Upload
shilpin-pvt-ltd
View
679
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Citation preview
DataPower Introduction
DataPower SOA Appliance
2
DataPower SOA Appliances redefine the boundaries of middleware extending the
SOA Foundation with specialized, consumable, and dedicated SOA
Appliances that simplify and combine superior performance, hardened
security, and integration for SOA implementations.
An SOA Appliance…
Simplifies SOA and accelerates time to value
Helps secure SOA XML implementations
Governs and enforces SOA/Web Services policies
creates customer value through extreme
SOA performance, connectivity, and
security.
Why an Appliance for SOA?
• Addresses the divergent needs of different groups
– Enterprise architects, network operations, security operations, web services developers
• Simplified deployment and ongoing management
– Drop-in appliance, secures traffic in minutes, integrates with existing operations
3
Hardened, specialized hardware for helping to integrate, secure & accelerate SOA
Many functions in a single device
Service level management, dynamic routing, policy enforcement, transformation
Higher levels of security assurance certification
FIPS 140-2 Level 3, Common Criteria EAL4
Higher performance with hardware acceleration facilitates security enforcement
What is DataPower ?
• Provides the flexibility of software in a hardware footprint
• Is quick to deploy – configuration NOT coding or programming
• Typically takes days to integrate NOT weeks or months
• Is a 1U 19” Rack Mounted appliance – Looks like a router
• Has minimal components and has no stack of software. Consequently
DataPower is highly secure
• As attack points are minimised – DataPower is undergoing accreditation to Common Criteria EAL4
– This is globally recognised check by an impartial third party that warrants the security claims
made by IBM
4
What Does DataPower Address ?
• XML is the language of Web Services and SOA
• XML is pervasive – in a matter of years, it will fuel every application, device, and document found in enterprise networks
• XML challenges
– XML is very ‘Verbose’
• XML is bandwidth intensive
• Has a direct impact on Application Server performance
• XML processing requires significant processor cycles and memory resources
– XML is effectively ‘Human readable’ Text
• It has no native security mechanisms
• It is readily understood and vulnerable to interception
• Security can be implemented on the application server but this is additional XML processing and adds to the performance problem
– SOA is not just Web Services and XML
• Customers need to integrate existing legacy systems, messaging formats and protocols into the SOA architecture.
• The ability to ‘transform’ legacy systems into the XML format is needed.
5
What Does DataPower Address ?
• XML Performance
– How ? – by offloading XML processing from the Application Server to
DataPower in optimised hardware
– Thereby greatly reducing the required number of Application Servers
• XML Security
– How ? – by offloading XML security to DataPower
– Provide standards based security – WS Security
• Integrating XML and legacy systems
– How ? – by using DataPower to transform XML to legacy message
formats and protocols e.g
• XML < > Cobol Copybook (brings a Mainframe into SOA
Architecture)
• XML > HMTL (renders HTML content to Portal very rapidly)
• XML < > MQ Messaging
All of this is done at WIRESPEED
6
– Offload XML processing
– No more hand-optimizing XML
– Lowers development costs
7
Hardware ESB
“Any-to-Any” conversion at wire-speed
Bridges multiple protocols
Integrated message-level security
Enhanced Security Capabilities
Centralized Policy Enforcement
Fine-grained authorization
Rich authentication
WebSphere DataPower SOA
Appliance Product Line
B2B Messaging (AS2/AS3)
Trading Partner Profile Management
B2B Transaction Viewer
Unparalleled performance
Simplified management and configuration
High volume, low latency messaging
Enhanced QoS and performance
Simplified, configuration-driven approach to LLM
Publish/subscribe messaging
High Availability
XM70
XA35
XI50
XB60
XS40
WebSphere DataPower Basic Use Cases
8
Internet Trusted Domain
