Forum XWall and Oracle Application Server 10...

Fo r u m X W a l l™

a n d O r a c l e ® A p p l i c a t i o n S e r v e r 1 0 g

technical white paper

Forum Systems, Inc.

BOSTON, MA95 Sawyer Road, suite 110

Waltham, MA 02453

SALT LAKE CITY, UT45 West 10000 South, suite 415

Sandy, UT 84070

TOLL FREE1-866-333-0210

www.forumsystems.com

Table of Contents

FORUM SYSTEMS AND ORACLE APPLICATION SERVER 10g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

AUDIENCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

CONTACT INFORMATION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

SCALABLE WEB SERVICES FULFILLMENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Oracle Application Server 10g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Forum XWall Web Services Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4Forum Sentry Web Services Security Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

ORACLE APPLICATION SERVER 10g AND FORUM SYSTEMS INTEGRATION . . . . . . . . . . . . . . . . . . . . . . . 5Oracle HTTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Oracle Application Server Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Oracle Internet Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5Oracle Application Server Certificate Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

FORUM XWALL™ XML INTRUSION PREVENTION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7Forum Complements Oracle Application Server 10g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

FORUM XWALL™ EXAMPLE USE-CASES. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10Government Requirements Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

FORUM XWall™ AT NO CHARGE TO QUALIFIED ORACLE USERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

ABOUT FORUM SYSTEMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Forum Systems Inc.Release Date: Spring 2004

w w w . f o r u m s y s t e m s . c o m2

FORUM SYSTEMS AND ORACLE APPLICATION SERVER 10g

Enterprises of all sizes are getting committed to Service Oriented Architectures (SOAs) and Webservices. Web services will become the standard deployment model for internal-to-external, internal-to-internal and external-to-DMZ strategic and tactical applications. Regardless of the specific application,enterprises must quickly identify the best-of-breed infrastructure that will enable the secure andscalable fulfillment of Web services to customers, partners, employees and service providers.

The right choice in development tools, architecture frameworks, business processes, applicationservers and security networking infrastructures will be critical in the success of enterprise Web services.

To ensure that deployed Web services do not pose business risk, deliver their return on investmentand complement existing IT infrastructures, Forum Systems and Oracle have partnered to delivera best-of-breed solution for Web services fulfillment. This includes the tools, technology andprocesses for the development through deployment life-cycle of enterprise Web services.

Without doubt, the most significant impediment to Web services deployments is the consistent,managed and reliable implementation of Web services security. The Forum Systems suite of Webservices security products builds upon the Oracle Application Server 10g to effectively secure Webservices.

AUDIENCE

This paper is geared toward the developer, application architect, information security manager ornetwork administrator that takes part in the development and deployment life-cycle of secure Webservices applications. It introduces the Forum Systems suite of products as a complement to OracleApplication Server 10g delivering secure Web services.

CONTACT INFORMATION

For more information please contact:

Walid Negm Vice President, Product MarketingForum Systems, [email protected]

WP-ASF-SE-00092


SCALABLE WEB SERVICES FULFILLMENT

Oracle Application Server 10gOracle Application Server 10g is an application server that provides a comprehensive set of featuresbuilt on the Java 2 Platform Enterprise Edition foundation. It includes extended scalability, systemsmanagement, Web services support, application integration and specific grid computing features.

Forum SystemsForum Systems, Inc. is the leader in Web services security with a comprehensive suite of trust management and threat protection solutions for the Automated Web. Forum Systems’ flexible hardware,software and embedded products actively protect Web services from the network edge to theapplication server.

Forum XWall™ Web Services Firewall

Forum XWall™ is the industry’s first Web Services Firewall equipped with XML intrusion preventioncapabilities to protect enterprises against a new breed of networked threats including XMLviruses, data-level invasions and denial of Web service attacks. Forum XWall™ ensures criticalapplications are appropriately accessible and continuously available by allowing networkadministrators to enforce perimeter policies that check the integrity of data and control accessto exposed enterprise Web services.

