Implementing SOA Patterns: The Service Firewall
SOA Enterprise Patterns has a great discussion of SOA security and patterns, including a nice article on the composite domains and implementation of a security pattern.
There are several mechanisms through which the Service Firewall pattern can be implemented, each with pros and cons that should be considered before deciding which to implement. Security professionals generally suggest a layered approach, with multiple solutions in order to address all the security-based concerns inherent in a SOA.
Reduces Complexity | Loosely Coupled | Centralized (Reusable) | Last Mile Addressed | Stops Logic Exploits | |
Web Application Firewall | X | X | X | ||
Agent-based Solution | X | X | X | ||
Custom code | X | X |
Regardless of the solution architected, it should address all (or at least as many as possible) of the threats against XML-related messages. Arnon Rotem-Gal-Oz does a good job of categorizing these into four basic sets of threats:
- Tampering
  Parameter and content tampering
- Information Disclosure
  Content scrubbing, such as scanning for SSN in outbound messages or removing credit card numbers
- Denial of Service
  Message size and connection limiting
- Elevation of Privilege
  Buffer overflows and injection attacks designed to obtain escalated privileges
The Service Firewall becomes, then, more difficult to implement because there are several ways in which it can be implemented, using several different technologies. You could use BIG-IP Application Security Manager (ASM) as a centralized WAF to implement the pattern, placing ASM at the edge of the network as a transparent or inline proxy-service that bi-directionally scans messages for potential threats. This has the advantage of providing protection for all services and reduces complexity through centralization. You could also use iRules to implement any number of centralized, reusable threat-based protections, particularly those launched via content and connections, such as an xDoS attack. This has the benefit of customization to the environment, but may not offer advanced features included in WAF products such as signature scanning and policy-based security. Neither addresses logic-based exploits, which are typically cited as the primary driver for custom-code based security solutions in a SOA environment.
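The bi-directional scanning described above, reduced to two checks from the threat list: inbound size and nesting limits (Denial of Service) and outbound SSN and card-number scrubbing (Information Disclosure). This is an added example in Python, not ASM or iRules code; the limits, function names and sample values are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024   # assumed inbound message size limit
MAX_DEPTH = 20          # assumed element nesting limit

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid masking order ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_inbound(body: bytes):
    """Inbound side: return (allowed, reason) for a request message."""
    if len(body) > MAX_BYTES:           # cheap check first, before any parsing
        return False, "message too large"
    depth = 0
    try:
        parser = ET.XMLPullParser(events=("start", "end"))
        parser.feed(body)
        for event, _ in parser.read_events():
            depth += 1 if event == "start" else -1
            if depth > MAX_DEPTH:
                return False, "nesting too deep"
        parser.close()                  # raises on truncated documents
    except ET.ParseError:
        return False, "malformed XML"
    return True, "ok"

def scrub_outbound(text: str) -> str:
    """Outbound side: mask SSNs and Luhn-valid card numbers in a response."""
    text = SSN_RE.sub("***-**-****", text)

    def mask(match):
        digits = re.sub(r"\D", "", match.group())
        return "*" * 12 + digits[-4:] if luhn_ok(digits) else match.group()

    return PAN_RE.sub(mask, text)
```

Placed in a proxy in front of the services, `check_inbound` would run before a request is forwarded and `scrub_outbound` on each response; neither touches the logic-based exploits the paragraph above assigns to custom code.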
As noted above, no single solution can address all the issues inherent in securing SOA from the myriad attack vectors possible. A layered defense is likely the best option if you're hoping to address all the threats and reap the benefits of your SOA implementation.
Additional Resources:
Arnon Rotem-Gal-Oz's Service Firewall Pattern preview