
XML VPN Client


Share services securely across distributed organizations

Sharing services across distributed organizations is one of the keys to maximizing ROI in a SOA initiative. However, it can be a complex undertaking, involving issues of trust, identity management and access control. Matching security details supplied by a Web service consumer to the security requirements demanded by the service provider is a fine balancing act. The SecureSpan XML VPN Client automatically coordinates security preferences between service consumers and providers. Combined with a SecureSpan Gateway and the Layer 7 Enterprise Service Manager, the XML VPN Client is a key part of Layer 7’s leading SOA identity solution. The VPN Client automates this solution and minimizes total cost of ownership.

Page 1: XML VPN Client

SecureSpan™ XML VPN Client Solutions

Sharing services across distributed organizations is key to maximizing ROI in any SOA initiative, but it can be a complex undertaking, involving issues of trust, identity management and access control. In a Service Oriented Architecture (SOA), where services can invoke (and be invoked by) other services both within and between security domains, ensuring proper authentication and authorization is challenging. The problem lies in the fact that traditional Identity and Access Management (IAM) solutions are predicated on user-machine interactions and cannot easily accommodate machine-to-machine interactions. One solution, based on XML-based Web services, has been to securely embed identity and access information in every message. However, matching the security details supplied in a Web service consumer’s request to the security requirements demanded by the Web service provider is a fine balancing act, requiring constant updating of both consumer and provider applications within an organization (in addition to regular out-of-band communications between organizations) as industry regulations and corporate requirements change.

The SecureSpan XML VPN Client (XVC) streamlines consumer and provider interactions by automatically negotiating the “handshake” between them. The handshake could be as simple as verifying that the client is permitted to access the service, or as complex as ensuring that the request is properly encrypted, carries the correct credentials, originates from a trusted domain, has been digitally signed, and so on.

Based on a scalable appliance model, Layer 7 provides a turnkey, reusable, and standards-based method for overcoming the security challenges in a SOA:

• The SecureSpan XML Firewall or SOA Gateway (Gateway) is typically installed at the boundary of a Web services security domain, gating inbound access and regulating outbound communication. Available as an appliance, virtual appliance or software, the gateway performs various XML and Web services security enforcement activities, including threat protection, access management, privacy enforcement, data validation, routing, transformation, and auditing.

• The SecureSpan Manager (Manager) is used to create fine-grained, identity-based entitlements and security policies for protected Web services. External credential, Public Key Infrastructure (PKI), and Single Sign-On (SSO) sources can also be configured through the Manager.

• The SecureSpan XML VPN Client (XVC) automatically coordinates security preferences between service consumers and providers.

While all three components work together to solve SOA’s identity problems, the XVC is key to automating the solution and reducing total cost of ownership.

Copyright © 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.

Page 2: XML VPN Client


Extend Existing Identity Management Infrastructure to SOA

To create a standard security model and lower the IT costs associated with maintaining large numbers of users and their associated access privileges, most organizations have adopted Lightweight Directory Access Protocol (LDAP) directories, Microsoft Active Directories (MSAD), Single Sign-On (SSO) systems or Identity and Access Management (IAM) products (such as CA SiteMinder, IBM Tivoli Access Manager, Novell CentraSite, or Sun OpenSSO). While these are proven solutions for ensuring that users are authenticated and restricted to those resources to which they are entitled, they do nothing to address machine-to-machine interaction, which is a key function of any Service Oriented Architecture (SOA).

While current generation LDAP, MSAD, SSO and IAM solutions can be extended to handle machine-based identities, most don’t natively support the ability to make decisions based on Web service parameters like URL address, SOAP Action, Operation name or XML element. Moreover, none address the challenge of implementing an identity-based infrastructure in a SOA, which typically requires some form of digital certificate, token or other credential to be embedded in a client’s request before that request will be accepted by a target service. New technology is therefore necessary to help machine identities prove who they claim to be, and which resources they can access.

The SecureSpan XML VPN Client (XVC) coordinates with the SecureSpan Gateway (Gateway) to overcome this machine-to-machine identity problem. The Gateway is typically implemented at the perimeter of the Web services provider’s domain, enforcing security policy and controlling access to Web services. Using the SecureSpan Manager (Manager), an administrator can assemble policies that define a set of requirements needed to access a Web service – requirements that might include such things as transport protocol, threat safeguards, access permissions, signing and encryption expectations, and other preferences.

With the Gateway in place, the XVC can simply be installed on any client machine as a “drop in” solution to the machine-to-machine communication problem. The XVC automatically intercepts messages destined for the Web services provider, authenticating (and potentially authorizing) on behalf of the requesting application against the appropriate source.

In this way, organizations can quickly extend their existing identity systems to encompass Web services and XML-based interactions, laying the foundation to bridge independent trust environments while preserving local authentication and authorization processes.

Page 3: XML VPN Client


Integrate with Service Providers More Cost-effectively

Centralizing and standardizing organization-wide security requirements in an intermediary is one of the key benefits of introducing the SecureSpan Gateway. Rather than depending on application developers to hard-code security and other infrastructure requirements within a backend application or service provider, subject matter experts create centralized policies that can be implemented and enforced on the Gateway, thereby generating improved development and operational efficiency by eliminating the need to recode, retest and redeploy applications when industry standards and/or corporate security parameters change.

In much the same way, organizations can leverage the XVC to effectively abstract out the security and other infrastructure requirements from a service consumer, insulating the client-side application from policy changes and ensuring continuity of business. For example:

• Insurance providers can realize increased revenues by making it easier for their broker network to do business with them via rich, XML-based applications that won’t break when policies change

• Web services-based travel aggregation sites can derive increased margins by linking in new online tour operators more cost-effectively

• Global logistics companies can gain a competitive advantage by onboarding new transport services in diverse geographies quicker than the competition

• Healthcare providers can secure and streamline their interactions with third-party test labs and regional health authorities

• And so on

Once installed on a client system, the XVC interfaces with service consumers, automatically negotiating policy-specific security, routing, and transaction preferences with the Gateway in real time. Specifically, when client applications attempt to send message requests to a Gateway-protected Web service, the XVC intercepts the request and functions as a client-side proxy, applying necessary protocols, headers, or transformations to messages as required by the policy in force on the Gateway. Policies are automatically retrieved and applied by the XVC to ensure all subsequent messages conform to the updated policy. This ensures rigorous, fine-grained security with automated change control across all integrations, regardless of complexity.

Page 4: XML VPN Client


For deployments that require encryption, the XVC can be used to automate client-side Public Key Infrastructure (PKI) management. In conjunction with the Gateway’s internal Certificate Authority (CA), the XVC initiates the key exchange, negotiating cryptographic algorithms, and invoking Certificate Signing Requests (CSRs). The XVC can also be used with any existing X.509 certificates or other CAs accessible to the SecureSpan administrator.

In this way, organizations can lower their total cost of application development and maintenance; dramatically reduce the deployment time for client applications; create end-to-end security consistency by automatically coordinating security across distributed systems; and “future proof” their investment by insulating their architecture from changes to industry standards and corporate policies.

Onboard New Acquisitions Quicker

Acquiring companies is often a two-edged sword: while revenue potential escalates, costs balloon as the organizations attempt to integrate their disparate infrastructure. In the long run, the organizations will realize efficiencies by consolidating and standardizing on a single application, platform and infrastructure layer, but in the short term they may be better off functioning as independent but interoperable business units. To do so, however, the organizations will need to overcome problems with identity federation, which quickly arise as IT departments try to bridge identities between separate security domains.

Identity bridging is a unique and powerful model that separates authentication and authorization tasks occurring between security domains in a SOA, delegating authentication to the service requestor while preserving control over authorization for the provider hosting the service.

Messages bound for a Gateway-protected Web service are intercepted by the XVC, which uses an established key relationship to initiate an authentication request on behalf of the client application against the local authentication source. The resultant artifact of the authentication (i.e., cookie or SAML assertion) and the originating identity are bound into the message by the XVC, signed, sequenced, and forwarded to the provider’s Gateway for processing. The Gateway then delegates authorization to the service provider by interfacing to the provider’s trusted authorization source that validates requests.

Administrators can select the authorization model to be used by the Gateway on a service by service basis. When a message is received by the Gateway, subsequent processing depends on the defined Web service security policy for the requestor’s identity. The Gateway first checks the integrity of the bundled identity, the authentication token, and the message itself. The authentication token is examined to ensure that it has not timed out, an important consideration when using potentially long-lived cookies or SAML assertions. The certificate of the trusted authentication source is used to verify the authenticity and source of the authentication token that is presented. Additional policy processing can also be performed based on specific message elements or various assertion-based requirements that are independent of identity or the authentication token.

Page 5: XML VPN Client

Tight signed binding of the credentials and authentication evidence, combined with automatic sequencing, ensures that no intermediate or replay attacks are possible even if the message is intercepted during transmission. This binding also provides powerful transactional evidence for local auditing and non-repudiation.
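As an added illustration (not Layer 7 code and not the Gateway’s implementation), the Python sketch below models the three provider-side checks this section describes: one signature binding identity, token, sequence number and body; rejection of timed-out tokens; and sequence-based rejection of replayed or out-of-order messages. The HMAC key stands in for the trusted authentication source’s certificate, and every message value is constructed for the demo.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key: stands in for the trusted authentication source's certificate.
TRUSTED_SOURCE_KEY = b"constructed-demo-key"


def sign(msg: dict, key: bytes) -> str:
    """Bind identity, token, sequence number and body under one signature."""
    bound = {k: msg[k] for k in ("identity", "token", "seq", "body")}
    canon = json.dumps(bound, sort_keys=True).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class Gateway:
    """Provider-side checks: integrity first, then token freshness, then sequencing."""

    def __init__(self, key: bytes, now=time.time):
        self.key = key
        self.now = now
        self.last_seq = {}  # highest sequence number accepted per identity

    def check(self, msg: dict) -> str:
        # 1. Integrity of the bundled identity, token and message body.
        if not hmac.compare_digest(sign(msg, self.key), msg.get("sig", "")):
            return "reject: signature mismatch"
        # 2. The token must not have timed out (cookies/SAML assertions can be long-lived).
        if msg["token"]["expires"] <= self.now():
            return "reject: token expired"
        # 3. Sequencing: a replayed or out-of-order message is refused.
        ident = msg["identity"]
        if msg["seq"] <= self.last_seq.get(ident, 0):
            return "reject: replay"
        self.last_seq[ident] = msg["seq"]
        return "accept"


def demo() -> list:
    """Run one constructed identity through accept, replay, tamper and expiry cases."""
    clock = lambda: 1_000_000  # fixed clock so the results are repeatable
    gw = Gateway(TRUSTED_SOURCE_KEY, now=clock)
    msg = {"identity": "broker-app@partner.example", "seq": 1,
           "token": {"type": "SAML", "expires": 1_000_600},
           "body": "<order id='42'/>"}
    msg["sig"] = sign(msg, TRUSTED_SOURCE_KEY)
    results = [gw.check(msg), gw.check(msg)]        # first accepted, replay refused
    tampered = dict(msg, body="<order id='43'/>")   # body altered in transit
    results.append(gw.check(tampered))
    stale = dict(msg, seq=2, token={"type": "SAML", "expires": 999_000})
    stale["sig"] = sign(stale, TRUSTED_SOURCE_KEY)  # valid signature, expired token
    results.append(gw.check(stale))
    return results


if __name__ == "__main__":
    print(demo())
```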

If the application already has a hard-coded authorization process, or if the incoming identity has no context within the provider-side Web services’ security domain, the originating identity and token can be stripped out before forwarding the message to the provider’s application for additional authorization. Again, the local audit trail that exists for all transactions and administrative functions provides positive evidence for non-repudiation or regulatory compliance issues.

In this way, organizations can bridge multiple security domains, whether those domains be internal to the organization (for example, across the Chinese Wall separating retail banking from investment banking), separated globally (as between regional branch offices), or between head office and third-party service providers.

The SecureSpan XML VPN Client can be deployed in conjunction with all currently shipping versions of the SecureSpan XML Firewall and SecureSpan SOA Gateway appliances, soft appliances and software versions.

To learn more about how Layer 7 can address your needs, call us today at +1 800.681.9377 (toll free within North America) or +1.604.681.9377, or visit us at www.layer7tech.com.