Mark Bakker from Xebia -- a specialized international IT consultancy focusing on Enterprise Java -- published an interesting overview of IBM DataPower Security Gateway and Forum Sentry. Mark writes:
"The Forum Sentry has some advantages when you compare it to the IBM DataPower XML Security Gateway XS40. The main difference is that you can do more with only one appliance. You can replace an IBM WebSEAL, a virus scanner and an IBM DataPower XS40 with only one device.
My advice is to take this device into consideration when you have to choose an XML firewall / hardware ESB."
For full article, see: http://blog.xebia.com/2011/03/15/forum-sentry-xml-gateway/
Tuesday, February 7, 2012
Friday, December 9, 2011
XML Security Gateway plugging holes for Public Clouds
Recently, there has been a flurry of news from the XML security world about researchers demonstrating an attack on Amazon's AWS cloud management interface. The attack is an instance of a well-known class of attacks on XML Signature called XML Signature wrapping (also known as XML signature manipulation).
Since the publication of the researchers' paper, Amazon has plugged the hole in its interface. Plugging such holes one at a time is labor intensive and requires constant monitoring, especially when cloud service interfaces are public facing. The risk is more easily mitigated by deploying an XML security gateway in front of the service, without custom code changes.
An XML security gateway prevents exploits like this in several ways. The gateway's primary defense against signature manipulation is signed element verification: in the Amazon scenario, the gateway verifies that the soap:Body and wsu:Timestamp elements it is about to act on are the very elements that were processed during signature verification. A secure gateway checks the actual elements, not the Id attributes that the signature's References point at. This type of verification is the default behavior of XML gateways such as Forum Sentry.
An XML security gateway's WSDL and schema validation would also reject the duplicate soap:Body and wsu:Timestamp elements used in this exploit. Such schema validation is important, but it is not a substitute for signed element verification, because most schemas leave other places, such as SOAP header blocks, in which arbitrary content can be hidden.
Amazon mistakenly assumed that an Id attribute value mapped to only one element, without enforcing the ID uniqueness constraint. When Amazon checked that soap:Body and wsu:Timestamp were signed, it only checked whether a Reference to a matching Id was present in the signature, not whether signature verification had actually processed the elements the application went on to use: a subtle but important distinction. Amazon's use of signed Id verification instead of signed element verification could also allow additional exploits not discussed here. Amazon also neglected to check for multiple soap:Body and wsu:Timestamp elements, a lesser flaw on its own. These flaws could be the result of a misguided attempt to optimize performance by inspecting only the initial portion of the document during certain security processing phases.
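The distinction drawn above between signed Id verification and signed element verification, together with the structural checks that complement it, as an added illustration that is not Forum Sentry's, Amazon's or the researchers' code. The block models only the Reference-resolution and digest step of XML Signature: the signature over SignedInfo is assumed to verify, which is exactly the situation in a wrapping attack, since the attacker alters neither SignedInfo nor the content of the signed element. Python's standard-library C14N is used as a stand-in for the Reference transforms, the SOAP messages are constructed in the block, and the DescribeInstances/TerminateInstances operations and the wsu:Id value are hypothetical.

```python
"""XML Signature wrapping: signed-Id check versus signed-element check.
Added illustration, not Forum Sentry or AWS code. Only Reference
resolution and digest comparison are modelled; the SignatureValue over
SignedInfo is assumed to verify (the attacker never changes it)."""
import copy
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
DS = "http://www.w3.org/2000/09/xmldsig#"
for prefix, uri in (("soap", SOAP), ("wsu", WSU), ("ds", DS)):
    ET.register_namespace(prefix, uri)
ID_ATTR = f"{{{WSU}}}Id"

# Constructed request bodies; the operation names are hypothetical.
DESCRIBE_XML = "<DescribeInstances/>"
TERMINATE_XML = "<TerminateInstances><instanceId>i-0</instanceId></TerminateInstances>"


class SignatureError(Exception):
    pass


def digest_of(elem):
    """Digest of the canonical form of one subtree. It does not depend on where
    the subtree sits in the document (stand-in for the Reference transforms)."""
    xml = ET.tostring(elem, encoding="unicode")
    return hashlib.sha256(ET.canonicalize(xml).encode()).hexdigest()


def build_signed_request(action_xml):
    """Legitimate client: sign the Body by Id, as WS-Security does."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    body = ET.SubElement(env, f"{{{SOAP}}}Body", {ID_ATTR: "body"})
    body.append(ET.fromstring(action_xml))
    sig = ET.SubElement(header, f"{{{DS}}}Signature")
    info = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(info, f"{{{DS}}}Reference", URI="#body")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest_of(body)
    return env


def wrap(env, evil_action_xml):
    """Attacker: move the signed Body under a wrapper in the Header (its digest
    is unchanged) and place a new Body, reusing the same Id, where the
    application will look for it."""
    env = copy.deepcopy(env)
    header = env.find(f"{{{SOAP}}}Header")
    signed_body = env.find(f"{{{SOAP}}}Body")
    env.remove(signed_body)
    ET.SubElement(header, "Wrapper").append(signed_body)
    evil = ET.SubElement(env, f"{{{SOAP}}}Body", {ID_ATTR: "body"})
    evil.append(ET.fromstring(evil_action_xml))
    return env


def resolve_references(env):
    """Reference processing: locate the element carrying each referenced Id
    (first match in document order, as naive resolvers do), check its digest,
    and return the element objects that were actually verified."""
    verified = []
    for ref in env.iter(f"{{{DS}}}Reference"):
        ref_id = ref.get("URI").lstrip("#")
        hits = [e for e in env.iter() if e.get(ID_ATTR) == ref_id]
        if not hits:
            raise SignatureError(f"unresolvable reference #{ref_id}")
        if digest_of(hits[0]) != ref.findtext(f"{{{DS}}}DigestValue"):
            raise SignatureError(f"digest mismatch for #{ref_id}")
        verified.append(hits[0])
    return verified


def accept_signed_id(env):
    """VULNERABLE (signed Id verification): 'is the Id of the Body I am about to
    process referenced by the signature?' Passes as long as *some* element
    carrying that Id verified. Returns the operation the app would execute."""
    resolve_references(env)
    referenced = {r.get("URI").lstrip("#") for r in env.iter(f"{{{DS}}}Reference")}
    body = env.find(f"{{{SOAP}}}Body")  # the element the application acts on
    if body.get(ID_ATTR) not in referenced:
        raise SignatureError("Body is not signed")
    return body[0].tag


def accept_signed_element(env):
    """HARDENED (signed element verification): the Body the application processes
    must be the very element object whose digest was verified."""
    verified = resolve_references(env)
    body = env.find(f"{{{SOAP}}}Body")
    if not any(body is v for v in verified):
        raise SignatureError("Body is not the element the signature covered")
    return body[0].tag


def structural_checks(env):
    """Schema-style checks: exactly one soap:Body and unique wsu:Id values.
    Worth having, but not a substitute for accept_signed_element."""
    bodies = list(env.iter(f"{{{SOAP}}}Body"))
    if len(bodies) != 1:
        raise SignatureError(f"{len(bodies)} Body elements")
    ids = [e.get(ID_ATTR) for e in env.iter() if e.get(ID_ATTR)]
    if len(ids) != len(set(ids)):
        raise SignatureError("duplicate wsu:Id")


def rejected(check, env):
    """True if `check` refuses `env`, False if it accepts it."""
    try:
        check(env)
    except SignatureError:
        return True
    return False


if __name__ == "__main__":
    attacked = wrap(build_signed_request(DESCRIBE_XML), TERMINATE_XML)
    print("signed-Id check executes:", accept_signed_id(attacked))
    print("signed-element check rejects:", rejected(accept_signed_element, attacked))
    print("structural checks reject:", rejected(structural_checks, attacked))
```

The identity test in accept_signed_element is the whole point: comparing the element object the application consumes with the element object the verifier hashed cannot be fooled by a second element carrying the same Id, whereas the string comparison in accept_signed_id can. structural_checks also rejects this particular message, but only because the attacker left two Body elements and a duplicate Id behind; a variant that hides the signed element somewhere the schema tolerates would pass it and still fail the identity check.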
This specific signature exploit and other critical flaws are well-known and common in do-it-yourself security implementations, so it's essential for companies like Amazon to leverage proven security solutions and partners. These exploits indicate an apparent lack of gateway protection that could make Amazon a popular target for new exploits. Perhaps Amazon has already been the target of other undisclosed exploits. And just imagine how many other companies are hosting sensitive services without adequate gateway protection. Amazon and other web service providers need a viable commercial security strategy, and customers should expect real protection for their sensitive data and infrastructure.
Labels:
Forum Sentry,
Public Clouds,
XML Security
Wednesday, July 27, 2011
Managed File Transfer belongs under SOA Governance umbrella.
Jack Vaughan's recent article covers an important emerging trend: the convergence of SOA and MFT technologies. Managed File Transfer (MFT) is the baseline mechanism for moving information within and between corporations, using legacy protocols such as FTP. With the emergence of modern SOA-related protocols, companies are now migrating away from the less secure and less reliable transports that MFT has traditionally relied on. This trend is also driven by regulatory requirements including PCI, HIPAA and GLBA.
Link to Jack's article: Updated XML gateway brings FTP under SOA Governance umbrella.
Excerpt from the article:
Despite SOAP and SOA inroads, the vaunted File Transfer Protocol (FTP) continues to flourish in organizations that - not surprisingly - need to transfer files. Finance and banking both represent FTP bastions - although both sectors are also on their way to becoming SOA strongholds of sorts.
Bringing FTP - originated in the 1970s - under the general umbrella of governance is an eventual goal for many of these companies. Forum Systems, a Crosscheck Networks' subsidiary, seeks to support such efforts with a recent update to the Forum Sentry Gateway.
The latest version of the gateway offers content-level security for structured and unstructured data for documents of unlimited size using the OpenPGP standard, while also enabling message transfers over a variety of secured and unsecured transport protocols. Moreover, the software allows organizations to plan migrations from batch FTP processing to SOAP with Attachments (SwA)(MIME, DIME, MTOM), while using existing centralized governance policies across both legacy and modern message formats.
Labels:
MFT,
XML Gateway
Tuesday, April 19, 2011
Evolving from Static HTML to Dynamic Portals: Security Implications
Companies that deploy websites with static HTML content typically protect them with Web Application Firewalls (WAFs). With the proliferation of social media-style interaction via browsers and mobile devices, corporate portals are evolving from "refresh-mode" pages into "widget-mode" portals that integrate disparate company systems into a unified customer portal. Each widget may be an independent unit with its own data feeds and update intervals. The rapid evolution from static HTML websites to dynamic web portals that function as composite applications could not be more evident than in the banking applications we are now accustomed to. The security implications of dynamic portals are primarily driven by the following factors:
- Content Complexity: HTML, XML, SOAP, JSON, MTOM, SwA, PDFs, GIFs and JPEGs are a few of the content types generated and consumed by web portals.
- Identity Diversity: From simple cookies to signed SAML tokens, web portals have to handle a plethora of token types and provide federated identity capabilities for single sign-on.
- Malware Matrixing: A matrixed set of channels, one per content type, is now available for malware to make its way into the enterprise. For example, in the static HTML days SQL injection arrived in HTML form data; now it can just as readily arrive inside XML.
Forum Systems, the only patented XML Gateway in the industry, has now extended its technology leadership by addressing security for dynamic web portals with the announcement of Forum Sentry WAF at Infosec UK, 2011. For details, see Forum Sentry WAF.
For product announcement, see: Forum Systems delivers Industry's First Unified Content Firewall.
Labels:
Forum Sentry,
WAF
Tuesday, November 2, 2010
Cisco ACE gateway EOL: How to Pick a Replacement XML Gateway
It's official: Cisco has published End-of-Life announcements for its Cisco ACE XML Gateway. Here are the top factors that customers must consider in making replacement decisions:
- Select a Patented Product: Going with non-patented XML Gateway means that customers will have to replace their XML Gateways in the future yet again. Customers tend to select innovative and leading technology providers with defensible Intellectual Property (IP). They prefer to minimize their risk by avoiding trailing "me-too" technologies that continue to copy the leading patented XML Gateways.
- Conclusion: Ask for vendors patents. Forum Sentry is the only XML Gateway Appliance with a published patent (Patent #7,516,333).
- Understand XML Gateway vs. ESB: Would you add custom code to your network packet firewall? Then why would you ever consider adding custom code to your XML Gateway? A clear separation of roles should be enforced between an XML Gateway and an ESB/Application Server. When replacing the Cisco ACE XML Gateway, focus on security. Let the ESBs and Application Servers run your custom code. If you choose an XML Gateway that allows you to drop jar files, shared objects or any other arbitrary code into its runtime environment, then you have selected an XML Gateway with a flawed security model. Such XML Gateway architectures can make you feel safe while compromising your corporate infrastructure, especially your sensitive data.
- Conclusion: Review vendors' XML Gateway architecture before replacing the Cisco ACE Gateway. Don't make the same mistake twice. Cisco's architecture permitted dropping code on the Gateway that resulted in a poor security model. Other XML Gateway vendors have followed Cisco's XML Gateway architecture that permits adding custom code. IBM DataPower and Forum Sentry are the only products that do not permit arbitrary code to be dropped into their XML Gateways and stay true to the XML Gateway roles.
- Demand Independent Security Assessment: XML Gateways are typically deployed close to the corporate boundary and serve as a centralized conduit for information exchange between corporations and their trading partners. The nature, volume, and value of transactions flowing through the XML Gateway requires a high degree of security and reliability.
- Conclusion: Review vendors' independent security assessments. FIPS 140-2 is the gold standard for independent security assessment. Demand certification details from vendors. Sticking an HSM crypto card into a hardware appliance and claiming FIPS certification is not sufficient: the ENTIRE XML Gateway, not just the HSM crypto card, should be FIPS 140-2 certified. For any other certification, ask for the "boundary" of the certification, because a certificate only covers what lies inside that boundary. Most vendors have never subjected their entire XML Gateway appliance to an independent security evaluation. Forum Sentry is the only product in the industry to have achieved FIPS 140-2 certification across the entire hardware boundary.
- Validate Comparable Features: Migration of your policies from the Cisco ACE Gateway to the replacement XML Gateway should be seamless. The selected XML Gateway should be architected with a modular policy design so that fundamental constructs such as keys, encryption/signature policies and firewall rules can be readily moved from the ACE Gateway to the replacement platform. The selected gateway should have the same or better functionality than the Cisco ACE Gateway.
- Conclusion: Selecting patented, industry-leading XML Gateway is paramount. This ensures that there are no functional gaps between existing and replacement products. XML Gateway companies that continue to innovate and patent their IP are more sustainable and provide broader features than vendors that follow the leaders.
- Replacement Costs: For corporations that have made a bet on technology that has been EOLed, there are a number of costs including: i) Product Cost ii) Configuration Cost iii) Transition Costs. iv) On-going support and maintenance costs. Replacement vendors should have flexible pricing models to accommodate your corporate EOL plan.
- Conclusion: Select vendors that can work within your budget and time-lines. Vendors should be flexible in reducing your CapEX expense while working with your planned multi-year support and maintenance budgets. Depending on the complexity of your policies, vendors should be open to helping you with your migration costs. For a duration, you may be required to run both Cisco ACE and your new XML Gateway together while you migrate away from the ACE Gateway. Your selected XML Gateway vendor should provide pricing options to accommodate this transition process.
Labels:
Cisco EOL,
XML Gateway
Wednesday, October 6, 2010
Next Generation of patented XML Gateway - Forum Sentry v8.0 - announced in Berlin, Germany
New Capabilities for Company's Flagship XML Gateway Ease Enterprise-to-Cloud Migration; Enable Seamless Extension of SOA to the Cloud
BOSTON and BERLIN, Oct. 5 /PRNewswire/ -- Crosscheck Networks, Inc. today introduced the next generation of its flagship product, Forum Sentry v8.0, helping organizations seamlessly migrate their enterprise SOA deployments to the cloud while capitalizing on the cloud computing model for business and competitive advantage. The company unveiled the latest version of Forum Sentry at the International SOA & Cloud Symposium, the world's largest international SOA and cloud computing conference.
Notably, at the show today, Crosscheck Networks (Booth # 13) CEO Mamoon Yunus will explore enterprise-to-cloud migration in the session, "Requirements for Extending Enterprise SOA to Public Clouds." Additionally, company CTO Jason Macy will share best practices in SOA threat defense in "SOA Threat Modelling: Attacking and Defending REST, XML and SOAP based Services."
With patented XML security acceleration technology and an architecture certified by NIST and the U.S. Department of Defense, the Forum Sentry XML Gateway is the industry standard for XML and SOAP security, access control and integration. Deployment highlights include processing:
- More than one billion transactions per day globally;
- 95% of the world's credit card information; and
- 80% of the traffic at one of the world's largest and most respected telecommunications services companies.
Underscoring its increasing adoption worldwide, Forum Sentry serves as the transactional foundation at more than 300 global organizations including:
- One of world's premier treasuries, which leverages Forum Sentry to accommodate the increased volume, and processing, of large data files -- up to 10 GB each in size;
- Europe's top counter-terrorism organization, which utilizes Forum Sentry to coordinate rapid information sharing among its neighbor countries; and
- One of the U.S.'s longest-standing and largest health benefits companies, which uses Forum Sentry to promote secure exchange of its Electronic Health Records (EHR).
According to Lydia Leong, Research VP, Gartner, "Although many organizations first look at cloud IaaS [Infrastructure as a Service] because they're interested in cost savings, agility and flexibility, rather than cost, tend to be the eventual primary drivers; the cost of the cloud IaaS, especially in comparison to efficient large-enterprise IT, can be higher than IT managers expect."(1)
"As organizations scale their infrastructures to accommodate rapid business growth and increased customer demand, they are frequently looking to the public cloud to help them offset capital expense and operational costs. But without the appropriate tools, businesses are unable to determine the true costs of cloud migration," said Crosscheck Networks CEO Mamoon Yunus. "With our simulation tool, CloudPort, we enable enterprises and government entities to perform the requisite cost analysis, and evaluate and select a provider for migrating all or parts of their infrastructure to the cloud."
Yunus continued: "Once organizations determine that moving to the public cloud makes business and fiscal sense, Forum Sentry's next-generation platform empowers them to take the next step -- migrating to the cloud cost effectively while securely extending their SOA deployments for the most seamless enterprise-to-cloud integration."
Helping organizations to successfully leverage the cloud computing model, key new capabilities in Forum Sentry v8.0 include:
- Integrated Cloud Adaptors for dynamic provisioning, auto scaling and load balancing across multiple cloud providers including Amazon EC2, OpSource Cloud, GoGrid and Rackspace.
- A Centralized WSDL Library and Extended Virtualization Support via Virtual WSDL and WSDL Versioning for increased collaboration and control of business services across diverse application development, security and testing roles.
- A Robust Management API for enhanced policy life cycle management, and secure, versatile cloud configuration, deployment and administration.
- Oracle WebLogic and JBoss Enterprise Middleware Adaptors to bolster federated SOA deployments. This support builds on the announcement earlier this year by Crosscheck Networks, a Red Hat Ready Partner, that the company has joined the Red Hat Independent Software Vendor (ISV) Partner Program.
- REST Identity Adaptor for flexible integration with custom enterprise identity systems.
About Crosscheck Networks
Crosscheck Networks and its wholly owned subsidiary Forum Systems deliver solutions for deploying robust, resilient, secure and reliable Service Oriented Architecture (SOA). More than 50,000 users in 42 countries across organizations such as the U.S. Treasury, British Telecommunications, Fidelity, Premera Blue Cross and the Dutch Health Care System rely on Crosscheck Networks and Forum Systems as the backbone of their secure transaction processing. Recognized as a technology innovator and security leader, Crosscheck Networks is the only company granted a patent for its Forum Sentry XML Gateway and has been certified by NIST and the U.S. Department of Defense. Forum Sentry is the de facto standard for XML and SOAP security, and Forum Systems has key OEM relationships with Barracuda Networks and Radware, among others. For more information, please visit www.crosschecknet.com.
(1) Gartner, "Cloud Infrastructure as a Service: An Essential Overview" by Lydia Leong, September 8, 2010
Labels:
XML Gateway
Monday, February 8, 2010
XML Gateway Myths
There are some common XML Gateway myths that this post would like to dispel. These myths arise when vendors overwhelm customers with the latest bells and whistles of their products without explaining the fundamental capabilities of the product.
Myth #1: FTP protocol is only used to transfer unstructured bulk data to our back end systems.
FTP (File Transfer Protocol) is the workhorse protocol still used today for the majority of bulk file transfers between enterprises. FTP may be a legacy protocol, but it is one of the most reliable and interoperable file transfer protocols available to businesses today. FTP can be used not only to transfer unstructured data but also to transfer SOAP or XML data between different systems. An XML Gateway supports XML data transfers over FTP for inbound or outbound traffic. An XML Gateway can also bridge between the FTP and HTTP protocols: for example, an incoming HTTP request carrying XML can be forwarded as an FTP transfer carrying the same XML data, or vice versa.
Myth #2: We don't need to virus scan SOAP with attachments since we have a virus scanner deployed at the edge.
The notion that a virus scanner that inspects every incoming raw file at the edge of the network, before it reaches the back end, is sufficient for SOAP with Attachments provides a false sense of security. First, most SOAP/XML traffic arriving from the Internet is SSL/TLS-protected. A virus scanner at the edge cannot peer into encrypted data on its way to the back-end application servers. Second, even if the SSL traffic is decrypted at the edge, the attachments in a SOAP with Attachments message may themselves be encrypted at the content level or Base64 encoded, rendering a byte-pattern edge scanner ineffective. An XML gateway terminates the SSL connection, performs content-level decryption and decodes the attachments for on-board virus scanning.
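The gap described above, as an added example that is not Forum Sentry's code: a constructed SOAP-with-Attachments request (multipart/related, with the attachment Base64-encoded as SwA ships binaries) is scanned twice, once over the raw bytes the way an inline scanner sees the wire, and once after parsing the MIME structure and decoding each part the way a gateway does. The block assumes TLS has already been terminated; the byte signature is a made-up marker standing in for a real antivirus pattern, and the UploadClaim operation and Content-IDs are hypothetical.

```python
"""Edge byte-scanner versus gateway scan of a SOAP with Attachments request.
Added example, not Forum Sentry code. Assumes TLS is already terminated."""
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Made-up byte signature standing in for a real AV pattern (not a real sample).
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER-NOT-A-REAL-SAMPLE"

# Constructed SOAP root part; UploadClaim and the cid: reference are hypothetical.
SOAP_PART = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><UploadClaim><document href="cid:claim.pdf"/></UploadClaim></soap:Body>
</soap:Envelope>"""


def build_swa_request(attachment: bytes) -> bytes:
    """Client side: multipart/related with the SOAP envelope as the root part and
    the attachment as a Base64-encoded application/pdf part."""
    msg = MIMEMultipart("related", type="text/xml", start="<soap>")
    root = MIMEText(SOAP_PART, "xml")
    root["Content-ID"] = "<soap>"
    msg.attach(root)
    part = MIMEApplication(attachment, "pdf")  # MIMEApplication base64-encodes by default
    part["Content-ID"] = "<claim.pdf>"
    msg.attach(part)
    return msg.as_bytes()


def scan_raw(wire_bytes: bytes) -> bool:
    """Edge-scanner view: pattern match over the bytes as they appear on the wire."""
    return SIGNATURE in wire_bytes


def scan_decoded(wire_bytes: bytes) -> list:
    """Gateway view: parse the MIME structure, decode every leaf part (undoing
    Base64 / quoted-printable) and match against the decoded bytes.
    Returns the Content-IDs of the parts that hit."""
    msg = message_from_bytes(wire_bytes)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload and SIGNATURE in payload:
            hits.append(part["Content-ID"])
    return hits


if __name__ == "__main__":
    # Constructed attachment: a PDF-looking blob with the marker inside it.
    request = build_swa_request(b"%PDF-1.4\n" + SIGNATURE + b"\n%%EOF\n")
    print("raw bytes contain signature:", scan_raw(request))   # False
    print("decoded parts that hit:", scan_decoded(request))    # ['<claim.pdf>']
```

Base64 is not encryption, but it is enough to defeat a scanner that only pattern-matches the wire bytes; the same walk-and-decode loop is where a gateway would also apply XML Decryption before handing the plaintext to the scanner.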
Myth #3: XML Gateways cannot handle non-XML requests for authentication and authorization.
XML gateways have always had strong integration with traditional identity management systems; authentication and authorization of inbound SOAP or XML traffic is one of the strongest pillars of an XML Gateway. Given that tie-in, XML Gateways are no longer relegated to authenticating and authorizing XML traffic only. An XML Gateway today has the same capabilities to authenticate and authorize non-XML requests that one would find in a software web agent installed in Microsoft IIS or an Apache server. In fact, XML gateways make it easier for enterprises to manage the authentication and authorization of XML and non-XML (HTML) requests on a single gateway.
Enterprise customers that are deploying Service-Oriented Architecture (SOA) using XML web services should be cognizant of these myths. An XML Gateway provides rich functionality that extends its capabilities beyond traditional web services XML integration use cases.