Slide 1: How to Extend Oracle Fusion Middleware with a Security Gateway Appliance
Integration Scenarios for Securing External Web Services
September 30, 2009
Presented by:
Blake Dournaee – Product Manager, Intel SOA Products Group
Matt Sebastian – Solution Architect, Oracle Enterprise Solutions Group
Slide 2: Key Learning Objectives
• Identify which Oracle products can be leveraged by SOA Expressway to secure external web services
• Showcase why a Security Gateway Appliance is the recommended perimeter security model for Oracle Fusion Middleware
• Differentiate appliance form factors and illustrate why a Virtualized SOA Soft-appliance excels in today’s datacenter
Slide 3: External Web Services Present a Different Challenge
Internal Enterprise Need Solved (Oracle product: internal need it covers)
• Oracle WebLogic Suite: Application & Service Deployment
• Oracle SOA Suite: Internal Web Services
• Oracle Web Services Manager: Internal Web Services Mgmt
• Oracle IdM (OID, OAM, OEM): Internal SSO, AAA, Fine Grained Authorization
Open questions for external web services:
• XML content threats?
• Expose internal service externally?
• Partner SLAs?
• Expense to scale middleware?
• Tie-in to VDC strategy?
• B2B service monitoring?
• Consistent security policy?
• Credential mapping & federation?
SOA Security Appliances are purpose built to address Web Service security
Slide 7 (final build of Slides 4–7): How did we arrive here? SOA Appliance Evolution
Evolution by period (Data / Paradigm; Problem; Architecture / Form Factor):
2000
• Data / Paradigm: Static XML (XML/HTTP, XML, HTML)
• Problem: Latency, Throughput. “XML parsing and transformation is too slow to be useful for web sites; I need to process XML at wire speed.”
• Architecture / Form Factor: XML Proxy; XML Accelerator
2002–2006
• Data / Paradigm: XML Web Services (AAA, .NET, AXIS, IBM)
• Problem: Power, Performance, Security. “I need to provide scalable XML security for my Web Services. I need validation and message level security for my XML.”
• Architecture / Form Factor: WS Proxy; Security Gateway Hardware Appliance
2008+
• Data / Paradigm: Service Oriented Architecture (SOAP, XML/JMS, FTP, MLLP, HTTP; .NET, AXIS, AAA, JVM, IBM, DB)
• Problem: Performance, Power, Security, VDC Ready. “All of my new applications require workflows that deal in XML processing or legacy integration.”
• Architecture / Form Factor: SOA Proxy; Virtualized SOA Appliance
Slide 8: Ref Architecture – Security Gateway
Highly scalable/cost-effective SOA mediation and security solution
Slide 9: Core Threat Prevention Features
• Multi-stage Denial of Service (DoS) Protection: Multi-stage escalation and resiliency
• Content threats: Pre-built and extensible content filtering for the full application payload
• Hitless Policy Updates: Update threat signatures with zero downtime
• Unidirectional Protection: Protect back-end systems, partners and clients
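The multi-stage escalation this slide names, as an added illustration (not Intel's code and not how SOA Expressway implements it): a per-source state that moves from normal to alert, to rate-shaping, to blocking as the content filter rejects more of that source's messages inside a sliding window, and relaxes again as the window drains. The window, thresholds and shaped rate are assumed values.

```python
import time
from collections import deque

# Constructed thresholds (assumption): rejected messages per source within a sliding window.
WINDOW_SECONDS = 60
ALERT_AT = 5        # stage 1: raise an alert, keep forwarding
RATE_SHAPE_AT = 20  # stage 2: cap the source at SHAPED_RATE messages per second
BLOCK_AT = 100      # stage 3: drop everything from the source until the window drains
SHAPED_RATE = 2.0

class DosEscalator:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.rejections = {}   # source -> deque of timestamps of rejected messages
        self.last_shaped = {}  # source -> timestamp of last message forwarded while shaped
        self.alerts = []       # (source, timestamp) pairs handed to monitoring

    def _window(self, source, now):
        q = self.rejections.setdefault(source, deque())
        while q and now - q[0] > WINDOW_SECONDS:   # forget old rejections: resiliency
            q.popleft()
        return q

    def stage(self, source) -> str:
        n = len(self._window(source, self.clock()))
        if n >= BLOCK_AT:
            return "block"
        if n >= RATE_SHAPE_AT:
            return "rate-shape"
        return "alert" if n >= ALERT_AT else "normal"

    def record_rejection(self, source):
        # Called when the content filter rejects a message from this source.
        now = self.clock()
        q = self._window(source, now)
        q.append(now)
        if len(q) == ALERT_AT:                      # alert exactly once per escalation
            self.alerts.append((source, now))

    def admit(self, source) -> bool:
        # Decide whether the next message from this source may be forwarded.
        now = self.clock()
        stage = self.stage(source)
        if stage == "block":
            return False
        if stage == "rate-shape":
            if now - self.last_shaped.get(source, float("-inf")) < 1.0 / SHAPED_RATE:
                return False                        # too soon: shed this message
            self.last_shaped[source] = now
        return True
```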
Slide 10: Security Gateway Benefits
• Single entry point (sentry) for all XML/WS traffic
• Edge security provides earlier threat protection
• Separation of concerns
• Consistent security policy enforcement
• High performance security offload
• Easier to manage & audit
Security Gateway puts security architects in control!
Slide 11: Security Change: XML Security Threats
(Diagram: Application Environment & XML Streams)
XML Threat Dimensions
1. XML threats specific to b-to-b (services & APIs)
2. XML upstream (browser to services): Web 2.0 components and protocol attacks
3. XML downstream (services to browser): browsers and client attacks
Must Now Recognize Security In Outbound Direction
Slide 12: Infrastructure Change: Moore’s Law for SOA
Continuous Platform Improvements
• Movement towards multi-core computing lowers costs and increases efficiency
• Commodity hardware and virtualization continue to proliferate
New Challenges
• SOA applications need immediate multi-core enablement
• SOA needs an efficient virtualization tie-in
• Mission critical SOA requires efficient, continuously scalable XML processing
• SOA applications need all the help they can get from the platform!
Lower Cost Commodity Hardware
• Upgrade Compute Intensive SOA/XML Servers
Software’s Flexibility
• Multi-core Optimization
• Core™ i7 processor features
• Streaming SIMD Extensions 4.2
Upgrade Software to take Advantage of Moore’s Law
Optimizations Can Deliver 8X Performance Over Hardware Appliances
Slide 13: Standards Change: Policy Governance: Current State
(Diagram: two enterprise domains. Enterprise Domain 1 holds a Vendor A App Server, Registry, or Repository (PAP: Admin), a Vendor A Access/AAA Manager (PDP: Decision, vendor policy) and a Vendor A SOA Appliance (PEP: Enforce) in front of a Web Service Client; Enterprise Domain 2 mirrors this with Vendor B components. The link between the two domains is marked “x”: no policy crosses it.)
Current State
• Vendor specific policy
• One-off integration to use policy with other vendor’s PEP
• Forced to stack vendor suite approach vs best of breed runtime & design time policy framework
• Governance managed at domain level by vendor
Slide 14: Standards Change: Policy Driven SOA Evolution
(Diagram: the same two enterprise domains, each keeping its vendor App Server, Registry, or Repository (PAP: Admin) and its vendor Access/AAA Manager (PDP: Decision), now exchanging Standard Policy through Cross Domain Federated Governance; in each domain an ANY VENDOR SOA Appliance (PEP: Enforce) fronts the Web Service Client.)
Requirements
• Standard Schemas (XACML, WS-Policy, WSMex)
• Seamless integration between cross-vendor PEPs & PDPs
• SOA Appliance integration with any IdM or PDP source
• Enable True Federated Governance Model
Slide 15: Introducing Intel SOA Expressway
• Software Service Router – Security, Governance, Mediation, Virtualization
• Form Factor – Software (Windows, Linux, Solaris* on x86), Virtual Appliance, Hardware Appliance
• Optimized for Intel® Multi-Core – Scales directly on standard Intel-based servers
Key Capabilities
• Performance – Best-in-class wire speed XML acceleration & core XML IP
• Service Mediation – Sophisticated service mediation with non-XML data handling
• Service Governance – Runtime governance for enforcing service policies & reporting
• Security Features – Security proxy, services firewall, AAA, TLS, trust mediation & threats
• Flexibility – Appliance manageability with software extensibility
• Extensibility – Custom business rules, service hosting, data and messaging adapters
Fast installation, open architecture = simple overlay for Oracle deployment (slide footer dated 05/26/10)
Slide 16: Service Router Deployment
(Diagram: a Partner Service or Client and a Cloud service or Application reach Oracle* Fusion Middleware and the Enterprise Applications & Services through the Enterprise Perimeter (DMZ), where the service router sits.)
Perimeter Defense
• XML threat defense
• Security Gateway
• DoS Protection
• AAA
• Tamper Evident
Runtime Governance
• Runtime governance
• Virtual Appliance/Server Software
Cloud Governance
• Service Throttling
• Capacity Tuning
• Full Virtualization
• Interoperable with any policy
• Multi-Tenancy manager
• SLA enforcement & Audit
• Partner service mediation
Slide 17: Expressway = Tied to Intel Chip Roadmap
SOA Expressway will continue its leadership in performance with full optimization based on Intel multi-core, unique utilization of instruction sets and the architectural roadmap.
Now, on Nehalem: SOA Expressway uses
• Intel® SSE4.2
• XML/SOAP processing
• XML Threat detection
Now: Up to 8x custom appliances
Next, on Westmere: SOA Expressway will use
• Crypto Acceleration using AESNI
• Higher WS-Security, SSL performance
Next, on Sandy Bridge: SOA Expressway will use
• AVX optimized XML/SOAP processing
• ESIII Architecture
AESNI – Advanced Encryption Standard New Instructions
AVX – Advanced Vector Extensions
Slide 20 (final build of Slides 18–20): Policy Driven SOA for Diverse Environments
Current State: policy sources PAP1, PAP2, PAP3 … PAPn
• Oracle OWSM 11g Policy Server
• Or other Reg/Rep Solution that has vendor policy, non-standard policy or pseudo-standard-based policy
Policy Integration (SOA Expressway as the Security Enforcement Point)
• SOA Expressway polls for policy changes
• Downloads new policy and artifacts
• Transforms policy
• Seamless transition without message loss
SOAE Driven by Policies We Enforce
• Mediation: Exchange data between services inside or outside the datacenter
• QoS: Enforcement of SLAs, FIFO and Throttling
• Threats: Protection against threats not covered by firewall
• Trust: AAA functions: data privacy & AuthN for message/transport
Open, pluggable architecture supports broad integration
Slide 21: Integration with Oracle 11g SOA Suite
Slide 22: Use Case 1: XML Attack Protection
• XML Attack Protection: When an internet/cloud service is exposed to XML content threats, such as coercive parsing or semantic threats
• Content Threats: Pre-built and extensible content filtering for the full application payload
• DoS Protection: Multi-level, adaptive denial of service protection to block, rate-shape and alert on bad traffic
• Performance Side Effects from Bad XML Calls: Offload processing cycles spent by Oracle SOA or OWSM suite dealing with bad XML calls, via filtration
Use OWSM for internal services and SOA Expressway for external services
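An added example, not code from the deck or from SOA Expressway, of the pre-parse screening a gateway applies to an external service's XML before it reaches OWSM or the SOA Suite: a size cap, a nesting-depth cap against coercive parsing, an attribute-count cap, and an outright refusal of any DTD (which removes entity expansion and external entities in one step). The limit values are constructed for illustration; a real gateway takes them from policy.

```python
import xml.parsers.expat

# Limits are constructed for illustration; a real gateway takes them from policy (assumption).
MAX_BYTES = 100 * 1024   # slide 23 cites 100KB+ messages as where the service bus saturates
MAX_DEPTH = 32           # coercive-parsing payloads nest elements thousands deep
MAX_ATTRS = 64           # attribute floods are the other common parser-exhaustion shape

def inspect_xml(payload: bytes, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH,
                max_attrs=MAX_ATTRS) -> str:
    """Screen an inbound XML/SOAP payload; return 'accept' or 'reject: <reason>'."""
    if len(payload) > max_bytes:            # cheapest check first: no parsing at all
        return "reject: oversized message"
    depth = [0]                             # mutable cell shared with the handlers
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Refusing any DTD stops entity expansion and external-entity fetches outright.
        raise ValueError("DTD not permitted")

    def on_start(name, attrs):
        depth[0] += 1
        if depth[0] > max_depth:
            raise ValueError("coercive parsing: nesting depth exceeded")
        if len(attrs) > max_attrs:
            raise ValueError("coercive parsing: attribute count exceeded")

    def on_end(name):
        depth[0] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(payload, True)          # exceptions raised in handlers propagate here
    except ValueError as exc:
        return f"reject: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return f"reject: malformed XML ({exc})"
    return "accept"

# Constructed sample messages.
GOOD = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><getQuote><symbol>INTC</symbol></getQuote></soap:Body></soap:Envelope>')
DEEP = b"<a>" * 40 + b"x" + b"</a>" * 40                       # nests past MAX_DEPTH
WITH_DTD = b'<!DOCTYPE x [<!ENTITY e "expanded">]><x>&e;</x>'  # any DTD is refused
```

Because the verdict is produced while streaming through expat, a rejected message is abandoned at the first offending construct rather than fully parsed, which is the processing-offload point the slide makes.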
Slide 23: Use Case 2: Performance Benefits
10x-100x Improvement for XML Rich Apps
Large Message Handling
• Prevent saturation/performance degradation of the Oracle Service Bus for large messages or transformations of 100KB or more
Increased throughput for SOA apps
• Optimal when transactions exceed 5,000 messages/sec (MPS)
Intel Multi-core Optimized
• Patented algorithms
• Optimized memory
• Only product to have sub-millisecond simple proxy performance
(Chart: messages per second for App Servers, ESBs, Hardware Appliance and Software Appliance Intel SOA Expressway, with a “Critical” threshold marked.)
Best in Class Performance. Oracle Lab Tested
Slide 24: Use Case 3: Oracle IdM Integration
• On-demand delegation of AuthN and AuthZ decisions to Oracle IDM Suite; can optionally enforce identity checks closer to the network edge
• Can perform authentication by integrating directly with the Access Server portion of the Oracle Access Manager or OID
• Acts as Security Token Server to normalize & map inbound credentials from another domain to the format needed by Oracle OWSM for web service or web SSO
Preserve investment in Oracle IDM & extend externally with SOAE
Slide 25: Benefits of Moore’s Law for SOA & Virtualization
Hardware Appliances
• They lose all of their capital value over a five-year period
• At capital replacement time, the appliance must be upgraded or retired
• Retained Value: 0%
SOA Expressway Software Appliance
• Only the server hardware depreciates, software holds value
• At capital replacement time, general purpose servers can be repurposed
• Retained Value: 92% (or more)
(Chart: capital depreciation from Year 1 to Year 5 on a $0 to $400,000 scale, SOA Expressway Capital Depreciation vs Appliance Capital Depreciation.)
Slide 26: Oracle & Intel: The Premier Web Service Security Solution
Criteria and the Intel & Oracle Joint Solution:
• Full featured Security Gateway: Mature solution packed with unique features: XSLT 2.0, XPath 2.0, WS-*, Virtualization
• Performance & scale: Clear leader. In production at world’s largest SOA deployments
• Fast, drop-in Oracle Integration: Oracle lab tested & field trained
• Vendor viability: Intel SSG is 6th largest in software. World class support. Strategic tie-in to chip.
• Affordable solution: Typically ½ the cost. Deploy generic hardware.
Download Eval and test Oracle specific scenarios
Slide 27: More Information?
www.intelforfusion.com
• Video Usage Scenarios
• Eval & Fusion Sample App
www.intel.com/software/soae/webinars
• Evolving SOA Appliance – 3 Game Changing Innovations
New White Paper
• A Review of Pre-tested Integration Scenarios
Schedule a Demo
• Intel OpenWorld Booth: Live Demo
intelsoainfo@intel.com