TRANSCRIPT
XML-Aware Networking
DataPower Technology, Inc.
One Alewife Center
Cambridge, MA 02140
http://www.datapower.com
+1 617 864 0455
Rich Salz, Chief Security Architect
Copyright 2005 DataPower
XML Benefits and Costs
XML Has Many Architectural & Business Benefits
• Dramatically lowering cost & time for EAI / B2B
• Flexible websites and one-source publishing
• Code reuse, easy debugging
• XML is the foundation for web services
• Broadest industry support since HTTP
…But Also Some Real World Drawbacks
• Scalability: XML is bandwidth, CPU and memory intensive
• Performance: some XML apps literally grind to a halt
• Insecure: connecting systems never before connected
• Insecure: clear text over HTTP with no inherent security
• Standards are still in flux
• Financial, technical and organizational challenge
Historical Trend Favors XAN
“Commodity” Processes Migrate to Hardware
XML-aware Network Infrastructure
The Performance, Security and Manageability that you expect from your IP network, for your XML apps
Security and Protocol Layers
Figure: Sender -> HTTP -> Intermediary -> HTTP -> Receiver. Security at the HTTP layer is point-to-point, covering one hop at a time. WS-Security at the XML/SOAP layer (XML DSig, XML Encryption, XML Access Control) is end-to-end, from Sender to Receiver across the Intermediary.
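The end-to-end versus point-to-point distinction in the diagram, as an added example that is not from the original deck or from DataPower: the sender MACs the SOAP Body with a key the intermediary does not hold (HMAC-SHA256 standing in for an XML DSig signature, and a stable ElementTree re-serialisation standing in for canonicalisation), the intermediary rewrites a routing header as it legitimately may, and the receiver detects any change to the Body. The namespace urn:example:orders, the message and the key are constructed assumptions.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "urn:example:orders"  # assumed application namespace, not from the slides
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("m", APP_NS)

# Constructed sample envelope; the MAC key is shared by sender and receiver only,
# not by the intermediary (which merely terminates each HTTP hop).
END_TO_END_KEY = b"constructed-demo-key"
ORIGINAL = (
    f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:m="{APP_NS}">'
    "<soap:Header><m:Route>gateway-a</m:Route></soap:Header>"
    "<soap:Body><m:Order><m:Item>widget</m:Item><m:Qty>5</m:Qty></m:Order></soap:Body>"
    "</soap:Envelope>"
)

def body_bytes(envelope: str) -> bytes:
    """Serialise only the Body: the element protected end-to-end (XML DSig would
    reference it by Id; a deterministic re-serialisation stands in for C14N)."""
    body = ET.fromstring(envelope).find(f"{{{SOAP_NS}}}Body")
    body.tail = None  # drop any text after </Body>; it is not part of the element
    return ET.tostring(body)

def mac_of_body(envelope: str) -> str:
    """HMAC-SHA256 over the Body, a simplified stand-in for an XML Signature."""
    return hmac.new(END_TO_END_KEY, body_bytes(envelope), hashlib.sha256).hexdigest()

def intermediary(envelope: str, tamper_body: bool) -> str:
    """The hop in the middle. It legitimately rewrites the routing Header (a
    point-to-point concern); tamper_body=True models a compromised hop editing
    the payload, which per-hop HTTP/TLS cannot detect at the receiver."""
    root = ET.fromstring(envelope)
    root.find(f"{{{SOAP_NS}}}Header/{{{APP_NS}}}Route").text = "gateway-b"
    if tamper_body:
        root.find(f".//{{{APP_NS}}}Qty").text = "500"
    return ET.tostring(root, encoding="unicode")

def receiver_accepts(envelope: str, signature: str) -> bool:
    """Receiver recomputes the MAC over the Body it got; constant-time compare."""
    return hmac.compare_digest(mac_of_body(envelope), signature)

def deliver(tamper_body: bool) -> bool:
    """Full path sender -> intermediary -> receiver; True when the Body is accepted."""
    signature = mac_of_body(ORIGINAL)
    return receiver_accepts(intermediary(ORIGINAL, tamper_body), signature)
```

The header change passes because only the Body is under the end-to-end signature; a Body change fails even though every HTTP hop was itself intact.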
Measuring XML Performance
• Broad range of XML operations – parse, validate, transform, route, encrypt
• Applications operate on messages, not packets
• Message size varies from 10 bytes to 1+ gigabyte
• XML content complexity varies
• Processing can change message size & content
• PPS or TPS not very useful
• DataPower XSLTMark (2000) – defined throughput as (bytes_in + bytes_out) / 2
• Good: gives useful rule-of-thumb
• Bad: does not account for type of XML processing
Anatomy of XML Security Performance
• Performance is key to security
• Each security function requires XML processing
• Must implement all services without any compromise
• Need ability to scale as content and user base grows
Figure: Processing Steps from an Encrypted & Signed SOAP/XML Transaction to an Approved, decrypted and validated SOAP/XML Transaction: Parsing, Schema Validation, XPath Filtering, XML Decryption, Signature Verification, Schema Validation, XML Transformation, XML Encryption, XML Signing. Each step is charted as a mix of XML Ops and Crypto Ops.
XML Security Performance Analysis
Figure: three bar charts of processing time. "Contribution of XML Processing to Security" splits XML Security Tasks into XML Crypto Tasks and Pure XML Tasks on top of Basic XML Processing. "Impact of Crypto Accel." compares Software with Software w/ Crypto Acceleration, showing XML Proc. and Crypto Proc. separately. "XAN Advantage" compares Software and Software w/ Crypto Acceleration against DataPower, labelled x10.
XML Processors
XML-specific hardware for:
• XPath
• XML Schema
• XML parsing
• Text inspection
Implements Key Standards:
• XML 1.0 & 1.1
• XML Namespaces
• XML Schema
• XPath 1.0
• XSLT 1.0
• PCI-X Interface
• Parallel processing
• Much more power efficient than systems using general-purpose CPUs
Vendor Example: DataPower
XA35 XML Accelerator
• Offload XML processing
• No more hand-optimizing XML
XS40 XML Security Gateway
• Security
• Agility – future-proof
• True network device
XG4 XML-aware subsystems
• First to break XML gigabit barrier
• Highly embeddable OEM solution
• Broad applications
XI50 Integration Appliance
• Application-oriented networking
• Groundbreaking DOP architecture
• Integrated message-level security
XI50 Integration Device