Implementing SOA Patterns: The Service Firewall

SOA Enterprise Patterns has a great discussion of SOA security and patterns, including a nice article on the composite domains and implementation of a security pattern.

There are several mechanisms through which the Service Firewall pattern can be implemented, each with pros and cons that should be considered before deciding which to implement. Security professionals generally suggest a layered approach, with multiple solutions in order to address all the security-based concerns inherent in a SOA.

Reduces Complexity | Loosely Coupled | Centralized (Reusable) | Last Mile Addressed | Stops Logic Exploits
Web Application Firewall: XXX
Agent-based Solution: XXX
Custom code: XX

Regardless of the solution architected, it should address all (or at least as many as possible) of the threats against XML-related messages. Arnon Rotem-Gal-Oz does a good job of categorizing these into four basic sets of threats:

  1. Tampering
    Parameter and content tampering
  2. Information Disclosure
    Content scrubbing, such as scanning for SSN in outbound messages or removing credit card numbers
  3. Denial of Service
    Message size and connection limiting
  4. Elevation of Privilege
    Buffer overflows and injection attacks designed to obtain escalated privileges
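
The inbound and outbound checks behind categories 2 and 3 can be illustrated in a few lines of Python. This is an added example, not code from the article, from Rotem-Gal-Oz's pattern, or from any product; the limits, patterns, and function names (`check_inbound`, `scrub_outbound`) are assumptions chosen for illustration.

```python
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024   # assumed per-message size ceiling
MAX_DEPTH = 20          # assumed element-nesting ceiling
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so long reference numbers are not mistaken for cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_inbound(raw: bytes):
    """Denial of Service side: return (allowed, reason) for a request message."""
    if len(raw) > MAX_BYTES:
        return False, "message too large"
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        return False, "DTD/entity declarations not allowed"
    depth = 0
    try:
        parser = ET.XMLPullParser(events=("start", "end"))
        parser.feed(raw)
        for event, _elem in parser.read_events():
            depth += 1 if event == "start" else -1
            if depth > MAX_DEPTH:
                return False, "nesting too deep"
        parser.close()                      # raises ParseError on truncated input
    except ET.ParseError:
        return False, "malformed XML"
    return True, "ok"

def scrub_outbound(text: str) -> str:
    """Information Disclosure side: mask SSNs and Luhn-valid card numbers."""
    def mask(m):
        digits = re.sub(r"\D", "", m.group())
        return "[card removed]" if luhn_ok(digits) else m.group()
    return PAN_RE.sub(mask, SSN_RE.sub("***-**-****", text))

if __name__ == "__main__":
    # Constructed sample messages, not taken from the article.
    print(check_inbound(b"<order><id>7</id></order>"))
    print(check_inbound(b"<a>" * 30 + b"</a>" * 30))
    print(scrub_outbound("<r>SSN 123-45-6789, card 4111 1111 1111 1111</r>"))
```

The Luhn check keeps a 16-digit order or reference number intact while still masking a value that validates as a card number.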

The Service Firewall becomes, then, more difficult to implement because there are several ways in which it can be implemented, using several different technologies. You could use BIG-IP Application Security Manager (ASM) as a centralized WAF to implement the pattern, placing ASM at the edge of the network as a transparent or inline proxy service that bi-directionally scans messages for potential threats. This has the advantage of providing protection for all services, and it reduces complexity through centralization. You could also use iRules to implement any number of centralized, reusable threat-based protections, particularly against threats launched via content and connections, such as an xDoS attack. This has the benefit of customization to the environment, but may not offer advanced features included in WAF products, such as signature scanning and policy-based security. Neither addresses logic-based exploits, which are typically cited as the primary driver for custom-code-based security solutions in a SOA environment.

As noted above, no single solution can address all the issues inherent in securing SOA from the myriad attack vectors possible. A layered defense is likely the best option if you're hoping to address all the threats and reap the benefits of your SOA implementation.

Additional Resources:

Arnon Rotem-Gal-Oz's Service Firewall Pattern preview

Imbibing: Coffee

Published May 14, 2007
Version 1.0
