based content inspection/routing, schema validation, logging, service versioning
Each path ends at its own internal DB.
Slide 56: After AON: Future Location of Application and Service Support Utilities
Firewall | DMZ: common utilities in AON | Firewall | Application layer: business logic (Java, PERL, B2B) | Firewall | Internal DBs
Common utilities moved into AON:
• SSL termination
• Signature/certificate validation
• Authentication
• Logging
• Content-based routing
• Protocol conversion
• Payload encryption
• Payload decryption
• Schema validation
Slide 57: Agenda
• Where Does AON Fit into the Bigger Picture
• What Is AON
• AON Security Features/Architecture
  - Combining Layer 3/4 and Layer 7+
  - Common Security Functions
  - Deep Content Inspection
  - Access Controls
Slide 58: AON Security
• AON fosters a better network security architecture because it reduces the unprotected segments between the applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e. layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACLs), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development from implementation
Slide 59: Pre-AON Web Security Architecture
Firewall | DMZ: web servers (WS, WS, WS) | Firewall | Application layer: business logic (Java, PERL, B2B) | Firewall | Internal DBs

Slide 60: Pre-AON SOA/Web Services Security Architecture
Same layout, with a web services gateway (WSGW) added in the application layer in front of the business logic.

Slides 61-62: Pre-AON Attack Vectors
• The network architecture must be changed to insert the gateway (more switches and routers = more access controls to manage)
• The gateway is NOT part of the network: a compromise at layer 3/4 can attack the application layer directly, going around the gateway
Slide 63: A Possible (Simplified) AON Architecture
Firewall | DMZ: web servers (WS, WS, WS) | Firewall | Application layer: AON in front of the business logic (Java, PERL, B2B) | Firewall | Internal DBs
• AON is part of the network: the application layer is directly connected to the network device
• Message protection is terminated at AON, so no attack vector is exposed between the network device and the application layer (contrast the bypassable gateway on slide 62)
• AON can be dropped into an existing layered architecture without changing the security boundaries
The trade-off to keep in mind: AON then becomes the enforcement point for every message, so its own management plane (AMC, ADS and flow deployment) needs the administrative access controls described later in this deck.
Slides 64-65: AON Potential Architecture
Firewall | DMZ | Firewall | App server layer
• DMZ tier: AON replaces the web servers ("web servers == AON"). It terminates HTTP(S) from the outside (SSL termination, DSIG/certificate validation, authentication, logging, etc.) and forwards over HTTP(S) into the app server layer.
• App server layer, first hop: AON provides the common application functions ("common application functions == AON"): payload decryption, schema validation, content inspection/routing, logging.
• App server layer, integration: AON performs protocol conversion (HTTP to JMS), content-based routing and logging toward the JMS server and the App Dir Svc, and payload encryption, DSIG and logging on the way out; the Gateway, App1, Svc2 and Svc3 are reached over HTTP(S) or JMS. (The diagram also shows an element labelled AONSP among the AON instances; the deck does not expand the label.)
Slide 65 callouts:
• Replace the web servers with AON
• AON terminates HTTPS and provides the other DMZ functions
• Common functions in the application layer, provided by AON, protect the services and logic in the application layer
Slide 66: Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than in algorithms
• A good maxim is to implement common or tricky services as part of the infrastructure: "for application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions
Slide 67: Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68: Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  - XML-Signature (DSIG) == digital signature use
  - XML-Encryption (XENC) == encrypt/decrypt use
  - Authenticators
• + more standards proposed (alphabet soup):
  - Web Services Description Language (WSDL)
  - Universal Description, Discovery and Integration (UDDI)
  - Web Services Flow Language (WSFL)
  - Other business rules (BPEL4WS)
Slide 69: AON Implements Messaging Standards
Protocol stack, bottom to top:
TCP/IP
HTTP
SOAP
WS-Security
XML protocol set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT)
AON: Security Integrator, SOA

Slide 70: Standards Relationships
Same stack; AON shown as Accelerated XML Services on top of it.
Slide 71: Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used for the entire message or for parts of a message; uses certificate or key enveloping (WS-SEC); DSIG is very general purpose
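As an added illustration (written for this page, not AON's or Cisco's code) of signing a part of a message rather than the whole, the Python block below signs only the SOAP Body: it canonicalizes the Body with the standard library's C14N 2.0 implementation (`xml.etree.ElementTree.canonicalize`, Python 3.8 or later), hashes it, and signs the digest. The standard library has no RSA, so an HMAC over a shared key stands in for the X.509/RSA signature that WS-Security would carry; the envelope, the routing header and the key are constructed for the example. What it shows is why canonicalization matters in XML-Signature: an intermediary can reformat the message or rewrite the header (routing, tracing) without breaking the signature, while any change inside the signed Body is detected.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "{http://schemas.xmlsoap.org/soap/envelope/}"

# Constructed demo key; in the WS-Security setting this would be the sender's X.509 private key.
KEY = b"constructed-demo-key"

# Constructed message: the slide's purchaseOrder inside a SOAP envelope with a routing header.
ORIGINAL = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <route hop="dmz"/>
  </soap:Header>
  <soap:Body>
    <purchaseOrder orderDate="1999-10-20">
      <shipTo country="US">
        <name>Alice Smith</name>
        <street>123 Maple Street</street>
        <city>Mill Valley</city>
        <state>CA</state>
        <zip>90952</zip>
      </shipTo>
    </purchaseOrder>
  </soap:Body>
</soap:Envelope>"""

# The same message after an intermediary: one line, another namespace prefix, a rewritten header.
REFORMATTED = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    '<SOAP-ENV:Header><route hop="app-layer"/><trace id="7"/></SOAP-ENV:Header>'
    '<SOAP-ENV:Body><purchaseOrder orderDate="1999-10-20"><shipTo country="US">'
    "<name>Alice Smith</name><street>123 Maple Street</street><city>Mill Valley</city>"
    "<state>CA</state><zip>90952</zip></shipTo></purchaseOrder></SOAP-ENV:Body>"
    "</SOAP-ENV:Envelope>"
)

# A tampered copy: the shipping address inside the signed Body has been changed.
TAMPERED = ORIGINAL.replace("123 Maple Street", "1 Attacker Way")


def canonical_body(envelope_xml: str) -> bytes:
    """Serialize only the SOAP Body and put it in canonical form (C14N 2.0 via the stdlib)."""
    body = ET.fromstring(envelope_xml).find(SOAP_NS + "Body")
    if body is None:
        raise ValueError("message has no SOAP Body")
    body.tail = None  # whitespace after </Body> belongs to the Envelope, not to the signed part
    serialized = ET.tostring(body, encoding="unicode")
    # strip_text drops insignificant whitespace; rewrite_prefixes makes soap: and SOAP-ENV: equal.
    return ET.canonicalize(serialized, strip_text=True, rewrite_prefixes=True).encode("utf-8")


def sign_body(envelope_xml: str, key: bytes) -> str:
    """Digest the canonical Body, then sign the digest (HMAC-SHA256 standing in for RSA)."""
    digest = hashlib.sha256(canonical_body(envelope_xml)).digest()
    return hmac.new(key, digest, hashlib.sha256).hexdigest()


def verify_body(envelope_xml: str, key: bytes, signature: str) -> bool:
    """True only if the Body of envelope_xml canonicalizes to exactly what was signed."""
    try:
        expected = sign_body(envelope_xml, key)
    except (ValueError, ET.ParseError):
        return False
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    sig = sign_body(ORIGINAL, KEY)
    print("original   :", verify_body(ORIGINAL, KEY, sig))
    print("reformatted:", verify_body(REFORMATTED, KEY, sig))
    print("tampered   :", verify_body(TAMPERED, KEY, sig))
```

In a real WS-Security message the signature, the digest algorithm and a reference to the signed element travel in the `wsse:Security` header; the canonicalize-then-digest step is the part that does not change when the HMAC is swapped for an RSA signature over an X.509 key.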
Slide 72: Encryption/Decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Note: encryption by itself provides confidentiality. The integrity listed here comes from the record MAC in the SSL case; for XENC, whose 2002 specification defines only CBC modes that do not authenticate the ciphertext, it has to come from a DSIG over the encrypted content.
Slide 73: Authentication
• HTTP BASIC (only on an SSL-terminated connection, since the credentials are merely base64-encoded)
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials: X.509 certificate
• Signature validation (DSIG, certificate based)
Slide 74: Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out of the box)
• A very general-purpose mechanism for controlling message access and routing
Slide 75: Deep Content Inspection
• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelet" code that can use the same services as AON's internal content-handling code, and so handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out of the box)
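Slides 67, 74 and 75 describe flows as message-level ACLs, format and range validators, and IDS or firewall signatures, but the deck gives no flow syntax. The block below is an added example in plain Python (not ADS flow code and not AON's) of the same pipeline: raw-byte signatures that either alarm or block, parsing, a WS-Security UsernameToken check against a constructed credential table standing in for the LDAP or X.509 validation the slides mention, an operation-to-principal ACL, and format and data-range checks on the purchaseOrder. Every name, credential, signature and message here is constructed for the example.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"

# --- Flow policy, all constructed for this example ---------------------------------------
# Credential table standing in for the LDAP/X.509 check the slides describe: user -> sha256(pw).
CREDENTIALS = {"partner1": hashlib.sha256(b"correct horse").hexdigest(),
               "selfservice": hashlib.sha256(b"battery staple").hexdigest()}
# Message-level ACL: which principals may invoke which operation (the Body's child element).
FLOW_ACL = {"purchaseOrder": {"partner1"}, "orderStatus": {"partner1", "selfservice"}}
# Format rule (exact child order of shipTo) and data-range rules for purchaseOrder.
SHIPTO_FIELDS = ["name", "street", "city", "state", "zip"]
RANGE_RULES = {"state": re.compile(r"^[A-Z]{2}$"), "zip": re.compile(r"^\d{5}(-\d{4})?$")}
# Content signatures over the raw bytes: "block" acts like a firewall, "alarm" like an IDS.
SIGNATURES = [
    (re.compile(rb"<!(DOCTYPE|ENTITY)\b"), "block", "xml-entity-declaration"),
    (re.compile(rb"(?i)<script\b"), "block", "embedded-script"),
    (re.compile(rb"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+"), "alarm", "sql-tautology"),
]


def run_flow(raw: bytes) -> dict:
    """Evaluate one message against the flow; returns action, reason and any alarms raised."""
    alarms = []

    def decision(action, reason=None, **extra):
        return {"action": action, "reason": reason, "alarms": alarms, **extra}

    # 1. Signatures run on the bytes, before the parser is exposed to them.
    for pattern, action, name in SIGNATURES:
        if pattern.search(raw):
            if action == "block":
                return decision("block", "signature:" + name)
            alarms.append(name)
    # 2. Parse.
    try:
        env = ET.fromstring(raw)
    except ET.ParseError as exc:
        return decision("block", "malformed-xml:%s" % exc)
    # 3. Authenticate: wsse:UsernameToken carried in the SOAP Header.
    token = SOAP + "Header/" + WSSE + "Security/" + WSSE + "UsernameToken/"
    user = env.findtext(token + WSSE + "Username")
    password = env.findtext(token + WSSE + "Password")
    if user is None or password is None:
        return decision("block", "unauthenticated")
    expected = CREDENTIALS.get(user)
    if expected is None or not hmac.compare_digest(expected, hashlib.sha256(password.encode()).hexdigest()):
        return decision("block", "bad-credentials")
    # 4. Format: exactly one operation element in the Body.
    body = env.find(SOAP + "Body")
    if body is None or len(body) != 1:
        return decision("block", "malformed-body")
    op = body[0]
    # 5. Authorize: the flow is an ACL keyed on (principal, operation).
    if user not in FLOW_ACL.get(op.tag, set()):
        return decision("block", "not-authorized:%s->%s" % (user, op.tag))
    # 6. Validate the purchaseOrder's shape and data ranges.
    if op.tag == "purchaseOrder":
        ship = op.find("shipTo")
        if ship is None or [child.tag for child in ship] != SHIPTO_FIELDS:
            return decision("block", "schema:shipTo")
        for field, rule in RANGE_RULES.items():
            if not rule.match(ship.findtext(field, "")):
                return decision("block", "range:" + field)
    return decision("allow", principal=user, operation=op.tag)


def envelope(user: str, password: str, body_xml: str) -> bytes:
    """Build a constructed SOAP message with a UsernameToken header around body_xml."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">'
        "<soap:Header><wsse:Security><wsse:UsernameToken><wsse:Username>%s</wsse:Username>"
        "<wsse:Password>%s</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header>"
        "<soap:Body>%s</soap:Body></soap:Envelope>" % (user, password, body_xml)
    ).encode("utf-8")


# Constructed messages: the slide's purchaseOrder and a few variations on it.
PO = ('<purchaseOrder orderDate="1999-10-20"><shipTo country="US"><name>%s</name>'
      "<street>123 Maple Street</street><city>Mill Valley</city><state>CA</state>"
      "<zip>%s</zip></shipTo></purchaseOrder>")
GOOD = envelope("partner1", "correct horse", PO % ("Alice Smith", "90952"))
BAD_ZIP = envelope("partner1", "correct horse", PO % ("Alice Smith", "9O952"))
WRONG_PASSWORD = envelope("partner1", "wrong", PO % ("Alice Smith", "90952"))
NOT_ALLOWED = envelope("selfservice", "battery staple", PO % ("Alice Smith", "90952"))
SUSPICIOUS = envelope("partner1", "correct horse", PO % ("Alice' or '1'='1", "90952"))
BOMB = b'<!DOCTYPE x [<!ENTITY a "aaaaaaaa">]>' + GOOD
```

The ordering is deliberate and matches the slides' split between IDS and firewall behaviour: byte-level signatures decide first, so a blocking signature never lets the message reach the parser, while an alarming one lets the flow continue and only annotates the decision; authentication precedes the ACL so that "not authorized" is only ever reported for a known principal; and the format check runs before the range check so that an unexpected element is rejected outright rather than silently ignored.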
Slide 76: AON Components
• AON blades (the modules themselves)
• AMC (AON Management Console): used for configuring and provisioning AON modules
• ADS (AON Design Studio): used for developing application policies ("flows")
• Log DB
Slide 77: Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, in the AON components and through AON's own access controls.
Slide 78: Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  - Combining layer 3/4 and layer 7+ security controls
  - Common security functions: signatures, encryption, PKI
  - Deep content inspection, content-level ACLs
  - Reasonable administrative access controls
Slide 79: Q and A
Session Number 11657_09_2005_c1
36copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
37copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger PictureWhat is Service Oriented Architecture (SOA)
What is Application Integration
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
38copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA
bull Service Oriented Architecture is a different mindset
bull Focus on delivering a service offering (an invoice a purchase order an item or unit that has intrinsic business understanding and value)
bull No longer focus on the programmatic interface (message standards take care of that)
39copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA Is Now
ldquoBy 2005 the aggressive use of Web services will drive a 30 increase in the efficiency of IT development projectsrdquo
Gartner Inc ldquoThe Hype Is Right Web Services Will Deliver Immediate Benefitsrdquo October 2001
This Is FYQ06 Enterprises Are Looking for that 30 Gain
40copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and SOA
bull AON can be a key part of an SOA build out
bull AON provides the necessary security functions
bull Common functions become ldquopart of the networkrdquo
41copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Specific Drivers for SOA
bull Move from functionally focused IT to business process focused
bull Single source of truth
bull Development cyclesmdashreusability
bull Business responsiveness
bull Consistency
bull Security functions
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Healthy Distrust = Security Controls
bull Services should be distrustful of the outside world
bull Not everyone will be served
bull Inspect validate and authenticate requestsThe codersquos internal state is not openly exposed
bull Only well defined requests are serviced
bull Requests do not reveal the servicersquos algorithms
bull Requests do not describe the servicersquos state
bull Requests provide services not data accessServices should not share ACID transactions
bull Transactions imply a certain level of trustLocks may be held for a long time
bull Transactions imply a level of couplingmdashMicrosoft Incorporated
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
37copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger PictureWhat is Service Oriented Architecture (SOA)
What is Application Integration
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
38copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA
bull Service Oriented Architecture is a different mindset
bull Focus on delivering a service offering (an invoice a purchase order an item or unit that has intrinsic business understanding and value)
bull No longer focus on the programmatic interface (message standards take care of that)
39copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA Is Now
ldquoBy 2005 the aggressive use of Web services will drive a 30 increase in the efficiency of IT development projectsrdquo
Gartner Inc ldquoThe Hype Is Right Web Services Will Deliver Immediate Benefitsrdquo October 2001
This Is FYQ06 Enterprises Are Looking for that 30 Gain
40copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and SOA
bull AON can be a key part of an SOA build out
bull AON provides the necessary security functions
bull Common functions become ldquopart of the networkrdquo
41copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Specific Drivers for SOA
bull Move from functionally focused IT to business process focused
bull Single source of truth
bull Development cyclesmdashreusability
bull Business responsiveness
bull Consistency
bull Security functions
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
The code’s internal state is not openly exposed
• Only well defined requests are serviced
• Requests do not reveal the service’s algorithms
• Requests do not describe the service’s state
• Requests provide services, not data access
Services should not share ACID transactions
• Transactions imply a certain level of trust
• Locks may be held for a long time
• Transactions imply a level of coupling
Source: Microsoft Incorporated

Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls

What Role Does AON Play
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator

AON and the OSI Stack
[Diagram: the OSI layers, with the AON functions placed alongside the upper layers]
Application
Presentation: ASCII, MPEG, GIF etc.
Session: RPC, NFS
Transport: TCP, UDP
Network: IP Logical Addressing
Data Link: Data Translation to Frames
Physical: Data Bits Transmission
AON operates at the upper layers: Message Level Protocol (SOAP); Content Inspection, Transformation, Security & Mapping; Content-Based Routing

Pre-AON Inspection and Operation
[Diagram: IP | TCP | HTTP | payload, with the payload marked Opaque]
Switches, Routers, Firewalls: “Content Inspection” operates around the payload, which stays opaque

AON Is Inside the TCP/IP Wrapper
[Diagram: IP | TCP | HTTP (Http://www) | Payload/Message, with AON inspecting both the session protocol and the payload]
Session Protocol + Content Inspection == Session and Payload
Payload/Message:
<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  …
Optimized for XML Payloads

AON == Message Content and Envelope
[Diagram: IP | TCP | HTTP (Http://www) | SOAP/WSEC envelope | XML Message Body]
HTTP Envelope (SOAP) Messages (XML envelope standards + custom XML) == “Deep Inspection”
Existing Message Bodies + Custom Parsing

Why XML
• TCP/IP gives you network HW independence
• JAVA gives you platform independence (sort’a, kind’a; for the first few years it was “write once, debug everywhere”)
• XML gives you data independence
• Ubiquitous adoption

AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital Signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)

These AON Security Functions…
…Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
[Table: AON Security Function against External App Environment 1 (B2B, WebMethods), External App Environment 2 and Other Environments]
Encryption using SSL V3 with bi-directional authentication
  Environment 1: Limited; WebMethods specific; requires significant setup effort
  Environment 2: Limited
  Other: Limited
XML Payload Encryption
  Environment 1: Custom written by each app using java libraries; Limited
  Environment 2: Custom written by each app
  Other: Limited
Protocol Translation
  Environment 1: Custom written by each application; WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies
  Environment 2: Custom written by each application
  Other: Custom written and/or product/technology specific
Digital Signature
  Environment 1: Custom written by each app using java libraries; Limited
  Environment 2: Custom written by each app
  Other: Limited
DMZ-2-App Layer Secure Connector
  Across the environments: mod_IIOP over SSH pipes, Reverse Proxy, STA (Secure Transport Architecture) or Custom; varies for each environment

Before AON: Current Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ (External Env 1, External Env 2, B2B) | Firewall | Application layer | Firewall | Internal DBs]
Each environment (External Env 1, External Env 2, B2B) carries its own copy of:
• Environment/Technology specific: Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/Application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning

After AON: Future Location of Application and Service Support Utilities
[Diagram: Firewall | DMZ | Firewall | Application layer, with AON modules providing the Common Utilities in front of the Business Logic (Java, PERL, B2B) | Firewall | Internal DBs]
Common utilities moved into AON:
• SSL Termination
• SIG/Cert Validation
• Authentication
• Logging
• Content-based Routing
• Protocol Conversion
• Payload Encryption
• Payload Decryption
• Schema Validation

Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls

AON Security
• AON fosters a better network security architecture because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e. layer 7 security implemented in the network device)
• Common and consistent implementation of security functions
  Digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation

Pre-AON Web Security Architecture
[Diagram: Firewall | DMZ with Web Servers (WS, WS, WS) | Firewall | Application Layer with Business Logic (Java, PERL, B2B) | Firewall | Internal DBs]

Pre-AON SOA/Web Services Security Architecture
[Diagram: the same layered architecture (Web Servers in the DMZ, Business Logic in the Application Layer, Internal DBs), with a gateway (WSGW) added]

Pre-AON Attack Vectors
[Diagram: the same layered architecture with the WSGW, annotated with the attack vectors]
Net architecture must be changed for the GW (more switches and routers = more ACs to manage)
The GW is NOT part of the network: compromise of layer 3/4 can attack the application layer, going around the GW

A Possible (Simplified) AON Architecture
[Diagram: Firewall | DMZ with Web Servers (WS, WS, WS) | Firewall | Application Layer with AON in front of the Business Logic (Java, PERL, B2B) | Firewall | Internal DBs]
AON is part of the network: the app layer is directly connected to the network device
Message protection is terminated at AON: no attack vector is exposed
AON can be dropped into an existing layered architecture without changing the security boundaries

AON Potential Architecture
[Diagram: Firewall | DMZ (AON modules in place of the web servers; HTTP(S) in, HTTP(S) and JMS onward) | Firewall | App Server layer (AON modules in front of App1, Svc2, Svc3, an App Dir Svc, a JMS Server and a Gateway; AON/SP) | DMZ]
Functions per stage:
  SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.
  Payload Decryption, Schema Validation, Content Inspection/Routing, logging
  Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging
  Payload Encryption, DSIG, logging, etc.
Web servers == AON
Common Application functions == AON
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in Application layer provided by AON protect services and logic in application layer

Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: “For application developers, not by application developers”
• AON provides common and consistent implementations of message level security functions

Some of AON’s Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC)
• Authentication (HTTP BASIC, LDAP stores, X-509 Certificate, etc.)
• Something very like access control lists (flows can be used as message level ACLs)
• Data and schema validations (flows can contain XSLT expressions)

Key XML Standards
• WS-SEC or WSEC (WS-Security): An envelope and semantic for
  XML-Signature (DSIG) == Digital signature use
  XML-Encryption (XENC) == Encrypt/decrypt use
  Authenticators
• + More standards proposed (Alphabet soup)
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other Business Rules (BPEL4WS)

AON Implements Messaging Standards
[Diagram: protocol stack TCP/IP, HTTP, SOAP, WS-Security; XML Protocol Set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT); AON as Security Integrator for SOA]

Standards Relationships
[Diagram: the same stack (TCP/IP, HTTP, SOAP, WS-Security; XML Protocol Set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT)), with AON providing Accelerated XML Services]

Digital Signatures (X509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used on the entire message or for parts of a message; use Certificate or key enveloping (WSSEC); DSIG is very general purpose

Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message

Authentication
• HTTP BASIC
• SOAP Enveloped (header)
• Enterprise LDAP (Directory) stores
• Different types of credentials
  X-509 Certificate
  Signature validation (XENC certificate based)

Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general purpose mechanism for controlling message access and routing

Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write java “bladelets” code that can use the same services as AON’s internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a Firewall (because signatures do not come out-of-the-box)

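A miniature version of the flow the two previous slides describe (Flow Security Mechanisms and Deep Content Inspection), as an added example that is not part of the slides or of Cisco's AON code: it runs the purchaseOrder payload shown earlier through message-format validation, a data-range check, an authorization rule, a content signature that raises an alarm and stops the message, and content-based routing. The rule tables, route destinations and sample messages are constructed for the example; in AON the equivalent stages would be built as a flow in ADS.

```python
"""Added example (not Cisco AON code): a miniature message-level flow that runs the
purchaseOrder payload through the stages the slides describe: format validation,
data-range validation, an authorization rule, a content signature that raises an
alarm and stops the message, and content-based routing.  Everything is constructed."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample message: the slide's purchaseOrder, completed to well-formed XML.
SAMPLE_PO = """<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>"""


@dataclass
class Verdict:
    """What the gateway decided for one message (constructed record format)."""
    action: str                      # "route", "drop" or "alarm"
    destination: Optional[str] = None
    log: List[str] = field(default_factory=list)


# Flow stages as rule tables (constructed; in AON they would be built in ADS).
REQUIRED_SHIPTO = ("name", "street", "city", "state", "zip")   # message-format rule
ZIP_RE = re.compile(r"^\d{5}$")                                # data-range rule
SERVED_COUNTRIES = {"US", "CA"}                                # authorization rule
ROUTES = {"US": "jms://orders.us", "CA": "jms://orders.ca"}   # content-based routing
# Content signature, matched on the raw text before parsing so a document carrying
# a DTD or entity declaration never reaches the XML parser (the slides' "content IDS").
SIGNATURES = (
    (re.compile(r"<!(DOCTYPE|ENTITY)", re.I), "DTD or entity declaration in payload"),
)


def inspect(raw: str) -> Verdict:
    """Run one message through the flow stages and return the gateway's verdict."""
    v = Verdict(action="drop")
    # Stage 1: content signatures fire an alarm and stop the message.
    for pattern, alarm in SIGNATURES:
        if pattern.search(raw):
            v.action = "alarm"
            v.log.append(f"ALARM {alarm}; message stopped")
            return v
    # Stage 2: message-format validation (well-formed, expected root and children).
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        v.log.append(f"DROP malformed XML: {exc}")
        return v
    if root.tag != "purchaseOrder":
        v.log.append(f"DROP unexpected root element {root.tag!r}")
        return v
    ship_to = root.find("shipTo")
    if ship_to is None:
        v.log.append("DROP missing shipTo element")
        return v
    missing = [tag for tag in REQUIRED_SHIPTO if ship_to.find(tag) is None]
    if missing:
        v.log.append(f"DROP shipTo missing elements: {missing}")
        return v
    # Stage 3: data-range validation on the fields later stages rely on.
    zip_code = (ship_to.findtext("zip") or "").strip()
    if not ZIP_RE.match(zip_code):
        v.log.append(f"DROP zip out of range: {zip_code!r}")
        return v
    # Stage 4: authorization rule ("not everyone will be served").
    country = ship_to.get("country", "")
    if country not in SERVED_COUNTRIES:
        v.log.append(f"DROP country {country!r} is not served")
        return v
    # Stage 5: content-based routing to the back-end destination.
    v.action = "route"
    v.destination = ROUTES[country]
    v.log.append(f"ROUTE order dated {root.get('orderDate')} to {v.destination}")
    return v


if __name__ == "__main__":
    cases = (
        ("good order", SAMPLE_PO),
        ("unserved country", SAMPLE_PO.replace('country="US"', 'country="FR"')),
        ("bad zip", SAMPLE_PO.replace("90952", "9095A")),
        ("DTD in payload", SAMPLE_PO.replace("<purchaseOrder", "<!DOCTYPE x><purchaseOrder", 1)),
    )
    for label, message in cases:
        verdict = inspect(message)
        print(f"{label:16} -> {verdict.action:5}  {verdict.log[-1]}")
```

The signature stage runs on the raw text before parsing on purpose: a message that would only be rejected by the parser still gets an alarm entry, which is the difference between a firewall rule and a schema failure.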
AON Components
[Diagram: AON Blades, the AMC, the ADS and a LOG DB]
AMC (AON Mgmt Console): Used for Configuring and Provisioning AON Modules
ADS (AON Design Studio): Used for Developing Application Policies (“Flows”)
LOG DB

Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (Development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at device, AON component and through AON access controls

Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco’s SOA
• AON security features/Architecture
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection, content level ACLs
  Reasonable administrative access controls

Q and A
Session Number 11657_09_2005_c1
38copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA
bull Service Oriented Architecture is a different mindset
bull Focus on delivering a service offering (an invoice a purchase order an item or unit that has intrinsic business understanding and value)
bull No longer focus on the programmatic interface (message standards take care of that)
39copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA Is Now
ldquoBy 2005 the aggressive use of Web services will drive a 30 increase in the efficiency of IT development projectsrdquo
Gartner Inc ldquoThe Hype Is Right Web Services Will Deliver Immediate Benefitsrdquo October 2001
This Is FYQ06 Enterprises Are Looking for that 30 Gain
40copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and SOA
bull AON can be a key part of an SOA build out
bull AON provides the necessary security functions
bull Common functions become ldquopart of the networkrdquo
41copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Specific Drivers for SOA
bull Move from functionally focused IT to business process focused
bull Single source of truth
bull Development cyclesmdashreusability
bull Business responsiveness
bull Consistency
bull Security functions
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Healthy Distrust = Security Controls
bull Services should be distrustful of the outside world
bull Not everyone will be served
bull Inspect validate and authenticate requestsThe codersquos internal state is not openly exposed
bull Only well defined requests are serviced
bull Requests do not reveal the servicersquos algorithms
bull Requests do not describe the servicersquos state
bull Requests provide services not data accessServices should not share ACID transactions
bull Transactions imply a certain level of trustLocks may be held for a long time
bull Transactions imply a level of couplingmdashMicrosoft Incorporated
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
39copy 2005 Cisco Systems Inc All rights reserved Cisco Public
SOA Is Now
ldquoBy 2005 the aggressive use of Web services will drive a 30 increase in the efficiency of IT development projectsrdquo
Gartner Inc ldquoThe Hype Is Right Web Services Will Deliver Immediate Benefitsrdquo October 2001
This Is FYQ06 Enterprises Are Looking for that 30 Gain
40copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and SOA
bull AON can be a key part of an SOA build out
bull AON provides the necessary security functions
bull Common functions become ldquopart of the networkrdquo
Slide 41: Cisco IT-Specific Drivers for SOA
• Move from functionally focused IT to business-process focused IT
• Single source of truth
• Development cycles: reusability
• Business responsiveness
• Consistency
• Security functions
Slide 42: Example of Cisco Distributed Services (SOA)
• Product Configurator
• Order Status
• RMA (Return Merchandise Authorization)
• Lead management integration (contacts, leads, etc.)
Slide 43: Complexity (and Risk) Increase with Adoption
[Diagram: service consumers and providers labelled Partner 1, Partner 2 … Partner n, Self-Service, Inventory Mgmt and Call Center]
Slide 44: Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
The code's internal state is not openly exposed:
• Only well-defined requests are serviced
• Requests do not reveal the service's algorithms
• Requests do not describe the service's state
• Requests provide services, not data access
Services should not share ACID transactions:
• Transactions imply a certain level of trust
  Locks may be held for a long time
• Transactions imply a level of coupling
(Source: Microsoft Incorporated)
Slide 45: Agenda
• Where Does AON Fit into the Bigger Picture
• What Is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 46: What Role Does AON Play?
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator
Slide 47: AON and the OSI Stack
Application: Content inspection, transformation, security & mapping
Presentation: ASCII, MPEG, GIF, etc.
Session: RPC, NFS
Transport: TCP, UDP
Network: IP (logical addressing)
Data Link: Data translation to frames
Physical: Data bits transmission
AON functions layered above the transport: Message-level protocol (SOAP), content-based routing
Slide 48: Pre-AON Inspection and Operation
[Diagram: IP | TCP | HTTP | Payload (opaque)]
Switches, routers and firewalls ("content inspection") operate around the payload; the payload itself is opaque to them
Slide 49: AON Is Inside the TCP/IP Wrapper
[Diagram: IP | TCP | HTTP (http://www) | Payload/Message]
Session protocol + content inspection == session and payload
Payload/Message:
<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  …
Slide 50: AON Is Inside the TCP/IP Wrapper (continued)
[Same diagram as slide 49: IP | TCP | HTTP | Payload/Message (the XML purchase order); session protocol + content inspection == session and payload]
Optimized for XML payloads
Slide 51: AON == Message Content and Envelope
[Diagram: IP | TCP | HTTP | HTTP envelope (SOAP) messages; SOAP/WSEC over http://www; HTTP XML message body]
HTTP envelope (SOAP) messages (XML envelope standards + custom XML) == "deep inspection"
Existing message bodies + custom parsing
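As an added example that is not code from the Cisco deck, the following Python separates the HTTP envelope (what a switch, router or firewall sees) from the XML payload (what AON inspects) and then routes the purchase order from the previous slides on its content rather than on its TCP port. The request bytes, the payload size ceiling and the destination names are constructed for this example.

```python
"""Envelope vs. payload inspection and content-based routing (constructed example)."""
import xml.etree.ElementTree as ET

# Constructed payload: the purchase order from the slide, as the service receives it.
PAYLOAD = (
    b'<?xml version="1.0"?>\n'
    b'<purchaseOrder orderDate="1999-10-20">\n'
    b'  <shipTo country="US">\n'
    b'    <name>Alice Smith</name>\n'
    b'    <street>123 Maple Street</street>\n'
    b'    <city>Mill Valley</city>\n'
    b'    <state>CA</state>\n'
    b'    <zip>90952</zip>\n'
    b'  </shipTo>\n'
    b'</purchaseOrder>\n'
)
# Constructed HTTP request wrapping it: the TCP/IP + HTTP "wrapper" of the slide.
SAMPLE_REQUEST = (
    b"POST /orders HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/xml\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(PAYLOAD)
    + PAYLOAD
)

MAX_PAYLOAD = 64 * 1024  # constructed ceiling; size it for the real service


def split_http(raw: bytes):
    """Return (headers, body). Headers are what Layer 3/4 devices route on;
    the body is opaque to them and is what message-level inspection reads."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("malformed request: no header/body separator")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    if int(headers.get("content-length", "0")) != len(body):
        raise ValueError("Content-Length does not match body size")
    return headers, body


def parse_payload(body: bytes) -> ET.Element:
    """Parse with the guards a network-side inspector needs: a size ceiling and
    no DOCTYPE, so internal entity expansion never reaches the parser."""
    if len(body) > MAX_PAYLOAD:
        raise ValueError("payload exceeds size limit")
    if b"<!DOCTYPE" in body:
        raise ValueError("DOCTYPE not allowed in service messages")
    return ET.fromstring(body)


def route(root: ET.Element) -> str:
    """Content-based routing: only a known message type with the fields the
    decision needs is forwarded. Destination names are constructed."""
    if root.tag != "purchaseOrder":
        raise ValueError(f"unknown message type {root.tag!r}")
    ship_to = root.find("shipTo")
    if ship_to is None or ship_to.get("country") is None:
        raise ValueError("purchaseOrder without shipTo/@country")
    return "orders-us" if ship_to.get("country") == "US" else "orders-intl"


def inspect_request(raw: bytes) -> dict:
    headers, body = split_http(raw)
    if not headers.get("content-type", "").startswith("application/xml"):
        raise ValueError("unexpected media type")
    root = parse_payload(body)
    return {
        "route": route(root),
        "orderDate": root.get("orderDate"),
        "shipToName": root.findtext("shipTo/name"),
    }


if __name__ == "__main__":
    print(inspect_request(SAMPLE_REQUEST))
```

The routing decision is made from `shipTo/@country`, a value that exists only inside the payload; nothing in the IP, TCP or HTTP headers carries it, which is the point of the "inside the wrapper" slides.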
Slide 52: Why XML?
• TCP/IP gives you network HW independence
• Java gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
Slide 53: AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital signature
• DMZ-to-application-layer secure connector (like SSH or STA)
Slide 54: These AON Security Functions…
…are currently being performed by custom code or vendor-proprietary tools built into dozens of Cisco external-facing services
Table: AON security function by environment (External App Environment 1 / B2B (WebMethods) / External App Environment 2 / Other Environments)
Encryption using SSL v3 with bi-directional authentication
  External App Environment 1: Limited
  B2B (WebMethods): WebMethods specific; requires significant setup effort
  External App Environment 2: Limited
  Other Environments: Limited
XML payload encryption
  External App Environment 1: Custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External App Environment 2: Custom written by each app
  Other Environments: Limited
Protocol translation
  External App Environment 1: Custom written by each application
  B2B (WebMethods): WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies
  External App Environment 2: Custom written by each application
  Other Environments: Custom written and/or product/technology specific
Digital signature
  External App Environment 1: Custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External App Environment 2: Custom written by each app
  Other Environments: Limited
DMZ-to-app layer secure connector
  External App Environment 1: mod_IIOP over SSH pipes
  B2B (WebMethods): Reverse proxy
  External App Environment 2: STA (Secure Transport Architecture), custom
  Other Environments: Varies for each environment
Slide 55: Before AON: Current Location of Application and Service Support Utilities
[Diagram: DMZ and application layer with firewalls between the zones; External Env 1, External Env 2 and B2B each in front of their own internal DB]
For each of External Env 1, External Env 2 and B2B:
• Environment/technology-specific: authentication, SSL v3 termination, DSIG validation, encryption
• Custom/application-based: content inspection/routing, schema validation, logging, service versioning
Slide 56: After AON: Future Location of Application and Service Support Utilities
[Diagram: DMZ and application layer with firewalls between the zones; common utilities on AON blades in front of the business logic (Java, PERL, B2B) and the internal DBs]
Common utilities provided by AON:
• SSL termination
• SIG/cert validation
• Authentication
• Logging
• Content-based routing
• Protocol conversion
• Payload encryption
• Payload decryption
• Schema validation
Slide 57: Agenda
• Where Does AON Fit into the Bigger Picture
• What Is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 58: AON Security
• AON fosters a better network security architecture because it reduces the unprotected segments between applications and AON
• Use of Layer 3/4 to protect Layer 7 functions (i.e., Layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59: Pre-AON Web Security Architecture
[Diagram: DMZ and application layer with firewalls between the zones; web servers (WS) in the DMZ in front of the business logic (Java, PERL, B2B) and the internal DBs]
Slide 60: Pre-AON SOA/Web Services Security Architecture
[Diagram: as slide 59 (WS in the DMZ, Java, PERL, B2B business logic, internal DBs), with a web services gateway (WS GW) added in the application layer]
Slide 61: Pre-AON Attack Vectors
[Diagram: the slide 60 architecture (WS, WS GW, Java, PERL, B2B, internal DBs) annotated with attack vectors]
Slide 62: Pre-AON Attack Vectors (continued)
[Diagram: the slide 60 architecture with the WS GW, annotated]
• Net architecture must be changed for the GW (more switches and routers = more ACs to manage)
• The GW is NOT part of the network: a compromise of Layer 3/4 can attack the application layer, going around the GW
Slide 63: A Possible (Simplified) AON Architecture
[Diagram: DMZ and application layer with firewalls between the zones; AON in place of the WS GW, in front of the business logic (Java, PERL, B2B) and the internal DBs]
• AON is part of the network: the application layer is directly connected to the network device
• Message protection is terminated at AON: no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64: AON Potential Architecture
[Diagram: Firewall | DMZ | Firewall | App server layer. AON blades in the DMZ take the place of the web servers and terminate HTTP(S); AON blades in the application layer front App1, Svc2, Svc3, the JMS server and the gateway (HTTP(S) and JMS links); AONSP and an App Dir Svc are also shown]
AON callouts on the diagram:
• SSL termination, DSIG/cert validation, authentication, logging, etc.
• Payload decryption, schema validation, content inspection/routing, logging
• Protocol conversion (HTTP-2-JMS), content-based routing, logging
• Payload encryption, DSIG, logging, etc.
Web servers == AON
Common application functions == AON
Slide 65: AON Potential Architecture (continued)
[Same diagram as slide 64]
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer provided by AON protect services and logic in the application layer
Slide 66: Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "for application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions
Slide 67: Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68: Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + More standards proposed (alphabet soup):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)
Slide 69: AON Implements Messaging Standards
[Diagram: XML protocol set (XML-Encryption (XENC), XML-Digital Signature (DSIG), XML expressions (XSLT)) stacked over WS-Security, SOAP, HTTP and TCP/IP; AON shown as the Security Integrator for the SOA]
Slide 70: Standards Relationships
[Diagram: the same stack as slide 69 (XENC, DSIG, XSLT over WS-Security, SOAP, HTTP, TCP/IP); AON shown providing Accelerated XML Services]
Slide 71: Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used over the entire message or for parts of a message; uses certificate or key enveloping (WSSEC); DSIG is very general purpose
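As an added example that is not code from the Cisco deck, the following Python signs one part of an XML message (the element carrying a given Id) and verifies it, which is the "parts of a message" property on this slide: a change inside the signed part is detected, a change outside it is not. The digest is taken over the standard library's C14N 2.0 canonical form, as XML-Signature does over a canonicalized reference. The signature value itself is an HMAC, a stand-in chosen because the standard library has no asymmetric crypto; an HMAC gives integrity and authentication between the two key holders but not non-repudiation, which needs the X.509 private-key signature the slide names. The key and the message are constructed for this example.

```python
"""Sign and verify one part of an XML message (constructed example)."""
import base64
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed shared key. With X.509 + DSIG the signer uses a private key and
# verifiers the certificate's public key; that asymmetry is what gives
# non-repudiation, which this HMAC stand-in cannot provide.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed message: a purchase order to be signed plus an unsigned note.
SAMPLE_MESSAGE = b"""<Envelope>
  <Header><Signature/></Header>
  <Body>
    <purchaseOrder Id="po-1" orderDate="1999-10-20">
      <shipTo country="US"><name>Alice Smith</name><zip>90952</zip></shipTo>
    </purchaseOrder>
    <note>free text the sender does not vouch for</note>
  </Body>
</Envelope>"""


def _find_by_id(root, part_id):
    for elem in root.iter():
        if elem.get("Id") == part_id:
            return elem
    raise ValueError(f"no element with Id={part_id!r}")


def _digest(elem) -> str:
    """SHA-256 over the canonical (C14N 2.0) form of the subtree, so that
    whitespace and attribute order do not matter but content does."""
    part = copy.deepcopy(elem)
    part.tail = None
    canon = ET.canonicalize(ET.tostring(part, encoding="unicode"), strip_text=True)
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()


def sign_part(root, part_id: str, key: bytes = DEMO_KEY) -> dict:
    """Sign the element with Id=part_id and record the result in the header."""
    digest = _digest(_find_by_id(root, part_id))
    signed_info = f"{part_id}|sha256|{digest}".encode()
    mac = hmac.new(key, signed_info, hashlib.sha256).digest()
    sig = root.find("Header/Signature")
    sig.set("Reference", part_id)
    sig.set("DigestValue", digest)
    sig.set("SignatureValue", base64.b64encode(mac).decode())
    return dict(sig.attrib)


def verify_part(root, key: bytes = DEMO_KEY) -> bool:
    sig = root.find("Header/Signature")
    if sig is None or "Reference" not in sig.attrib:
        return False
    try:
        elem = _find_by_id(root, sig.get("Reference"))
        given = base64.b64decode(sig.get("SignatureValue", ""), validate=True)
    except ValueError:                      # missing part or bad encoding
        return False
    digest = sig.get("DigestValue", "")
    if not hmac.compare_digest(_digest(elem), digest):
        return False                        # signed content was altered
    signed_info = f"{sig.get('Reference')}|sha256|{digest}".encode()
    expected = hmac.new(key, signed_info, hashlib.sha256).digest()
    return hmac.compare_digest(expected, given)   # wrong key or swapped digest


def demo() -> dict:
    """Sign the order, then edit outside and inside the signed part."""
    root = ET.fromstring(SAMPLE_MESSAGE)
    sign_part(root, "po-1")
    results = {"intact": verify_part(root),
               "wrong_key": verify_part(root, key=b"some-other-key")}
    root.find(".//note").text = "edited after signing"   # outside the part
    results["unsigned_part_edited"] = verify_part(root)
    root.find(".//zip").text = "00000"                   # inside the part
    results["signed_part_edited"] = verify_part(root)
    return results


if __name__ == "__main__":
    print(demo())
```

Because the reference Id is bound into the signed data, a verifier cannot be pointed at a different element than the one the signer covered; checking the digest before the signature value keeps the two failure modes (content altered vs. key or reference wrong) distinguishable in logs.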
Slide 72: Encryption/Decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Slide 73: Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials:
  X.509 certificate
  Signature validation (XENC, certificate based)
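As an added example that is not code from the Cisco deck, the following Python takes a credential from either of the first two mechanisms on this slide, an HTTP BASIC Authorization header or a WS-Security UsernameToken in the SOAP header, and checks it against a directory. The directory is a constructed dict of salted PBKDF2 hashes standing in for the enterprise LDAP store; the sample request and the users are constructed too. The two namespace URIs are the published SOAP 1.1 envelope and WS-Security secext namespaces.

```python
"""Credential extraction (HTTP BASIC / SOAP header) and directory check (constructed)."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
NS = {"soap": SOAP, "wsse": WSSE}
ITERATIONS = 100_000


def _record(password: str, salt: bytes) -> dict:
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}


# Constructed directory; a deployment would bind to LDAP instead.
DIRECTORY = {"alice": _record("correct horse battery staple", b"constructed-salt-1")}
_DUMMY = _record("dummy", b"constructed-salt-0")   # costs the same for unknown users


def check_password(user: str, password: str) -> bool:
    """Unknown users still pay one PBKDF2 run, so timing does not reveal them."""
    rec = DIRECTORY.get(user, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return user in DIRECTORY and hmac.compare_digest(candidate, rec["hash"])


def basic_header(user: str, password: str) -> dict:
    """The header a client sends for HTTP BASIC (helper for the demo)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"authorization": "Basic " + token}


def from_http_basic(headers: dict) -> Optional[Tuple[str, str]]:
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except ValueError:                      # bad base64 or not UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def from_soap_header(body: bytes) -> Optional[Tuple[str, str]]:
    if not body:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return None
    user = token.findtext("wsse:Username", namespaces=NS)
    password = token.findtext("wsse:Password", namespaces=NS)
    return None if user is None or password is None else (user, password)


def authenticate(headers: dict, body: bytes) -> Optional[str]:
    """Return the authenticated user name or None. HTTP BASIC is tried first,
    then the SOAP header; either carries a password, so both need SSL."""
    cred = from_http_basic(headers) or from_soap_header(body)
    if cred is None:
        return None
    user, password = cred
    return user if check_password(user, password) else None


# Constructed SOAP request carrying a UsernameToken.
SOAP_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password>correct horse battery staple</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getOrderStatus orderId="po-1"/></soap:Body>
</soap:Envelope>""".encode()

if __name__ == "__main__":
    print(authenticate(basic_header("alice", "correct horse battery staple"), b""))
    print(authenticate({}, SOAP_REQUEST))
```

Both paths end in the same `check_password`, which is the consistency point of the deck: one verified implementation of the credential check, whichever envelope the credential arrived in.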
Slide 74: Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general-purpose mechanism for controlling message access and routing
Slide 75: Deep Content Inspection
• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelet" code that can use the same services as AON's internal content-handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out-of-the-box)
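As an added example that is not code from the Cisco deck, the following Python runs one message-level flow that combines the mechanisms of slides 74 and 75: inspection signatures that either raise an alarm (content IDS) or stop the message (firewall behaviour), then format validation, data-range validation and an authorization rule. The signatures, the limits, the role names and the sample messages are all constructed for this example; they stand in for the flows and bladelets the slides describe, not for anything AON ships.

```python
"""A message-level flow: inspection signatures + validation + authorization (constructed)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ALLOWED_TAGS = {"purchaseOrder", "shipTo", "name", "street", "city", "state",
                "zip", "items", "item", "note"}
MAX_TEXT = 256   # constructed ceiling for any single text node


@dataclass
class Verdict:
    action: str                          # "forward" or "drop"
    alarms: list = field(default_factory=list)    # IDS-style, message continues
    reasons: list = field(default_factory=list)   # why it was dropped


# Inspection signatures over the parsed tree: (name, predicate, action).
def _has_oversized_text(root):
    return any(len(e.text or "") > MAX_TEXT for e in root.iter())

def _has_unexpected_element(root):
    return any(e.tag not in ALLOWED_TAGS for e in root.iter())

def _has_url_in_text(root):
    return any("://" in (e.text or "") for e in root.iter())

SIGNATURES = [
    ("oversized-text-node", _has_oversized_text, "drop"),
    ("unexpected-element", _has_unexpected_element, "alert"),
    ("url-in-free-text", _has_url_in_text, "alert"),
]


# Flow steps: each returns a problem string, or None when the message passes.
def check_format(root):
    if root.tag != "purchaseOrder":
        return f"unknown root element {root.tag!r}"
    for path in ("shipTo/name", "shipTo/zip", "items/item"):
        if root.find(path) is None:
            return f"missing {path}"
    return None

def check_ranges(root):
    if not re.fullmatch(r"\d{5}", root.findtext("shipTo/zip", "")):
        return "zip must be exactly 5 digits"
    for item in root.findall("items/item"):
        qty = item.get("quantity", "")
        if not qty.isdigit() or not 1 <= int(qty) <= 1000:
            return f"quantity out of range: {qty!r}"
    return None

def check_authorization(root, principal):
    if principal.get("role") != "buyer":
        return f"role {principal.get('role')!r} may not submit purchase orders"
    return None


def run_flow(raw: bytes, principal: dict) -> Verdict:
    verdict = Verdict(action="forward")

    def drop(reason):
        verdict.action = "drop"
        verdict.reasons.append(reason)
        return verdict

    if b"<!DOCTYPE" in raw:               # raw-level signature, before parsing
        return drop("signature doctype-declaration")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return drop(f"malformed XML: {exc}")
    for name, matches, action in SIGNATURES:
        if matches(root):
            if action == "drop":
                return drop(f"signature {name}")
            verdict.alarms.append(name)   # alarm and keep going
    for check in (check_format, check_ranges):
        problem = check(root)
        if problem:
            return drop(problem)
    problem = check_authorization(root, principal)
    return drop(problem) if problem else verdict


# Constructed sample traffic and principals.
BUYER = {"user": "alice", "role": "buyer"}
GUEST = {"user": "mallory", "role": "guest"}
GOOD_ORDER = b"""<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US"><name>Alice Smith</name><zip>90952</zip></shipTo>
  <items><item sku="872-AA" quantity="1"/></items>
</purchaseOrder>"""
BAD_QTY_ORDER = GOOD_ORDER.replace(b'quantity="1"', b'quantity="50000"')
URL_NOTE_ORDER = GOOD_ORDER.replace(b"</items>", b"</items><note>see http://example.test/</note>")
DOCTYPE_MESSAGE = b'<!DOCTYPE x [<!ENTITY a "b">]>' + GOOD_ORDER

if __name__ == "__main__":
    for label, msg in [("good", GOOD_ORDER), ("bad-qty", BAD_QTY_ORDER),
                       ("url-note", URL_NOTE_ORDER), ("doctype", DOCTYPE_MESSAGE)]:
        print(label, run_flow(msg, BUYER))
```

The ordering matters: the cheapest raw check runs before any parser sees the bytes, alarms are recorded without deciding the outcome, and authorization is evaluated last, on a message already known to be well-formed and in range, so an authorization log entry never has to describe a malformed message.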
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
40copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and SOA
bull AON can be a key part of an SOA build out
bull AON provides the necessary security functions
bull Common functions become ldquopart of the networkrdquo
41copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Specific Drivers for SOA
bull Move from functionally focused IT to business process focused
bull Single source of truth
bull Development cyclesmdashreusability
bull Business responsiveness
bull Consistency
bull Security functions
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Healthy Distrust = Security Controls
bull Services should be distrustful of the outside world
bull Not everyone will be served
bull Inspect validate and authenticate requestsThe codersquos internal state is not openly exposed
bull Only well defined requests are serviced
bull Requests do not reveal the servicersquos algorithms
bull Requests do not describe the servicersquos state
bull Requests provide services not data accessServices should not share ACID transactions
bull Transactions imply a certain level of trustLocks may be held for a long time
bull Transactions imply a level of couplingmdashMicrosoft Incorporated
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
41copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Cisco IT Specific Drivers for SOA
bull Move from functionally focused IT to business process focused
bull Single source of truth
bull Development cyclesmdashreusability
bull Business responsiveness
bull Consistency
bull Security functions
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public

Healthy Distrust = Security Controls
• Services should be distrustful of the outside world
• Not everyone will be served
• Inspect, validate and authenticate requests
The code's internal state is not openly exposed
• Only well-defined requests are serviced
• Requests do not reveal the service's algorithms
• Requests do not describe the service's state
• Requests provide services, not data access
Services should not share ACID transactions
• Transactions imply a certain level of trust
Locks may be held for a long time
• Transactions imply a level of coupling
(Microsoft Incorporated)

Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls

What Role Does AON Play
• Service Broker in SOA
• Integration Broker in Application Integration
• Message Security Integrator

AON and the OSI Stack
Diagram: the OSI layers with their usual examples
  Application: Content Inspection, Transformation, Security & Mapping
  Presentation: ASCII, MPEG, GIF, etc.
  Session: RPC, NFS
  Transport: TCP, UDP
  Network: IP (Logical Addressing)
  Data Link: Data Translation to Frames
  Physical: Data Bits Transmission
AON-specific labels placed against the upper layers: Message Level Protocol (SOAP); Content-Based Routing

Pre-AON Inspection and Operation
Diagram: IP | TCP | HTTP | payload (opaque). Switches, routers and firewalls doing "content inspection" operate around the payload, which stays opaque to them.

AON Is Inside the TCP/IP Wrapper
Diagram: IP | TCP | HTTP | payload/message. Session protocol + content inspection == session and payload. The sample payload is a purchase order:
  <?xml version="1.0"?>
  <purchaseOrder orderDate="1999-10-20">
    <shipTo country="US">
      <name>Alice Smith</name>
      <street>123 Maple Street</street>
      <city>Mill Valley</city>
      <state>CA</state>
      <zip>90952</zip>
    </shipTo>
    …
Optimized for XML Payloads

AON == Message Content and Envelope
Diagram: IP | TCP | HTTP | HTTP envelope (SOAP) messages (XML envelope standards + custom XML) == "Deep Inspection". SOAP/WSEC over HTTP; HTTP + XML message body; existing message bodies + custom parsing.

Why XML
• TCP/IP gives you network HW independence
• JAVA gives you platform independence (sort'a kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption

AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital Signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)

These AON Security Functions…
…Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
Table: AON Security Function, by environment (External App Environment 1 | B2B (WebMethods) | External App Environment 2 | Other Environments)
Encryption using SSL V3 with bi-directional authentication:
  External App Environment 1: Limited
  B2B (WebMethods): WebMethods specific; requires significant setup effort
  External App Environment 2: Limited
  Other Environments: Limited
XML Payload Encryption:
  External App Environment 1: Custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External App Environment 2: Custom written by each app
  Other Environments: Limited
Protocol Translation:
  External App Environment 1: Custom written by each application
  B2B (WebMethods): WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies
  External App Environment 2: Custom written by each application
  Other Environments: Custom written and/or product/technology specific
Digital Signature:
  External App Environment 1: Custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External App Environment 2: Custom written by each app
  Other Environments: Limited
DMZ-2-App Layer Secure Connector:
  External App Environment 1: mod_IIOP over SSH pipes
  B2B (WebMethods): Reverse Proxy
  External App Environment 2: STA (Secure Transport Architecture), custom
  Other Environments: Varies for each environment

Before AON: Current Location of Application and Service Support Utilities
Diagram: DMZ (Firewall) | Application layer (Firewall) | Firewall | Internal DBs. Each of External Env 1, External Env 2 and B2B carries its own copy of:
• Environment/Technology-specific: Authentication, SSL V3 Termination, DSIG Validation, Encryption
• Custom/Application-based: Content Inspection/Routing, Schema Validation, Logging, Service Versioning

After AON: Future Location of Application and Service Support Utilities
Diagram: DMZ (Firewall) | Application layer (Firewall) | Firewall | Internal DBs. AON modules provide the common utilities in front of the business logic (Java, PERL, B2B):
• SSL Termination • SIG/Cert Validation • Authentication • Logging • Content-based Routing
• Protocol Conversion • Payload Encryption • Payload Decryption • Schema Validation

Agenda
• Where Does AON Fit into the Bigger Picture
• What is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls

AON Security
• AON fosters a better network security architecture, because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e. layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation

Pre-AON Web Security Architecture
Diagram: DMZ (Firewall) | Application Layer (Firewall) | Firewall | Internal DBs. Web servers (WS) in the DMZ front the business logic (Java, PERL, B2B).

Pre-AON SOA/Web Services Security Architecture
Diagram: the same layout (DMZ web servers, application-layer business logic in Java, PERL and B2B, internal DBs), with a web services gateway (WS GW) added.

Pre-AON Attack Vectors
Diagram: the pre-AON SOA/Web Services architecture (DMZ | Application Layer | Internal DBs, with the WS GW), annotated:
• Net architecture must be changed for the GW (more switches and routers = more ACs to manage)
• The GW is NOT part of the network: compromise of layer 3/4 can attack the application layer, going around the GW

A Possible (Simplified) AON Architecture
Diagram: DMZ (Firewall) | Application Layer (Firewall) | Firewall | Internal DBs; web servers in the DMZ, AON in front of the business logic (Java, PERL, B2B). Annotations:
• AON is part of the network; the app layer is directly connected to the network device
• Message protection is terminated at AON; no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries

AON Potential Architecture
Diagram: Firewall | DMZ | Firewall | App Server layer. AON modules replace the web servers in the DMZ and sit in front of App1, Svc2, Svc3, the App Dir Svc and the JMS server/gateway; HTTP(S) into the DMZ, HTTP(S) and JMS inside the application layer. The four function groups shown on the AON modules:
  SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.
  Payload Decryption, Schema Validation, Content Inspection/Routing, logging
  Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging
  Payload Encryption, DSIG, logging, etc.
Web servers == AON; Common Application functions == AON
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the Application layer provided by AON protect services and logic in the application layer

Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions

Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC)
• Authentication (HTTP BASIC, LDAP stores, X.509 Certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)

Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantic for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + More standards proposed (alphabet soup):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other Business Rules (BPEL4WS)

AON Implements Messaging Standards
Diagram: protocol stack TCP/IP, HTTP, SOAP, WS-Security, with the XML Protocol Set on top: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT). AON is labelled the Security Integrator for the SOA.

Standards Relationships
Diagram: the same stack (TCP/IP, HTTP, SOAP, WS-Security; XML Protocol Set: XENC, DSIG, XSLT), with AON labelled Accelerated XML Services.

Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used on the entire message or on parts of a message; uses certificate or key enveloping (WSSEC). DSIG is very general purpose

Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message

Authentication
• HTTP BASIC
• SOAP Enveloped (header)
• Enterprise LDAP (Directory) stores
• Different types of credentials:
  X.509 Certificate
  Signature validation (XENC, certificate based)

Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general-purpose mechanism for controlling message access and routing

Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets" code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a Firewall (because signatures do not come out-of-the-box)
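As an added illustration of the flow mechanisms and content-inspection points on the two slides above (not AON or Cisco code; AON flows are built in ADS), this Python sketch runs content signatures that alarm or block, an authorization rule, format and data-range validation, and content-based routing over the purchase order shown on the "AON Is Inside the TCP/IP Wrapper" slide. The X-Partner-Id header, the partner table, the destination names and the non-conforming sample messages are constructed assumptions.

```python
"""Message-level flow checks in the spirit of the Flow Security Mechanisms and
Deep Content Inspection slides: content signatures, an authorization rule,
format and data-range validation, and content-based routing.  Added
illustration in Python, not AON or Cisco code.  Constructed: the X-Partner-Id
header, the partner table, the destination names and the bad samples.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed authorization rule: which partner may submit which root message.
ALLOWED_PARTNERS = {"partner-1": {"purchaseOrder"}, "partner-2": {"orderStatus"}}

# Content signatures (the "XML firewall signatures" bullet): name, pattern, action.
# They run on the raw bytes, so the parser never sees what a blocking rule rejects.
SIGNATURES = [
    ("dtd-in-message", re.compile(rb"<!DOCTYPE|<!ENTITY", re.I), "block"),
    ("non-xml-processing-instruction", re.compile(rb"<\?(?!xml\b)\w+", re.I), "alarm"),
]

SHIPTO_CHILDREN = ["name", "street", "city", "state", "zip"]  # exact order expected
ROUTES = {"US": "orders.us", "CA": "orders.ca"}  # constructed JMS destinations


@dataclass
class Verdict:
    action: str                  # "forward", "alarm" (forward and log) or "block"
    route: Optional[str] = None  # content-based destination when forwarded
    reasons: List[str] = field(default_factory=list)


def check_signatures(raw: bytes) -> List[Tuple[str, str]]:
    """Return (signature name, action) for every content signature that fires."""
    return [(name, action) for name, pat, action in SIGNATURES if pat.search(raw)]


def validate_format(root: ET.Element) -> List[str]:
    """Format checks: orderDate present, exactly one shipTo with the expected children."""
    problems = []
    if "orderDate" not in root.attrib:
        problems.append("purchaseOrder lacks orderDate")
    ship = root.findall("shipTo")
    if len(ship) != 1:
        return problems + [f"expected one shipTo element, found {len(ship)}"]
    children = [child.tag for child in ship[0]]
    if children != SHIPTO_CHILDREN:
        problems.append(f"shipTo children {children} != {SHIPTO_CHILDREN}")
    return problems


def validate_ranges(root: ET.Element) -> List[str]:
    """Data-range checks: ISO order date, known country, 2-letter state, 5-digit zip."""
    problems = []
    try:
        date.fromisoformat(root.get("orderDate", ""))
    except ValueError:
        problems.append(f"orderDate {root.get('orderDate')!r} is not an ISO date")
    ship = root.find("shipTo")
    if ship is None:
        return problems + ["no shipTo element"]
    if ship.get("country") not in ROUTES:
        problems.append(f"unknown country {ship.get('country')!r}")
    if not re.fullmatch(r"[A-Z]{2}", ship.findtext("state", "")):
        problems.append("state must be two uppercase letters")
    if not re.fullmatch(r"\d{5}", ship.findtext("zip", "")):
        problems.append("zip must be five digits")
    return problems


def inspect_message(raw: bytes, headers: Dict[str, str]) -> Verdict:
    """The flow: signatures, parse, authorization, format, ranges, then route."""
    hits = check_signatures(raw)
    reasons = [f"signature {name}" for name, _ in hits]
    if any(action == "block" for _, action in hits):
        return Verdict("block", reasons=reasons)
    try:
        root = ET.fromstring(raw)  # expat; no external entities are fetched
    except ET.ParseError as exc:
        return Verdict("block", reasons=reasons + [f"malformed XML: {exc}"])
    partner = headers.get("X-Partner-Id", "")
    if root.tag not in ALLOWED_PARTNERS.get(partner, set()):
        return Verdict("block", reasons=reasons + [f"{partner!r} may not send {root.tag}"])
    problems = validate_format(root) or validate_ranges(root)
    if problems:
        return Verdict("block", reasons=reasons + problems)
    route = ROUTES[root.find("shipTo").get("country")]
    return Verdict("alarm" if hits else "forward", route=route, reasons=reasons)


# Constructed samples; the first is the purchase order from the slide.
PO_OK = b"""<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name><street>123 Maple Street</street>
    <city>Mill Valley</city><state>CA</state><zip>90952</zip>
  </shipTo>
</purchaseOrder>"""
PO_BAD_ZIP = PO_OK.replace(b"90952", b"9095A")
PO_WITH_DTD = PO_OK.replace(b"?>\n", b'?>\n<!DOCTYPE purchaseOrder [<!ENTITY x "y">]>\n', 1)
PO_WITH_PI = PO_OK.replace(b"?>\n", b"?>\n<?custom-hook run?>\n", 1)
```

The blocking signature fires before parsing, the alarm signature lets the message through with a logged reason, and every other rejection carries the failed check in `reasons` so the security team can see why a flow stopped a message.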

AON Components
Diagram: AON blades/modules with a LOG DB, and the two management tools:
  AMC (AON Mgmt Console): used for configuring and provisioning AON modules
  ADS (AON Design Studio): used for developing application policies ("Flows")
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
42copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Example of Cisco Distributed Services (SOA)
bull Product Configurator
bull Order Status
bull RMA (Return Merchandize Authorization)
bull Lead management integration (contacts leads etchellip)
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Healthy Distrust = Security Controls
bull Services should be distrustful of the outside world
bull Not everyone will be served
bull Inspect validate and authenticate requestsThe codersquos internal state is not openly exposed
bull Only well defined requests are serviced
bull Requests do not reveal the servicersquos algorithms
bull Requests do not describe the servicersquos state
bull Requests provide services not data accessServices should not share ACID transactions
bull Transactions imply a certain level of trustLocks may be held for a long time
bull Transactions imply a level of couplingmdashMicrosoft Incorporated
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
43copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Complexity (and Risk) Increase with Adoption
Partner 1
Partner 2
Partner n
Self-Service
Inventory Mgmt
Call Center
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Healthy Distrust = Security Controls
bull Services should be distrustful of the outside world
bull Not everyone will be served
bull Inspect validate and authenticate requestsThe codersquos internal state is not openly exposed
bull Only well defined requests are serviced
bull Requests do not reveal the servicersquos algorithms
bull Requests do not describe the servicersquos state
bull Requests provide services not data accessServices should not share ACID transactions
bull Transactions imply a certain level of trustLocks may be held for a long time
bull Transactions imply a level of couplingmdashMicrosoft Incorporated
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
Slide 48
Pre-AON Inspection and Operation
(Diagram: IP | TCP | HTTP | payload, with the payload marked opaque)
Switches, routers and firewalls ("content inspection") operate around the payload; the payload itself stays opaque to them.
Slide 49
AON Is Inside the TCP/IP Wrapper
(Diagram: IP | TCP | HTTP | Payload/Message)
Session Protocol + Content Inspection == Session and Payload
Payload/Message:
<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  …
Slide 50
AON Is Inside the TCP/IP Wrapper
(Diagram: same as slide 49)
Optimized for XML Payloads
Slide 51
AON == Message Content and Envelope
(Diagram: IP | TCP | HTTP | HTTP envelope (SOAP) messages)
HTTP Envelope (SOAP) Messages (XML envelope standards + custom XML) == "Deep Inspection"
SOAP/WSEC: Existing Message Bodies + Custom Parsing
HTTP XML Message Body: Existing Message Bodies + Custom Parsing
Slide 52
Why XML?
• TCP/IP gives you network HW independence
• JAVA gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
Slide 53
AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital Signature
• DMZ-to-Application Layer Secure Connector (like SSH or STA)
Slide 54
These AON Security Functions…
…Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
(Table: each AON security function against how the external environments implement it today)
Encryption using SSL V3 with bi-directional authentication
  External App Environment 1: Limited
  B2B (WebMethods): WebMethods specific; requires significant setup effort
  External App Environment 2: Limited
  Other Environments: Limited
XML Payload Encryption
  External App Environment 1: Custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External App Environment 2: Custom written by each app
  Other Environments: Limited
Protocol Translation
  External App Environment 1: Custom written by each application
  B2B (WebMethods): WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies
  External App Environment 2: Custom written by each application
  Other Environments: Custom written and/or product/technology specific
Digital Signature
  External App Environment 1: Custom written by each app using Java libraries
  B2B (WebMethods): Limited
  External App Environment 2: Custom written by each app
  Other Environments: Limited
DMZ-to-App Layer Secure Connector
  External App Environment 1: mod_IIOP over SSH pipes
  B2B (WebMethods): Reverse Proxy
  External App Environment 2: STA (Secure Transport Architecture), custom
  Other Environments: Varies for each environment
Slide 55
Before AON: Current Location of Application and Service Support Utilities
(Diagram: Firewall | DMZ | Firewall | Application layer | Firewall | Internal DB, repeated for External Env 1, External Env 2 and B2B)
Each of the three environments carries its own copy of:
• Environment/technology-specific authentication, SSL V3 termination, DSIG validation, encryption
• Custom/application-based content inspection/routing, schema validation, logging, service versioning
Slide 56
After AON: Future Location of Application and Service Support Utilities
(Diagram: Firewall | DMZ | Firewall | Application layer, with AON common utilities in front of the Java, PERL and B2B business logic | Firewall | Internal DB)
Common utilities provided by AON:
• SSL Termination
• SIG/Cert Validation
• Authentication
• Logging
• Content-based Routing
• Protocol Conversion
• Payload Encryption
• Payload Decryption
• Schema Validation
Slide 57
Agenda
• Where Does AON Fit into the Bigger Picture?
• What Is AON?
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
Slide 58
AON Security
• AON fosters a better network security architecture, because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e. layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Slide 59
Pre-AON Web Security Architecture
(Diagram: Firewall | DMZ with web servers (WS) | Firewall | Application layer with business logic (Java, PERL, B2B) | Firewall | Internal DB)
Slide 60
Pre-AON SOA/Web Services Security Architecture
(Diagram: as slide 59, with a Web Services Gateway (WSGW) added in the application layer)
Slide 61
Pre-AON Attack Vectors
(Diagram: as slide 60)
Slide 62
Pre-AON Attack Vectors
(Diagram: as slide 60, with callouts)
• Net architecture must be changed for the GW (more switches and routers = more ACs to manage)
• The GW is NOT part of the network: compromise of layer 3/4 can attack the application layer, going around the GW
Slide 63
A Possible (Simplified) AON Architecture
(Diagram: as slide 59, with AON modules in the application layer in place of the WSGW)
• AON is part of the network; the app layer is directly connected to the network device
• Message protection is terminated at AON; no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64
AON Potential Architecture
(Diagram: Firewall | DMZ, where AON replaces the web servers, over HTTP(S) | Firewall | App Server layer, where AON modules front App1, Svc2, Svc3, the App Dir Svc and the JMS Server over HTTP(S) and JMS | Gateway | AON/SP)
Function groups placed on the AON modules:
• SSL Termination, DSIG/Cert Validation, Authentication, logging, etc.
• Payload Decryption, Schema Validation, Content Inspection/Routing, logging
• Protocol Conversion (HTTP-2-JMS), Content-based Routing, logging
• Payload Encryption, DSIG, logging, etc.
Web servers == AON
Common Application functions == AON
Slide 65
AON Potential Architecture
(Diagram: as slide 64)
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer, provided by AON, protect services and logic in the application layer
Slide 66
Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message level security functions
Slide 67
Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC)
• Authentication (HTTP BASIC, LDAP stores, X.509 Certificate, etc.)
• Something very like access control lists (flows can be used as message level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68
Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantic for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + More standards proposed (alphabet soup):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)
Slide 69
AON Implements Messaging Standards
(Diagram: protocol stack TCP/IP | HTTP | SOAP | WS-Security, with the XML protocol set on top: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT); AON sits at the top as Security Integrator for the SOA)
Slide 70
Standards Relationships
(Diagram: the same stack as slide 69; AON at the top as Accelerated XML Services)
Slide 71
Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used on the entire message or for parts of a message; use certificate or key enveloping (WSSEC); DSIG is very general purpose
Slide 72
Encryption/Decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Slide 73
Authentication
• HTTP BASIC
• SOAP Enveloped (header)
• Enterprise LDAP (Directory) stores
• Different types of credentials: X.509 Certificate
  Signature validation (XENC, certificate based)
Slide 74
Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general purpose mechanism for controlling message access and routing
Slide 75
Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets" code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out-of-the-box)
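As an added example (not Cisco's or AON's own code), the Python below runs the slides' purchaseOrder message through a small flow that does what the two slides above describe: format validation, data-range validation, an authorization rule used as a message-level ACL, and raw-text inspection signatures that either alarm (content IDS) or stop the message (firewall behaviour). The ACL, allowed countries, size limit and signature patterns are hypothetical policy; the DOCTYPE/ENTITY signature runs before parsing to show why inspection belongs in front of the XML parser.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import date

# Constructed sample: the purchaseOrder message shown on the slides.
SAMPLE_PO = """<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
</purchaseOrder>"""

# Hypothetical policy: which authenticated sender may use which root element
# (a message-level ACL), which destination countries are in range, and the
# largest message the flow will accept.
ACL = {"partner-a": {"purchaseOrder"}, "partner-b": set()}
ALLOWED_COUNTRIES = {"US", "CA"}
MAX_BYTES = 64 * 1024

# Hypothetical content-inspection signatures applied to the raw message before
# it is parsed: "block" stops the flow, "alarm" only reports.
SIGNATURES = [
    ("xml-doctype-or-entity", re.compile(r"<!(DOCTYPE|ENTITY)", re.I), "block"),
    ("html-script-tag", re.compile(r"<script\b", re.I), "alarm"),
]


@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)  # why the message was stopped
    alarms: list = field(default_factory=list)   # signatures that only alert


def inspect(raw: str) -> Verdict:
    """Deep content inspection on the raw text, before any XML parsing."""
    verdict = Verdict(allowed=True)
    if len(raw.encode("utf-8")) > MAX_BYTES:
        verdict.allowed = False
        verdict.reasons.append("oversized-message")
    for name, pattern, action in SIGNATURES:
        if pattern.search(raw):
            if action == "block":
                verdict.allowed = False
                verdict.reasons.append(name)
            else:
                verdict.alarms.append(name)
    return verdict


def validate_format(root: ET.Element) -> list:
    """Message-format validation: a hand-written stand-in for schema validation."""
    if root.tag != "purchaseOrder":
        return [f"unexpected root element {root.tag!r}"]
    ship = root.find("shipTo")
    if ship is None:
        return ["missing shipTo"]
    required = ("name", "street", "city", "state", "zip")
    return [f"missing or empty shipTo/{c}" for c in required
            if not (ship.findtext(c) or "").strip()]


def validate_ranges(root: ET.Element) -> list:
    """Data-range validation on the fields the format check looks for."""
    errors = []
    try:
        date.fromisoformat(root.get("orderDate", ""))
    except ValueError:
        errors.append("orderDate is not an ISO date")
    ship = root.find("shipTo")
    if ship is None:
        return errors
    if ship.get("country") not in ALLOWED_COUNTRIES:
        errors.append(f"shipTo/@country {ship.get('country')!r} not allowed")
    if not re.fullmatch(r"[A-Z]{2}", ship.findtext("state") or ""):
        errors.append("shipTo/state is not a two-letter code")
    if not re.fullmatch(r"\d{5}(-\d{4})?", ship.findtext("zip") or ""):
        errors.append("shipTo/zip is not a 5- or 9-digit zip")
    return errors


def authorize(sender: str, root: ET.Element) -> list:
    """Authorization rule: the sender must be on the ACL for this message type."""
    if root.tag not in ACL.get(sender, set()):
        return [f"sender {sender!r} is not authorized for {root.tag!r}"]
    return []


def run_flow(sender: str, raw: str) -> Verdict:
    """Flow order: inspect, parse, validate format, validate ranges, authorize."""
    verdict = inspect(raw)
    if not verdict.allowed:
        return verdict  # firewall behaviour: the message never reaches the parser
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        verdict.allowed = False
        verdict.reasons.append(f"malformed XML: {exc}")
        return verdict
    verdict.reasons += validate_format(root)
    verdict.reasons += validate_ranges(root)
    verdict.reasons += authorize(sender, root)
    verdict.allowed = not verdict.reasons
    return verdict
```

Running `run_flow("partner-a", SAMPLE_PO)` passes the sample, while the same message from `partner-b` is stopped by the ACL rule alone.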
Slide 76
AON Components
(Diagram: the AON blades, with the AMC, the ADS and the log DB around them)
AMC (AON Mgmt Console): used for configuring and provisioning AON modules
ADS (AON Design Studio): used for developing application policies ("flows")
LOG DB
AON Blades
Slide 77
Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at device, AON component and through AON access controls
Slide 78
Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection: content level ACLs
  Reasonable administrative access controls
Slide 79
Q and A
Session Number 11657_09_2005_c1
44copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Healthy Distrust = Security Controls
bull Services should be distrustful of the outside world
bull Not everyone will be served
bull Inspect validate and authenticate requestsThe codersquos internal state is not openly exposed
bull Only well defined requests are serviced
bull Requests do not reveal the servicersquos algorithms
bull Requests do not describe the servicersquos state
bull Requests provide services not data accessServices should not share ACID transactions
bull Transactions imply a certain level of trustLocks may be held for a long time
bull Transactions imply a level of couplingmdashMicrosoft Incorporated
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
45copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
46copy 2005 Cisco Systems Inc All rights reserved Cisco Public
What Role Does AON play
bull Service Broker in SOA
bull Integration Broker in Application Integration
bull Message Security Integrator
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment

Before AON: Current Location of Application and Service Support Utilities

[Diagram: DMZ and application layer separated by firewalls; three environments (External Env 1, External Env 2, B2B), each with its own internal DB. In each environment the support utilities are:
• Environment/technology specific: authentication, SSL V3 termination, DSIG validation, encryption
• Custom/application-based: content inspection/routing, schema validation, logging, service versioning]

After AON: Future Location of Application and Service Support Utilities

[Diagram: DMZ and application layer separated by firewalls; AON modules provide the common utilities in front of the business logic (Java, PERL, B2B) and the internal DBs. AON functions shown:
• SSL termination • SIG/cert validation • Authentication • Logging • Content-based routing
• Protocol conversion • Payload encryption • Payload decryption • Schema validation]

Agenda

• Where Does AON Fit into the Bigger Picture
• What Is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls

AON Security

• AON fosters a better network security architecture because of the reduction of unprotected segments between applications and AON
• Use of layer 3/4 to protect layer 7 functions (i.e., layer 7 security implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation

Pre-AON Web Security Architecture

[Diagram: DMZ and application layer separated by firewalls; web servers (WS) in the DMZ in front of the business logic (Java, PERL, B2B) and the internal DBs.]

Pre-AON SOA/Web Services Security Architecture

[Diagram: same layout as the web architecture, with a web services gateway (WSGW) added in the application layer.]

Pre-AON Attack Vectors

[Diagram: the SOA/web services architecture above (web servers in the DMZ, WSGW, Java/PERL/B2B business logic, internal DBs); the attack-vector annotations did not survive extraction.]

Pre-AON Attack Vectors

[Diagram: same layout, with the WSGW in the application layer. Annotations:]
• Net architecture must be changed for the GW (more switches and routers = more ACs to manage)
• The GW is NOT part of the network: a compromise of layer 3/4 can attack the application layer, going around the GW

A Possible (Simplified) AON Architecture

[Diagram: same layered layout, with AON in the DMZ and AON in the application layer in front of the business logic and internal DBs. Annotations:]
• AON is part of the network; the app layer is directly connected to the network device
• Message protection is terminated at AON; no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries

AON Potential Architecture

[Diagram: firewall / DMZ / firewall / app server layer. Clients reach AON in the DMZ over HTTP(S); AON modules in the app server layer front App1, Svc2, Svc3, an App Dir Svc, an SP, a Gateway and a JMS Server, connected over HTTP(S) and JMS. Functions at the successive AON hops: SSL termination, DSIG/cert validation, authentication, logging, etc.; payload decryption, schema validation, content inspection/routing, logging; protocol conversion (HTTP-2-JMS), content-based routing, logging; payload encryption, DSIG, logging, etc.]
Web servers == AON
Common application functions == AON

AON Potential Architecture

[Diagram: as on the preceding slide]
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer provided by AON protect services and logic in the application layer

Implementation Consistency

• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions

Some of AON's Security Functions

• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)

Key XML Standards

• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + More standards proposed (alphabet soup):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)

AON Implements Messaging Standards

[Diagram: protocol stack TCP/IP -> HTTP -> SOAP -> WS-Security, with the XML protocol set on top: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT). AON is the Security Integrator for the SOA.]

Standards Relationships

[Diagram: the same stack (TCP/IP, HTTP, SOAP, WS-Security; XML-Encryption, XML-Digital Signature, XML-Expressions); AON provides Accelerated XML Services.]

Digital Signatures (X.509 + DSIG)

• Authentication credentials
• Non-repudiation
• Integrity
• Used for the entire message or for parts of a message; uses certificate or key enveloping (WSSEC). DSIG is very general purpose
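The "parts of a message" signing that the DSIG and WS-Security slides describe, as an added example that is not Cisco AON code: the gateway signs only the canonical (C14N 2.0, via xml.etree.ElementTree.canonicalize, Python 3.8+) form of the SOAP Body and carries the signature in the Header, so re-indenting or re-prefixing the message leaves it valid while any content change breaks it. It stands in HMAC-SHA256 for XML-Signature's X.509/RSA signature to stay standard-library only (integrity and authentication, but not non-repudiation, since both ends hold the key); the Security/Signature header elements, their namespace and the key are constructed for the example.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SIG_NS = "urn:example:hmac-sig"   # constructed stand-in for the wsse:Security / ds:Signature header
ET.register_namespace("env", SOAP_NS)
ET.register_namespace("sec", SIG_NS)

# The deck's own purchaseOrder sample, used as the message part to protect.
PURCHASE_ORDER = """<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name><street>123 Maple Street</street>
    <city>Mill Valley</city><state>CA</state><zip>90952</zip>
  </shipTo>
</purchaseOrder>"""


def canonical(element: ET.Element) -> bytes:
    """C14N 2.0 form of one element: whitespace-only text trimmed and namespace
    prefixes rewritten, so signer and verifier see identical bytes even if an
    intermediary re-indents the message or renames the SOAP prefix."""
    raw = ET.tostring(element, encoding="unicode").strip()
    return ET.canonicalize(raw, strip_text=True, rewrite_prefixes=True).encode()


def sign_body(envelope_xml: str, key: bytes) -> str:
    """Sign only the SOAP Body (a part of the message) and carry the signature
    in the Header, the way WS-Security carries ds:Signature."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("envelope has no Body to sign")
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:                       # SOAP allows the Header to be absent
        header = ET.Element(f"{{{SOAP_NS}}}Header")
        root.insert(0, header)
    security = ET.SubElement(header, f"{{{SIG_NS}}}Security")
    sig = ET.SubElement(security, f"{{{SIG_NS}}}Signature",
                        {"ref": "Body", "alg": "hmac-sha256"})
    sig.text = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return ET.tostring(root, encoding="unicode")


def verify_body(envelope_xml: str, key: bytes) -> bool:
    """Gateway-side check: recompute over the canonical Body and compare in
    constant time. Every failure (malformed XML, missing header, wrong
    algorithm label, mismatch) is a plain False, so the flow drops the message."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return False
    body = root.find(f"{{{SOAP_NS}}}Body")
    sig = root.find(f"{{{SOAP_NS}}}Header/{{{SIG_NS}}}Security/{{{SIG_NS}}}Signature")
    if body is None or sig is None:
        return False
    if sig.get("ref") != "Body" or sig.get("alg") != "hmac-sha256":
        return False
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, (sig.text or "").strip())


def envelope(body_xml: str) -> str:
    """Wrap a payload in a minimal SOAP 1.1 envelope (constructed for the demo)."""
    return (f'<env:Envelope xmlns:env="{SOAP_NS}"><env:Header/>'
            f'<env:Body>{body_xml}</env:Body></env:Envelope>')


def demo(key: bytes = b"constructed-demo-key") -> dict:
    """Sign once, then verify the original, a re-indented copy (whitespace
    only), a copy with the zip code changed, and the original under another key."""
    signed = sign_body(envelope(PURCHASE_ORDER), key)
    reindented = signed.replace("><", ">\n  <")      # layout change only
    tampered = signed.replace("90952", "10001")      # content change inside the Body
    return {
        "original": verify_body(signed, key),        # True
        "reindented": verify_body(reindented, key),  # True: canonicalization absorbs it
        "tampered": verify_body(tampered, key),      # False: Body digest differs
        "wrong_key": verify_body(signed, b"another-key"),  # False
    }


if __name__ == "__main__":
    print(demo())
```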

Encryption/decryption

• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message

Authentication

• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials: X.509 certificate, signature validation (XENC, certificate based)

Flow Security Mechanisms

• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general-purpose mechanism for controlling message access and routing

Deep Content Inspection

• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets" code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out-of-the-box)
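A flow of the kind the Flow Security Mechanisms and Deep Content Inspection slides describe, written here as an added example rather than AON code: header authentication, a flow used as a message-level ACL, message-format and data-range validation, content signatures that either alarm (content IDS) or stop the flow (firewall), and content-based routing to a JMS destination, all run over constructed SOAP purchaseOrder messages. The header token element and its namespace, the credential store, roles, signature rules and destination names are assumptions made for the example; the DOCTYPE check before parsing is the one guard a practitioner would add regardless, since the deck's point is that the gateway, not each application, should get this right.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
AUTH_NS = "urn:example:auth"   # constructed stand-in for a WS-Security UsernameToken

def _pw_digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed credential store: username -> (role, salt, sha256(salt + password)).
USERS = {"alice": ("buyer", "s1", _pw_digest("s1", "correct horse")),
         "bob": ("auditor", "s2", _pw_digest("s2", "battery staple"))}
# A flow used as a message-level ACL: Body operation -> roles allowed to invoke it.
ACL = {"purchaseOrder": {"buyer"}}
# Content signatures in the deck's sense: (name, predicate over the operation element,
# action). BLOCK stops the flow (firewall); ALARM records the hit (content IDS) only.
SIGNATURES = [
    ("markup-in-text", lambda op: any("<" in (e.text or "") for e in op.iter()), "BLOCK"),
    ("large-quantity", lambda op: any(int(i.get("quantity", "0")) > 500
                                      for i in op.iter("item")), "ALARM"),
]

def drop(reason: str, alarms=()) -> dict:
    return {"action": "DROP", "reason": reason, "destination": "", "alarms": list(alarms)}

def authenticate(root: ET.Element):
    """SOAP-enveloped (header) credentials, carried inside the TLS session the gateway
    terminated. Unknown users go through the same digest comparison as known ones."""
    if (tok := root.find(f"{{{SOAP_NS}}}Header/{{{AUTH_NS}}}UsernameToken")) is None:
        return None
    name = (tok.findtext(f"{{{AUTH_NS}}}Username") or "").strip()
    role, salt, digest = USERS.get(name, ("", "", ""))
    supplied = _pw_digest(salt, tok.findtext(f"{{{AUTH_NS}}}Password") or "")
    return {"name": name, "role": role} if hmac.compare_digest(digest, supplied) else None

def validate_order(po: ET.Element) -> str:
    """Message-format and data-range checks; an empty string means acceptable."""
    ship = po.find("shipTo")
    if ship is None or ship.get("country") not in {"US", "CA"}:
        return "missing shipTo or unsupported country"
    for tag in ("name", "street", "city", "state", "zip"):
        if not (ship.findtext(tag) or "").strip():
            return f"missing shipTo/{tag}"
    for item in po.iter("item"):
        qty = item.get("quantity", "")
        if not qty.isdigit() or not 1 <= int(qty) <= 10_000:
            return "quantity out of range"
    return ""

def process(raw: str) -> dict:
    """One gateway flow: guard, parse, authenticate, ACL, validate, inspect, route."""
    if "<!DOCTYPE" in raw:      # refuse DTDs before the parser can act on them
        return drop("DOCTYPE not allowed")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return drop(f"malformed XML: {exc}")
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        return drop("expected exactly one Body operation")
    if (user := authenticate(root)) is None:
        return drop("authentication failed")
    op, op_name = body[0], body[0].tag.split("}")[-1]
    if user["role"] not in ACL.get(op_name, set()):
        return drop(f"{user['name']} ({user['role']}) may not invoke {op_name}")
    if err := validate_order(op):
        return drop(f"validation: {err}")
    alarms = []
    for name, matches, action in SIGNATURES:
        if matches(op):
            if action == "BLOCK":
                return drop(f"signature {name}", alarms + [name])
            alarms.append(name)
    # Content-based routing plus protocol conversion: the JMS destination is picked
    # from the message content, not from the URL it arrived on.
    region = op.find("shipTo").get("country").lower()
    return {"action": "ROUTE", "reason": "", "destination": f"jms:{op_name}.{region}",
            "alarms": alarms}

def _msg(user: str, password: str, body: str) -> str:  # constructed SOAP message
    return (f'<env:Envelope xmlns:env="{SOAP_NS}"><env:Header>'
            f'<a:UsernameToken xmlns:a="{AUTH_NS}"><a:Username>{user}</a:Username>'
            f'<a:Password>{password}</a:Password></a:UsernameToken></env:Header>'
            f'<env:Body>{body}</env:Body></env:Envelope>')

# The deck's purchaseOrder sample with a constructed items element added.
ORDER = ('<purchaseOrder orderDate="1999-10-20"><shipTo country="US"><name>{name}</name>'
         '<street>123 Maple Street</street><city>Mill Valley</city><state>CA</state>'
         '<zip>90952</zip></shipTo><items><item partNum="PN-1" quantity="{qty}"/></items>'
         '</purchaseOrder>')

def demo() -> dict:
    """A clean order, then variants that each trip one stage of the flow."""
    good = ORDER.format(name="Alice Smith", qty=3)
    run = lambda user, pw, body: process(_msg(user, pw, body))
    return {
        "ok": run("alice", "correct horse", good)["destination"],   # jms:purchaseOrder.us
        "alarm": run("alice", "correct horse", ORDER.format(name="Alice Smith", qty=800))["alarms"],
        "bad_password": run("alice", "nope", good)["action"],       # DROP
        "acl": run("bob", "battery staple", good)["action"],        # DROP: auditor, not buyer
        "range": run("alice", "correct horse", ORDER.format(name="Alice Smith", qty=0))["action"],
        "doctype": process("<!DOCTYPE x []>" + _msg("alice", "correct horse", good))["action"],
        "markup": run("alice", "correct horse", ORDER.format(name="&lt;b&gt;Alice", qty=3))["action"],
    }
```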

AON Components

[Diagram: AMC (AON Mgmt Console), used for configuring and provisioning AON modules; ADS (AON Design Studio), used for developing application policies ("flows"); AON blades; LOG DB.]

Access Controls

• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, at the AON component and through AON access controls

Summary

• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection, content-level ACLs
  Reasonable administrative access controls

Q and A

Session Number 11657_09_2005_c1

Pre-AON Inspection and Operation

[Diagram: IP / TCP / HTTP headers around an opaque payload. Switches, routers, firewalls and "content inspection" operate around the payload.]

AON Is Inside the TCP/IP Wrapper

[Diagram: IP / TCP / HTTP headers wrapping the payload/message. Session protocol + content inspection == session and payload. Sample payload:]
<?xml version="1.0"?>
<purchaseOrder orderDate="1999-10-20">
  <shipTo country="US">
    <name>Alice Smith</name>
    <street>123 Maple Street</street>
    <city>Mill Valley</city>
    <state>CA</state>
    <zip>90952</zip>
  </shipTo>
  …

AON Is Inside the TCP/IP Wrapper

[Diagram: as on the preceding slide, with the same purchaseOrder sample payload]
Optimized for XML payloads

AON == Message Content and Envelope

[Diagram: IP / TCP / HTTP headers; HTTP envelope (SOAP) messages (XML envelope standards + custom XML) == "Deep Inspection". SOAP/WSEC over HTTP; HTTP with an XML message body; existing message bodies + custom parsing.]

Why XML

• TCP/IP gives you network HW independence
• JAVA gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
47copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON and the OSI Stack
Network
Transport
Session
Content-Based Routing
ASCII MPEG GIF etchellip
RPC NFS
TCP UDP
IP Logical Addressing
Message Level Protocol (SOAP)
Content Inspection Transformation Security amp Mapping
Application
Presentation
Data Link Data Translation to Frames
Physical Data Bits Transmission
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
Slide 66: Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms.
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers."
• AON provides common and consistent implementations of message-level security functions.
Slide 67: Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68: Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + More standards proposed ("alphabet soup"):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)
Slide 69: AON Implements Messaging Standards
[Diagram: protocol stack TCP/IP > HTTP > SOAP > WS-Security, alongside the XML Protocol Set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT). AON is labelled "Security Integrator" and "SOA".]
Slide 70: Standards Relationships
[Diagram: the same stack as slide 69 (TCP/IP > HTTP > SOAP > WS-Security; XML Protocol Set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT)). AON is labelled "Accelerated XML Services".]
Slide 71: Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used over the entire message or for parts of a message; use certificate or key enveloping (WSSEC). DSIG is very general purpose.
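Signing the entire message versus one referenced part, as an added example that is not part of the original deck or of AON: it assumes HMAC-SHA256 over C14N bytes in place of an X.509-based XML-Signature, an unprefixed Signature element placed in the SOAP Header, and a constructed purchaseOrder request. It shows the caveat behind the "parts of a message" bullet (and the WS-Security envelope of slide 68): a Reference to the Body's wsu:Id leaves the Header uncovered.

```python
"""Sign a whole SOAP envelope, or only the part a wsu:Id reference names, and verify.
Added example, not AON code. Stand-in: rather than XML-Signature with an X.509 key
pair, the digest is SHA-256 over C14N bytes and the signature is HMAC-SHA256 over
the canonicalized SignedInfo, so it runs on the standard library alone. The shape
(Reference URI -> DigestValue, SignatureValue over SignedInfo, enveloped transform)
follows DSIG."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
ET.register_namespace("soap", SOAP)
ET.register_namespace("wsu", WSU)
HEADER = f"{{{SOAP}}}Header"
HINT = f"{HEADER}/RoutingHint"              # unsigned header element (constructed)
TOTAL = f"{{{SOAP}}}Body/purchaseOrder/total"
KEY = b"constructed-demo-key"               # stands in for the signer's private key

# Constructed sample request; the Header carries a routing hint outside the Body.
SAMPLE = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}">
  <soap:Header><RoutingHint wsu:Id="hdr">Svc2</RoutingHint></soap:Header>
  <soap:Body wsu:Id="body">
    <purchaseOrder orderDate="1999-10-20">
      <shipTo country="US"><name>Alice Smith</name><zip>90952</zip></shipTo>
      <total>125.00</total>
    </purchaseOrder>
  </soap:Body>
</soap:Envelope>"""

def _c14n(el):
    """Canonical (C14N) bytes of one element, ignoring its trailing text."""
    el = copy.deepcopy(el)
    el.tail = None
    return ET.canonicalize(ET.tostring(el, encoding="unicode")).encode()

def _referenced(root, ref_id):
    """URI="" names the whole Envelope; "#id" names the element with that wsu:Id."""
    if ref_id == "":
        return root
    for el in root.iter():
        if el.get(f"{{{WSU}}}Id") == ref_id:
            return el
    raise KeyError(ref_id)

def _digest(root, ref_id):
    target = copy.deepcopy(_referenced(root, ref_id))
    # Enveloped-signature transform: a Signature never covers itself.
    for parent in [p for p in target.iter() if p.find("Signature") is not None]:
        for sig in parent.findall("Signature"):
            parent.remove(sig)
    return hashlib.sha256(_c14n(target)).hexdigest()

def _mac(key, signed_info):
    return hmac.new(key, _c14n(signed_info), hashlib.sha256).hexdigest()

def sign(xml_text, key, ref_id=""):
    """Return the message with a Header Signature covering ref_id ("" = everything)."""
    root = ET.fromstring(xml_text)
    sig = ET.SubElement(root.find(HEADER), "Signature")
    info = ET.SubElement(sig, "SignedInfo")
    ref = ET.SubElement(info, "Reference", URI=f"#{ref_id}" if ref_id else "")
    ET.SubElement(ref, "DigestValue").text = _digest(root, ref_id)
    ET.SubElement(sig, "SignatureValue").text = _mac(key, info)
    return ET.tostring(root, encoding="unicode")

def verify(signed_xml, key):
    """True only if the referenced part is unchanged and the MAC over SignedInfo matches."""
    root = ET.fromstring(signed_xml)
    sig = root.find(f"{HEADER}/Signature")
    ref = None if sig is None else sig.find("SignedInfo/Reference")
    if ref is None:
        return False
    try:
        expected = _digest(root, ref.get("URI", "").lstrip("#"))
    except KeyError:                      # reference to an element that is not there
        return False
    digest_ok = hmac.compare_digest(ref.findtext("DigestValue", ""), expected)
    mac_ok = hmac.compare_digest(sig.findtext("SignatureValue", ""),
                                 _mac(key, sig.find("SignedInfo")))
    return digest_ok and mac_ok

def tamper(xml_text, path, new_text):
    """Constructed in-transit modification of one element's text."""
    root = ET.fromstring(xml_text)
    root.find(path).text = new_text
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    part, whole = sign(SAMPLE, KEY, "body"), sign(SAMPLE, KEY)
    print("body-only, header changed:", verify(tamper(part, HINT, "Svc3"), KEY))   # True
    print("body-only, total changed: ", verify(tamper(part, TOTAL, "1.00"), KEY))  # False
    print("whole, header changed:    ", verify(tamper(whole, HINT, "Svc3"), KEY))  # False
```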
Slide 72: Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Slide 73: Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials: X.509 certificate
  Signature validation (XENC, certificate based)
Slide 74: Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general-purpose mechanism for controlling message access and routing
Slide 75: Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets" code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out-of-the-box)
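The flow mechanisms of slide 74 and the inspection behaviours above, as an added example that is not AON code: a small Python flow over constructed purchaseOrder messages (in the shape of the deck's sample payload), with assumed rule shapes, role table and limits, that validates format and data ranges, applies an authorization rule, runs content signatures that either alarm (content IDS) or stop the message before the parser sees it (firewall behaviour), and picks a content-based route.

```python
"""Message-level flow of the kind slides 74 and 75 describe, run over constructed
SOAP purchase orders: format validation, data-range validation, an authorization
rule, content signatures that alarm (content IDS) or stop the message (firewall
behaviour), and content-based routing. Added example, not AON code; the rule
shapes, role table and limits are assumptions."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
PO_PATH = f"{{{SOAP}}}Body/purchaseOrder"
ROLES = {"alice": "buyer", "bob": "auditor"}   # assumed stand-in for the LDAP/HTTP BASIC lookup
ALLOWED_COUNTRIES = {"US", "CA"}
MAX_DEPTH = 8            # firewall-style limit on element nesting
HIGH_VALUE = 10_000.0    # orders above this are routed to the approval service
# Content signatures (name, pattern, action): "drop" rules run on the raw text
# before the parser ever sees it, "alarm" rules run on parsed element text.
SIGNATURES = [
    ("doctype-in-message", re.compile(r"<!DOCTYPE", re.I), "drop"),
    ("sql-keywords-in-field", re.compile(r"(?i)\b(union|select)\b.+\bfrom\b"), "alarm"),
]

@dataclass
class Verdict:
    action: str = "route"                        # "route" or "drop"
    route: str = ""                              # chosen by content-based routing
    alarms: list = field(default_factory=list)   # content-IDS hits; message continues
    reasons: list = field(default_factory=list)  # why the message was dropped

def sample(name, zip_code, total, country="US"):
    """Constructed purchase-order envelope in the shape of the deck's sample payload."""
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
            f'<purchaseOrder orderDate="1999-10-20"><shipTo country="{country}">'
            f'<name>{name}</name><city>Mill Valley</city><zip>{zip_code}</zip>'
            f'</shipTo><total>{total}</total></purchaseOrder></soap:Body></soap:Envelope>')

def _depth(el, d=1):
    return max([d] + [_depth(child, d + 1) for child in el])

def validate_format(raw, v):
    """Firewall signatures, well-formedness, expected envelope and required elements."""
    v.reasons += [f"signature:{n}" for n, p, a in SIGNATURES if a == "drop" and p.search(raw)]
    if v.reasons:
        return None
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as e:
        v.reasons.append(f"malformed:{e}")
        return None
    po = root.find(PO_PATH) if root.tag == f"{{{SOAP}}}Envelope" else None
    if po is None:
        v.reasons.append("format:missing-envelope-or-purchaseOrder")
        return None
    if _depth(root) > MAX_DEPTH:
        v.reasons.append("format:nesting-too-deep")
    for path in ("shipTo/name", "shipTo/zip", "total"):
        if not (po.findtext(path) or "").strip():
            v.reasons.append(f"format:missing:{path}")
    return None if v.reasons else root

def validate_ranges(po, v):
    """Data-range validation on the fields the format step guaranteed exist."""
    if not re.fullmatch(r"\d{5}", po.findtext("shipTo/zip").strip()):
        v.reasons.append("range:zip")
    country = po.find("shipTo").get("country", "")
    if country not in ALLOWED_COUNTRIES:
        v.reasons.append(f"range:country:{country}")
    try:
        total = float(po.findtext("total"))
    except ValueError:
        total = -1.0
    if not 0 < total <= 1_000_000:
        v.reasons.append("range:total")

def authorize(meta, v):
    """Authorization rule: only the 'buyer' role may submit a purchase order."""
    if ROLES.get(meta.get("user", "")) != "buyer":
        v.reasons.append(f"authz:{meta.get('user', '?')}")

def inspect_content(root, v):
    """Content IDS: alarm signatures are applied to every element's text."""
    for el in root.iter():
        for name, pat, action in SIGNATURES:
            if action == "alarm" and el.text and pat.search(el.text):
                v.alarms.append(f"{name}@{el.tag}")

def run_flow(raw, meta):
    """Run the steps in order; reasons drop the message, alarms only log it."""
    v = Verdict()
    root = validate_format(raw, v)
    if root is not None:
        po = root.find(PO_PATH)
        validate_ranges(po, v)
        authorize(meta, v)
        inspect_content(root, v)
        if not v.reasons:
            v.route = "Svc3" if float(po.findtext("total")) > HIGH_VALUE else "Svc2"
    v.action = "drop" if v.reasons else "route"
    return v
```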
Slide 76: AON Components
[Diagram: AON Blades; AMC (AON Mgmt Console), used for configuring and provisioning AON modules; ADS (AON Design Studio), used for developing application policies ("flows"); LOG DB]
Slide 77: Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, the AON component, and through AON access controls
Slide 78: Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection, content-level ACLs
  Reasonable administrative access controls
Slide 79: Q and A
Session Number 11657_09_2005_c1
48copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Inspection and Operation
IP TCP HTTP
Switches Routers Firewalls ldquoContent Inspectionrdquo Operate Around the Payload
Opaque
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
49copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
51copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON == Message Content and Envelope
IP TCP HTTP
HTTP Envelope (SOAP) Messages(XML envelope standards + custom XML) ==
ldquoDeep Inspectionrdquo
SOAPWSECHttpwww
Existing Message Bodies + Custom Parsing
HTTP XMLMessageBody
Existing Message Bodies + Custom Parsing
52copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Why XML
bull TCPIP gives you network HW independence
bull JAVA gives you platform independence(sortrsquoa kindrsquoa for the first few years it was ldquowrite once debug everywhererdquo)
bull XML gives you data independence
bull Ubiquitous adoption
53copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Delivers the Following Support Utilities for
Securitybull Transport-level encryption termination (SSL v3)
bull Payload encryption termination (XML)
bull Protocol translation (HTTP lt--gt JMS)
bull Digital Signature
bull DMZ-to-Application Layer Secure Connector (like SSH or STA)
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
50copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Is Inside the TCPIP Wrapper
IP TCP HTTP
Session Protocol + Content Inspection ==Session and Payload
PayloadMessageltxml version=10gt ltpurchaseOrder orderDate=1999-10-20gt
ltshipTo country=USgt ltnamegtAlice Smithltnamegt ltstreetgt123 Maple Streetltstreetgt ltcitygtMill Valleyltcitygt ltstategtCAltstategt ltzipgt90952ltzipgt
ltshipTogt hellip
Httpwww
Optimized for XML Payloads
AON == Message Content and Envelope

[Figure: IP, TCP and HTTP carry an HTTP envelope (SOAP) whose messages are XML envelope standards plus custom XML; inspecting both envelope and content is "deep inspection". Two cases are shown: SOAP/WS-Security over HTTP, and a plain XML message body over HTTP. In both, AON handles existing message bodies plus custom parsing.]
Why XML

• TCP/IP gives you network hardware independence
• Java gives you platform independence (sort'a, kind'a: for the first few years it was "write once, debug everywhere")
• XML gives you data independence
• Ubiquitous adoption
AON Delivers the Following Support Utilities for Security

• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital signature
• DMZ-to-application-layer secure connector (like SSH or STA)
These AON Security Functions…

…Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services

Table: each AON security function and how it is implemented today in the three external application environments

Encryption using SSL v3 with bi-directional authentication
  External App Environment 1, B2B (WebMethods): Limited; WebMethods specific; requires significant setup effort
  External App Environment 2: Limited
  Other environments: Limited

XML payload encryption
  External App Environment 1, B2B (WebMethods): Custom written by each app using Java libraries; limited
  External App Environment 2: Custom written by each app
  Other environments: Limited

Protocol translation
  External App Environment 1, B2B (WebMethods): Custom written by each application; WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies
  External App Environment 2: Custom written by each application
  Other environments: Custom written and/or product/technology specific

Digital signature
  External App Environment 1, B2B (WebMethods): Custom written by each app using Java libraries; limited
  External App Environment 2: Custom written by each app
  Other environments: Limited

DMZ-to-application-layer secure connector
  External App Environment 1, B2B (WebMethods): mod_IIOP over SSH pipes
  External App Environment 2: Reverse proxy; STA (Secure Transport Architecture), custom
  Other environments: Varies for each environment
Before AON: Current Location of Application and Service Support Utilities

[Figure: DMZ and application layer separated by firewalls; three environments (External Env 1, External Env 2, B2B), each in front of its own internal DB. Each environment carries its own copy of the support utilities:]
• Environment/technology-specific: authentication, SSL v3 termination, DSIG validation, encryption
• Custom/application-based: content inspection/routing, schema validation, logging, service versioning
After AON: Future Location of Application and Service Support Utilities

[Figure: the same DMZ / application layer / internal DB layout, but the common utilities now sit in AON in front of the business logic (Java, PERL, B2B).]

Common utilities moved into AON:
• SSL termination
• Signature/certificate validation
• Authentication
• Logging
• Content-based routing
• Protocol conversion
• Payload encryption
• Payload decryption
• Schema validation
Agenda

• Where Does AON Fit into the Bigger Picture
• What Is AON
• AON Security Features/Architecture
  Combining Layer 3/4 and Layer 7+
  Common Security Functions
  Deep Content Inspection
  Access Controls
AON Security

• AON fosters a better network security architecture because it reduces the unprotected segments between the applications and AON
• Layer 3/4 is used to protect layer 7 functions (i.e. layer 7 security is implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACL), validation
• PKI implementation that is correct, tested and validated
• Separation of design/development and implementation
Pre-AON Web Security Architecture

[Figure: firewall, DMZ with web servers (WS), firewall, application layer with business logic (Java, PERL, B2B), firewall, internal DBs.]
Pre-AON SOA/Web Services Security Architecture

[Figure: the same layout, with a web services gateway (WSGW) added in front of the business logic.]
Pre-AON Attack Vectors

[Figure: the pre-AON SOA/web services architecture (web servers in the DMZ, WSGW and business logic in the application layer, internal DBs), annotated with attack vectors.]
Pre-AON Attack Vectors

[Figure: the same architecture, with two callouts on the web services gateway (WSGW):]
• The network architecture must be changed for the GW (more switches and routers = more ACs to manage)
• The GW is NOT part of the network: a compromise at layer 3/4 can attack the application layer, going around the GW
A Possible (Simplified) AON Architecture

[Figure: the same layered architecture (web servers in the DMZ, Java/PERL/B2B business logic, internal DBs), with AON in place of the WSGW; callouts:]
• AON is part of the network: the application layer is directly connected to the network device
• Message protection is terminated at AON; no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries
AON Potential Architecture

[Figure: firewall, DMZ, firewall, application server layer. In the DMZ, AON takes the place of the web servers (Web servers == AON) and speaks HTTP(S) to the outside. In the application server layer, further AON nodes and an AON service provider (AONSP) front App1, Svc2, Svc3, a gateway, the application directory service and a JMS server, over HTTP(S) and JMS (Common application functions == AON). Function groups shown on the AON nodes:]
• SSL termination, DSIG/certificate validation, authentication, logging, etc.
• Payload decryption, schema validation, content inspection/routing, logging
• Protocol conversion (HTTP-to-JMS), content-based routing, logging
• Payload encryption, DSIG, logging, etc.
AON Potential Architecture

[Figure: as on the previous slide: firewall, DMZ with AON, firewall, application server layer with AON nodes, AONSP, App1, Svc2, Svc3, gateway, application directory service and JMS server over HTTP(S) and JMS.]
• Replace web servers with AON
• AON terminates HTTPS and provides the other DMZ functions
• Common functions in the application layer, provided by AON, protect the services and logic in the application layer
Implementation Consistency

• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions
Some of AON's Security Functions

• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Key XML Standards

• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + More standards proposed (alphabet soup):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)
AON Implements Messaging Standards

[Figure: protocol stack TCP/IP, HTTP, SOAP, WS-Security, topped by the XML protocol set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML expressions (XSLT). AON sits above the stack as the Security Integrator for the SOA.]
Standards Relationships

[Figure: the same stack (TCP/IP, HTTP, SOAP, WS-Security; XML-Encryption, XML-Digital Signature, XSLT), with AON labelled Accelerated XML Services.]
Digital Signatures (X.509 + DSIG)

• Authentication credentials
• Non-repudiation
• Integrity
• Used over the entire message or for parts of a message; uses certificate or key enveloping (WS-SEC); DSIG is very general purpose
Encryption/decryption

• Confidentiality
• Integrity (at the transport, through the SSL record MAC; XML Encryption on its own does not authenticate the ciphertext, so pair XENC with a signature when integrity is required)
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Authentication

• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials: X.509 certificate
• Signature validation (certificate-based DSIG)
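The "entire message or parts of a message" point on the Digital Signatures slide and the signature-validation credential on the Authentication slide, as an added example that is not AON code: a WS-Security-style signature over one wsu:Id-referenced part of a SOAP message, carried in a wsse:Security header, plus a verifier. Two stand-ins are assumed so that it runs with the Python standard library alone: an HMAC-SHA256 over the canonicalized part replaces the RSA/X.509 SignatureValue, and the key, element ids and sample order are constructed. The verifier shows the check a practitioner wants when only part of a message is signed: the referenced element must be the Body the application will process, otherwise a relay can park the genuine signed Body elsewhere in the envelope and substitute its own (signature wrapping).

```python
"""WS-Security-style signing of one part of a SOAP envelope (added example,
not AON code). HMAC-SHA256 stands in for the RSA/X.509 SignatureValue; KEY,
the wsu:Id values and the sample purchase order are constructed."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(prefix, uri)

KEY = b"assumed shared signing key"  # stand-in for the partner's private key
WSU_ID = f"{{{WSU}}}Id"

# Constructed sample: the slide's purchaseOrder inside a Body that carries a wsu:Id.
UNSIGNED = f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsu="{WSU}">
  <soap:Header/>
  <soap:Body wsu:Id="body-1">
    <purchaseOrder orderDate="1999-10-20">
      <shipTo country="US"><name>Alice Smith</name><zip>90952</zip></shipTo>
    </purchaseOrder>
  </soap:Body>
</soap:Envelope>"""


def c14n(elem):
    """Canonical XML of one subtree: the step DSIG performs before digesting."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode"), strip_text=True)


def digest(elem):
    return base64.b64encode(hashlib.sha256(c14n(elem).encode()).digest()).decode()


def find_by_id(root, part_id):
    """Naive lookup: any element whose wsu:Id matches, wherever it sits."""
    return next((e for e in root.iter() if e.get(WSU_ID) == part_id), None)


def sign_part(envelope_xml, part_id, key=KEY):
    """Sign only the element with wsu:Id=part_id and add a wsse:Security header."""
    root = ET.fromstring(envelope_xml)
    signed_info = ET.Element(f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(signed_info, f"{{{DS}}}Reference", URI=f"#{part_id}")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest(find_by_id(root, part_id))
    sig_value = hmac.new(key, c14n(signed_info).encode(), "sha256").digest()
    security = ET.SubElement(root.find(f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    signature = ET.SubElement(security, f"{{{DS}}}Signature")
    signature.append(signed_info)
    ET.SubElement(signature, f"{{{DS}}}SignatureValue").text = base64.b64encode(sig_value).decode()
    return ET.tostring(root, encoding="unicode")


def verify(envelope_xml, key=KEY, strict=True):
    """Returns (accepted, reason). strict=True binds the signed reference to the
    soap:Body the application processes; strict=False accepts any element that
    carries the referenced Id, which is what signature wrapping abuses."""
    root = ET.fromstring(envelope_xml)
    signature = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature")
    if signature is None:
        return False, "no signature"
    signed_info = signature.find(f"{{{DS}}}SignedInfo")
    expected = hmac.new(key, c14n(signed_info).encode(), "sha256").digest()
    given = base64.b64decode(signature.findtext(f"{{{DS}}}SignatureValue") or "")
    if not hmac.compare_digest(expected, given):
        return False, "signature value does not verify"
    ref = signed_info.find(f"{{{DS}}}Reference")
    part_id = (ref.get("URI") or "")[1:]
    body = root.find(f"{{{SOAP}}}Body")
    if strict:
        part = body if body is not None and body.get(WSU_ID) == part_id else None
    else:
        part = find_by_id(root, part_id)
    if part is None:
        return False, "signed part is not the Body being processed"
    if ref.findtext(f"{{{DS}}}DigestValue") != digest(part):
        return False, "digest mismatch: signed part was modified"
    return True, "ok"


def tamper(signed_xml):
    """A relay edits the signed Body in place (changes the zip code)."""
    root = ET.fromstring(signed_xml)
    root.find(f"{{{SOAP}}}Body/purchaseOrder/shipTo/zip").text = "00000"
    return ET.tostring(root, encoding="unicode")


def wrap(signed_xml, new_order_xml):
    """Signature wrapping: park the original, still-valid signed Body under the
    Header and put an attacker-chosen Body where the application looks."""
    root = ET.fromstring(signed_xml)
    body = root.find(f"{{{SOAP}}}Body")
    root.remove(body)
    ET.SubElement(root.find(f"{{{SOAP}}}Header"), "Wrapper").append(body)
    ET.SubElement(root, f"{{{SOAP}}}Body").append(ET.fromstring(new_order_xml))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    signed = sign_part(UNSIGNED, "body-1")
    print("genuine :", verify(signed))
    print("tampered:", verify(tamper(signed)))
    forged = wrap(signed, '<purchaseOrder orderDate="2005-09-01"><shipTo country="US">'
                          '<name>Mallory</name><zip>00000</zip></shipTo></purchaseOrder>')
    print("wrapped, naive :", verify(forged, strict=False))
    print("wrapped, strict:", verify(forged))
```

The naive verifier accepts the wrapped message because the digest over the relocated Body still matches; the strict verifier rejects it because the element the reference points at is no longer the Body that will be acted on. The same binding rule applies whatever signs the SignedInfo, so swapping the HMAC for an RSA signature checked against a partner's X.509 certificate does not change the verifier's structure.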
Flow Security Mechanisms

• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out of the box)
• A very general-purpose mechanism for controlling message access and routing
Deep Content Inspection

• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelet" code that can use the same services as AON's internal content-handling code, and so handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out of the box)
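The Flow Security Mechanisms and Deep Content Inspection slides above (and the flows-as-message-level-ACLs point on the Some of AON's Security Functions slide) describe one inspection pipeline: format validation, data-range validation, an authorization rule applied to message content, and signatures that either alarm or stop the message. The following is an added example of such a flow in Python; it is not AON code or a bladelet, and the partner ACL, the signature list, the size and depth limits, the orderDate window and the sample messages are all constructed for the demonstration.

```python
"""Message-level inspection flow (added example, not AON code). PARTNER_ACL,
SIGNATURES, the limits, ORDER_WINDOW and the sample messages are constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import date

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_CHARS, MAX_DEPTH = 64 * 1024, 32                      # assumed limits
ORDER_WINDOW = (date(1999, 1, 1), date(2010, 12, 31))     # assumed valid orderDate range

# Content ACL (assumed): which authenticated partner may ship to which countries.
PARTNER_ACL = {"acme": {"US", "CA"}, "globex": {"US"}}

# Inspection signatures (assumed), run on the raw text before any parser sees it.
# "block" behaves like a firewall rule; "alarm" like an IDS rule that still forwards.
SIGNATURES = [
    (re.compile(r"<!DOCTYPE", re.I), "block", "DTD in message (XXE / entity expansion)"),
    (re.compile(r"<!\[CDATA\[", re.I), "alarm", "CDATA section in order"),
    (re.compile(r"<script|javascript:", re.I), "alarm", "script content in payload"),
]


def pre_parse(raw):
    """Size and signature checks on the raw message: (action, reason, alarms)."""
    alarms = []
    if len(raw) > MAX_CHARS:
        return "block", "oversized message", alarms
    for pattern, action, name in SIGNATURES:
        if pattern.search(raw):
            if action == "block":
                return "block", name, alarms
            alarms.append(name)
    return "pass", "", alarms


def depth(elem, d=1):
    return max([d] + [depth(child, d + 1) for child in elem])


def inspect(raw, partner):
    """Run the flow over one message from an already-authenticated partner.
    Returns (action, reason, alarms) with action in forward | alarm | block."""
    action, reason, alarms = pre_parse(raw)
    if action == "block":
        return action, reason, alarms
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return "block", f"malformed XML: {exc}", alarms
    if depth(root) > MAX_DEPTH:
        return "block", "nesting too deep", alarms
    order = root.find(f"{{{SOAP}}}Body/purchaseOrder")
    if order is None:
        return "block", "no purchaseOrder in Body", alarms
    # Message-format validation: the elements the service relies on must exist.
    for path in ("shipTo", "shipTo/name", "shipTo/zip"):
        if order.find(path) is None:
            return "block", f"missing {path}", alarms
    # Data-range validation.
    if not re.fullmatch(r"\d{5}", order.findtext("shipTo/zip") or ""):
        return "block", "zip is not five digits", alarms
    try:
        ordered = date.fromisoformat(order.get("orderDate", ""))
    except ValueError:
        return "block", "orderDate is not a date", alarms
    if not ORDER_WINDOW[0] <= ordered <= ORDER_WINDOW[1]:
        return "block", "orderDate out of range", alarms
    # Authorization rule used as a content-level ACL.
    country = order.find("shipTo").get("country", "")
    if country not in PARTNER_ACL.get(partner, set()):
        return "block", f"partner {partner!r} may not ship to {country!r}", alarms
    return ("alarm" if alarms else "forward"), "ok", alarms


def envelope(order_xml):
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header/>'
            f'<soap:Body>{order_xml}</soap:Body></soap:Envelope>')


# Constructed sample messages.
GOOD = envelope('<purchaseOrder orderDate="1999-10-20"><shipTo country="US">'
                '<name>Alice Smith</name><zip>90952</zip></shipTo></purchaseOrder>')
TO_CANADA = envelope('<purchaseOrder orderDate="2005-09-01"><shipTo country="CA">'
                     '<name>Bob</name><zip>12345</zip></shipTo></purchaseOrder>')
BAD_ZIP = envelope('<purchaseOrder orderDate="1999-10-20"><shipTo country="US">'
                   '<name>Alice Smith</name><zip>9095</zip></shipTo></purchaseOrder>')
XXE = ('<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]>'
       + envelope('<purchaseOrder orderDate="1999-10-20"><shipTo country="US">'
                  '<name>&e;</name><zip>90952</zip></shipTo></purchaseOrder>'))
SCRIPTY = envelope('<purchaseOrder orderDate="1999-10-20"><shipTo country="US">'
                   '<name>javascript:alert(1)</name><zip>90952</zip></shipTo></purchaseOrder>')

if __name__ == "__main__":
    for label, msg, partner in [("good", GOOD, "acme"), ("canada/globex", TO_CANADA, "globex"),
                                ("bad zip", BAD_ZIP, "acme"), ("xxe", XXE, "acme"),
                                ("scripty", SCRIPTY, "acme")]:
        print(f"{label:14} -> {inspect(msg, partner)}")
```

The order of the steps matters: the raw-text signatures and size limit run before the parser so that a DTD or an oversized message never reaches it, and the content ACL runs last, on data the earlier steps have already shown to be well formed.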
AON Components

[Figure: AON blades at the centre, with AMC (AON Management Console), used for configuring and provisioning AON modules; ADS (AON Design Studio), used for developing application policies ("flows"); and the log DB.]
Access Controls

• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)

Implemented at the device, at the AON component, and through AON access controls
Summary

• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  Combining layer 3/4 and layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection, content-level ACLs
  Reasonable administrative access controls
Q and A

Session Number 11657_09_2005_c1
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Slide 53: AON Delivers the Following Support Utilities for Security
• Transport-level encryption termination (SSL v3)
• Payload encryption termination (XML)
• Protocol translation (HTTP <--> JMS)
• Digital signature
• DMZ-to-application-layer secure connector (like SSH or STA)
Slide 54: These AON Security Functions Are Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services

| AON security function | External app environment 1 | B2B (WebMethods) | External app environment 2 | Other environments |
|---|---|---|---|---|
| Encryption using SSL v3 with bi-directional authentication | Limited | WebMethods specific; requires significant setup effort | Limited | Limited |
| XML payload encryption | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited |
| Protocol translation | Custom written by each application | WebMethods specific; limited to WebMethods transactions; interoperates with a limited number of messaging technologies | Custom written by each application | Custom written and/or product/technology specific |
| Digital signature | Custom written by each app using Java libraries | Limited | Custom written by each app | Limited |
| DMZ-to-app-layer secure connector | mod_IIOP over SSH pipes | Reverse proxy | STA (Secure Transport Architecture), custom | Varies for each environment |
Slide 55: Before AON: Current Location of Application and Service Support Utilities
[Figure: three tiers, each behind a firewall: DMZ | application layer | internal DBs. Three parallel stacks (External Env 1, External Env 2, B2B), each carrying its own copy of the support utilities:]
• Environment/technology-specific: authentication, SSL v3 termination, DSIG validation, encryption
• Custom/application-based: content inspection/routing, schema validation, logging, service versioning
Slide 56: After AON: Future Location of Application and Service Support Utilities
[Figure: the same three tiers. AON modules in the DMZ supply the common utilities; the business logic (Java, Perl, B2B) stays in the application layer in front of the internal DBs.]
Common utilities moved into AON: SSL termination, signature/certificate validation, authentication, logging, content-based routing, protocol conversion, payload encryption, payload decryption, schema validation
Slide 57: Agenda
• Where does AON fit into the bigger picture?
• What is AON?
• AON security features/architecture: combining Layer 3/4 and Layer 7+; common security functions; deep content inspection; access controls
Slide 58: AON Security
• AON fosters a better network security architecture because it reduces the unprotected segments between applications and AON
• Layer 3/4 is used to protect Layer 7 functions (i.e. Layer 7 security is implemented in the network device)
• Common and consistent implementation of security functions: digital signatures (DSIG), encryption/decryption, authentication, access control lists (ACLs), validation
• A PKI implementation that is correct, tested and validated
• Separation of design/development from implementation
Slide 59: Pre-AON Web Security Architecture
[Figure: DMZ | application layer | internal DBs, each tier behind a firewall. Web servers (WS) in the DMZ front the business logic (Java, Perl, B2B), which fronts the internal DBs.]

Slide 60: Pre-AON SOA/Web Services Security Architecture
[Figure: as slide 59, with a web-services gateway (WSGW) added in the application layer beside the business logic.]

Slide 61: Pre-AON Attack Vectors
[Figure: the same diagram as slide 60, used to locate the attack vectors called out on slide 62.]
Slide 62: Pre-AON Attack Vectors
[Figure: the same diagram as slide 60, with two callouts:]
• The network architecture must be changed to insert the gateway (more switches and routers = more access controls to manage)
• The gateway is NOT part of the network: a compromise at Layer 3/4 can attack the application layer directly, going around the gateway
Slide 63: A Possible (Simplified) AON Architecture
[Figure: as slide 59, with AON in place of the WSGW, attached directly to the network device in the application layer. Callouts:]
• AON is part of the network; the application layer is directly connected to the network device
• Message protection is terminated at AON; no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64: AON Potential Architecture
[Figure: firewall | DMZ | firewall | application-server layer. AON modules replace the DMZ web servers and terminate HTTP(S) from outside; further AON modules in the application layer sit in front of App1, Svc2, Svc3, a gateway, an application directory service and a JMS server, speaking HTTP(S) and JMS to them. The function groups labelled on the AON modules in the figure:]
• SSL termination, DSIG/certificate validation, authentication, logging, etc.
• Payload decryption, schema validation, content inspection/routing, logging
• Protocol conversion (HTTP to JMS), content-based routing, logging
• Payload encryption, DSIG, logging, etc.
Web servers == AON; common application functions == AON

Slide 65: AON Potential Architecture (continued)
[Figure: the same diagram as slide 64.]
• Replace web servers with AON
• AON terminates HTTPS and provides the other DMZ functions
• Common functions in the application layer, provided by AON, protect the services and logic in the application layer
Slide 66: Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of the infrastructure: "for application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions
Slide 67: Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificates, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validation (flows can contain XSLT expressions)
Slide 68: Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• Plus more proposed standards (alphabet soup): Web Services Description Language (WSDL), Universal Description, Discovery and Integration (UDDI), Web Services Flow Language (WSFL), other business rules (BPEL4WS)
Slide 69: AON Implements Messaging Standards
[Figure: the XML protocol set (XML-Encryption (XENC), XML-Digital Signature (DSIG), XML expressions (XSLT)) layered over WS-Security, SOAP, HTTP and TCP/IP, with AON positioned as the Security Integrator in the SOA.]

Slide 70: Standards Relationships
[Figure: the same stack as slide 69, with AON positioned as Accelerated XML Services.]
Slide 71: Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Applied to the entire message or to parts of a message, using certificate or key enveloping (WS-Security); DSIG is very general purpose
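As an added illustration (not AON code and not from the slides), the Python below builds the WS-Security structure slides 68 and 71 describe: a ds:Signature in the wsse:Security header whose Reference covers the soap:Body, so a part of the message is signed rather than the whole. HMAC-SHA256, which XML-Signature does define, stands in for an X.509 key so the example runs on the standard library alone (Python 3.8+ for canonicalize); the namespace and algorithm URIs are the real WS-Security/XMLDSig ones, while the shared key, the sample order message and the wsu:Id value "body" are assumptions made for the example:

```python
"""Sign the soap:Body of a SOAP envelope with an XML-Signature (ds:Signature)
carried in a WS-Security header, then verify it.  Added example, not AON
code.  HMAC-SHA256 stands in for an X.509/RSA key; the envelope layout
(SignedInfo -> Reference URI="#body" -> DigestValue, then SignatureValue
over SignedInfo) is the same one a certificate-based signature uses."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
ALG_HMAC_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
ALG_SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
ALG_C14N = "http://www.w3.org/2010/10/xml-c14n2"   # ElementTree implements C14N 2.0
for _prefix, _uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)


def _c14n(elem):
    """Canonical serialization of one subtree, so signer and verifier hash the same bytes."""
    return ET.canonicalize(xml_data=ET.tostring(elem, encoding="unicode"))


def _digest(elem):
    return base64.b64encode(hashlib.sha256(_c14n(elem).encode()).digest()).decode()


def _mac(signed_info, key):
    return base64.b64encode(hmac.new(key, _c14n(signed_info).encode(), hashlib.sha256).digest()).decode()


def sign_body(envelope_xml, key):
    """Return the envelope with a wsse:Security/ds:Signature covering soap:Body."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{SOAP}}}Body")
    body.set(f"{{{WSU}}}Id", "body")            # the Reference below points at this Id
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        header = ET.Element(f"{{{SOAP}}}Header")
        root.insert(0, header)
    sig = ET.SubElement(ET.SubElement(header, f"{{{WSSE}}}Security"), f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ET.SubElement(info, f"{{{DS}}}CanonicalizationMethod", Algorithm=ALG_C14N)
    ET.SubElement(info, f"{{{DS}}}SignatureMethod", Algorithm=ALG_HMAC_SHA256)
    ref = ET.SubElement(info, f"{{{DS}}}Reference", URI="#body")
    ET.SubElement(ref, f"{{{DS}}}DigestMethod", Algorithm=ALG_SHA256)
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = _digest(body)
    # The signature is over SignedInfo, which in turn binds the Body digest.
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = _mac(info, key)
    return ET.tostring(root, encoding="unicode")


def verify_body(signed_xml, key):
    """True only if the signature verifies AND covers the Body that will be dispatched."""
    root = ET.fromstring(signed_xml)
    sig = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{DS}}}Signature")
    body = root.find(f"{{{SOAP}}}Body")
    if sig is None or body is None:
        return False
    info = sig.find(f"{{{DS}}}SignedInfo")
    ref = info.find(f"{{{DS}}}Reference")
    # Find the Body by position, then require that the Reference names it.
    # Dereferencing the URI first would accept a message whose real Body was
    # swapped while a second, validly signed "body" sits elsewhere (signature wrapping).
    if ref.get("URI") != "#" + body.get(f"{{{WSU}}}Id", ""):
        return False
    digest_ok = hmac.compare_digest((ref.findtext(f"{{{DS}}}DigestValue") or "").encode(),
                                    _digest(body).encode())
    if not digest_ok:
        return False
    return hmac.compare_digest((sig.findtext(f"{{{DS}}}SignatureValue") or "").encode(),
                               _mac(info, key).encode())


def demo():
    key = b"gateway-to-service shared secret"   # assumption: provisioned out of band
    envelope = (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
                '<GetOrder><orderId>42</orderId></GetOrder>'
                '</soap:Body></soap:Envelope>')                  # constructed sample
    signed = sign_body(envelope, key)
    tampered = signed.replace("<orderId>42</orderId>", "<orderId>43</orderId>")
    return (verify_body(signed, key),            # True
            verify_body(tampered, key),          # False: Body digest no longer matches
            verify_body(signed, b"other key"))   # False: MAC over SignedInfo fails
```

Swapping _mac for an RSA signature over the same canonical SignedInfo, and carrying the certificate in a wsse:BinarySecurityToken, gives the certificate-based form the slide means; the verification order (locate the Body, check the Reference names it, then check digest and signature) is what keeps partial-message signing safe.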
Slide 72: Encryption/decryption
• Confidentiality
• Integrity (the SSL record MAC provides this for the transport; XML-Encryption on its own does not authenticate the ciphertext, so message-level integrity still needs a signature)
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Slide 73: Authentication
• HTTP BASIC
• SOAP-enveloped (header) credentials
• Enterprise LDAP (directory) stores
• Different types of credentials: X.509 certificate; signature validation (DSIG, certificate based)
Slide 74: Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out of the box)
• A very general-purpose mechanism for controlling message access and routing
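The two slides above (authentication and flow security mechanisms) describe a pipeline; the Python below, an added example rather than AON flow code, shows one concrete pass through it: pull the wsse:UsernameToken out of the SOAP header, check it against a directory, consult a message-level ACL keyed on role and operation, then validate the operation's elements and integer ranges before forwarding. The directory, roles, range limits and sample messages are all constructed for the example:

```python
"""A message-level 'flow': authenticate the WS-Security UsernameToken, apply an
ACL on (role, operation), then validate structure and data ranges.  Added
example, not AON code; directory, ACL, schema and messages are constructed."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"


def _pw_hash(salt, password):
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Stand-in for an enterprise LDAP store: user -> (salt, salted password hash, role)
DIRECTORY = {
    "alice": (b"s1", _pw_hash(b"s1", "alice-pw"), "order-entry"),
    "bob":   (b"s2", _pw_hash(b"s2", "bob-pw"),   "read-only"),
}
# Message-level ACL: which operations (Body child elements) each role may invoke
ACL = {"order-entry": {"GetOrder", "PlaceOrder"}, "read-only": {"GetOrder"}}
# Format and data-range rules: operation -> {required child element: (min, max)}
SCHEMA = {
    "GetOrder":   {"orderId": (1, 10**9)},
    "PlaceOrder": {"orderId": (1, 10**9), "quantity": (1, 1000)},
}


def authenticate(root):
    """Return the username from a valid wsse:UsernameToken, else None."""
    tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if tok is None:
        return None
    user = tok.findtext(f"{{{WSSE}}}Username")
    password = tok.findtext(f"{{{WSSE}}}Password")
    entry = DIRECTORY.get(user)
    if entry is None or password is None:
        return None
    salt, expected, _role = entry
    if not hmac.compare_digest(_pw_hash(salt, password), expected):
        return None
    return user


def validate(operation, elem):
    """Return None if elem matches SCHEMA[operation], else the first violation."""
    rules = SCHEMA.get(operation)
    if rules is None:
        return f"no schema for {operation}"
    seen = set()
    for child in elem:
        if child.tag not in rules:
            return f"unexpected element {child.tag}"
        low, high = rules[child.tag]
        try:
            value = int(child.text or "")
        except ValueError:
            return f"{child.tag} is not an integer"
        if not low <= value <= high:
            return f"{child.tag}={value} outside [{low}, {high}]"
        seen.add(child.tag)
    missing = sorted(set(rules) - seen)
    return f"missing {missing}" if missing else None


def process(envelope_xml):
    """Run the flow: ('forward', user, operation) or ('reject', reason)."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        return ("reject", f"malformed XML: {exc}")
    user = authenticate(root)                      # 1. who is calling?
    if user is None:
        return ("reject", "authentication failed")
    body = root.find(f"{{{SOAP}}}Body")
    if body is None or len(body) != 1:
        return ("reject", "Body must contain exactly one operation")
    operation = body[0].tag
    role = DIRECTORY[user][2]
    if operation not in ACL.get(role, ()):         # 2. may this role call this operation?
        return ("reject", f"{user} ({role}) may not invoke {operation}")
    problem = validate(operation, body[0])         # 3. is the payload well formed and in range?
    if problem:
        return ("reject", f"validation: {problem}")
    return ("forward", user, operation)


def _msg(user, password, body):
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}"><soap:Header>'
            f'<wsse:Security><wsse:UsernameToken><wsse:Username>{user}</wsse:Username>'
            f'<wsse:Password>{password}</wsse:Password></wsse:UsernameToken></wsse:Security>'
            f'</soap:Header><soap:Body>{body}</soap:Body></soap:Envelope>')


SAMPLES = {  # constructed test messages
    "ok":       _msg("alice", "alice-pw", "<PlaceOrder><orderId>42</orderId><quantity>5</quantity></PlaceOrder>"),
    "bad_pw":   _msg("alice", "guess",    "<GetOrder><orderId>42</orderId></GetOrder>"),
    "no_authz": _msg("bob",   "bob-pw",   "<PlaceOrder><orderId>42</orderId><quantity>5</quantity></PlaceOrder>"),
    "range":    _msg("alice", "alice-pw", "<PlaceOrder><orderId>42</orderId><quantity>5000</quantity></PlaceOrder>"),
    "extra":    _msg("bob",   "bob-pw",   "<GetOrder><orderId>42</orderId><debug>1</debug></GetOrder>"),
}
```

The order of the checks is the design point: authenticate first so an unauthenticated caller learns nothing from validation errors, authorize on the operation name before looking at its contents, and only then spend parser time on the payload; process() returns a tuple rather than printing so the same function can sit behind a test harness or a log writer.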
Slide 75: Deep Content Inspection
• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied during inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Java "bladelets" can be written that use the same services as AON's internal content-handling code, and so handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out of the box)
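An added example of what a content-inspection signature set looks like in practice (not AON's engine and not the bladelet API): regular-expression signatures run over the raw payload, each with an alert or a block action, plus a nesting-depth check done with an incremental parser. The size and depth thresholds, the signature patterns and the sample messages are assumptions constructed for the demo:

```python
"""Deep content inspection: signatures over the raw payload, each alerting
(content IDS) or blocking (firewall behaviour), plus a nesting-depth check.
Added example, not AON code; thresholds, patterns and samples are constructed."""
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024   # assumed message size ceiling
MAX_DEPTH = 32          # assumed element nesting ceiling

# (name, pattern over the raw text, action).  Checked before parsing, so a
# DOCTYPE carrying entity declarations never reaches the XML parser.
SIGNATURES = [
    ("xml-doctype-or-entity", re.compile(r"<!(DOCTYPE|ENTITY)\b", re.I), "block"),
    ("sql-or-xpath-meta",
     re.compile(r"""['"]\s*(or|and)\s+['"\w]+\s*=\s*['"\w]+|;\s*(drop|delete|union)\b""", re.I),
     "alert"),
    ("embedded-script", re.compile(r"<script\b", re.I), "alert"),
]


def _max_depth(payload):
    """Deepest element nesting, via the pull parser so no tree is built."""
    parser = ET.XMLPullParser(events=("start", "end"))
    parser.feed(payload)
    parser.close()
    depth = deepest = 0
    for event, _elem in parser.read_events():
        if event == "start":
            depth += 1
            deepest = max(deepest, depth)
        else:
            depth -= 1
    return deepest


def inspect(payload):
    """Return the list of (signature, action) hits for one message."""
    hits = []
    if len(payload.encode()) > MAX_BYTES:
        hits.append(("oversize-message", "block"))
    for name, pattern, action in SIGNATURES:
        if pattern.search(payload):
            hits.append((name, action))
    if any(action == "block" for _, action in hits):
        return hits                 # never hand a payload already marked for blocking to the parser
    try:
        if _max_depth(payload) > MAX_DEPTH:
            hits.append(("excessive-nesting", "block"))
    except ET.ParseError:
        hits.append(("malformed-xml", "block"))
    return hits


def decide(payload):
    """('forward' | 'block', hits): alerts are logged but pass, any block stops the message."""
    hits = inspect(payload)
    return ("block" if any(action == "block" for _, action in hits) else "forward", hits)


SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAMPLES = {  # constructed messages
    "clean": (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
              '<GetOrder><orderId>42</orderId></GetOrder></soap:Body></soap:Envelope>'),
    "xxe": ('<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
            '<GetOrder><orderId>&xxe;</orderId></GetOrder></soap:Body></soap:Envelope>'),
    "sqlish": (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>'
               "<FindCustomer><name>x' OR '1'='1</name></FindCustomer></soap:Body></soap:Envelope>"),
    "deep": "<a>" * (MAX_DEPTH + 5) + "</a>" * (MAX_DEPTH + 5),
}
```

Ordering is the point: the DOCTYPE/ENTITY signature is evaluated before anything is parsed, because entity-expansion and external-entity payloads do their damage inside the parser. Alert-only signatures such as the SQL/XPath pattern are where a security team would start, promoting them to block once the false-positive rate on real traffic is known, which is also why the slide is careful to say AON is not a firewall until someone has written and tuned such signatures.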
Slide 76: AON Components
• AMC (AON Management Console): used for configuring and provisioning AON modules
• ADS (AON Design Studio): used for developing application policies ("flows")
• AON blades, backed by a log DB
Slide 77: Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can easily be added (development, staging, production)
• Approval processes can easily be added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, at the AON component and through AON access controls
Slide 78: Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture: combining Layer 3/4 and Layer 7+ security controls; common security functions (signatures, encryption, PKI); deep content inspection and content-level ACLs; reasonable administrative access controls
Slide 79: Q and A
Session Number 11657_09_2005_c1
54copy 2005 Cisco Systems Inc All rights reserved Cisco Public
These AON Security Functionshellip
hellipAre Currently Being Performed by Custom Code or Vendor-Proprietary Tools Built into Dozens of Cisco External-Facing Services
AON Security Function External App Environment 1 B2B (WebMethods) External App
Environment 2 Other Environments
Encryption using SSL V3 With Bi-Directional
AuthenticationLimited
bull WebMethods specific Requires significant setup effort
Limited Limited
XML Payload Encryption
Custom written by each app using java
librariesLimited Custom written by
each app Limited
Protocol Translation Custom written by each application
bull WebMethods specific
bull Limited to WebMethods transactions
bull Interoperates with a limited number of Messaging technologies
Custom written by each application
Custom written andor Producttechnology
specific
Digital SignatureCustom written by
each app using java libraries
Limited Custom written by each app Limited
DMZ-2-App Layer Secure Connector
mod_IIOP over SSH pipes Reserve Proxy STA (Secure Transport
Architecture)mdashCustomVaries for each
environment
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
55copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Before AON Current Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
External Env 1
External Env 2
B2B
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
bull EnvironmentTechnology specific Authentication SSL V3 Termination DSIG Validation Encryption
bull CustomApplication-basedContent InspectionRouting Schema Validation Logging Service Versioning
Internal DBInternal DB
Internal DB
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
Slide 67: Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC)
• Authentication (HTTP BASIC, LDAP stores, X.509 Certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68: Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + More standards proposed (alphabet soup):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)
Slide 69: AON Implements Messaging Standards
[Diagram: protocol stack TCP/IP, HTTP, SOAP, WS-Security, alongside the XML Protocol Set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT); AON labelled "Security Integrator" and "SOA"]
Slide 70: Standards Relationships
[Diagram: the same stack as slide 69 (TCP/IP, HTTP, SOAP, WS-Security; XML Protocol Set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT)); AON labelled "Accelerated XML Services"]
Slide 71: Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used for the entire message or for parts of a message; uses certificate or key enveloping (WSSEC); DSIG is very general purpose
Slide 72: Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Slide 73: Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials:
  X.509 Certificate
  Signature validation (XENC, certificate based)
Slide 74: Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general purpose mechanism for controlling message access and routing
Slide 75: Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets" code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a Firewall (because signatures do not come out-of-the-box)
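As an added illustration for slides 74 and 75 (this is not Cisco AON code, its flow language or its API), a small Python model of one message-level flow: content-inspection signatures that either alarm (content IDS) or block (firewall behaviour), format validation of the SOAP envelope, a data-range check, an authorization rule acting as a message-level ACL, and a final content-based routing decision. The application namespace, the ACL and route tables, the signatures and the sample messages are all constructed for the example.

```python
"""Toy model of an AON-style message "flow": the ordered checks that a
message-level ACL and content-inspection policy apply to one SOAP request.
Constructed illustration; not Cisco AON code, its flow language or its API."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:orders"  # constructed application namespace


@dataclass
class Signature:
    name: str
    pattern: re.Pattern
    action: str  # "alarm" = content IDS only, "block" = firewall behaviour


@dataclass
class Verdict:
    allowed: bool
    reason: str
    alarms: List[str] = field(default_factory=list)
    route: str = ""


# Hypothetical policy tables a flow designer would author.
ACL = {"PlaceOrder": {"orders-client", "partner-b2b"}, "CancelOrder": {"orders-client"}}
ROUTES = {"PlaceOrder": "jms://orders.queue",            # HTTP-2-JMS conversion
          "CancelOrder": "http://svc2.internal/cancel"}  # plain HTTP forward
SIGNATURES = [
    # a DOCTYPE has no business in a SOAP request: firewall-style block
    Signature("doctype-in-soap", re.compile(r"<!DOCTYPE", re.I), "block"),
    # unusually large text node: worth an alarm, not necessarily a drop
    Signature("oversized-text-node", re.compile(r">[^<]{2000,}<"), "alarm"),
]


def process(raw: str, principal: str, sigs=SIGNATURES, enforce=True) -> Verdict:
    """Run one message through the flow. `principal` is the identity an
    earlier authentication step (HTTP BASIC, X.509, ...) established;
    enforce=False turns every "block" signature into an alarm (IDS mode)."""
    alarms: List[str] = []
    # 1. content-inspection signatures on the raw text, before any parsing
    for s in sigs:
        if s.pattern.search(raw):
            alarms.append(s.name)
            if s.action == "block" and enforce:
                return Verdict(False, f"blocked by signature {s.name}", alarms)
    # 2. message format validation: well-formed XML, SOAP Envelope, one Body child
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as e:
        return Verdict(False, f"malformed XML: {e}", alarms)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if root.tag != f"{{{SOAP_NS}}}Envelope" or body is None or len(body) != 1:
        return Verdict(False, "not a SOAP envelope with exactly one body element", alarms)
    op_el = body[0]
    if not op_el.tag.startswith(f"{{{APP_NS}}}"):
        return Verdict(False, "operation outside the application namespace", alarms)
    op = op_el.tag.split("}", 1)[1]
    # 3. authorization rule: the flow acts as a message-level ACL
    if principal not in ACL.get(op, set()):
        return Verdict(False, f"{principal} may not invoke {op}", alarms)
    # 4. data range validation on the operation's fields
    if op == "PlaceOrder":
        qty = op_el.findtext(f"{{{APP_NS}}}Quantity", "")
        if not qty.isdigit() or not 1 <= int(qty) <= 1000:
            return Verdict(False, "Quantity outside 1..1000", alarms)
    # 5. content-based routing (and the protocol the next hop speaks)
    return Verdict(True, "ok", alarms, ROUTES[op])


# Constructed sample messages.
GOOD_ORDER = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
              f'<o:PlaceOrder xmlns:o="{APP_NS}"><o:Sku>ABC-1</o:Sku>'
              f'<o:Quantity>5</o:Quantity></o:PlaceOrder></soap:Body></soap:Envelope>')
BAD_QTY = GOOD_ORDER.replace("<o:Quantity>5<", "<o:Quantity>5000<")
DOCTYPE_ORDER = "<!DOCTYPE Envelope>" + GOOD_ORDER
BIG_TEXT_ORDER = GOOD_ORDER.replace("</o:Sku>", "</o:Sku><o:Note>" + "A" * 2500 + "</o:Note>")

if __name__ == "__main__":
    for label, msg, who in [("good", GOOD_ORDER, "orders-client"),
                            ("wrong principal", GOOD_ORDER, "guest"),
                            ("bad quantity", BAD_QTY, "orders-client"),
                            ("doctype, enforced", DOCTYPE_ORDER, "orders-client"),
                            ("big text, alarm only", BIG_TEXT_ORDER, "partner-b2b")]:
        print(f"{label:22} -> {process(msg, who)}")
    print("doctype, IDS mode      ->", process(DOCTYPE_ORDER, "orders-client", enforce=False))
```

Note that the same signature table serves as content IDS (alarm, message still forwarded) or as a firewall rule (message dropped) purely by the enforce switch, which is the distinction the slide draws between alarms and stopped message flow.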
Slide 76: AON Components
[Diagram: AON Blades (AON, LOG DB); AMC (AON Mgmt Console): used for configuring and provisioning AON modules; ADS (AON Design Studio): used for developing application policies ("Flows")]
Slide 77: Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, the AON component and through AON access controls
Slide 78: Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection, content-level ACLs
  Reasonable administrative access controls
Slide 79: Q and A
Session Number 11657_09_2005_c1
56copy 2005 Cisco Systems Inc All rights reserved Cisco Public
After AON Future Location of Application and Service Support Utilities
DMZ Application layerFirewall Firewall Firewall
Common Utilities Business Logic
AON
AON
AON
Java
PERL
B2B
Internal DBInternal DB
Internal DB
bull SSL Termination bull SIGCert Validationbull Authenticationbull Logging bull Content-based Routing
bull Protocol Conversion bull Payload Encryptionbull Payload Decryptionbull Schema Validation
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
57copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Agenda
bull Where Does AON Fit into the Bigger Picture
bull What is AON
bull AON Security FeaturesArchitecture
Combining Layer 34 and Layer 7+
Common Security Functions
Deep Content Inspection
Access Controls
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
58copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Security
bull AON fosters a better network security architecture Because of the reduction of unprotected segments between applications and AON
bull Use of layer 34 to protect layer 7 functions (ie layer 7 security implemented in the network device)
bull Common and consistent implementation of security functions
Digital signatures (DSIG) encryptiondecryption authentication access control lists (ACL) validation
bull PKI implementation that is correct tested and validatedbull Separation of designdevelopment and implementation
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
59copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Web Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DB
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
Slide 61
Pre-AON Attack Vectors
[Diagram: the layered architecture of slide 60 (firewalls, DMZ web servers, WSGW, Java/PERL/B2B business logic, internal DBs) with the attack paths drawn in]
Slide 62
Pre-AON Attack Vectors
[Diagram: the layered architecture of slide 60 with the WSGW called out]
• Net architecture must be changed for GW (more switches and routers = more ACs to manage)
• The GW is NOT part of the network: compromise of layer 3/4 can attack the application layer, going around the GW
Slide 63
A Possible (Simplified) AON Architecture
[Diagram: the layered architecture of slide 59 (firewalls, DMZ web servers, Java/PERL/B2B business logic, internal DBs) with AON devices in place of the WSGW]
• AON is part of the network; the app layer is directly connected to the network device
• Message protection is terminated at AON; no attack vector is exposed
• AON can be dropped into an existing layered architecture without changing the security boundaries
Slide 64
AON Potential Architecture
[Diagram: Firewall | DMZ | Firewall | App Server layer. HTTP(S) traffic enters AON devices in the DMZ; AON devices in the app server layer front App1, Svc2, Svc3, an App Dir Svc, a JMS Server and a Gateway over HTTP(S) and JMS. The AON hops along the path carry, in order:]
  SSL termination, DSIG/cert validation, authentication, logging, etc.
  Payload decryption, schema validation, content inspection, routing, logging
  Protocol conversion (HTTP-2-JMS), content-based routing, logging
  Payload encryption, DSIG, logging, etc.
Web servers == AON
Common application functions == AON
Slide 65
AON Potential Architecture
[Diagram: as on slide 64 (AON in the DMZ and in the app server layer, with SSL termination, DSIG/cert validation, payload decryption and encryption, schema validation, content inspection, HTTP-2-JMS protocol conversion, content-based routing and logging at the AON hops)]
• Replace web servers with AON
• AON terminates HTTPS and provides other DMZ functions
• Common functions in the application layer provided by AON protect services and logic in the application layer
Slide 66
Implementation Consistency
• The devil is in the details: most exploitable vulnerabilities are found in implementations rather than algorithms
• A good maxim is to implement common or tricky services as part of an infrastructure: "For application developers, not by application developers"
• AON provides common and consistent implementations of message-level security functions
Slide 67
Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68
Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantic for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + More standards proposed ("alphabet soup"):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)
Slide 69
AON Implements Messaging Standards
[Diagram: protocol stack TCP/IP, HTTP, SOAP, WS-Security, with the XML protocol set on top: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT); AON labelled as the Security Integrator for the SOA]
Slide 70
Standards Relationships
[Diagram: the same stack as slide 69 (TCP/IP, HTTP, SOAP, WS-Security; XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT)); AON labelled as Accelerated XML Services]
Slide 71
Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used on the entire message or on parts of a message; uses certificate or key enveloping (WSSEC); DSIG is very general purpose
Slide 72
Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
Slide 73
Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials:
  X.509 certificate
  Signature validation (XENC, certificate based)
Slide 74
Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general purpose mechanism for controlling message access and routing
Slide 75
Deep Content Inspection
• Content inspection delivers the ability to build intrusion detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets" code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out-of-the-box)
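The flow mechanisms of slides 74 and 75 (message format validation, data-range validation, an authorization rule, and content signatures that either alarm or stop the message), as an added Python example that is not AON's code: the application namespace, the `Subject` header, the operation names, the quantity range and the two signatures are constructed for illustration, and the sample messages are constructed too.

```python
"""Message-level flow for a SOAP request: format validation, data-range
validation, an authorization rule, and content signatures that either raise
an alarm (content IDS) or stop the message (firewall functionality).
Added example, not AON code: the application namespace, the Subject header,
the operations and every rule below are constructed for illustration."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
APP = "urn:example:orders"          # constructed application namespace
NS = {"s": SOAP, "a": APP}


@dataclass
class Decision:
    action: str = "forward"          # "forward" or "drop"
    alarms: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


# Content signatures: (name, pattern over the raw message, action).
# "alarm" records a hit and lets the message through; "block" drops it.
SIGNATURES = [
    ("doctype-in-soap", re.compile(r"<!DOCTYPE", re.I), "block"),
    ("script-in-payload", re.compile(r"<script", re.I), "alarm"),
]

# Authorization rule (a message-level ACL): operation -> permitted subjects.
ALLOWED = {
    "PlaceOrder": {"web-app", "b2b-partner"},
    "CancelOrder": {"web-app"},
}

QUANTITY_RANGE = (1, 1000)           # constructed data-range rule


def _drop(d: Decision, reason: str) -> Decision:
    d.action = "drop"
    d.reasons.append(reason)
    return d


def inspect(raw: str) -> Decision:
    """Run the flow over one raw message and return the routing decision."""
    d = Decision()
    # 1. Signatures run on the raw text, so a blocked message never reaches
    #    the XML parser (the parser itself is part of the attack surface).
    for name, pattern, action in SIGNATURES:
        if pattern.search(raw):
            if action == "block":
                return _drop(d, f"signature:{name}")
            d.alarms.append(name)
    # 2. Format validation: well-formed XML, a SOAP Envelope, and exactly
    #    one operation element in the Body.
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as err:
        return _drop(d, f"malformed-xml:{err}")
    body = root.find("s:Body", NS)
    if root.tag != f"{{{SOAP}}}Envelope" or body is None or len(body) != 1:
        return _drop(d, "not-a-soap-request")
    op = body[0]
    op_name = op.tag.rsplit("}", 1)[-1]
    # 3. Authorization: the authenticated subject (here a constructed header
    #    element) must be permitted to call this operation.
    subject = root.findtext("s:Header/a:Subject", default="", namespaces=NS)
    if subject not in ALLOWED.get(op_name, set()):
        return _drop(d, f"unauthorized:{subject or 'anonymous'}->{op_name}")
    # 4. Data-range validation on a field the flow knows about.
    qty = op.findtext("a:Quantity", default=None, namespaces=NS)
    if qty is not None:
        lo, hi = QUANTITY_RANGE
        if not qty.isdigit() or not lo <= int(qty) <= hi:
            return _drop(d, f"quantity-out-of-range:{qty}")
    return d


def envelope(header: str, body: str) -> str:
    """Build a constructed SOAP 1.1 envelope around the given fragments."""
    return (f'<s:Envelope xmlns:s="{SOAP}" xmlns:a="{APP}">'
            f'<s:Header>{header}</s:Header><s:Body>{body}</s:Body></s:Envelope>')


# Constructed sample messages.
GOOD = envelope("<a:Subject>web-app</a:Subject>",
                "<a:PlaceOrder><a:Quantity>5</a:Quantity></a:PlaceOrder>")
TOO_MANY = envelope("<a:Subject>web-app</a:Subject>",
                    "<a:PlaceOrder><a:Quantity>5000</a:Quantity></a:PlaceOrder>")
WRONG_SUBJECT = envelope("<a:Subject>b2b-partner</a:Subject>",
                         "<a:CancelOrder><a:OrderId>42</a:OrderId></a:CancelOrder>")
NOISY = envelope("<a:Subject>web-app</a:Subject>",
                 "<a:PlaceOrder><a:Quantity>5</a:Quantity>"
                 "<a:Note><![CDATA[<script>]]></a:Note></a:PlaceOrder>")
WITH_DTD = "<!DOCTYPE s []>" + GOOD
```

`inspect(NOISY)` forwards the message but records the alarm, the content-IDS behaviour of slide 75, while `inspect(WITH_DTD)` drops it before parsing, the firewall behaviour.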
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
60copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON SOAWeb Services Security Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
61copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Java
PERL
B2B
Internal DBInternal DB
Internal DBWSGW
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
62copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Pre-AON Attack Vectors
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
Net architecture must be changed for GW (more switches and routers = more ACs to manage)
Java
PERL
B2B
Internal DBInternal DB
Internal DB
The GW is NOT part of the network Compromise of layer 34 can attack the application layer going around the GW
WSGW
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
63copy 2005 Cisco Systems Inc All rights reserved Cisco Public
A Possible (Simplified) AON Architecture
DMZ Application LayerFirewall Firewall Firewall
Web Servers Business Logic
WS
WS
WS
AON Is part of the Network App Layer Is Directly Connected to Network Device
Message Protection Is Terminated at AON No attack Vector Is Exposed
AON Can Be Dropped into an Existing Layered Architecture without Changing the Security Boundaries
Java
PERL
B2B
Internal DBInternal DB
Internal DBAON
AON
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
Slide 67
Some of AON's Security Functions
• Digital signatures (DSIG)
• Encryption/decryption at the transport (SSL) or message (XENC) level
• Authentication (HTTP BASIC, LDAP stores, X.509 certificate, etc.)
• Something very like access control lists (flows can be used as message-level ACLs)
• Data and schema validations (flows can contain XSLT expressions)
Slide 68
Key XML Standards
• WS-SEC or WSEC (WS-Security): an envelope and semantics for
  XML-Signature (DSIG) == digital signature use
  XML-Encryption (XENC) == encrypt/decrypt use
  Authenticators
• + More standards proposed (alphabet soup):
  Web Services Description Language (WSDL)
  Universal Description, Discovery and Integration (UDDI)
  Web Services Flow Language (WSFL)
  Other business rules (BPEL4WS)
Slide 69
AON Implements Messaging Standards
[Diagram: protocol stack TCP/IP, HTTP, SOAP, WS-Security; XML Protocol Set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT); AON shown as the Security Integrator for the SOA]
Slide 70
Standards Relationships
[Diagram: protocol stack TCP/IP, HTTP, SOAP, WS-Security; XML Protocol Set: XML-Encryption (XENC), XML-Digital Signature (DSIG), XML-Expressions (XSLT); AON labelled Accelerated XML Services]
Slide 71
Digital Signatures (X.509 + DSIG)
• Authentication credentials
• Non-repudiation
• Integrity
• Used on the entire message or on parts of a message, with certificate or key enveloping (WSSEC); DSIG is very general purpose
Slide 72
Encryption/decryption
• Confidentiality
• Integrity
• Of the transport (SSL)
• Or in the message (XENC)
• Entire message or parts of a message
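The part-of-message signing that slides 71 and 72 describe, as an added example that is not Cisco's or AON's code: XML-Signature (DSIG) lets a sender sign the whole message or only selected elements referenced by Id, and WS-Security carries the signature in a header. The script below mirrors that structure with the Python standard library. It assumes a constructed SOAP-style message, a constructed shared key, and HMAC-SHA256 as a stand-in for the RSA/X.509 signature of real DSIG so it runs offline; the standard's canonicalization (C14N), KeyInfo and certificate validation are not reproduced.

```python
"""Sign one part of a SOAP-style message and detect tampering (added example)."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)

# Constructed shared key for the HMAC stand-in; DSIG proper uses an X.509 key pair.
SHARED_KEY = b"example-key-not-for-production"

# Constructed sample message: the Order is the part worth signing, the Note is not.
SAMPLE_MESSAGE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header/>
  <soap:Body>
    <Order Id="order-1"><Item>SKU-42</Item><Qty>3</Qty></Order>
    <Note Id="note-1">gift wrap</Note>
  </soap:Body>
</soap:Envelope>"""


def _find_by_id(root, elem_id):
    """Locate the element carrying Id=elem_id, as a DSIG Reference URI would."""
    for el in root.iter():
        if el.get("Id") == elem_id:
            return el
    raise KeyError(elem_id)


def _digest(element):
    """SHA-256 over the element's serialization (real DSIG canonicalizes first)."""
    el = copy.deepcopy(element)
    el.tail = None  # surrounding whitespace is not part of the signed content
    return hashlib.sha256(ET.tostring(el, encoding="utf-8")).hexdigest()


def sign_part(message, elem_id, key=SHARED_KEY):
    """Return the message with a Security header that signs only element elem_id."""
    root = ET.fromstring(message)
    target = _find_by_id(root, elem_id)
    signed_info = f"Reference={elem_id};DigestMethod=sha256;DigestValue={_digest(target)}"
    signature = hmac.new(key, signed_info.encode(), hashlib.sha256).hexdigest()
    header = root.find(f"{{{SOAP_NS}}}Header")
    security = ET.SubElement(header, "Security")
    ET.SubElement(security, "SignedInfo").text = signed_info
    ET.SubElement(security, "SignatureValue").text = signature
    return ET.tostring(root, encoding="unicode")


def verify_part(message, key=SHARED_KEY):
    """Verify the signature; returns (ok, reason) so the caller can log the reason."""
    root = ET.fromstring(message)
    security = root.find(f"{{{SOAP_NS}}}Header/Security")
    if security is None:
        return False, "no Security header"
    signed_info = security.findtext("SignedInfo") or ""
    signature = security.findtext("SignatureValue") or ""
    expected = hmac.new(key, signed_info.encode(), hashlib.sha256).hexdigest()
    # Check the signature over SignedInfo first: a forged or re-keyed header fails here.
    if not hmac.compare_digest(expected, signature):
        return False, "SignatureValue mismatch"
    fields = dict(f.split("=", 1) for f in signed_info.split(";"))
    try:
        target = _find_by_id(root, fields["Reference"])
    except KeyError:
        return False, "referenced element missing"
    # Then re-digest the referenced element: any change to the signed part fails here.
    if _digest(target) != fields["DigestValue"]:
        return False, f"digest mismatch on {fields['Reference']}"
    return True, "ok"


if __name__ == "__main__":
    signed = sign_part(SAMPLE_MESSAGE, "order-1")
    print(verify_part(signed))                                            # (True, 'ok')
    print(verify_part(signed.replace("<Qty>3</Qty>", "<Qty>300</Qty>")))  # digest mismatch
    print(verify_part(signed.replace("gift wrap", "no wrap")))            # still ok: Note is unsigned
```

The third call is the point of part-of-message signing: the unsigned Note can change without invalidating the signature, so the flow designer has to decide which elements the signature must cover.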
Slide 73
Authentication
• HTTP BASIC
• SOAP enveloped (header)
• Enterprise LDAP (directory) stores
• Different types of credentials:
  X.509 certificate
  Signature validation (XENC, certificate based)
Slide 74
Flow Security Mechanisms
• Validation of the message format
• Validation of data ranges
• Rules defining authorization
• One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
• A very general-purpose mechanism for controlling message access and routing
Slide 75
Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelets" code that can use the same services as AON's internal content handling code, ergo handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out-of-the-box)
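How a flow can provide the authentication, message-level ACL, validation and content-inspection stages that slides 73 to 75 describe, as an added example that is not AON's flow language or its Java bladelet API: the script below chains HTTP BASIC authentication against a credential store, an authorization rule acting as a message-level ACL, format and data-range checks on the payload (a stand-in for schema validation), and content-inspection signatures that either raise an alarm (content IDS) or stop the message (firewall-style). The users, rights, signature patterns and messages are all constructed for the example; the real deployment would bind to an LDAP directory and carry the signatures in the flow definition.

```python
"""A message-level flow as a policy engine: inspect, authenticate, authorize, validate."""
import base64
import hmac
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed credential store: user -> (password, rights). A real deployment
# would bind to an enterprise LDAP directory rather than hold passwords here.
USERS = {
    "alice": ("s3cret", {"orders:create", "orders:read"}),
    "bob": ("hunter2", {"orders:read"}),
}

# Constructed content-inspection signatures: (name, pattern, action).
# "block" stops the message; "alarm" only records a detection and lets it through.
SIGNATURES = [
    ("doctype-in-soap", re.compile(r"<!DOCTYPE", re.I), "block"),  # SOAP forbids DTDs
    ("sql-comment-marker", re.compile(r"--|/\*"), "alarm"),
]


@dataclass
class Verdict:
    action: str = "forward"                      # "forward" or "reject"
    reasons: list = field(default_factory=list)  # why a message was rejected
    alarms: list = field(default_factory=list)   # alarm-only signature hits


def basic_auth_header(user, password):
    """Build an HTTP BASIC Authorization header (used to construct sample requests)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def authenticate(headers):
    """Return the user name for a valid HTTP BASIC header, else None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
        return None
    return user


def inspect(body):
    """Run every signature over the raw body; return (blocking hits, alarm hits)."""
    blocks, alarms = [], []
    for name, pattern, action in SIGNATURES:
        if pattern.search(body):
            (blocks if action == "block" else alarms).append(name)
    return blocks, alarms


def validate_order(body):
    """Format and data-range checks on the Order element; returns a list of problems."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]
    order = root.find(".//Order")
    if order is None:
        return ["no Order element"]
    problems = []
    item = order.findtext("Item") or ""
    if not re.fullmatch(r"SKU-\d{1,6}", item):
        problems.append(f"Item format invalid: {item!r}")
    qty = order.findtext("Qty") or ""
    if not (qty.isdigit() and 1 <= int(qty) <= 100):
        problems.append(f"Qty out of range: {qty!r}")
    return problems


def run_flow(headers, body, required_right="orders:create"):
    """Apply the flow stages in order; stop at the first stage that rejects."""
    verdict = Verdict()
    blocks, alarms = inspect(body)  # 1. inspect raw bytes before anything parses them
    verdict.alarms.extend(alarms)
    if blocks:
        verdict.action = "reject"
        verdict.reasons.extend(f"signature {name}" for name in blocks)
        return verdict
    user = authenticate(headers)  # 2. authenticate the caller
    if user is None:
        verdict.action = "reject"
        verdict.reasons.append("authentication failed")
        return verdict
    if required_right not in USERS[user][1]:  # 3. authorization rule: message-level ACL
        verdict.action = "reject"
        verdict.reasons.append(f"{user} lacks {required_right}")
        return verdict
    problems = validate_order(body)  # 4. schema-style format and range validation
    if problems:
        verdict.action = "reject"
        verdict.reasons.extend(problems)
    return verdict


# Constructed sample request body.
GOOD_ORDER = "<Envelope><Body><Order><Item>SKU-42</Item><Qty>3</Qty></Order></Body></Envelope>"
```

Blocking signatures run on the raw text before the parser touches the message, which is the cheapest place to stop a message that should never be parsed at all; the alarm-only signature shows the content-IDS mode, where the verdict still forwards but the hit is recorded for the security team.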
Slide 76
AON Components
[Diagram of the components and their connections:]
AMC (AON Mgmt Console): used for configuring and provisioning AON modules
ADS (AON Design Studio): used for developing application policies ("flows")
AON blades
LOG DB
Slide 77
Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, at the AON component, and through AON access controls
Slide 78
Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features:
  Architecture: combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection, content-level ACLs
  Reasonable administrative access controls
Slide 79
Q and A
Session Number 11657_09_2005_c1
64copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS ServerWeb servers == AON
Common Application functions == AON
DMZ
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
65copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Potential Architecture
FirewallDMZFirewall
HTTP(S)
App Server layer
HTTP(S)
AON
AON
AON
AON
AON
AON
AON
AON
AON
AONSP
JMS
HTTP(S)
HTTP(S)
HTTP(S)
App Dir Svc
JMS
HTTP(S)
JMS
SSL Termination DSIGCert Validation Authentication logging etchellipPayload Decryption Schema Validation Content InspectionRouting loggingProtocol Conversion (HTTP-2-JMS) Content-based Routing loggingPayload Encryption DSIG logging etchellip
App1
Svc2
Svc3
Gateway
JMS Serverbull Replace web servers with AON
bull AON terminates HTTPS and provides other DMZ functions
bull Common functions in Application layer provided by AON protect services and logic in application layer
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
66copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Implementation Consistency
bull The devil is in the details most exploitable vulnerabilities are found in implementations rather than algorithms
bull A good maxim is to implement common or tricky services as part of an infrastructure ldquoFor application developers not by application developersrdquo
bull AON provides common and consistent implementations of message level security functions
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
67copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Some of AONrsquos Security Functions
bull Digital signatures (DSIG)
bull Encryptiondecryption at transport (SSL) or message (XENC)
bull Authentication (HTTP BASIC LDAP stores X-509 Certificate etc)
bull Something very like access control lists (flows can be used as message level ACLs)
bull Data and schema validations (flows can contain XSLT expressions)
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
68copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Key XML Standards
bull WS-SEC or WSEC (WS-Security) An envelope and semantic for
XML-Signature (DSIG) == Digital signature use
XML-Encryption (XENC) == Encryptdecrypt use
Authenticators
bull + More standards proposed Alphabet soupWeb Services Description Language (WSDL)
Universal Description Discovery and Integration (UDDI)
Web Services Flow Language (WSFL)
Other Business Rules (BPEL4WS)
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Deep Content Inspection
bull Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
bull Expressions and logic can be applied with inspectionbull Signatures can fire off alarms (content IDS)bull Message flow can be stopped via signatures
(firewall functionality)bull Write java ldquobladeletsrdquo code that can use the same
services as AONs internal content handling code ergo handle custom content types
bull This functionality is available to users (for instance the IDS or firewall security team)
bull AON is NOT a Firewall (because signatures do not come out-of-the-box)
76copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Components
AON
AMC (AON Mgmt Console)Used for Configuring and
Provisioning AON Modules
ADS (AON Design Studio)Used for Developing
Application Policies ldquoFlowsrdquo
LOG DB
AON Blades
77copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Access Controls
bull Allows staging of flows
bull Stages can be proofed before deployment
bull Verification stages can be easily added(Development staging production)
bull Approval processes can be easily added
bull Different user types can be assigned different roles and accesses (designers developers approvers administrators etc)
Implemented at device AON component and through AON access controls
78copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Summary
bull Cisco is building out a SOA
bull AON is being piloted to play a strong role in Ciscorsquos SOA
bull AON security featuresArchitecture
Combining Layer 34 and Layer 7+ security controls
Common security functions signatures encryption PKI
Deep content inspection content level ACLs
Reasonable administrative access controls
79copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Q and A
79copy 2005 Cisco Systems Inc All rights reservedSession Number11657_09_2005_c1 Cisco Public
80copy 2005 Cisco Systems Inc All rights reserved Cisco Public
69copy 2005 Cisco Systems Inc All rights reserved Cisco Public
AON Implements Messaging Standards
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONSecurity IntegratorSOA
70copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Standards Relationships
XML Protocol SetXM
L-En
cryp
tion
(XEN
C)
XML-
Dig
ital S
igna
ture
(DSI
G)
XML-
Expr
essi
ons
(XLS
T)
TCPIP
HTTP
SOAP
WS-Security
AONAccelerated XML Services
71copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Digital Signatures (X509 + DSIG)
bull Authentication credentials
bull Non-repudiation
bull Integrity
bull Used at the entire message or for parts of a message use Certificate or key enveloping (WSSEC) DSIG is very general purpose
72copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Encryptiondecryption
bull Confidentiality
bull Integrity
bull Of the transport (SSL)
bull Or in the message (XENC)
bull Entire message or parts of a message
73copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Authentication
bull HTTP BASIC
bull SOAP Enveloped (header)
bull Enterprise LDAP (Directory) stores
bull Different types of credentialsX-509 Certificate
Signature validation (XENC certificate based)
74copy 2005 Cisco Systems Inc All rights reserved Cisco Public
Flow Security Mechanisms
bull Validation of the message format
bull Validation of data ranges
bull Rules defining authorization
bull One could even write XML firewall signatures (though this functionality does not come out-of-the-box)
bull A very general purpose mechanism for controlling message access and routing
75 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public
Deep Content Inspection
• Content inspection delivers the ability to build Intrusion Detection (IDS) or even firewall signatures
• Expressions and logic can be applied with inspection
• Signatures can fire off alarms (content IDS)
• Message flow can be stopped via signatures (firewall functionality)
• Write Java "bladelet" code that can use the same services as AON's internal content handling code, and therefore handle custom content types
• This functionality is available to users (for instance the IDS or firewall security team)
• AON is NOT a firewall (because signatures do not come out-of-the-box)
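How the flow security mechanisms (message format validation, data-range validation, authorization rules) and deep content inspection (alarm-only versus blocking signatures) fit together in one message path, as an added Python example that is not Cisco AON's code or its bladelet API. The SOAP 1.1 envelope namespace is the standard one; the urn:example:orders namespace, the order fields, the roles and the two signatures are constructed assumptions.

```python
"""Constructed gateway policy in the spirit of the AON flow security and deep
content inspection slides (added illustration, not Cisco AON or bladelet code).
Assumed: the body carries an <order> with <account> and <amount>, and a SOAP
header element carries the caller's role (stand-in for a WS-Security token)."""
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # standard SOAP 1.1 envelope
APP_NS = "urn:example:orders"  # hypothetical application namespace (constructed)

# Flow policy (constructed): required fields, numeric ranges, authorization rule.
REQUIRED_FIELDS = ("account", "amount")
RANGES = {"amount": (0.01, 10000.0)}               # validation of data ranges
AUTHORIZED_ROLES = {"order-clerk", "order-admin"}  # rules defining authorization

# Content signatures (constructed): (name, pattern over the raw message, action).
# "alarm" only records a hit (content IDS); "block" stops the flow (firewall).
SIGNATURES = [
    ("doctype-in-soap", re.compile(r"<!DOCTYPE", re.I), "block"),
    ("script-tag-in-payload", re.compile(r"<script\b", re.I), "alarm"),
]

def inspect(raw):
    """Return (decision, reasons); decision is 'forward' or 'drop'."""
    reasons = []
    # 1. Deep content inspection on the raw text, before any parsing.
    for name, pattern, action in SIGNATURES:
        if pattern.search(raw):
            reasons.append(f"signature {name} fired ({action})")
            if action == "block":
                return "drop", reasons
    # 2. Validation of the message format (well-formed, expected structure).
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return "drop", reasons + [f"malformed XML: {exc}"]
    body = root.find(f"{{{SOAP_NS}}}Body")
    order = body.find(f"{{{APP_NS}}}order") if body is not None else None
    if order is None:
        return "drop", reasons + ["missing SOAP Body or order element"]
    fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in order}
    missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
    if missing:
        return "drop", reasons + [f"missing fields: {missing}"]
    # 3. Validation of data ranges.
    for field, (lo, hi) in RANGES.items():
        try:
            value = float(fields[field])
        except ValueError:
            return "drop", reasons + [f"{field} is not numeric"]
        if not lo <= value <= hi:
            return "drop", reasons + [f"{field}={value} outside [{lo}, {hi}]"]
    # 4. Authorization rule, keyed on the role carried in the SOAP header.
    header = root.find(f"{{{SOAP_NS}}}Header")
    role_el = header.find(f"{{{APP_NS}}}role") if header is not None else None
    role = (role_el.text or "").strip() if role_el is not None else ""
    if role not in AUTHORIZED_ROLES:
        return "drop", reasons + [f"role {role!r} not authorized"]
    return "forward", reasons

def sample_message(amount="250.00", role="order-clerk", extra=""):
    """Build a constructed SOAP request for the demonstration."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:o="{APP_NS}">'
            f"<soap:Header><o:role>{role}</o:role></soap:Header>"
            "<soap:Body><o:order><o:account>ACME-42</o:account>"
            f"<o:amount>{amount}</o:amount>{extra}</o:order></soap:Body>"
            "</soap:Envelope>")
```

inspect(sample_message()) forwards the message, while an out-of-range amount, an unauthorized role, malformed XML or a DOCTYPE in the envelope drops it; a script tag in the payload is forwarded with an alarm recorded, which is the IDS-versus-firewall distinction the slide draws.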
76 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public
AON Components
[Diagram: AMC (AON Mgmt Console), used for configuring and provisioning AON modules; ADS (AON Design Studio), used for developing application policies ("flows"); AON blades; LOG DB]
77 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public
Access Controls
• Allows staging of flows
• Stages can be proofed before deployment
• Verification stages can be easily added (development, staging, production)
• Approval processes can be easily added
• Different user types can be assigned different roles and accesses (designers, developers, approvers, administrators, etc.)
Implemented at the device, at the AON component, and through AON access controls
78 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public
Summary
• Cisco is building out a SOA
• AON is being piloted to play a strong role in Cisco's SOA
• AON security features/architecture:
  Combining Layer 3/4 and Layer 7+ security controls
  Common security functions: signatures, encryption, PKI
  Deep content inspection, content-level ACLs
  Reasonable administrative access controls
79 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Public
Q and A
79 © 2005 Cisco Systems, Inc. All rights reserved. Session Number 11657_09_2005_c1 Cisco Public