The following table illustrates the differences between Forum XWall™ and traditional firewalls:


Objects Controlled

Objective

Firewall Objective

Access Control

Object Encryption

Attack Protection

IP addresses and ports, transportprotocols (e.g. HTTP, FTP) and network packet flows

Once filtered and authorized network packets can flow into the network

Allow or deny packets across thenetwork using rules such as sourceIP address and port

Access control rules are definedusing IP addresses, ports, protocols,and where the traffic is originatingand destined

Encryption is applied on the protocol stream such as SSL

Recognize attacks on transportprotocols

Application URL’s, Web services (e.g. operations and messages) andXML/SOAP message flows

Once filtered and authorized Web servicescan flow into the network

Allow or deny XML/SOAP messagesacross the network using rules such asaccess privileges to specific Web serviceoperations

Access control rules are defined using service requester identity andread/write/execute privileges on Webservice operations

Encryption is applied on entire messagesor message elements

Recognize attacks on Web service operations and message content

traditional firewalls web services firewall

Forum Sentry™ Web Services Security GatewayForum Sentry™ is a comprehensive Web Services Security Gateway that functions as a trustedintermediary for exchanging secure Web services between an enterprise and its business partners.Sentry™ enables enterprises to achieve a higher ROI through secure e-business process integration.

Forum Sentry™ supports WS-Security with Digital Signatures, XML-Encryption, WS-Security Headerand SAML. Forum Sentry™ also includes protocol gateway support for FTP, HTTP(S), TibcoRendezvous™ and IBM WebSphere® Message Queues.

ORACLE APPLICATION SERVER 10g AND FORUM SYSTEMS INTEGRATION

Oracle HTTP Server

The Forum XWall Web Services Firewall provides proxy capability to intercept HTTP messagesbetween a client and a back end web server. Security policies can be built to interpret the HTTPpayloads and perform operations on the data stream between client and server (request), andbetween server and client (response).

The Oracle HTTP Server’s full support for HTTP(S), Basic Authentication and SOAP / XML messaginginteroperates with Forum XWall’s proxy mode deployment including HTTP with and without basic authentication and HTTPs with and with and without basic authentication. HTTPs interoperabilityincludes SSL initiation and X.509 certificate path validation on the Oracle HTTP Server X.509 certificate.

Oracle Application Server Web Services

Oracle Application Server Web Services can be deployed and accessed through the Forum XWall WebServices Firewall using the Oracle Application Server generated client. Additionally, the OracleApplication Server WS client can be used to access Oracle Application Server Web Service throughForum XWall. Web Services and SOAP messages can be processed through XWall against the WS-IBasic Profile 1.0, SOAP validation, Archiving, XSLT Transformation, WS-Signature, WS-Encryption,WSDL Policy, and WSDL Access Control.

The Forum XWall Web Services Firewall has full WSDL support to build security policies for thedefined services, ports and operations of a published Web Service. The defined security policiescan be applied to intercepted request and response messages in the Web Service SOAP messagestream.

Oracle Internet Directory

The Oracle Internet Directory can be configured for users and groups that are subsequently importedinto the Forum XWall for policy configuration. XWall uses LDAP for user and group management, X.509 certificate import, and Certificate Revocation List (CRL) retrieval.


Oracle Application Server Certificate AuthorityX.509 Certificates can be generated using the Oracle Application Server CA with PKCS#10 CSRrequests which are generated by Forum XWall. The certificates are published to the OracleInternet Directory and subsequently imported onto Forum XWall using the LDAP protocol. Securitypolicies are built using Oracle CA X.509 certificates including SSL Authentication. All X.509 certificaterevocation checking is performed using CRLs published to the Oracle Internet Directory from theOracle CA.

The following diagram illustrates the network architecture with the above components:


high level invocation path

1. Forum intercepts in-bound request2. Forum proxies request to Oracle Application

Server 10g3. Oracle Application Server 10g executes web

service operation4. Forum intercepts out-bound response5. Forum proxies response to consumer

7

The following table lists the benefits of Forum XWall™ as an in-line policy enforcement serverfor Web services security:

FORUM XWALL™ XML INTRUSION PREVENTION

An administrator would rely on Forum XWall™ to apply security checks on, for example, purchaseorder data flows that exceed a specific total amount. The administrator can configure granularrules that are more or less restrictive. For example, SOAP Header elements can be sanity checkedas SOAP 1.1/1.2 documents.

