
Page 1: IBM DataPower Handbook - pdf.ebook777.compdf.ebook777.com/030/9780997219623.pdfIBM DataPower Handbook Second Edition ... , or both: IBM, the IBM logo, IBM Press, CICS, Cloudscape,

IBM DataPower Handbook Second Edition

Volume V: DataPower Security Hardening

Bill Hines
Terrill Kramer
Derek Doerr
Len McWilliams

Wild Lake Press

Also available! Volumes on DataPower Intro/Setup, Networking, Development, and B2B/File Transfer.


IBM DataPower Appliance Handbook

Second Edition, Volume V: DataPower Security Hardening

The authors have taken care in the preparation of this book, but make no express or implied warranty of any kind and assume no responsibility for errors and omissions. No liability is assumed for incidental or consequential damages with or arising out of the use of the information or programs contained herein.

Note to U.S. Government Users: Documentation related to restricted right. Use, duplication, or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corporation.

Copyright © 2016 Wild Lake Press

All rights reserved. No part of this book may be reproduced in any form by any means without the express permission of the authors. This includes reprints, screen prints, excerpts, photocopying, recording, or any future means of reproducing text.

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both: IBM, the IBM logo, IBM Press, CICS, Cloudscape, DataPower, DataPower device, DB2, developerWorks, DFS, Domino, Encina, IMS, iSeries, NetView, Rational, Redbooks, Tivoli, Tivoli Enterprise, and WebSphere. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. VMWare is a registered trademark or trademark of VMWare, Inc. in the United States and/or other jurisdictions. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.

Version 1.0

ISBN: 0997219637

ISBN-13: 978-0997219630

Wild Lake Press

Lake Hopatcong, NJ, USA

www.wildlakepress.com

[email protected] / corrections to errata@wildlakepress.com, and include the book title and page. Code listings, images, and other resources in this book can be downloaded from http://wildlakepress.com/books/15-information-technology/18-datapower-handbook-resources. There is a discussion forum for all DataPower Handbooks at http://wildlakepress.com/kunena/datapower-books


To my brave and beautiful late sister Donna, to my mother Carol, who encouraged me to learn, read, and write; to my wonderful, beautiful wife Lori who inspires me and makes me laugh when I need it most; to my children Jennifer, Brittany, and Derek, my beautiful grandchildren, and my step-daughters Loriana and Marie; to my sister Patty, and the rest of my extended family, who are always there for me; and last but not least, in memory of my beloved father. —Bill Hines

To Mary for being my confidant, my part time psychologist, and my love; to my wonderful children Zach and Aislinn whom I am so proud of; to my mom and my extended family whom I do not see enough but are in my thoughts; and to all the people that I have been lucky enough to have cross my path and enrich my life. —Terrill Kramer

To my amazing and loving wife Maura for always supporting me and encouraging me to follow my passions; to my parents who gave me my start and still can’t quite figure out what I do for a living; to my children Kathleen, Maureen, Bridgette and Phillip; to my grandchildren (all seven of them as of now!); to my extended family; and finally, to all of the brilliant and dedicated professionals with whom I’ve had the honor of working with and learning from. —Derek Doerr

To my mother, who when I said I couldn’t do my spelling homework because my book was at school, made me walk back and get it. And to HaShem’s gifts to my life: my wife, four children, and eight grandchildren. —Len McWilliams