Consumer
Consumer
4 Internal Security
5 Enterprise Service Bus
6 Web Service Management
7 Legacy Integration
8 XML Acceleration
3 Low Latency Gateway 1 B2B Gateway
2 Secure Gateway
(Web Services,
Web Applications)
Application
Application
System z
DMZ
XML Accelerator XA35
Purpose-built hardware for presentation-tier transformation
9
• XML Pipeline processing accelerates XML/XSLT/XPath evaluation, increasing throughput and decreasing latency by offloading XML operations to the network
• Innovative drag-and-drop policy editor accelerates time to value and simplifies configuration and deployment
• Logical application domains allow individual “sandboxes” and facilitate configuration management through import/export features
• Multiple management interfaces serve varying needs of an organization, including browser-based WebGUI, command line CLI, and scriptable Web Services
• “The Original” DataPower XML Appliance
• Defines high performance architecture for all DataPower SOA Appliances
• Processes XML operations at “wire-speed”
• Ideal in an XSL-intensive HTTP presentation tier
XML Security Gateway XS40
Purpose-built hardware for assuring confidentiality, authenticity, and non-
repudiation
10
• Native support for WS-Security policy enforcement
• Extremely secure hardware design
• Integrate with a variety of authentication and authorization systems for real-time protection
• Ideal in front-line DMZ or internal security gateway
• XML/SOAP Firewall capabilities enable Layer 7 filtering on any content, metadata or network variable in a message
• Web Application Firewall service offers additional security, threat mediation, and content processing for other URL encoded HTTP-based applications
• Easily configurable field-level security options allow flexible enforcement of confidentiality, authenticity, and non-repudiation requirements
• Low latency architecture leverages hardware-acceleration for cryptographic operations
Hardware Device for Improved Security
• Sealed network-resident appliance
– Optimized hardware, firmware, embedded OS
– Single signed/encrypted firmware upgrade only
– No arbitrary software
– High assurance, “default off” locked-down configuration
– Security vulnerabilities minimized (few 3 party components)
– Hardware storage of encryption keys, locked audit log
– No USB ports, tamper-proof case
• Third party certification
– FIPS 140-2 level 3 HSM (option)
– Common Criteria EAL4
11
“The DataPower [XS40]... is the most hardened ... it looks
and feels like a datacenter appliance, with no extra ports
or buttons exposed… "
- InfoWorld
XML security threats are growing
DataPower provides hardened real-time protection • XML Entity Expansion and Recursion
Attacks
• XML Document Size Attacks
• XML Document Width Attacks
• XML Document Depth Attacks
• XML Wellformedness-based Parser Attacks
• Jumbo Payloads
• Recursive Elements
• MegaTags – aka Jumbo Tag Names
• Public Key DoS
• XML Flood
• Resource Hijack
• Dictionary Attack
• Message Tampering
• Data Tampering
• Message Snooping
• XPath Injection
• SQL injection
• WSDL Enumeration
• Routing Detour
• Schema Poisoning
• Malicious Morphing
• Malicious Include – also called XML External Entity (XXE) Attack
• Memory Space Breach
• XML Encapsulation
• XML Virus
• Falsified Message
• Replay Attack
• …others
12
Gartner: Web Services Security Best Practices
“Therefore, enterprises should investigate tools such as security gateways, SSL concentrators and accelerators, and wire-speed SOAP/XML inspection hardware.”
-- John Pescatore, Gartner
• Build Expertise/Design From Strength
• Educate Business Leaders
• Build Centralized Infrastructure
– SSL is key
– Use management/security platforms
– Manage your identities
– You may need PKI
• Trust (Really) Your Partners
• Use OTS Web Services with Caution
• Monitor and Control
13
Provide System Security Inspect ALL traffic
Transform all messages
Mask internal resources
Implement XML filtering
Secure logging
Protect against XML DoS
Require good authentication mechanisms
Provide Message Security Sign all messages
Validate messages (Inbound+Outbound)
Time-stamp all messages
Ask for Compatibility SSL MA, SAML, x.509.
