8/2/2019 Identity Based XML Firewalling
1/2
The Problem:
Identity is at the heart of SOA security. Identity drives authentication and authorization decisions for
all client-service interactions in an SOA. An ability to validate identity is also central to enforcing
transactional integrity and accountability policies. However, defining and enforcing identity-based
security policies is complicated in an SOA. Machine identities for client applications must be stored
within a centrally accessible directory. Services must have an ability to extract identity information
from credentials passed to them inside a Web services message, validate those credentials against a
centralized identity directory and then enforce a security policy based on the rights associated with
the identity. How a Web services security policy is defined, how to support decision delegation to
existing policy decision points, how to find the credentials in a Web services message, how to assure
compliance with the various WS-* and WS-I security standards, and how to propagate identity context
in multi-hop SOA environments all further complicate the application of identity to SOA. This is where an
identity-based XML Firewall product like Layer 7's can help.
The Layer 7 Solution:
The SecureSpan XML Firewall provides security and SOA architects a centralized integration and
enforcement point for identity-based SOA security operations like client authentication, service level
authorization, message privacy and transaction integrity. The SecureSpan XML Firewall integrates with
popular identity and access products including LDAP, MS Active Directory, CA SiteMinder, CA
TransactionMinder, RSA ClearTrust, Tivoli AccessManager, Novell Access Manager, Oracle Access
Manager and Sun Java Access Manager so that an existing identity and access policy store can be
reused for SOA. The SecureSpan XML Firewall also offers hardware accelerated XML parsing, validation
and transformation so that identity credentials can be rapidly extracted, validated and, if need be,
transformed for downstream authentication. To support emerging single sign-on and federation
standards, the SecureSpan XML Firewall also supports WS-Trust and SAML.
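The pipeline described above (find the credentials in the Web services message, validate them against a central identity directory, then apply a service-level authorization policy that branches on the caller's identity) can be sketched end to end. The following is an added example, not Layer 7 or SecureSpan code: it pulls a WS-Security UsernameToken out of a SOAP envelope, checks it against a constructed in-memory stand-in for the directory (the brief's LDAP/Active Directory integrations), and decides per operation. The directory entries, group names, operations and the `POLICY` table are all assumptions made for the example.

```python
"""Added example (not Layer 7 code): identity-based enforcement for a SOAP message.
Extract WS-Security credentials -> authenticate against a directory -> authorize the
requested operation by group. Directory, groups and policy are constructed."""
from __future__ import annotations

import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from xml.sax.saxutils import escape

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed stand-in for the central identity directory (LDAP/AD in the brief):
# user -> (salt, password hash, groups). Only hashes are stored, never plaintext.
_SALT = b"constructed-example-salt"
DIRECTORY = {
    "alice": (_SALT, _pbkdf2("alice-pw", _SALT), {"traders"}),
    "bob": (_SALT, _pbkdf2("bob-pw", _SALT), {"auditors"}),
}

# Service-level authorization policy (assumed): operation -> groups allowed to call it.
POLICY = {
    "placeOrder": {"traders"},
    "getAuditLog": {"auditors"},
    "getQuote": {"traders", "auditors"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    user: str | None = None


def extract_username_token(envelope: bytes) -> tuple[str, str] | None:
    """Locate wsse:UsernameToken in the SOAP header; None if absent."""
    root = ET.fromstring(envelope)
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        return None
    user = token.findtext("wsse:Username", default="", namespaces=NS)
    password = token.findtext("wsse:Password", default="", namespaces=NS)
    return user, password


def authenticate(user: str, password: str) -> set[str] | None:
    """Return the user's groups on success, None on failure (constant-time compare)."""
    entry = DIRECTORY.get(user)
    if entry is None:
        _pbkdf2(password, _SALT)  # same cost for unknown users as for wrong passwords
        return None
    salt, stored, groups = entry
    if not hmac.compare_digest(_pbkdf2(password, salt), stored):
        return None
    return groups


def operation_of(envelope: bytes) -> str:
    """The requested operation is the first child element of soap:Body."""
    body = ET.fromstring(envelope).find("soap:Body", NS)
    first = next(iter(body), None) if body is not None else None
    return first.tag.split("}")[-1] if first is not None else ""


def enforce(envelope: bytes) -> Decision:
    """Policy branch: no credentials -> deny; bad credentials -> deny;
    otherwise allow only if one of the caller's groups is permitted for the operation."""
    creds = extract_username_token(envelope)
    if creds is None:
        return Decision(False, "no credentials in WS-Security header")
    user, password = creds
    groups = authenticate(user, password)
    if groups is None:
        return Decision(False, "authentication failed")
    op = operation_of(envelope)
    permitted = POLICY.get(op, set())  # unknown operation -> deny by default
    if groups & permitted:
        return Decision(True, f"{user} may invoke {op}", user)
    return Decision(False, f"{user} not authorized for {op}", user)


def soap_message(user: str, password: str, operation: str) -> bytes:
    """Build a constructed SOAP request carrying a UsernameToken (test input only)."""
    return (
        f'<soap:Envelope xmlns:soap="{NS["soap"]}" xmlns:wsse="{NS["wsse"]}">'
        "<soap:Header><wsse:Security><wsse:UsernameToken>"
        f"<wsse:Username>{escape(user)}</wsse:Username>"
        f"<wsse:Password>{escape(password)}</wsse:Password>"
        "</wsse:UsernameToken></wsse:Security></soap:Header>"
        f"<soap:Body><{operation}/></soap:Body></soap:Envelope>"
    ).encode()


if __name__ == "__main__":
    for u, p, op in [("alice", "alice-pw", "placeOrder"), ("bob", "bob-pw", "placeOrder")]:
        print(op, enforce(soap_message(u, p, op)))
```

The deny-by-default lookup on `POLICY` is the important design choice: an operation nobody has written a rule for is refused rather than passed through, which is what makes the enforcement point safe to put in front of services whose interface is still growing.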
Solution Brief: Identity-Based XML Firewalling with SecureSpan(TM) XML Firewall
[Figure: SecureSpan XML Firewall clusters, screening XML content, centrally controlling service level access and enforcing message level security policies like privacy and integrity. Diagram labels: Identity Management; three Service Consumers presenting UTP, X.509 and SAML credentials; SecureSpan XML Firewall Cluster; SAML; Web Service.]
Key Features
XML Threat Protection
- Infrastructural protections against XML parsing, XDoS and OS attacks
- Application protection against XML content tampering and viruses in SOAP attachments
- Protection against SQL and malicious script injection attacks
- Allow / reject messages based on time of day, day of week and IP address
- Configurable throughput restrictions based on requestor or destination prevent downstream XDoS
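The parser-level protections and throughput restrictions listed under XML Threat Protection are the kind of checks a gateway runs before a message ever reaches a service's own XML stack. The block below is an added example written for this page, not SecureSpan code: it rejects any message carrying a DTD or entity declaration (the vehicle for external-entity and entity-expansion XDoS), bounds document size, nesting depth and element count while streaming through the document, and applies a sliding-window per-requestor limit. The limits, the requestor key and the sample messages are constructed for the example.

```python
"""Added example (not Layer 7 code): pre-parse XML threat screening and a
per-requestor throughput limit, as an XML firewall would apply them ahead of
the protected service. Limits and sample messages are constructed."""
from __future__ import annotations

import io
import re
import time
import xml.etree.ElementTree as ET
from collections import deque

# Hypothetical limits; a real deployment tunes these per service.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 2000

# SOAP messages never need a DOCTYPE, so any DTD or entity declaration is refused
# outright. This closes external-entity and recursive-entity parser attacks
# before the parser sees them.
_DTD_MARKER = re.compile(rb"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def screen_xml(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Cheap byte-level checks run first, then a
    streaming parse that aborts as soon as a structural limit is exceeded."""
    if len(data) > MAX_BYTES:
        return False, "message exceeds size limit"
    if _DTD_MARKER.search(data):
        return False, "DTD/entity declaration not permitted"
    depth = elements = 0
    try:
        for event, _elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                if depth > MAX_DEPTH:
                    return False, "nesting depth exceeds limit"
                if elements > MAX_ELEMENTS:
                    return False, "element count exceeds limit"
            else:
                depth -= 1
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


class RequestorThrottle:
    """Sliding-window limit on messages per requestor (client IP or identity).
    Keeps only timestamps inside the window, so memory is bounded by `limit`."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window = window_s
        self._hits: dict[str, deque] = {}

    def allow(self, requestor: str, now: float | None = None) -> bool:
        now = time.monotonic() if now is None else now
        hits = self._hits.setdefault(requestor, deque())
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


# Constructed sample messages.
BENIGN = (
    b'<?xml version="1.0"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soap:Body><getQuote>ACME</getQuote></soap:Body></soap:Envelope>"
)
WITH_DTD = b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "x">]><x>&e;</x>'
DEEP = b"<a>" * 100 + b"</a>" * 100
BROKEN = b"<a><b></a>"


def screen_samples() -> dict[str, str]:
    """Reason string for each constructed sample, for a quick read of the rules."""
    return {
        name: screen_xml(msg)[1]
        for name, msg in {"benign": BENIGN, "dtd": WITH_DTD, "deep": DEEP, "broken": BROKEN}.items()
    }


if __name__ == "__main__":
    for name, reason in screen_samples().items():
        print(f"{name:7s} -> {reason}")
```

Screening the raw bytes for `<!DOCTYPE` before parsing is deliberately blunt: it means the expensive part of the check (the streaming parse) is only spent on messages that have already passed the cheap filters, which is exactly the ordering needed when the attack being defended against is resource exhaustion.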
Administration Options
- GUI-based SecureSpan Manager deployed as either stand-alone application (Windows / Linux) or browser-based (Internet Explorer / Firefox)
- Centralized cluster management and configuration with delegated administration
- Drag and drop policy-based policy configuration
- Intelligent, real-time validation and testing of policies
- Logging and audit trapping of violations and system/user defined events via SNMP and SMTP
- Dashboard for graphical, real-time monitoring of traffic profiles and security violations
- Audit controls
Advanced Identity, Credentialing and PKI Support
- Onboard identity store for administrative identities and fast staging of new services
- Integration with multiple external identity, access, single sign-on and federation systems including LDAP, Microsoft (Active Directory and Active Directory Federated Services), Novell Access Manager, Oracle Access Manager, IBM Tivoli (Access Manager and Federated Identity Manager), CA SiteMinder and TransactionMinder, RSA ClearTrust, Sun Java Access Manager
- Credential chaining, credential remapping and support for federated identity
- Comprehensive support for SAML 1.1/2.0 authentication, authorization and attribute based policies
- Integrated PKI CA for automated deployment and management of client-side certificates and RA ability for external CAs including Verisign
General Security
- Support for XML, SOAP, POX, AJAX, REST and other XML-based services
- Configuration wizards simplify policy creation and activation
- Support for policy branching based on identity or any message content or context
- Support for multiple routing destinations with configurable failover
- Policies can be applied to request-only, response-only or both request and response messages
Web Site: www.layer7tech.com | Email: [email protected] | 800.681.9377
Supported Standards and Specifications:
XML 1.0, SOAP 1.1, REST, AJAX, XPath 1.0, XSLT 1.0, WSDL 1.1, XML Schema & DTD, LDAP 3.0, SAML 1.1/2.0, PKCS #10, X.509 v3
Certificates, W3C XML Signature 1.0, W3C XML Encryption 1.0, FIPS 140-2, SSL/TLS 2.0 / 3.0, SNMP, SMTP, FTP, HTTP/HTTPS,
WS-Security 1.0, WS-Trust 1.0, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy,
WS-SecureExchange, WSIL, WS-I, WS-I BSP, UDDI 3.0
Innovations and Solution Features:
- Support for access control based on multiple identities/groups/identity sources in a single XML Firewall policy
- Ability to distribute third party Web SSO session cookies to Web services clients
- Optional SecureSpan XML VPN Client automates PKI provisioning to Web Service clients
- Range of credential support including HTTP, WS-S, WS-Trust, Web SSO, and SAML 1.1 / 2.0
- Built-in PKI subsystem and support for external X.509 certificates
- Standards-based interface to external STS SAML issuers
- Rich credential mining tools
- Policy branching supports any combination of identity and content based message processing