© 2015 IBM Corporation – IBM DataPower Gateway: The Security Gateway – <Pierre Richelle/> – {“title”: [“Technical”,”Specialist”,”Integration”]}


Page 1

© 2015 IBM Corporation

IBM DataPower Gateway – The Security Gateway

<Pierre Richelle/> – {“title”: [“Technical”,”Specialist”,”Integration”]}

Page 2

Agenda

►IBM Datapower Gateway Introduction & Concept

►Capabilities

►Use Cases

►Wrap-up

Page 3

Silos of security & control are impeding business agility

[Diagram: Users (Developers, Partners, Consumers, Employees) reach the Applications and Systems layer (z System, Middleware, ESB, Application Service) through Business Channels (Web, Mobile, B2B, SOA, APIs, Cloud). Each channel has its own Security & Control Solution: API Gateway, B2B Gateway, SOA Gateway, Web Access Proxy, Mobile Gateway, Cloud Gateway.]

Page 4

Reduce cost + improve security & control with a single gateway

[Diagram: the same Users, Business Channels and Applications and Systems as the previous slide, with the per-channel gateways in the Security & Control Solutions layer replaced by a single DataPower Gateway, available as a virtual appliance or a physical appliance.]

Page 5

Reduce cost + improve security & control with a single gateway

[Diagram: same as the previous slide; the single DataPower Gateway (virtual appliance or physical appliance) is labelled with its three roles: Protect, Control, Integrate.]

Page 6

IBM DataPower DNA

• Hardware: DataPower’s true network device, with flash memory, XML acceleration and crypto acceleration
• Firmware: WebSphere DataPower firmware, digitally signed and encrypted
• IBM optimized embedded operating environment
• Configuration through WebGUI, CLI and SOMA

Page 7

Flexible deployment

• IBM DataPower Gateway Virtual Edition
• IBM DataPower Gateway Appliance

[Diagram: the same DataPower configuration shown on both form factors.]

Page 8

Agenda

►Use Cases

►Wrap-up

►Capabilities

►IBM Datapower Gateway Introduction & Concept

Page 9

IBM DataPower Gateway capabilities

• Protect: Threats, Encryption, Validation, AAA
• Control: Service Level Management
• Integrate: Transformation, Routing

Optional modules: ISAM Proxy Module, Integration Module, B2B Module, AO Module, TIBCO EMS Module, HSM

Page 10

Protect – XML/JSON Threat Protection

• Entity Expansion/Recursion Attacks

• Content Validation (XML / JSON)

• XML / JSON : Size, Width, Depth attacks

• Public Key DoS

• XML Flood

• Resource Hijack

• Dictionary Attack

• Replay Attack

• Message/Data Tampering

• Message Snooping

• XPath or SQL Injection

• XML Encapsulation

• XML Virus

• …many others


Page 11

Protect – Cryptographic Operations

• XML-Encryption (http://www.w3.org/TR/xmlenc-core/) – data confidentiality
  ◦ Encrypt data: the whole message, or specific fields (document crypto map)
  ◦ Decrypt data
• XML-DSig (http://www.w3.org/TR/xmldsig-core/) – data integrity and non-repudiation of data
  ◦ Digital signature: define the elements on which the signature is based (document crypto map)
  ◦ Signature verification

Page 12

Protect – Authentication, Authorization, Audit

Employ flexible AAA (Authenticate, Authorize, Audit) policies

Page 13

Control – Service Level Management

Service Level Management – protect your system from over-utilization

• Frequency based on concurrency
• Frequency based on messages per time period (rate)
• Take action when exceeding a custom threshold:
  ◦ Notify (or log)
  ◦ Shape (or delay)
  ◦ Throttle (or reject)
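The two frequency kinds and the three threshold actions above, as an added Python example (not DataPower code): a sliding-window rate statement that notifies, shapes or throttles, plus an in-flight counter for concurrency. The class names, window mechanics and arrival times are constructed for this illustration.

```python
from collections import deque

# The three threshold actions named on the slide.
NOTIFY, SHAPE, THROTTLE = "notify", "shape", "throttle"


class RateStatement:
    """Rate-based SLM statement: at most `threshold` messages per `interval` seconds over a
    sliding window, applying one of the three slide actions when the threshold is exceeded."""
    def __init__(self, threshold: int, interval: float, action: str):
        self.threshold, self.interval, self.action = threshold, interval, action
        self.window = deque()  # admission times of the messages inside the current window
        self.log = []          # breach notifications raised by the NOTIFY action

    def evaluate(self, now: float) -> tuple:
        """Decide one message arriving at time `now` (seconds):
        ("allow", 0.0), ("delay", seconds_to_hold) or ("reject", 0.0)."""
        while self.window and now - self.window[0] >= self.interval:
            self.window.popleft()  # age out admissions that have left the window
        if len(self.window) < self.threshold:
            self.window.append(now)
            return "allow", 0.0
        if self.action == NOTIFY:  # record the breach, let the message through
            self.log.append(f"t={now:.3f}s: {self.threshold} per {self.interval}s exceeded")
            self.window.append(now)
            return "allow", 0.0
        if self.action == SHAPE:   # hold the message until the oldest admission ages out
            delay = self.interval - (now - self.window[0])
            self.window.popleft()
            self.window.append(now + delay)  # the held message takes that freed slot
            return "delay", delay
        return "reject", 0.0       # THROTTLE: drop it; the window is unchanged


class ConcurrencyStatement:
    """Concurrency-based SLM statement: at most `threshold` messages in flight at once."""
    def __init__(self, threshold: int):
        self.threshold, self.in_flight = threshold, 0

    def begin(self) -> bool:
        """Admit a message if a slot is free; the caller must call end() when it completes."""
        if self.in_flight >= self.threshold:
            return False
        self.in_flight += 1
        return True

    def end(self) -> None:
        self.in_flight = max(0, self.in_flight - 1)


def replay(statement: RateStatement, arrivals) -> list:
    """Feed a constructed burst of arrival times through a statement; returns the decisions."""
    return [statement.evaluate(t)[0] for t in arrivals]
```

Shaping returns the hold time rather than sleeping, so the same logic can be driven by a simulated clock or by a real one.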

Page 14

Control – Service Level Management – Control load distribution

• Combine SLM with Routing to make intelligent failover decisions
• Use alternate servers when a threshold is exceeded
• Advanced load balancing algorithms simplify your architecture: First Available, (Weighted) Round Robin, (Weighted) Least Connections, Hash

Page 15

Control – High Availability

[Diagram: three deployment patterns – active / standby using HSRP / VRRP; active / active behind a load balancer VIP; active / active w/AO behind a load balancer VIP.]

Page 16

Integrate – Protocol & data mediation

• No dependencies between the inbound “front-side” and outbound “back-side” protocols (HTTP/S, FTP/S, MQ, JMS on either side)
• Integrate disparate transport protocols with extreme ease: HTTP(s), WebSphere MQ, WebSphere JMS, Tibco EMS, SFTP, FTP(s), NFS, IMS, Database (DB2, Oracle, Sybase, SQL Server), AS1, AS2, AS3, …
• Transform the message format with ultimate flexibility: process XML and non-XML formats in a single configuration
• Support synchronous, asynchronous, publish-subscribe and guaranteed-delivery message patterns

Page 17

Integrate – Supported languages and transformation standards

• XSLT: XSLT 1.0 / XPath 1.0, EXSLT, DataPower extension elements and functions
• XQuery 1.0
• JSONiq
• JSON Schema Validation
• JavaScript (GatewayScript): strict mode, CommonJS, ECMAScript 5 reference
• Binary transformation: FFD (XSLT binary transformation), WebSphere Transformation eXtender

Page 18

Agenda

►Wrap-up

►IBM Datapower Gateway Introduction & Concept

►Use Cases

►Capabilities

Page 19

IBM DataPower Appliance Usage – Protect, Control, Integrate

[Diagram: DataPower Gateways placed across the Internet, the DMZ and the Trusted Domain, between consumers and trading partners on one side and the Application or Service, Middleware and z System on the other. Numbered deployment positions:]

1 Mobile Gateway
2 API Gateway
3 Web Gateway
4 B2B Partner Gateway
5 SOA & API Gateway
6 Internal Security Enforcement
7 Web Services Governance & Management

Page 20

Service Security Gateway

[Diagram: a Service Consumer makes the exposed service invocation to the gateway; the gateway applies Authentication, Authorizations, Service Level Agreement, Routing and Transformation, records Logs (Trace & Audit) and Services usage statistics & Monitoring, then makes the target service invocation to a SOAP Service Provider, a REST Service Provider or a Web Application Provider.]

Page 21

Agenda

►Use Cases

►IBM Datapower Gateway Introduction & Concept

►Wrap-up

►Capabilities

Page 22

IBM DataPower Gateway Values

• Protect Mobile, API, Web, SOA and B2B using threat protection, encryption, AAA and validation
• Control access to your systems using Service Level Management
• Integrate your systems of record using protocol and data transformation & routing

Page 23

Thank you!

Page 24

Questions ?

Page 25

Backup Slides

Page 26

Supported Standards & Protocols

• Data format & language
  ‒ JavaScript
  ‒ JSON
  ‒ JSON Schema
  ‒ JSONiq
  ‒ REST
  ‒ SOAP 1.1, 1.2
  ‒ WSDL 1.1
  ‒ XML 1.0
  ‒ XML Schema 1.0
  ‒ XPath 1.0
  ‒ XPath 2.0 (XQuery only)
  ‒ XSLT 1.0
  ‒ XQuery 1.0

• Security policy enforcement
  ‒ OAuth 2.0
  ‒ SAML 1.0, 1.1 and 2.0, SAML Token Profile, SAML queries
  ‒ XACML 2.0
  ‒ Kerberos, SPNEGO
  ‒ RADIUS
  ‒ RSA SecurID OTP using RADIUS
  ‒ LDAP versions 2 and 3
  ‒ Lightweight Third-Party Authentication (LTPA)
  ‒ Microsoft Active Directory
  ‒ FIPS 140-2 Level 3 (w/ optional HSM)
  ‒ FIPS 140-2 Level 1 (w/ certified crypto module)
  ‒ SAF & IBM RACF® integration with z/OS
  ‒ Internet Content Adaptation Protocol
  ‒ W3C XML Encryption
  ‒ W3C XML Signature
  ‒ S/MIME encryption and digital signature
  ‒ WS-Security 1.0, 1.1
  ‒ WS-I Basic Security Profile 1.0, 1.1
  ‒ WS-SecurityPolicy
  ‒ WS-SecureConversation 1.3

• Transport & connectivity
  ‒ HTTP, HTTPS, WebSocket Proxy
  ‒ FTP, FTPS, SFTP
  ‒ WebSphere MQ
  ‒ WebSphere MQ File Transfer Edition (MQFTE)
  ‒ TIBCO EMS
  ‒ WebSphere Java Message Service (JMS)
  ‒ IBM IMS Connect & IMS Callout
  ‒ NFS
  ‒ AS1, AS2, AS3, ebMS 2.0, CPPA 2.0, POP, SMTP (XB62)
  ‒ DB2, Microsoft SQL Server, Oracle, Sybase, IMS

• Transport Layer Security
  ‒ SSL versions 2 and 3
  ‒ TLS versions 1.0, 1.1, and 1.2

• Public key infrastructure (PKI)
  ‒ RSA, 3DES, DES, AES, SHA, X.509, CRLs, OCSP
  ‒ PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12
  ‒ XKMS for integration with Tivoli Security Policy Manager (TSPM)

• Management
  ‒ Simple Network Management Protocol (SNMP)
  ‒ SYSLOG
  ‒ IPv4, IPv6

• Open File Formats
  ‒ Distributed Management Task Force (DMTF) Open Virtualization Format (OVF)
  ‒ Virtual Machine Disk Format (VMDK)
  ‒ Virtual Hard Disk (VHD)

• Web services
  ‒ WS-I Basic Profile 1.0, 1.1
  ‒ WS-I Simple SOAP Basic Profile
  ‒ WS-Policy Framework
  ‒ WS-Policy 1.2, 1.5
  ‒ WS-Trust 1.3
  ‒ WS-Addressing
  ‒ WS-Enumeration
  ‒ WS-Eventing
  ‒ WS-Notification
  ‒ Web Services Distributed Management (WSDM)
  ‒ WS-Management
  ‒ WS-I Attachments Profile
  ‒ SOAP Attachment Feature 1.2
  ‒ SOAP with Attachments (SwA)
  ‒ Direct Internet Message Encapsulation (DIME)
  ‒ Multipurpose Internet Mail Extensions (MIME)
  ‒ XML-binary Optimized Packaging (XOP)
  ‒ Message Transmission Optimization Mechanism (MTOM)
  ‒ WS-MediationPolicy (IBM standard)
  ‒ Universal Description, Discovery, and Integration (UDDI versions 2 and 3), UDDI version 3 subscription
  ‒ WebSphere Service Registry and Repository (WSRR)

Page 27

DataPower Gateways …

IBM DataPower Gateways provide a low startup cost, helping clients increase ROI and reduce TCO with specialized, consumable, dedicated gateway appliances that combine superior performance and hardened security in physical and virtual form factors.

• INTEGRATE Systems of Engagement with Systems of Record
• CONTROL & MANAGE Traffic and Service Level Agreements
• SECURE Mobile, API, Web, SOA, B2B and Cloud Workloads
• OPTIMIZE Data Delivery and User Experiences
• CONSOLIDATE & Simplify Infrastructure Footprint

Page 28

Features

[Diagram: “Before DataPower Gateway” and “After DataPower Gateway”, each with several consumers; the gateway is labelled Secure, Control, Integrate, Optimize.]

Simplify, offload & centralize critical functions

Integrate
• Any-to-any message transformation
• Transport protocol bridging
• Message enrichment
• Database connectivity
• Mainframe connectivity
• B2B trading partner connectivity

Optimize
• SSL / TLS offload
• Hardware accelerated crypto operations
• JSON, XML offload
• JavaScript, JSONiq, XSLT, XQuery acceleration
• Response caching

Control
• Intelligent load distribution
• Service level management
• Quota enforcement, rate limiting
• Message accounting
• Content-based routing
• Failure re-routing
• Integration with management & visibility platforms

Secure
• Authentication, authorization, auditing
• Security token translation
• Threat protection
• Schema validation
• Message filtering & semantics validation
• Message digital signature
• Message encryption

Page 29

Security Gateway

Proxying and Enforcement
• Terminate incoming connection
• Terminate transport-level security (SSL/TLS offload)
• Threat protection
• Enforce Service Level Agreement policies
• Inspect message content and filter (schema validate)
• Enforce security policies on message content (encrypt/decrypt, verify/sign digital signatures)
• Authentication, Authorization, Auditing (AAA)
• Call out to virus checker
• Transform content & enrich message
• Translate security token
• Dynamically route based on content and load balance (establish a new connection to pass results)
• Cache data on-box or in centralized, shared grid

[Diagram: the connection from the client is terminated at the Security Gateway in the DMZ and a new connection is opened to the target. Outside World (Internet: SaaS, Partner Apps, Browsers) → Protocol Firewall → DMZ (Security Gateway, ACL, Virus Scanner) → Domain Firewall → Internal Network (ESB over HTTP(s), Packaged Apps, Proprietary Apps, Data). Web Service Requests arrive over HTTP(s) carrying HTML, JSON, XML, SOAP; MIME, DIME, MTOM; XMLDSIG, XMLENC; WS-SecurityPolicy; WS-Trust, SAML; OAuth 2.0, with Basic Auth, OAuth 2.0, WS-Security UNT, etc. Identity and policy stores consulted: Tivoli (TAM), MS Active Directory, any LDAP (e.g. Oracle), CA SiteMinder, PDP (XACML, SAML, other). Internal Security: a second Security Gateway with ACL in front of internal consumers performs incoming access control and threat protection, and outgoing access control with SAML injection etc., passing SAML, LTPA or Kerberos tokens with the Web Service Request to the provider.]

Page 30

Protection of data plus XML & JSON threat protection

• Use DataPower to help resolve PCI compliance issues
• Easily sign, verify, encrypt, decrypt any content
• Configurable XML Encryption and Digital Signatures – message-level, field-level, headers
• Security standards: OAuth, WS-Security, WS-Policy, WS-SecurityPolicy, SAML, XACML, WS-Trust, …
• Use WS-SecurityPolicy to define security requirements for your web services
  ‒ DataPower natively consumes and enforces WS-SecurityPolicy statements
  ‒ Integrity & Confidentiality, SupportingTokens, Message/Transport Protection
• Use XACML to define access and authorization policies for your web services
  ‒ DataPower natively consumes and enforces XACML policies
  ‒ Resource-based Authorization; PEP, PDP
• DataPower security is policy driven

XML Threat Protection
• Entity Expansion/Recursion Attacks
• Public Key DoS
• XML Flood
• Resource Hijack
• Dictionary Attack
• Replay Attack
• Message/Data Tampering
• Message Snooping
• XPath or SQL Injection
• XML Encapsulation
• XML Virus
• …many others

JSON Threat Protection
• Label - Value Pairs
  ‒ Label String Length (characters)
  ‒ Value String Length (characters)
  ‒ Number Length (characters)
• Threat Protection
  ‒ Maximum nesting depth (levels)
  ‒ Maximum document size (bytes)
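The five JSON limits listed above, enforced on the raw document before any parser touches it, as an added Python example that is not DataPower’s own implementation. `JsonLimits`, `check_json_threats` and the default values are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class JsonLimits:
    """The five JSON threat-protection limits from the slide (default values are constructed)."""
    max_document_size: int = 4_000_000  # bytes
    max_nesting_depth: int = 64         # levels
    max_label_length: int = 256         # characters
    max_value_length: int = 8_192       # characters
    max_number_length: int = 128        # characters


def check_json_threats(doc: bytes, limits: JsonLimits) -> list:
    """Return the limit violations found in doc (empty list = within policy). The scan works
    on the raw text, so a hostile document is refused before any parser builds a tree from it."""
    if len(doc) > limits.max_document_size:
        return [f"document size {len(doc)} > {limits.max_document_size} bytes"]
    text, violations, depth, i = doc.decode("utf-8", "replace"), [], 0, 0
    while i < len(text):
        c = text[i]
        if c in "{[":                 # one level deeper into an object or array
            depth += 1
            if depth > limits.max_nesting_depth:
                return violations + [f"nesting depth {depth} > {limits.max_nesting_depth}"]
        elif c in "}]":
            depth -= 1
        elif c == '"':                # string: find the closing quote, honouring escapes
            j = i + 1
            while j < len(text) and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            length = j - i - 1        # raw characters between the quotes (escapes count as typed)
            k = j + 1
            while k < len(text) and text[k] in " \t\r\n":
                k += 1
            if k < len(text) and text[k] == ":":    # a ':' follows, so this string is a label
                if length > limits.max_label_length:
                    violations.append(f"label length {length} > {limits.max_label_length}")
            elif length > limits.max_value_length:
                violations.append(f"value length {length} > {limits.max_value_length}")
            i = j
        elif c in "-0123456789":      # number literal: count its characters
            j = i
            while j < len(text) and text[j] in "-+.eE0123456789":
                j += 1
            if j - i > limits.max_number_length:
                violations.append(f"number length {j - i} > {limits.max_number_length}")
            i = j - 1
        i += 1
    return violations


if __name__ == "__main__":
    # Constructed request: an array nested 100 levels deep against a 20-level limit.
    tight = JsonLimits(max_nesting_depth=20)
    print(check_json_threats(b"[" * 100 + b"1" + b"]" * 100, tight))
```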

Page 31

AAA : Authentication Authorization Auditing

[Diagram: the AAA policy processes a request from input to output through the stages below, consulting an external access control server or the onboard identity management store.]

• Extract Identity: HTTP Headers, WS-Security Tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509/SSL, SAML Assertion, IP Address, LTPA Token, HTML Form, OAuth, Custom
• Authenticate: LDAP/Active Directory, System/z NSS (RACF, SAF), IBM Security Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, Verify Signature, Custom
• Map Identity
• Extract Resource: URL, XPath, SOAP Operation, HTTP Operation, Custom
• Map Resource
• Authorize: LDAP/Active Directory, System/z NSS, IBM Security Access Manager, Netegrity SiteMinder, SAML, XACML, OAuth, Custom
• Audit & Post-Process: Add WS-Security, Generate z/OS ICRX Token, Generate Kerberos, Generate SPNEGO, Generate SAML, Generate LTPA, Map Tivoli Federated Identity

Page 32

IBM DataPower Gateway Values

Threats Protection
• Recursion Attacks
• Content Validation
• XML / JSON : Size, Width, Depth attacks
• XML Flood
• Dictionary Attack
• Replay Attack
• XPath or SQL Injection
• XML Encapsulation
• XML Virus

Cryptographic Operations
• Data confidentiality: XML encryption
• Data integrity: Digital Signature
• Non-repudiation of data: Signature verification
• Crypto treatments with hardware component (appliance)

AAA
• Authenticate: LDAP, Tivoli Access Management, Kerberos, WS-Trust, SAML, LTPA, OAuth2, …
• Authorize: LDAP, XACML, SAML, Custom, …
• Audit & Post Process: Logs, SNMP, WS-Management; Add WS-Security; Generate LTPA, SAML, …

Service Level Management
• Throttle
• Shape (delay)
• Reject or intelligent fail over
• Notify

Routing & Transformation
• Load balancing
• Protocol conversion: HTTP, WMQ, FTP, AS1/2/3, WJMS, …
• Data transformation: JSON, XML, XQuery, JavaScript, XSLT
• Hardware acceleration (appliance)
• Routing