What Is An XML Firewall

XML firewalls are devices for implementing security policies, as specifically applied to XML messages. This presentation will review XML firewalls, with a focus on how they are used to mitigate security risks.

 

 
 
Tags:  SOA  Cloud  Standards  Governance  XML  Firewall  Gateway  Layer 7 Technologies 
Views:  269
Published:  November 17, 2010
 
Notes:
 
Slide 1: What are XML Firewalls
Adam Vincent, Layer 7 Technologies Federal Technical Director
Prepared for the Institute of Electrical and Electronics Engineers (IEEE)
Given at the IEEE Chapter Meeting on April 17th, 2008 in McLean, VA

Slide 2: Firewalls Overview
Traditional firewalls do very little to mitigate XML vulnerabilities, since they are normally configured to allow all ASCII traffic through port 80, and XML is ASCII.
XML firewalls are devices for implementing security policies, as specifically applied to XML messages. The following slides review XML firewalls, with a focus on how they are used to mitigate security risks.
The focus of this section is boundary protection, although when you look at an SOA it is important to look at the entirety of the architecture. Providing boundary protection is a necessary step toward end-to-end security.
What is an XML Firewall? 2

Slide 3: What is a Firewall?
Definition: A firewall limits access between networks in accordance with local security policies.
(Diagram: a firewall enforcing its policies between two networks.)

Slide 4: Firewall Implements a Policy
The policy:
• specifies all the factors that must be considered when making a decision
• specifies what actions should be taken upon making a decision
The firewall:
• implements the policy

Slide 5: Two Categories of Firewalls
Network firewalls (a.k.a. IP/port firewalls):
• Decisions are made based purely upon factors relating to the packet's origin and destination:
  - Where did the packet come from?
  - Who originated the packet?
  - Where is its destination?
  - What time did the packet arrive?
Application firewalls:
• Decisions are made based upon the content of the message:
  - Is the content of the message acceptable?
  - Is the content a high-value transaction?
  - Is the content a low-value transaction?
  - Is the content of the message structured appropriately?

Slide 6: Two Categories of Firewalls
Network firewalls: check IP/port (note: many routers already do this checking)
Application firewalls: check message content
Slide 7: What is an XML Firewall?
Definition: An XML firewall is a tool that takes as input an XML document/message and enforces security policies.
(Diagram: an XML message arrives at the XML firewall, which asks "What should I do with this XML document/message?" and consults its policies.)

Slide 8: Example Deployment
(Diagram: Internet clients and servers reach the Local Area Network through a packet firewall and a perimeter XML firewall; inside the LAN, client workstations and servers reach the servers of the Service Enclave through enclave XML firewalls.)

Slide 9: XML Firewalls can do IP/Port checking and content checking
Packet firewalls: check IP/port (note: many routers already do this checking)
Application firewalls: check message content
XML firewalls: check both IP/port and message content, using stateful inspection and deep packet inspection
Stateful Inspection: Analysis of data within the lowest levels of the protocol stack in order to compare the current session with previous ones for detection of suspicious activity.
Deep Packet Inspection: Analysis of the content of a passing packet, searching for illegal statements to decide if the packet can pass.

Slide 10: What Factors Enter into an XML Firewall's Decision?
Decisions can be made based upon countless factors, e.g.:
• Packet-based factors:
  - Where did the connection/message come from?
  - Who originated the connection/message?
  - Where is its destination?
  - What time did the connection/message arrive?
  - What time was the connection/message sent?
• Content-based factors:
  - Is the content of the message acceptable?
  - Is the content a high-value transaction?
  - Is the content a low-value transaction?
  - Is the content of the message structured appropriately?
  - Is the XML security header formatted correctly?

Slide 11: What Actions can an XML Firewall Take?
If the firewall decides the message/document is not acceptable for propagation, it may:
• log the document
• return the document
• discard the document
• etc.
If the firewall decides the message/document is acceptable for propagation, it may:
• simply forward it along
• route it along a special path
• delay sending it along for a period of time
• etc.

Slide 12: Examples of Checks that an XML Firewall may Perform
• "Does the XML conform to the data business rules, i.e., does it validate against an XML Schema defining the business rules?"
• "Does the XML contain malicious code?"
• "Does the Message Level Security component of the message comply with the DoD/IC requirements?"
• "Authentication/Authorization of the sender/message creator"
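As an added worked example (not part of the presentation, and not Layer 7 code), the following Python puts the packet-based and content-based factors of slides 10 to 12 and the actions of slide 11 into one decision function. The CIDR ranges, business hours, size limit, value threshold, the urn:example:purchase-order namespace and the sample SOAP messages are all constructed assumptions; the SOAP 1.1 and WS-Security namespace URIs are the standard ones.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import time

# Standard namespaces for SOAP 1.1 and WS-Security; the purchase-order
# namespace is a constructed placeholder for this example.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
PO = "urn:example:purchase-order"


@dataclass(frozen=True)
class Message:
    source_ip: str    # packet-based: where did it come from?
    arrived_at: time  # packet-based: what time did it arrive?
    body: bytes       # content-based factors are read from here


@dataclass(frozen=True)
class Policy:
    allowed_sources: tuple       # CIDR strings
    business_hours: tuple        # (start, end) as datetime.time
    max_bytes: int               # message size limit
    high_value_threshold: float  # orders at or above this take a special route


# Constructed policy values (assumed for the example).
POLICY = Policy(
    allowed_sources=("10.0.0.0/8", "192.0.2.0/24"),
    business_hours=(time(8, 0), time(18, 0)),
    max_bytes=64 * 1024,
    high_value_threshold=100_000.0,
)


def decide(msg: Message, policy: Policy = POLICY) -> tuple:
    """Return (action, reason) for one message.

    Unacceptable messages are discarded (the reason is what the firewall
    would log); acceptable ones are forwarded or routed along a special
    path, mirroring the actions listed on slide 11.
    """
    # Packet-based factors first: they are cheap and need no parsing.
    src = ipaddress.ip_address(msg.source_ip)
    if not any(src in ipaddress.ip_network(n) for n in policy.allowed_sources):
        return "discard", f"origin {msg.source_ip} not in allowed sources"
    start, end = policy.business_hours
    if not start <= msg.arrived_at <= end:
        return "discard", f"arrived at {msg.arrived_at} outside business hours"

    # Content-based factors, cheapest check first.
    if len(msg.body) > policy.max_bytes:
        return "discard", "message size limit exceeded"
    # Refuse DOCTYPE/ENTITY declarations before parsing: entity expansion
    # and external entities are the usual "malicious code" carried in XML.
    if re.search(rb"<!(DOCTYPE|ENTITY)", msg.body):
        return "discard", "DOCTYPE/ENTITY declarations are not allowed"
    try:
        root = ET.fromstring(msg.body)
    except ET.ParseError as exc:
        return "discard", f"not well-formed XML: {exc}"
    if root.tag != f"{{{SOAP}}}Envelope":
        return "discard", "not a SOAP envelope"
    # "Is the XML security header formatted correctly?" (minimal version:
    # a WS-Security header must be present in the SOAP Header).
    if root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security") is None:
        return "discard", "missing WS-Security header"
    # "Is the content of the message structured appropriately?"
    order = root.find(f"{{{SOAP}}}Body/{{{PO}}}PurchaseOrder")
    if order is None or order.find(f"{{{PO}}}Total") is None:
        return "discard", "body is not a purchase order with a Total"
    try:
        total = float(order.findtext(f"{{{PO}}}Total"))
    except ValueError:
        return "discard", "Total is not numeric"
    # "Is the content a high-value transaction?" -> special route.
    if total >= policy.high_value_threshold:
        return "route:high-value", f"total {total:,.2f} meets threshold"
    return "forward", "acceptable"


def sample_order(total: str, with_security: bool = True) -> bytes:
    """Constructed SOAP purchase order used to exercise decide()."""
    header = "<s:Header/>"
    if with_security:
        header = (f'<s:Header><wsse:Security xmlns:wsse="{WSSE}">'
                  "<wsse:UsernameToken><wsse:Username>bob</wsse:Username>"
                  "</wsse:UsernameToken></wsse:Security></s:Header>")
    return (f'<s:Envelope xmlns:s="{SOAP}">{header}<s:Body>'
            f'<po:PurchaseOrder xmlns:po="{PO}"><po:Total>{total}</po:Total>'
            "</po:PurchaseOrder></s:Body></s:Envelope>").encode()


if __name__ == "__main__":
    ok = Message("10.1.2.3", time(9, 30), sample_order("2.00"))
    print(decide(ok))  # ('forward', 'acceptable')
    big = Message("10.1.2.3", time(9, 30), sample_order("1000000.00"))
    print(decide(big))
```

The order of checks is deliberate: origin and arrival time cost nothing, the size limit and the DOCTYPE/ENTITY scan run on the raw bytes, and only then does the message reach the parser, so a malformed or oversized document never consumes parser time.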
Slide 13: Policy Enforcement Point (PEP)
A PEP enforces that the message adheres to the policy, and may, per policy, take input from one or more external resources to use in its enforcement process.
XML firewalls provide centralized management and enforcement when acting as a PEP.
(Diagram: the firewall's position is analogous to that of the PEP.)

Slide 14: Policy Decision Point (PDP)
A PDP makes a decision based upon the destination resource and the calling entity. It sends the decision to a PEP, which carries out enforcement.
XML firewalls can utilize inputs from a PDP, or can act as a PDP when one is not available.
(Diagram: PDP -> PEP)

Slide 15: Attribute Services (AS)
An AS provides attributes about resources and/or entities as inputs to a PDP.
XML firewalls can utilize inputs from an Attribute Service, or can act as an AS when one is not available.
(Diagram: AS -> PDP -> PEP)

Slide 16: Firewalls and PEP/PDP/AS
A firewall can act as a PEP, a PDP, or an AS.
• When a firewall is acting as a PEP, it "consults" a PDP service (externally or internally), gives it the information it knows, and asks "What should I do?" Thus, a firewall must always have both a PEP and a PDP.
• A firewall may provide a PEP, a PDP, and an AS.
(Diagram: traffic enters the firewall; the firewall's PEP takes inputs from a PDP and an AS.)

Slide 17: Firewall acting as a PEP only
The firewall (acting as a PEP only) performs threat protection, verifies message security, audits, and calls out to a PDP.
(Diagram: a document arrives at the firewall: "Bob wants to 'Do this', send a message to Service A". The firewall asks the PDP service, which holds the policies; the PDP asks the Attribute service "Tell me about Bob" and learns "Bob is in the Army".)

Slide 18: More Realistic use of an XML Firewall
(Diagram: a document arrives at the XML firewall, whose PEP performs threat protection, verifies message security, audits, and authenticates/authorizes via ABAC, consulting its policies, a PDP service, an Attribute service, and an Attribute Repository (LDAP).)
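To make the PEP/PDP/AS split of slides 13 to 18 concrete, here is an added Python sketch (not from the presentation or any product) in which the firewall acts as PEP, calls out to a PDP, and the PDP pulls attributes from an Attribute Service. Bob, Service A and "Bob is in the Army" come from slide 17; the attribute store, the rule set, the <Message> envelope format and the Alice entry are constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str   # the calling entity ("Bob")
    action: str    # what the entity wants to do
    resource: str  # the destination resource ("Service A")


class AttributeService:
    """Answers 'Tell me about Bob' (slide 17) from a constructed in-memory
    store that stands in for the LDAP attribute repository of slide 18."""

    def __init__(self, store: dict):
        self._store = store

    def attributes(self, subject: str) -> dict:
        # Unknown subjects get no attributes, so no rule can match them.
        return dict(self._store.get(subject, {}))


class PolicyDecisionPoint:
    """Decides on (calling entity, action, destination resource) as on
    slide 14, pulling the entity's attributes from the AS (slide 15).
    A rule is (resource, action, predicate over the attributes)."""

    def __init__(self, attribute_service: AttributeService, rules: list):
        self._as = attribute_service
        self._rules = rules

    def decide(self, req: Request) -> str:
        attrs = self._as.attributes(req.subject)
        for resource, action, predicate in self._rules:
            if (resource, action) == (req.resource, req.action) and predicate(attrs):
                return "Permit"
        return "Deny"  # default deny when no rule matches


class FirewallPEP:
    """The XML firewall acting as a PEP (slides 13 and 17): it checks the
    message, consults the PDP with what it knows, audits, and enforces."""

    def __init__(self, pdp: PolicyDecisionPoint, backends: dict):
        self._pdp = pdp
        self._backends = backends  # resource name -> callable(body) -> reply
        self.audit_log = []        # (subject, action, resource, decision)

    def handle(self, body: bytes) -> str:
        # Constructed envelope: <Message sender=".." action=".." to=".."/>.
        # In a real deployment the sender would come from a verified
        # WS-Security token, not from a plain attribute.
        root = ET.fromstring(body)
        req = Request(root.get("sender", ""), root.get("action", ""), root.get("to", ""))
        decision = self._pdp.decide(req)
        self.audit_log.append((req.subject, req.action, req.resource, decision))
        if decision != "Permit":
            return "Denied"
        backend = self._backends.get(req.resource)
        if backend is None:
            return "Denied"  # unknown destination: never forward blindly
        return backend(body)


def build_firewall() -> FirewallPEP:
    """Wire AS -> PDP -> PEP with constructed data for the demo."""
    attribute_service = AttributeService({
        "Bob": {"organization": "Army", "role": "buyer"},
        "Alice": {"organization": "Navy", "role": "buyer"},
    })
    rules = [
        # Only Army buyers may send purchase orders to Service A.
        ("Service A", "SendPurchaseOrder",
         lambda a: a.get("organization") == "Army" and a.get("role") == "buyer"),
    ]
    pdp = PolicyDecisionPoint(attribute_service, rules)
    backends = {"Service A": lambda body: "Service A: purchase order accepted"}
    return FirewallPEP(pdp, backends)


def message(sender: str, action: str, to: str) -> bytes:
    """Constructed message envelope for the example."""
    return f'<Message sender="{sender}" action="{action}" to="{to}"/>'.encode()


if __name__ == "__main__":
    fw = build_firewall()
    print(fw.handle(message("Bob", "SendPurchaseOrder", "Service A")))
    print(fw.handle(message("Alice", "SendPurchaseOrder", "Service A")))
    print(fw.audit_log)
```

Because the three roles are separate objects, the same FirewallPEP can be pointed at an external PDP or keep an internal one, which is the "can act as a PDP when one is not available" case of slide 14; the audit log the PEP keeps is the raw material for the auditing capability of slide 30.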
Slide 19: XML Acceleration (1 of 2)
XML is verbose, and processing it can be time consuming. XML firewalls provide mechanisms to accelerate XML processing:
• Utilize hardware-based mechanisms to accelerate XML processing
• Utilize low-level software processing capabilities and pipelining to accelerate XML processing
(Diagram: policy-unverified XML enters the XML firewall; policy-verified (new) XML goes on to the back-end applications.)
Back-end applications are relieved from doing all of this XML processing.

Slide 20: XML Acceleration (2 of 2)
Here is some XML processing which can be done very quickly with an XML firewall:
• Validate an XML message against an XML Schema
• Transform XML input using XSLT for output to a back-end service
• Verify that a message conforms to the WS-Security specification
• XPath processing and content-based routing

Slide 21: Threat Detection
An XML firewall can perform detection and mitigation of malicious code using XML as a vector of attack.
(Diagram: Entity A sends an XML purchase order containing malicious code; the XML firewall applies its malicious code policy and the malicious code is not allowed to pass to Entity B.)

Slide 22: Access Control
An XML firewall can perform fine-grained authentication and authorization of a sending and a receiving entity.
(Diagram: Entity A sends an XML purchase order to Entity B; the XML firewall's access control policy states that (A) is allowed to send purchase orders to (B).)

Slide 23: Complex Access Control
(Diagram labels only: Policy Enforcement Point; Secure Token Server (STS) for Federation; WSS secure SOAP messages with bound SAML tokens; Policy Administration; WS-Trust Token Requests; Policy Application Point; WS-MetadataExchange of WS-Policy Documents; Organization Blue; Organization Green; Program X; users Michelle and Dimitri.)

Slide 24: XML Schema Validation
An XML firewall can determine whether an XML message/document conforms to an XML Schema.
(Diagram: an XML document from Entity A is validated by the XML firewall against an XML Schema before being passed to Entity B.)
Slide 25: XSL Transformation
An XML firewall can change XML messages/documents through an integrated XSLT processor.
(Diagram: an XML document from Entity A is transformed by the XML firewall into a new XML document for Entity B.)

Slide 26: XML Filtering
An XML firewall can filter incoming XML traffic based on message size, disallowed content, other metadata, etc.
(Diagram: Entity A sends a large XML document; the XML firewall's policies reject it with "Message Size Limit Exceeded" before it reaches Entity B.)

Slide 27: Dynamic Routing
An XML firewall routes a request based on content, network parameters or other metadata.
(Diagram: Entity A sends a $1,000,000 purchase order; the firewall asks "Where should I route this document?" and, per its policies, routes it to the back-end that is not busy rather than the one that is busy.)

Slide 28: Service Virtualization/Abstraction
Mask back-end resources from external probing.
(Diagram: a message to Service (A) arrives at the XML firewall, which answers "I'm Service (A)" and, per its policies, forwards it to the actual Service (A).)
The XML firewall shields the actual service from external attacks by acting as a virtual stand-in for the service.

Slide 29: Quality of Service (QoS)
Enables you to provide service priorities:
• A $1,000,000.00 transaction will get expedited service; a $2.00 transaction will get regular service.
(Diagram: a $1,000,000 purchase order and a $2.00 purchase order arrive at the firewall; on arrival, per its policies, priority goes to the $1,000,000 purchase order.)
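Added example for slides 27 and 29 (not from the presentation, and not Layer 7 code): content-based routing to the least-loaded back-end combined with a priority queue that expedites high-value purchase orders. The back-end names, their load figures, the <PurchaseOrder><Total> document shape and the expedite_above threshold are constructed assumptions.

```python
import heapq
import itertools
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    in_flight: int  # requests currently being processed
    capacity: int   # at this count the back-end is "busy" (slide 27)

    @property
    def load(self) -> float:
        return self.in_flight / self.capacity


def purchase_order(total: str) -> bytes:
    """Constructed purchase-order document shape for the example."""
    return f"<PurchaseOrder><Total>{total}</Total></PurchaseOrder>".encode()


def order_total(body: bytes) -> float:
    """Content inspection: read the order value the routing decision needs."""
    root = ET.fromstring(body)
    text = root.findtext("Total")
    if text is None:
        raise ValueError("purchase order has no Total")
    return float(text)


def choose_backend(backends) -> Backend:
    """Route to the least-loaded back-end that still has spare capacity."""
    available = [b for b in backends if b.in_flight < b.capacity]
    if not available:
        raise RuntimeError("all back-ends are busy")
    return min(available, key=lambda b: b.load)


class PriorityDispatcher:
    """QoS (slide 29): orders at or above the threshold are expedited ahead
    of regular ones; among equals, first come first served."""

    def __init__(self, backends, expedite_above: float):
        self._backends = list(backends)
        self._threshold = expedite_above
        self._queue = []               # heap of (priority, seq, total, body)
        self._seq = itertools.count()  # keeps the heap FIFO within a priority

    def submit(self, body: bytes) -> str:
        total = order_total(body)
        priority = 0 if total >= self._threshold else 1
        heapq.heappush(self._queue, (priority, next(self._seq), total, body))
        return "expedited" if priority == 0 else "regular"

    def dispatch(self) -> list:
        """Drain the queue in priority order; return (total, backend, class)."""
        routed = []
        while self._queue:
            priority, _, total, _body = heapq.heappop(self._queue)
            backend = choose_backend(self._backends)
            backend.in_flight += 1  # the routed request now counts as load
            routed.append((total, backend.name,
                           "expedited" if priority == 0 else "regular"))
        return routed


if __name__ == "__main__":
    d = PriorityDispatcher([Backend("busy", 9, 10), Backend("idle", 1, 10)],
                           expedite_above=100_000)
    d.submit(purchase_order("2.00"))        # arrives first...
    d.submit(purchase_order("1000000.00"))  # ...but this one is dispatched first
    for row in d.dispatch():
        print(row)
```

The sequence counter in the heap entries matters: without it, two orders of equal priority and value would be ordered by comparing their raw bodies, which is neither fair nor meaningful.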
Slide 30: Auditing
Provides service level auditing capabilities:
• Number of requests
• Types of requests
• Where requests originate
(Diagram: the firewall collects audit data for Service 1 and Service 2.)

Slide 31: Virus Detection (1 of 2)
Many XML firewalls offer virus detection capabilities:
• Viruses in attachments (MIME and DIME messages)
• Viruses in XML content
(Diagram: a virus arrives at the firewall; "Virus Detected!")

Slide 32: Virus Detection (2 of 2)
How XML firewalls offer virus protection:
(Diagram: the firewall calls out to an external virus engine (Symantec or another scanner), which receives virus definition updates.)

Slide 33: Conclusions
Whew… You now know everything… Just kidding.
Keep in mind that SOA is a moving target and changes by the day!
Questions & Comments: Adam Vincent, avincent@layer7tech.com, 703-965-1771

   