
DataPower SOA Appliances: Accelerating Value




  1. DataPower SOA Appliances: Accelerating Value. Ricardo Fittipaldi, DataPower SOA Appliances, Latin America Sales, rfittipa@ve.ibm.com

  2. The Infamous Spaghetti Chart…
     Business objectives: gain market share, operational excellence, top-line growth, reduce costs, innovation.
     Resources and IT assets: legacy claims database, life insurance claims, business partner claims system, auto claims system, home claims system, …
     • Complex processes & systems
     • Complex applications & interfaces
     • Difficult to adapt quickly
     • Large portion of IT budget spent on maintenance, not on new value-add investments

  3. Service Enabling Applications Addresses This Challenge
     Business objectives: gain market share, operational excellence, top-line growth, reduce costs, innovation. Chart axes: degree of reuse vs. rate of change.
     Resources and IT assets: legacy claims database, life insurance claims, business partner claims system, auto claims system, home claims system, …
     Business processes; external service components: alerting, consumer products, ranking system, consumer system, …; legacy database, business partner system.

  4. This Promises Efficiencies… but Comes With Challenges
     Businesses want to move to standards-based XML… but XML is bulky, which can cause performance bottlenecks.
     Businesses want to deploy secure XML-based applications… but security adds further bulk that slows them down.
     Businesses want to integrate their new Web Services with existing legacy applications… but this creates a need for process-intensive format transformations.
     XML Challenges
     • Web Service enabling apps delivers huge efficiencies through reuse of services.
     • XML/Web Services form the foundation of service enablement, but bring new challenges:
       • Scalability: XML is very bandwidth, CPU, and memory intensive.
       • Security: connecting systems via Web Services creates new security issues.
       • Integration: connecting Web Services to legacy applications requires different formats.

  5. “Commodity” Processes Migrate to Appliances
     The historical trend is for software functions that are simple, yet require a lot of computing power, to move into dedicated appliances. This is part of a larger trend that started by moving functions such as traffic routing and load balancing into hardware. XML/Web Services processing tasks such as security, application routing, transformation and management are rather simple, but very CPU intensive.

  6. IBM’s Answer: XML-aware Network Appliances (WebSphere DataPower Appliances)
     Solve XML’s performance & scalability challenges in an appliance. Patented architecture to process “XML in hardware”. Offload & combine functions from traditional software onto a purpose-built appliance: XML security & transformations; Web Services management; legacy integration and protocol switching; other resource-intensive tasks.
     RESULTS:
     • Improved security & integration
     • Reduced latency, more throughput
     • Significant reduction in server farms
     • ROI payback typically in < 1 year
     • Lower capital costs (fewer servers)
     • Decreased maintenance costs
     • Reduced time to market
     • Datacenter savings

  7. DataPower Network Appliance vs. Server Appliance
     Server appliance stack: Apache, Tomcat, MySQL, Libxml, glibc, Java, daemons, many separate configuration files, Linux OS, hardware with floppy, CD-ROM, USB port and disk.
     DataPower network appliance stack: a single configuration, proprietary software, firmware, XML acceleration, crypto acceleration, hardware.
     Advantages of a network appliance over a server appliance
     • Optimized hardware, firmware, encapsulated OS
     • High configuration security
     • Vulnerabilities eliminated, such as open source, Trojan horses, Java/C++ libraries
     • Encryption keys stored in hardware
     • No drives or USB ports
     • Tamper-proof case

  8. IBM DataPower SOA Appliances
     Web tier (XA35): client or server, web server, application server; XML, HTML, WML, XSL.
     Security (XS40): Internet, IP firewall, application server; Tivoli Access Manager, Federated Identity Manager.
     Integration & management tiers (XI50): HTTP XML request/response ↔ legacy request/response, reply queue; Web Services client; ITCAM for SOA.

  9. DataPower Customer Scenarios

  10. Scenario 1: B2B Security Gateway
     WebSphere DataPower XML Security Gateway XS40 (XML/AAA gateway) functions: XML sign, XML encrypt, signature verify, XML decrypt, schema validate, XML transform, route; AAA: extract identity, authenticate, map credentials, extract resource, map resource, authorize, audit. Interfaces: SOAP, XML, HTTP.
     3rd-party systems: insurance brokers, account aggregation, inter-FI payment, white label. FI-owned systems: internal services platform, Access Manager (Tivoli), core services: account services, CRM, CIF, insurance, payment, credit card.
     • 3rd party makes service request (SOAP/HTTP/HTTPS)
     • Capture credentials and pass SAML query to Tivoli for authentication and authorization
     • Verify, decrypt and validate request message
     • Generate appropriate token (SAML, WS-Security) and route request to backend service
     • Process and validate response message
     • Sign and encrypt response
     • Send response to client

  11. Scenario 2: Enterprise Service Bus
     WebSphere DataPower Integration Appliance XI50 functions: XML decrypt, signature verify, schema validate, XML/binary transformation, context routing. Protocols: SOAP/MQ, SOAP/HTTP, flat file/FTP, SOAP/JMS, CCB/MQ, legacy data formats.
     Front end: online banking client, self-service channel application server, WebSphere MQ. Backends: CRM .NET application on WinTel, cheque imaging J2EE application on WAS/pSeries, enterprise WebSphere MQ cluster, core banking applications on System z.
     • Client makes service request
     • Application server sends data to the gateway to update legacy systems
     • Decrypts, verifies and validates the message
     • Transforms message to non-XML or XML format
     • Routes request to one or more backend systems via MQ

  12. Scenario 2: Enterprise Service Bus, “Offload message transformations with near zero latency”
     WebSphere Message Broker V6 flow: encrypted message on Q1 → input node → DataPower exit passes the data to the XI50 for processing at wire speed (offloading costly data transformation, data encryption/decryption and other processing) → the transformed, decrypted message (format 2) is passed back to the flow for continued processing → Q2. Transactions and errors are logged.

  13. Scenario 3: Web Application Firewall
     WebSphere DataPower Integration Appliance XI50: terminate SSL, threat protection, AAA (Active Directory).
     Checks for threats:
     • SQL injection
     • Cross-site scripting
     • Buffer overflows
     • Improper error handling
     • Insecure storage
     • Denial of service
     • Insecure configuration management
     Flow:
     • Client requests page in browser (HTML or XML/HTTPS)
     • Strong DMZ: XI50 forces authentication on first request
     • Sends authenticated and authorized page request (HTML or XML/HTTP with SAML) to the internal web applications

  14. XML Threats
     XML entity expansion and recursion attacks; XML document size attacks; XML document width attacks; XML document depth attacks; XML well-formedness-based parser attacks:
     • Jumbo payloads
     • Recursive elements
     • MegaTags, aka jumbo tag names
     • Public key DoS
     • XML flood
     • Resource hijack
     • Dictionary attack
     • Message tampering
     • Data tampering
     • Message snooping
     • XPath injection
     • SQL injection
     • WSDL enumeration
     • Routing detour
     • Schema poisoning
     • Malicious morphing
     • Malicious include, also called XML External Entity (XXE) attack
     • Memory space breach
     • XML encapsulation
     • XML virus
     • Falsified message
     • Replay attack
     • …others
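The structural threats at the top of this list (entity expansion, document size, width, depth, jumbo tag names, well-formedness attacks) are the ones a gateway can reject by streaming the message through a limited parser before any backend sees it. The following is an added example of that kind of check written in Python with the standard library's expat binding; it is not DataPower code and does not reproduce how the appliance implements threat protection. All limits, the `Limits`/`Verdict` names and the sample messages are constructed for illustration.

```python
"""Structural XML threat checks of the kind an XML gateway applies before a
message reaches a backend parser. Added example; not DataPower code.
All limits and sample documents are constructed for illustration."""
from dataclasses import dataclass
import xml.parsers.expat


@dataclass
class Limits:
    max_bytes: int = 1_000_000      # jumbo payload / document size
    max_depth: int = 32             # document depth (nesting)
    max_children: int = 1_000       # document width (children per element)
    max_elements: int = 10_000      # total element count
    max_name_len: int = 256         # "MegaTags": jumbo tag names


@dataclass
class Verdict:
    accepted: bool
    reason: str


class _Reject(Exception):
    """Raised inside an expat callback to abort parsing with a reason."""


def check_xml(data: bytes, limits: Limits = Limits()) -> Verdict:
    """Stream the document through expat and reject it on the first violation."""
    if len(data) > limits.max_bytes:
        return Verdict(False, f"jumbo payload: {len(data)} bytes")

    parser = xml.parsers.expat.ParserCreate()
    depth = 0
    elements = 0
    children = []  # per open element: number of child elements seen so far

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD is refused: this blocks entity expansion ("billion laughs"),
        # recursive entities and external entities (XXE) with one check.
        raise _Reject("DOCTYPE/DTD not allowed (entity expansion, XXE)")

    def on_start(name, attrs):
        nonlocal depth, elements
        elements += 1
        if elements > limits.max_elements:
            raise _Reject(f"too many elements (> {limits.max_elements})")
        if len(name) > limits.max_name_len:
            raise _Reject(f"jumbo tag name ({len(name)} chars)")
        if children:
            children[-1] += 1
            if children[-1] > limits.max_children:
                raise _Reject(f"document too wide (> {limits.max_children} children)")
        children.append(0)
        depth += 1
        if depth > limits.max_depth:
            raise _Reject(f"document too deep (> {limits.max_depth})")

    def on_end(name):
        nonlocal depth
        depth -= 1
        children.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except _Reject as exc:
        return Verdict(False, str(exc))
    except xml.parsers.expat.ExpatError as exc:
        # Well-formedness-based parser attacks end here, not in the backend.
        return Verdict(False, f"not well-formed: {exc}")
    return Verdict(True, "ok")


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "benign": b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
              b"<soap:Body><getBalance><account>12345</account></getBalance></soap:Body>"
              b"</soap:Envelope>",
    "entity_expansion": b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
                        b'<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
                        b"]><lolz>&lol2;</lolz>",
    "deep": b"<a>" * 40 + b"</a>" * 40,
    "wide": b"<r>" + b"<i/>" * 1001 + b"</r>",
    "malformed": b"<a><b></a>",
}


def scan_samples() -> dict:
    """Run every sample through the checker; returns name -> Verdict."""
    return {name: check_xml(doc) for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:17} {'ACCEPT' if verdict.accepted else 'REJECT'}  {verdict.reason}")
```

The design point is that every limit is enforced while the document streams, so a rejected message never has to be held or expanded in memory; refusing any DOCTYPE is deliberately coarse, which is appropriate at a gateway where legitimate SOAP traffic has no reason to carry a DTD. The remaining threats on the slide (XPath and SQL injection, replay, tampering, WSDL enumeration) need content, signature and identity checks rather than structural limits and are outside this example.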

  15. Web Services Management: Service Level Management
     Gateway functions: protocol termination and proxying, threat protection, security services, SLM. Systems management: audit, logging, monitoring; service registry; user registry.
     Example limits shown: 100, 25, 75 and 125 msg/min and “no limit”, assigned to services WS 1 to WS 7 for internal and external clients. Backends: .NET apps, J2EE apps, legacy system, ESB.

  16. DataPower Deployment Models

  17. Typical Distributed HA Infrastructure Before DataPower
     1. DMZ load balancers: requests balanced to web servers
     2. Web servers send through firewalls to a 2nd tier of load balancers
     3. Corporate load balancers: requests balanced to app servers
     4. App servers integrate with corporate infrastructure: logging, operations management, DB, security, legacy, registry/repository

  18. DataPower in the HA Infrastructure
     1. DMZ load balancers: requests balanced to XS40 security gateways
     2. XS40s balance requests to XI50 integration appliances through firewalls using load balancer groups
     3. XI50s integrate with corporate infrastructure: security (SAML, XACML, other), registry/repository (WS-Policy, UDDI), logging (syslog), legacy (MQ, FTP, IMS), DB (SQL, XQuery), operations management (SNMP, WSDM)

  19. Security & Integration Scenario, Top 10 Financial Firm
     Security layer: DataPower XML Security Gateway XS40 (verify signature, authenticate, authorize, decrypt, audit, validate) with identity management system (Tivoli, LDAP, etc.). Integration layer: DataPower Integration Appliance XI50 (transform XML, protocol switch, content routing; MQ, JMS, FTP, HTTP, etc.).
     External systems (different division, partners, etc.) via Web Services interfaces: account aggregation, invoice/payment, broker portal, customer portal. FI-owned core enterprise systems: payment, account services, CRM, HR, ERP, credit card. Interfaces/protocols: HTTP, MQ, JMS, DB, FTP, other.
     Request message:
     1. External party makes Web Service request (Web Services = HTTP with XML payload)
     2. Verify signature
     3. Decrypt & validate
     4. Access identity management system
     5. Authenticate & authorize
     6. Insert security token (e.g. SAML, Kerberos)
     7. Send request to integration layer
     8. Transform XML
     9. Switch protocol (e.g. HTTP to MQ)
     10. Route based on content
     Response message:
     11. Aggregate response
     12. Switch protocol
     13. Transform response
     14. Send to security layer
     15. Filter response
     16. Encrypt & sign
     17. Send response back

  20. Leveraging DataPower Appliances for PCI Compliance

  21. DataPower and the PCI DSS “Dirty Dozen” (legend: complete solution / part of solution)
     DataPower is an ideal solution for many requirements:
     • Build and Maintain a Secure Network
       • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
       • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
     • Protect Cardholder Data
       • Requirement 3: Protect stored cardholder data
       • Requirement 4: Encrypt transmission of cardholder data across open, public networks
     • Maintain a Vulnerability Management Program
       • Requirement 5: Use and regularly update anti-virus software
       • Requirement 6: Develop and maintain secure systems and applications
     • Implement Strong Access Control Measures
       • Requirement 7: Restrict access to cardholder data by business need-to-know
       • Requirement 8: Assign a unique ID to each person with computer access
       • Requirement 9: Restrict physical access to cardholder data
     • Regularly Monitor and Test Networks
       • Requirement 10: Track and monitor all access to network resources and cardholder data
       • Requirement 11: Regularly test security systems and processes
     • Maintain an Information Security Policy
       • Requirement 12: Maintain a policy that addresses information security

  22. XML Security Gateway XS40: Key Functions for PCI Compliance
     Easy-to-use appliance, purpose-built for SOA security. Requirements addressed: 1; 3, 4; 5; 7, 8, 9; 10; 12.
     • Web Services (XML): filter on any content, metadata or network variables
     • Web Application Firewall: HTTP protocol filtering, threat protection, cookie handling
     • Data validation: approve incoming/outgoing Web traffic, Web Services, XML at wire speed
     • Field-level security: WS-Security, encrypt & sign individual fields, non-repudiation
     • Encryption of transport layer: HTTP, HTTPS, SSL
     • Anti-virus protection: messages and attachments checked for viruses; integrates with corporate virus-checking software through the ICAP protocol
     • XML Web Services access control/AAA: SAML, LDAP, RADIUS, etc.
     • Management & logging: manage & track services, logging of all activities, audit
     • Security policy management: security policies “universally understood” by multiple software solutions, eases the PCI certification process
     • Easy configuration & management: WebGUI, CLI, IDE and Eclipse configuration to address broad organizational needs (architects, developers, network operations, security)

  23. DataPower Configuration

  24. Configuration Driven, NO Programming

  25. Example: Build Web Service Proxy with AAA

  26. Add an AAA Security Action

  27. Choose Authentication Method

  28. What is XML-aware Networking? It offloads XSLT processing, legacy-to-XML conversions and other resource-intensive tasks from the servers to the network layer. This reduces latency, improves processing throughput and frees up server resources. Result: the performance, security and manageability expected of the IP network become available to XML applications.

  29. a division of McGraw-Hill

  30. Customers in Latin America

  31. Thank you very much!