Contents

Preface

Chapter 1 DataPower Inherently Hardened Features

1.1 Role-Based Administration

Auditing Preamble

1.2 Auditing Account Creation and Modification

1.3 Auditing Administrative Commands

1.4 Prohibiting Unnecessary/Unused Ports, Services, and Protocols

1.5 Encrypted Protocols for Administrative Access

1.6 Admin Authentication Replay Protection

1.7 Password Protection

1.8 Validating PKI Admin Authentication

1.9 Authentication Feedback Should Be Obscured

1.10 Terminate Non-Local Administrative Connections

1.11 Administrative Session Identifiers Should Be Deleted

1.12 Protecting Data at Rest

1.13 Error Messages and Logs Should Only Be Visible to Authorized Users

1.14 Only Privileged Users Should Execute Admin Functions

1.15 Audit Record Timestamp Granularity

1.16 Installation of Software Modules

1.17 Temporary Passwords

1.18 Denial of Service Attacks

1.19 Audit of Administrative Actions

1.20 Configuration Changes Should Be Immediate

1.21 Unnecessary Functions Should Not Be Enabled

1.22 Secure Failure

1.23 Physical Security

1.24 Secure Administrative Protocols

Summary


Chapter 2 Appliance Administrative Hardening

2.1 User Interface Idle Timeouts and Cached Admin Credentials

2.2 Encrypting Administrative Protocols

2.3 Off-load System Audit Records

2.4 Send Immediate Threat Alarms

2.5 Configure SNMP Trap Events for Account Enabling Actions

2.6 Selective, Targeted Auditing

2.7 External Admin Authenticators

2.8 Secure Backups

2.9 Crypto Keys and Certificates

2.10 Audit Account Enabling Actions

2.11 Alert Audit Record Storage Critically Low

2.12 Generate Alerts for Audit Failure Events

2.13 Configure NTP Service

2.14 Configure the Desired Timestamp Format

2.15 Generate an Alert if Appliance Configurations Are Changed

2.16 Protecting Audit Information

2.17 Password Policy

2.18 NIST SP 800-131a and FIPS 140-2 Compliance

2.19 PKI Certificate Authentication for Admin Users

2.20 Configure Multifactor Authentication for Network Access to Non-Privileged Accounts

2.21 Enforcing Administrative User Privileges

2.22 Customizing Login and Logout Messages

2.23 Capturing System Event Data with Log Targets

2.24 Restricting Access to a Specific Log Target

2.25 Notifications for Logging Failure

2.26 Configuring Off-Appliance Logging

2.27 Controlling the Default Domain

Summary

Chapter 3 Message-Level Hardening


3.1 Validate Inbound Data

3.2 Use Strong Crypto for Message Traffic

3.3 Secure Logging for Transactions

3.4 Configure Individual and Group Authentication Methods

3.5 Multifactor Authentication for Network Access to Protected Resources

3.6 Configure Replay-Resistant Mutual SSL/TLS

3.7 Define Crypto Validation Credentials and Certificate Revocation Policy

3.8 Configure PKI-Based Credential Mapping for Message-level Authentication and Authorization

3.9 Configure Device Failure Notification Functions

3.10 SQL Injection Protection

3.11 Denial of Service (DoS) Attack Mediation

3.12 Virus Scanning

3.13 Viewing User Activity Log

3.14 FICAM-Issued Profile Support

3.15 Access Control Lists

3.16 Using Filter Actions to Prevent Replay Attacks

3.17 Caching User Authentication and Authorization Results

3.18 Configuring Transport Layer Security Consistent with NIST SP 800-52

3.19 Securely Transmit Authentication Information

3.20 Server Name Indication (SNI) Profiles

3.21 Configure XML and JSON Threat Protection

Summary

Appendix A: DataPower Resources

DataPower Resources

Acknowledgements

The Author Team:

Bill Hines:

Terrill Kramer:

Derek Doerr:

Len McWilliams:


About the Authors

Bill Hines

Terrill Kramer

Derek Doerr

Len McWilliams

Afterword

Afterword by Eugene Kuznetsov

Afterword by Jerry Cuomo

Afterword by Kyle Brown


Preface

It is with great pleasure that I introduce the security hardening volume in our series of handbooks on the IBM DataPower Gateway (IDG). We published Volume I of this series, “DataPower Intro & Setup,” in October of 2014, then updated it in June 2015 for firmware version 7.2 and added a valuable new chapter on common use cases and deployment scenarios. We published Volume II, “DataPower Networking,” in June 2015; Volume IV, “DataPower B2B and File Transfer,” in December 2015; and Volume III, “DataPower Development,” in January 2016. Our concept has been to split the original, monolithic first edition DataPower Handbook into separate, more easily consumable volumes that are more manageable in size, and so that customers could only purchase the topics they are interested in.

Much of my career at IBM has been spent in the security space, in terms of my technology focus. I have also spent most of my career working in IBM’s US Federal government organization and with clients in the financial services/banking sector. Both of those groups of clients take security very seriously. That is why, when I first learned about the DataPower acquisition back in 2005, I was very excited to see the hardened aspect and security features of those products. However, even great security products can be compromised by misconfiguration. DataPower provides the tools, but it takes tools in the hands of skilled craftsmen/women to create successful implementations.

The security space and preventing cyber-attacks is always an arms race between the good guys and the bad guys. In the book Dark Territory - The Secret History of Cyber War by Fred Kaplan, the author refers to a 2013 report commissioned by the federal government (Defense Science task force):

“With present capabilities and technology,” the report stated, “it is not possible to defend with confidence against the most sophisticated cyber attacks.” Great Wall defenses could be leapt over or maneuvered around. Instead, the report concluded, cybersecurity teams, civilian and military, should focus on detection and resilience—designing systems that could spot an attack early on and repair the damage swiftly.

As such, good security must be a combination of prevention, detection, and response. Security practitioners must be informed about all manner of potential attacks and update their knowledge as frequently as virus scanners have to update their profiles, or sooner. Another great set of resources are the books and blog by Bruce Schneier, who is now an IBMer. His book Secrets and Lies: Digital Security in a Networked World is a security classic.

This volume is not an update of material from the first edition. It is new material that springs from a requirement from the US Department of Defense’s IT arm, called the Defense Information Systems Agency (DISA). The requirement states that any product sold or deployed into the US Department of Defense data centers must have an approved Secure Technical Implementation Guide (STIG). The STIG is essentially a security hardening guide—instructions on how to harden a platform to military specifications. Approved STIGs are published at http://iase.disa.mil/stigs/Pages/index.aspx. There are similar hardening guides (called benchmarks) at The Center for Internet Security (CIS) at https://www.cisecurity.org/ and other websites.