Constraint-based filtering applied to attributes of SOAP Body elements trap (allow/deny orquarantine) targeted document instances. Purchase order messages could also be blocked ifthey contain unrecognized, unapproved or forbidden data within the transport protocol (e.g.HTTP). If a breach is detected, such as message traffic rates have increased beyond a specificthreshold, XML anomaly detection rules alert an administrator, quarantine requests and preventfurther similar requests from entering the network.

The administrator could also configure a policy to automatically trigger more restrictive rulesprocessing such as XML Schema validation as a precautionary measure if, for example, risk levelsare elevated. Forum XWall™ makes it simple for IT to manage and maximize the flow of Webservices according to system resources and business priorities.

• Terminate (as well initiate) SSL with acceleration• Mutual client and server authentication• Hardened key storage and certificate management

• Trusted and centralized policy enforcement • Parse, inspect and validate messages• XML Schema Validation• SOAP attachments, WSDL, WS-I Basic Profile and SOAP filtering

• WSDL-based protection to control accessibility to Web services• Protect against XML-parser vulnerabilities• Guard against XML-related attacks

• Fine-grained message-level access control • Privileges to read/write/execute Web services operations

A. SSL Concentration Point

B. Bi-Directional XML Proxy

C. XML Intrusion Prevention

D. Transactional Authorization


Forum Complements Oracle Application Server 10gOracle Application Server 10g application developers and IT deployment can rely on Forum XWall™ andForum Sentry™ to provide threat-side and trust-side Web services security including:

DATA–LEVEL NETWORKING

Protocol Gateway• HTTP (S)• FTP• Tibco/Rv• IBM WebSphere MQ• Routing/Quality of

Service• Message Transformation

Transport Level Security• SSL Encryption• SSL X.509 Authentication• HTTP Authentication• Session Access Control

Application Level Protection• URI Virtualization • URI Filtering• URI Access Control

WEB SERVICES SECURITY

Threat Protection• Web Service Cloaking• Message Filtering• Message Validation• Service Access Control• XML Intrusion Prevention

Rules

Trust Services• WS-Security

Authentication • WS-Security Identity

Mgmt / Access Control• WS-Security

Federation/Trust• WS-Security Encryption • Message Archiving

Compliance• FIPS 140-2 Level III HSM• JITC DoD PKI Certification • WS-I Basic Profile

Enforcement

MANAGEMENT & ADMINISTRATION

Policy Management• Roles based access

control• WSDL Authoring Model• Policy Variability Control• Rules-driven policies

Deployment• In-Line Policy Enforcement• Shared Service • Global Device

Management• Software, Appliance,

PCI-Blade• Enterprise Security

Infrastructure Integration

Hardened Security • Hardware Acceleration • FIPS 140-2 Level III HSM• DoD PKI Certification • Secure Operating

Environment


FORUM XWall™ EXAMPLE USE-CASES

The Forum XWall™ administrator has the flexibility to configure any number of content securityprocessing rules as well as associated action rules. Together, these rules make up a comprehensiveWeb services security policy within Forum XWall.

Processing rules identify and control access to specific web services requests and responses, andinclude deep content filtering, web services access management and XML intrusion prevention rules.

