• No results found

IONA Security Platform

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "IONA Security Platform"

Copied!
23
0
0

Loading.... (view fulltext now)

Download now ( 23 Page )

Full text

(1)

© Copyright IONA Technologies 2001 End 2 Anywhere™

IONA Security Platform

IONA Security Platform

February 22, 2002

Igor Balabine, PhD

(2)

Agenda

• IONA Security Platform (iSP)

architecture

• Integrating with Enterprise security

services and administration

• iSP adapter internals

• Protecting Web Services

• Q&A

(3)

© Copyright IONA Technologies 2001 End 2 Anywhere™

(4)

Why A Security Platform?

IONA Security Platform (iSP):

– allows to insulate applications from the diverse and changing enterprise security infrastructures. – provides a uniform standards based approach to

communicating security related requests across the enterprise.

– provides applications a single access point to

multiple security services such as authentication, authorization and PKI.

iSP binds IONA products with any enterprise security infrastructure via development of a custom adapter!

(5)

© Copyright IONA Technologies 2001 End 2 Anywhere™ 5

iSP Architecture

Application

App ↔↔↔↔ iSP Adapter

Native API calls: no changes in the application code! Request/Response

messages over IIOP/http(s)/RMI: support for distributed and co-located deployments

IONA Security Service (iS2) iSP ↔↔↔↔ ESS Adapter

Enterprise Security System (ESS)

Third party security system native protocol

JART

Native API example:

EJBContext.getCallerPrincipal() EJBContext.isCallerInRole()

(6)

IONA Security Service (iS2)

IONA Security Service (iS2):

– Is a servlet running in JART or in any standard application server.

– Uses a very simple flow:

• receives a request message

• determines the request type from the message content • loads an appropriate protocol specific module (if the

module is not loaded yet)

• dispatches message content to protocol specific module.

– In short: iS2 is a scaleable (intelligent) dispatcher!

iS2 is iSP’s focal point but not a

bottleneck!

(7)

© Copyright IONA Technologies 2001 End 2 Anywhere™

Integration With Enterprise

Security Services And

(8)

AuthN and AuthZ Services

• Authentication and authorization services are supported via iS2 adapters.

• Internal protocol: SAML – satisfies purposes and allows extensibility. Could be easily replaced if necessary: internal interface is generic.

• Supported authorization models: coarse grain – RBAC (J2EE, Web Services), fine grain – DAC (CORBASEC, B2Bi).

SAML protocol allows communicating

arbitrary security assertions between

(9)

© Copyright IONA Technologies 2001 End 2 Anywhere™ 9

PKI Services

• PKI services are supported via iS2 adapters.

• Internal language: XKMS – powerful and

extensible. Endorsed by industry leaders

(Verisign, Entrust, MSFT).

• Initial use: integration with certificate stores.

• Advanced use: validation services.

Many PKI vendors are expected to

adopt XKMS: iS2 PKI adapter

(10)

iSP At Work

IONA Security Server (iS2)

IONA Java SAML/XKMS Library Product specific adapter A2 System SAML/A2 adapter To Au+Az system

3rdparty A2

system adapter: Netegrity, Windows Domain, LDAP, Evidian, etc. http/https Interface IIOP Interface

CORBA or Web Application

JART IONA C/C++ SAML/XKMS Library Product specific adapter

CSI v.2/SAML Mapper

Product specific interface example:

EJBContext.getCallerPrincipal() EJBContext.isCallerInRole()

PKI System

XKMS/PKI

adapter To PKI

system

3rd party PKI

system adapter: Entrust Authority, Baltimore,

(11)

© Copyright IONA Technologies 2001 End 2 Anywhere™ 11

iSP Administration

• Solutions integrated with 3rd party systems are

managed using native administrative tools, e.g. SiteMinder console for an enterprise which uses Netegrity SiteMinder

• IONA applications use iSP authorization models (RBAC, DAC) class libraries to manage native authorization policies via IONA Administrator

• iSP Auditing Component provides logs in a standard format (syslog) easily consumable by event

monitoring systems.

iSP offloads administrative tasks to 3

rd

party

tools where possible and provides

components to manage custom security

information!

(12)
(13)

© Copyright IONA Technologies 2001 End 2 Anywhere™ 13

Application Adapter Architecture

Product specific service adapter

Protocol Library (iSAML, iXKMS)

iS2 Bind

ings

Librar

y

Application specific interface

Support for message formatting and transport

(14)

iS2 Plug-In Modules

IONA Security Service iS2 Message over

http(s)/IIOP/RMI

iS2 Plug-in Module SPI

Verifies and decrypts protected iS2 messages and dispatches to the appropriate plug-in adapter based on the message type.

iS2

Java object mapper

Converts iS2

message into a Java object

JART or App Server

Native Service Protocol

(15)

© Copyright IONA Technologies 2001 End 2 Anywhere™

(16)

Typical “Secure” Deployment

Fire wal l Fire wal l Prox y serv let We b Se rv ic e In te rn al Ap plic at io n Incoming http/https connection Secondary protocol connection (IIOP, SSH, FTP, etc.)