WS-Security
WS-* extensions
Access Control Integration Framework
(AAA) Authenticate, Authorize, Audit
14
External Access Control Server or
Onboard Identity Management Store
Authenticate
Authorize
Ou
tpu
t M
essag
e
Extract
Resource
Extract
Identity
Inp
ut
Messag
e
Audit &
Accounting
Transport Headers
URL
SOAP Method
XPath
WS-Security
SAML
X.509
Kerberos
Proprietary Tokens
SAML Assertion
Credential Mediation
IDS Integration
Monitoring
Map
Resource
Map
Credentials
LDAP
ActiveDirectory
SAML
Tivoli
CA eTrust/Netegrity
RSA
Entrust
Novell
Proprietary
LDAP
ActiveDirectory
SAML
Tivoli
CA eTrust/Netegrity
RSA
Entrust
Novell
RACF
Web Application Firewall
• URL-encoded HTTP application protection
in addition to XML Web Services firewall
security
• Protection for static or dynamic HTML-
based applications
• Supports browser-based clients and
HTTP/HTTPS backend servers
• Wizard-driven configuration
• Cross-site scripting and SQL Injection
protection
• AAA framework support for web
applications
• General name-value criteria boundary
profiles for:
– Query string and form parameters
– HTTP headers
– Cookies
15
HTML Input Conversion Maps for form processing and handling
Cookie watermarking (sign and/or encrypt)
Rate limiting and traffic throttling/shaping
HTTP header stripping, injection and rewriting
HTTP protocol and method filtering
Content-type filtering
Dynamic routing and load balancing
Session handling policies
SSL Acceleration & Termination (Link)
XML and non-XML processing policies
Customizable error handling
Integration Appliance XI50
16
• Web Service virtualization for legacy applications
• Enforce high levels of security independent of protocol or payload format
• Integrate with enterprise monitoring systems
• Service level management options to shape traffic
Advanced protocol-bridging seamlessly supports a wide array of transports, including HTTP, WebSphere MQ, WebSphere JMS, Tibco EMS, FTP, NFS
Any-to-any “DataGlue” engine supports XML and Non-XML (Binary) payloads, promoting asset reuse and enabling integration without coding
Direct database access enables message-enrichment and data-as-a-service messaging patterns (DB2, Oracle, MS-SQL, Sybase)
High performance architecture creates low-cost, easily-scalable ESB solution for Smart SOA needs !
Purpose-built hardware for Enterprise Service Bus functionality
17
Internal Trusted
Networks
DMZ
Intranet
Portal
Wireless
Access
Internet
Access
Business
Partners
Internet
Portal
Wireless
Portal
Directory /
IDM
Logging
Monitoring /
Management
Midrange
DB2
IMS
System Z
SCM
CRM
w2k
Unix
ESB
In medium to large organizations
running significant transaction volumes,
the footprint of their ESB becomes very
large and expensive, very quickly.
The ESB Cost Explosion - background A significant and growing problem with bus installations around the world.
The ESB Cost Explosion – Root
causes 1. The resource requirements of today’s services (mostly XML-based)
– Software mediation solutions written on general-purpose platforms require shocking
amounts of CPU and memory to process messages and perform the basic bus
functions:
• Message Parsing and Interpretation
• Message Transformation
• Message Routing
2. The minimal headroom purchased because of HA requirements.
– Companies quickly use up extra capacity purchased initially in order to maintain high
availability for this critical part of their network.
– Nevertheless the problem is often still hidden by the HA deployment initially
– Companies are often taken by surprise by how quickly they “hit the wall”
It doesn’t take much!
• At somewhere between 20-60 TPS the infrastructure needs to be at least doubled.
• you don’t have to be a F500 company to get hit
18
The ESB Cost Explosion - Solution
19
The DataPower module, deployed in an Architected ESB Federation pattern, is designed to bring the “commodity” work of an ESB to the network layer.
