
XML firewall service

© Copyright IBM Corporation 2009


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Unit objectives
After completing this unit, you should be able to:
• List the features and functions of an XML firewall service
• Configure an XML firewall service on a WebSphere
DataPower SOA Appliance



What is an XML firewall service? (1 of 2)
• An XML firewall service protects and
accelerates XML-based applications
– Process XML documents at near wire speed
– Increase back-end application performance by
taking on processor-intensive XML manipulation
tasks
• Perform schema validation on incoming and
outgoing messages
– Most organizations disable schema validation for their
XML-based applications
– Monitor traffic to and from the service using
message monitors



What is an XML firewall service? (2 of 2)
• Provides XML threat protection from XML-based attacks
– Protect against single and multiple message DoS
attacks
• Offloads Web service security processing
from application servers
• Encrypts and decrypts using XML encryption
– Signs and verifies using XML signatures
• Decouples service client from provider
through service virtualization
– Rewrites client URLs to mask underlying
resource
– Provides dynamic message routing based on
message content



Configuring an XML firewall service
1. Create an XML firewall DataPower object by:
● Invoking the XML firewall wizard
● Creating a new XML firewall object in the Objects section

2. Configure service-wide settings:
● Front and back-end network settings
● Client/server SSL
● XML Manager
● URL rewrite policy
● HTTP headers
● Monitors
● XML threat protection

3. Implement the service policy
● Create request, response, or error rules
● Each rule uses a single Match action and one or many processing actions


XML firewall service — Object model
• The XML firewall object diagram
[Figure: object diagram of the XML Firewall and the objects it references. Objects shown: Crypto Shared Secret Key, Crypto FW Creds, Crypto Key, Crypto ID Creds, Crypto Certificate, SSL Proxy Profile, Crypto Profile, Crypto Val Creds, CRL Retrieval Policy, Access Control List, AAA Policy, Kerberos KDC Server, Load Balancer Group, Tivoli Access Mgr, XML Manager*, HTTP User Agent*, URL Refresh Policy, URL Map, Compile Options Policy, Schema Exception Map, Matching Rule, Processing Policy, Document Crypto Map, Processing Rule, Processing Action, HTTP Input Conversion Map, XPath Routing Map, URL Rewrite Policy, Duration Monitor, Message Type, Message Match, Count Monitor, Message Filter, Service Level Monitor, Log Target, Log Category, Statistics, Host Alias]
Step 1: Create an XML firewall
1. Select the XML Firewall icon in the DataPower Control Panel
2. Use the Add Wizard button to create the XML firewall configuration objects or to manually define them using the Add Advanced button
3. All configurations can be performed using the Configure an XML firewall page


Step 2: XML firewall configuration (1 of 2)
• Configure the following fields when creating an XML firewall:
1. Provide a unique name for the XML firewall service
2. Choose one of the three connection types:
● Loopback
● Static back-end
● Dynamic back-end
3. Choose an XML Manager to handle XML data within messages
4. Define a document processing policy for request and response messages
5. Decide whether to implement a URL rewrite policy
Step 2: XML firewall configuration (2 of 2)
1. Enter the network location and port of the back-end server
● The WebGUI only provides this field for the Static Backend proxy type
2. Describe the network location and port for clients to access the XML firewall
3. Select the secure sockets layer (SSL) settings for the front and back-end connections
4. Choose the expected message and message attachment types for the front- and back-end connections
Planning for configuration migration
• The idea is to not hardcode external references
– It is easier to migrate from development to test to production
• Define a name to use for configuration definitions
– Elsewhere, assign an IP address to the name
– The name to IP address mapping is unique to each appliance
• Host Alias
– Name the Ethernet interfaces according to their usage
• External access, back-end connection, administration
• Static Host
– Name the servers of the back-end resources



Request/response message processing
• Select the expected message type entering and leaving the service
– Non-XML
• Message is treated as a binary document
– SOAP
• Message is formatted as SOAP and validated against a SOAP schema
– Pass-thru
• Traffic is passed through without execution of the service policy
– XML
• Message is formatted as XML and validated for XML well-formedness



Request/response attachment processing
• Process SOAP message with attachments (SwA)
– Uses MIME to encode attachment inside message

• The following modes are supported for Request/Response Attachments
– Allow: Message with attachment is unaltered and processed by service policy
– Reject: Message with attachment is rejected
– Streaming: Message attachment is streamed
– Strip (default): Attachment is stripped from message and processed by service
policy
– Unprocessed: Attachment in message is allowed and not processed by service
policy



Advanced XML firewall configuration
• The Advanced tab of the XML firewall allows you to configure:
– Access control lists
– HTTP network settings
– Style sheet namespace values
– Firewall credential objects: Restricts the key and certificates to use in an XML
firewall policy

• The Stylesheet Params tab is used to configure the style sheet name-value pairs passed to XSL style sheets in a service policy


Header injection and suppression parameters
• HTTP header injection
– Insert HTTP header fields into the HTTP request
– Header can be inserted into either request or response messages
• HTTP header suppression
– Remove HTTP header fields from the message
– Header can be removed from either the request or response message



Associate monitors to XML firewall
• Monitors are used to measure traffic entering into the service
– Can associate multiple monitors of different types
• Three types of monitors:
– Message count monitors
• Increments a counter every time messages of a particular type pass through a service
– Message duration monitors
• Increments a counter every time a configured amount of time passes during the processing of messages of a particular type
– Service level monitors
• Monitors traffic from a Web services endpoint
• Needs WSDL file
XML threat protection
• Protection against XML-based threats:
– Single message XML denial-of-service (xDoS) protection
• Overrides XML parser limits
– Multiple message XML denial-of-service (MMXDoS) protection
– Protocol threat protection
• Valid HTTP versions
– XML virus (X-virus) protection
• Scans attachments for viruses using the ICAP protocol
– Dictionary attack protection
• Uses a count monitor to track invalid authentication attempts


Step 3: Implement a service policy
• Create (+) or modify (…) a firewall policy for the XML firewall
– Policies can be reused across services
– Each policy has multiple rules
– Each rule has a single Match action and one or many processing actions



Create a Match action
• A Match action specifies the criteria for executing the rule
– The following matching types are supported: URL, Full URL, Host,
Error Code, XPath, and HTTP
– Match type of Error Code is used in error rules to catch specific
DataPower error codes



Processing actions
Action: Description
Filter: Performs an accept or reject on incoming documents
Sign: Attaches a digital signature to a document
Verify: Verifies the digital signature contained in an incoming document
Validate: Performs schema-based validation of XML documents
Encrypt: Performs complete and field-level document encryption
Decrypt: Performs complete and field-level document decryption
Transform: Uses a specified style sheet to perform XSLT processing on XML or non-XML documents
Route: Implements dynamic style sheet-based or XPath-based routing
AAA: Invokes an AAA policy
Results: Sends a message in specific context to an external destination
Advanced: A grouping of lesser-used actions


More processing actions
Action: Description
For-each: Loops through each defined action, either being triggered by an XPath expression or iterating a predetermined number of times
Conditional: Implements programmatic if-then-else processing
Event-sink: Causes processing to wait until specific asynchronous actions complete
Antivirus: Invokes a named, reusable rule that sends messages to a virus scanning server defined as host, port, or URI


Validate action
• Perform schema-based validation of XML documents:
– Validate Document via Attribute Rewrite Rule
• Scans the document for xsi:schemaLocation attribute, applies a URL rewrite policy, and
uses the result to find schemas to apply to the document
– Validate Document via Schema URL
• Specifies a schema URL of an XML schema file
– Validate Document via Schema Attribute (default)
• Documents are validated by using the xsi:schemaLocation attribute in the document to locate an XML schema document
– Validate Document with Encrypted Sections
• Uses a schema exception map object to validate a document with encrypted parts
– Validate Document via WSDL URL
• Uses an XML schema contained in a WSDL document



Transform action
• Use an XSL style sheet to perform XSLT processing on XML documents
– Use XSLT specified in this action
• Identifies the XSL style sheet referenced in the Processing Control File (PCF) field
– Use XSLT specified in XML document processing instructions, if available
• Incoming XML document contains a processing instruction that identifies the XSL
style sheet to use in transformation
– Use XSLT specified in this action on a non-XML message
• XSL style sheet is used on a non-XML message (binary transform)



Filter action
• A Filter action accepts or rejects an incoming message
– Identifies an XSL style sheet used for message filtering
– Does not perform an XSL transformation
• The XSL style sheet uses the <dp:reject> and
<dp:accept> tags to filter messages
• The Filter action is used to prevent SQL injection and virus
attacks
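An added example of such a filter style sheet, written for this page rather than taken from the IBM course materials: it allow-lists the <state> element that the routing example later in this unit keys on, accepting with <dp:accept> and rejecting with <dp:reject>; the element name and the rejection messages are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example filter style sheet (not from the IBM course). Accepts a
     message only when its state element is a two-letter uppercase code. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    extension-element-prefixes="dp"
    exclude-result-prefixes="dp">

  <!-- Allow-list of characters; translate() removes these, so an empty
       result means every character of the value was on the list -->
  <xsl:variable name="upper" select="'ABCDEFGHIJKLMNOPQRSTUVWXYZ'"/>

  <xsl:template match="/">
    <!-- local-name() so the lookup works whether or not the element carries
         a namespace inside a SOAP body; the element name is an assumption -->
    <xsl:variable name="state"
                  select="normalize-space(//*[local-name()='state'][1])"/>
    <xsl:choose>
      <!-- Missing routing key: reject rather than let a later Route action guess -->
      <xsl:when test="not(//*[local-name()='state'])">
        <dp:reject>Missing state element</dp:reject>
      </xsl:when>
      <!-- Exactly two characters, all of them from the allow-list -->
      <xsl:when test="string-length($state) = 2
                      and translate($state, $upper, '') = ''">
        <dp:accept/>
      </xsl:when>
      <!-- Anything else (digits, quotes, overlong input) is rejected;
           the element text is reported as the rejection reason -->
      <xsl:otherwise>
        <dp:reject>Invalid state value</dp:reject>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
```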



Filter action — Replay attack
• Protect against replay attacks using the
Filter Advanced tab.
– Values from messages are cached and
checked on subsequent requests
• Three types are supported:
– WS-Addressing message ID
– WS-Security Username Token nonce
– Custom XPath
• The Replay duration value is the duration
of time to check for potential replays



Content based routing
• Provides the ability to choose a back-end service at run time
based on incoming message content
– The service type must be dynamic back-end
• Example:
– Route requests to different servers based on <state> value
[Figure: DataPower configuration. A client sends requests to the AddressRouter XML firewall; a request containing <state>NC</state> is routed to the EastAddressSearch XML firewall and on to the EastAddressSearch Web service, and a request containing <state>CA</state> is routed to the WestAddressSearch XML firewall and on to the WestAddressSearch Web service]
Route action configuration
• The Route action dynamically routes XML messages using:
– Style sheet (default) — Routes by using a style sheet
– XPath — Routes by using an XPath expression
– Variable — Routes to a specified destination specified in a variable

• Dynamically specify the endpoint host address and port number


Style sheet programming with dynamic routing
• <dp:set-target(host, port, isSSL, sslProxyProfile)/>
– Specify the back-end host, port, and optionally SSL
– Cannot specify the protocol
• <dp:xset-target(XPath, XPath, XPath, sslProxyProfile)/>
– Extended version of <dp:set-target> that evaluates attributes as XPath
expressions
• <dp:url-open(…) />
– Opens a URL connection and places the response in the output named in the
OUTPUT context

<dp:url-open
target="http://example.com:2064/echo" response="xml">
<xsl:copy-of select="." />
</dp:url-open>
• dp:soap-call(url, msg, sslProxyProfile, flags, soapAction, httpHeaders)
– Sends a SOAP message and obtains a response from the call
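An added example that puts <dp:set-target> and <dp:xset-target> together in one routing style sheet for the <state>-based routing example earlier in this unit; it is not code from the IBM course, and the host names, ports and the SSL proxy profile name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example routing style sheet (not from the IBM course) for a Route
     action in style sheet mode on a dynamic back-end XML firewall.
     Host names, ports and the SSL proxy profile name are assumptions. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dp="http://www.datapower.com/extensions"
    extension-element-prefixes="dp"
    exclude-result-prefixes="dp">

  <xsl:template match="/">
    <!-- local-name() so the key is found with or without a namespace -->
    <xsl:variable name="state"
                  select="normalize-space(//*[local-name()='state'][1])"/>
    <xsl:choose>
      <xsl:when test="$state = 'NC'">
        <!-- dp:set-target: host, port and ssl are literal attribute values -->
        <dp:set-target host="east.example.com" port="8080" ssl="false"/>
      </xsl:when>
      <xsl:when test="$state = 'CA'">
        <!-- dp:xset-target: every attribute is evaluated as an XPath
             expression, so the host can come from a variable and the
             SSL proxy profile name must be written as a quoted string -->
        <xsl:variable name="west" select="'west.example.com'"/>
        <dp:xset-target host="$west" port="8443" ssl="true()"
                        sslid="'west-backend-ssl'"/>
      </xsl:when>
      <xsl:otherwise>
        <!-- Fail closed: an unrecognised key never falls through to a default server -->
        <dp:reject>No back end for state value</dp:reject>
      </xsl:otherwise>
    </xsl:choose>
    <!-- The Route action needs only the target; copying the input keeps the
         message intact if the same style sheet is run from a Transform action -->
    <xsl:copy-of select="/"/>
  </xsl:template>
</xsl:stylesheet>
```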
Results action
• The Results action sends the document in the input context to:
– Destination URL
– Output context, if no destination URL is specified

• Results action is typically the last action in rule

• Use the Results action in the middle of the rule to send results
asynchronously
– Select Asynchronous to send results to destination and continue processing in
the rule



Results asynchronous and multi-way results mode
• The Results Asynchronous action acts similarly to the Results action except that it:
– Requires a destination URL
– Does not wait for a response from the remote servers

• When a Results action specifies a list of remote server destinations, it is considered a multi-way Results action
– Three options are given for the list: Attempt All, First Available, Require All
– These options are in the Advanced tab


Exporting XML firewall configuration
• Export a .zip file of the XML firewall configuration
– The saved configuration can be imported on another device
• Allows for a more productive way to manage multiple configurations



Cloning an XML firewall configuration
• Cloning
– Creates a “near-copy” of an existing XML firewall
• Referenced objects such as a service policy are referenced but are not copied
– Allows for an existing configuration to be duplicated and configured with
minor changes



Troubleshooting an XML firewall configuration
• The System log is the first place to start your problem determination exercise
– Select the “magnifying glass” icon to open the System log for entries on the selected
XML firewall

• Logs are arranged in reverse chronological order
– Latest information is at the top


Checkpoint

1. True or False: A service policy uses a validate action to schema validate SOAP messages against the SOAP schema.
2. Explain the differences between a Transform action and a Filter action.
3. What is the purpose of the request or response type of pass-thru in an XML firewall?


Unit summary
Having completed this unit, you should be able to:
• List the features and functions of an XML firewall service
• Configure an XML firewall service on a WebSphere
DataPower SOA Appliance



Checkpoint solutions
1. False. In the Configure XML firewall page, set the request or
response type to SOAP. This setting automatically validates
all messages against the SOAP schema. The SOAP XML
schema file is specified in the Advanced tab of the XML
firewall.

2. A transform action uses an XSL style sheet to transform an XML document. A filter action uses an XML style sheet to either accept or reject an XML message.

3. The request or response type of pass-thru allows traffic to pass through without execution of the service policy. In a loopback-proxy type, the response type is set to pass-thru since a service policy does not execute.