A. DEEP CONTENT FILTERING – Inspect and Validate ContentThis phase allows the administrator to rapidly sanitize data flows for unwanted or forbidden messages, or to target specific messages for further content security processing:

i. Auto-validation, compliance and conformance (WS-I Basic Profile, XML 1.0, SOAP1.1/1.2, SOAP w/Attachments, WSDL Types)

ii. XML Schema Validationiii. Regular Expression Matchingiv. XPath Query

B. WEB SERVICES ACCESS MANAGEMENT – Provision and Authorize MessagesThis phase allows the administrator to control which requesters have appropriate read/write/execute permissions on exposed Web services. This phase allows the admin-istrator to go beyond session access control to set fine-grained, message-level access control privileges:

i. SSL X.509 Authentication ii. HTTP Basic Authentication iii. Service provisioning (deploy, activate, deactivate)iv. Session, service-, operation- and message-level access control

C. XML INTRUSION PREVENTION – Prevent against XML-related ThreatsThis phase allows the administrator to trap malicious or hazardous content and requests from reaching the application. This phase also allows the administrator to prevent specificattack possibilities and protect against well-known Web services threats:

i. Pre-defined detection settings ii. Preventative countermeasure settings

Action rules control the passage of message instances in and out of the network and include thefollowing self-descriptive rules that apply to identified or targeted message instances:

• Log and continue data flow• Log and halt data flow• Allow message• Deny message• Deny by default data flow

• Block message• Stealth Block message• Quarantine message• Email Alert Notification • Throttle data flow


Administration All Forum products share an enterprise-class management interface that offers advanced, ease-of-use capabilities that simplify the complexities of configuring, monitoring and deploying securitypolicies for XML encryption, authentication, access control, schema validation and XMLIntrusion Prevention. The management scheme is based on distributed policy managementarchitecture with a policy creation console, policy storage/server, policy decision point and policyenforcement point.

These components operate as one integrated proxy server at the edge of the network. However,there will be instances when policies may be stored within a third-party’s systems managementenvironment. Forum XWall supports this type of model which leverages existing infrastructureinvestment.

Forum Systems products can be configured using three interfaces:

• Command Line Interface

• Web-based Administration

• SOAP Web Services

The administration is based on roles and responsibilities and can be performed on a single product/multiple product instance(s) for global management. The global management capability enablesa policy profile to be replicated (with or without customization) across a distributed cluster ofproduct instances.

The administration can be delegated to third party products such as Web services management,Identify Management and Access Control or traditional Systems Management products usingthird-party agent software resident on the product instances and a SOAP Web services API.

Deployment Options All Forum products are available in three form factors: software, PCI card and hardware appliance.Forum XWall™ is a Web services firewall proxy that provides inbound and outbound processing of Webservices traffic deployed in front of or behind the network firewall as a proxy or in-line gateway.

Forum Sentry is a Web services security gateway that provides inbound and outbound processingof Web services traffic deployed in front or behind the network firewall as a proxy, inline gatewayor an adjunct network service. The Sentry™ application transport protocol support includesHTTP(S), FTP, Tibco Rendezvous™ and IBM WebSphere® MQ.

• The in-line network configuration is a physical bridge between two networks to create a single entry and exit point for all traffic.

• The shared-service mode allows Sentry™ to respond as a co-processor where the calling application can request (in-process) the Forum product to perform a specific operation, such as Digitally Sign a SOAP message. The “API” is HTTP-based with centralized policies controlling the action to be performed.


• Forum XWall™ should be on a different host than the Application Server for effective XMLthreat mitigation. XML Intrusions prevention consumes CPU cycles as the system processesmalicious messages. Forum XWall™ on a separate host such as an appliance or on a PCI card maintains Application Server performance.

The following diagram illustrates three physical deployment options:

The following diagram illustrates a high availability deployment scenario:

firewall

front end destinationvirtual IP 1:443

cisco CS 1150 serieslayer 4.7 content switch

back end destination:virtual IP 2:80

ssl – F1initiation / termination



soa 2

soa 1

soa 3

ids l2 switch

VIP 2 – SOA1:80 SOA2:80 SOA3:80

VIP 1 – F1:443F2:443F3:443

1

2

3 4

Example Traffic Flow Scenario:

1. SSL connection arrives at VIP 12. VIP 1 request gets redirected to the least

loaded Forum Appliance e.g. F23. Forum Appliance F2 terminates SSL, performs

content security processing and forwards the request to VIP 2 which sends request to least loaded Application Server e.g. SOA 3

