IBM DataPower Handbook Second Edition
Volume V: DataPower Security Hardening
Bill Hines
Terrill Kramer
Derek Doerr
Len McWilliams
Wild Lake Press
Also available! Volumes on DataPower Intro/Setup, Networking, Development, and B2B/File Transfer.
IBM DataPower Appliance Handbook
Second Edition, Volume V: DataPower Security Hardening
The authors have taken care in the preparation of this book, but make no express or implied warranty of any kind and assume no responsibility for errors and omissions. No liability is assumed for incidental or consequential damages with or arising out of the use of the information or programs contained herein.
Note to U.S. Government Users: Documentation related to restricted right. Use, duplication, or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corporation.
Copyright © 2016 Wild Lake Press
All rights reserved. No part of this book may be reproduced in any form by any means without the express permission of the authors. This includes reprints, screen prints, excerpts, photocopying, recording, or any future means of reproducing text.
The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both: IBM, the IBM logo, IBM Press, CICS, Cloudscape, DataPower, DataPower device, DB2, developerWorks, DFS, Domino, Encina, IMS, iSeries, NetView, Rational, Redbooks, Tivoli, Tivoli Enterprise, and WebSphere. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. VMWare is a registered trademark or trademark of VMWare, Inc. in the United States and/or other jurisdictions. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.
Version 1.0
ISBN: 0997219637
ISBN-13: 978-0997219630
Wild Lake Press
Lake Hopatcong, NJ, USA
www.wildlakepress.com
[email protected]/corrections to errata@wildlakepress.com and include the book title and page. Code listings, images, and other resources in this book can be downloaded from http://wildlakepress.com/books/15-information-technology/18-datapower-handbook-resources. There is a discussion forum for all DataPower Handbooks at http://wildlakepress.com/kunena/datapower-books
To my brave and beautiful late sister Donna, to my mother Carol, who encouraged me to learn, read, and write; to my wonderful, beautiful wife Lori who inspires me and makes me laugh when I need it most; to my children Jennifer, Brittany, and Derek, my beautiful grandchildren, and my step-daughters Loriana and Marie; to my sister Patty, and the rest of my extended family, who are always there for me; and last but not least, in memory of my beloved father. —Bill Hines
To Mary for being my confidant, my part time psychologist, and my love; to my wonderful children Zach and Aislinn whom I am so proud of; to my mom and my extended family whom I do not see enough but are in my thoughts; and to all the people that I have been lucky enough to have cross my path and enrich my life. —Terrill Kramer
To my amazing and loving wife Maura for always supporting me and encouraging me to follow my passions; to my parents who gave me my start and still can’t quite figure out what I do for a living; to my children Kathleen, Maureen, Bridgette and Phillip; to my grandchildren (all seven of them as of now!) to my extended family; and finally, to all of the brilliant and dedicated professionals with whom I’ve had the honor of working with and learning from. —Derek Doerr
To my mother, who when I said I couldn’t do my spelling homework because my book was at school, made me walk back and get it. And to HaShem’s gifts to my life: my wife, four children, and eight grandchildren. —Len McWilliams
Contents
Preface
Chapter 1 DataPower Inherently Hardened Features
1.1 Role-Based Administration
Auditing Preamble
1.2 Auditing Account Creation and Modification
1.3 Auditing Administrative Commands
1.4 Prohibiting Unnecessary/Unused Ports, Services, and Protocols
1.5 Encrypted Protocols for Administrative Access
1.6 Admin Authentication Replay Protection
1.7 Password Protection
1.8 Validating PKI Admin Authentication
1.9 Authentication Feedback Should Be Obscured
1.10 Terminate Non-Local Administrative Connections
1.11 Administrative Session Identifiers Should Be Deleted
1.12 Protecting Data at Rest
1.13 Error Messages and Logs Should Only Be Visible to Authorized Users
1.14 Only Privileged Users Should Execute Admin Functions
1.15 Audit Record Timestamp Granularity
1.16 Installation of Software Modules
1.17 Temporary Passwords
1.18 Denial of Service Attacks
1.19 Audit of Administrative Actions
1.20 Configuration Changes Should Be Immediate
1.21 Unnecessary Functions Should Not Be Enabled
1.22 Secure Failure
1.23 Physical Security
1.24 Secure Administrative Protocols
Summary
Chapter 2 Appliance Administrative Hardening
2.1 User Interface Idle Timeouts and Cached Admin Credentials
2.2 Encrypting Administrative Protocols
2.3 Off-load System Audit Records
2.4 Send Immediate Threat Alarms
2.5 Configure SNMP Trap Events for Account Enabling Actions
2.6 Selective, Targeted Auditing
2.7 External Admin Authenticators
2.8 Secure Backups
2.9 Crypto Keys and Certificates
2.10 Audit Account Enabling Actions
2.11 Alert Audit Record Storage Critically Low
2.12 Generate Alerts for Audit Failure Events
2.13 Configure NTP Service
2.14 Configure the Desired Timestamp Format
2.15 Generate an Alert if Appliance Configurations Are Changed
2.16 Protecting Audit Information
2.17 Password Policy
2.18 NIST SP 800-131a and FIPS 140-2 Compliance
2.19 PKI Certificate Authentication for Admin Users
2.20 Configure Multifactor Authentication for Network Access to Non-Privileged Accounts
2.21 Enforcing Administrative User Privileges
2.22 Customizing Login and Logout Messages
2.23 Capturing System Event Data with Log Targets
2.24 Restricting Access to a Specific Log Target
2.25 Notifications for Logging Failure
2.26 Configuring Off-Appliance Logging
2.27 Controlling the Default Domain
Summary
Chapter 3 Message-Level Hardening
3.1 Validate Inbound Data
3.2 Use Strong Crypto for Message Traffic
3.3 Secure Logging for Transactions
3.4 Configure Individual and Group Authentication Methods
3.5 Multifactor Authentication for Network Access to Protected Resources
3.6 Configure Replay-Resistant Mutual SSL/TLS
3.7 Define Crypto Validation Credentials and Certificate Revocation Policy
3.8 Configure PKI-Based Credential Mapping for Message-level Authentication and Authorization
3.9 Configure Device Failure Notification Functions
3.10 SQL Injection Protection
3.11 Denial of Service (DoS) Attack Mediation
3.12 Virus Scanning
3.13 Viewing User Activity Log
3.14 FICAM-Issued Profile Support
3.15 Access Control Lists
3.16 Using Filter Actions to Prevent Replay Attacks
3.17 Caching User Authentication and Authorization Results
3.18 Configuring Transport Layer Security Consistent with NIST SP 800-52
3.19 Securely Transmit Authentication Information
3.20 Server Name Indication (SNI) Profiles
3.21 Configure XML and JSON Threat Protection
Summary
Appendix A: DataPower Resources
DataPower Resources
Acknowledgements
The Author Team:
Bill Hines:
Terrill Kramer:
Derek Doerr:
Len McWilliams:
About the Authors
Bill Hines
Terrill Kramer
Derek Doerr
Len McWilliams
Afterword
Afterword by Eugene Kuznetsov
Afterword by Jerry Cuomo
Afterword by Kyle Brown
Preface
It is with great pleasure that I introduce the security hardening volume in our series of handbooks on the IBM DataPower Gateway (IDG). We published Volume I of this series, “DataPower Intro & Setup,” in October of 2014, then updated it in June 2015 for firmware version 7.2 and added a valuable new chapter on common use cases and deployment scenarios. We published Volume II, “DataPower Networking,” in June 2015; Volume IV, “DataPower B2B and File Transfer,” in December 2015; and Volume III, “DataPower Development,” in January 2016. Our concept has been to split the original, monolithic first-edition DataPower Handbook into separate, more easily consumable volumes that are more manageable in size, and so that customers could purchase only the topics they are interested in.
Much of my career at IBM has been spent in the security space, in terms of my technology focus. I have also spent most of my career working in IBM’s US Federal government organization and with clients in the financial services/banking sector. Both of those groups of clients take security very seriously. That is why, when I first learned about the DataPower acquisition back in 2005, I was very excited to see the hardened aspect and security features of those products. However, even great security products can be compromised by misconfiguration. DataPower provides the tools, but it takes tools in the hands of skilled craftsmen/women to create successful implementations.
The security space and preventing cyber-attacks is always an arms race between the good guys and the bad guys. In the book Dark Territory - The Secret History of Cyber War by Fred Kaplan, the author refers to a 2013 report commissioned by the federal government (Defense Science task force):
“With present capabilities and technology,” the report stated, “it is not possible to defend with confidence against the most sophisticated cyber attacks.” Great Wall defenses could be leapt over or maneuvered around. Instead, the report concluded, cybersecurity teams, civilian and military, should focus on detection and resilience—designing systems that could spot an attack early on and repair the damage swiftly.
As such, good security must be a combination of prevention, detection, and response. Security practitioners must be informed about all manner of potential attacks and update their knowledge as frequently as virus scanners have to update their profiles, or sooner. Another great set of resources are the books and blog by Bruce Schneier, who is now an IBMer. His book Secrets and Lies: Digital Security in a Networked World is a security classic.
This volume is not an update of material from the first edition. It is new material that springs from a requirement from the US Department of Defense’s IT arm, called the Defense Information Systems Agency (DISA). The requirement states that any product sold or deployed into the US Department of Defense data centers must have an approved Secure Technical Implementation Guide (STIG). The STIG is essentially a security hardening guide—instructions on how to harden a platform to military specifications. Approved STIGs are published at http://iase.disa.mil/stigs/Pages/index.aspx. There are similar hardening guides (called benchmarks) at The Center for Internet Security (CIS) at https://www.cisecurity.org/ and other websites.
In order to be competitive in selling products to the US government, IBM needed to create a STIG that showed how to harden the product to these stringent military criteria. The team who put this book together accomplished that, working over much of 2015. We decided to take that information (which is publicly available at http://iase.disa.mil/stigs/net_perimeter/network-infrastructure/Pages/other.aspx) along with a great deal of hardening information and experience from our many years as DataPower technical practitioners to create this volume. In that sense, this volume is a guide to hardening your DataPower appliance to military specifications.
We actually created two STIGs. One is the Network Device Management (NDM) STIG, which focuses on hardening the appliance and administrative interfaces. The second STIG is Application Layer Gateway (ALG), which focuses on hardening message-level traffic moving through the appliance. We will structure this volume into two chapters to correspond to those categories, plus a chapter on the criteria that DataPower inherently met (no configuration necessary).
This volume is meant to be a guide for those who are already experienced DataPower administrators. To gain experience, see the other volumes in this series and the resources in Appendix A of this book. Because we assume that the reader is already familiar with DataPower concepts and configuration, we took the approach of being concise in listing the hardening steps, and will point to outside sources for more detail when necessary. We will not drill down into details such as configuring and setting up external servers (LDAP, SNMP, etc.) but rather provide high-level tips on testing each configuration item.
When we worked on the STIGs, we were happy that DataPower already met many of the criteria “out of the box.” As those items require no configuration, there are no steps to complete. We provide a summary of them for your awareness in Chapter 1, “DataPower Inherently Hardened Features.” This book is based on firmware version 7.2.0.1. As v7.5 is newly released, we did not want to base the book on it, as it is unlikely to be already running in customer infrastructures. However, several features in 7.5 will be interesting to security administrators. A few examples are additional support for Elliptic Curve Digital Signature Algorithm (ECDSA), and network Hardware Storage Module (HSM) support for crypto material.
The vast majority of these steps apply to both physical and virtual DataPower appliances. Two big exceptions are that the physical appliances offer intrusion detection (the ability to be notified or disable the appliance if someone removes the cover) and an optional internal HSM to store keys and certificates. Many customers do their development and testing on the virtual appliances, but only trust the physical appliances for their production infrastructure, although both are suitable. It depends on your level of security requirements.
As always, all of this must be done within the rules of your own organization’s IT security team, who should be consulted about any security changes. Security can only be achieved with constant, thorough testing and validation, and as such it is an ongoing process, not a one-time series of steps to take.
—Bill Hines, July 2016
Chapter 1 DataPower Inherently Hardened Features
Let’s start the volume out with the easy part—the security requirements that DataPower meets right out of the box. You don’t have to do a thing for these, and for the most part, you can’t turn them off. There’s nothing to screw up!
1.1 Role-Based Administration
Platforms intending to become secure participants in an enterprise network should provide a role-based administration capability. This includes creation of administrative user accounts, and some sort of role and/or group hierarchy that allows the definition of fine-grained privileges. There is typically a need for super-users/root-admins, and read-only users for troubleshooting or monitoring tasks. Ideally, the validity of these users and groups, and their associated privileges, should be validated by an external repository, such as LDAP or RADIUS.
These functions and roles must support the organization’s security policies and be capable of reflecting the roles that the organization may have already defined internally.
In DataPower, care must be taken to create secondary administrative accounts that ensure recovery from events such as a loss of connectivity to the external repository or the loss of the primary administrator’s password. Instructions for these preventive tasks are included in this volume.
Also note that while DataPower employs many inherent security capabilities, these can be weakened or compromised by ignoring basic security concepts such as not requiring and enforcing a strong password policy. DataPower’s inherent security footprint can also be decreased by “mundane” oversights such as a failure to train admin and support personnel in the detection of social hacking techniques and phishing-type attacks (where someone is tricked into disclosing their password).
Auditing Preamble
Security systems need to have the ability to create alert and audit records. These are useful both in forensic post-mortem analysis and as part of regular security audits. These logs should be securely copied off-device as a measure of safety. We’ll show you how later in this volume.
The code modules that handle audit capabilities should initiate as soon as possible on system startup, and it should not be possible to disable them. If there is any failure of the audit subsystem, due to such things as running out of storage space or hardware failure, an immediate administrative alert should go out and the system should shut down as gracefully as possible.
It should not be possible to tamper with or modify audit logs. They should be difficult to access, should be written to encrypted storage, and should be, themselves, encrypted and signed, particularly when moving off-platform.
The log entries should be properly date- and time-stamped, with source identities and other meta information such as client IP addresses. As we note later, reliance on insecure external NTP servers can affect the reliability of this information and help hackers hide their tracks. Multiple DataPower devices should ensure that their clocks are all set and synchronized properly in order to facilitate multi-device log correlation.
1.2 Auditing Account Creation and Modification
If hackers are able to gain access to a platform, typically they will first attempt to create an administrative account for themselves in order to make subsequent access easier. In addition, someone may take the opportunity to modify their existing account (or someone else’s), elevating it to higher privilege. This also includes disabling and removing accounts.
If any of these account changes occur, it is imperative that the proper personnel be notified. DataPower always logs these types of activities into its system log. An additional measure, as shown in this volume, would be to set up some type of alert, such as sending an SNMP trap or other immediate administrative notification that an event of concern has occurred.
1.3 Auditing Administrative Commands
It is essential, for forensic and security audit purposes, to keep a log of administrative commands that have been executed, along with other contextual information such as the authenticated user who executed them, source IP, etc. DataPower does full-text logging of all CLI commands in the temp:///cli-log file of the default domain.
Note that the on-box temp:///cli-log is circular—it will be overwritten when its allocated space is full. Therefore, these critical audit logs should be maintained off-box using external logging targets, as described in Section 2.3, “Off-load System Audit Records.”
1.4 Prohibiting Unnecessary/Unused Ports, Services, and Protocols
A common entryway for hackers is through ports left open and unsecured. Systems should not enable these by default. For example, non-secure services like telnet are often left open and represent a welcome mat to intruders.
DataPower has all ports, protocols, and administrative services shut down by default, and these can only be enabled by administrative choice.
1.5 Encrypted Protocols for Administrative Access
Allowing administrative access via an unencrypted protocol should never be permitted; this leaves sensitive administrative traffic exposed to network sniffing.
DataPower’s WebGUI/browser and SOAP administrative entry points use TLS by default. SSH uses a customized variant of OpenSSH. These cannot be disabled.
1.6 Admin Authentication Replay Protection
Systems should not allow for replay of authentication attempts—for example, the capture/recording and replay of a login. This can be defeated by using nonces (random numbers generated for one-time use), challenges, one-time authenticators, and two-step authentication.
DataPower uses the TLS protocol for WebGUI login and SSH for CLI login, which prevents replay attacks via the use of Message Authentication Codes (MAC).
1.7 Password Protection
For those with dishonest intentions, discovering passwords is like finding the keys to a warehouse full of gold, as it provides easy access to systems. Systems often store a hash of the password that is compared to a hash of what the client has entered, thus ensuring the integrity of the password and eliminating the need for passwords to be stored and transmitted unsecurely to trusted parties. If passwords must be stored, this should be done in a secure fashion—over secure protocols and onto encrypted media.
When DataPower stores passwords, they are stored on the encrypted flash file system, and as such, are not viewable or retrievable by any means other than their intended purpose. If passwords need to be transmitted, it’s always done securely.
1.8 Validating PKI Admin Authentication
It is common to use certificate-based authentication for administrative access. The certificate metadata is checked to ensure it is not expired, and that a trusted authority has issued it. However, a common shortcoming of PKI is that systems often do not check to see if the certificate has been invalidated prior to its normal expiration date. Trust paths must ultimately navigate to a trusted authority.
DataPower does full X.509 certificate path checking and validation, and allows for the use of Online Certificate Status Protocol (OCSP) for intermediate revocation checking, in addition to Certificate Revocation Lists (CRLs). These features must be configured on the appliance by the proper personnel.
1.9 Authentication Feedback Should Be Obscured
This is kind of a no-brainer, as we all expect to see things like asterisks when entering passwords. However, other things should be obscured as well, such as “too much” error information. Reporting that the external user repository is down could be enough knowledge for a hacker to find another way in. If the login is incorrect, simply state that the user ID or password is incorrect, but do not say which of the two failed.
DataPower, as a fully hardened platform, implements all of these measures out of the box.
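The two failure modes the section names (a repository outage and a wrong user ID versus a wrong password) are shown below in a verbose login routine beside an obscured one. This is an added illustration in Python, not code from the Handbook or from DataPower; the user store, the repository-down condition and the audit sink are constructed stand-ins.

```python
"""Authentication feedback: verbose (leaky) beside obscured (hardened).

Added example, not DataPower code. USERS, RepositoryDown and the audit list
are constructed stand-ins for an external repository and a log target.
"""
import hashlib
import hmac

# Constructed store: salted PBKDF2 hashes, never plaintext passwords.
_SALT = b"constructed-demo-salt"  # a real store uses a random salt per user


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"alice": _hash("correct horse battery")}

GENERIC_FAILURE = "Login failed: user ID or password is incorrect."


class RepositoryDown(Exception):
    """Raised by the constructed store when the external repository is unreachable."""


def lookup(user: str, repo_up: bool = True):
    """Return the stored hash, None for an unknown user, or raise RepositoryDown."""
    if not repo_up:
        raise RepositoryDown("LDAP repository unreachable")
    return USERS.get(user)


def login_verbose(user: str, password: str, repo_up: bool = True):
    """Anti-pattern: every failure branch tells the client something different."""
    try:
        stored = lookup(user, repo_up)
    except RepositoryDown as exc:
        return False, f"Authentication service unavailable: {exc}"
    if stored is None:
        return False, f"Unknown user ID '{user}'"
    if not hmac.compare_digest(stored, _hash(password)):
        return False, "Incorrect password"
    return True, "Welcome"


def login_obscured(user: str, password: str, repo_up: bool = True, audit=None):
    """Hardened: one message reaches the client; the detail goes to the audit log only."""
    audit = audit if audit is not None else []
    try:
        stored = lookup(user, repo_up)
    except RepositoryDown as exc:
        audit.append(f"auth-error user={user} reason=repository-down detail={exc}")
        return False, GENERIC_FAILURE
    # Hash even for unknown users so response time does not reveal whether the ID exists.
    candidate = _hash(password)
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    if not ok:
        reason = "unknown-user" if stored is None else "bad-password"
        audit.append(f"auth-fail user={user} reason={reason}")
        return False, GENERIC_FAILURE
    audit.append(f"auth-ok user={user}")
    return True, "Welcome"


if __name__ == "__main__":
    for fn in (login_verbose, login_obscured):
        print(fn.__name__, fn("bob", "x")[1], "|", fn("alice", "x")[1], "|", fn("alice", "x", repo_up=False)[1])
```

The verbose variant prints three distinguishable messages; the obscured one prints the same sentence three times while its audit list still records the precise cause.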
1.10 Terminate Non-Local Administrative Connections
Remote administrative connections are prime turf for attackers if they are left open. They should be subject to reasonable inactivity timeout values, and these connections dropped after admin sessions are completed. These types of connections should be subject to frequent audit, as administrators typically do not want to be subject to re-authentication and will relax these settings.
DataPower avoids this vulnerability by default. For example, when enabling the WebGUI for browser-based administration, the default timeout value is 600 seconds (five minutes). However, be advised that this can be changed to zero in order to disable the timer, which is not recommended as this eliminates the timeout capability. The command-line (CLI) administrative interface will not time out by default, and must be configured, as shown in Section 2.1, “User Interface Idle Timeouts and Cached Admin Credentials.”
1.11 Administrative Session Identifiers Should Be Deleted
Web browsers typically use session identifiers to point to back-end session information, so that sessions can be continued without losing information if the connection is broken and then reconnected. While this is convenient, it also makes systems susceptible to replay attacks.
Session identification tokens should be unique and temporary. They should not be easy for attackers to guess (e.g., a user ID).
DataPower generates unique session identifiers. The session information is deleted and the identifier is no longer valid after administration sessions have disconnected.
1.12 Protecting Data at Rest
In addition to capturing sensitive data flowing across the network, another common way for hackers to obtain sensitive data is from storage. If the system is compromised, and flash or hard drives are accessible, this is a danger unless the file systems are encrypted. Also, consider that when systems are discarded, or shipped somewhere for maintenance, these storage systems could be removed and analyzed.
DataPower’s flash file system features encryption by default for sensitive directories, such as those that hold PKI keys and certificates. This includes the local, store, logstore, cert, pubcert, sharedcert, chkpoints, config, and tasktemplates directories as well as the audit log and persisted internal firmware files. Auxiliary storage, such as the RAID hard drives on physical appliances, can be encrypted as part of the initialization process. For more information, see https://ibm.biz/BdXQCX and https://ibm.biz/BdXRSw.
1.13 Error Messages and Logs Should Only Be Visible to Authorized Users
Error messages and logs typically contain a wealth of information about systems and ways to compromise them. Logs should be visible only to approved persons.
Error messages and system logs are protected by DataPower’s fine-grained role-based management system; privileges can be assigned as needed by administrators, and the system will enforce access. Since DataPower is not meant to be a persistent storage appliance, these log files can be moved off the appliance to more permanent storage as outlined in Section 2.3, “Off-load System Audit Records.”
1.14 Only Privileged Users Should Execute Admin Functions
If non-privileged users can get access to execute privileged commands, such as account creation, log viewing, or key management, they can gain access to systems and sensitive information. An example might be to create a privileged account, which would then allow much greater access than originally intended, potentially creating a security gap.
Via the use of a fine-grained role-based management system, DataPower can let administrators apply the concept of “least privilege,” effectively locking down user access to only necessary functions. Role-based accounts, users, and groups should also be audited frequently.
1.15 Audit Record Timestamp Granularity
Log record timestamps are crucial to piece together the sequences of events that have led to a problem. Sometimes the log records from multiple devices must be correlated for meaningful analysis. If all of the systems are not in sync with their date/time settings, or the system has a discrepancy of more than a second, or logs do not report timestamps with sub-second granularity, this can become very difficult.
DataPower timestamps are recorded with millisecond granularity. System clocks on clustered DataPower appliances should always be synced, and this is often accomplished by pointing systems to well-known, secure NTP servers. Be aware that using a non-secure NTP server, such as the Internet-based ones, could open systems up to certain types of attack.
By default, the DataPower appliance records time stamps for audit records in Coordinated Universal Time (UTC). For example, March 30, 2015 followed by the number of milliseconds since January 1, 1970 would translate to 20150330T072434.296Z.
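To show why millisecond granularity and a shared UTC clock matter when correlating audit records across appliances (Section 1.15), and to flag the account-change events Section 1.2 says should raise an alert, here is an added Python example. It is not code from the Handbook or from IBM: only the timestamp form 20150330T072434.296Z comes from the page; the record layout (timestamp, device, event, key=value fields) and the sample lines are constructed and do not reproduce any real DataPower log target format.

```python
"""Merge and scan constructed DataPower-style audit records from two appliances.

Added example, not Handbook or IBM code. The timestamp shape is the one quoted
in Section 1.15; the `<timestamp> <device> <event> key=value...` layout and the
sample records are constructed for the demonstration.
"""
import re
from datetime import datetime, timezone

# Constructed records from appliances dp-a and dp-b, written in arrival order
# (not time order) to mimic two log streams collected off-box.
SAMPLE_RECORDS = """\
20150330T072434.296Z dp-a user-add name=svc-backup by=admin src=10.0.0.5
20150330T072435.101Z dp-b login-ok user=alice src=10.0.0.9
20150330T072435.087Z dp-a user-modify name=alice privilege=privileged by=admin src=10.0.0.5
20150330T072440.500Z dp-b user-delete name=jsmith by=alice src=10.0.0.9
20150330T072441.020Z dp-a login-fail src=10.0.0.77
"""

# Account lifecycle events Section 1.2 says must reach the proper personnel.
ACCOUNT_EVENTS = {"user-add", "user-modify", "user-delete", "user-enable", "user-disable"}

_RECORD_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_timestamp(stamp: str) -> datetime:
    """Parse the compact ISO 8601 UTC form (YYYYMMDDThhmmss.mmmZ) to an aware datetime."""
    if not stamp.endswith("Z"):
        raise ValueError(f"expected a UTC 'Z' suffix, got {stamp!r}")
    # %f accepts the three-digit millisecond field and stores it as microseconds.
    return datetime.strptime(stamp, "%Y%m%dT%H%M%S.%fZ").replace(tzinfo=timezone.utc)


def parse_record(line: str) -> dict:
    """Split one constructed record into timestamp, device, event and key=value fields."""
    m = _RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    stamp, device, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": parse_timestamp(stamp), "device": device, "event": event, "fields": fields}


def merged_timeline(text: str) -> list:
    """Order records from every device on their UTC timestamps (stable on exact ties)."""
    records = [parse_record(ln) for ln in text.splitlines() if ln.strip()]
    return sorted(records, key=lambda r: r["ts"])


def account_alerts(text: str) -> list:
    """Return (iso timestamp, device, event, account, actor) for each account change."""
    alerts = []
    for r in merged_timeline(text):
        if r["event"] in ACCOUNT_EVENTS:
            f = r["fields"]
            alerts.append((r["ts"].isoformat(), r["device"], r["event"], f.get("name"), f.get("by")))
    return alerts


if __name__ == "__main__":
    for r in merged_timeline(SAMPLE_RECORDS):
        print(r["ts"].isoformat(), r["device"], r["event"], r["fields"])
    print("alerts:", account_alerts(SAMPLE_RECORDS))
```

Note that dp-a’s privilege change at .087 sorts before dp-b’s login at .101 even though it arrived later; with one-second granularity the two would tie and the order could not be recovered.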
1.16 Installation of Software Modules
Systems often can be compromised by the installation of software modules, such as those that provide additional capability, or fix packs and updates that contain rogue code. This malicious code inside of these modules may not be detected during installation, with the unfortunate consequence of sending important information across the network to those not intended to see it. Malicious code can contain time-bombs or system hijack capabilities that can take production systems offline without warning.
Diagnostic or analytical software additions are also often prone to exposing sensitive data to unauthorized parties. Only approved administrators should be permitted to use these on a system, and the tools should be carefully vetted.
As a closed and hardened system, DataPower does not allow the installation of outside software. Only IBM firmware modules, firmware fixes and updates may be installed. All IBM software modules are signed and encrypted to prevent any outside tampering, and as such they are safe from these kinds of attacks. No outside diagnostic tools or software can be installed on the appliances.
1.17 Temporary Passwords
Systems that allow temporary passwords must enforce that they be changed immediately upon the first login. Temporary or default system passwords for a product are typically well-known and an easy way for hackers to access systems.
DataPower ships with only one default administrative account, which has a default password. The system cannot be initialized or used without immediately changing this to an acceptable password. If an administrator creates a new admin account for another user, the user is forced to change it upon their first login.
1.18 Denial of Service Attacks
Despite all of the internal protections against system compromise, the most typical form of attack is external—over a network. Denial of Service (DoS) attacks are attempts to flood a system with so much network traffic that it becomes overwhelmed. The consequence of this type of attack is the over-utilization of system resources, causing a reboot of the system. Another consequence of this type of attack is that the system is so busy sorting out malicious traffic that legitimate traffic can’t be processed in a timely fashion.
DataPower has built-in protection against denial of service attacks. This can be fine-tuned, as shown in Section 3.11, “Denial of Service (DoS) Attack Mediation.” Organizations that are subject to legitimate high traffic rates, such as retailers during a peak holiday season, should pay attention to these settings and test carefully, so that in those cases, legitimate traffic is not turned away.
1.19 Audit of Administrative Actions
All administrative actions, such as account creation/deletion/modification and other activities that alter the system, should be logged. Administrator login and logout should be logged, along with the user ID and source IP address. It should not be possible to alter or delete these log records.
DataPower logs all activity, along with essential metadata such as date/time stamps. By default, these log records cannot be deleted or modified, and this setting cannot be changed. The source IP addresses and user IDs will be included in log records.
See Section 2.10, “Audit Account Enabling Actions,” for an example of how to configure this capability.
1.20 Configuration Changes Should Be Immediate
Changes made to the configuration should be implemented immediately for all running components. Detected problems can be fixed immediately without requiring a system shutdown or other service interruption.
Changes made to DataPower configuration via administrative interfaces are immediately saved in flash memory. These changes should be persisted by saving the configuration (by using the Save Configuration link on the WebGUI, and “write memory” in the CLI). Saving the configuration will allow the most recent changes to survive a restart, whereas not saving the configuration will cause the system to boot to the last saved configuration upon the next restart.
1.21 Unnecessary Functions Should Not Be Enabled
Oftentimes, systems will be configured to start services by default that may not be necessary for the desired usage. Services such as telnet and sendmail can provide entry for hackers.
DataPower ships with all services, protocols, and functions disabled by default. The only way to use a function or service is for an authorized administrator to intentionally enable and configure it.
1.22 Secure Failure
When systems are under duress, they should have some capability to self-determine when there is no recovery possible without some type of human administrative intervention. In these cases, rather than attempt to limp along, they should provide some kind of safe, secure failure mode. At this point, the enterprise’s high availability capabilities should take over for the failed systems, so that traffic is not affected.
DataPower appliances have a failsafe mode which, when entered, restricts functionality, but will provide a subset of diagnostic commands for use in troubleshooting. If the appliances determine that there is not a reliable way to function (for example, if the appliance detects an intrusion), they will enter this mode. Once in failsafe mode, warning messages will be displayed in the WebGUI and CLI. If properly configured, as described in this volume, administrative alerts will occur. DataPower appliances also have extensive capabilities for high availability configuration. Learn more about fail-safe mode at https://ibm.biz/Bd4JrY.
1.23 Physical Security
Data centers rely on physical security to prevent physical intrusion and access to hardware such as servers and network equipment. If the equipment is physically accessed, many types of compromise may become possible, such as attaching diagnostic equipment, traffic sniffers, keyboard capture devices, and removing or altering internal components.
Physical DataPower appliances have intrusion switches built into the inside of the case in order to prevent unwanted individuals from accessing the internal components. By default, if the appliance detects an intrusion, the WebGUI interface displays a warning for new user sessions and the appliance restarts in failsafe mode. The intrusion protection feature can be disabled; however, if intrusion detection is disabled, it will remain disabled until it is explicitly re-enabled, which could lead to unwanted tampering of the appliance. Learn more about managing intrusion detection at https://ibm.biz/Bd4Jrv.
1.24 Secure Administrative Protocols
Any local or remote network connection endpoints for which the appliance will be sending or receiving management traffic should be authenticated via TLS/SSL before establishing a connection. The authentication should be bidirectional and cryptographically based.
Management traffic on DataPower includes the typical appliance management interfaces such as CLI, WebGUI, and SOMA, which are secure by default. Note that the transport layer security for these interfaces (TLS for the WebGUI and SOMA, SSH for the CLI) will make use of an onboard appliance certificate. This certificate is provided with the appliance by default and should be replaced with a certificate generated by your organization. We show you how in Section 2.2, “Encrypting Administrative Protocols.” If SNMP is going to be used, secure configuration for that protocol is discussed in Section 2.4, “Send Immediate Threat Alarms.”
Summary
This chapter served as an introduction to the inherently hardened security features in IBM DataPower Gateway appliances. For the most part, these features require no configuration and cannot be turned off. However, continual and thorough testing and auditing are necessary for any secure platform.
Our next chapter, Chapter 2, “Appliance Administrative Hardening,” will introduce you to the steps to lock down your appliance administratively.
Chapter 2 Appliance Administrative Hardening
In this chapter, we will cover administrative hardening of the physical and virtual DataPower appliances.
2.1 User Interface Idle Timeouts and Cached Admin Credentials
Rationale
It is common to terminate admin user connections to the appliance after idle timeout periods as well as remove any cached admin login credentials. Admin authentication information (credentials) is commonly cached for reliability and performance reasons. These cached credentials typically have a pre-defined lifetime, after which they will expire and be purged from the cache object. Security is reduced with longer lifetime/timeout settings, so relatively short timeframes should be configured. Allowing excessively long idle connection periods risks exposing confidential configuration information when the admin does not sign out of the appliance. Of course, setting the timeout to a shorter interval may affect the load on the credential server. This interval needs careful consideration to find the balance that satisfies organizational policies.
The user interface idle timeout settings for the WebGUI and the CLI should be set to the same value and should be consistent with your organization’s security policy. Note that the default for the WebGUI is 600 seconds (5 minutes) while it is zero seconds (no limit) for the CLI. Lacking specific organizational guidance, setting the idle timeouts to five minutes is a reasonable starting point. Establishing the WebGUI cache timeout period should be based on several factors. For example, a device with just a few administrators, who are using networks with poor connectivity, might require longer timeout periods.
The WebGUI interface timeout value should be consistent with the guidelines established by your organization’s security team and used across any type of administrative session, e.g., WebGUI, CLI, and XML Management.
Configuration
First, configure the idle timeout for the WebGUI. From the default domain, go to Network → Management → Web Management Service. Update the “Idle Timeout” setting to the desired value. Click Apply and Save Configuration before moving on.
Figure 2-1 WebGUI configuration.
TIP—Local Address Binding for Administrative Interfaces
The “Local address” field for the WebGUI (as well as all other interfaces – CLI, XML Management, REST Management) is bound to “0.0.0.0” by default. This means that these interfaces are accessible, by default, from any configured Ethernet interface on the appliance. It is highly recommended that administrative interfaces be explicitly bound to specific network interfaces dedicated to management traffic. To do this, create a Host Alias (Network → Interface → Host Alias) that relates a logical interface name such as “managementNIC” to the interface’s IP address. Leaving the administrative interfaces open to requests from any network interface exposes the appliance to potential intrusion attempts from outside your administrative subnet.
TIP—Host Aliases versus Static DNS
Host Aliases are intended to provide logical names for the appliance’s network interfaces. Common examples are “localhost” (e.g., 127.0.0.1) and “managementNIC” (configured to the IP address of the Ethernet interface used for management traffic). Host Aliases are not intended to be used to reference external entities (i.e., an LDAP server’s IP address or hostname). To reference external entities, create a Static Host under DNS Settings (Network → Interface → DNS Settings) or configure DataPower to use your organization’s DNS servers to resolve hostnames to IP addresses.
Next, configure the RBM Settings for Authentication Cache Lifetime. Go to Administration → Access → RBM Settings. Click on the Authentication tab. Set the Authentication cache mode to Absolute. Set a timeout value. The configuration is shown in Figure 2-2.
Figure 2-2 Configuration for timeout of administrative authentication.
Finally, click the Account policy tab to configure RBM settings for the CLI. Click “on” to enable RBM enforcement for the CLI and set the CLI idle time-out to the same value as prescribed for the WebGUI (e.g., 600 seconds).
Apply your changes and save the configuration before testing.
Figure 2-3 RBM configuration for the CLI.
TIP—Configure Maximum Failed Logins
While you are on the Account policy configuration tab, it is advisable to configure the “Maximum failed logins” and “Lockout duration” parameters to values consistent with your organization’s security policy.
Testing Tips
Log in to the device WebGUI as an administrator. Leave the session idle or disconnect the session without logging out. Wait until well after the timeout period and attempt to use the session again. This should result in a request to re-authenticate. Repeat the process for the CLI. Review the DataPower logs to ensure that the appropriate messages appear. These should describe the login attempt, the fact that the credential is no longer valid or in the cache, and that re-authentication is being requested.
Also, perform a test to use the session prior to the timeout period to ensure that re-authentication is not required.
2.2 Encrypting Administrative Protocols
Rationale
Administrative connections and communications carry sensitive information. These should always be transmitted over encrypted protocols. By default, DataPower uses secure protocols for admin access to the CLI, XML Management, and the WebGUI. DataPower will initially use built-in SSL/TLS certificates supplied by IBM, but as a best practice those should be changed to your own organization’s security certificates.
One exception to the above is the use of the Telnet protocol. While DataPower does support the Telnet protocol, it is inherently non-secure and should not be used.
Configuration
By default, DataPower uses a self-signed certificate (signed by DataPower Technology, Inc.) for the WebGUI, XML Management Interface and REST Management interfaces. The certificate is not signed by a well-known Certificate Authority (CA). The signer is not included in the list of trusted third parties in internet browsers, and therefore the connection is flagged as “untrusted.”
In order to change the certificate to a trusted certificate, each interface must be updated separately. To update the certificate used by the WebGUI, go to Network → Management → Web Management Service and click the “Advanced” tab. Select the desired SSL server type and configure the SSL server profile to reference the trusted certificate. Repeat the process for the XML Management Interface and the REST Management Interface via the Network → Management menu path. All interfaces can use a common certificate, or separate certificates.
In the DataPower WebGUI, go to Network → Management → Telnet Service and ensure that no enabled Telnet configurations exist.
TIP—Configuring TLS Connections for Admin Interfaces
Make use of “Server Profiles” when configuring TLS for the administrative interfaces, rather than SSL Proxy Profiles. “Server Profiles” are the newer configuration approach for TLS (as of firmware 7.2) and are more intuitive to set up and maintain. While SSL Proxy Profiles will still work, they will eventually be deprecated.
Testing Tips
Test the administrative interfaces over TLS and look at the logs to ensure that the correct certificate and validation process were used.
Attempt to use a Telnet session from a remote device to log into the device as an Administrator. This should fail. If a connection is established, check the DataPower configuration and logs again and take action to remediate the configuration. Retest until Telnet connections are refused.
2.3 Off-load System Audit Records
Rationale
It is a good security practice to copy system audit records to a safe, non-local storage medium. They are circular, in order to avoid over-running the device’s local storage. This means that older logs will at some point be overwritten, which is why off-loading the audit logs to secure, external storage will prevent any loss of log data.
Configuration
Audit logs can be copied to a remote destination using either the command-line admin interface and CLI commands (which can be scripted), or the WebGUI.
To move audit logs using the CLI, use the CLI copy command:
Syntax: copy -f sourceURL destinationURL
-f is an optional switch that forces an unconditional copy. For example:
xi52(config)# copy -f audit:audit-log sftp://[email protected]/LOGS/x/AuditLog.log
See https://ibm.biz/Bd4Tw6 for additional details on use of the CLI copy command.
To move audit logs automatically, use the WebGUI and go to Administration → Miscellaneous → Manage Log Targets. Click the Add button to add one, or choose an existing one (not default-log, which can’t be modified). Name the new log target in the Name field. Switch to the Event Subscription tab. Press the Add button, choose Category “audit” and click the Apply button. Go back to the Main tab, choose File in the Target Type dropdown and configure it. This is shown in Figures 2-4 and 2-5. Note that if you wish to do key-based authentication rather than use a user ID and password, there is a technote that describes the configuration at https://ibm.biz/Bd4Ata.
Figure 2-4 Configuring to copy audit logs.
Figure 2-5 Configuration for SFTP log file upload.
Testing Tips
This process can be tested by setting up a remote server, creating a condition that will result in a log message being generated, and then viewing the remote server log.
2.4 Send Immediate Threat Alarms
Rationale
Administrators should be notified immediately in the case of any serious adverse event. Time is of the essence when something is going wrong, or when someone is attempting to compromise the system.
Potential security violations should be identified quickly—even when administrators are not logged into DataPower. The best way to facilitate this is by sending SNMP Traps and Notifications generated by the local SNMP agent or engine.
Generating these Traps and Notifications is important both for preventing system incursions and providing logs for after-the-fact forensic analysis.
Configuration
In the DataPower WebGUI, go to Administration → Access → SNMP Settings. On the Main tab, you must specify the local DataPower appliance IP address and port that your SNMP server will connect to. Add SNMPv3 users that will have authority to configure a connection from an SNMP server to this DataPower appliance. Set the SNMPv3 Security Level. For production, the setting should be “Authentication, Privacy.” Set the SNMPv3 Access Level: usually either “read-only” or “read-write.” This configuration is shown in Figure 2-6.
Figure 2-6 Configure SNMP main settings.
TIP—SNMP Versions
Common SNMP versions are 1, 2c, and 3. Version 3 is the only one that should be employed for secure configurations, as it’s the only one that allows for authentication and encryption.
Next, move to the “Trap Event Subscriptions” tab. On the Trap Event Subscriptions tab, set the “Enable Default Event Subscriptions” option to “on.” Set Minimum Priority to your desired level, e.g., “warning” or “error.” Select the specific event codes that will generate SNMP traps.
TIP—Use the Select Code Button
Note that you can click the Select Code button to browse for additional desired notifications.
In order for DataPower to provide notification to your SNMP server, an event must be present in the list of Event Subscriptions. For example, to provide notification of account-enabling actions, you could add the 0x8240001c and 0x8240001f events. This is shown in Figure 2-7.
Figure 2-7 SNMP Settings: Trap Event Subscriptions.
Finally, move to the Trap and Notification Targets tab. Click the Add button to configure a target SNMP server. Add the server name or IP address, port, and version (which should be v3) for all SNMP servers that must receive your trap and notification events. The target SNMP server(s) bear the responsibility for notifying those individuals who are responsible for taking appropriate action. The Security Name is the name of the local SNMPv3 user to use for notifications to this recipient. It determines what authentication and privacy encryption protocols are used, and what associated keys. Set the Security Level dropdown to Authentication, Privacy.
Figure 2-8 SNMP Settings: Trap and Notification Targets.
Figure 2-9 shows the completed configuration. On the Main tab, set the “Administrative state” to “enabled.” Click “Save Configuration.”
Figure 2-9 SNMP Edit and Notification Targets configuration.
TIP—Message References
For a complete reference to DataPower log messages, event codes, and audit events see: https://ibm.biz/Bd4pkj
TIP—Configure an SNMP Log Target
In addition to configuring the “Trap Event Subscriptions”, you can also configure a log target, setting the “Target Type” to SNMP. A general purpose log target offers the advantage of being able to configure a wider range of events to be sent as SNMP traps (the general SNMP configuration is limited to configuring specific event codes).
Testing Tips
Configure your SNMP server per your organization’s guidelines. One approach to testing is to create any condition that violates an on-device security policy, such as sending a message that violates the constraints in the XML Threats policy (too large, too deeply nested, etc.). Send the message to a service on DataPower. A second, easier approach is to generate specific log events (see the TIP later in this section). Check the DataPower and SNMP server logs, as well as the log receiver, to ensure that the proper results were achieved.
TIP—SNMP Testing
To learn how to send test SNMP traps from DataPower, see the following IBM support article: How to Test SNMP Traps on IBM DataPower Gateway, https://ibm.biz/Bd4TtD.
In order to confirm that your SNMP alerts are set up properly:
In the DataPower web interface, navigate to Administration → Access → SNMP Settings. Verify that “Trap Event Subscriptions” includes the Event Subscription codes that indicate conditions that violate on-device security policy, such as sending a message that violates the constraints in the XML Threats policy (too large, too deeply nested, etc.).
On the “Trap and Notification Targets” tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the appropriate administrators when account modification events occur.
On the Main tab, confirm that the “Administrative state” is set to “enabled.” Additionally, confirm that the runtime state (shown at the top of the page after the text “SNMP Settings”) indicates in brackets that the SNMP object is in an “up” state.
Finally, perform an end-to-end test by confirming that the event appears in the DataPower audit log, and that an appropriate notification is sent by the designated SNMP server(s) specified on the “Trap and Notification Targets” tab of the DataPower SNMP Settings, and, of course, ultimately received by the designated administrator(s).
TIP—Generate Test Events
From the Control Panel, select the “Troubleshooting” tool and use the “Generate Log Event” tool to generate specific events which will trigger SNMP traps and, ultimately, appropriate notifications.
2.5 Configure SNMP Trap Events for Account Enabling Actions
Rationale
As previously described in Section 2.4, “Send Immediate Threat Alarms,” alerts can be configured using SNMP trap event subscriptions that are sent to an external SNMP server. That server can, in turn, provide notifications to systems administrators. One of the most serious events is when someone is enabling or creating new accounts. Most intruders will do this to make later system access easier.
Configuration
See Section 2.4, “Send Immediate Threat Alarms,” for the steps to set up SNMP traps. Follow those instructions for the configuration and testing, but add the account enabling codes described in that section.
Testing Tips
Test using the procedure described in Section 2.4, “Send Immediate Threat Alarms,” but while enabling a new administrative account.
2.6 Selective, Targeted Auditing
Rationale
Auditing and logging are key components of any security architecture. Each organization will likely have its own items of interest in terms of the types of events that can occur on the system. The DataPower Gateway can generate audit log events for a customized list of auditable events. Logging specific events provides a means to investigate an attack, to recognize resource utilization or capacity thresholds, or to identify an improperly configured network device. Auditing is also useful for intrusion monitoring, troubleshooting, quick resolution of problems, security investigations, and forensic analysis.
Configuration
Go to Administration → Miscellaneous → Manage Log Targets. Click an existing log target (other than default-log, which can’t be changed) or add one. Name the log in the Name field. Go to the Event Subscriptions tab and add the event categories that are required to be audited for this log target. Figure 2-10 shows an example log target with categories that might be of interest to the security team.
Figure 2-10 Example log target and categories related to security.
Testing Tips
For an off-box logging target, review your log target configuration to confirm that the “Administrative state” is enabled. If there is a problem with the configuration, it will show a “disabled” state. Additional examination should be done on the external logging server to ensure that log entries are arriving and they are in the proper format.
Log into the device as an Administrator. Either create a condition that matches the selected event or use the Troubleshooting Tool to generate specific events. Review the DataPower system logs and configured log target(s) to ensure that everything worked as expected.
2.7 External Admin Authenticators
Rationale
DataPower supports a local registry of administrative users, but this is only practical for demo and isolated development/test scenarios, or as a fallback mechanism in the event that the remote authentication server is unreachable. For robust implementations, LDAP is typically used as the central registry of administrative users, passwords, and groups.
DataPower allows for alternatives such as PKI certificates and RADIUS. But, in the vast majority of cases, LDAP or its Microsoft cousin, Active Directory, will be used. LDAP v3 is recommended over v2 due to the addition of several features important for security. LDAPS (LDAP over TLS) is recommended.
You may want to configure a local administrative account as a backup, in case something goes wrong with the configuration or LDAP environment. Also, note the cache settings that are available in this configuration and bear in mind that longer cache times will reduce security.
TIP—Enterprise RBM
Users may be authenticated by a remote authentication system such as LDAP, RADIUS, SAF, or SPNEGO. The Role Based Management policy determines whether to allow an authenticated user to access specific resources.
Configuration
In the DataPower WebGUI, go to Administration → Access → RBM Settings. Go to the Authentication tab.
Set the Authentication Method to LDAP. Set the LDAP configuration to be consistent with your environment and security policy. An example is shown in Figure 2-11. Note that TLS should be used, and you would most likely load balance messages to a number of LDAP servers.
Figure 2-11 RBM LDAP settings.
TIP—LDAP Server Connection Configuration
The information necessary to configure the LDAP connection may need to be obtained from your organization’s LDAP administrator. Information such as LDAP prefix, suffix and LDAP Search parameters will vary by organization.
While you are on this page, configure the fallback section for at least one local administrative account (it is not recommended to select all users). This ensures that you can log into the appliance if something goes wrong in configuring the LDAP connection, or later when using an external LDAP server for DataPower administration. This is particularly useful while you are configuring and testing any changes for external authentication. Your enterprise security policies may prohibit the use of local accounts for production or ongoing purposes. This configuration is shown in Figure 2-12.
Figure 2-12 Configuration of local fallback administrative account.
Testing Tips
Gather the information for your enterprise’s LDAP or RADIUS server, and use it to configure DataPower. After this is done, attempt to open a WebGUI admin session and log in using a valid credential from the LDAP or RADIUS server. Use the DataPower and external authentication server logs to troubleshoot. If problems occur, log in using the backup local admin account to make changes.
If you have configured fallback user accounts, confirm that this works correctly by changing the LDAP server configuration information (e.g., Host/IP address) within DataPower, such that the LDAP server cannot be reached.
You may also want to keep an admin session open while you are testing this, for example through the command line interface, so that you can troubleshoot your configuration, as well as “recover” from testing your fallback account functionality.
TIP—Testing Fallback Users from the WebGUI
If you are testing the fallback user from the DataPower WebGUI, you may want to use two different browsers for testing, such as Google Chrome and Mozilla Firefox. This will allow you to have your admin session open in one browser while testing the fallback configuration in another.
2.8 Secure Backups
Rationale
System backups are a critical, essential part of any organization’s disaster recovery plan. However, these will by nature include very sensitive information (such as private keys and other authentication/configuration information) and should be handled with great care.
DataPower allows for secure backups, in which the entire backup is encrypted and contains all sensitive material from the configuration. This allows the backup to be used to replicate the device configuration by restoring it to a compatible appliance (same firmware and storage capacity). Normal (non-secure) backups are not encrypted and do not contain the sensitive material (keys, certificates, passwords).
Secure backups can only be created if ‘y’ was answered to the prompt ‘Enable Disaster Recovery mode?’ on device initialization (first-time device setup). If this was not selected initially, the appliance would have to be re-initialized, or the Secure Backup Enabler tool requested through IBM (see the TIP below).
For more information on secure backup and restore, see the article at https://ibm.biz/BdRHq8.
TIP—Secure Backup Enabler
IBM has created a tool that allows Disaster Recovery/Secure Backup to be enabled on the fly, without having to re-initialize the appliance. It can be requested through the DataPower support organization, as it is created for specific appliances (based on physical appliance serial number or UUID for virtual appliances).
Configuration
Go to Administration → Main → System Control and configure Secure Backup. Figure 2-13 shows this section. You will need the private key and certificate that is used to create the backup in order to restore this configuration on another appliance, so be sure to export it and have it available.
Figure 2-13 Secure Backup configuration.
Note that as of version 7.2 of the firmware, the destination only supports use of the FTP protocol. As FTP is not considered a secure protocol, approaches such as that advised in the technote “DataPower Secure Backup to an SFTP Destination” at https://ibm.biz/Bd4T68 should be considered.
TIP—Automating Secure Backups
The Secure Backup can be automated via external scripting or a Scheduled Processing Policy Rule in the XML Manager object in the default domain. In either case, a request would be sent to either the XML Management Interface or the REST Management Interface to perform the Secure Backup and transfer the backup to a remote server.
Testing Tips
Configure an FTP server to receive the backup, or gather the information for an existing FTP server. Configure the secure backup as described above. Attempt the secure backup, and check the logs on the DataPower appliance and FTP server. Verify that the backup exists in the target FTP server directory. Try to restore the saved backup to a new appliance. Take care, as this will completely remove any existing configuration on the target appliance.
2.9 Crypto Keys and Certificates
Rationale
DataPower appliances ship with a common set of crypto keys and certificates that allow base functionality out of the box, but of course, as these are shared with every customer, they are not secure (leaving the default signer certificates for CAs such as Verisign, and others, could inadvertently allow TLS connections that should not be allowed). The out-of-the-box crypto material should be replaced as soon as possible with keys and certs that are approved by your organization’s security team. You should also review all of the public certificates in the pubcert: directory and remove any that will not be needed.
Configuration
Go to Objects → Crypto Configuration → Crypto Certificate (for certificates) or Crypto Key (for keys) to upload external keys/certificates to the encrypted flash or to a FIPS 140-2 Level 3 HSM. Create the necessary DataPower crypto objects from these files.
TIP—Key and Certificate Objects
As previously described, the key(s)/certificate(s) used for DataPower’s administrative interfaces are stored in the default domain, commonly in the shared cert: directory. If a Hardware Security Module (HSM) is being used, the private key may be stored in the HSM. Certificate Authority signer certificates are commonly stored in the pubcert: directory of the default domain; however, the crypto objects that reference them are configured in application domains, not the default domain.
Testing Tips
When the correct crypto files are in place and the appropriate DataPower objects created from them, do all necessary testing of protocol-level communications, file encryption and file signing with these crypto objects. Review the DataPower and external server logs to ensure that the appropriate keys/certificates are used. When debugging SSL/TLS connection issues, it may be useful to use tools such as Wireshark.
2.10 Audit Account Enabling Actions
Rationale
Logging all attempts at administrative actions such as enabling user/admin accounts is important both for preventing unwanted system incursions and for providing after-the-fact forensic information.
Adequate auditing supports the enforcement of access restrictions against changes to the appliance configuration. Audit logging also can provide the ability to identify attempted attacks. A complete audit trail will be invaluable for forensic investigation leading to appropriate after-the-fact actions.
TIP—Threat and Forensic Analysis
It is prudent to establish robust log analysis methods to assist in identifying potential threats and to provide post-incident forensic analysis.
Auditing the use—and potential misuse—of privileged appliance functions is important in preventing insider threats and advanced persistent threats. Detection can be accomplished by ensuring that the appliance audit log is enabled, set to capture at an appropriate level, and has adequate storage available.
Configuration
DataPower provides extensive logging configuration options. Among them is the ability to specify the level of audit logging. By default, audit logs are kept on the DataPower appliance in the “audit:” directory, accessible via the default domain. By default, the DataPower appliance logs the execution of all privileged functions, and the audit log is enabled by default.
To configure a comprehensive audit trail, from the default domain, go to Objects → Logging Configuration → Audit Log Settings. Set the Audit Level to Full. Specify the desired Log Size, Number of Rotations, and audit level. Press Apply, then Save Configuration. The maximum available log space is approximately 50 GB less the space consumed by other data on the device. Make sure that the Administrative state appears as “enabled.” This configuration is shown in Figure 2-14.
Figure 2-14 Audit Log Setting – Full audit level.
TIP—Log Analytical Tools
For production, make sure that you configure an external log target for audit logs. In addition, this comprehensive external audit logging should be supported by strong log analytical tools.
TIP—Audit Log Settings
In addition to setting the Audit Level, you can also modify the audit log size and the number of generations of the log maintained in the audit directory. If you change the default values, make sure that you also allocate sufficient space for storage of these logs.
WARNING—On-box Logging will be Overwritten
It is essential that production audit logging be directed to an off-box server, e.g., syslog, using Log Target configuration. Due to space limitations, on-box logging, such as the Audit Log and the System Log, will eventually be overwritten.
Testing Tips
In order to confirm that on-box audit logging is configured to provide comprehensive information, view the logging settings at Objects → Logging Configuration → Audit Log Settings. For local logging, check the local system log to ensure that the following event message is not displayed in the log: “0x82400067 Audit log space low - using audit reserve space.” Set up SNMP monitoring to monitor for this condition on an ongoing basis. Then, execute a privileged function (like adding, changing, or deleting a user). The most recent entry will be at the bottom of the log. If properly configured, the log will show evidence of that account change.
2.11 Alert Audit Record Storage Critically Low
Rationale
In order to avoid the loss of important audit information, it is essential that systems administrators be notified when audit log storage capacity is critically low. DataPower Audit Logging, by default, is local to the appliance (see Section 2.10, “Audit Account Enabling Actions,” for more information). As such, the space available for audit logging is critically important. Should the available space become critically low, DataPower will automatically issue an event code for logging, then disable all active services such that no new transactions can be processed.
Configuration
As previously described in Section 2.4, “Send Immediate Threat Alarms,” SNMP traps can be configured to communicate critical events to operations staff, so that appropriate administrative action can be carried out. Configure SNMP monitoring for the event code “0x80400080” (“Audit log space low - using audit reserve space. Shutting down all services.”).
Figure 2-15 Audit log space low.
Additionally, it is a recommended practice to configure a log target for critical events to be sent to off-appliance logging such as syslog. See Section 2.3, “Off-load System Audit Records,” for additional details.
TIP—Expanding Audit Log Storage
Establish—and practice—a minimally disruptive procedure for responding to a near out-of-space condition.
Testing Tips
Test alert generation using the Generate Log Event Troubleshooting tool to generate the event “0x80400080”. Then confirm that an SNMP trap was sent to the organization’s monitoring solution.
2.12 Generate Alerts for Audit Failure Events
Rationale
Administrative personnel must be alerted if a system is at risk of failing to process audit logs. SNMP event subscriptions must be configured to send failure-related trap events to an SNMP server. The SNMP server must be configured to notify the personnel responsible for remediating the problem.
Configuration
In order to generate alerts associated with audit failure events, navigate to Administration → Access → SNMP Settings. Configure SNMP Monitoring as described in Section 2.4, “Send Immediate Threat Alarms.” Configure “Trap Event Subscriptions” to include Event Subscriptions that indicate audit log failure by adding the following events: 0x80c0006a, 0x82400067, 0x00330034, and 0x80400080.
Figure 2-16 Audit failure events.
Once you’ve configured Event Subscriptions, you must specify the SNMP server(s) DataPower must notify. On the “Trap and Notification Targets” tab, add all Remote Host Addresses and Remote Ports for the SNMP servers that must receive your trap events.
Figure 2-17 Trap and notification target.
TIP—Log Failover Capability
Ensure that a failover log target is available at all times in order to minimize the loss of log data.
Testing Tips
Review all of the above configurations to ensure that settings are as desired. Then, go to the DataPower Troubleshooting Panel. Use the Generate Log Event capability to generate any trap event subscriptions you wish to test. This will allow an end-to-end test from event to SNMP server to notification recipient.
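As an added example (not from the book or from IBM), the following Python script turns the event codes this chapter tells you to subscribe to (the account-enabling codes of Sections 2.4 and 2.5 and the audit-failure codes of Sections 2.11 and 2.12) into a detection rule over exported log lines, so that an off-box copy of the log can be cross-checked against what the SNMP path should have raised. The line layout and the sample lines are constructed; the timestamp parser assumes the default numeric UTC format shown in Section 2.14, and the “syslog” layout it converts to is assumed to be the RFC 3164 one.

```python
"""Scan exported DataPower-style log lines for the audit-failure and
account-enabling event codes that Chapter 2 recommends monitoring.
Added example; not code from the IBM DataPower Handbook."""
import re
from datetime import datetime, timezone

# Codes named on the page. Account-enabling actions: Section 2.4/2.5.
ACCOUNT_ENABLING_CODES = {0x8240001C, 0x8240001F}
# Audit log failure conditions: Section 2.12 (0x80400080 also means the
# appliance is shutting down all services, Section 2.11).
AUDIT_FAILURE_CODES = {0x80C0006A, 0x82400067, 0x00330034, 0x80400080}
SERVICE_SHUTDOWN_CODE = 0x80400080

# Constructed line layout: numeric UTC timestamp, [code][category][priority], message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{8}T\d{6}\.\d{3}Z)\s+"
    r"\[(?P<code>0x[0-9a-fA-F]{8})\]"
    r"\[(?P<category>[^\]]+)\]"
    r"\[(?P<priority>[^\]]+)\]\s+"
    r"(?P<message>.*)$"
)


def parse_timestamp(ts):
    """Parse the default numeric format, e.g. 20150330T072434.296Z, as UTC."""
    return datetime.strptime(ts, "%Y%m%dT%H%M%S.%fZ").replace(tzinfo=timezone.utc)


def to_syslog_timestamp(dt):
    """Render a parsed timestamp in the RFC 3164 'Mmm dd hh:mm:ss' layout
    (assumed to be what the 'timestamp syslog' CLI setting produces)."""
    return f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"


def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "time": parse_timestamp(m["ts"]),
        "code": int(m["code"], 16),
        "category": m["category"],
        "priority": m["priority"],
        "message": m["message"],
    }


def classify(event):
    """Map an event to an alert kind, most severe first; None if uninteresting."""
    code = event["code"]
    if code == SERVICE_SHUTDOWN_CODE:
        return "critical-audit-shutdown"
    if code in AUDIT_FAILURE_CODES:
        return "audit-failure"
    if code in ACCOUNT_ENABLING_CODES:
        return "account-enabling"
    return None


def scan(lines):
    """Return (alerts, unparsed_count). Unparseable lines are counted rather
    than dropped silently: a log feed that stops parsing is itself a finding."""
    alerts, unparsed = [], 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed += 1
            continue
        kind = classify(event)
        if kind is not None:
            alerts.append({"kind": kind, **event})
    return alerts, unparsed


# Constructed sample log. 0x00000000 is a placeholder for an uninteresting
# event; the two "Audit log space low" messages are quoted from the chapter,
# the account-enabling message text is made up for the sample.
SAMPLE_LOG = [
    "20150330T072434.296Z [0x00000000][mgmt][notice] placeholder: routine event",
    "20150330T072501.012Z [0x8240001c][auth][notice] user 'newadmin' enabled (constructed)",
    "20150330T073010.500Z [0x82400067][audit][warn] Audit log space low - using audit reserve space.",
    "20150330T073011.001Z [0x80400080][audit][critical] Audit log space low - "
    "using audit reserve space. Shutting down all services.",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for a in found:
        print(f"{to_syslog_timestamp(a['time'])} {a['kind']:<24} 0x{a['code']:08x} {a['message']}")
    print(f"{bad} line(s) could not be parsed")
```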
2.13 Configure NTP Service
Rationale
Accurate time stamps are essential for correlating events and supporting an accurate analysis. Determining the exact time that a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Time reference precision may be achieved on the appliance by configuring several approved NTP servers.
Configuration
In order to configure the DataPower appliance to synchronize internal information system clocks to an authoritative time source (NTP servers), go to Network → Interface → NTP Service. Specify the IP addresses of several approved NTP servers. The refresh interval may be defined at any value between 60 and 86400 seconds.
Figure 2-18 NTP server configuration.
WARNING—External NTP Server Vulnerabilities
Connecting to an external time server represents a potential security vulnerability—especially when the connection is not over TLS. Availability may also represent a point of failure. Many security-conscious sites use internal NTP servers as an alternative.
Testing Tips
Check the system time for the DataPower appliance—and ideally, all those back end services the appliance connects to. Ensure that the times are in sync. An in-sync condition will bear fruit when system-wide troubleshooting needs to be accomplished. Also, check the DataPower system logs to confirm that there are no error events related to connections to the NTP server(s).
2.14 Configure the Desired Timestamp Format
Rationale
Time stamps used by the appliance must be in a common, known format in order to provide a common time reference and support log analysis.
Configuration
By default, the DataPower appliance records timestamps for audit records in Coordinated Universal Time (UTC). The following is an example: March 30, 2015 followed by the number of milliseconds since January 1, 1970. For example, 20150330T072434.296Z
The timestamp format may be reconfigured using the “timestamp” CLI command. For example, timestamp {numeric|syslog}
“numeric” is the UTC format, while “syslog” is the syslog timestamp format.
Testing Tips
Go to Status → View Logs → Audit Log to display current timestamped log entries.
2.15 Generate an Alert if Appliance Configurations Are Changed
Rationale
An essential step in protecting the appliance from unauthorized access and attack is the configuration of alerts that indicate unauthorized configuration changes. On the DataPower appliance, this may be accomplished by sending appropriate SNMP trap events to an SNMP server that is configured to provide notifications.
Configuration
In order to generate alerts associated with changed configurations, navigate to Administration → Access → SNMP Settings. Configure SNMP Monitoring as described in Section 2.4, “Send Immediate Threat Alarms.” Configure “Trap Event Subscriptions” to include Event Subscriptions that indicate configuration change(s). These events may be added and deleted on an ad hoc basis. The “Select Code” button allows for browsing available event codes. For a complete reference to DataPower log messages, event codes, and audit events see: https://ibm.biz/Bd4pkj.
TIP—Selection of Traps and Notification Targets
Work with your security officer in order to best identify trap events, threat patterns, and notification.
Testing Tips
Go to the DataPower Troubleshooting Panel. Use the Generate Log Event capability to do a test generation of any trap event subscriptions you wish to test. This will allow an end-to-end test from event to SNMP server.
2.16 Protecting Audit Information
Rationale
System events related to functioning of the appliance, user access, configuration changes, firmware changes, and to a lesser extent, metadata, are commonly referred to as audit data.
All appliance activity, regardless of the application domain in which it occurs, is recorded via logging in the default domain. As such, restricting access to the default domain achieves the objective of securing this type of data. Audit logs provide a history of all administrative activities that occur on the appliance. The audit log is separate from the standard DataPower application logs.
Adequate auditing supports the enforcement of access restrictions against changes to the device configuration. Audit logging can provide the ability to identify attempted attacks. A complete audit trail will also be invaluable for forensic investigation leading to appropriate after-the-fact actions.
If audit data is compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity will be difficult, if not impossible, to achieve. In addition, unsecured access to audit records provides information an attacker could use to his or her advantage.
To ensure the veracity of audit data, the information system and/or the network device must protect audit information from any and all unauthorized access, including read access.
TIP—Limit Access to the Default Domain
Audit logs can be accessed from the default domain. Best practice states that the default domain should only be accessed by the appropriate privileged users.
TIP—Production Audit Log External Target
In order to prevent audit log data loss, all audit logging should be sent to an appropriately secured external log target.
Configuration
By default, the DataPower appliance logs the execution of all privileged functions. The audit log is enabled by default. To configure, see Section 2.10, “Audit Account Enabling Actions.”
To limit default domain access to only privileged users, log in to the default domain then go to Administration → Access → User Account. Select a previously defined nonprivileged user account, such as a guest user account. Verify that Access Level is set to “Group Defined” and that the user is a member of an appropriate nonprivileged group. Click the “…” button next to the User Group field. Enter */default/*?Access=NONE into the Access profile field. Add → Apply → Apply → Save Configuration (see Figure 2-19).
Figure 2-19 Configure User Group.
Alternatively, a more granular approach can be taken which allows access to the default domain, but limits access to DataPower’s built-in audit log data and configuration, as well as log targets and locally logged data. To implement this alternative approach, appropriate user groups would have the following Access profiles added.
Listing 2-1 More granular Access profiles for limiting access to audit data.
*/*/file/audit
*/*/logging/audit-log?Access=r
*/default/file/logtemp?Access=NONE
*/default/logging/target?Name=ISSMLogTarget&Access=r
These Access profiles have the following effects:
*/*/file/audit
Limits access to the “audit:” directory of each application domain, including default.
*/*/logging/audit-log?Access=r
Provides for read-only access to the DataPower Audit log configuration settings.
*/default/file/logtemp?Access=NONE
Makes the logtemp: directory of the default domain invisible to users in the affected groups. The logtemp: directory is a common place to write custom log file data on the appliance. Local logs might also be written to the RAID array. Include an additional Access profile for each directory/location to which log files are written.
*/default/logging/target?Name=ISSMLogTarget&Access=r
Makes the log target configuration read-only. In this case the log target is named ISSMLogTarget. There would be one such Access profile for each log target definition that is to be protected.
TIP—Remotely Logged Data
Audit data that is written to locations outside of the DataPower appliance (NFS drives, SFTP, syslog, etc.) must be secured both during transmission and at rest.
Testing Tips
Log in to the DataPower appliance as a user with limited audit data access. Confirm that the user’s ability to access the audit log, specific log targets and the logtemp: directory is, indeed, restricted.
TIP—Use Local User Accounts and Groups to Simplify Access Profile Configuration
Use of local login accounts mapped to local user groups simplifies the development and testing process of user groups and related access profiles. This can readily be accomplished using an instance of DataPower Virtual Edition, specifically designated for RBM configuration/testing. This virtual instance can then be shut down when not in use, so that this Virtual Edition license can be used for other virtual instances.
2.17 Password Policy
Rationale
An enterprise should have a password hardening policy for local accounts on servers. This protects the integrity of the system by making user accounts less vulnerable to brute force and dictionary attacks.
Configuration
To create a password policy on DataPower, type RBM in the WebGUI search bar → RBM Settings → Password Policy tab. Below are suggested values, but always check with your security organization for their corporate standards.
Minimum Length – 15 characters
Require Mixed Case – On
Require Non-Alphanumeric – On
Require Digit – On
Disallow Username Substring – On (password cannot contain the username)
Enable Aging – On
Maximum Password Age – 90 days
Disallow Password Reuse – On
Reuse History Size – 5 (user cannot reuse last five passwords)
Password Hash algorithm – sha256crypt
(See Figure 2-20)
Figure 2-20 Password policy configuration.
TIP—Password Policies
The above password attributes are the recommended settings for all users accessing the DataPower system. Password Minimum Length can be adjusted down slightly, but should always be greater than 8 characters.
Testing Tips
To test, create a temporary user account. When setting the user password, try to violate the above password policy rules by entering a non-compliant password combination, then Next and Commit. DataPower should enforce the attributes set in the password policy and display an error message.
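The rules above can be screened locally before an administrator types a new password into the appliance. The following checker is an added example for this chapter, not code from the book or from DataPower: it encodes the suggested values as a policy object and returns every rule a candidate violates, including the reuse-history rule, so that the test described in Testing Tips can be rehearsed offline. The usernames and passwords in it are constructed; the appliance's own enforcement remains authoritative.

```python
"""Password-policy checker mirroring the suggested DataPower RBM settings.

Added example, not code from the book or from DataPower. It models the
rules listed above as a plain function so that candidate passwords can be
screened before an administrator enters them on the appliance.
"""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class PasswordPolicy:
    # Defaults are the suggested values from the section above.
    minimum_length: int = 15
    require_mixed_case: bool = True
    require_non_alphanumeric: bool = True
    require_digit: bool = True
    disallow_username_substring: bool = True
    reuse_history_size: int = 5  # the last five passwords may not be reused


def check_password(policy: PasswordPolicy, username: str, password: str,
                   previous_passwords: Sequence[str] = ()) -> List[str]:
    """Return the rules the candidate violates; an empty list means compliant."""
    violations = []
    if len(password) < policy.minimum_length:
        violations.append(f"shorter than {policy.minimum_length} characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if policy.require_mixed_case and not (has_upper and has_lower):
        violations.append("must contain both upper- and lower-case letters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        violations.append("must contain a digit")
    if policy.require_non_alphanumeric and not any(not c.isalnum() for c in password):
        violations.append("must contain a non-alphanumeric character")
    # The substring test is case-insensitive so "Admin" inside "xAdMiNx" counts.
    if (policy.disallow_username_substring and username
            and username.lower() in password.lower()):
        violations.append("must not contain the username")
    # Only the most recent N history entries are considered for reuse.
    recent = list(previous_passwords)[-policy.reuse_history_size:]
    if password in recent:
        violations.append(f"matches one of the last {policy.reuse_history_size} passwords")
    return violations


if __name__ == "__main__":
    # Constructed sample: one compliant candidate and one that breaks several rules.
    policy = PasswordPolicy()
    for candidate in ("Tr0ub4dor&3-Gateway!", "dpadmin2016"):
        print(candidate, "->", check_password(policy, "dpadmin", candidate) or "compliant")
```

The history argument takes the previous passwords as given here only to keep the example self-contained; on a real system the comparison would be made against stored hashes, never against cleartext.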
2.18 NIST SP 800-131a and FIPS 140-2 Compliance
Rationale
SP 800-131a is a recommendation that was developed by the National Institute of Standards and Technology (NIST). It requires long key lengths and strong cryptographic algorithms. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information secured by the module.
NIST issues standards and guidelines that address security and interoperability requirements of US Federal Government users. These standards are known as Federal Information Processing Standards (FIPS). Specifically, the FIPS 140-2 standard requires that products such as DataPower use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.
Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and data may be compromised. Network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.
TIP—NIST SP 800-131a Compliance
See the DataPower Knowledge Center for more details on configuring NIST SP 800-131a compliance: https://ibm.biz/Bd4uBD.
Commonly, the client that is connecting to the DataPower gateway is outside of your organization’s control. Confirm that the client can support the protocols and ciphers that are configured for the SSL Server Profile to ensure that the organizations will be able to exchange messages.
As previously described, a component of DataPower’s client-side processing is the SSL/TLS negotiation and decryption of the data stream. Organizations will frequently require compliance with the Transport Layer Security (TLS) requirements identified in the NIST Special Publication (SP) 800-52. Specifically, NIST SP 800-52 requires that TLS 1.1 be configured with FIPS-based cipher suites as the minimum appropriate secure transport protocol and recommends that agencies develop TLS 1.2 migration plans by January 1, 2015.
TIP—NIST SP 800-52 Revision 1
See the NIST publication site for more details on the NIST SP 800-52 requirements: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf.
See the IBM Knowledge Center page at https://ibm.biz/BdXRae for more information. With respect to FIPS compliance, DataPower firmware can run in two different modes:
Permissive: In permissive mode, the appliance’s cryptographic behavior is the same as it was in DataPower firmware before 6.0.1.0. Various algorithms that are banned in FIPS 140-2 are still supported in this mode.
FIPS 140-2 Level 1: FIPS 140-2 is a US government computer security standard that is used to accredit cryptographic modules. In this mode, the main task of the DataPower firmware does all of its cryptography by using a cryptographic software module that is validated to FIPS 140-2 Level 1. The alternative is to go through the NIST publication and attempt to configure to compliance manually. Of course, this approach is more likely to result in human error, and should be tested more carefully after implementation.
TIP—FIPS 140-2 Security Levels
The FIPS 140-2 standard covers the security requirements for cryptographic modules: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf
There are 4 increasing security levels defined (1–4) for cryptographic modules. Levels 1 through 3 are applicable to DataPower appliances in their various form factors.
Level 1 – Provides the lowest level of security for a cryptographic module, meaning that at least one approved algorithm or approved security function will be used. Both DataPower physical and Virtual Edition form factors have the capability to meet this specification.
Level 2 – Requires that tamper-evident features be employed such as a tamper-proof case, tamper-evident coatings, and pick-resistant locks. The DataPower physical form factor meets this requirement. Note: DataPower Virtual Edition does not meet this requirement, as this is dependent on the hardware on which the Virtual Edition is installed.
Level 3 – Requires a tamper-evident physical security mechanism, such as a Hardware Security Module (HSM). Note: as of firmware version 7.2.x, only the physical DataPower form factor offers this HSM protection. Firmware version 7.5.x supports a network HSM for both physical and virtual appliances.
Configuration
In order for DataPower to operate in the most secure cryptographic mode in any form factor, e.g. appliance, virtual, cloud, etc., type Crypto Tools in the WebGUI search bar → Crypto Tools → Set Cryptographic Mode → FIPS 140-2 Level 1 → Set Cryptographic Mode button. This configuration is shown in Figure 2-21.
Figure 2-21 Setting FIPS 140-2 Level 1 cryptographic mode.
The appliance is now set to use the FIPS 140-2 Level 1 algorithms and key lengths; however, you must reload the firmware for these changes to take effect. To accomplish this, in the default domain → Control Panel → System Control → Shutdown → Reload Firmware → Shutdown button. This configuration is shown in Figure 2-22. The appliance will reload the firmware without shutting the appliance down.
Figure 2-22 Reload appliance firmware.
WARNING—Operating in FIPS 140-2 Level 1 Mode
When you set the mode to FIPS 140-2 Level 1 mode, you must understand the following:
FIPS 140-2 Level 1 mode removes support in the firmware’s main task for MD2, MD4, MD5, RIPEMD160, single DES, RC2, RC4, Blowfish, and CAST because these algorithms are prohibited by the corresponding specification. These algorithms are only available in the firmware’s main task in permissive mode.
FIPS 140-2 Level 1 mode prohibits the use of public keys smaller than 1024 bits.
FIPS 140-2 Level 1 mode requires that the firmware’s main task use a pseudorandom number generator compliant with NIST SP 800-131a and FIPS 140-2.
Any cryptographic hardware cards that are not validated to FIPS 140-2 will have their RSA functionality disabled when the appliance is in FIPS 140-2 Level 1 mode.
In addition, RADIUS authentication is disabled as it requires use of MD5. Kerberos support is also disabled as it may require the use of MD4, MD5, DES, or RC.
For additional detail, see: https://ibm.biz/Bd48AS
If you are using an HSM, in order to configure the appliance for FIPS 140-2 Level 3 mode, use the Command Line Interface (CLI). Enter Crypto Configuration mode by typing “configure terminal” then “crypto”. Next, issue the “hsm-reinit” command with appropriate parameters for your organization’s requirements and follow the resulting prompts. Finally, reboot the appliance by issuing the “shutdown reboot” command.
TIP—hsm-reinit Command
From the DataPower Knowledge Center, search for the “hsm-reinit” command to determine parameter values applicable to your organization. Selection of the most appropriate parameters may involve consultation with your organization’s Security/Information Assurance Officer.
Configuring the appliance for FIPS 140-2 Level 3 mode requires that the appliance have access to a Hardware Security Module (HSM). From the CLI, issue the “show features” command in order to determine your appliance’s support for an HSM.
Testing Tips
To ensure that the change has taken place and the appliance is in FIPS 140-2 Level 1 mode, in the WebGUI search bar enter crypto → select Cryptographic Mode Status. This configuration is shown in Figure 2-23.
Figure 2-23 Viewing Cryptographic mode.
This shows the target cryptographic mode, the current cryptographic mode, and the target cryptographic mode after the next firmware reload.
To confirm FIPS 140-2 Level 3 mode, log in to the CLI using a privileged account and enter “show crypto-engine”. Confirm “Crypto Accelerator Type” is “hsm2”; confirm “Crypto Accelerator Status” is “fully operational”; finally, confirm “Crypto Accelerator FIPS 140-2 Level” is “3”.
TIP—Warning, Will Robinson!!
Normally, the target cryptographic mode is the same as the current cryptographic mode. If they do not match, a log message is displayed in the system logs to indicate the reason. The reason might be that you set the mode to FIPS 140-2 Level 1 mode but the password file still contained MD5 Crypt entries that are not allowed in FIPS 140-2 Level 1 mode. When this happens, the next firmware reload results in a target mode of FIPS 140-2 Level 1 but the current mode remains at permissive.
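The WARNING and the TIP above describe three things that will bite after the firmware reload: algorithms that disappear from the main task, public keys below 1024 bits, and MD5 Crypt password entries that leave the current mode at permissive. The pre-flight review below is an added example, not code from the book or an IBM tool. It applies those three rules to constructed input; the input shapes (a list of configured algorithm names, (key name, bits) pairs, and password-file lines in the modular-crypt format where $1$ marks MD5-crypt and $5$ marks sha256crypt) are assumptions made for the example, since the appliance's real files are not reproduced on this page.

```python
"""Pre-flight review before switching an appliance to FIPS 140-2 Level 1.

Added example, not part of the book and not a DataPower tool. The rules come
from the WARNING and TIP above. Input formats are assumptions for the example.
"""
import re
from typing import Dict, List, Sequence, Tuple

# Algorithms the WARNING lists as removed from the main task in FIPS mode.
# Only single DES is listed there, so "3DES" is intentionally not in the set.
FIPS_REMOVED_ALGORITHMS = {
    "MD2", "MD4", "MD5", "RIPEMD160", "DES", "RC2", "RC4", "BLOWFISH", "CAST",
}
FIPS_MIN_PUBLIC_KEY_BITS = 1024

# Modular-crypt prefix $1$ is MD5-crypt; $5$ is sha256crypt, the hash the
# password policy section recommends. Assumed layout: "user:$id$salt$hash".
_MD5_CRYPT_ENTRY = re.compile(r"^([^:]+):\$1\$")


def check_algorithms(configured: Sequence[str]) -> List[str]:
    """Configured algorithm names that FIPS mode will no longer offer."""
    return sorted({a for a in configured if a.upper() in FIPS_REMOVED_ALGORITHMS})


def check_key_sizes(keys: Sequence[Tuple[str, int]]) -> List[str]:
    """Key object names whose public key is below the FIPS minimum."""
    return [name for name, bits in keys if bits < FIPS_MIN_PUBLIC_KEY_BITS]


def check_password_hashes(passwd_lines: Sequence[str]) -> List[str]:
    """Usernames still stored with MD5-crypt, which blocks the mode change."""
    hits = []
    for line in passwd_lines:
        m = _MD5_CRYPT_ENTRY.match(line.strip())
        if m:
            hits.append(m.group(1))
    return hits


def fips_preflight(configured_algorithms: Sequence[str],
                   keys: Sequence[Tuple[str, int]],
                   passwd_lines: Sequence[str]) -> Dict[str, List[str]]:
    """Collect all findings; an empty dict means nothing found blocks the switch."""
    findings = {
        "algorithms_removed_in_fips_mode": check_algorithms(configured_algorithms),
        "public_keys_below_1024_bits": check_key_sizes(keys),
        "md5_crypt_password_entries": check_password_hashes(passwd_lines),
    }
    return {k: v for k, v in findings.items() if v}


# Constructed sample input for the example (not taken from any appliance).
SAMPLE_ALGORITHMS = ["AES-256-CBC", "SHA256", "RC4", "MD5", "3DES"]
SAMPLE_KEYS = [("gateway-key", 2048), ("legacy-partner-key", 512)]
SAMPLE_PASSWD = [
    "admin:$5$saltsalt$examplehash",    # sha256crypt: acceptable
    "auditor:$1$saltsalt$examplehash",  # MD5-crypt: rehash before switching
]

if __name__ == "__main__":
    for finding, items in fips_preflight(SAMPLE_ALGORITHMS, SAMPLE_KEYS, SAMPLE_PASSWD).items():
        print(f"{finding}: {', '.join(items)}")
```

Run it against an export of the current configuration before the reload rather than after; the TIP describes what it looks like when this check is skipped.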
2.19 PKI Certificate Authentication for Admin Users
Rationale
As part of any login process, authenticated access to a network device requires an approved and assigned individual account identifier. While account IDs and passwords are commonly used to secure access to servers, network devices, and DataPower appliances, enterprises are increasingly moving away from the use of IDs and passwords due to their inherent security limitations. The use of smart cards and/or soft certificates is gaining popularity as providing a more secure means of identifying administrative users. These are based on embedded PKI certificates. To ensure that only the assigned individual is using the account, the user must be bound to a trusted, CA-signed user certificate when PKI-based authentication is implemented.
DataPower’s Role-Based Management (RBM) authentication policy can be configured to use a Validation Credential (ValCred) object that acts as a trust store to include multiple “trusted third party” certificate objects (see Section 3.7, “Define Crypto Validation Credentials and Certificate Revocation Policy”). When a user attempts to log in to DataPower, the ValCred will ensure that, in addition to a user id and password, the user’s SSL certificate will be confirmed as coming from a trusted certificate authority.
Trusted parties can have their certificates uploaded to a DataPower Validation Credential (trust store) object. As part of the login process, the validation credential is used to authenticate trusted user certificates during the SSL handshake.
Configuration
After the Validation Credential has been loaded with the appropriate certificate, in the WebGUI search bar, go to RBM → RBM Settings → Authentication. Select the appropriate validation credential from the Validation Credentials drop down. This configuration is shown in Figure 2-24.
Figure 2-24 User Certificate Credential.
TIP—Enhanced PKI-Based Authentication
The user certificate presented from the SSL/TLS connection will be used to authenticate the user. While this approach is superior to using only IDs and passwords, many organizations implement additional processing steps such as lookup of the user (based on the Subject DN in the certificate) in an LDAP directory, as well as retrieving group information. These additional processing steps may be configured by changing the “Authentication method” to “LDAP” or “custom” and are shown in Section 2.20, “Configure Multifactor Authentication for Network Access to Non-Privileged Accounts.”
Testing Tips
Create a “trusted” certificate (either CA or self-signed) and add it to a Validation Credential object. Using an existing user account, attempt to log in to DataPower with a browser that has added the “trusted” certificate. Ensure that this cert has been added to the Validation Credential as a “trusted” CA. The user should be able to log in successfully.
Create a second certificate but do not add it to the RBM Validation Credential. Add this certificate to your browser for this test. An attempt to log in with this certificate should fail.
2.20 Configure Multifactor Authentication for Network Access to Non-Privileged Accounts
Rationale
It is frequently a requirement that non-privileged users must use multifactor authentication in order to assure accountability and prevent unauthenticated access.
Multifactor authentication uses two or more factors to achieve authentication. Factors can include: something you know (password/PIN), something you have (cryptographic identification device, token), and something you are (biometric characteristics).
Authenticating with a smart card’s authentication certificate, then entering the associated PIN is an example of multifactor authentication. When used in relation to DataPower, that certificate can be used to negotiate an HTTPS connection to the appliance. The certificate presented to DataPower could also be a “soft certificate” embedded in a browser or application on a desktop, laptop, or mobile device.
Configuration
The configuration described here will require multifactor authentication before a user is allowed to log on to the DataPower WebGUI. Authentication for the user will be defined using the appliance’s Role Based Management (RBM) feature. The user’s ID and PWD will be authenticated using an authentication server, e.g., LDAP/AD. Mutual authentication will be configured for the connection between DataPower and the client.
To configure RBM authentication for the user, first assign the user to a single user group possessing the desired access profile. Then, use the WebGUI to go to Administration → Access → RBM Settings. On the Authentication tab, specify a “custom” Authentication method. A custom URL must then be entered pointing to either an XSL stylesheet or GatewayScript file residing on the appliance. The XSL/GatewayScript will receive an XML node at runtime. This node will contain the user’s ID and PWD—as submitted via the user’s WebGUI login page. The script must then authenticate the ID and PWD credentials using an authentication server.
For mutual authentication, DataPower’s WebGUI interface must be configured to require a client-supplied digital certificate. DataPower must also provide its own identification credentials. These two objectives are accomplished as follows:
Using the WebGUI go to Network → Management → Web Management Service. On the Advanced tab, specify “Server Profile” as the Custom SSL Server type.
Figure 2-25 Web Management Service SSL Server Profile.
Add a Custom SSL server profile. Name it. Configure Identification credentials for the appliance. Turn on “Request client authentication” then configure validation credentials for the client specifying “on” for both “Use CRL” and “Require CRL.” CRL retrieval is configured via Objects → Crypto Configuration → CRL Retrieval. On the “CRL Update Policy” tab, configure CRL retrieval policies. Detailed information on these definitions may be found in Section 3.7, “Define Crypto Validation Credentials and Certificate Revocation Policy.”
Testing Tips
Go to the Troubleshooting Panel. Set the log level to “debug.” This will produce detailed trace information. Confirm that the user’s identity/attributes, Distinguished Name (DN), and DataPower group membership are stored in the configured authentication server. Confirm that the user has access to their digital certificate via a security card reader connected to a laptop/desktop computer.
For the test, the user inserts their card and enters their PIN, then opens a browser and navigates to the DataPower WebGUI. The user provides DataPower with their assigned ID and password. If the user does not gain access to the DataPower appliance, review the DataPower log to examine the details of this connection process.
2.21 Enforcing Administrative User Privileges
Rationale
DataPower appliances will typically have different types of user groups, each with different levels of administrative authority. These different groups should have their permissions defined and enforced in such a manner that there is clear accountability for the execution of administrative functions compliant with the organization’s governance process.
Configuration
The DataPower functions available to a given user are defined via permissions at the group level, with users being assigned to groups. There are several components to be configured in order to define and enforce group permissions.
First, groups are created and permissions are defined. To configure a user group, go to Administration → Access → User Group in the WebGUI menu and click the “Add” button.
Figure 2-26 Configuring a User Group.
Provide a group name and applicable comments. Group permissions are defined by adding one, or more, Access profiles. The default access profile allows for read-only access via all network interfaces, for all objects in all application domains. To view the details of the Access profile, click on the Access profile definition (e.g. “*/*/*?Access=r”). This will populate the definition into an editable field.
Figure 2-27 View an Access profile.
Click the Build button to see the full profile definition.
Figure 2-28 Editing an Access profile.
Make appropriate changes in order to define the desired access profile, then click Save. The string representation of the Access profile will be populated into the editable field. Click Add to add the definition to the User Group. Add additional Access profiles as required for the group definition.
TIP—User Group Permission Granularity
Generally, keep your user group permissions as coarse-grained as possible, without compromising security. Getting too fine-grained with permissions consumes a lot of time to define and test.
TIP—Access Profile Precedence
As the user is accessing the DataPower user interface, DataPower continually evaluates the Access profiles that are configured for their User Group. If multiple Access profiles are configured with different permissions for the same object, DataPower will make use of the most restrictive of the Access profile definitions.
Second, define how user accounts will be authenticated. See Section 2.7, “External Admin Authenticators” for a discussion of how to configure RBM to make use of a remote LDAP directory.
Third, configure Credential Mapping. If using local users and groups, then the default settings are applicable. It is also possible, however, to define group permissions using an externalized XML file—the AAA Information file. Within the AAA Information File, you can provide user group permissions, and mappings of local credentials to LDAP group names. If user accounts are authenticated via LDAP, then their assigned DataPower Groups are also, normally, stored in LDAP. To configure this, click on the Credential-mapping tab on the RBM Settings page.
TIP—AAA Information File
For more information on the AAA Information File format, search the DataPower Knowledge Center for “aaainfo”. The schema for this file is located in the store:///AAAInfo.xsd schema file and a sample AAAInfo file can be found in store:///AAAInfo.xml.
As RBM settings are configured in the default domain, the AAA info file will most commonly be stored in the “local:” directory of the default domain.
To search an LDAP directory for the user group, select the On radio button for “Search LDAP for group name,” and provide the LDAP server information.
Figure 2-29 Configuring LDAP Search for the user’s Group name.
Testing Tips
Log in to the device as an administrator/privileged user, in the default domain. Confirm that user groups are set up with appropriate permissions (go to Administration → Access → User Group in the WebGUI menu). Next, confirm that user Authentication and Credential Mapping are properly configured in the RBM settings (go to Administration → Access → RBM Settings in the WebGUI menu). Finally, log out and log in again using a previously configured test user account. Confirm that user group permissions (either defined as a local user group, or in the AAA Info file) are being enforced as expected.
TIP—Build and Test Your Permissions Policies Incrementally
Build your local user groups and permissions using locally defined user accounts. Get them working as expected before configuring Role Based Management (RBM) to get group membership from an LDAP directory. This will dramatically simplify the process of setting up and testing group permissions.
Add permissions to a group, one at a time (or just a few) then test the group permissions by logging in with a test user account to make sure you achieved the result you expected.
2.22 Customizing Login and Logout Messages
Rationale
It is frequently necessary to display consent information during the login process, making the user aware that their use of the DataPower appliance is subject to the organization’s security policies and procedures. It is also desirable to present the user with a post-logout message so that a management session is not inadvertently left unterminated.
Notification that the user must consent to the policy should be displayed at both the WebGUI login as well as the CLI login.
Configuration
First, configure a User Interface Customization file. This file must be stored in either the local: or store: directory of the default domain and must be compliant with the store:///schemas/dp-user-interface.xsd schema.
TIP—Logout Messages and Session Timeout
For the logout messages, it will also be necessary to configure an appropriate session timeout as described in Section 2.1, “User Interface Idle Timeouts and Cached Admin Credentials.”
TIP—User Interface Customization Documentation
Search the DataPower Knowledge Center for “User interface customization” (this can also be found under the “Administration” documentation section via the menu tree). The documentation also includes a sample template that can be used as the starting point for your custom template. See the Knowledge Center (https://ibm.biz/Bd4wpJ) for the most recent version of this template.
Copy the sample template from the DataPower Knowledge Center to a local file and open the file in a text editor. A copy of the template from the DataPower 7.2 Knowledge Center is shown in the following listing.
Listing 2-2 User Interface Customization Template.
<User-Interface
    xmlns="http://www.datapower.com/schemas/user-interface/1.0">
  <!-- Markup for the prompt extension to command line interface -->
  <CustomPrompt>%s</CustomPrompt>
  <!-- Markup for custom messages for the WebGUI interface -->
  <MarkupBanner type="pre-login" foreground-color="red" background-color="blue">
    WebGUI pre-login message
  </MarkupBanner>
  <MarkupBanner type="post-login" foreground-color="blue" background-color="yellow">
    WebGUI post-login popup message
  </MarkupBanner>
  <MarkupBanner type="system-banner" location="header" foreground-color="green"
      background-color="red">
    WebGUI system message - header
  </MarkupBanner>
  <MarkupBanner type="system-banner" location="footer" foreground-color="blue"
      background-color="yellow">
    WebGUI system message - footer
  </MarkupBanner>
  <!-- If the following markup was outside of comments, the file would not
       conform to the schema. Cannot define multiple system messages as the header or footer.
  <MarkupBanner type="system-banner">
    WebGUI system message - header and footer
  </MarkupBanner>
  -->
  <!-- Markup for custom messages for the command line interface -->
  <TextBanner type="pre-login">
    Command line pre-login message
  </TextBanner>
  <TextBanner type="post-login">
    Command line post-login message
  </TextBanner>
  <TextBanner type="system-banner">
    Command line system message
  </TextBanner>
</User-Interface>
The two most commonly updated elements are the MarkupBanner for pre-login and the TextBanner for pre-login.
TIP—Uses for the Custom User Interface File
This file can be used to provide useful custom interface displays for pre-login and post-login. It can also provide a system-banner that displays on each WebGUI screen. For the format of this file, see: https://ibm.biz/Bd4pkE
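The template's own comment records the constraint that trips people up when editing it: a WebGUI system-banner cannot be defined without a location once header or footer banners exist. The linter below is an added example, not code from the book or from IBM, and it does not replace validation against store:///schemas/dp-user-interface.xsd, which the appliance performs on upload. It checks what can be derived from the template above (the namespace, the three banner types, the header/footer rule, and non-empty banner text) against an embedded copy of the template and a deliberately broken variant. The expectation that TextBanner and MarkupBanner share the same three type values is taken from the template; the schema may allow more than the checks here assume.

```python
"""Lint a DataPower User Interface Customization file before uploading it.

Added example; not from the book or from IBM, and not a substitute for the
appliance's own schema validation. Rules are derived from the template above.
"""
import xml.etree.ElementTree as ET
from typing import List

UI_NS = "http://www.datapower.com/schemas/user-interface/1.0"
BANNER_TYPES = {"pre-login", "post-login", "system-banner"}  # as used in the template
LOCATIONS = {"header", "footer"}


def _tag(local_name: str) -> str:
    return f"{{{UI_NS}}}{local_name}"


def lint_ui_customization(xml_text: str) -> List[str]:
    """Return a list of problems; an empty list means every check passed."""
    problems: List[str] = []
    root = ET.fromstring(xml_text)  # comments are dropped by the default parser
    if root.tag != _tag("User-Interface"):
        return [f"root element is {root.tag!r}, expected User-Interface in {UI_NS}"]

    for kind in ("MarkupBanner", "TextBanner"):
        banners = root.findall(_tag(kind))
        for banner in banners:
            if banner.get("type") not in BANNER_TYPES:
                problems.append(f"{kind} has unknown type {banner.get('type')!r}")
            if not (banner.text or "").strip():
                problems.append(f"{kind} type={banner.get('type')!r} has empty text")
        if kind != "MarkupBanner":
            continue
        # The template's comment: one system message per header/footer location,
        # and no location-less system message alongside them.
        system = [b for b in banners if b.get("type") == "system-banner"]
        located = [b.get("location") for b in system if b.get("location")]
        unlocated = [b for b in system if not b.get("location")]
        for loc in set(located):
            if loc not in LOCATIONS:
                problems.append(f"system-banner location {loc!r} is not header or footer")
            if located.count(loc) > 1:
                problems.append(f"more than one system-banner for location {loc!r}")
        if unlocated and located:
            problems.append("system-banner without location conflicts with header/footer system-banners")
        if len(unlocated) > 1:
            problems.append("more than one system-banner without location")
    return problems


# Constructed sample: the Knowledge Center template with its commented-out block omitted.
SAMPLE_TEMPLATE = """<User-Interface xmlns="http://www.datapower.com/schemas/user-interface/1.0">
  <CustomPrompt>%s</CustomPrompt>
  <MarkupBanner type="pre-login" foreground-color="red" background-color="blue">
    WebGUI pre-login message
  </MarkupBanner>
  <MarkupBanner type="post-login" foreground-color="blue" background-color="yellow">
    WebGUI post-login popup message
  </MarkupBanner>
  <MarkupBanner type="system-banner" location="header" foreground-color="green" background-color="red">
    WebGUI system message - header
  </MarkupBanner>
  <MarkupBanner type="system-banner" location="footer" foreground-color="blue" background-color="yellow">
    WebGUI system message - footer
  </MarkupBanner>
  <TextBanner type="pre-login">Command line pre-login message</TextBanner>
  <TextBanner type="post-login">Command line post-login message</TextBanner>
  <TextBanner type="system-banner">Command line system message</TextBanner>
</User-Interface>
"""

# The same file with the template's commented-out banner made live.
SAMPLE_WITH_CONFLICT = SAMPLE_TEMPLATE.replace(
    "</User-Interface>",
    '  <MarkupBanner type="system-banner">WebGUI system message - header and footer</MarkupBanner>\n'
    "</User-Interface>")

if __name__ == "__main__":
    for name, text in (("template", SAMPLE_TEMPLATE), ("conflict", SAMPLE_WITH_CONFLICT)):
        print(name, "->", lint_ui_customization(text) or "ok")
```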
To configure the User Interface to make use of the UI customization file, go to Administration → Device → System Settings and scroll to the bottom of the page. Use the Upload… tool to upload the file to the local: directory of the default domain.
Figure 2-30 Configuring System Settings to use a custom user interface file.
Apply your changes, save the configuration and log out. You should see your WebGUI pre-login message displayed on the login form.
Figure 2-31 WebGUI login form with pre-login message displayed.
Figure 2-32 CLI login prompt with pre-login message displayed.
Testing Tips
In order to confirm the custom UI’s appearance, log in to both the WebGUI and CLI. To confirm log out of a web session and an SSH command line session, log out of each session. Upon logout from the WebGUI, the DataPower appliance should display your custom WebGUI login page, including your organization’s usage message.
2.23 Capturing System Event Data with Log Targets
Rationale
Organizations will frequently wish to generate a consistent set of system-level logging events, independent of processing for any specific type of message processing. Examples of these types of system events include certificate expiration, appliance reboot, and modifications to the Role-Based Management configuration.
Configuration
Access the default domain as a user with appropriate administrative permissions. To add a log target, go to Objects → Logging Configuration → Log Target and click Add. Provide a log target name and configure the type of log target that you want to create, e.g. File, Syslog, etc.
Figure 2-33 Sample Local Log Target Configuration.
Next, configure the various filters and subscription events that you want to capture in your log target. For example, a common Event Subscription Filter includes the events in the following listing.
Listing 2-3 Commonly logged events.
0x00330002 (Memory full)
0x00340017 (Service removed from port)
0x00350016 (Service installed on port)
0x00360026 (Domain is down)
0x00530001 (Network error)
0x01a30002 (Restart due to low memory)
0x01a30015 (Out of memory)
0x01b20002 (HSM is uninitialized)
0x01b6000c (Certificate is about to expire)
0x02220004 (System battery missing.)
0x02220005 (System battery failed.)
0x02220006 (Power supply AC is not connected)
0x02240002 (Internal cooling fan has slowed)
0x02b30002 (DNS lookup failed.)
0x02c30005 (Maximum number of failed logins.)
0x02c30008 (Lockout due to number of failed logins)
0x02c60002 (Configuration added)
0x02c60003 (Configuration deleted)
0x02c60004 (Password changed)
0x03120015 (Insufficient disk space on RAID volume)
0x03130040 (Unauthorized inbound message)
In addition to Event Filters, it is also common to configure Event Subscriptions. For example, all Event Categories at an Error level, and above, as well as all Audit events at an info level and above.
Figure 2-34 Sample Event Subscriptions.
TIP—Selecting Events to be Filtered
In order to fine-tune your Event Filters and Subscriptions, configure your log target as type “file” first, before sending logging off of the appliance.
Testing Tips
Your log target can be tested by generating test log events using the Generate Log Event tool on the Troubleshooting Panel then checking the log target endpoint (e.g. file) to confirm that the event was logged as expected.
2.24 Restricting Access to a Specific Log Target
Rationale
Information System Security Managers (ISSM) may wish to control what types of system events are logged as part of the “common set of system events” as defined for the enterprise/program as a whole.
Configuration
Given an existing log target that is configured with the ISSM’s desired event filters and subscriptions (e.g. ISSMLogTarget), create a User Group (e.g. ISSMUsers) that is granted access to that target. Go to Administration → Access → User Group in the WebGUI menu and click the Add button. Update the name field (e.g. ISSMUsers) and add the following Access profiles.
Listing 2-4 ISSM User Group Access Profile for the ISSM Log Target.
*/*/*?Access=r
*/default/logging/target?Name=ISSMLogTarget&Access=r+w+a+d+x
These access profiles provide group members with read-only access to all application domains and full permissions on the log target named ISSMLogTarget. Alternatively, these ISSMLogTarget Access profiles could be added to another, pre-existing user group to which ISSM users already belong.
Finally, modify all other user groups such that other users are limited to read-only access to the ISSM log target. Add the following access profile to the non-ISSM user groups.
Listing 2-5 Non-ISSM User Group Access Profile for the ISSM Log Target.
*/default/logging/target?Name=ISSMLogTarget&Access=r
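Listings 2-1, 2-4 and 2-5 all use the same Access profile syntax, address/domain/resource-type?Name=...&Access=..., where Access is either NONE or a plus-separated subset of r, w, a, d and x. The parser below is an added example, not the book's code and not the appliance's RBM engine: it splits a profile into its parts, glob-matches a group's profiles against a management address, domain, resource type and object name, and reports the permission set each matching profile grants. It deliberately does not decide which matching profile wins; the appliance applies its own precedence rule (see the TIP in Section 2.21). The management address 10.0.0.5 and the group names are constructed for the example.

```python
"""Parse RBM Access profile strings and list the ones that match an object.

Added example; not the book's code and not the appliance's RBM engine.
Profile syntax follows Listings 2-1, 2-4 and 2-5 above.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, List, Optional, Sequence

PERMISSIONS = {"r", "w", "a", "d", "x"}


@dataclass(frozen=True)
class AccessProfile:
    address: str
    domain: str
    resource: str          # may itself contain a slash, e.g. "logging/target"
    name: str              # object name pattern; "*" when no Name= is given
    access: Optional[FrozenSet[str]]  # None when the profile carries no Access= part
    text: str


def parse_access_profile(text: str) -> AccessProfile:
    """Split "address/domain/resource?Name=X&Access=r+w" into its components."""
    path, _, query = text.partition("?")
    parts = path.split("/", 2)  # resource type keeps any further slashes
    if len(parts) != 3:
        raise ValueError(f"expected address/domain/resource, got {text!r}")
    address, domain, resource = parts
    # Do not use urllib.parse here: it would turn the '+' separators into spaces.
    params = {}
    for kv in query.split("&"):
        if kv:
            key, _, value = kv.partition("=")
            params[key] = value
    name = params.get("Name", "*")
    access: Optional[FrozenSet[str]] = None
    if "Access" in params:
        raw = params["Access"]
        if raw.upper() == "NONE":
            access = frozenset()
        else:
            perms = set(raw.split("+"))
            unknown = perms - PERMISSIONS
            if unknown:
                raise ValueError(f"unknown permission(s) {sorted(unknown)} in {text!r}")
            access = frozenset(perms)
    return AccessProfile(address, domain, resource, name, access, text)


def matching_profiles(profiles: Sequence[AccessProfile], address: str, domain: str,
                      resource: str, name: str) -> List[AccessProfile]:
    """Every profile whose four glob patterns all match the object; order preserved."""
    return [p for p in profiles
            if fnmatchcase(address, p.address) and fnmatchcase(domain, p.domain)
            and fnmatchcase(resource, p.resource) and fnmatchcase(name, p.name)]


# Constructed groups built from the listings above.
ISSM_USERS = [parse_access_profile(s) for s in (
    "*/*/*?Access=r",
    "*/default/logging/target?Name=ISSMLogTarget&Access=r+w+a+d+x",
)]
NON_ISSM_USERS = [parse_access_profile(s) for s in (
    "*/*/*?Access=r",
    "*/default/logging/target?Name=ISSMLogTarget&Access=r",
)]

if __name__ == "__main__":
    for label, group in (("ISSMUsers", ISSM_USERS), ("Developers", NON_ISSM_USERS)):
        hits = matching_profiles(group, "10.0.0.5", "default", "logging/target", "ISSMLogTarget")
        for p in hits:
            print(label, p.text, "->", sorted(p.access) if p.access is not None else "unspecified")
```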
Next, confirm that Role-Based Management (RBM) is configured to enforce user-group permissions appropriate for ISSM users. To review RBM settings, go to Administration → Access → RBM Settings in the WebGUI menu. Review the settings in each tab.
Testing Tips
Log in to the DataPower appliance as a user that should be part of the ISSM user group and confirm that the user has change access to the ISSM log target. Conversely, log in as a user that should not have change permissions for the ISSM log target. Confirm that the user has only read permissions on the log target configuration.
TIP—Use Local User Accounts and Groups to Simplify Access Profile Configuration
Use of local login accounts mapped to local user groups simplifies the development and testing process for user groups and related access profiles. This can readily be accomplished using an instance of DataPower Virtual Edition specifically designated for RBM configuration/testing. This virtual instance can then be shut down when not in use, so that the product license can be used for other virtual instances.
2.25 Notifications for Logging Failure
Rationale
DataPower system event logging commonly takes place by sending log output either to the local file system or, for a production system, by streaming the log events to a remote logging system such as a syslog server. Operations staff must be notified in the event of a logging failure. Because the alarm path (SNMP) is independent of the log target that failed, the notification still reaches operations when the log target itself is the broken component.
Configuration
Access the default domain as a user with appropriate administrative permissions. Configure SNMP Monitoring as described in Section 2.4, "Send Immediate Threat Alarms." Configure "Trap Event Subscriptions" to capture events commonly associated with system resources (e.g., available disk space, I/O errors). Add the following Event Filters to trap such events.
Listing 2-6 System resource events that can disrupt event logging
0x00330034 (Low audit disk space)
0x01a40001 (Throttling connections due to low memory)
0x01a30002 (Restart due to low memory)
0x01a30003 (Restart due to resource shortage timeout)
0x01a40005 (Throttling connections due to low temporary file space)
0x01a30006 (Restart due to low temporary file space)
0x01a30014 (I/O error)
0x01a30015 (Out of memory)
0x01a30017 (Restart due to low file descriptor)
TIP—Event Codes
You can see a listing of all event codes by going to Administration → Debug → View List of Event Codes.
Also, between firmware versions, new event codes may be added. It is advisable to periodically review the list of event codes to determine whether any new events have been added to DataPower that should be included in the Event Filter configuration for your notification log target. Visit https://ibm.biz/Bd48xW for an up-to-date list of log messages, event codes, and audit events.
Testing Tips
Generate test messages using the Generate Log Event tool on the Troubleshooting panel. Confirm that log events are processed by the log target, as expected.
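The following is an added example, not code from the book or from the appliance: it runs detection logic for the Listing 2-6 event codes over a handful of constructed log lines, so that the same codes an SNMP trap subscription would match can be exercised off-box (for instance against an archived syslog file). The log line layout is an approximation, not the exact DataPower format; only the bracketed 0x........ event code is keyed on, and the non-matching codes in the sample are placeholders.

```python
"""Flag resource-exhaustion events that threaten logging (added example)."""
import re

# Listing 2-6 event codes (hex code -> description).
RESOURCE_EVENTS = {
    "0x00330034": "Low audit disk space",
    "0x01a40001": "Throttling connections due to low memory",
    "0x01a30002": "Restart due to low memory",
    "0x01a30003": "Restart due to resource shortage timeout",
    "0x01a40005": "Throttling connections due to low temporary file space",
    "0x01a30006": "Restart due to low temporary file space",
    "0x01a30014": "I/O error",
    "0x01a30015": "Out of memory",
    "0x01a30017": "Restart due to low file descriptor",
}

# Events that mean the appliance is about to lose state: page immediately.
# (Severity split is this example's choice, not an appliance setting.)
CRITICAL_PREFIXES = ("Restart", "Out of memory", "I/O error")

EVENT_CODE = re.compile(r"\[(0x[0-9a-fA-F]{8})\]")


def classify(code):
    """Return 'critical', 'warning', or None for an event code."""
    description = RESOURCE_EVENTS.get(code.lower())
    if description is None:
        return None
    return "critical" if description.startswith(CRITICAL_PREFIXES) else "warning"


def scan(lines):
    """Return (severity, code, description, line) for every matching line."""
    alerts = []
    for line in lines:
        match = EVENT_CODE.search(line)
        if not match:
            continue
        code = match.group(1).lower()
        severity = classify(code)
        if severity:
            alerts.append((severity, code, RESOURCE_EVENTS[code], line.strip()))
    return alerts


# Constructed sample log lines; 0x0ff0.... codes are placeholders, not real events.
SAMPLE_LOG = """\
20160301T101502Z [0x0ff00001][system][notice] log target 'syslog-prod' connected
20160301T101640Z [0x01a40001][system][warn] Throttling connections due to low memory
20160301T101701Z [0x00330034][audit][warn] Low audit disk space
20160301T101744Z [0x0ff00002][mpgw][info] transaction 12345 completed
20160301T101800Z [0x01a30015][system][error] Out of memory
""".splitlines()


if __name__ == "__main__":
    for severity, code, description, _ in scan(SAMPLE_LOG):
        print(f"{severity.upper():8} {code} {description}")
```

When a new firmware release adds event codes, extend RESOURCE_EVENTS from the list linked in the TIP above; anything the scanner does not know is silently ignored, which is exactly the gap the periodic review is meant to close.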
2.26 Configuring Off-Appliance Logging
Rationale
It is a common practice to store log data for DataPower appliances on remote systems, such as a syslog server, in order to consolidate log information from multiple systems, as well as to provide centralized mechanisms for backup and management of log data.
Configuration
Access the default domain as a user with appropriate administrative permissions. To add a log target, go to Objects → Logging Configuration → Log Target and click Add. Provide a log target name and configure the type of log target that you want to create. For remote logging, a common option is to use syslog. Syslog uses the UDP protocol by default and is an exceptionally efficient means of sending log data to remote logging systems. A TCP version is also available. Keep in mind that UDP syslog offers neither delivery guarantees nor confidentiality: a dropped datagram is lost silently and the content crosses the network in clear text. For production audit records, prefer the TCP variant, protected with TLS where the firmware and the collector support it.
Figure 2-35 Sample Remote Log Target Configuration.
Next, configure the filters and subscription events that you want to capture at your log target. As previously stated, the Event Filter for common logging events will, in many cases, be the same as the one used for local logging purposes. Local logging is often configured to duplicate remote logging in order to provide a measure of redundancy in the event that remote logging is not available (e.g., network issues, or issues with the central remote logging servers). See Section 2.3, "Capturing System Event Data with Log Targets," for a discussion of logging event selection.
Testing Tips
Your log target can be tested by generating a test log event with the Generate Log Event tool on the Troubleshooting panel, then checking the log target endpoint (e.g., the file or the syslog collector) to confirm that the event was logged as expected.
2.27 Controlling the Default Domain
Rationale
The default domain houses the DataPower Gateway's central configuration, and should be protected against unwanted access.
For example, a DataPower appliance's features and functionality are determined by the specific version of the firmware that is installed and running on the appliance. Thus, the DataPower configuration for proxying and processing various types of requests is dependent on the underlying firmware.
As such, it is desirable to control access to the default domain. In our example, the potential impact on the configuration of the appliance from modifying firmware (upgrading or downgrading) is very disruptive, since it requires an appliance reboot. During a reboot, the appliance is not available for message processing.
This is just one example of many disruptive and damaging acts that can be done (intentionally or unintentionally) by someone who has access to the default domain. If the default domain is not protected from access, it is very common for admin users to make the mistake of changing the configuration there while thinking they are in their application domain.
Configuration
The most direct approach to preventing unauthorized access to the default domain is to restrict access to it. This can be done by adding the following Access profile to the appropriate user groups.
Listing 2-7 Access profile to restrict access to the default domain.
*/default/*?Access=NONE
This Access profile will have the effect of making the default domain inaccessible to users in those groups it is added to. Privileged groups would, on the other hand, be permitted access to the default domain.
TIP—Access to User Group Definitions
Go to Administration → Access → User Group in the WebGUI menu in order to maintain user groups.
A more granular approach would be to explicitly allow access to firmware-related management functions for selected user groups, while blocking such access by other groups. To allow access for privileged user groups, the following Access profiles could be configured.
Listing 2-8 Access profiles to allow firmware maintenance.
*/default/device/boot-delete?Access=r+w+a+d+x
*/default/device/boot-image?Access=r+w+a+d+x
*/default/device/boot-switch?Access=r+w+a+d+x
*/default/device/boot-update?Access=r+w+a+d+x
*/default/device/delete-file?Access=r+w+a+d+x
*/default/device/fetch-file?Access=r+w+a+d+x
*/default/device/initialize-raid-volume-filesystem?Access=r+w+a+d+x
*/default/device/move-file?Access=r+w+a+d+x
*/default/device/shutdown?Access=r+w+a+d+x
*/default/file/image?Access=r+w+a+d+x
In addition to Access profiles, the privileged user groups should be configured with the following CLI command groups.
Figure 2-36 CLI command groups to allow firmware modification.
User groups that are not allowed to modify firmware are configured with the following Access profiles.
Listing 2-9 Access profiles to restrict the ability to modify firmware.
*/default/device/boot-image?Access=r
*/default/device/boot-switch?Access=r
*/default/device/boot-update?Access=r
*/default/device/delete-file?Access=r
*/default/file/image?Access=r
Testing Tips
In order to confirm that your access control configuration is set up properly:
Set up two test user accounts: one that is in a group that is able to update firmware, and another that is not.
Next, log into the appliance's WebGUI as the user who is allowed to upgrade firmware. This user should be able to upload a new firmware file and execute a firmware update. Confirm that this user can also update firmware via the CLI.
Finally, using the account that should not be able to update firmware, confirm that such updates are prohibited in both the WebGUI and the CLI.
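The profile strings in Listings 2-5, 2-7, 2-8 and 2-9 combine: a blanket */default/*?Access=NONE for a group sits alongside more specific entries that re-open individual resources read-only. The example below is added here to make that interaction concrete; it is Python written for this page, not appliance code. It parses profiles in the address/domain/resource?Name=...&Access=... form used in the listings and evaluates them for hypothetical groups. The precedence rule it applies, "the most specific matching profile wins, ties are unioned", is this example's assumption about how the listings are meant to compose, so verify the real behaviour on the appliance as the Testing Tips describe rather than trusting the model.

```python
"""Evaluate RBM-style access profiles for a user group (added example)."""
from fnmatch import fnmatchcase

PERMISSIONS = set("rwadx")


def parse_profile(profile):
    """Split a profile into (path pattern, name pattern, granted permissions)."""
    path, _, query = profile.partition("?")
    params = dict(item.split("=", 1) for item in query.split("&") if item)
    access = params.get("Access", "NONE")
    granted = set() if access.upper() == "NONE" else set(access.split("+"))
    unknown = granted - PERMISSIONS
    if unknown:
        raise ValueError(f"unknown permission(s) {sorted(unknown)} in {profile!r}")
    return path, params.get("Name", "*"), granted


def effective_permissions(profiles, address, domain, resource, name=None):
    """Permissions a group gets on one resource (name=None: unnamed resource)."""
    target = f"{address}/{domain}/{resource}"
    best_rank, best = -1, set()
    for profile in profiles:
        pattern, name_pattern, granted = parse_profile(profile)
        if not fnmatchcase(target, pattern):
            continue
        if name is None:
            if name_pattern != "*":
                continue                      # Name-qualified profiles need a name
        elif not fnmatchcase(name, name_pattern):
            continue
        # Specificity (assumed rule): literal path segments, plus one for a Name.
        rank = sum("*" not in seg for seg in pattern.split("/")) + (name_pattern != "*")
        if rank > best_rank:
            best_rank, best = rank, set(granted)
        elif rank == best_rank:
            best |= granted
    return best


def allowed(profiles, perm, address, domain, resource, name=None):
    return perm in effective_permissions(profiles, address, domain, resource, name)


# Hypothetical groups assembled from the listings in this chapter.
ISSM_GROUP = [
    "*/*/*?Access=r",                                              # read everywhere
    "*/default/logging/target?Name=ISSMLogTarget&Access=r+w+a+d+x",
]
DEVELOPER_GROUP = [
    "*/*/*?Access=r+w+a+d+x",                                      # full rights in app domains
    "*/default/*?Access=NONE",                                     # Listing 2-7
    "*/default/logging/target?Name=ISSMLogTarget&Access=r",        # Listing 2-5
    "*/default/device/boot-image?Access=r",                        # Listing 2-9
    "*/default/device/boot-switch?Access=r",
    "*/default/device/boot-update?Access=r",
    "*/default/device/delete-file?Access=r",
    "*/default/file/image?Access=r",
]
FIRMWARE_ADMIN_GROUP = DEVELOPER_GROUP[:1] + [
    f"*/default/device/{op}?Access=r+w+a+d+x"                      # Listing 2-8
    for op in ("boot-delete", "boot-image", "boot-switch", "boot-update",
               "delete-file", "fetch-file", "initialize-raid-volume-filesystem",
               "move-file", "shutdown")
] + ["*/default/file/image?Access=r+w+a+d+x"]

if __name__ == "__main__":
    for group_name, group in (("developer", DEVELOPER_GROUP), ("firmware", FIRMWARE_ADMIN_GROUP)):
        perms = effective_permissions(group, "10.0.0.5", "default", "device/boot-update")
        print(f"{group_name}: boot-update -> {sorted(perms) or 'NONE'}")
```

Under this model a developer can read the boot-image and boot-update objects (Listing 2-9 is more specific than Listing 2-7) but gets nothing at all on device/shutdown, which only the privileged group re-opens; that is the difference the two test accounts in the Testing Tips should expose.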
Summary
In this chapter, we showed twenty-seven items that can be configured to administratively harden an IBM DataPower Gateway appliance.
In the next chapter, Chapter 3, "Message-Level Hardening," we will show steps that can be taken to lock down message traffic flowing through the DataPower appliance.
Chapter 3 Message-Level Hardening
In this chapter, we will cover message/transaction-level hardening for physical and virtual DataPower appliances.
3.1 Validate Inbound Data
Rationale
Often, when application server performance becomes an issue, message validation is the first thing to be sacrificed. Sometimes, eliminating message validation is intended to be a temporary fix for a slow system, until the real culprit can be found. We have all been in those stressful situations during peak times, when the production system has slowed to a crawl, executives are demanding remediation, and jobs are on the line. Most times, the "fix" becomes permanent, and message validation is never turned back on. This results in a serious security vulnerability. Some of the most common attacks today, such as injection, are enabled by such message compromises.
A key value proposition for DataPower is the ability to dramatically accelerate essential security functions such as schema validation and cryptography. Due to DataPower's highly tuned architecture, these functions will perform dramatically better on DataPower than on commodity back-end servers.
Beyond that, stopping an invalid message at the DataPower appliance tier means that the message will never make it to the back-end server to consume computing resources and/or compromise security. DataPower has built-in message checking features in areas such as the XML Parser tab of the XML Manager object. Some basic JSON message settings can be configured in the JSON Settings object. These should always be reviewed and customized to fit the expected inbound and outbound payloads of each message flow. This includes outbound messages as well: if our internal systems become infected, we do not want to send bad messages back to our clients or partners! Schema validation may also act as a warning system that something has gone awry. This includes not only hacking but also problems with new code releases.
Because XML schema validation is usually resource-intensive (particularly when content must be decrypted first), it has not been used in many systems. DataPower has solved that problem using its high-speed crypto and message processing capabilities. JSON was a problem in its early days, before the advent of JSON Schema. Now that it is available, systems should use validation on both XML and JSON messages.
Configuration
In the DataPower WebGUI, type "Processing Policy" in the search bar. Open the Processing Policy for your service. Review each request and response rule to ensure that it contains a Validate action when appropriate. If one is not present, and should be, configure the processing policy to use a Validate action.
Figure 3-1 shows the Validate Action configuration. Notice the choices available. As you might guess, it would be less secure to allow validation based on a schema attribute in the message itself. Unless the message is signed and encrypted to prevent alteration, validation based on a schema attribute would create a vulnerability to a schema poisoning attack: whoever controls the schema location controls what "valid" means. Any schema originating outside your secure environment is more susceptible to tampering and corruption than a well-validated, trusted schema that is retrieved directly from the DataPower file system, or from a secure server within your infrastructure.
Figure 3-1 Validate Action configuration.
Testing Tips
Configure the Validate Action as prescribed above. In the "Schema URL" field, select an existing schema file or upload a schema file to the appliance by selecting the Upload button. Design test messages based on specific items in the schema. These should test both valid and invalid scenarios. Use an automated testing system (such as LoadUI) to produce repeatable tests, and ensure that in all cases bad messages are rejected and valid messages pass. Test for problem possibilities beyond schema validation, such as unusual message sizes and other problems that can be addressed by configurable XML Manager and JSON settings.
Test cases must be continually updated along with your applications. Up-to-date schemas and testing are an essential part of the system's application development and deployment lifecycle.
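To make the two layers of checking described above tangible (structural limits of the kind the XML Manager parser settings enforce, and schema validation of the kind a Validate action performs), here is an added example in Python; it is not appliance code. The JSON side implements only a small subset of JSON Schema (type, properties, required, additionalProperties, maxLength, enum, items), enough to show why a field length limit stops the injection payload in the sample; on the appliance you would point the Validate action at a full schema file. The schema, messages and limits are constructed for the example.

```python
"""A message gate: size, structure and schema limits before forwarding (added example)."""
import json
from xml.parsers import expat


class Rejected(ValueError):
    """Raised with a reason when a message must not be forwarded."""


def check_xml(data, max_bytes=65536, max_depth=32, max_attributes=64):
    """Reject oversized, malformed or excessively nested XML (parser limits)."""
    if len(data) > max_bytes:
        raise Rejected(f"XML message of {len(data)} bytes exceeds {max_bytes}")
    depth = 0
    parser = expat.ParserCreate()

    def start(name, attributes):                 # runs for every opening tag
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise Rejected(f"element depth exceeds {max_depth} at <{name}>")
        if len(attributes) > max_attributes:
            raise Rejected(f"<{name}> carries more than {max_attributes} attributes")

    def end(name):
        nonlocal depth
        depth -= 1

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    try:
        parser.Parse(data, True)                 # exceptions from handlers propagate
    except expat.ExpatError as exc:
        raise Rejected(f"malformed XML: {exc}") from None
    return True


_PY_TYPES = {"object": dict, "array": list, "string": str, "integer": int,
             "number": (int, float), "boolean": bool, "null": type(None)}


def _validate(value, schema, path):
    """Minimal JSON Schema subset; raises Rejected on the first violation."""
    expected = schema.get("type")
    if expected is not None:
        ok = isinstance(value, _PY_TYPES[expected])
        if expected in ("integer", "number") and isinstance(value, bool):
            ok = False                           # bool is an int subclass in Python
        if not ok:
            raise Rejected(f"{path}: expected {expected}")
    if "enum" in schema and value not in schema["enum"]:
        raise Rejected(f"{path}: value not permitted")
    if isinstance(value, str) and len(value) > schema.get("maxLength", len(value)):
        raise Rejected(f"{path}: string longer than {schema['maxLength']}")
    if isinstance(value, dict):
        for key in schema.get("required", []):
            if key not in value:
                raise Rejected(f"{path}: missing required field {key!r}")
        props = schema.get("properties", {})
        for key, item in value.items():
            if key in props:
                _validate(item, props[key], f"{path}.{key}")
            elif not schema.get("additionalProperties", True):
                raise Rejected(f"{path}: unexpected field {key!r}")
    if isinstance(value, list) and "items" in schema:
        for i, item in enumerate(value):
            _validate(item, schema["items"], f"{path}[{i}]")


def check_json(data, schema, max_bytes=65536):
    if len(data) > max_bytes:
        raise Rejected(f"JSON message of {len(data)} bytes exceeds {max_bytes}")
    try:
        document = json.loads(data)
    except ValueError as exc:
        raise Rejected(f"malformed JSON: {exc}") from None
    _validate(document, schema, "$")
    return True


def gate(data, content_type, schema=None):
    """Return (accepted, reason) for one inbound message."""
    try:
        if content_type == "application/json":
            check_json(data, schema)
        elif content_type in ("application/xml", "text/xml"):
            check_xml(data)
        else:
            raise Rejected(f"unsupported content type {content_type}")
    except Rejected as exc:
        return False, str(exc)
    return True, "ok"


# Constructed schema and messages for an order service.
ORDER_SCHEMA = {
    "type": "object", "required": ["orderId", "quantity", "currency"],
    "additionalProperties": False,
    "properties": {"orderId": {"type": "string", "maxLength": 16},
                   "quantity": {"type": "integer"},
                   "currency": {"type": "string", "enum": ["USD", "EUR", "GBP"]}},
}
GOOD_JSON = b'{"orderId": "A-1001", "quantity": 3, "currency": "USD"}'
INJECTED_JSON = b'{"orderId": "A-1001\' OR 1=1 --", "quantity": 3, "currency": "USD"}'
EXTRA_FIELD_JSON = b'{"orderId": "A-1001", "quantity": 3, "currency": "USD", "isAdmin": true}'
GOOD_XML = b"<order><id>A-1001</id><qty>3</qty></order>"
DEEP_XML = b"<a>" * 40 + b"</a>" * 40
```

Note that the gate rejects the unexpected isAdmin field outright: with additionalProperties left at its default, an attacker can smuggle parameters a permissive back end will happily honour, which is the "message compromise" the rationale warns about.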
3.2 Use Strong Crypto for Message Traffic
Rationale
Please refer to the discussion in Section 2.18, "NIST SP800-131a and FIPS 140-2 Compliance," about placing the appliance into FIPS 140-2 Level 1 mode. This section will expand upon that setting to show its relevance to message-level traffic.
The National Institute of Standards and Technology (NIST) created Special Publication 800-131A (SP800-131A) to provide guidelines for strong crypto configurations. Some of the basic SP800-131A compliance requirements are:
TLS (rather than SSL) as the transport security protocol
SHA-256 or stronger hash functions
2048-bit or stronger RSA keys
Configuration
When the appliance is configured for FIPS 140-2 Level 1 mode, as described in Section 2.18, "NIST SP800-131 Compliance," all protocols and crypto actions will use FIPS-approved configurations.
Testing Tips
Configure an HTTPS Front Side Handler on a service. Submit a test message to the service and then check the logs to ensure that the expected algorithms were used for all crypto operations. An external check from the client side (for example, inspecting the negotiated protocol, cipher suite, and certificate key size with a TLS client such as openssl s_client) confirms that what the peer actually sees matches what the logs report.
3.3 Secure Logging for Transactions
Rationale
In Section 2.3, "Off-load System Audit Records," we discussed sending system audit records to off-appliance log targets. In this section we discuss more granular logging at an individual transaction level. This type of logging is performed in real time and can contain any type of content that you define. There are two variations of this type of logging: the "log target" approach and the off-appliance approach. Logging of arbitrary information to the system log can be done using XSLT or GatewayScript. Such log records are then written to DataPower's logging event bus and are picked up by appropriately configured log targets.
Alternatively, log messages can be sent to remote services for long-term storage. This can be accomplished by using a Log action in a processing rule. There are several advantages to real-time offloading of message-level log records.
First, it ensures that local storage will not become overwritten, a particular concern with message-level logging.
Second, message-level logging can help to ensure that if some kind of catastrophic failure occurs and the device is not recoverable, log records needed for audit compliance are retained.
Finally, though local logging via the "log target" approach can accept any string of data that you send it, it is intended for logging of transient system events and transactional metadata, not large payloads. In fact, logging via the log-target approach limits the message payload to 1024 characters. Any data over that limit will be truncated. The Log action approach, by contrast, can accept arbitrarily large payloads, limited only by the capacity of the back-end service that receives such messages.
Of course, moving log records, and the sensitive data they contain, often comes with a security risk. Sending application-level log messages to external log targets must be done in a secure manner: the log messages should be sent over a secure protocol using TLS. Additionally, you may wish to encrypt the message payload, or portions of it, so that the log store does not become a plaintext copy of every transaction that passed through the gateway.
Configuration
In the WebGUI, ensure that the appropriate application domain is chosen. Select the existing service object (e.g., Multi-Protocol Gateway) and then choose and edit the processing policy. Drag the Advanced action to the rule, scroll down, select Log Action, and click Next. Fill out the parameters for the log action, taking care to specify a secure log destination. See Figure 3-2 for an example.
Figure 3-2 Defining Log action.
Notice that in this example, the message being logged is whatever happens to be in the input context "PIPE." That content may be the request message that was sent to the service, some portion of it, or arbitrary content that you construct. If you are going to log only a portion of a message (e.g., the payload within a SOAP Envelope), or some arbitrary data (e.g., a JSON or XML node containing metadata about the request), then you will first need to configure an XSLT or GatewayScript action, which writes the data into the context that is then the input to the Log action.
TIP—Sending Log Messages Asynchronously
Setting the Asynchronous parameter to "on" will allow the multi-step policy to immediately continue processing instead of waiting for a reply from the external log server. The trade-off is that a failed delivery no longer affects the transaction, so if the record is required for audit purposes, monitor the log destination separately for gaps.
Testing Tips
Configure the external log server (or perhaps just a simple loopback proxy on DataPower). Then create some test cases that should cause message logging to occur. Monitor the logs on both sides to ensure that the DataPower logs are properly and securely transmitted to the remote server. Make sure that the logs on the external server contain the expected message content.
3.4 Configure Individual and Group Authentication Methods
Rationale
DataPower appliances providing service proxy functions (e.g., proxying web applications, web services, and web APIs) must commonly identify and authenticate organizational users (or processes acting on behalf of organizational users). Identifying individual users and/or system-level user accounts is an integral component of determining whether DataPower should allow a request to be processed or rejected.
It is essential that users and services that send request messages to the appliance be appropriately authenticated and authorized. The DataPower appliance's AAA Policy (Authentication, Authorization, Audit) provides a wide range of capabilities for preventing the misuse and compromise of both the appliance and the organizational assets it supports. A well-considered AAA Policy must be applied to all users and services that connect to the appliance as a gateway to back-end resources.
TIP—Credentials Mapping
Credentials from the AAA Policy authentication phase may be mapped to a format that is congruent with your back-end authorization method. For example, you can map an authenticated name and password for an account to an LDAP group. For additional information see: https://ibm.biz/Bd4pky
Configuration
In order to configure individual and group authentication methods, navigate to Objects → XML Processing → AAA Policy. Add (or open an existing) AAA policy. This AAA Policy is then used by an AAA Action configured as part of a rule that is, in turn, part of a service's processing policy. At a minimum, an AAA authentication requires configuration of three major processing steps: Identity Extraction, User Authentication, and User Authorization. On the Main tab, specify those parameters required to support your intended authentication process. On the Identity extraction tab, check those methods of identity extraction that will provide what your authentication server requires.
Figure 3-3 AAA Policy: Identity Extraction tab.
On the Authentication tab, specify all parameters associated with your desired authentication method (e.g., LDAP).
TIP—Centralized User Validation
User account and privilege validation must be centralized in order to prevent unauthorized access using changed or revoked privileges. Centralized management of privilege validation (e.g., Active Directory or LDAP) is key to ensuring that privileges are both protected and carefully managed. Exclusively on-box privilege validation should only be used in a development environment.
Figure 3-4 AAA Policy: Authentication tab.
TIP—Available Authentication and Authorization Methods
DataPower provides a large number of methods for implementing centralized authentication and authorization, e.g., LDAP, ClearTrust, IBM Security Access Manager, SiteMinder, NSS, OAuth, SAML, XACML, WS-Trust, RADIUS, and Kerberos.
On the Authentication tab, define the specific external control server that will accomplish authentication (e.g., LDAP). Then specify all parameters associated with that method. Give special care to ensuring a secure connection to your server by defining an SSL Client profile that supports TLS 1.1/1.2; an authentication server reached over plaintext LDAP exposes every credential the gateway checks.
If there is a requirement for credential mapping, on the Credential mapping tab, specify the method and associated policy.
Figure 3-5 AAA Policy: Credential Mapping tab.
Next, click on the "Resource Extraction" tab in order to configure which "resource" is being protected.
For SOAP messages, the resource is commonly the "URI of top level element in message," as this represents the namespace URI of the child element of the SOAP Body element. While the name of the operation may not be unique across all of your organization's SOAP web services, the combination of the namespace and the operation name should be unique.
For Web API messages (e.g., REST), the resources used are most commonly (1) the "URL sent by client" and (2) the "HTTP operation (GET or POST)." Note that while the label (and, indeed, the online documentation) indicates that this operation is either a GET or POST, in practice this selection will return whatever the HTTP method is, encompassing all HTTP methods defined by the HTTP specifications.
Figure 3-6 AAA Policy: Resource Extraction methods.
TIP—HTTP Verbs
For a full discussion of HTTP methods, see https://ibm.biz/Bd4wJP
Testing Tips
Go to the Troubleshooting panel. Set the log level to "debug." Perform a test run of your authentication scenario by initiating an external request to a DataPower service configured with your AAA Policy. Then examine the system log to observe the success or failure of each step in the authentication process. For example, was the connecting user's identity appropriately extracted? An overview of AAA processing steps may be found here: https://ibm.biz/Bd48YE. Remember to return the log level to its normal setting afterwards: debug-level logs are verbose and may capture credentials and payload content.
TIP—AAA Policies
Build your AAA policies incrementally: first focus on front-side connectivity between a test client and DataPower, then focus on connectivity between DataPower and your back-end server. Confirm the results of each AAA phase using the transaction probe (https://ibm.biz/Bd4wJa) to examine processing results.
3.5 Multifactor Authentication for Network Access to Protected Resources
Rationale
It is frequently a requirement that users access web applications using multifactor authentication, as this form of authentication is generally more secure than ID and password login. From the web application perspective, multifactor authentication (MFA) helps assure accountability and prevent unauthenticated access.
Multifactor authentication uses two or more factors to achieve authentication. Factors can include: something you know (password/PIN), something you have (cryptographic identification device, token), or something you are (biometric characteristics).
User authentication in many government and private organizations makes use of a smart card which stores a certificate that is linked to a specific user. The certificate is unlocked and made available for use by inserting the smart card (something you have) into a specially designed reader and then entering an access code (something you know).
Once unlocked, the certificate and its private key can be used when opening secure connections from the user's browser to a remote web application. When DataPower is part of the architecture, that certificate would be used to negotiate an HTTPS connection to the appliance. The certificate presented to DataPower could also be a "soft certificate" embedded in a browser or application on a desktop, laptop, or mobile device. Be aware that a soft certificate usable without a separate PIN or passphrase contributes only one factor (something you have), so it does not by itself satisfy a multifactor requirement.
Configuration
DataPower's AAA framework can use the client certificate from the TLS/SSL connection as the authentication token. As was done in Section 2.19, "PKI Certificate Authentication for Admin Users," start by creating a Validation Credential, with an optional Certificate Revocation List policy, in order to validate the user's certificate. Next, add an AAA Action to the request processing rule of your service. Configure an AAA Policy to extract the client certificate from the SSL connection in the Identity Extraction tab. Finally, configure the Authentication processing to validate the certificate using the Validation Credential that you configured.
TIP—Additional Authentication Processing
As described above, the certificate is considered trusted if it can be determined that it is still valid (has not expired or been revoked) and that it is signed by a trusted Certificate Authority. It is commonly required to perform additional checks, such as confirming that the Subject DN from the user's certificate is in a particular LDAP directory and part of a specific group. Such processing can be accomplished in a number of ways. One approach is to add a second AAA Policy, immediately following the first one, in order to extract the Subject DN from the SSL connection. Then configure Authentication to search for the Subject DN in a specific LDAP directory. Another approach makes use of GatewayScript or XSLT to accomplish the same objective.
Testing Tips
Go to the Troubleshooting panel. Set the log level to "debug." This will generate detailed trace information. Confirm that the user has access to their digital certificate via a smart card reader connected to a laptop/desktop computer.
For the test, the user inserts their smart card, enters their PIN, then opens a browser and connects to a desired DataPower service (e.g., Multi-Protocol Gateway) that is acting as a proxy for a protected web application. If the user does not gain access to the back-end web application via DataPower, review the DataPower log to examine the detailed results of this connection process. Retest the process with a user that does not have a valid certificate to confirm that they are barred from access to the web application.
3.6 Configure Replay-Resistant Mutual SSL/TLS
Rationale
Through the use of SSL Client and Server profiles, the DataPower appliance provides protection against man-in-the-middle attacks and the insertion of false information into application sessions. SSL clients and servers that do not support RFC 5746 (secure renegotiation) are vulnerable to man-in-the-middle (MITM) attacks as documented in CVE-2009-3555 (https://ibm.biz/Bd48Vk). Though exceptions can be configured, by default DataPower requires RFC 5746 connections.
A replay attack may enable an unauthorized user to gain access to an application. In this attack, a message is captured and resent. Digital signatures, by themselves, cannot prevent a replay attack because a signed message can be captured and resent (until the signature or attached token expires).
The primary method of defense provided by DataPower is to define mutually authenticated TLS/SSL tunnels, such that messages in flight cannot be intercepted. Within a TLS session, record sequence numbers are covered by the integrity check, so a captured record cannot be replayed into that session; across sessions, an attacker without the client's private key cannot complete a mutually authenticated handshake, so captured traffic cannot be resubmitted as that client. This requires two sides to the configuration (mutual authentication): both when DataPower acts as a client and when it acts as a server.
This section discusses how to combat replay attacks by configuring mutual TLS/SSL tunnels. See Section 3.16, "Using Filter Actions to Prevent Replay Attacks," for another method to combat replay attacks, including replays submitted by an otherwise legitimate client.
Configuration
To define mutually authenticated TLS connections when DataPower is the requesting client, go to Objects → Crypto Configuration → SSL Client Profile. Add an SSL Client Profile. Provide a name. Deselect all protocols except TLS version 1.1 and 1.2. Deselect "Use SNI." To identify the appliance in a TLS negotiation, choose an appropriate active Identification Credential from the drop-down list. If no ID Credential exists for the DataPower appliance, create one. You will need access to the key files you wish to use. (See the following for details on how to do this: https://ibm.biz/Bd48KQ.)
Next, choose an active Validation Credential (ValCred) object from the drop-down list. If an appropriate ValCred does not exist, you must create one. (See Section 3.7, "Define Crypto Validation Credentials and Certificate Revocation Policy.") You will need access to the certificates for the server you wish to validate. Save the configuration. Use this new SSL Client Profile when configuring a service, such as when a Multi-Protocol Gateway or Web Service Proxy is used to connect (as a client) to other servers. If the remote server will not agree to TLS v1.2 or v1.1, or does not provide a certificate that validates, the connection will not be established.
To define mutual TLS connections when DataPower is the responding server, the steps are similar to those for the SSL Client, with a minor difference at the end. Go to Objects → Crypto Configuration → SSL Server Profile. Add an SSL Server Profile. Provide a name. Deselect all protocols except TLS version 1.1 and 1.2. Ensure that the feature "Permit connections to insecure SSL servers" is not enabled.
On the Advanced tab, ensure that "Allow legacy renegotiation" is set to "off."
Specify the Identification Credentials that the appliance uses to identify itself. If no ID Credentials exist, create one. You will need access to the key files you want to use. Set "Request client authentication" to "On." Choose an active Validation Credentials object from the list. If an appropriate ValCred does not exist, you must create one. You will need access to the CA certificates that issued the client certificates you intend to accept. Save the configuration. Use this new SSL Server Profile when configuring an HTTPS Front Side Handler (FSH). This FSH would be used by a server service, such as a Multi-Protocol Gateway or Web Service Proxy, to accept incoming requests. If the remote client will not agree to TLS v1.2 or v1.1, or does not provide a certificate that validates, the connection will not be established.
Testing Tips
To verify that DataPower requires mutual authentication when establishing TLS connections to remote hosts, first confirm that the SSL Client and Server configurations are done properly. Then make sure that these SSL Client and Server profiles have been associated with the intended DataPower services. For example, for a Multi-Protocol Gateway, ensure that:
On the General tab, SSL Type is set to "Client Profile" and the appropriate SSL Client profile is selected, and
In the Front Side Protocol settings, the HTTPS Front Side Handler's SSL server type is set to "Server Profile" and the SSL server profile is set to a correctly configured profile.
Next, go to the Troubleshooting panel. Set the log level to "debug." Perform a test run of your authentication scenario by connecting, over HTTPS, to your SSL-configured DataPower service. Then examine the system log to observe the success or failure of each step in the authentication process. Negative tests matter as much as the positive one: a client that presents no certificate, an expired certificate, or offers only TLS 1.0 should be refused at the handshake.
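The two profiles above map onto settings any TLS stack exposes. The following added example expresses them with Python's standard ssl module so that a tester can build a compatible client (or a stand-in server) for the negative tests just described; it is not DataPower code. server_context() mirrors the Server Profile (client certificate required, renegotiation refused), client_context() mirrors the Client Profile (server certificate and host name verified). Two deliberate choices differ from the text: the minimum version is TLS 1.2 rather than 1.1, because RFC 8996 has since deprecated TLS 1.0 and 1.1, and the client keeps host-name checking on, which the DataPower profile's "Use SNI" setting does not control. Certificate paths are parameters; pass None to build a context without loading key material, which is what lets the policy() checks run offline.

```python
"""SSL Client / Server Profile settings expressed with Python's ssl module (added example)."""
import ssl

# TLS 1.2 cipher string: forward-secret, AEAD suites only.  TLS 1.3 suites are
# governed separately by OpenSSL and remain enabled.
CIPHERS = "ECDHE+AESGCM:!aNULL:!MD5"


def _harden(ctx):
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2          # no SSLv3, TLS 1.0 or 1.1
    ctx.set_ciphers(CIPHERS)
    # Refuse all client-initiated renegotiation, a superset of "Allow legacy
    # renegotiation: off".  OpenSSL already rejects un-patched (pre-RFC 5746)
    # renegotiation by default; this flag needs OpenSSL 1.1.0h or later.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    ctx.options |= ssl.OP_NO_COMPRESSION                   # CRIME mitigation
    return ctx


def server_context(cert_file=None, key_file=None, client_ca_file=None):
    """Server side: an SSL Server Profile with 'Request client authentication: On'."""
    ctx = _harden(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    ctx.verify_mode = ssl.CERT_REQUIRED      # handshake fails without a valid client cert
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)     # Identification Credential
    if client_ca_file:
        ctx.load_verify_locations(client_ca_file)    # Validation Credential: issuing CAs
    return ctx


def client_context(ca_file=None, cert_file=None, key_file=None):
    """Client side: an SSL Client Profile presenting an Identification Credential."""
    ctx = _harden(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True                # the server's cert must name the host dialed
    if ca_file:
        ctx.load_verify_locations(ca_file)           # Validation Credential
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)     # Identification Credential
    return ctx


def policy(ctx):
    """Summarise the settings a reviewer would check on a context."""
    return {
        "min_version": ctx.minimum_version.name,
        "peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname_checked": ctx.check_hostname,
        "renegotiation_blocked": bool(ctx.options & getattr(ssl, "OP_NO_RENEGOTIATION", 0)),
    }


if __name__ == "__main__":
    print("server:", policy(server_context()))
    print("client:", policy(client_context()))
```

To run the negative tests, wrap a socket with client_context() against the HTTPS Front Side Handler: omit cert_file to simulate a client without a certificate, or lower minimum_version on a throwaway context to confirm the handler refuses TLS 1.0.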
3.7 Define Crypto Validation Credentials and Certificate Revocation Policy
Rationale
The DataPower appliance provides the ability to define Crypto Validation Credentials that can validate a certificate's certification path from the end-entity certificate to a trusted root certification authority (CA). This capability is key to properly performing the RFC 5280-compliant certification path validation required by TLS/SSL.
DataPower's certification path validation can include checks such as certificate issuer trust, time validity, and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path may be provided via certificate revocation lists (CRLs). Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).
DataPower can consume CRLs, published in the format defined in RFC 3280 (since superseded by RFC 5280), that list certificates that are no longer considered valid. DataPower can be configured to retrieve and use these CRLs.
Though not covered here, DataPower also provides the ability to validate using the Online Certificate Status Protocol (OCSP).
Configuration
First, set up a CRL Update Policy. From the default domain, type CRL in the WebGUI search bar and go to the CRL Retrieval → CRL Update Policy tab. Click Add. Enter the Fetch URL value and click the + icon next to the CRL Issuer Validation Credential. The configuration shown in Figure 3-7 specifies a CRL refresh every four hours. Choose a refresh interval shorter than the validity period of the CRLs the issuing CA publishes, so that the cached copy never expires between fetches.
Figure 3-7 Certificate Revocation List Update Policy.
Configuring Crypto Validation Credentials provides the foundation for DataPower's ability to provide RFC 5280-compliant certificate path validation. Here is how it is done. Go to Objects → Crypto Configuration → Crypto Validation Credentials. Add a new Crypto Validation Credential. Provide a name. For the Certificates parameter, define certificate aliases for the Validation Credential. Each certificate listed here is a Crypto Certificate object representing either a certificate that an SSL peer might send, or, more commonly, the certificate of the Certification Authority (CA) that signed the certificate sent by a peer, or the root certificate. Set Certificate Validation Mode to "Full certificate chain checking (PKIX)." Set both Use CRL and Require CRL to "on." Set CRL Distribution Points Handling to "Require."
TIP—Require CRL Option
Specifying the "Require" option will result in checks against (but does not fetch) the CRLs named in the X.509 CRL Distribution Point extensions. If any CRL named in a CRL Distribution Point extension is not present in the CRL cache, the certificate validation fails.
Save the new Validation Credential.
Figure 3-8 Crypto Validation Credentials.
Now, the ValCred must be incorporated in an SSL Client Profile (https://ibm.biz/Bd48sk) and an SSL Server Profile (https://ibm.biz/Bd48gM). The process for creating those profiles is described in Section 3.6, "Configure Replay-Resistant Mutual SSL/TLS."
TIP—Operating in FIPS 140-2 Level 3 Mode
The DataPower Hardware Security Module (HSM) provides secure storage for RSA keys and accelerates RSA operations. The HSM operates in FIPS 140-2 Level 3 mode. It can: accelerate synchronous and asynchronous RSA operations (sign, verify, encrypt, and decrypt); provide encrypted password-based login; generate and store RSA private keys on the HSM; export and import key material among HSM-equipped appliances; and delete RSA private keys from the HSM.
Testing Tips
Go to Objects → Crypto Configuration → Crypto Validation Credentials. Confirm that all settings are correct. Once associated with SSL Client and Server Profiles, the Validation Credential will comprise part of the testing described in Section 3.6, "Configure Replay-Resistant Mutual SSL/TLS."
Create a CRL in the format specified by RFC 5280 (RFC 3280). Create a certificate to be added to that CRL, thus flagging this certificate as revoked. Configure the Server Profile to use a Validation Credential that checks CRLs, and configure a CRL update policy that loads the CRL you created. Then send a message using the "revoked" certificate as part of a two-way SSL connection to a DataPower service (e.g., Multi-Protocol Gateway) configured with an HTTPS front side handler. Check the DataPower system logs to confirm that the request was rejected due to a revoked certificate.
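The decision logic behind "Full certificate chain checking (PKIX)" with Use CRL, Require CRL and a CRL cache is worth seeing end to end, because the revocation check can fail in more than one way (revoked serial, missing CRL, stale CRL, CRL from the wrong issuer). The following is an added example that models it in Python; it is not DataPower code. Certificates and CRLs are plain dictionaries and signatures are taken as already verified, so the example concentrates on chaining to a trust anchor, time validity and the revocation outcomes; every name, serial number, URL and date is constructed, and the fixed NOW makes the results repeatable.

```python
"""Certification-path validation against a CRL cache (added example)."""
from datetime import datetime, timezone

UTC = timezone.utc
NOW = datetime(2016, 6, 1, 12, 0, tzinfo=UTC)          # fixed "now" for repeatability


def validate_path(chain, crl_cache, trust_anchors, require_crl=True, now=NOW):
    """chain is leaf-first and ends with the certificate issued by a trust anchor.

    Returns (True, "ok") or (False, reason) for the first failing check.
    Signatures are assumed verified; only the decision logic is modelled.
    """
    if not chain:
        return False, "empty chain"
    for i, cert in enumerate(chain):
        subject, issuer = cert["subject"], cert["issuer"]
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, f"{subject}: outside validity period"
        if i + 1 < len(chain):                   # issuer must be the next certificate
            if chain[i + 1]["subject"] != issuer:
                return False, f"{subject}: issuer {issuer} is not the next certificate"
        elif issuer not in trust_anchors:        # the last one must chain to an anchor
            return False, f"{subject}: issuer {issuer} is not a trust anchor"
        # Revocation: look up the CRL named by the certificate's distribution point.
        dp = cert.get("crl_dp")
        crl = crl_cache.get(dp) if dp else None
        if crl is None:
            if require_crl:                      # Require CRL on: no CRL, no trust
                return False, f"{subject}: no CRL in cache for {dp!r}"
            continue                             # Use CRL only: skip when unavailable
        if crl["issuer"] != issuer:
            return False, f"{subject}: CRL {dp} was not issued by {issuer}"
        if crl["next_update"] < now:
            return False, f"{subject}: CRL {dp} is stale (nextUpdate passed)"
        if cert["serial"] in crl["revoked"]:
            return False, f"{subject}: serial {cert['serial']:#x} is revoked"
    return True, "ok"


# Constructed PKI: Example Root CA -> Example Issuing CA -> client certificates.
TRUST_ANCHORS = {"CN=Example Root CA"}

ISSUING_CA = {
    "subject": "CN=Example Issuing CA", "issuer": "CN=Example Root CA",
    "serial": 0x1000, "crl_dp": "http://crl.example.test/root.crl",
    "not_before": datetime(2015, 1, 1, tzinfo=UTC),
    "not_after": datetime(2025, 1, 1, tzinfo=UTC),
}
ALICE = {
    "subject": "CN=alice,O=Example", "issuer": "CN=Example Issuing CA",
    "serial": 0x2001, "crl_dp": "http://crl.example.test/issuing.crl",
    "not_before": datetime(2016, 1, 1, tzinfo=UTC),
    "not_after": datetime(2017, 1, 1, tzinfo=UTC),
}
MALLORY = dict(ALICE, subject="CN=mallory,O=Example", serial=0x2002)   # revoked below

# What a four-hour CRL Update Policy would have fetched into the cache.
CRL_CACHE = {
    "http://crl.example.test/root.crl": {
        "issuer": "CN=Example Root CA", "revoked": set(),
        "next_update": datetime(2016, 6, 2, tzinfo=UTC)},
    "http://crl.example.test/issuing.crl": {
        "issuer": "CN=Example Issuing CA", "revoked": {0x2002},
        "next_update": datetime(2016, 6, 2, tzinfo=UTC)},
}

if __name__ == "__main__":
    for leaf in (ALICE, MALLORY):
        print(leaf["subject"], validate_path([leaf, ISSUING_CA], CRL_CACHE, TRUST_ANCHORS))
```

The require_crl flag is the one to pay attention to: with it off, a certificate whose CRL has not been fetched is accepted, which is the quiet failure the "Require CRL" setting above exists to prevent.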
3.8ConfigurePKI-BasedCredentialMappingforMessage-levelAuthenticationandAuthorization
Rationale
Authentication of the sender of a given message – whether that “message” is XML, SOAP, JSON, or an HTTP request from a web browser – has been found to be significantly more secure when the credentials for the user are based on PKI certificates, versus the ID and Password model. Once a requestor – a human user or system account – has been authenticated, then, and only then, can the request be Authorized (i.e., a yes/no decision is made regarding whether or not the authenticated user is allowed to perform the action that they are requesting). In its role as an application security gateway, the DataPower appliance’s AAA Policy configuration can ensure that authorization for access to any service is approved and has been assigned an individual account identifier. To ensure that only an assigned individual is using the account, the account must be bound to a user certificate.
Configuration
Through the configuration of an authentication, authorization, and audit policy (AAA), the DataPower provides PKI-based user authentication intermediary services that map authenticated identities to the user account. This can be implemented in two ways. For small scale implementations, the DataPower AAA Information File can be used. For larger scale implementations, the mapping of PKI credentials to a mapped credential more commonly takes place via a central authentication/authorization server (e.g., LDAP). The following example makes use of the AAA Information file.
The AAA policy must be configured as follows. In the DataPower WebGUI navigate to Objects → XML Processing → AAA Policy. Add a new policy. On the Main tab, configure all general policy parameters. On the Identity extraction tab, select from the following PKI-based methods to extract the claimed identity of the service requestor: “Subject DN of SSL certificate from connection peer” or “Subject DN from certificate in message signature,” as appropriate for your specific scenario.
Figure 3-9 AAA Policy: Identity Extraction tab.
On the Authentication tab, define the external control server that will accomplish authentication. On the Resource extraction tab, select the appropriate method DataPower should use to extract the requested resource from the request message, e.g., “URL sent by client” or “local name of request element.”
TIP—Credential Mapping
It is frequently useful to map individual credentials (e.g., “CN=Marshall T. Rose, O=Dover Beach Consulting, L=Santa Clara, ST=California, C=US”) to a more generic identifier such as “SYSTEM-USER”. From that point forward in the AAA process, the user is identified as “SYSTEM-USER”, including in the Authorization phase. There are a number of methods available for mapping user credentials, including “Custom” (identifies a custom mapping resource such as a stylesheet or GatewayScript file), “AAA information file” (identifies a DataPower AAA information file, which is an XML file, as the mapping resource), as well as several others.
See Section 3.4, “Configure Individual and Group Authentication Methods” for an expanded discussion on user authentication. For information on the structure of the AAA Information file, see https://ibm.biz/Bd4AWV.
Policy implementation
In order for the defined AAA Policy to become operative, it must be associated with a DataPower service. For example, if using the Multi-Protocol Gateway (MPGW) service, an AAA action must be added to its policy.
Testing Tips
Verify that a DataPower service processing policy includes an appropriately configured AAA policy action.
Once the policy has been associated with a service, test authentication/authorization by sending a request message from an authorized, then an unauthorized user. Examine the log to confirm that the authentication is as expected.
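The credential mapping described in the tip above, as an added illustration: this is not code from the handbook, not GatewayScript, and not the AAA information file format. The mapping table is constructed here; a deployment would keep it in an AAA information file or an LDAP directory, and the DN parsing handles the escaped-comma and spacing differences that commonly make certificate subjects fail an exact-string match.

```javascript
// Split an RFC 2253-style DN into [type, value] pairs. Backslash escapes are
// honoured so that "O=Acme\, Inc." stays one value; attribute types are
// normalised to upper case, values keep their case.
function parseDn(dn) {
  const rdns = [];
  let cur = '';
  for (let i = 0; i < dn.length; i++) {
    const c = dn[i];
    if (c === '\\' && i + 1 < dn.length) { cur += dn[++i]; continue; } // escaped char
    if (c === ',') { rdns.push(cur); cur = ''; continue; }
    cur += c;
  }
  rdns.push(cur);
  return rdns.map((rdn) => {
    const eq = rdn.indexOf('=');
    if (eq < 0) throw new Error('malformed RDN: ' + rdn);
    return [rdn.slice(0, eq).trim().toUpperCase(), rdn.slice(eq + 1).trim()];
  });
}

// Canonical lookup key, so that differences in spacing or attribute-type
// case between the certificate and the table do not break an exact match.
function canonicalDn(dn) {
  return parseDn(dn).map(([type, value]) => type + '=' + value).join(',');
}

// Constructed table (assumption): individual subject DN -> generic credential.
const DN_MAP = new Map([
  [canonicalDn('CN=Marshall T. Rose, O=Dover Beach Consulting, L=Santa Clara, ST=California, C=US'), 'SYSTEM-USER'],
  [canonicalDn('CN=batch01, OU=Billing, O=Example Corp, C=US'), 'BILLING-BATCH'],
]);

// Map the extracted identity to the credential used for the rest of the AAA
// flow (authorization included). An unknown DN maps to null rather than to a
// default identity, so the authorization step has nothing to permit.
function mapCredential(subjectDn, table = DN_MAP) {
  const mapped = table.get(canonicalDn(subjectDn));
  return mapped === undefined ? null : mapped;
}
```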
3.9 Configure Device Failure Notification Functions
Rationale
By default, the DataPower Gateway, in the event of a system failure, saves diagnostic information and logs system messages. When restarted, DataPower loads the most current security policies, rules, and signatures, then reverts to Failsafe Mode.
In addition, the DataPower Gateway supports the configuration of optional failure notification functions. These include the following: upload error report, include internal state, background packet capture, background log capture, and background memory trace.
Configuration
To configure these additional failure notification functions, go to Administration → Device → Failure Notification.
Select the capabilities desired.
Figure 3-10 Failure Notification Options.
TIP—Backtrace File
An unscheduled device failure may result in a backtrace file. This file contains diagnostic data which will assist DataPower customer support in debugging the failure. In order to check for a backtrace, from the CLI enter ‘show failure-info’.
Testing Tips
Verify that all desired optional failure notification functions are configured by going to Administration → Device → Failure Notification. To test the notification process, select either “Always On Startup” or “Always On Shutdown”. Then, restart the appliance: On the WebGUI Control Panel, click System Control. At the Shutdown section, select “Reboot System” then click Shutdown.
Log in to the WebGUI after the DataPower appliance reboots and view the configuration. Confirm that the configuration is the one last saved.
3.10 SQL Injection Protection
Rationale
A SQL Injection attack consists of insertion or “injection” of a SQL query via the input data from the client that targets the application. SQL injection is mostly known as an attack vector for websites but also can be used to attack any type of SQL database.
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
Configuration
To implement this protection in DataPower requires the addition of a Filter action in a processing policy (e.g., in a Multi-Protocol Gateway). The filter action allows the inclusion of an XSLT file that will run on each message processed through the policy rule. This XSLT file includes an XML file that outlines the protections to apply in the filter action.
DataPower includes a standard XSLT and XML file in the store:/// directory (SQL-Injection-Filter.xsl and SQL-Injection-Patterns.xml). These files cover most of the SQL Injection attacks known at the time of the firmware release.
As an example, add an SQL injection filter action to a Multi-Protocol Gateway (MPGW) policy. First, add a filter action to one of the MPGW’s policy rules. See Figure 3-11.
Figure 3-11 Add a Filter Action to an MPGW Rule.
Double-click the filter icon that you just added. Enter an XSL file location and file name, e.g., store:///SQL-Injection-Filter.xsl. Click Done → Apply Policy → Close Window → Apply. This configuration is shown in Figure 3-12.
Figure 3-12 Add the SQL-Injection-Filter.xsl to the filter.
Testing Tips
Set up tests that inject SQL code into an XML message and send the message to the DataPower MPGW service. The message should be caught and an error logged. If not, then the SQL-Injection-Patterns.xml file may need to be modified to include this particular attack.
If a known injection attack is not listed in the SQL-Injection-Patterns.xml file, this file may be copied and updated manually by the DataPower system administrator.
TIP—Manually Created Files
Files that are manually created or copied from files in the store:/// directory on DataPower cannot be saved in the store:/// directory. These files must be located in a folder in the local:/// directory.
3.11 Denial of Service (DoS) Attack Mediation
Rationale
Denial of service (DoS) attacks deny service to valid users trying to access services mediated by the DataPower appliance. An attacker might attempt to flood the appliance with requests—rendering its services temporarily unavailable or unusable. Denial of service attacks are problematic because they are easy to achieve and can be anonymous. The DataPower appliance provides multiple avenues of defense against DoS attacks. Mitigating such attacks at the DataPower gateway insulates backend resources from negative impact. One defense is to create access control lists. Access control lists define clauses that identify which IP addresses to allow or deny access to a service. This topic is covered in Section 3.15, “Access Control Lists.”
Installation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume, type, or protocol usage. Detection components that use signatures can detect known attacks by using known attack signatures.
Configuration
Employ Message Count Monitors
DataPower Message Count Monitors can be applied to any DataPower object (e.g., the Multi-Protocol Gateway) and can limit the effectiveness of a DoS attack.
A Message Monitor observes traffic that is targeted by a Message Type configuration (which in turn is a collection of Message Matching objects). The Monitor measures only that traffic selected by the Measure field. On the filters page, traffic which meets the filter criteria causes the Monitor to take the corresponding action (which is defined by a Message Filter Action command).
TIP—IPv6 Addresses
Each of these configurations, when enabled, provides full access from all IPv4 addresses. If IPv6 addresses are supported, modify the ACL to include an allow clause for either specific, or all, IPv6 addresses.
In the WebGUI search bar type Message Count Monitor and create a Message Count Monitor with the appropriate values. This monitor can then be applied to any running service object. This configuration is shown in Figure 3-13.
Figure 3-13 Message Count Monitor.
XML DoS – DataPower Service Threat Protection
Each service in DataPower, e.g., MPGW, WSP, etc., contains a built-in Threat Protection capability; for this example we will use an MPGW service object. From the WebGUI search bar, type Multi-Protocol. Click Edit Multi-Protocol Gateway. Select or create a Multi-Protocol Gateway object. Go to the Threat Protection tab.
This tab provides configuration options for the types of XML attacks DataPower protects against: Single message XML denial-of-service (XDoS) attacks, multiple message XML denial-of-service (MMXDoS) attacks, padding Oracle protection, SQL and XPath injection attacks, protocol threats, XML viruses (X-Virus), and dictionary attacks. The types of XML Threats that are protected in DataPower can be viewed here: https://ibm.biz/Bd4wAy.
AAA – DoS Flooding Attack Valve
Messages may legitimately contain a number of signatures (including reference URIs) that must be validated, e.g., in a SAML token. From the WebGUI search bar, type aaa. Click AAA Policy. Select or create an AAA Policy. Go to Main tab → DoS flooding attack valve parameter. More than a pre-defined number of signatures contained in a message may indicate a DoS Flooding attack is in progress. This type of attack can tie up system resources in their attempt to validate all the signatures.
To prevent this type of attack, you may specify the number of times allowed to perform the same XML processing per user. The AAA policy assumes that more than this value of the same processing is caused by potential DoS flooding attacks. The AAA policy limits the number of times to process the same request. These processes can include encryption, decryption, message signing, or signature verification. These methods designate the allowed number of signatures or signing reference URIs.
The default value is three. This value means that the AAA policy processes only the first three signatures, and each signature can contain up to three reference URIs. Additional signatures or reference URIs are ignored. (Note: Currently, only identity extraction with subject DN from certificate in message signature and authorization with signer certificate for digitally signed messages support this setting.) This configuration is shown in Figures 3-14 and 3-15.
Figure 3-14 Configure AAA DoS Flood attack valve.
Figure 3-15 Configure AAA DoS Flood attack valve.
PKCS7 – Maximum Number of Signatures to Verify
Another type of DoS attack will include a large number of binary signatures in a message. This can result in a system allocating a majority of its processing to verifying PKCS#7 signatures.
If a message flow needs to validate PKCS#7 signatures, DataPower’s Crypto Binary processing action can limit the maximum number of signatures that can be verified in a PKCS#7 object. This provides protection against a denial of service attack in which an object containing an exceedingly large number of signatures is submitted for verification. The default value for the Crypto Binary action is ten. The minimum is one; the maximum is twenty-five.
This feature is usually employed as an Advanced action within a processing rule of an MPGW. To examine this configuration, add an Advanced action to an MPGW rule. Double click the Advanced action. Select “Crypto Binary” and click Next to see the configuration panel.
Consider adding a Crypto Binary action to your processing rule and setting the Maximum Number of Signatures to Verify value to prevent a signature-based DoS attack. This configuration is shown in Figure 3-16.
Figure 3-16 Crypto Binary Action.
Testing Tips
To check these configurations:
XML DoS
Set up a Message Count Monitor (see https://ibm.biz/BdrFXQ) and set a rate limit in line with expected transactions per second (TPS). Attach this Message Count Monitor (MCM) to a pre-defined service object such as a Multi-Protocol Gateway. Send a volume of messages that exceeds the rate limit to the URL protected by the MCM. Messages over this limit should initiate the action you defined in the MCM action, e.g., Notify, Shape, or Reject.
AAA DoS
Configure the AAA DoS Flood attack valve (the default is three). Create a message that has more than the configured maximum number of signatures allowed to be processed. Check the log files to validate that the AAA policy only allowed messages with a signature count within the defined limit.
PKCS#7
Create a binary object and sign that binary object a number of times that is greater than the value defined by the Crypto Binary action. DataPower will only verify the number of signatures specified in the Maximum Number of Signatures to Verify field.
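The counting rule of the DoS flooding attack valve, as an added illustration rather than code from the handbook or the DataPower firmware. It assumes a constructed WS-Security message and a regex scan of the ds:Signature blocks in place of a real XML parser; the valve value of three is the handbook's default.

```javascript
const DEFAULT_VALVE = 3; // handbook: the default DoS flooding attack valve is three

// Constructed message (assumption): `sigCount` XML Signatures in the
// WS-Security header, each carrying `refsPerSig` Reference URIs.
function buildSignedMessage(sigCount, refsPerSig) {
  let sigs = '';
  for (let s = 0; s < sigCount; s++) {
    let refs = '';
    for (let r = 0; r < refsPerSig; r++) {
      refs += `<ds:Reference URI="#part-${s}-${r}"><ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>`;
    }
    sigs += '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">' +
      `<ds:SignedInfo>${refs}</ds:SignedInfo><ds:SignatureValue>BBBB</ds:SignatureValue></ds:Signature>`;
  }
  return '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header>' +
    '<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">' +
    `${sigs}</wsse:Security></soap:Header><soap:Body><echo/></soap:Body></soap:Envelope>`;
}

// List the Reference URIs of every ds:Signature in document order. A regex
// scan is used here for brevity; a gateway walks the parsed tree.
function listSignatures(xml) {
  const sigRe = /<ds:Signature\b[\s\S]*?<\/ds:Signature>/g;
  const refRe = /<ds:Reference\b[^>]*\bURI="([^"]*)"/g;
  const signatures = [];
  let sig;
  while ((sig = sigRe.exec(xml)) !== null) {
    const uris = [];
    let ref;
    while ((ref = refRe.exec(sig[0])) !== null) uris.push(ref[1]);
    signatures.push(uris);
  }
  return signatures;
}

// Apply the valve: only the first `valve` signatures are verified, and for
// each of them only the first `valve` Reference URIs; the rest is ignored.
// A message over the valve is worth a log line for the SOC even though the
// policy itself just stops processing rather than rejecting.
function applyFloodValve(xml, valve = DEFAULT_VALVE) {
  const signatures = listSignatures(xml);
  const processed = signatures.slice(0, valve).map((uris) => uris.slice(0, valve));
  let ignoredReferences = 0;
  signatures.forEach((uris, i) => {
    ignoredReferences += i < valve ? Math.max(0, uris.length - valve) : uris.length;
  });
  return {
    totalSignatures: signatures.length,
    processed,
    ignoredSignatures: Math.max(0, signatures.length - valve),
    ignoredReferences,
    floodSuspected: signatures.length > valve,
  };
}
```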
3.12 Virus Scanning
Rationale
XML Virus Protection is used to check messages and attachments for embedded viruses using an external ICAP server. The types of attacks that can be eliminated by this action are XML virus attacks, XML encapsulation attacks, payload hijack attacks, and binary injection attacks. DataPower integrates with 3rd party anti-virus servers over the ICAP protocol (https://ibm.biz/Bd4ucC).
Configuration
From the WebGUI search bar, select the desired service object. Edit the Style Policy, then drag an Advanced action to a request rule. Double click the Advanced icon, then select Anti-Virus, and press the Next button. This configuration is shown in Figure 3-17.
Figure 3-17 Anti-Virus action.
Select the type of scanning to be performed in the Anti-Virus Scan Type. Select the enterprise anti-virus scanner from the well-known providers. Enter the host name, port, and URI values for the scanner. This configuration is shown in Figure 3-18.
Figure 3-18 Defining Anti-virus action.
Testing Tips
Your test environment will need to have an Anti-Virus server that supports the ICAP protocol. Work with your security staff to create a message with a virus signature and submit the message to a DataPower service that is configured to perform Anti-Virus scanning. DataPower will send the message to the defined virus scanner. It should identify the threat signature. Review the DataPower System Logs to confirm that the message was rejected by the anti-virus scan.
3.13 Viewing User Activity Log
Rationale
Without the ability to select a user session to capture or view, investigations into suspicious or harmful events would be hampered by the volume of information.
Privileged users need access to the audit log in order to evaluate the events that take place on a system, or to send these events to an analytics engine for evaluation.
Configuration
Audit data can be viewed in several ways. First, DataPower’s built-in Audit Log can be viewed by typing “audit log” into the WebGUI search bar and selecting “Audit Log” from the results. Second, a custom log target can be configured that subscribes to audit log data. This data can be stored locally, on the appliance’s RAID array, or remotely (e.g., syslog).
Creating an audit log target in the default domain gives visibility to all user activity captured by audit log events. See Section 2.3, “Off-load System Audit Records” for how to configure Log Targets.
TIP—Object Creation in the Default Domain
DataPower service objects, such as Multi-Protocol Gateway and Web Service Proxy, should not be created in the default domain. The default domain should only be accessed by privileged users. Access by non-privileged users should be restricted to non-default domains.
Testing Tips
To test if the appropriate information is logged, first create a file-based log target, as described above. Next, create a temporary user account. Finally, access the View Logs tool from the Control Panel and select the log target from the Target drop-down list. Then view the user audit log file. The newly created user should be logged. The System Log display is shown in Figure 3-19.
Figure 3-19 User Audit log results.
3.14 FICAM-Issued Profile Support
Rationale
FICAM is the US Federal Government’s implementation of identity, credential, and access management. It is meant to provide a common set of ICAM standards, best practices, and implementation guidance for Federal agencies (see https://ibm.biz/BdrBWx). FICAM is being positioned as a component of federated identity management for US Federal Government agencies. Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM-authentication protocols, such as SAML 2.0 or OpenID 2.0. Use of FICAM-issued profiles addresses open identity management standards. The use of the DataPower AAA policy allows authentication of users against FICAM-issued Profiles.
Configuration
In the WebGUI search bar, type AAA. Select the appropriate existing AAA policy, or add a new one. Select the Identity Extraction tab. Click the box next to the ‘Name from SAML Authentication assertion’ entry. This configuration is shown in Figure 3-20.
Figure 3-20 Extract Identity from SAML assertion.
Click the Authentication tab. In the Method drop down, select ‘Accept SAML Assertion with valid signature.’ This configuration is shown in Figure 3-21.
Figure 3-21 SAML Assertion authentication.
Testing Tips
Configure your application domain to debug level logging. Configure a DataPower service (e.g., Multi-Protocol Gateway service) with an AAA action, as previously described. Submit to the DataPower service a test request which contains a signed SAML Authentication Assertion. Check the system logs to confirm that the message was processed successfully. Send a SAML assertion with an invalid signature and confirm that the message is rejected by DataPower.
3.15 Access Control Lists
Rationale
Unrestricted traffic may contain malicious traffic that poses a threat to a business or to other connected networks. Additionally, unrestricted traffic may send many messages to a network, consuming bandwidth and other resources.
Implementing access control policies and access control lists on devices that control the flow of network traffic (e.g., application level firewalls and Web content filters) ensures that the flow of traffic is allowed only from authorized sources and to authorized destinations.
The configuration of an access control list (ACL) consists of a sequence of allow and deny clauses. Each clause identifies an IP address or range of addresses that allow or deny access to a service.
Configuration
Type “access control list” in the WebGUI search bar. Select the Entry tab. In the Entry box, click the Add button. Add Allow or Deny access to a range of IP addresses. This configuration is shown in Figure 3-22.
Figure 3-22 Access Control List.
TIP—Using CIDR Notations
The use of Classless Inter-Domain Routing (CIDR) allows easier definition of a range of contiguous IP host and subnet addresses (https://ibm.biz/Bd4bHX).
TIP—Don’t Rely Exclusively on ACLs
ACLs rely on the IP address of the client computer sending the request. However, IP addresses can be spoofed. Consequently, ACLs should never be used as the only means of authentication. Instead, couple the use of ACLs with additional measures such as two-way SSL.
Testing Tips
Create an address range within your control and add it as an Allow clause, then test. This should allow the IP address to connect to DataPower. Next, add the same range to a Deny clause and retest. This should fail.
3.16 Using Filter Actions to Prevent Replay Attacks
Rationale
Replay attacks depend upon intercepting legitimate messages, then altering them. A replay attack may enable an unauthorized user to intercept a message, masquerade as the original sender, then gain access to information above their access level.
Techniques used to prevent a replay attack include the AAA Filter action, protocols using nonces (e.g., numbers generated for a specific one-time use), and challenges (e.g., TLS). Additional techniques include time-synchronous and challenge-response one-time authenticators. Section 3.6, “Configure Replay-Resistant Mutual SSL/TLS” discusses another way to combat replay attacks by configuring mutual TLS/SSL authentication.
Configuration
A Filter action is part of a processing policy for a DataPower service such as a Multi-Protocol Gateway (MPGW) or Web Service Proxy (WSP). The Filter actions available in their policies can be leveraged to prevent replay attacks. This filter uses a directory to cache a selected value from submitted documents. When this value is part of any subsequent request, that request is rejected.
Select the proper service object, such as an MPGW, and edit the Style Policy. Drag the Filter action to the appropriate processing rule. This configuration is shown in Figure 3-23.
Figure 3-23 Adding a Filter action.
Double click the Filter action. Select the Advanced tab → Filter Method. Select Replay Filter. The replay-filter.xsl is automatically entered into the Transform File field. This configuration is shown in Figure 3-24.
TIP—Replay Filter Stylesheet
The replay-filter.xsl file exists in the store:/// directory. Files in this directory cannot be edited. However, they may be copied, augmented, and saved in the local:/// directory.
Figure 3-24 Advanced tab for Filter action.
Next, specify the Replay duration. This parameter specifies that if you see a message with the same credentials within the defined time limit, consider it to be a replay attack and reject it. The default value is 600 seconds.
Finally, provide a custom XPath expression that points to the part of the request document containing the credential information. If you don’t know the XPath expression offhand, you can upload a sample document via the XPath Tool. Select the XML node/element and the XPath statement will be generated for you.
Testing Tips
The scenario to be tested is that the client application (“Alice”) sends a test message to the server (“Bob”). The objective is to confirm that an eavesdropper (“Eve”) cannot intercept the first message, extract credentials, then “replay” those messages at a later date. To do this, first construct a test message (SOAP or XML) that contains user credentials (e.g. a WS-Security User Name Token). Next, set up a DataPower service (e.g. Multi-Protocol Gateway) configured with a Replay Filter, as previously described. Set the replay duration to 60 seconds, for test purposes. And configure the Replay Filter XPath expression to retrieve the user credentials. Set your application domain logging to debug level. Submit the test message to your service, then re-submit it within 60 seconds. Check the logs to confirm that the second submission is rejected by the replay filter.
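The behaviour of the Replay Filter described in the configuration steps and exercised in the testing tip above, as an added model in plain JavaScript; it is not the handbook's code and not DataPower's replay-filter.xsl. Assumptions: a constructed WS-Security UsernameToken request, a regex that selects the token's Nonce in place of the configured XPath expression, and an injected clock in seconds so the 60-second test window is deterministic.

```javascript
const DEFAULT_REPLAY_DURATION = 600; // handbook default, in seconds

// Constructed request (assumption): a UsernameToken carrying a per-request Nonce.
function usernameTokenRequest(user, nonce) {
  return '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header>' +
    '<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">' +
    '<wsse:UsernameToken><wsse:Username>' + user + '</wsse:Username>' +
    '<wsse:Nonce>' + nonce + '</wsse:Nonce></wsse:UsernameToken>' +
    '</wsse:Security></soap:Header><soap:Body><echo/></soap:Body></soap:Envelope>';
}

// Stand-in for the configured XPath expression: select the UsernameToken
// Nonce as the value to remember (assumption; the real filter evaluates
// whatever XPath you configure on the action).
function selectCredential(xml) {
  const m = /<wsse:Nonce\b[^>]*>([^<]+)<\/wsse:Nonce>/.exec(xml);
  return m ? m[1].trim() : null;
}

class ReplayFilter {
  constructor(replayDuration = DEFAULT_REPLAY_DURATION) {
    this.replayDuration = replayDuration;
    this.seen = new Map(); // selected value -> time (seconds) it was first seen
  }

  // Decide one request presented at time `now`. A request whose selected value
  // was already seen inside the replay window is rejected; a request with no
  // selectable value is rejected too, so a stripped token cannot bypass the check.
  check(xml, now) {
    const value = selectCredential(xml);
    if (value === null) return { accept: false, reason: 'XPath selected no credential' };
    // Drop entries whose replay window has elapsed.
    for (const [k, t] of this.seen) {
      if (now - t >= this.replayDuration) this.seen.delete(k);
    }
    if (this.seen.has(value)) {
      return { accept: false, reason: 'value seen within ' + this.replayDuration + 's: replay' };
    }
    this.seen.set(value, now);
    return { accept: true };
  }
}
```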
3.17 Caching User Authentication and Authorization Results
Rationale
Caching of user authentication and authorization decisions can significantly improve transactional performance by eliminating the need to reprocess authentication and authorization steps with each request. Since the authentication server does not need to be accessed on every request, both network traffic and load on the authentication server can be reduced.
DataPower’s AAA processing is predicated upon having a set of user credentials (presented in a transaction) and a requested “resource”. The resource is the service (e.g. SOAP operation, or REST URI) that the user is attempting to access. The result of AAA processing – permit or deny – can be cached for a defined period of time such that any subsequent request using the same user credentials and requesting the same resource can re-use the previously rendered decision.
However, caching this authentication object for too long could expose the system to exploitation of the cached user information. DataPower can be configured to delete the cache after a specified time period.
In DataPower’s AAA action, a user authentication request can be cached for a set period of time in order to alleviate multiple authentication requests to an external authentication service. Each entry in the cache must have a unique key. When there is a match against a unique key, the cache returns the results from the previous authentication.
Configuration
The steps listed in this section assume the existence of a previously defined AAA Policy that will be used in a service object such as a Multi-Protocol Gateway.
In the appropriate application domain (not the default domain), from the WebGUI search bar, type AAA Policy. Select the existing AAA Policy. Select the Authentication tab. Set the Cache Authentication Results. Set the Cache lifetime value.
TIP—DataPower AAA Caching Modes
Absolute – Caches the results for the period of time that is specified by the cache lifetime. The lifetime is the explicit time-to-live (TTL).
Disabled – Disables caching. The system will not cache results.
Maximum – Compares the explicit TTL to the protocol TTL, if any. The effective TTL is the lesser of the two values. If the explicit TTL is five and the protocol TTL is ten, then the effective TTL is five. Without a protocol TTL, it is equivalent to Absolute.
Minimum – Compares the explicit TTL to the protocol TTL, if any. The effective TTL is the greater of the two values. If the explicit TTL is five and the protocol TTL is ten, then the effective TTL is ten. Without a protocol TTL, the effective TTL is equivalent to 86,400. See: https://ibm.biz/BdrEHG
The Cache Lifetime can be set to a value that makes sense for the message flow and external authentication server. This configuration is shown in Figure 3-25.
Figure 3-25 AAA Authentication cache.
TIP—AAA Cache Authentication and Authorization
The cache can be set independently in both the authentication tab and the authorization tab.
Testing Tips
Send a message to the target service that will match to a Processing Rule containing the AAA action. Wait longer than the cache value, then resend the same message (with the same user credentials). The log file will show an attempt to contact the authentication service for both requests. Send a third test message to the service within the effective TTL limit. The log file should show that the Authentication decision was retrieved from the AAA cache.
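The effective-TTL rules from the caching modes tip and the three-request sequence from the testing tips above, as one added model; this is not the handbook's code and not DataPower's AAA implementation. Assumptions: decisions are keyed on (credential, resource) as the rationale describes, the external authentication server is a constructed directory function, and the clock is injected in seconds.

```javascript
const PROTOCOL_TTL_FALLBACK = 86400; // "Minimum" mode with no protocol TTL, per the tip

// Effective time-to-live for one cache mode, following the tip's rules.
// `protocolTtl` is null when the authentication protocol supplied none.
function effectiveTtl(mode, explicitTtl, protocolTtl) {
  switch (mode) {
    case 'disabled': return 0;
    case 'absolute': return explicitTtl;
    case 'maximum': return protocolTtl === null ? explicitTtl : Math.min(explicitTtl, protocolTtl);
    case 'minimum': return protocolTtl === null ? PROTOCOL_TTL_FALLBACK : Math.max(explicitTtl, protocolTtl);
    default: throw new Error('unknown cache mode: ' + mode);
  }
}

// Decision cache keyed on (credential, resource). A permit cached for one
// resource is never reused for another, and an expired entry forces a new
// round trip to the authentication server.
class AaaDecisionCache {
  constructor(mode, explicitTtl) {
    this.mode = mode;
    this.explicitTtl = explicitTtl;
    this.entries = new Map(); // key -> { decision, expires }
  }

  // `authenticate(credential, resource)` stands in for the external server and
  // returns 'permit' or 'deny'; `now` is in seconds.
  decide(credential, resource, authenticate, now, protocolTtl = null) {
    const key = credential + '\u0000' + resource;
    const hit = this.entries.get(key);
    if (hit !== undefined && now < hit.expires) {
      return { decision: hit.decision, fromCache: true };
    }
    const decision = authenticate(credential, resource);
    const ttl = effectiveTtl(this.mode, this.explicitTtl, protocolTtl);
    if (ttl > 0) this.entries.set(key, { decision, expires: now + ttl });
    else this.entries.delete(key);
    return { decision, fromCache: false };
  }
}

// The three-request sequence from the testing tips with a constructed
// directory and a 5-second absolute lifetime: request 2 arrives after the
// TTL, request 3 within it. Returns the server call count after each request.
function demoTestingTips() {
  let serverCalls = 0;
  const directory = (credential) => {
    serverCalls++;
    return credential === 'CN=alice' ? 'permit' : 'deny';
  };
  const cache = new AaaDecisionCache('absolute', 5);
  const results = [];
  for (const t of [0, 6, 8]) {
    const r = cache.decide('CN=alice', '/orders', directory, t);
    results.push({ at: t, decision: r.decision, fromCache: r.fromCache, serverCalls });
  }
  return results;
}
```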
3.18 Configuring Transport Layer Security Consistent with NIST SP 800-52
Rationale
As previously described, a component of DataPower’s client-side processing is the SSL/TLS negotiation and decryption of the data stream. Organizations will frequently require compliance with the Transport Layer Security (TLS) requirements identified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-52. NIST SP 800-52 requires a minimum protocol of TLS 1.1 configured with FIPS-based cipher suites. NIST recommended that agencies develop migration plans to TLS 1.2 by January 1, 2015.
TIP—NIST SP 800-52 Revision 1
See the NIST publication site for more details on NIST SP 800-52 (revision 1) requirements: https://ibm.biz/BdrF8p.
Configuration
First, ensure that the appliance is operating at the appropriate level of FIPS 140-2 compliance, as described in Section 3.2, “Use Strong Crypto for Message Traffic.” Next, configure an SSL Server Profile (the Security profile used to secure the connection between the client and the DataPower appliance). To add a new SSL Server Profile, log in to your domain via the WebGUI and go to Objects → Crypto Configuration → SSL Server Profile; click the “Add” button.
Figure 3-26 Configure an SSL Server Profile.
Provide an SSL Server Profile name and determine which Protocols to enable. Commonly, SSLv3 and TLS 1.0 are disabled. For full compliance with the NIST SP 800-131a requirement, TLS 1.0 would also be disabled.
TIP—Disable SSL V3 and TLS V1.0
It is a best practice to disable SSL V3 and TLS V1.0, as these cryptographic protocols have been broken and are insecure.
TIP—NIST SP 800-131a Compliance
See the DataPower Knowledge Center for more details on configuring NIST SP 800-131a compliance: https://ibm.biz/Bd4uBD.
Commonly, the client that is connecting to the DataPower gateway is outside of your organization’s control. Confirm that the client can support the protocols and ciphers that are configured for the SSL Server Profile to ensure that the organizations will be able to exchange messages.
Next, configure the “Identification Credentials” by clicking the “+” or selecting an existing Identification Credential object from the drop-down list. The identification credential specifies the Key and Certificate objects that are used to assert the DataPower appliance’s identity during an SSL negotiation.
Next, configure Client Authentication. By default, no client authentication is required. If you want to configure mutual TLS (also known as two-way TLS or two-way SSL), change the radio button to “on.” You will then be prompted to configure additional items, including specifying the Validation Credential object that will be used to validate the client-side certificates presented during the SSL negotiation (see Section 3.7, “Define Crypto Validation Credentials and Certificate Revocation Policy”).
Figure 3-27 Configure Client Authentication for the SSL Server Profile.
Testing Tips
In the search field, search for “Crypto” and select “Cryptographic Mode Status” from the results. Confirm that the “Target” value is set to “FIPS 140-2 Level 1.”
Next, search for “SSL Server Profile” and select “SSL Server Profile” from the results. Click the name of the SSL Server Profile object to be inspected and confirm the configuration of the Protocols (TLS 1.1 and/or TLS 1.2), as well as that the Identification Credential and (optional) Client Authentication are configured correctly.
3.19 Securely Transmit Authentication Information
Rationale
In the course of processing transactional traffic, requests are typically authenticated. Such authentication commonly involves remote resources such as external LDAP servers. Securing the transmission of authentication information ensures that it cannot be exposed, altered, or otherwise compromised during transmission. The DataPower appliance provides the following authentication server targets: LDAP, ClearTrust, IBM Security Access Manager, SiteMinder, SAML, WS-Trust, and RADIUS.
DataPower provides secure access to all supported authentication methods. For example, on the AAA Policy Authentication tab, select “Bind to LDAP server” as the Method. Parameters will then appear that allow the configuration of a secure SSL/TLS connection to that authorization server. For a secure connection to LDAP as well as all of the other supported authentication servers, you need to configure an SSL Client Profile. Details of that process may be found here: https://ibm.biz/Bd48sk. It is preferable to use only the most recent TLS version, which is 1.2 at the time of this writing.
Configuration
The DataPower Gateway provides support for the secure transmission of authentication information to any supported authentication server.
To configure secure transmission, use the WebGUI to go to Objects → XML Processing → AAA Policy. Press the Add button. Then, on the Authentication tab, complete the parameters associated with the server you have specified in the Method parameter (e.g., LDAP). Configuration of the different Authentication techniques will vary, but those involving remote services (e.g. LDAP) will include the ability to establish secured connections, as is the case below, where the “SSL client type” is defined.
Figure 3-28 Configure AAA Policy authentication.
Please note that though our focus here is on completing the authentication portion of our AAA Policy, the identity extraction methods specified on the “Identity extraction” tab must be in sync with your chosen authentication method.
Testing Tips
Verify that the secure transmission of authentication information within your AAA Policy has been configured properly. Use the WebGUI to go to Objects → XML Processing → AAA Policy, and select an existing AAA Policy. Confirm that the identity extraction method chosen for this policy is in sync with the authentication method you have selected. Confirm that all parameters on the Authentication tab are correctly configured. Confirm that an SSL Client Profile is associated with the configuration for accessing your authentication server. Also, confirm that the SSL Client Profile uses only TLS v1.1 and 1.2.
3.20 Server Name Indication (SNI) Profiles
Rationale
Server Name Indication (SNI) is an extension of the TLS protocol that allows multiple host names to be served over HTTPS from the same IP address. Making use of the SNI extension enables websites and web services to make use of fewer IP addresses throughout their environment, since SNI allows multiple domains to share the same secure IP address, a limitation in the base SSL/TLS protocol.
Normally, when making a TLS connection to a secure (HTTPS) site, a client will send a request to a server which will return to the client its digital certificate as part of the TLS handshaking sequence. The client will then examine the certificate and compare the host name in the certificate with the host name it was expecting to connect with. If a different host name is given in the certificate, this could indicate to the client that the connection may be compromised, possibly part of a man-in-the-middle (MITM) attack for instance, and reject the transaction.
Ideally, the server should be able to serve up the proper certificate that the client is expecting, provided the server supports the requested client host name. The problem here is that the TLS handshake happens before the server sees any client forwarded HTTP headers that indicate the domain or host name the client is expecting. Therefore, it is not possible for the server to use the information in the client HTTP host header to decide which certificate to present, and as such it presents to the client the certificate associated with the requested IP address.
The SNI extension allows the server to host multiple domain names (certificates) on a single IP address and uses the domain name the client is sending to select the appropriate certificate for the TLS handshake, thus eliminating the TLS connection warning.
Configuration
In order to configure SNI in DataPower, from the WebGUI, type SNI in the search bar. Choose SSL SNI Server Profile. Click Add, then name the profile. Deselect “Enable TLS 1.0” (this is a less secure version of TLS and should not be used). See Figure 3-29.
Figure 3-29 SNI server profile.
In the “Host name to profile mapping” field, choose an existing profile or create a new one for the “Host name to profile mapping.” To create a new profile, click the “+” icon. Enter the host name in the “Host name matching expression” field and select the appropriate SSL Server Profile, then click Add. See Figure 3-30.
Figure 3-30 SSL Host Name Mapping.
Next, in the “Default server profile”, choose an existing SSL Server profile. This SSL server profile will act as the default profile to be used when no ClientHello SNI extension is provided during the client request.
To make use of the SNI profile, modify the HTTPS Front Side Handler of an existing DataPower service (e.g. Multi-Protocol Gateway). Select “SNI Server Profile” for the value in the “SSL server type” field. From the “SSL SNI server profile” drop down list, select the previously configured profile, in this case, “testSNIServerProfile.”
Figure 3-31 HTTPS Front Side Handler SSL SNI server profile.
Testing Tips
First, configure either a DNS server or /etc/hosts file to map the same IP address to two different host names. Use an SNI-capable browser and send a request to a pre-defined HTTPS Front Side Handler associated with a DataPower service object. In the URL, ensure that the host name chosen matches one of the matching expressions in your SSL SNI Server Profile. Test with your second host name. Both web addresses should resolve without any warning messages from the browser.
3.21 Configure XML and JSON Threat Protection
Rationale
A significant component of DataPower's role as a security gateway is ensuring that incoming requests are free from threat signatures, that is, content or markup that would compromise an off-the-shelf parser and possibly the application server behind it. DataPower has the ability to perform various threat checks on XML (including SOAP) and JSON data formats.
Configuration
During the Client-Side (Front) Processing Phase, the received message is directed to the service object that is configured for the IP address and port combination on which the message was received. Once the service object (such as a Multi-Protocol Gateway or Web Service Proxy) receives the message, a significant amount of processing of the message occurs. For example:
- If SSL is configured for the service, SSL/TLS negotiation and decryption of the data stream will occur;
- SOAP envelope validation (if applicable);
- Protocol-specific actions such as HTTP header suppression or injection; and
- Inspection for known XML or JSON threats (assuming that your service is processing XML, SOAP or JSON).
With respect to filtering and inspecting message traffic, several key configurations impact this processing phase. These include the request and response data types, the XML Manager configuration for XML/JSON parser limits and, finally, the threat protection checks.
If using the Multi-Protocol Gateway, specify the appropriate type of request and response traffic: JSON, Non-XML, Pass through, SOAP or XML. Specifying JSON, SOAP, or XML will automatically trigger a check for well-formedness of the related message; no other configuration is required. For an XML document to be considered well formed it must have, at a minimum, a single root element, every element must be closed (by an end tag or as an empty-element tag), and elements must be properly nested; a JSON document must likewise be one complete, syntactically valid value. Note that the XML Firewall only accepts XML messages, and the Web Service Proxy accepts only SOAP messages.
Once the well-formedness check is completed, the JSON or XML threat checks are applied, as appropriate for the request message type. Initial configuration for XML Threat Protection starts by configuring the XML parser limits via the XML Manager object. Within your application domain, go to Objects → XML Processing → XML Manager. Click "Add" to add a new XML Manager, then click the "XML Parser" tab. From this configuration tab, you can control parameters such as maximum node size and element depth, which bound the memory a single document can make the parser consume. Note that these checks are performed separately from any XML Schema validation.
Figure 3-32 XML Parser Limits.
From the "Main" tab of the XML Manager configuration, you can also specify JSON Settings to be applied to incoming requests.
Figure 3-33 XML Manager Main tab.
To define JSON Settings, click the "+" button next to the JSON Settings field.
Figure 3-34 JSON Settings Object.
Similar to the XML Parser Limits, JSON Settings control the maximum parameters (such as nesting depth and string lengths) for incoming JSON payloads.
TIP—Custom XML Manager
Create a custom XML Manager for your services to use, separate from the default XML Manager. This approach makes it very clear in your configuration that you have customized XML Manager settings that are distinctly different from the default settings.
The XML Threat Protection configuration is accessible through the configuration page of each of the main service types: Multi-Protocol Gateway, Web Service Proxy and XML Firewall. For example, in the Multi-Protocol Gateway, click on the "XML Threat Protection" tab.
Figure 3-35 Multi-Protocol Gateway XML Threat Protection tab.
Using the XML Threat Protection configuration, you have access to configuration options for applying XML Threat Protection measures against Single-Message (XDoS) and Multiple-Message (MMXDoS) Denial of Service attacks. You also have access to parameters for configuring protection measures during the subsequent service processing phase, including message tampering protection, injection attack protection and dictionary attack protection.
Figure 3-36 XML Threat Protection configuration.
Testing Tips
Configure your service object (e.g. Multi-Protocol Gateway) to accept a particular type of data (e.g. XML or SOAP), and configure the XML Manager and XML threat protection checks. Within your development domain, enable logging at the debug level. Then submit test messages that are constructed to violate the parser limits and/or threat protection measures. Check the logs to confirm that the test messages are being rejected as expected, and also submit a legitimate message that sits just under each limit to confirm that production traffic will still pass.
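The well-formedness check and the parser limits described in this step, as an added Go example that is neither the appliance's code nor from the book: a streaming check over XML and JSON tokens that rejects a document the moment it exceeds a depth or node-size limit, is unbalanced, has more than one root, or is truncated, before any tree is built. The Limits type with its two fields is a simplification standing in for the XML Manager parser limits and the JSON Settings object, and the sample documents are constructed for the demo.

```go
package main

import (
	"bytes"
	"encoding/json"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Limits stands in for the XML Manager parser limits and JSON Settings of the
// text: a nesting depth cap and a per-node size cap (bytes in one XML text node
// or one JSON string). The real appliance objects carry more knobs than these.
type Limits struct {
	MaxDepth    int
	MaxNodeSize int
}

// CheckXML streams the document through a tokenizer so the limits apply before any tree is built.
func CheckXML(doc []byte, lim Limits) error {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	depth, roots := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		} else if err != nil { // unbalanced tags, unknown entities, truncated input
			return fmt.Errorf("not well-formed: %w", err)
		}
		switch t := tok.(type) {
		case xml.StartElement:
			if depth == 0 {
				if roots++; roots > 1 {
					return errors.New("not well-formed: more than one root element")
				}
			}
			if depth++; depth > lim.MaxDepth {
				return fmt.Errorf("element depth %d exceeds %d", depth, lim.MaxDepth)
			}
		case xml.EndElement:
			depth--
		case xml.CharData:
			if len(t) > lim.MaxNodeSize {
				return fmt.Errorf("text node of %d bytes exceeds %d", len(t), lim.MaxNodeSize)
			}
		}
	}
	if roots == 0 {
		return errors.New("not well-formed: no root element")
	}
	return nil
}

// CheckJSON does the same for JSON from the decoder's token stream: nesting
// depth, single string length, and a complete (non-empty, non-truncated) document.
func CheckJSON(doc []byte, lim Limits) error {
	dec := json.NewDecoder(bytes.NewReader(doc))
	depth, values := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		} else if err != nil { // syntax error, or input truncated inside a value
			return fmt.Errorf("not well-formed: %w", err)
		}
		if d, ok := tok.(json.Delim); ok && (d == '}' || d == ']') {
			depth--
			continue
		}
		values++
		switch t := tok.(type) {
		case json.Delim: // '{' or '['
			if depth++; depth > lim.MaxDepth {
				return fmt.Errorf("nesting depth %d exceeds %d", depth, lim.MaxDepth)
			}
		case string:
			if len(t) > lim.MaxNodeSize {
				return fmt.Errorf("string of %d bytes exceeds %d", len(t), lim.MaxNodeSize)
			}
		}
	}
	if depth != 0 || values == 0 { // containers still open at EOF, or nothing at all
		return errors.New("not well-formed: truncated or empty document")
	}
	return nil
}

// Constructed samples (not from the book): a benign SOAP request, a deep-nesting
// (XDoS-style) attempt in each format, and a truncated JSON body.
func main() {
	lim := Limits{MaxDepth: 8, MaxNodeSize: 64}
	fmt.Println("soap:", CheckXML([]byte(`<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><getQuote><symbol>IBM</symbol></getQuote></soap:Body></soap:Envelope>`), lim))
	fmt.Println("deep xml:", CheckXML([]byte(strings.Repeat("<x>", 20)+"1"+strings.Repeat("</x>", 20)), lim))
	fmt.Println("deep json:", CheckJSON([]byte(strings.Repeat("[", 10)+"1"+strings.Repeat("]", 10)), lim))
	fmt.Println("truncated json:", CheckJSON([]byte(`{"symbol":"IBM"`), lim))
}
```

The point of working on the token stream rather than a parsed tree is that a hostile document is rejected after a bounded amount of input, which is what a parser limit is for; a check that parses first and measures afterwards has already spent the memory the limit was meant to protect.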
Summary
In this chapter, we covered twenty-one steps to harden message-level traffic flowing through the IBM DataPower Gateway appliance.
Appendix A: DataPower Resources
To download code listings shown in this book, please go to http://wildlakepress.com/books/15-information-technology/18-datapower-handbook-resources
DataPower Resources
IBM DataPower Handbooks: Volume I: DataPower Intro & Setup:
http://amzn.to/1IjrEBb
Volume II: DataPower Networking:
http://amzn.to/1Ijrzh3
Volume III: DataPower Development:
http://amzn.to/1JJszf4
Volume IV: DataPower B2B and File Transfer:
http://amzn.to/1Ijrzh3
IBM DataPower Knowledge Center:
http://www-01.ibm.com/support/knowledgecenter/SS9H2Y/welcome
IBM DataPower Information Center:
http://www.ibm.com/software/integration/datapower/library/documentation
IBM DataPower Internet/WWW Main Product Page:
http://www.ibm.com/datapower
DataPower GitHub:
https://github.com/ibm-datapower
Twitter:
https://twitter.com/IBMGateways
YouTube:
https://www.youtube.com/channel/UCV2_-gdea5LM58S-E3WCqew
LinkedIn:
https://www.linkedin.com/groups?home=&gid=4820454
developerWorks Discussion Forum:
https://www.ibm.com/developerworks/community/forums/html/forum?id=11111111-0000-0000-0000-000000001198
Weekly DataPower Webcast:
https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-wdwfw
SlideShare:
http://www.slideshare.net/ibmdatapower/
How to find appropriate DataPower product information:
http://www-01.ibm.com/support/docview.wss?uid=swg21377654
DataPower Product Support Website:
Contains firmware, documentation, support procedures, technotes and other helpful material:
http://www.ibm.com/software/integration/datapower/support/
Redbooks:
http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=datapower
Software Services for WebSphere:
Top-notch DataPower consulting from IBM WebSphere.
http://www.ibm.com/developerworks/websphere/services/findbykeyword.html?q1=DataPower
Hermann Stamm-Wilbrandt's Blog:
Hermann is one of the brightest minds in DataPower-land, and his blog on development topics is incredibly valuable, featuring tips and techniques that can't be found elsewhere.
https://www.ibm.com/developerworks/community/blogs/HermannSW/?lang=en
WebSphere Global Community DataPower Group:
http://www.websphereusergroup.org/datapower
IBM WebSphere DataPower Support:
http://www.ibm.com/software/integration/datapower/support/
Support Flashes RSS Feed:
http://www-947.ibm.com/systems/support/myfeed/xmlfeeder.wss?feeder.requid=feeder.create_public_feed&feeder.feedtype=RSS&feeder.maxfeed=25&OC=SS9H2Y&feeder.subdefkey=swgws&feeder.channel.title=WebSphere%20DataPower%20SOA%20Appliances&feeder.channel.descr=The%20latest%20updates%20about%20WebSphere%20DataPower%20SOA%20Appliances
IBM DataPower Support Technotes:
http://www.ibm.com/search/csass/search?q=&sn=spe&lang=en&filter=collection:stgsysx,dblue,ic,pubs,devrel1&prod=U692969C82819Q63
IBM Education Assistant DataPower Modules:
http://www-01.ibm.com/support/knowledgecenter/websphere_iea/com.ibm.iea.wdatapower/plugin_coverpage.dita
WAMC Technote:
http://www-01.ibm.com/support/docview.wss?uid=swg24032265
DataPower Feature Grid:
We consider the Feature Grid to be an invaluable resource, and we are excited to provide it to you. It yields the answers to the most commonly asked questions about DataPower ("Is feature/protocol/spec X supported on my Y appliance?"). We had initially included the entire table here, spread across several pages. However, due to its density, it was hard to read, and it was literally changing under us as product management made changes for the impending announcements.
We debated and felt that the best thing we could do for our readers would be to provide a URL hyperlink, so that the most up-to-date information (and not stale or incorrect information!) is available to you. There are detriments to this approach, such as the dreaded 'busted URL', but in this day and age it's likely that you are reading this on a device with an Internet connection, or have one within reach, and as well we have the capability to update this book as soon as we find that something is amiss. You can find the features grid at:
http://www.slideshare.net/ibmdatapower/ibm-data-power-gateways-features-comparison
Acknowledgements
The Author Team: We thank the IBM management team for allowing us to access the resources necessary to write the book.
Bill Hines: I'd like to thank Keys Botzum and Kyle Brown for being role models for work ethic and integrity, and mentoring me throughout my IBM career. I'd like to thank my immediate and extended family for being supportive and understanding during the tough times. Last but certainly not least, I'd like to thank my author team for sticking with this project during the many months, nights, and weekends of heated debates and stress. You were all picked for a reason, and I think the fact that you have all put up with me, and we have been through what we have and emerged still good friends with tremendous respect for each other, attests to those decisions being good ones. I'm extremely proud of the job you've done.
Terrill Kramer: I would, first and foremost, like to thank my co-author Bill Hines, whose guidance, cajoling, monitoring, and incessant drive during this process was simultaneously annoying and much appreciated; he was Perry White to our Clark Kents. I would also like to thank my other co-authors, Derek and Len, with whom I have worked closely over many years, for their feedback, knowledge sharing, and willingness to participate in this endeavor. This has been a long ride, starting with the DataPower STIG and ending with this volume, and I couldn't think of a better group of folks to have shared this experience with. Thank you all.
Derek Doerr: I would like to thank Bill Hines for proposing we write this volume of the DataPower Handbook as well as for his seemingly endless energy in shepherding Terrill, Len and myself through the writing process. We couldn't have done it without you! I'd also like to thank Bill for being a great instructor when Terrill and I were just starting out as DataPower consultants for IBM. I would like to thank my co-authors for their insights, knowledge and patience as we worked through many drafts and revisions. Finally, I'd like to give special thanks to my original DataPower mentors Sam Pearson and Rich Groot who, thankfully, put up with a never-ending stream of questions and helped shape the past 10 years of my career.
Len McWilliams: Thanks to all of my co-authors for their hard work and support-when-I-needed-it in writing this book. It's been a privilege working with such knowledgeable and self-motivated techies. Thanks especially to Bill Hines and his zeal that made this effort happen.
About the Authors
Bill Hines: Bill is an IBM Executive I/T Specialist. His current role is North America Hybrid Cloud Integration API Economy Leader, working out of Lake Hopatcong, NJ. He has many years of IBM WebSphere solution design and implementation experience in both customer engagements and developing and delivering internal training within IBM. He is the lead author of the acclaimed IBM Press book IBM WebSphere DataPower SOA Appliance Handbook (first and second editions) and co-author of IBM WebSphere: Deployment and Advanced Configuration, as well as many articles published in WebSphere Technical Journal and developerWorks.
Terrill Kramer: Terrill is a Senior Solutions Architect for Amazon Web Services in the US Federal sector. He is an Open Group Certified I/T Specialist. He has over 22 years of experience in the IT industry, including 20 years at IBM, in a variety of roles from Developer, Consultant, and Technical Specialist, primarily for DataPower and various WebSphere products. He is co-author of IBM WebSphere DataPower B2B Appliance XB60 Revealed.
Derek Doerr: Derek is a Senior IBM and Open Group Certified I/T Specialist. His current role is as a Technical Sales Specialist in IBM's Hybrid Cloud Integration group working with US Federal Government customers, working out of Bradenton, FL. He has over 20 years of experience in the IT industry, including 14 years at IBM, in a variety of roles including development, management consulting, and as a consultant for IBM DataPower customers. Over the years he has been involved in development of the DataPower Proof-of-Technology assets, the DataPower certification test, as well as various Department of Defense certifications for IBM DataPower gateways.
Len McWilliams: Len is an IBM Hybrid Cloud Integration Technical Sales Specialist supporting Federal intelligence and DoD agency customers. He has over 35 years' experience working as an application developer, project manager, DBA, technical trainer, and specialist in Geographic Information Systems and integration middleware. In between IT gigs, Len has worked as a certified Special Education teacher and performed music from Eastern Europe, the Middle East, and North Africa, as well as classical guitar and opera. In his spare time, he builds and flies radio-controlled helicopters.
Afterword by Eugene Kuznetsov
"The proper planning of any job is the first requirement. With limited knowledge of a trade, the job of planning is doubly hard, but there are certain steps that any person can take towards proper planning if he only will."
— Robert Oakes Jordan, Masonry
I founded a company called DataPower® in the spring of 1999 to build products based on several distinct ideas. The first idea involved applying reconfigurable computing and dynamic code generation to the problem of integrating disparate applications. The second idea centered on the concept of data-oriented programming (DOP) as the means to achieve direct and robust data interchange. The third idea involved delivering middleware as a network function, enabled by the DOP technology and inspired by the successful models of ubiquitous connectivity. The product's journey since has been remarkable, and this great book is another milestone for the entire team behind DataPower. Before more discussion of the book itself, a few words on these three ideas.
Rapidly adapting to change is key for everything and everyone in today's world, and IBM appliances are no exception. Whether it's a policy, a transformation map, a schema, or a security rule, DataPower will try to put it into effect with as little delay and interruption as possible. Popular methods for maintaining this kind of flexibility come with a large performance penalty. However, by dynamically generating code and reconfiguring hardware based on the current message flow, it became possible to achieve both flexibility and near-optimal performance. At any given point, the device operates as a custom engine for a particular task, but when the task changes, it can rapidly become a different custom engine underneath the covers.
This dynamic adaptability is especially useful when combined with DOP. Stated briefly, DOP emphasizes formally documenting data formats and using them directly, instead of encapsulation or abstraction, to integrate or secure different modules or systems. Today, XML is probably one of the most successful and readily recognized examples of DOP, but the principles are more universal than any particular technology. Another example of DOP is the way DataPower XI52 processes binary data, by using high-level format descriptors instead of adaptors.
These, in turn, enable the creation of network hardware (also known as appliance) products that operate on whole application messages (rather than network packets) to integrate, secure, or control applications. Greater simplicity, performance, security, and cost-effectiveness were envisioned—and are now proven—with the appliance approach. Beyond the appliance design discipline, the success of IP & Ethernet networking in achieving universal connectivity has much to teach about the best way to achieve radically simplified and near-universal application integration.
Reading this book will enable you to benefit from the previous three ideas in their concrete form: the award-winning IBM products they became. From basic setup to the most powerful advanced features, it covers DataPower appliances in a readable tone with a solid balance of theory and examples. For example, Chapter 6 does a great job in explaining the big-picture view of device operation, and Chapter 22 gives a detailed how-to on extending its capabilities. With some of the most experienced hands-on DataPower practitioners among its authors, it provides the kind of real-world advice that is essential to learning any craft.
When learning IBM DataPower, there is one thing that may be more helpful and rewarding than remembering every particular detail, and that is developing an internal "mental model" of how the devices are meant to operate and fit into the environment. Especially when troubleshooting or learning new features, this "mental model" can make device behavior intuitive. Reading the following pages with an eye toward not just the details but also this mental model will speed both productivity and enjoyment.
In conclusion, I would like to use this occasion to thank the entire team, past and present, who made and continues to make DataPower possible. Their work and the passion of DataPower users is an inspiring example of how great people and a powerful idea can change the world for the better.
— Eugene Kuznetsov, Cambridge, MA. Founder of DataPower Technology, Inc.; served as President, Chairman, and CTO at various points in the company's history, and then served as director of Product Management and Marketing, SOA Appliances at IBM Corporation.
DataPower's first office is on the right. Photo courtesy of Merryman Design.
Afterword by Jerry Cuomo
It all started when I was asked to co-host an IBM Academy Conference on "Accelerators and Off-Loading" in 2004. I was feeling a little out of my element, so I decided to take some of the focus off me and put it on others. I had been reading about some of the new XML-centered hardware devices and was intrigued. I have always been interested in system performance. With XML dominating our emerging workloads (e.g., Service Oriented Architecture), the impact of XML performance on system performance was becoming increasingly important. Hence, I thought it would be a good idea to invite a handful of these XML vendors to our conference.
At the conference, the DataPower presentation was quite different from the others. It wasn't about ASICs or transistors; it was about improving time to value and total cost of operation. The DataPower presentation focused on topics that were also near and dear to me, such as systems integration, configuration over programming, and the merits of built-for-purpose systems. In essence, Eugene Kuznetsov, the DataPower founder and presenter, was talking about the value of appliances. While very intriguing, I couldn't help but feel curious about whether the claims were accurate. So, after the conference I invited Eugene to come to our lab in Research Triangle Park in North Carolina to run some tests.
I have to admit now that in the back of my mind, I operated on the principle of "keeping your friends close and your enemies closer." Behind my intrigue was a feeling of wanting to understand their capabilities so that we could outperform vendors with WebSphere® Application Server. The tests went well; however, the DataPower team was somewhat reluctant to dwell on the raw XML performance capabilities of their appliance. Feeling a little suspicious, I had my team run some raw performance experiments. The results were off the charts. Why wasn't the DataPower team flaunting this capability? This is when I had my "ah-ha" moment. While performance measured in transactions per second is important and part of the value equation, the overall performance metrics found while assessing time to value and overall cost of operation and ownership are the most critical performance metrics to a business. This is where the DataPower appliances outperform. I read a paper, written by Jim Barton, CTO and co-founder of Tivo, called "Tivo-lution." The paper was inspiring as it confirmed the motivations and aspirations that I've had ever since I led IBM's acquisition of DataPower in 2005. In the paper, Barton describes the challenges of making complex systems usable and how "purpose-built" computer systems are one answer to the challenge:
"One of the greatest challenges of designing a computer system is in making sure the system itself is 'invisible' to the user. The system should simply be a conduit to the desired result. There are many examples of such purpose-built systems, ranging from modern automobiles to mobile phones."
The concept of purpose-built systems is deeply engrained in our DNA at IBM. The name of our company implies this concept: International Business Machines.
IBM has a long history of building purposed machines, such as the 1933 Type 285, an electric bookkeeping and accounting machine. I can imagine this machine being delivered to an accountant, plugging it in, immediately followed by number crunching. The accountant didn't have to worry about hard drive capacity, operating system levels, compatibility between middleware vendors, or application functionality. It just did the job. I can also imagine it followed the 80/20 rule. It probably didn't do 100% of what all accountants needed. But it probably did 80% of what all accountants needed very well. Users just dealt with the remaining 20%, or learned to live without it.
"Business Machines, Again" is my inspiration. Our customers respond positively to the re-emergence of this approach to engineering products. It's all about time-to-value and total cost of operation and ownership. Appliances such as our WebSphere DataPower are leading the way in delivering on these attributes.
At the extreme, purpose-built systems, such as a Tivo DVR and an XI52, are built from the ground up for their purposes. While they might use off-the-shelf parts, such as an embedded Linux® OS, it is important that all parts are "right sized" for the job. Right-sizing source code in a hardware appliance is more like firmware (with strong affinity to the underlying hardware) than it is software. As such, the Tivo-lution paper describes the need to own every line of source code to ensure the highest level of integration and quality:
"…by having control of each and every line of source code… Tivo would have full control of product quality and development schedules. When the big bug hunt occurred, as it always does, we needed the ability to follow every lead, understand every path, and track every problem down to its source."
The Tivo team even modified the GNU C++ compiler to eliminate the use of exceptions (which generate a lot of code that is seldom used) in favor of rigid checking of return code usage in the firmware. DataPower similarly contains a custom XML compiler that generates standard executable code for its general-purpose CPUs, as well as custom code for the (XG4) XML coprocessor card.
A physical appliance has the unparalleled benefit of being hardened for security. Jim talks about this in his Tivo paper:
"Security must be fundamental to the design… We wanted to make it as difficult as possible, within the economics of the DVR platform, to corrupt the security of any particular DVR."
The DataPower team has taught me the meaning of "tamper-proof" appliances, or more precisely "tamper-evident." Like the 1982 Tylenol scare, we can't stop you from opening the box, but we can protect you, if someone does open it. In fact, the physical security characteristics of DataPower make it one of the only technologies some of our most stringent customers will put on their network Demilitarized Zone (DMZ). If a DataPower box is compromised and opened, it basically stops working. An encrypted flash drive makes any configuration data, including security keys, difficult to exploit. "DP is like the roach motel; private keys go in, but never come out" is the way we sometimes describe the tamper-proof qualities of DataPower.
But the truth is, DataPower is not a DVR. DataPower is a middleware appliance. Middleware is a tricky thing to make an appliance out of. Middleware is enabling technology and by its nature is not specific to any application or vendor. The Tivo appliance is a specific application (TV and guide) that makes it somewhat easier to constrain:
"Remember, it's television. Everybody knows how television works."
"Television never stops, even when you turn off the TV set. Televisions never crash."
Hence, the challenge (and the art) in building a middleware appliance involves providing the right amount of constraint, without rendering the appliance useless. For example, DataPower does not run Java™ code (which is the primary means of customizing much of the WebSphere portfolio); instead, it uses XML as the primary mode of behavior customization. So, at some level, DP is not programmed, but instead it is configured. Now, for those who have used XML (and its cousin XSLT), you know that it's more than configuration; however, it is a constraint over Java programming, which has unbounded levels of customizability. The combined team of IBM and DataPower have been bridging this gap (of special to general purpose) effectively. We have recently added features to DP to allow it to seamlessly connect to IBM mainframe software (IMS™ and DB2®) as well as capabilities to manage a collection of appliances as if they were one.
IBM has a healthy general-purpose software business. Our WebSphere, Java-based middleware is the poster child for general-purpose middleware (write once, run almost everywhere). However, there is a place for business machines that are purpose built and focus on providing the 80 part of the 80/20 rule. We are heading down this path in a Big Blue way.
This book represents an important milestone in the adoption of DataPower into the IBM family. The authors of this book represent some of IBM's most skilled practitioners of Service Oriented Architecture (SOA). This team is a customer-facing team and has a great deal of experience in helping our customers quickly realize value from our products. They have also been among the most passionate within IBM in adopting the appliance approach to rapidly illustrating the value of SOA to our customers. The authors have unparalleled experience in using DataPower to solve some of our customers' most stringent systems integration problems. This book captures their experiences and best practices and is a valuable tool for deriving the most out of your WebSphere DataPower appliance.
— Jerry Cuomo, IBM Fellow, WebSphere CTO
Afterword by Kyle Brown
I can still remember the day in late 2005 when Jerry Cuomo first called me into his office to tell me about an acquisition (then pending) of a small Massachusetts company that manufactured hardware devices.
"Wait a minute. Hardware??!?"
That's the first incredulous thought that went through my mind. Jerry was the CTO of the WebSphere brand in IBM, which had become the industry-leading brand of middleware based on Java. Why were we looking at a company that made hardware? Echoing the immortal words of Dr. "Bones" McCoy from the classic Star Trek series, I then thought,
"I'm a software engineer, not a hardware engineer, dang it!"
But as I sat in his office, Jerry wove me a story (as he had for our executives) that soon had me convinced that this acquisition did, in fact, make sense for WebSphere as a brand and for IBM as a whole. Jerry had the vision of a whole new way of looking at SOA middleware—a vision that encompassed efficient, special-purpose appliances that could be used to build many of the parts of an SOA. Key to this vision was the acquisition of DataPower, which gave us not only a wealth of smart people with deep experience in Networking, XML, and SOA, but an entry into this field with the DataPower family of appliances—notably the Integration appliance.
Since that day, I've never regretted our decision to branch out the WebSphere brand well beyond its Java roots. The market response to the introduction of the Data Power appliances to the brand has been nothing short of phenomenal. Far from distracting us, the ability to provide our customers with an easy-to-use, easy-to-install, and remarkably efficient hardware-based option for their ESB and security needs has turned out to be an asset that created synergy with our other product lines and made the brand stronger as a whole. It's been an incredible journey, and as we begin to bring out new appliances in the DataPower line, we're only now beginning to see the fundamental shift in thinking that appliance-based approaches can give us.
On this journey, I've been accompanied by a fantastic group of people—some who came to us through the DataPower acquisition and some who were already part of the WebSphere family—who have helped our customers make use of these new technologies. Bill, John, and the rest of the author team are the true experts in this technology, and their expertise and experience show in this book.
This book provides a wealth of practical information for people who are either novices with the DataPower appliances, or who want to learn how to get the most from their appliances. It provides comprehensive coverage of all the topics that are necessary to master the DataPower appliance, from basic networking and security concepts, through advanced configuration of the Appliance's features. It provides copious, detailed examples of how the features of the appliances work, and provides debugging help and tips for helping you determine how to make those examples (and your own projects) work. But what's most helpful about this book is the way in which the team has given you not just an explanation of how you would use each feature, but also why the features are built the way they are. Understanding the thinking behind the approaches taken is an enormous help in fully mastering these appliances. The team provides that, and provides you with a wealth of hints, tips, and time-saving advice not just for using and configuring devices, but also for how to structure your work with the devices.
This book is something the DataPower community has needed for a long time, and I'm glad that the authors have now provided it to the community. So sit back, crack open the book, open up the admin console (unless you have yet to take the appliance out of the box—the book will help you there, too!) and begin. Your work with the appliances is about to get a whole lot easier, more comprehensible, and enjoyable as well.
— Kyle Brown, Distinguished Engineer, IBM Software Services and Support