Posts Tagged ‘Security’

Beyond the Simple Proxy: Using a Service Gateway to Secure the Extended Enterprise with Bi-Directional Protocol Handling

Large Enterprises face a constant challenge in balancing technology costs with new business goals. Many enterprises have existing business processes bound up in applications that communicate using ‘legacy’ protocols such as FTP and MQ, which were really designed for behind-the-firewall operation in a trusted network. Given these constraints, what’s the best way for a large Enterprise to extend these applications to external customers and partners without relying on an expensive re-engineering effort or concentrating risk in a single vendor? One option is to use a security gateway such as the Intel® Expressway Service Gateway to centralize security policy deployment, increase performance, reduce development costs, and simplify the architecture. In this post, I will describe a recent customer use case for a service gateway that highlights the value of this class of products.

Secure Multi-Protocol Handling

Recently, a large auto manufacturer chose Intel® Expressway as a key component of their extended enterprise, which included features and capabilities beyond the standard “trust” and “threat” capabilities around XML/SOAP, web services and SOA. This case really shows the value of a service gateway beyond a traditional SOAP proxy: Expressway was used to create a secure façade or veneer for external and internal applications using a mix of protocols, while at the same time providing a centralized point of control across the architecture. In this particular case, secure FTP (SFTP and FTPS), secure SOAP (WS-Security) and secure REST (HTTP/SSL) services were offered externally, and Expressway was used to broker these invocations to various systems across network segments and firewalls over FTP, HTTP, HTTPS, and IBM WebSphere MQ. In addition, the gateway performed X.509 authentication against the Enterprise’s LDAP directory for inbound SSL connections.

Moreover, the service gateway was acting in a bi-directional manner, as a traditional reverse proxy as well as an internal-to-external proxy for internal service calls initiating outbound connections across FTP, MQ, (S)FTP(S), HTTP(S) and SOAP. In the external proxy case, the service gateway was really acting more like a traditional web proxy, but extended to protocols beyond web or HTTP traffic. To get an idea of the scope of this particular deployment, see the following figure.

As the figure shows, the problem is clear: we need a way to build a secure proxy that assumes both client and server roles for both incoming and outgoing requests. That is, in addition to enforcing security policies for inbound requests, the same must be done in the outbound direction as well. This bidirectional deployment also allowed this customer to take advantage of the PKI and certificate management capabilities in the gateway for initiating outbound SSL connections, as well as to hide internal IP addresses from public networks, which was another key consideration. To make this case concrete and show off some of the capabilities of the Intel® Expressway service gateway, let’s define three separate usage models: outbound proxy, inbound FTP server, and inbound proxy.

Secure Outbound Proxy

The outbound proxy model consists of protocols that originate from within the datacenter and target a partner application over the Internet/Extranet. In this case, it was also important that persistent web single login (WSL) cookies were preserved in the HTTP layer. Expressway was deployed to handle the following:
• Internal FTP to SFTP gets and puts
• Internal SOAP calls to SFTP or FTPS gets and puts
• Internal MQ to external SFTP or FTPS gets and puts
• Internal SFTP based on a Timer to MQ or SOAP
• Internal SOAP calls over HTTP to external SOAP using HTTP(S) and WS-Security

Secure Inbound FTP Server

A secure inbound FTP server mediates between FTP over SSH services exposed to the Internet or Extranet and internal MQ, SOAP or plain FTP invocations. In this case, the Expressway service gateway presents itself as an FTP server accessible over both SFTP and FTPS. Expressway was deployed to handle the following:
• External SFTP put to internal MQ
• External SFTP put to internal SOAP
• Inbound FTP proxy that exposes an SFTP interface to an internal FTP server

Secure Inbound Proxy (Reverse Proxy)

The inbound proxy model is the more traditional orientation for a security gateway that protects services and enforces authentication for inbound requests. This model is also referred to as a reverse proxy model, where the service gateway provides a virtual service endpoint to the caller. Expressway was deployed to handle the following:
• Inbound Web Service client over HTTP/HTTPS and WS-Security to internal SOAP services, including pass-through of WSL (Web Single Login) cookies
• SSL/TLS mutual authentication based on X.509 certificate trust processing
• Extended X.509 authentication of additional fields using LDAP directories

Further Thoughts: Considering Alternatives

Given the scope of this particular customer project, a number of different alternatives were also considered, including custom hardware appliances as well as ESB solutions. In both of these cases, the alternatives didn’t end up meeting the specific customer requirements. This customer needed the following:
1. Linear Scalability – The end solution was required to scale without relying on custom hardware appliances. Scalability had to be achieved using standard, off-the-shelf Intel® Multi-Core servers. Further scalability had to be possible without a forklift upgrade of the large number of servers spread throughout the Enterprise.
2. Protocol Flexibility – The solution was required to support secure file transfer protocols, including FTPS and SFTP, in combination with HTTP, SOAP, WS-Security and IBM WebSphere MQ. The middleware solution considered (Microsoft BizTalk) didn’t have this flexibility.
3. TCO / Reduced Development Costs – Anything can be done given enough time and developers. What was needed in this case was a way to lower the project costs, speed the time to market, and lower the overall total cost of ownership over the long run. The service gateway proved itself to be easier to use with a lower cost.

What would you do?

Here is a question to throw out for the comments: if you had a problem like this in your Enterprise, would you consider solving it with a service gateway, ESB, custom hardware appliance, open source or some other solution? How would you keep the costs down and manage scalability and security over time?
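
The inbound proxy model above combines SSL/TLS mutual authentication with extended X.509 authentication of additional certificate fields against an LDAP directory. The following is an added example of that decision step, written for this post; it is not Intel Expressway code or configuration. It takes the peer certificate in the dictionary layout that Python's `ssl.SSLSocket.getpeercert()` returns after a mutual-TLS handshake, checks the issuer and validity window, and then requires the subject's commonName and emailAddress to agree with a directory entry before the request may be brokered to an internal service. The directory (`DIRECTORY`), the trusted issuer name, the service names and the sample certificate are all constructed for the example; a real gateway would replace the dictionary lookup with an LDAP search.

```python
import ssl
import time
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the enterprise LDAP directory, keyed by the
# certificate subject's commonName. In a real gateway this would be an LDAP
# search on the subject DN or on a certificate-mapping attribute.
DIRECTORY = {
    "partner-app-01": {"mail": "ops@partner.example", "status": "active",
                       "allowedServices": {"orders", "invoices"}},
    "partner-app-02": {"mail": "dev@partner.example", "status": "disabled",
                       "allowedServices": {"orders"}},
}

# Assumption for the example: CN of the CA whose client certificates the gateway accepts.
TRUSTED_ISSUER_CN = "Example Partner CA"

# Constructed peer certificate in the dict layout returned by
# ssl.SSLSocket.getpeercert() after a successful mutual-TLS handshake.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Partner Inc"),),
                (("commonName", "partner-app-01"),),
                (("emailAddress", "ops@partner.example"),)),
    "issuer": ((("commonName", "Example Partner CA"),),),
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Dec 31 23:59:59 2012 GMT",
    "serialNumber": "0A1B",
}


@dataclass
class AuthDecision:
    allowed: bool
    principal: Optional[str]
    reason: str


def cert_time(s):
    """Epoch seconds for a validity string in getpeercert()'s 'Mon DD HH:MM:SS YYYY GMT' form."""
    return ssl.cert_time_to_seconds(s)


def rdn_value(name, key):
    """Pull one attribute (e.g. 'commonName') out of getpeercert()'s nested RDN tuples."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def authenticate(peercert, service, directory=DIRECTORY, now=None):
    """Authentication decision for one inbound, mutually authenticated TLS request."""
    now = time.time() if now is None else now
    if not peercert:
        return AuthDecision(False, None, "no client certificate presented")

    # Certificate trust processing: only certificates from the partner CA are accepted.
    issuer_cn = rdn_value(peercert.get("issuer", ()), "commonName")
    if issuer_cn != TRUSTED_ISSUER_CN:
        return AuthDecision(False, None, "untrusted issuer %r" % issuer_cn)

    # Validity window. The TLS stack checks this during the handshake; the gateway
    # repeats it so the decision does not silently depend on the TLS library's settings.
    if not cert_time(peercert["notBefore"]) <= now <= cert_time(peercert["notAfter"]):
        return AuthDecision(False, None, "certificate outside its validity period")

    subject = peercert.get("subject", ())
    cn = rdn_value(subject, "commonName")
    email = rdn_value(subject, "emailAddress")

    # Extended authentication: additional certificate fields are checked against
    # the directory entry, so a valid certificate alone does not grant access.
    entry = directory.get(cn)
    if entry is None:
        return AuthDecision(False, cn, "subject not found in directory")
    if (email or "").lower() != entry["mail"].lower():
        return AuthDecision(False, cn, "certificate emailAddress does not match directory")
    if entry["status"] != "active":
        return AuthDecision(False, cn, "directory account is not active")
    if service not in entry["allowedServices"]:
        return AuthDecision(False, cn, "not entitled to service %r" % service)
    return AuthDecision(True, cn, "authenticated")


if __name__ == "__main__":
    print(authenticate(SAMPLE_PEERCERT, "orders", now=cert_time("Jun  1 00:00:00 2011 GMT")))
```

The point of the directory round trip is that revocation of a partner's access (the `status` field) and entitlement to individual services are controlled centrally in the directory, not by reissuing certificates; a certificate that is still cryptographically valid is refused as soon as the directory entry is disabled.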

BlackBerry maker risks Indian ban – The Guardian

The Guardian: BlackBerry maker Research In Motion (RIM) could be kicked out of India, one of the world's fastest-growing mobile markets, after the government refused to accept 11th-hour security concessions on access to users' emails and messages. …

Related coverage: The Hindu; Business Standard, “Govt wants RIM to give email access”; Wall Street Journal, “India Insists on Access to BlackBerry Corporate Emails”; Livemint, “BlackBerry deadline expires with no action”; Reuters.

RIM Unable To Help India Monitor Corporate Emails

Research In Motion has expressed its inability to aid the Indian government in monitoring corporate mail. The BlackBerry maker had recently provided encryption keys for its Messenger and Internet services to Indian security agencies. The Government fears that the encryption on BlackBerry smartphones will be used by terrorists for carrying out violent, destructive and illegal activities. With several deadlines extended, the last being the end of January 2011, company officials have acknowledged that they cannot provide the intelligence agencies with access to its enterprise email services. The company issued a statement: “We can’t give a solution for enterprise services. It’s not possible to do so, because the keys of that service are with the corporate enterprises and corporate entity that owns the server.” With RIM providing access to its Messenger and Internet service, one will have to wait and watch to see whether the Indian government will extend the deadlines or ban the service in India.

Desktops and Laptops on Life Support?

If you went to or read about the Consumer Electronics Show that happened in Vegas earlier this month, you couldn’t help but be inundated with all the talk about tablets and smartphones. In fact, it was a tablet that won the coveted Best in Show award. I’ve got nothing against them and in fact I’m a user myself. The part that gets my goat is that there are a lot of “experts” greatly exaggerating the death of desktops and laptops at the hands of the smartphones and tablets. If I were a software developer and I took all these expert opinions to heart, I just might be inclined to scrap my development efforts for desktop and laptop software. But that would be a huge mistake. Desktops and laptops are not going away anytime soon.

Tablets and smartphones are platforms that are complementary to the technologies and platforms that I already use. When I go looking at tablets or smartphones, I’m not looking to replace my PC. I’m looking for cool new technologies and form factors to complement my PC. I’m never going to give up my home PC unless the tablets and smartphones have all the same functionality and usability as the PC. And my guess is that it’s going to take quite a while for that to happen, if it even happens at all. And this is just on the personal side. From a business perspective, I’m even more pessimistic about tablets or smartphones having what I need to do my job. As I sit here typing this blog on a laptop, I can’t imagine trying to do the same with a tablet. Oh sure, I could enlist the help of an external keyboard and monitor, but wouldn’t that defeat the portability of the tablet? And what if I wanted to finish up my writing somewhere else? Would I really want to lug around a monitor and keyboard? No thanks – I’ll keep my laptop.

So what does this mean for ISVs and developers? If you’re developing consumer apps, it’s glaringly obvious that you need to port your apps across multiple platforms. The more platforms you can work on, the more likely your app is to be purchased. And that’s really what it’s all about. If I have a laptop, desktop, smartphone and tablet, I’ll want Angry Birds available on them all. If you’re developing business applications, I wouldn’t take my focus off of the desktops and laptops. They are still going to be your bread-and-butter platforms on which your applications are installed for quite some time. Keep your eye on the other platforms and be ready to adapt, but don’t make a major directional change based on a premature obituary. But this is just my humble opinion. What’s yours?

Distribution Release: Mandriva Linux 2010.2

Eugeni Dodonov has announced the release of Mandriva Linux 2010.2: “Welcome the Mandriva 2010.2 release which is coming to a mirror nearby you right now. As announced previously, Mandriva 2010.2 is an incremental update on top of Mandriva 2010.1, incorporating all the security and bug-fix updates since its….

Norton Internet Security

Norton Internet Security is a very useful internet security utility that will protect your computer while you surf online. Norton Internet Security offers comprehensive protection against all types of online threats. This release offers superior performance, improved protection, and features to…

The Intel(r) SCS 7.0 – here is what’s new

The Intel® SCS is getting updated! I wanted to use this blog to highlight some of the changes and to provide a quick cheat-sheet for things that you will need to know when you start using it and then managing your Intel® AMT systems.

New: Host Based Configuration. Now we can locally configure the AMT device via a configuration application running on the AMT client. This is accomplished via an XML configuration profile. The application and profile can be sent to the Intel AMT system(s) in a deployment package and run via a script. (If this isn’t exciting, I don’t know what is!!) Once you have successfully configured your AMT systems, the AMT device will be in one of the following control modes:

Client Control Mode: This is the default mode for host based configuration. When in this mode, you will need to take the following into consideration due to the need to maintain secure operations.
• The System Defense feature is not available.
• User Consent* is required for all redirection operations or changes to the boot process.
• Permission from the Auditor user (if defined) is not required to unconfigure the AMT system.
• Some AMT functions are blocked in order to ensure that untrusted users cannot get control of the Intel AMT system.

Admin Control Mode: All Intel AMT features are available. All non-host based configuration methods will automatically put the Intel AMT 7.0 device in this mode. In this mode you can define which operations require user consent.

*And now you might be wondering what “User Consent” is? This is also a new feature. It shows up when a remote connection to the AMT is established: a message appears on the AMT client containing a code that the user must give to the person who wants to connect to his/her computer. The remote user must type the code into his/her console in order to continue with the remote operation.

New: Unified Configuration Process. This process allows the definition of one deployment package to configure all Intel AMT versions in the network and automatically uses the necessary configuration method for each Intel AMT device. How is this done? This process uses two copies of the same XML profile.
• The first copy is created and stored in the RCS (the Remote Configuration Service). This is necessary for remotely configuring Intel AMT 2.2 to Intel AMT 6.x devices.
• The second copy is exported from the RCS, must be included in the deployment package, and is used by the Configurator to locally configure devices that support host based configuration. This copy also includes information (added during export) about the RCS and the required control mode for the Intel AMT device.
Note that configuration that utilizes the RCS implies “Admin Control Mode” and that configuration that is strictly host based (i.e. no use of the RCS) is by default Client Control Mode.

The arrival of the Intel® SCS 7.0 will be announced on our Manageability and Security Community as soon as it becomes available.
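
To make the control-mode rule and the Client Control Mode restrictions concrete, here is an added example written for this post; it is not Intel SCS code, and the profile element names (`<RCS>`, `<UserConsent>`) and operation names are hypothetical rather than the real SCS profile schema. It reads a constructed XML profile, derives Admin Control Mode when the exported copy carries RCS information and Client Control Mode otherwise, and then decides whether a remote operation may proceed: in Client Control Mode, System Defense is unavailable and redirection or boot changes require the user consent code, while in Admin Control Mode the consent list comes from the profile.

```python
import hmac
import xml.etree.ElementTree as ET
from enum import Enum


class ControlMode(Enum):
    CLIENT = "Client Control Mode"
    ADMIN = "Admin Control Mode"


# Restrictions listed for Client Control Mode: redirection and boot changes need
# user consent, and System Defense is not available at all. Operation names are
# labels chosen for this example.
CONSENT_REQUIRED_IN_CLIENT_MODE = {"kvm_redirection", "ide_redirection",
                                   "serial_redirection", "boot_change"}
UNAVAILABLE_IN_CLIENT_MODE = {"system_defense"}

# Constructed profiles. A strictly host based profile has no RCS information;
# the copy exported from the RCS carries it (hypothetical <RCS> element).
HOST_BASED_PROFILE = """<Profile name="laptops">
  <Network><Hostname source="os"/></Network>
</Profile>"""

EXPORTED_PROFILE = """<Profile name="laptops">
  <Network><Hostname source="os"/></Network>
  <RCS><Address>rcs.corp.example</Address><Port>8089</Port></RCS>
  <UserConsent><Operation>kvm_redirection</Operation></UserConsent>
</Profile>"""


def control_mode_from_profile(profile_xml):
    """Admin Control Mode when the profile references an RCS, otherwise Client Control Mode."""
    root = ET.fromstring(profile_xml)
    rcs = root.find("RCS")
    if rcs is not None and (rcs.findtext("Address") or "").strip():
        return ControlMode.ADMIN
    return ControlMode.CLIENT


def consent_policy(profile_xml):
    """Operations that require the user consent code for a device configured with this profile."""
    if control_mode_from_profile(profile_xml) is ControlMode.CLIENT:
        return CONSENT_REQUIRED_IN_CLIENT_MODE          # fixed by the firmware in this mode
    node = ET.fromstring(profile_xml).find("UserConsent")
    if node is None:
        return set()                                     # administrator chose no consent
    return {op.text.strip() for op in node.findall("Operation") if op.text}


def authorize(profile_xml, operation, code_shown_on_client=None, code_typed_by_operator=None):
    """(allowed, reason) for a remote operation against a device configured with this profile."""
    mode = control_mode_from_profile(profile_xml)
    if mode is ControlMode.CLIENT and operation in UNAVAILABLE_IN_CLIENT_MODE:
        return False, "%s is not available in %s" % (operation, mode.value)
    if operation in consent_policy(profile_xml):
        if not code_shown_on_client or not code_typed_by_operator:
            return False, "user consent required: no code entered"
        # constant-time comparison of the code displayed on the client with the one typed remotely
        if not hmac.compare_digest(code_shown_on_client, code_typed_by_operator):
            return False, "user consent code does not match"
    return True, "permitted in %s" % mode.value


if __name__ == "__main__":
    for profile in (HOST_BASED_PROFILE, EXPORTED_PROFILE):
        print(control_mode_from_profile(profile).value,
              authorize(profile, "system_defense"),
              authorize(profile, "kvm_redirection", "482913", "482913"))
```

Note that the consent code is something the local user reads off the screen and relays to the operator out of band; the check only confirms that the operator obtained it, which is why it is compared rather than derived on the remote side.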

Trusted Computing and the Enterprise Software Ecosystem: Part 7 (of 7)

Part 7: Enterprise Security Applications

While trusted computing represents a significant step forward in ensuring an uncompromised software environment, it should not be understood as a replacement for the many other security applications protecting a user’s platform. The distinction to be noted here is that trusted computing measures the software environment to determine whether it can be trusted. Other security applications, for example antivirus applications, firewalls, and secure web browsers, play a key role in protecting a trusted system from the ongoing threat of malware.

One implication of trusted computing for enterprise security applications is the need for integration. One might imagine, for example, a malware detection application that would initiate a platform measurement after malware is detected and removed, or whenever a set of alert criteria is met but no malware is found. Conversely, a measured launch failure might be followed by launching a special MLE with a remediation application designed to analyze the current compromised state of the failed MLE image, and to fix the problem.

Integration with trusted computing might also take place in the area of access control. For example, single sign-on software applications might include a remote attestation step that examines whether the client endpoint is running a measured launch environment and how recently the most recent measurement took place. Based on this information, it determines whether to issue a ticket or token, and what credential level can be granted. Software services, especially those managing sensitive enterprise data, might likewise be modified to require similar attestation steps to establish a robust notion of client trust before rendering service.

Finally, it might be mentioned that a grand challenge in trusted computing is extending the chain of trust from key OS/VMM kernel modules to application software at every layer. While some work has been done in this area, the goal remains elusive, and a great deal of innovation may be needed to fully achieve the vision of trusted computing at the highest layers of the software stack. For example, software environments may need to be structured differently, the manner in which software is modularized may need to change, or software delivery and launch schemes may need to be rethought.
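
The attestation-gated single sign-on step sketched above, as an added example written for this post (not code from the series or from any particular attestation product): the issuing service receives an attestation report from the endpoint, checks whether a measured launch occurred, whether the MLE measurement is on a known-good list, and how old the measurement is, and from that decides whether to issue a token at all and at what credential level. The report layout, the known-good list, the maximum measurement age, the two credential levels and the HMAC-signed token format are all constructed for the example; a real deployment would take the measurement from a TPM quote and the allow-list from its image build pipeline.

```python
import hashlib
import hmac
import json
import time


def measurement_of(image):
    """Measurement value used in this example: SHA-256 of the (constructed) MLE image bytes."""
    return hashlib.sha256(image).hexdigest()


# Constructed allow-list of known-good MLE measurements -> image label.
KNOWN_GOOD_MEASUREMENTS = {
    measurement_of(b"mle-image-v3"): "mle-v3",
    measurement_of(b"mle-image-v2"): "mle-v2",
}
MAX_MEASUREMENT_AGE = 24 * 3600          # seconds; assumed policy value
FULL, LIMITED = "full", "limited"        # credential levels assumed for the example
SIGNING_KEY = b"constructed-sso-signing-key"  # a real service would keep this in an HSM
TOKEN_LIFETIME = 3600

T0 = 1_300_000_000  # constructed "current time" so the example is deterministic
SAMPLE_REPORTS = {
    "good":       {"measured_launch": True, "mle_measurement": measurement_of(b"mle-image-v3"),
                   "measured_at": T0 - 600},
    "stale":      {"measured_launch": True, "mle_measurement": measurement_of(b"mle-image-v2"),
                   "measured_at": T0 - 3 * 24 * 3600},
    "unknown":    {"measured_launch": True, "mle_measurement": measurement_of(b"tampered-image"),
                   "measured_at": T0 - 600},
    "unmeasured": {"measured_launch": False},
}


def assess_attestation(report, now=None):
    """Map an attestation report to (credential level or None, reason). None means refuse a token."""
    now = time.time() if now is None else now
    if not report.get("measured_launch"):
        # No measured launch at all: the endpoint is unknown rather than known-bad,
        # so it gets a limited credential instead of none.
        return LIMITED, "endpoint did not perform a measured launch"
    label = KNOWN_GOOD_MEASUREMENTS.get(report.get("mle_measurement"))
    if label is None:
        # A measured launch that does not match any known-good image may be a
        # compromised MLE: refuse outright and leave it to remediation.
        return None, "MLE measurement not on the known-good list"
    age = now - report.get("measured_at", 0)
    if age < 0 or age > MAX_MEASUREMENT_AGE:
        return LIMITED, "last measurement too old (%d s); re-measure for full access" % age
    return FULL, "measured launch of %s verified" % label


def issue_token(user, report, now=None):
    """Return an HMAC-signed token carrying the granted credential level, or None if refused."""
    now = time.time() if now is None else now
    level, _reason = assess_attestation(report, now)
    if level is None:
        return None
    payload = json.dumps({"sub": user, "level": level, "iat": int(now),
                          "exp": int(now) + TOKEN_LIFETIME}, sort_keys=True)
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_token(token, now=None):
    """Claims from a token whose signature checks and which has not expired, else None."""
    now = time.time() if now is None else now
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    return claims if now < claims["exp"] else None


if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        print(name, assess_attestation(report, now=T0))
```

The separation between "unmeasured" (limited credential) and "measured but unknown" (no credential) is a policy choice made for the example; it reflects the distinction the post draws between a platform that simply has not been measured and a measured launch that failed to produce a trusted result.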

Distribution Release: BackTrack 4 R2

Offensive Security has announced the release of the second respin of BackTrack 4, an Ubuntu-based distribution featuring a collection of security tools for digital forensics and penetration testing: “Yes, the time has come again — for a new kernel, and a new release of BackTrack. Code-named ‘Nemesis’, this….

Blackberry May Continue Its Services In India.

RIM is confident of convincing the Indian Government to allow its services to continue. Canada’s Research In Motion is confident that its service in India won’t be terminated. The BlackBerry maker was threatened with a ban on its services if it didn’t co-operate with government officials. RIM has assured the government that it will provide the final solution for lawful interception of BlackBerry Messenger services by January 31, 2011. Meanwhile, according to the Economic Times, Minister of State for Home Ajay Maken, in a reply to a query in the Rajya Sabha, stated that “With respect to security solutions for the Blackberry Enterprises Services, mutual consultations are on between the RIM and the government and as such more time is required to achieve a closure.” RIM was asked by the Indian Government to provide access to its service, keeping in mind the security concerns of the country. The company, which was given plenty of deadlines to comply with the government directive, is in consultation with the government to allow lawful access to its data. The company will have to provide a solution by the end of January which is satisfactory to the Indian government or face a ban of its services in India.