DataPower SOA Appliances: Accelerating Value

Uploaded by converseoncologist, category Internet and Web Applications, 7 Aug 2012, 634 views

© 2007 IBM Corporation

DataPower SOA Appliances: Accelerating Value

Ricardo Fittipaldi
DataPower SOA Appliances, Latin America Sales
rfittipa@ve.ibm.com

IBM Software Group | WebSphere software

The Infamous Spaghetti Chart…

[Diagram: business objectives (Innovation: top line growth; Operational Excellence: reduce costs; Resources and IT Assets: gain market share) wired point-to-point to a Legacy Claims Database, Home Claims System, Business Partner Claims System, Auto Claims System and Life Insurance Claims system]

- Complex processes & systems
- Complex applications & interfaces
- Difficult to adapt quickly
- Large portion of IT budget spent on maintenance, not on new value-add investments


Service Enabling Applications Addresses This Challenge

[Diagram: the same business objectives and claims systems, now layered by rate of change and degree of reuse: Business Processes on top, reusable Service Components below them, and at the bottom the Legacy Database, Consumer System, Business Partner System, Ranking System, Alerting Consumer Products and External systems]


This Promises Efficiencies… but Comes With Challenges

XML Challenges

- Businesses want to move to standards-based XML… but XML is bulky, which can cause performance bottlenecks.
- Businesses want to deploy secure XML-based applications… but security adds further bulk to applications that slows them down.
- Businesses want to integrate their new Web Services to existing legacy applications… but this creates a need for process-intensive format transformations.

- Web Service enabling apps delivers huge efficiencies through reuse of services.
- XML/Web Services form the foundation of service enablement, but bring new challenges:
  - Scalability: XML is very bandwidth, CPU, and memory intensive;
  - Security: connecting systems via Web Services creates new security issues.
  - Integration: connecting Web Services to legacy applications requires different formats.



“Commodity” Processes Migrate to Appliances

- Historical trend is for software functions that are simple, yet require a lot of computing power, to move into dedicated appliances.
- Part of a larger trend that initially started by moving functions such as Traffic Routing and Load Balancing into hardware.
- XML/Web Services processing tasks such as Security, Application Routing, Transformation, Management are rather simple, but very CPU intensive.


IBM’s Answer: XML-aware Network Appliances

- Solve XML’s performance & scalability challenges in an appliance
- Patented architecture to process “XML in hardware”
- Offload & combine functions from traditional software onto a purpose-built appliance:
  - XML security & transformations
  - Web Services Management
  - Legacy integration and protocol switching
  - Other resource-intensive tasks

RESULTS:
- Improved security & integration
- Reduced latency, more throughput
- Significant reduction in server farms
- ROI payback typically in < 1 year
- Lower capital costs (fewer servers)
- Decreased maintenance costs
- Reduced time to market
- Datacenter savings

WebSphere DataPower Appliances


Advantages of a Network Appliance vs. a Server Appliance

- Optimized hardware, firmware, encapsulated OS
- High configuration security
- Vulnerabilities eliminated, such as those from open source components, Trojan horses, Java/C++ libraries
- Encryption keys stored in hardware
- No drives or USB ports
- Tamper-proof case

[Diagram: the DataPower network appliance stack (hardware, firmware, XML acceleration, crypto acceleration, configuration) contrasted with a server appliance stack (hardware with floppy, CD-ROM, USB port and disk; Linux OS config; Apache config; libxml, glibc, Java; Tomcat config; Linux daemon config; proprietary software config; MySQL config)]

IBM DataPower SOA Appliances

[Diagram: the three appliances in a network. XA35 (XML acceleration): XML and XSL between the Internet and a client or server, emitting XML, HTML or WML. XS40 (XML security gateway): HTTP XML request and response for a Web Services client, integrated with Tivoli Access Manager and Federated Identity Manager. XI50 (integration appliance): legacy request and response across the IP firewall, Internet, web tier, security, integration & management tiers, application server and web server, monitored by ITCAM for SOA]
DataPower Customer Scenarios


WebSphere DataPower XML Security Gateway XS40 (XML/AAA Gateway)

Scenario 1: B2B Security Gateway

1. 3rd party makes service request (SOAP/HTTP/HTTPS)
2. Capture credentials and pass SAML query to Tivoli for authentication and authorization
3. Verify, decrypt and validate request message
4. Generate appropriate token (SAML, WS-Security) and route request to backend service
5. Process and validate response message
6. Sign and encrypt response
7. Send response to client

AAA stages on the XS40: Extract Identity, Extract Resource, Map Credentials, Map Resource, Authenticate, Authorize, Audit

Request-side processing: XML Decrypt, Signature Verify, Schema Validate, Route, XML Transform
Response-side processing: Schema Validate, XML Encrypt, XML Sign

[Diagram: 3rd party systems (Account Aggregation, Inter-FI Payment, Insurance Brokers, White Label) reach the XS40 over SOAP, XML and HTTP interfaces; the XS40 consults Tivoli Access Manager and forwards to the FI-owned internal services platform (Core Services: Account Services, CRM, CIF, Insurance, Payment, Credit Card)]
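The AAA stages the scenario lists (extract identity, extract resource, map credentials, map resource, authenticate, authorize, audit) as a small policy pipeline. This is an added example, not DataPower's implementation: the order in which the stages run, the HTTP Basic identity extraction, and the in-memory partner directory, credential map, resource map and policy table are constructed stand-ins for the Tivoli/LDAP lookups the slide refers to. The points it shows are the ones a gateway policy has to get right: unmapped resources are denied (fail closed), authorization is default-deny, and every decision, allowed or not, lands in the audit log.

```python
"""AAA policy stages as a pipeline (added example; not DataPower code)."""
import base64
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

_SALT = b"constructed-salt"  # constructed; a real directory keeps a per-user salt


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed tables standing in for the identity system and the policy store.
PARTNER_DIRECTORY: Dict[str, bytes] = {
    "broker-42": _hash_pw("correct horse"),
    "agg-7": _hash_pw("battery staple"),
}
CREDENTIAL_MAP = {"broker-42": "partner:insurance-broker", "agg-7": "partner:account-aggregator"}
RESOURCE_MAP = {
    ("POST", "/services/claims"): "svc:claims.submit",
    ("GET", "/services/account"): "svc:account.read",
}
POLICY = {
    "partner:insurance-broker": {"svc:claims.submit"},
    "partner:account-aggregator": {"svc:account.read"},
}
_DUMMY = _hash_pw("dummy")  # compared against for unknown users so timing stays uniform


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    reason: str
    principal: Optional[str] = None
    resource: Optional[str] = None


def extract_identity(req: Request) -> Optional[Tuple[str, str]]:
    """Extract Identity: HTTP Basic credentials from the Authorization header."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, sep, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return (user, password) if sep and user else None


def extract_resource(req: Request) -> Tuple[str, str]:
    """Extract Resource: the requested operation is identified by method and path."""
    return req.method.upper(), req.path


def map_resource(resource: Tuple[str, str]) -> Optional[str]:
    """Map Resource: external operation -> internal service name (None if unmapped)."""
    return RESOURCE_MAP.get(resource)


def authenticate(user: str, password: str) -> bool:
    """Authenticate: constant-time comparison against the stored PBKDF2 digest."""
    stored = PARTNER_DIRECTORY.get(user, _DUMMY)
    return hmac.compare_digest(_hash_pw(password), stored) and user in PARTNER_DIRECTORY


def map_credentials(user: str) -> Optional[str]:
    """Map Credentials: external partner id -> internal principal."""
    return CREDENTIAL_MAP.get(user)


def authorize(principal: str, service: str) -> bool:
    """Authorize: the principal's policy must list the service; default deny."""
    return service in POLICY.get(principal, set())


def _evaluate(req: Request) -> Decision:
    ident = extract_identity(req)
    if ident is None:
        return Decision(False, "no credentials")
    user, password = ident
    service = map_resource(extract_resource(req))
    if service is None:
        return Decision(False, "unknown resource")  # fail closed on unmapped paths
    if not authenticate(user, password):
        return Decision(False, "authentication failed", resource=service)
    principal = map_credentials(user)
    if principal is None or not authorize(principal, service):
        return Decision(False, "not authorized", principal, service)
    return Decision(True, "ok", principal, service)


def aaa(req: Request, audit_log: List[dict]) -> Decision:
    """Audit: run the stages and record every decision, allowed or not."""
    decision = _evaluate(req)
    audit_log.append({"method": req.method, "path": req.path, "principal": decision.principal,
                      "resource": decision.resource, "allowed": decision.allowed,
                      "reason": decision.reason})
    return decision


def basic_auth(user: str, password: str) -> str:
    """Build an Authorization header value (used to construct sample requests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    log: List[dict] = []
    hdr = {"Authorization": basic_auth("broker-42", "correct horse")}
    print(aaa(Request("POST", "/services/claims", hdr), log))
    print(aaa(Request("GET", "/services/account", hdr), log))
    print(aaa(Request("GET", "/services/account", {}), log))
    for entry in log:
        print(entry)
```

The "unknown resource" check runs before authentication so that a request for a path the gateway has never been configured to proxy is rejected regardless of who sends it; the audit entry still records the attempt.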


Scenario 2: Enterprise Service Bus

WebSphere DataPower Integration Appliance XI50

1. Client makes service request
2. Application server sends data to the gateway to update legacy systems
3. Decrypts, verifies and validates the message
4. Transforms message to non-XML or XML format
5. Routes request to one or more backend systems via MQ

XI50 processing: XML Decrypt, Schema Validate, Signature Verify, Context Routing, XML/Binary Transformation

[Diagram: an Online Banking client, a Cheque Imaging J2EE application on WAS/pSeries (Self-Service Channel application server, SOAP/HTTP) and a CRM .NET application on WinTel (SOAP/HTTP) send to the XI50, which routes to the Enterprise WebSphere MQ cluster (CCB/MQ, SOAP/MQ) and on to Core Banking applications on System z, handling legacy data formats such as Flat File/FTP, SOAP/JMS, etc]

WebSphere Message Broker V6: “Offload message transformations with near zero latency”

- DataPower Exit passes data to the XI50 for processing at wire speed
- Exit to offload costly data transformation, data encryption/decryption and other processing to the WebSphere DataPower Appliance
- Transformed, decrypted message is passed back to the flow for continued processing

[Diagram: message flow Q1 → Input Node → DataPower Exit → Q2; an encrypted message goes to the XI50 and returns as transformed, decrypted data (Format 2)]

Scenario 3: Web Application Firewall

WebSphere DataPower Integration Appliance XI50

1. Client requests page in browser (HTML or XML/HTTPS)
2. Checks for threats:
   - SQL injection
   - Cross-site scripting
   - Buffer overflows
   - Improper error handling
   - Insecure storage
   - Denial of service
   - Insecure configuration management
3. Strong DMZ XI50 forces authentication on first request
4. Sends authenticated and authorized page request to web app (HTML or XML/HTTP with SAML)

[Diagram: browser client → XI50 in the DMZ (terminate SSL, AAA against Active Directory, threat protection) → internal web applications]

XML Threats

- XML Entity Expansion and Recursion Attacks
- XML Document Size Attacks
- XML Document Width Attacks
- XML Document Depth Attacks
- XML Wellformedness-based Parser Attacks
- Jumbo Payloads
- Recursive Elements
- MegaTags, aka Jumbo Tag Names
- Public Key DoS
- XML Flood
- Resource Hijack
- Dictionary Attack
- Message Tampering
- Data Tampering
- Message Snooping
- XPath Injection
- SQL injection
- WSDL Enumeration
- Routing Detour
- Schema Poisoning
- Malicious Morphing
- Malicious Include, also called XML External Entity (XXE) Attack
- Memory Space Breach
- XML Encapsulation
- XML Virus
- Falsified Message
- Replay Attack
- …others
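The structural threats in this list (entity expansion and XXE, document size, width and depth, jumbo payloads, recursive elements, mega tags, well-formedness attacks) are the ones a gateway can refuse before a backend parser ever sees the document. The checks below are an added example of that threat-protection step, written for this page with the Python standard library; they are not DataPower code, and the limit values and sample documents are constructed. Size is checked first so the parse that follows is bounded, any DOCTYPE is rejected outright because that is the only place entities can be declared, and the remaining limits are enforced over the parser's start/end events.

```python
"""XML threat-protection checks (added example; not DataPower code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class XmlLimits:
    max_bytes: int = 64 * 1024   # jumbo payloads / document size
    max_depth: int = 32          # document depth, recursive elements
    max_children: int = 1000     # document width
    max_name_len: int = 256      # mega tags / jumbo tag names
    max_elements: int = 10_000   # total element budget per document


def check_xml(raw: bytes, limits: XmlLimits = XmlLimits()) -> Tuple[bool, str]:
    """Return (accepted, reason); stops at the first violated limit."""
    if len(raw) > limits.max_bytes:
        return False, "size"
    # Entities can only be declared inside a DOCTYPE, so rejecting any DOCTYPE
    # (case-insensitively) removes entity expansion and XXE before parsing.
    lowered = raw.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        return False, "doctype"

    parser = ET.XMLPullParser(events=("start", "end"))
    open_children = []   # stack: children seen so far under each open element
    total = 0
    try:
        parser.feed(raw)   # bounded by max_bytes, checked above
        parser.close()     # raises ParseError for truncated or mismatched markup
        for event, elem in parser.read_events():
            if event == "end":
                open_children.pop()
                continue
            total += 1
            if total > limits.max_elements:
                return False, "element count"
            if len(elem.tag) > limits.max_name_len:   # tag includes any {namespace}
                return False, "tag name length"
            if open_children:
                open_children[-1] += 1
                if open_children[-1] > limits.max_children:
                    return False, "width"
            open_children.append(0)
            if len(open_children) > limits.max_depth:
                return False, "depth"
    except ET.ParseError as exc:
        return False, f"not well-formed: {exc}"
    return True, "ok"


# Constructed sample documents, one per limit.
SAMPLES = {
    "normal": b"<order><item sku='1'/><item sku='2'/></order>",
    "deep": b"<a>" * 40 + b"</a>" * 40,
    "wide": b"<r>" + b"<c/>" * 1001 + b"</r>",
    "megatag": b"<" + b"x" * 300 + b"/>",
    "entities": b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e "x">]><d>&e;</d>',
    "truncated": b"<a><b></a>",
}

if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        print(f"{name:10s} -> {check_xml(doc)}")
```

The defaults are deliberately tight; a gateway policy would set them per service from the schema the backend actually accepts, which is also what turns the "schema validate" step into a threat check rather than a formality.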


Web Services Management: Service Level Management

[Diagram: ESB with protocol termination and proxying in front of .NET apps, J2EE apps and a legacy system exposing WS 1 through WS 7. The gateway consults a Service Registry and a User Registry and applies Audit/Logging, Monitoring, Systems Mgmt., Threat Protection, Security Services and SLM. Per-service limits for internal and external clients are shown as 100 msg/min, 25 msg/min, 75 msg/min, 125 msg/min, and "No limit" for the remaining services]
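Service level management on the slide amounts to a per-service, per-client-group message budget enforced at the gateway. The limiter below is an added example of that, not DataPower's SLM code: the msg/min figures echo the ones on the slide, but the slide does not say which service each figure belongs to, so the policy table is constructed, and the "notify" action (admit but flag the overrun) is an assumption of the example. A missing policy entry is treated as deny, and the window is a fixed minute keyed on the caller's clock value so it can be exercised without waiting.

```python
"""Per-(client group, service) message-rate limits (added example; not DataPower code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Limit:
    per_minute: Optional[int]   # None = no limit
    action: str = "throttle"    # "throttle" rejects; "notify" admits but flags the overrun


# Constructed SLM policy keyed by (client group, service).
SLM_POLICY: Dict[Tuple[str, str], Limit] = {
    ("external", "WS 1"): Limit(100),
    ("external", "WS 2"): Limit(25),
    ("external", "WS 3"): Limit(75),
    ("external", "WS 4"): Limit(None),
    ("internal", "WS 1"): Limit(125),
    ("internal", "WS 2"): Limit(None),
    ("internal", "WS 3"): Limit(None),
    ("internal", "WS 4"): Limit(100, action="notify"),
}


class SlmLimiter:
    def __init__(self, policy: Dict[Tuple[str, str], Limit], window_seconds: float = 60.0):
        self.policy = policy
        self.window = window_seconds
        # (group, service) -> [window index, messages seen in that window]
        self._state: Dict[Tuple[str, str], List[int]] = {}

    def admit(self, group: str, service: str, now: float) -> Tuple[bool, str]:
        """Decide whether one message is forwarded; `now` is seconds (e.g. time.time())."""
        limit = self.policy.get((group, service))
        if limit is None:
            return False, "no policy"          # fail closed: unknown pairs are not forwarded
        if limit.per_minute is None:
            return True, "no limit"
        index = int(now // self.window)
        state = self._state.setdefault((group, service), [index, 0])
        if state[0] != index:                  # new window: reset the counter
            state[0], state[1] = index, 0
        state[1] += 1
        if state[1] > limit.per_minute:
            if limit.action == "notify":
                return True, f"over limit ({state[1]}/{limit.per_minute}), notified"
            return False, f"throttled ({limit.per_minute}/min)"
        return True, f"{state[1]}/{limit.per_minute}"


if __name__ == "__main__":
    limiter = SlmLimiter(SLM_POLICY)
    # Constructed burst: 30 external calls to WS 2 within one minute.
    for i in range(30):
        print(i + 1, limiter.admit("external", "WS 2", 1200.0 + i * 0.5))
    print(limiter.admit("internal", "WS 2", 1200.0))
    print(limiter.admit("unknown", "WS 9", 1200.0))
```

Rejected messages still count against the window, so a client that keeps retrying while throttled does not get extra budget when its retries are themselves refused.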

DataPower Deployment Models

Typical Distributed HA Infrastructure Before DataPower

[Diagram: DMZ with load balancers and web servers; firewalls; corporate zone with a second tier of load balancers, app servers, and logging, operational management, DB, security and legacy infrastructure plus a registry/repository]

1. Requests balanced to web servers
2. Web server sends through firewalls to 2nd tier of load balancers
3. Requests balanced to app servers
4. App servers integrate with corporate infrastructure


DataPower in the HA Infrastructure

[Diagram: DMZ load balancers feed XS40 Security Gateways; XI50 Integration Appliances in the corporate zone connect to logging infrastructure (Syslog), operational management (SNMP, WSDM), DB (SQL, XQuery), security (SAML, XACML, other), legacy (MQ, FTP, IMS) and the registry/repository (WS-Policy, UDDI)]

1. Requests balanced to web servers
2. XS40’s balance requests to XI50’s through firewalls using Load Balancer Groups
3. XI50’s integrate with corporate infrastructure


DataPower XML Security Gateway XS40

Security & Integration Scenario: Top 10 Financial Firm

Security layer (DataPower XS40): Authenticate, Authorize, Audit, Decrypt XML, Verify Sign., Validate
Integration layer (DataPower XI50): Protocol switch, Content Routing, Transform XML

1. External party makes Web Service request (Web Services = HTTP with XML payload)
2. Verify signature
3. Decrypt & validate
4. Access identity mgmt system (Tivoli, LDAP, etc)
5. Authenticate & authorize
6. Insert security token (e.g. SAML, Kerberos)
7. Send request to integration layer
8. Transform XML
9. Switch protocol (e.g. HTTP to MQ)
10. Route based on content
11. Aggregate response
12. Switch protocol
13. Transform response
14. Send to security layer
15. Filter response
16. Encrypt & sign
17. Send response back

[Diagram: external systems (different division, partners, etc: Payment, Account Aggregation, Invoice/Payment, Broker Portal, Customer Portal) call the FI-owned Web Services interfaces over HTTP; the request and response messages pass through the security layer and the integration layer, which reaches core enterprise systems (Account Services, ERP, HR, CRM, Credit Card, Payment, other) over MQ, JMS, FTP, HTTP, DB, etc.]

Leveraging DataPower Appliances for PCI Compliance

DataPower and the PCI DSS “Dirty Dozen”

DataPower ideal solution for many requirements (legend: complete solution / part of solution):

Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security



XML Security Gateway XS40: Key Functions for PCI Compliance

Easy to Use Appliance, Purpose-Built for SOA Security

- Web Services (XML) - Filter on any content, metadata or network variables
- Web Application Firewall - HTTP Protocol Filtering, Threat Protection, Cookie Handling
- Data Validation - Approve incoming/outgoing Web traffic, Web Services, XML at wirespeed
- Field Level Security - WS-Security, encrypt & sign individual fields, non-repudiation
- Encryption of transport layer - HTTP, HTTPS, SSL.
- Anti Virus Protection - messages and attachments checked for viruses; integrates with corporate virus checking software through ICAP protocol
- XML Web Services Access Control/AAA - SAML, LDAP, RADIUS, etc
- Management & Logging - manage & track services, logging of all activities, audit.
- Security Policy Management - security policies “universally understood” by multiple software solutions, eases PCI certification process.
- Easy Configuration & Management - WebGUI, CLI, IDE and Eclipse Configuration to address broad organizational needs (Architects, Developers, Network Operations, Security)

PCI requirements addressed by these functions: Req. 1; Req. 3,4; Req. 5; Req. 7,8,9; Req. 10; Req. 12

DataPower Configuration

Configuration Driven, NO Programming

Example: Build Web Service Proxy with AAA

[Screenshots: Add an AAA Security Action; Choose Authentication Method]

What is XML-aware Networking

Result: the performance, security and management expected of the IP network become available to XML applications.

Offloads XSLT processing, legacy-to-XML conversions and other resource-intensive tasks from the servers to the network layer.

This reduces latency, improves processing throughput and frees up server resources.

Customers in Latin America

[Customer logos, including a division of McGraw-Hill]

Thank you very much!