SOA Network Infrastructure History tells us that selecting universal, repetitive
functions and moving them to purpose-built
appliances reduces solution costs, both in terms of
increased performance / reduced processing costs,
and reduced complexity of deployment (network
devices are configured, not coded).
Processing rule actions for ESB
20
Programmer-friendly functions within the purely-configuration message flow.
WAIT
Processing rule actions for ESB
21
Fan-out (Fan-in)
Notification Fire and Forget
Composition
MQ
JMS
HTTP
HTTP
JMS
FTP
Content-based Routing Select destination based on transaction metadata
• Dynamically determine route from transaction context and/or message
content
– Analyze originating URL, protocol headers, transaction attributes, etc.
– Analyze legacy or XML content
• Leverage a routing table for real-time decisions – Quickly deploy routing changes, including protocol conversions
• Retrieve routing information from other systems
– E.g., databases, web servers, file servers, etc.
22
Service Providers
Unclassified Requests
Protocol Mediation Independently bridge inbound and outbound protocols
24
First-class support for message and transport protocol bridging
Protocol mediation with simple configuration:
– HTTP MQ WebSphere JMS FTP Tibco EMS
Request-response and sync-async matching
Configurable for fully guaranteed, once-and-only-once delivery
http(s)
FTP(s)
sFTP
WebSphere
MQ
WebSphere
JMS
Database DB2, SQL Server,
Oracle, Sybase,
3rd Party
Messaging
IMS NFS
Web Services Management Service Level Management protects application resources
• Defined as action in the policy pipeline
• Configure policies based on:
– Any parameter: WSDL; Service Endpoint; Operation; Credential
– Request; Response; Fault; XPath
• Enforce same thresholds across a pool of devices
• Configure service level to trigger action:
– Notify (Alert)
– Shape (Slow Down)
– Throttle (Reject)
• Supports WSDM and other Web services management standards
• Allows subscription to SLM for alerts, logging, etc.
• Notify other applications such as billing, audit, etc.
25
System z Integration
• Broad integration with System z
• Connect to existing applications over WebSphere MQ
• Transform XML to/from COBOL Copybook for legacy needs
• Natively communicate with IMS Connect
• Integrate with RACF security from DataPower AAA
• Service enable CICS using WebSphere MQ
• Virtualize CICS Web Services
27
Business to Business (B2B)
Appliance XB60 Purpose-built B2B hardware for simplified deployment, exceptional
performance and hardened security
28
• Extend integration beyond the enterprise with B2B
• Hardened Security for DMZ deployments
• Easily manage and connect to trading partners using industry standards
• Simplified deployment and ongoing management
• Trading Partner Management for B2B Governance; B2B protocol policy enforcement, access control, message filtering, and data security
• Application Integration with standalone B2B Gateway capabilities supporting B2B patterns for AS2, AS3 and Web Services
• Full featured User Interface for B2B configuration and transaction viewing; correlate documents and acknowledgments displaying all associated events
• Simplified deployment, configuration and management providing a quicker time to value by establishing rapid connectivity to trading partners
DataPower B2B Appliance XB60
- B2B Components
• B2B Gateway Service
– AS2 and AS3 packaging/unpackaging
– EDI, XML and Binary Payload routing
– Front Side Protocol Handlers
– Trading Partner Profile Management
• Multiple Destinations (Back Side Protocol Handlers)
• Certificate Management (Security)
– Hard Drive Archive/Purge policy
• B2B Viewer
– B2B transaction viewing
– Transaction resend capabilities
– Acknowledgement correlation
– Transaction event correlation
– Role based access
• Persistent Storage
– Encrypted with a box specific key
– B2B document storage