4. SOA 3 responds back to the Forum Appliance requested session.

Recommended Deployment Architecture with a Load Balancer

• Single Load balancer for in-bound and outbound traffic

• Forum Systems terminates and initiates SSL

• Architecture scales horizontally


Government Requirements Support Forum Systems supports the following key government requirements:

• DoD PKI Certification - The Forum Sentry 1504G appliance has met 100% of the requirementsof the “Department of Defense Class 3 Public Key Infrastructure Public Key-Enabled Application Requirements,” version 1.0 13 July 2000 in the following areas: Retrieving Cer t i f icates, Impor t ing Keys and Cer t i f icates, Stor ing Trust Points, Ver i fy ing Communication Protocols, Checking Certificate Status, Path Development and Processing, Application Configuration and Application Documentation.

• Integrated FIPS Compliance - The Forum Systems Appliance contains an integrated Hardware Security Module (HSM) that is FIPS 140-2 Level III validated. The HSM provides all sensitive cryptographic operations and hardware key storage for both SSL operations and WS-Security operations.

• Digital Signatures - Digital Signatures are digital codes that can be attached to an electronictransmission or document that uniquely identifies the sender. Forum Systems enables Digital Signatures that are essential to secure transmission of content over intranets or the Internet.

• Public Key Infrastructure (PKI) Enablement - PKI employs a two-step approach to protectthe security of communications and business transactions on the Internet. A PKI enabled application must be able to support and work within a Public Key Infrastructure.

• Federal Enterprise Architecture (FEA) - The FEA is an initiative of the federal governmentwhose framework is designed to improve communication flow and efficiency via integrationof disparate systems. It will also enhance cost savings through reuse of technology and components.

• Transaction Archive - A Transaction Archive is a repository for recording the history of XML and non-XML transactions and storing them in an external database. Government agencies must continuously record and audit their mission-critical electronic business transactions to support regular security reviews of all programs and systems. By archivingXML transactions and other content, it is possible to analyze security breaches, maximize operational performance and maintain regulatory compliance.

FORUM XWALL SOFTWARE DOWNLOAD

Thank you for your interest in Forum XWall™ Web Services Firewall. To obtain your FREE TRIALsoftware please complete the request form located at:

http://www.forumsys.com/software_download_oracle.htm

ABOUT FORUM SYSTEMS, INC.

Forum Systems, Inc. is the leader in Web services security with a comprehensive suite of trustmanagement and threat protection solutions for the automated web. Forum Systems hardware,software and embedded products actively protect Web services from the networks edge to theapplication server. Forum Systems products are winners of Network Computing Magazine’sEditor’s Choice Award for 2003, Network Magazine’s Product of the Year 2003 Award, DEMO 2004Innovation and finalist for Network Computing Magazine’s 2003 and 2004 Well-Connected Awards.

Products:

Forum Sentry™ is a comprehensive Web Services Security Gateway that functions as a trustedintermediary for exchanging secure Web services between an enterprise and its business partners.Sentry™ enables enterprises to achieve a higher ROI through secure e-business process integration.

Forum Presidio™ is a comprehensive secure content exchange platform that allows enterprisesto immediately comply with Government privacy regulations using a low cost and easy to managecentralized solution. Presidio™ can be used as a legacy-to-XML security bridge for a smoothmigration to XML Web Services.

Forum XWall™ is the industry’s first Web Services Firewall equipped with XML intrusion pre-vention capabilities to protect enterprises against a new breed of networked threats includingXML viruses, data-level invasions and denial of Web service attacks. XWall™ ensures criticalapplications are appropriately accessible and continuously available by allowing networkadministrators to enforce perimeter policies that check the integrity of data and control accessto exposed enterprise Web services.

Forum FIA™ (Federal Information Assurance Gateway) actively guard’s information as it movesbetween and within federal agencies for secure information sharing. Forum FIA™ meets 100% ofthe DoD’s PKI interoperability testing including FIPS 140-2 Level III Validation.

© 2004 Forum Systems, Inc. All right reserved.


Forum XWall and Oracle Application Server 10...

Documents

Transcript of Forum XWall and Oracle Application Server 10...