IBM DataPower Gateway – The Security Gateway
<Pierre Richelle/> – {"title": ["Technical", "Specialist", "Integration"]}
© 2015 IBM Corporation

Agenda
► IBM DataPower Gateway Introduction & Concept
► Capabilities
► Use Cases
► Wrap-up

Silos of security & control are impeding business agility
(Diagram: one dedicated gateway per business channel and user community)
• Business channels: B2B, SOA, Web, Mobile, APIs
• Users: Partners, Developers, Consumers, Employees
• Security & control solutions, one per channel: B2B Gateway, SOA Gateway, API Gateway, Mobile Gateway, Web Access Proxy, Cloud Gateway
• Applications and systems: Application, Middleware, ESB, Service, z System, Cloud – all of them

Reduce cost + improve security & control with a single gateway
(Diagram: the same channels, users and systems, with a single DataPower Gateway in the middle)
• The DataPower Gateway replaces the per-channel security & control solutions
• Available as a physical appliance or a virtual appliance
• Three roles: Protect, Control, Integrate

IBM DataPower DNA
• A true network device: configuration through WebGUI, CLI and SOMA
• Digitally signed and encrypted firmware
• IBM-optimized embedded operating environment
• XML acceleration and crypto acceleration
• Flash memory and dedicated hardware

Flexible deployment
• IBM DataPower Gateway Appliance
• IBM DataPower Gateway Virtual Edition
• The same DataPower configuration runs on either form factor

Agenda
► Capabilities

IBM DataPower Gateway capabilities
• Optional modules: ISAM Proxy Module, Integration Module, B2B Module, AO Module, TIBCO EMS Module, HSM
• Protect: Threats, Encryption, AAA, Validation
• Control and Integrate: Service Level Management, Transformation, Routing

Protect – XML / JSON Threat Protection
• Entity expansion / recursion attacks
• Content validation (XML / JSON)
• XML / JSON size, width and depth attacks
• Public key DoS
• XML flood
• Resource hijack
• Dictionary attack
• Replay attack
• Message / data tampering
• Message snooping
• XPath or SQL injection
• XML encapsulation
• XML virus
• … many others

Protect – Cryptographic Operations
• XML-Encryption (http://www.w3.org/TR/xmlenc-core/): data confidentiality
  ◦ Encrypt the whole message or specific fields (document crypto map)
  ◦ Decrypt data
• XML-DSig (http://www.w3.org/TR/xmldsig-core/): data integrity and non-repudiation of data
  ◦ Digital signature: define the elements on which the signature is based (document crypto map)
  ◦ Signature verification

Protect – Authentication, Authorization, Audit
• Employ flexible AAA (Authenticate, Authorize, Audit) policies

Control – Service Level Management
• Protect your system from over-utilization
• Frequency measured by concurrency, or by messages per time period (rate)
• Take action when a custom threshold is exceeded:
  ◦ Notify (or log)
  ◦ Shape (or delay)
  ◦ Throttle (or reject)

Control – High Availability
• Control load distribution
• Combine SLM with routing to make intelligent failover decisions: use alternate servers when a threshold is exceeded
• Advanced load balancing algorithms simplify your architecture: First Available, (Weighted) Round Robin, (Weighted) Least Connections, Hash
• Deployment patterns (diagram): active / active behind a load balancer; active / standby sharing a VIP (HSRP / VRRP); active / active with the AO module behind a VIP and a load balancer

Integrate – Protocol & data mediation
• No dependencies between the inbound "front-side" and the outbound "back-side"
• Integrate disparate transport protocols with extreme ease
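The Service Level Management and High Availability slides above describe a threshold policy with three escalating actions (notify, shape, throttle) and SLM combined with routing for failover. The following is an added example in Python, not DataPower code or configuration: it models a messages-per-interval window and a concurrency limit, applies the three actions in order, and diverts throttled traffic to an alternate server. The threshold values, server names and the `SlmPolicy`, `route` and `simulate` names are assumptions made for the example.

```python
"""Service Level Management (SLM) policy evaluator.

Added example, not DataPower code. It models the two frequency measures the
slide names (concurrency and messages per time period) and its three actions
(notify, shape, throttle) as a sliding-window counter with thresholds, and
shows SLM combined with routing: a throttled message is sent to an alternate
server instead of being dropped."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class SlmPolicy:
    interval_s: float            # length of the rate window (seconds)
    notify_at: int               # messages per window above which we log
    shape_at: int                # ... above which we delay
    throttle_at: int             # ... above which we reject
    max_concurrent: int          # in-flight limit (concurrency threshold)
    shape_delay_s: float = 0.05  # delay applied when shaping
    log: list = field(default_factory=list)
    _stamps: deque = field(default_factory=deque)
    _in_flight: int = 0

    def admit(self, now: float):
        """Decide on one message. Returns (action, delay_seconds)."""
        while self._stamps and now - self._stamps[0] >= self.interval_s:
            self._stamps.popleft()         # drop timestamps outside the window
        if self._in_flight >= self.max_concurrent:
            self.log.append(f"{now:.3f} throttle concurrency={self._in_flight}")
            return "throttle", 0.0
        count = len(self._stamps) + 1      # rate including this message
        if count > self.throttle_at:
            self.log.append(f"{now:.3f} throttle rate={count}")
            return "throttle", 0.0
        self._stamps.append(now)
        self._in_flight += 1
        if count > self.shape_at:
            return "shape", self.shape_delay_s
        if count > self.notify_at:
            self.log.append(f"{now:.3f} notify rate={count}")
            return "notify", 0.0
        return "allow", 0.0

    def complete(self):
        """Call when the back-end reply has been sent (frees a concurrency slot)."""
        self._in_flight = max(0, self._in_flight - 1)


def route(policy, now, primary="primary-server", alternate="alternate-server"):
    """SLM combined with routing: fail over when the threshold is exceeded."""
    action, delay = policy.admit(now)
    target = alternate if action == "throttle" else primary
    return target, action, delay


def simulate(policy, n, start=0.0, spacing=0.01):
    """Admit n messages spaced `spacing` seconds apart; return the actions."""
    actions = []
    for i in range(n):
        action, _ = policy.admit(start + i * spacing)
        actions.append(action)
        if action != "throttle":
            policy.complete()
    return actions


if __name__ == "__main__":
    # Constructed traffic: 12 messages within one second against a
    # 5 / 8 / 10 per-second policy.
    policy = SlmPolicy(interval_s=1.0, notify_at=5, shape_at=8,
                       throttle_at=10, max_concurrent=100)
    print(simulate(policy, 12))
    print(policy.log)
```

The thresholds are evaluated strictly in order (concurrency first, then rate), so a caller only ever has to handle one action per message; `complete()` must be called on every non-throttled message or the concurrency slot leaks, which is the usual bug in home-grown rate limiters.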
Integrate – Protocol & data mediation
• Supported transports: HTTP(s), WebSphere MQ, WebSphere JMS, TIBCO EMS, SFTP, FTP(s), NFS, IMS, Database (DB2, Oracle, Sybase, SQL Server), AS1, AS2, AS3, …
• (Diagram: any front-side protocol paired with any back-side protocol – HTTP/S, FTP/S, MQ, JMS on either side)
• Transform the message format with ultimate flexibility
• Process XML and non-XML formats in a single configuration
• Support synchronous, asynchronous, publish-subscribe and guaranteed-delivery message patterns

Integrate – Supported languages and transformation standards
• XSLT: XSLT 1.0 / XPath 1.0, EXSLT, DataPower extension elements and functions
• XQuery 1.0, JSONiq
• JSON Schema validation
• JavaScript (GatewayScript): strict mode, CommonJS, ECMAScript 5 reference
• Binary transformation: FFD (XSLT binary transformation), WebSphere Transformation eXtender

Agenda
► Use Cases

IBM DataPower Appliance usage – Protect, Control, Integrate
(Diagram: Internet → DMZ → Trusted Domain; a DataPower Gateway in the DMZ in front of applications, services and middleware, and a second DataPower Gateway inside the trusted domain; consumers and trading partners on the Internet side)
1. Mobile Gateway
2. API Gateway
3. Web Gateway
4. B2B Partner Gateway
5. SOA & API Gateway (z System)
6. Internal Security Enforcement
7. Web Services Governance & Management

Service security gateway (diagram)
• Service consumer → exposed service invocation → Security Gateway → target service invocation → service provider (SOAP service provider, REST service provider, web application provider)
• Gateway functions: Authentication, Service Consumer Authorizations, Routing, Transformation, Service Level Agreement
• Gateway output: Logs (trace & audit), service usage statistics & monitoring

Agenda
► Wrap-up

IBM DataPower Gateway values
• Protect – Mobile, API, Web, SOA, B2B – using threat protection, encryption, AAA, validation
• Control – access to your systems – using Service Level Management
• Integrate – your systems of record – using protocol and data transformation & routing

Thank you! Questions?
Backup Slides

Supported Standards & Protocols
Data format & language
‒ JavaScript
‒ JSON
‒ JSON Schema
‒ JSONiq
‒ REST
‒ SOAP 1.1, 1.2
‒ WSDL 1.1
‒ XML 1.0
‒ XML Schema 1.0
‒ XPath 1.0
‒ XPath 2.0 (XQuery only)
‒ XSLT 1.0
‒ XQuery 1.0
Security policy enforcement
‒ OAuth 2.0
‒ SAML 1.0, 1.1 and 2.0, SAML Token Profile, SAML queries
‒ XACML 2.0
‒ Kerberos, SPNEGO
‒ RADIUS
‒ RSA SecurID OTP using RADIUS
‒ LDAP versions 2 and 3
‒ Lightweight Third-Party Authentication (LTPA)
‒ Microsoft Active Directory
‒ FIPS 140-2 Level 3 (w/ optional HSM)
‒ FIPS 140-2 Level 1 (w/ certified crypto module)
‒ SAF & IBM RACF® integration with z/OS
‒ Internet Content Adaptation Protocol
‒ W3C XML Encryption
‒ W3C XML Signature
‒ S/MIME encryption and digital signature
‒ WS-Security 1.0, 1.1
‒ WS-I Basic Security Profile 1.0, 1.1
‒ WS-SecurityPolicy
‒ WS-SecureConversation 1.3
Transport & connectivity
‒ HTTP, HTTPS, WebSocket Proxy
‒ FTP, FTPS, SFTP
‒ WebSphere MQ
‒ WebSphere MQ File Transfer Edition (MQFTE)
‒ TIBCO EMS
‒ WebSphere Java Message Service (JMS)
‒ IBM IMS Connect & IMS Callout
‒ NFS
‒ AS1, AS2, AS3, ebMS 2.0, CPPA 2.0, POP, SMTP (XB62)
‒ DB2, Microsoft SQL Server, Oracle, Sybase, IMS
Transport Layer Security
‒ SSL versions 2 and 3
‒ TLS versions 1.0, 1.1, and 1.2
Public key infrastructure (PKI)
‒ RSA, 3DES, DES, AES, SHA, X.509, CRLs, OCSP
‒ PKCS#1, PKCS#5, PKCS#7, PKCS#8, PKCS#10, PKCS#12
‒ XKMS for integration with Tivoli Security Policy Manager (TSPM)
Management
‒ Simple Network Management Protocol (SNMP)
‒ SYSLOG
‒ IPv4, IPv6
‒ Open file formats: Distributed Management Task Force (DMTF) Open Virtualization Format (OVF), Virtual Machine Disk Format (VMDK), Virtual Hard Disk (VHD)
Web services
‒ WS-I Basic Profile 1.0, 1.1
‒ WS-I Simple SOAP Basic Profile
‒ WS-Policy Framework
‒ WS-Policy 1.2, 1.5
‒ WS-Trust 1.3
‒ WS-Addressing
‒ WS-Enumeration
‒ WS-Eventing
‒ WS-Notification
‒ Web Services Distributed Management (WSDM)
‒ WS-Management
‒ WS-I Attachments Profile
‒ SOAP Attachment Feature 1.2
‒ SOAP with Attachments (SwA)
‒ Direct Internet Message Encapsulation (DIME)
‒ Multipurpose Internet Mail Extensions (MIME)
‒ XML-binary Optimized Packaging (XOP)
‒ Message Transmission Optimization Mechanism (MTOM)
‒ WS-MediationPolicy (IBM standard)
‒ Universal Description, Discovery, and Integration (UDDI versions 2 and 3), UDDI version 3 subscription
‒ WebSphere Service Registry and Repository (WSRR)

DataPower Gateways …
• SECURE Mobile, API, Web, SOA, B2B and Cloud workloads
• INTEGRATE systems of engagement with systems of record
• CONTROL & MANAGE traffic and service level agreements
• OPTIMIZE data delivery and user experiences
• CONSOLIDATE & simplify the infrastructure footprint
IBM DataPower Gateways provide a low startup cost, helping clients increase ROI and reduce TCO with specialized, consumable, dedicated gateway appliances that combine superior performance and hardened security in physical and virtual form factors.

Features
• Secure: authentication, authorization, auditing; security token translation; threat protection; schema validation; message filtering & semantics validation; message digital signature; message encryption
• Integrate: any-to-any message transformation; transport protocol bridging; content-based routing; message enrichment; database connectivity; mainframe connectivity; B2B trading partner connectivity
• Control: service level management; quota enforcement, rate limiting; message accounting; failure re-routing; integration with management & visibility platforms
• Optimize: SSL / TLS offload; hardware accelerated crypto operations; JSON, XML offload; JavaScript, JSONiq, XSLT, XQuery acceleration; response caching; intelligent load distribution

Simplify, offload & centralize critical functions
(Diagram: before the DataPower Gateway, every consumer connects straight to the back-end and each function is implemented there; after, the DataPower Gateway sits between consumers and the back-end and provides the Secure, Integrate, Control and Optimize functions centrally)

Security Gateway (diagram)
• Zones: Outside World → DMZ → Internal Network
• Formats and standards handled in the DMZ: HTML, JSON, XML, SOAP; MIME, DIME, MTOM; XMLDSIG, XMLENC; WS-SecurityPolicy, WS-Trust; SAML; OAuth 2.0
• Internet side: browsers and partner apps → Internet Protocol Firewall → DMZ
• DMZ: a Security Gateway for incoming access control and threat protection (HTTP(s)); a second Security Gateway for outgoing access control towards SaaS (SAML injection etc.)
• Domain Firewall → Internal Network: internal consumers, packaged apps, proprietary apps, data, ESB, internal security
• Identity and policy sources: ACL, Tivoli (TAM), MS Active Directory, any LDAP (e.g. Oracle), CA SiteMinder, PDP (XACML, SAML, other)

Proxying and Enforcement
(Diagram: the consumer's connection terminates at the gateway, which opens a new connection to the provider. Inbound credentials: Basic Auth, OAuth 2.0, WS-Security UNT, etc.; outbound tokens: SAML, LTPA, Kerberos. The gateway also consults an ACL and a virus scanner.)
• Terminate the incoming connection
• Terminate transport-level security (SSL/TLS offload)
• Threat protection
• Enforce Service Level Agreement policies
• Inspect message content and filter (schema validation)
• Enforce security policies on message content (encrypt/decrypt, verify/sign digital signatures)
• Authentication, Authorization, Auditing (AAA)
• Call out to a virus checker
• Transform content & enrich the message
• Translate the security token
• Dynamically route based on content, and load balance (establish a new connection to pass results)
• Cache data on-box or in a centralized, shared grid

Protection of data plus XML & JSON threat protection
• Use DataPower to help resolve PCI compliance issues
• Easily sign, verify, encrypt, decrypt any content
• Configurable XML Encryption and Digital Signatures – message-level, field-level, headers
• Security standards: OAuth, WS-Security, WS-Policy, WS-SecurityPolicy, SAML, XACML, WS-Trust, …
XML Threat Protection
• Entity expansion / recursion attacks
• Public key DoS
• XML flood
• Resource hijack
• Dictionary attack
• Replay attack
• Message / data tampering
• Message snooping
• XPath or SQL injection
• XML encapsulation
• XML virus
• … many others
JSON Threat Protection
• Label - value pairs
  ‒ Label string length (characters)
  ‒ Value string length (characters)
  ‒ Number length (characters)
• Threat protection
  ‒ Maximum nesting depth (levels)
  ‒ Maximum document size (bytes)
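The threat protection slides list the limits a gateway enforces before a message reaches the back-end: document size, nesting depth, XML width, JSON label / value / number length, and protection against entity expansion. The following is an added example in Python, not DataPower code: a small pre-parser filter that enforces those limits on constructed sample messages and returns a pass / block decision. The `Limits` defaults, the `scan`, `check_json` and `check_xml` names and the decision to reject any DTD outright (rather than only entity declarations) are assumptions made for the example.

```python
"""XML / JSON threat protection checks in the style the slides describe.

Added example, not DataPower code. The Limits object models the slide's
knobs (document size, nesting depth, width, label / value / number length);
entity expansion is blocked by rejecting any DTD before it is processed."""
import json
import xml.parsers.expat as expat
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    max_bytes: int = 4096        # maximum document size (bytes)
    max_depth: int = 8           # maximum nesting depth (levels)
    max_width: int = 32          # maximum child elements per XML element
    max_label_len: int = 32      # JSON label string length (characters)
    max_value_len: int = 256     # JSON value string length (characters)
    max_number_len: int = 20     # JSON number length (characters, as written)


class ThreatDetected(ValueError):
    """Raised with a reason string when a message violates a limit."""


def _scan_json_depth(text: str, lim: Limits) -> None:
    # Pre-scan bracket depth on the raw text so a deeply nested document is
    # rejected before the recursive json decoder ever sees it.
    depth, in_str, esc = 0, False, False
    for ch in text:
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch in "[{":
            depth += 1
            if depth > lim.max_depth:
                raise ThreatDetected(f"nesting depth exceeds {lim.max_depth}")
        elif ch in "]}":
            depth -= 1


def _number_hook(lim: Limits, convert):
    # json.loads passes the number literal exactly as written on the wire,
    # so its character length is checked before conversion.
    def hook(literal: str):
        if len(literal) > lim.max_number_len:
            raise ThreatDetected(f"number length exceeds {lim.max_number_len}")
        return convert(literal)
    return hook


def _check_tree(node, lim: Limits) -> None:
    if isinstance(node, dict):
        for label, value in node.items():
            if len(label) > lim.max_label_len:
                raise ThreatDetected(f"label length exceeds {lim.max_label_len}")
            _check_tree(value, lim)
    elif isinstance(node, list):
        for value in node:
            _check_tree(value, lim)
    elif isinstance(node, str) and len(node) > lim.max_value_len:
        raise ThreatDetected(f"value length exceeds {lim.max_value_len}")


def check_json(raw: bytes, lim: Limits = Limits()):
    """Return the decoded document, or raise ThreatDetected."""
    if len(raw) > lim.max_bytes:
        raise ThreatDetected(f"document size {len(raw)} exceeds {lim.max_bytes}")
    text = raw.decode("utf-8")
    _scan_json_depth(text, lim)
    doc = json.loads(text, parse_int=_number_hook(lim, int),
                     parse_float=_number_hook(lim, float))
    _check_tree(doc, lim)
    return doc


def check_xml(raw: bytes, lim: Limits = Limits()) -> int:
    """Return the element count, or raise ThreatDetected."""
    if len(raw) > lim.max_bytes:
        raise ThreatDetected(f"document size {len(raw)} exceeds {lim.max_bytes}")
    parser = expat.ParserCreate()
    children = []          # stack: child count of each open element
    count = 0

    def start(name, attrs):
        nonlocal count
        count += 1
        if children:
            children[-1] += 1
            if children[-1] > lim.max_width:
                raise ThreatDetected(f"width exceeds {lim.max_width}")
        children.append(0)
        if len(children) > lim.max_depth:
            raise ThreatDetected(f"nesting depth exceeds {lim.max_depth}")

    def doctype(*_):
        # Any DTD can declare entities: reject it (entity expansion / recursion).
        raise ThreatDetected("DTD not allowed")

    parser.StartElementHandler = start
    parser.EndElementHandler = lambda name: children.pop()
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(raw, True)
    except expat.ExpatError as exc:
        raise ThreatDetected(f"malformed XML: {exc}") from None
    return count


def scan(raw: bytes, lim: Limits = Limits()) -> str:
    """Gateway decision for one message: 'pass' or 'block: <reason>'."""
    try:
        if raw.lstrip()[:1] == b"<":
            check_xml(raw, lim)
        else:
            check_json(raw, lim)
        return "pass"
    except ValueError as exc:   # ThreatDetected, JSONDecodeError, bad UTF-8
        return f"block: {exc}"


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    for msg in (b'{"user": "alice", "n": 42}', b"[" * 20 + b"]" * 20,
                b'<!DOCTYPE a [<!ENTITY e "x">]><a>&e;</a>', b"<a><b/><b/></a>"):
        print(scan(msg))
```

The order of the checks matters: size is tested on the raw bytes, depth is tested on a linear pre-scan, and only then does a real parser run, so the expensive or recursive step never executes on a document that already fails a cheaper limit. The same ordering is what makes the gateway-side limits effective against the size, width and depth attacks the slides name.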
DataPower security is policy driven
• Use WS-SecurityPolicy to define security requirements for your web services
  ‒ DataPower natively consumes and enforces WS-SecurityPolicy statements: integrity & confidentiality, SupportingTokens, message / transport protection
• Use XACML to define access and authorization policies for your web services
  ‒ DataPower natively consumes and enforces XACML policies: resource-based authorization, acting as PEP or PDP

AAA: Authentication, Authorization, Auditing (policy flow)
• Extract Identity (input): HTTP headers, WS-Security tokens, WS-SecureConversation, WS-Trust, Kerberos, X.509/SSL, SAML assertion, IP address, LTPA token, HTML form, OAuth, custom
• Authenticate: LDAP / Active Directory, System z NSS (RACF, SAF), IBM Security Access Manager, Kerberos, WS-Trust, Netegrity SiteMinder, RADIUS, SAML, LTPA, verify signature, custom
• Map Identity
• Extract Resource: URL, XPath, SOAP operation, HTTP operation, custom
• Map Resource
• Authorize: LDAP / Active Directory, System z NSS, IBM Security Access Manager, Netegrity SiteMinder, SAML, XACML, OAuth, custom
• Audit & Post-Process (output): add WS-Security, generate z/OS ICRX token, generate Kerberos, generate SPNEGO, generate SAML, generate LTPA, map Tivoli Federated Identity
• Decisions use an external access control server or the onboard identity management store

IBM DataPower Gateway values (recap)
Protect
• Cryptographic operations: data confidentiality (XML encryption), data integrity (digital signature, signature verification), non-repudiation of data; crypto treatments with a hardware component (appliance)
• Threat protection: recursion attacks, content validation, XML / JSON size, width and depth attacks, XML flood, dictionary attack, replay attack, XPath or SQL injection, XML encapsulation, XML virus, …
• AAA: authenticate (LDAP, Tivoli Access Management, Kerberos, WS-Trust, SAML, LTPA, OAuth2, …), authorize (LDAP, XACML, SAML, custom, …), audit & post-process (logs, SNMP, WS-Management; add WS-Security; generate LTPA, SAML, …)
Control
• Service Level Management: throttle, shape (delay), reject or intelligent fail over, notify, load balancing
Integrate
• Routing & transformation: HTTP, WMQ, FTP, AS1/2/3, WJMS, …; protocol conversion; data transformation (JSON, XML, XQuery, JavaScript, XSLT); hardware acceleration (appliance); routing