• Transaction Store
– B2B metadata storage
– B2B state management 29
The DataPower B2B Appliance extends your
ESB beyond the enterprise by supporting the
following B2B functionality:
B2B Viewer
Transaction
StorePersistent
Storage
B2B Gateway Service
DataPower B2B XB60
External Partner
Destinations
Internal Partner
Destinations
Front Side
Handlers for
Integration
Front Side
Handlers
for Partner
Connections
Low-Latency Appliance XM70 Purpose-built hardware for low-latency, network-based messaging and data feed
processing
30
• Drop-in messaging solution which plugs into existing network infrastructure
• Enhanced QoS and performance with purpose-built hardware
• Simplified, configuration-driven approach to low-latency, publish/subscribe messaging and content-based routing
• High availability out of the box (two or more appliances)
• Optimized to bridge between leading standard messaging protocols such as MQ, Tibco, WebSphere JMS and HTTP(S)
• Low-latency unicast and multicast messaging, scaling to 1M messages / sec with microsecond latency
• Destination, property and content-based routing, including native XML and FIX parsers
• Simplified deployment, configuration and management providing a quicker time to value by rapidly configuring messaging destinations, connectivity and routing
Configuration & Administration Fits into existing environments
31
Multiple administration consoles
WebGUI – 100% availability of functions in all consoles
CLI – Familiar to network operators
SOAP interface – Programmatic access to all config for easy scripting
IDE integration
Eclipse/Rational Application Developer
Altova XML Spy
WAS 7 Admin Console for Multi-box Management
Easy export/import for configuration promotion
Standard operational interfaces
SNMP, syslog, etc.
Industry leading integration support across IBM and 3rd party application, security, identity management, and networking infrastructure
XI50
SNMP
IBM SOA Appliance Deployment
Summary
32
XML XSL
Internet
XML HTML WML
XA35 Client or
Server
XS40
Tivoli Access
Manager ------------ Federated
Identity Manager
HTTP XML REQ
HTTP XML RESPONSE
Web Services Client
LEGACY REQ
LEGACY RESP XI50
IP Firewall Internet
Web Tier
Security
Integration & Management Tiers
Application Server
Application Server Web Server
DataPower XS40
DataPower XS40
Tivoli Access Manager
WebSphere App Server
MQ Server
Web service
client
Nortel L7 Module
Tivoli NetView
DataPower XS40
DataPower XS40
Tivoli Access Manager
WebSphere App Server
MQ Server
Web service
client
Nortel L7 Module
Tivoli NetView
DataPower XS40
DataPower XS40
Tivoli Access Manager
WebSphere App Server
MQ Server
Web service
client
Nortel L7 Module
Tivoli NetView
ITCAM for SOA
IBM SOA Appliance Deployment
continued
Receiver
33
Low Latency Messaging (LLM)
Trading Partners
XB60
Business to Business (B2B)
DataPower XS40
DataPower XS40
Tivoli Access Manager
WebSphere App Server
MQ Server
Web service
client
Nortel L7 Module
Tivoli NetView
ITCAM for SOA
WSRR
Internet
AS2 Message
FW
FW
AS2 MDN
AS2, AS3, HTTP, FTP, Web Services, MQ
FW
XML/EDI/Binary
Application Server
Trading Manger for EDI Processing
DMZ
Receiver
Receiver
MQ/TIBCO
Transmitter
Transmitter
RUM
(unicast)
RMM
(multicast)
XM70 RUM
Summary – IBM Specialized Hardware for Smart SOA Connectivity
• Hardened, specialized product for helping integrate, secure & accelerate SOA
• Many functions integrated into a single device
• Broad integration with both non-IBM and IBM software
• Higher levels of security assurance certifications require hardware
• Higher performance with hardware acceleration
• Simplified deployment and ongoing management
34
Simplifies SOA and accelerates time to value
Helps secure SOA XML implementations
Governs and enforces SOA/Web Services policies
SOA Appliances: Creating customer value
through extreme SOA performance,
connectivity, and security
www.ibm.com/software/integration/datapower