DMZ Intranet

(17)

© Copyright IONA Technologies 2001 End 2 Anywhere™ 17

Problems With Traditional

Deployment

• Internal firewall has to be opened for secondary IIOP

connections: nothing prevents the attacker from penetrating internal firewall using the secondary protocol!

• Same problem with SSH especially after discovery of a

weakness in the SSH protocol (short byte sequences – e.g. key strokes - allow to recover session key).

• FTP client and server in the active mode open listening ports and require a hole in the firewall.

• FTP client and server in the passive mode suffer from the server side PASV exploits (“Pizza Thief”: rogue client connects to a newly opened port) and from port number substitution exploits by rogue servers (see http://www.securiteam.com/exploits/5YP0E000HG.html).

Traditional deployment exposes internal hosts to potentially hostile DMZ environment!

(18)

Deployment With IONA Secure

Gateway (iSG)

Fire wal l Fire wal l Iden ti ty serv let XM L Va li da tion We b Se rv er IONA GW Fr ontend IO NA GW Backend In te rn al Ap plic at io n Incoming http/https connection Pool of outbound

https connections http/https connection DMZ Intranet Internet We b Se rv ic e

(19)

© Copyright IONA Technologies 2001 End 2 Anywhere™ 19

iSG At Work

Fire wal l Fire wal l We b Se rv er We b Se rv er IO NA GW Backend DMZ Internet Intranet REQ

res (REQ*) req ( ) 1

2

3

REQ* 4

RES 5

req (RES) 6

RES 7 Iden ti ty serv let XM L Va li da tion IONA GW Fr ontend We b Se rv ic e

(20)

iSG Benefits

• The internal firewall is closed to all inbound traffic. • HTTP headers of the inbound messages are parsed

and filtered in the DMZ preventing buffer overflow

attacks (e.g. CodeRed Worm, Nimda) on the Intranet machine running Web Service.

• Message headers and content could be scanned for viruses and attack signatures by virus and IDS plug-ins.

• Incoming messages on the DMZ machine are never written to the disk.

(21)

© Copyright IONA Technologies 2001 End 2 Anywhere™ 21

More iSG Benefits

• iSG scales linearly and could be deployed in

n:m configuration.

• Computationally intensive SSL handshake is

offloaded to machines in the DMZ.

• SSL connections between the Internal

Gateway machine and machine in the DMZ

could be authenticated using certificates

issued by a private CA.

iSG offloads computationally intensive

cryptographic computations from internal

application servers!

(22)

Conclusion

• IONA Security Platform (iSP) provides

applications a robust integration layer

with Enterprise wide security services.

• iSP architecture is flexible and allows

integration with diverse security

solutions.

• iSP covers such important aspects of

security as network protection,

authentication, authorization and PKI

services.

(23)

© Copyright IONA Technologies 2001 End 2 Anywhere™

Q&A

References

Download now ( PDF - 23 Page - 97.73 KB )

Related documents

An Evaluation of the Idaho Opportunity Scholarship. Cathleen M. McHugh, Ph.D. November 20, 2015 Updated: January 20, 2016

$0 $1,000 $2,000 $3,000 $4,000 $5,000 $6,000 $7,000 $8,000 $9,000 $10,000. 3 3.2 3.4 3.6

Book Of Kells Letter E

The Book of Kells is now kept in the library of Trinity College in Dublin, the scribes on Iona and at Kells display a breathtaking originality and creativity in their treatment of

Kendra L. Gagnon CURRICULUM VITAE

Section on Pediatrics: Early Intervention Special Interest Group, American Physical Therapy Association Combined Sections Meeting, Chicago, IL, February 2012. Intellectual Property

Basketball. Iona Sport Season Planner. 15 September

On Tuesday, the Iona Year 6 team competed in the Metropolitan East Regional Rugby League Shield.. 2021 Major Rugby League Awards Senior Player of the Year Callum Stoker

Sample Pages. Andreas Gebhardt. Understanding Additive Manufacturing. Rapid Prototyping - Rapid Tooling - Rapid Manufacturing

If an electron beam is used instead of a laser the process is called electron beam melting (EBM), and if the energy is provided by a radiator through a mask, it is called

Inferences for the Lead Time in Breast Cancer Screening Trials under a Stable Disease Model

For each six-month decrease in screening interval length, we estimated the percent increase in mean lead time, as well as the percent increase in the proportion of

Mechanical And Tribological Properties Of Ultra High Molecular Weight Polyethylene With Zinc Oxide Antibacterial Agent For Joint Implant

In a nutshell, the main concern of the present study is the improvement of wear resistance for UHMWPE composite with additional antibacterial properties; seen as the best choice