Identity Based XML Firewalling


8/2/2019 Identity Based XML Firewalling

The Problem:

Identity is at the heart of SOA security. Identity drives authentication and authorization decisions for all client-service interactions in an SOA, and the ability to validate identity is also central to enforcing transactional integrity and accountability policies. However, defining and enforcing identity-based security policies in an SOA is complicated. Machine identities for client applications must be stored in a centrally accessible directory. Services must be able to extract identity information from the credentials carried inside a Web services message, validate those credentials against the central identity directory, and then enforce a security policy based on the rights associated with that identity. How a Web services security policy is defined, how decisions are delegated to existing policy decision points, how the credentials are located within a Web services message, how compliance with the various WS-* and WS-I security standards is assured, and how identity context is propagated in multi-hop SOA environments all further complicate the application of identity to SOA. This is where an identity-based XML Firewall product like Layer 7's can help.

The Layer 7 Solution:

The SecureSpan XML Firewall gives security and SOA architects a centralized integration and enforcement point for identity-based SOA security operations such as client authentication, service-level authorization, message privacy and transaction integrity. It integrates with popular identity and access products including LDAP, MS Active Directory, CA SiteMinder, CA TransactionMinder, RSA ClearTrust, Tivoli Access Manager, Novell Access Manager, Oracle Access Manager and Sun Java Access Manager, so that an existing identity and access policy store can be reused for SOA. The SecureSpan XML Firewall also offers hardware-accelerated XML parsing, validation and transformation so that identity credentials can be rapidly extracted, validated and, if need be, transformed for downstream authentication. To support emerging single sign-on and federation standards, it also supports WS-Trust and SAML.

Solution Brief: Identity-Based XML Firewalling with SecureSpan(TM) XML Firewall

[Figure: Service Consumers presenting UTP, X.509 or SAML credentials reach the Web Service through a SecureSpan XML Firewall Cluster, which consults Identity Management (SAML). Caption fragment: "... SecureSpan XML Firewall clusters, screening XML content, centrally controlling service level access and enforcing message level security policies like privacy and integrity."]


XML Threat Protection:

- Infrastructural protections against XML parsing, XDoS and OS attacks
- Application protection against XML content tampering and viruses in SOAP attachments
- Protection against SQL and malicious script injection attacks
- Allow / reject messages based on time of day, day of week and IP address
- Configurable throughput restrictions based on requestor or destination to prevent downstream XDoS
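The gateway flow described in The Problem (find the credential in the message, validate it against a central directory, enforce service-level access) together with the pre-parse XML threat screening listed above, as an added example that is not Layer 7's code or SecureSpan's policy language. The SOAP 1.1 and WS-Security UsernameToken namespaces are the real ones; the identity store, the service policy and the sample request are constructed stand-ins.

```python
import hmac
import xml.etree.ElementTree as ET

# Namespaces for SOAP 1.1 and the WS-Security UsernameToken Profile (UTP).
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Constructed stand-in for the central identity directory: user -> (password, groups).
IDENTITY_STORE = {"orders-client": ("s3cret", {"order-readers"})}
# Constructed service-level authorization policy: SOAP operation -> groups allowed to call it.
SERVICE_POLICY = {"GetOrder": {"order-readers", "order-admins"}, "PostInvoice": {"billing-writers"}}

def prescreen(raw: bytes, max_bytes: int = 64 * 1024) -> None:
    """Infrastructural XML threat checks before parsing: size cap, no DTD/entity declarations (XDoS)."""
    if len(raw) > max_bytes or b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("oversized message or DTD/entity declaration present")

def extract_username_token(env: ET.Element) -> tuple[str, str]:
    """Mine the UTP credential out of the WS-Security header; fail closed if absent."""
    tok = env.find(f"{{{SOAP_NS}}}Header/{{{WSSE_NS}}}Security/{{{WSSE_NS}}}UsernameToken")
    user = tok.findtext(f"{{{WSSE_NS}}}Username") if tok is not None else None
    pw = tok.findtext(f"{{{WSSE_NS}}}Password") if tok is not None else None
    if not user or not pw:
        raise PermissionError("no usable UsernameToken credential")
    return user, pw

def decide(raw: bytes) -> str:
    """Gateway decision: screen, parse, authenticate against the directory, authorize the Body operation."""
    try:
        prescreen(raw)
        env = ET.fromstring(raw)
        user, pw = extract_username_token(env)
        record = IDENTITY_STORE.get(user)
        if record is None or not hmac.compare_digest(record[0], pw):
            raise PermissionError("authentication failed")
        body = env.find(f"{{{SOAP_NS}}}Body")
        if body is None or len(body) == 0:
            raise ValueError("empty SOAP Body")
        op = body[0].tag.rsplit("}", 1)[-1]  # local name of the operation element
        if not (record[1] & SERVICE_POLICY.get(op, set())):
            raise PermissionError(f"{user} not authorized for {op}")
        return "ALLOW " + op
    except (ValueError, PermissionError, ET.ParseError) as exc:
        return "DENY " + str(exc)

# Constructed sample request: SOAP 1.1 envelope carrying a UTP credential for GetOrder.
SAMPLE = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.'
          b'oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><s:Header>'
          b'<wsse:Security><wsse:UsernameToken><wsse:Username>orders-client</wsse:Username>'
          b'<wsse:Password>s3cret</wsse:Password></wsse:UsernameToken></wsse:Security></s:Header>'
          b'<s:Body><GetOrder xmlns="urn:example:orders"><id>42</id></GetOrder></s:Body></s:Envelope>')
```

Every rejection path returns a DENY string naming the failed check, which is the kind of event a gateway would log and raise as an audit trap.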

Administration Options:

- GUI-based SecureSpan Manager deployed as either a stand-alone application (Windows / Linux) or browser-based (Internet Explorer / Firefox)
- Centralized cluster management and configuration with delegated administration
- Drag-and-drop policy configuration
- Intelligent, real-time validation and testing of policies
- Logging and audit trapping of violations and system/user-defined events via SNMP and SMTP
- Dashboard for graphical, real-time monitoring of traffic profiles and security violations
- Audit controls

Advanced Identity, Credentialing and PKI Support:

- Onboard identity store for administrative identities and fast staging of new services
- Integration with multiple external identity, access, single sign-on and federation systems including LDAP, Microsoft (Active Directory and Active Directory Federated Services), Novell Access Manager, Oracle Access Manager, IBM Tivoli (Access Manager and Federated Identity Manager), CA SiteMinder and TransactionMinder, RSA ClearTrust, Sun Java Access Manager
- Credential chaining, credential remapping and support for federated identity
- Comprehensive support for SAML 1.1/2.0 authentication, authorization and attribute-based policies
- Integrated PKI CA for automated deployment and management of client-side certificates, and RA ability for external CAs including Verisign

General Security:

- Support for XML, SOAP, POX, AJAX, REST and other XML-based services
- Configuration wizards simplify policy creation and activation
- Support for policy branching based on identity or any message content or context
- Support for multiple routing destinations with configurable failover
- Policies can be applied to request-only, response-only or both request and response messages

Web Site: www.layer7tech.com  Email: [email protected]  800.681.9377

Key Features

Supported Standards and Specifications:

XML 1.0, SOAP 1.1, REST, AJAX, XPath 1.0, XSLT 1.0, WSDL 1.1, XML Schema & DTD, LDAP 3.0, SAML 1.1/2.0, PKCS #10, X.509 v3 Certificates, W3C XML Signature 1.0, W3C XML Encryption 1.0, FIPS 140-2, SSL/TLS 2.0 / 3.0, SNMP, SMTP, FTP, HTTP/HTTPS, WS-Security 1.0, WS-Trust 1.0, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-Secure Exchange, WSIL, WS-I, WS-I BSP, UDDI 3.0


Innovations and Solution Features:

- Support for access control based on multiple identities/groups/identity sources in a single XML Firewall policy
- Ability to distribute third-party Web SSO session cookies to Web services clients
- Optional SecureSpan XML VPN Client automates PKI provisioning to Web Service clients
- Range of credential support including HTTP, WS-S, WS-Trust, Web SSO, and SAML 1.1 / 2.0
- Built-in PKI subsystem and support for external X.509 certificates
- Standards-based interface to external STS SAML issuers
- Rich credential mining tools
- Policy branching supports any combination of identity and content-based message processing