PLoP2004_ndelessygassant0_0.doc

Problem

Some enterprise applications use tunneling into authorized flows (HTTP, SMTP, …) to communicate with the outside. They use higher-level protocols such as SOAP and communicate through XML documents or XML-wrapped remote procedure calls. The XML content of these messages can contain harmful data and can be used to perform attacks against applications. Network firewalls provide infrastructure security but become useless when these high-level protocols and formats are used.

Forces

• Document or remote procedure call formats are subject to change, and new ones may appear (XML dialects); the firewall must adapt easily to these changes.
• New types of harmful data may be used by attackers; the firewall must adapt easily to these new types of attacks.
• There are many ways to filter; we need to separate the filtering code from the application code.
• There may be numerous applications that may require different levels of security.
• New applications may be integrated into the system after the firewall has been put into operation. This integration should not require significant additional costs.
• Network firewalls cannot understand the contents of XML messages or application semantics and do not stop potentially harmful messages.

Solution

Use a firewall that intercepts XML messages and can understand their contents. A client can access a service of an application only if a specific policy authorizes it to do so and if the content of the message is considered to be safe for the application. Policies for each application are centralized in the XML Firewall and are accessed through a PolicyAuthorizationPoint. Each application is accessed by a client through a PolicyEnforcementPoint that enforces access control for the applications. The authorization decision may include authenticating the client through its identity data stored in the IdentityBase. It also includes looking for a matching policy for the request in the PolicyBase and checking the content of the message. First, its structure is validated through a list of valid XML schemas, and the data it conveys is checked through a HarmfulDataDetector.

Class diagram

Figure 7 shows the class diagram for this pattern.
Some of the classes are similar to those of Figure 2. They include an IdentityBase, a collection of the Client identities registered in the system. A PolicyBase stores authorization policies that define the rights of those users. A PolicyAuthorizationPoint collects both identity and authorization information. A PolicyEnforcementPoint performs access control checks. The new classes include the ContentInspector, which checks the content of the XML messages sent from/to the applications.

[Figure 7: Class diagram for the XML Firewall, divided into an Application Level and an Implementation Level. Classes visible in the surviving text: Application, Service (uri, executeService()), Client (id, credentials), PolicyBase, IdentityBase, Identity (id, credentials, roles), Policy (serviceId, role, predicate), PolicyEnforcementPoint (interceptMessage()); associations communicatesThrough and accessService.]
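
The authorization decision described in the Solution, sketched in Python as an added example (not code from the paper). The sample identity and policy, the one-level structure check standing in for XML schema validation, and the two detector signatures are assumptions made for illustration.

```python
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed sample data; every name and value below is an assumption.
IDENTITY_BASE = {"alice": {"credentials": b"s3cret", "roles": {"clerk"}}}
POLICY_BASE = [{"serviceId": "orders", "role": "clerk",
                "predicate": lambda msg: msg.findtext("amount", "").isdigit()}]
# Stand-in for the list of valid XML schemas: root tag -> allowed leaf child tags.
SCHEMAS = {"order": {"item", "amount"}}
# Stand-in HarmfulDataDetector signatures (deliberately minimal).
HARMFUL = [re.compile(p, re.I) for p in (r"<script", r"\.\./")]

def authenticate(client_id, credentials):
    """Look the client up in the IdentityBase; return its roles or None."""
    ident = IDENTITY_BASE.get(client_id)
    if ident and hmac.compare_digest(ident["credentials"], credentials.encode()):
        return ident["roles"]
    return None

def inspect_content(xml_text):
    """ContentInspector: structure check first, then harmful-data check."""
    if "<!DOCTYPE" in xml_text.upper():
        return None, "DTD not allowed"
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, "malformed XML"
    allowed = SCHEMAS.get(root.tag)
    if allowed is None or any(len(c) or c.tag not in allowed for c in root):
        return None, "schema violation"
    values = list(root.itertext()) + [v for e in root.iter() for v in e.attrib.values()]
    if any(sig.search(v) for sig in HARMFUL for v in values):
        return None, "harmful data"
    return root, "ok"

def intercept_message(client_id, credentials, service_id, xml_text):
    """PolicyEnforcementPoint: deny unless every check passes."""
    roles = authenticate(client_id, credentials)
    if roles is None:
        return False, "authentication failed"
    candidates = [p for p in POLICY_BASE
                  if p["serviceId"] == service_id and p["role"] in roles]
    if not candidates:
        return False, "no matching policy"
    root, reason = inspect_content(xml_text)
    if root is None:
        return False, reason
    ok = any(p["predicate"](root) for p in candidates)
    return ok, "authorized" if ok else "policy predicate not satisfied"
```

A production IdentityBase would verify hashed credentials or tokens rather than compare plaintext, and the structure check would be replaced by validation against the real schemas.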