In order to be competitive in selling products to the US government, IBM needed to create a STIG that showed how to harden the product to these stringent military criteria. The team who put this book together accomplished that, working over much of 2015. We decided to take that information (which is publicly available at http://iase.disa.mil/stigs/net_perimeter/network-infrastructure/Pages/other.aspx) along with a great deal of hardening information and experience from our many years as DataPower technical practitioners to create this volume. In that sense, this volume is a guide to hardening your DataPower appliance to military specifications.

We actually created two STIGs. One is the Network Device Management (NDM) STIG, which focuses on hardening the appliance and administrative interfaces. The second STIG is Application Layer Gateway (ALG), which focuses on hardening message-level traffic moving through the appliance. We will structure this volume into two chapters to correspond to those categories, plus a chapter on the criteria that DataPower inherently met (no configuration necessary).

This volume is meant to be a guide for those who are already experienced DataPower administrators. To gain experience, see the other volumes in this series and the resources in Appendix A of this book. Because we assume that the reader is already familiar with DataPower concepts and configuration, we took the approach of being concise in listing the hardening steps, and will point to outside sources for more detail when necessary. We will not drill down into details such as configuring and setting up external servers (LDAP, SNMP, etc.) but rather provide high-level tips on testing each configuration item.

When we worked on the STIGs, we were happy that DataPower already met many of the criteria “out of the box.” As those items require no configuration, there are no steps to complete. We provide a summary of them for your awareness in Chapter 1, “DataPower Inherently Hardened Features.” This book is based on firmware version 7.2.0.1. As v7.5 is newly released, we did not want to base the book on it, as it is unlikely to be already running in customer infrastructures. However, several features in 7.5 will be interesting to security administrators. A few examples are additional support for Elliptic Curve Digital Signature Algorithm (ECDSA), and network Hardware Storage Module (HSM) support for crypto material.

The vast majority of these steps apply to both physical and virtual DataPower appliances. Two big exceptions are that the physical appliances offer intrusion detection (the ability to be notified or disable the appliance if someone removes the cover) and an optional internal HSM to store keys and certificates. Many customers do their development and testing on the virtual appliances, but only trust the physical appliances for their production infrastructure, although both are suitable. It depends on your level of security requirements.

As always, all of this must be done within the rules of your own organization’s IT security team, who should be consulted about any security changes. Security can only be achieved with constant, thorough testing and validation, and as such it is an ongoing process, not a one-time series of steps to take.

—Bill Hines, July 2016


Chapter 1 DataPower Inherently Hardened Features

Let’s start the volume out with the easy part—the security requirements that DataPower meets right out of the box. You don’t have to do a thing for these, and for the most part, you can’t turn them off. There’s nothing to screw up!

1.1 Role-Based Administration

Platforms intending to be secure participants in an enterprise network should provide a role-based administration capability. This includes creation of administrative user accounts, and some sort of role and/or group hierarchy that allows the definition of fine-grained privileges. There is typically a need for super-users/root-admins, and read-only users for troubleshooting or monitoring tasks. Ideally, the validity of these users and groups, and their associated privileges, should be validated by an external repository, such as LDAP or RADIUS.

These functions and roles must support the organization’s security policies and be capable of reflecting the roles that the organization may have already defined internally.

In DataPower, care must be taken to create secondary administrative accounts that ensure recovery from events such as a loss of connectivity to the external repository or the loss of the primary administrator’s password. Instructions for these preventive tasks are included in this volume.

Also note that while DataPower employs many inherent security capabilities, these can be weakened or compromised by ignoring basic security concepts such as not requiring and enforcing a strong password policy. DataPower’s inherent security footprint can also be decreased by “mundane” oversights such as a failure to train admin and support personnel in the detection of social hacking techniques and phishing type attacks (where someone is tricked into disclosing their password).

Auditing Preamble

Security systems need to have the ability to create alert and audit records. These are useful both in forensic post-mortem analysis and as part of regular security audits. These logs should be securely copied off-device as a measure of safety. We’ll show you how later in this volume.

The code modules that handle audit capabilities should initiate as soon as possible on system startup, and it should not be possible to disable them. If there is any failure of the audit subsystem, due to such things as out of storage space or hardware failure, an immediate administrative alert should go out and the system should shut down as gracefully as possible.


It should not be possible to tamper with or modify audit logs. They should be difficult to access, should be written to encrypted storage and should be, themselves, encrypted and signed, particularly when moving off-platform.

The log entries should be properly date and time stamped, with source identities and other meta information such as client IP addresses. As we note later, reliance on insecure external NTP servers can affect the reliability of this information and help hackers hide their tracks. Multiple DataPower devices should ensure that their clocks are all set and synchronized properly in order to facilitate multi-device log correlation.

1.2 Auditing Account Creation and Modification

If hackers are able to gain access to a platform, typically they will first attempt to create an administrative account for themselves in order to make subsequent access easier. In addition, someone may take the opportunity to modify their existing account (or someone else’s), elevating it to higher privilege. This also includes disabling and removing accounts.

If any of these account changes occur, it is imperative that the proper personnel be notified. DataPower always logs these types of activities into its system log. An additional measure, as shown in this volume, would be to set up some type of alert, such as sending an SNMP trap or other immediate administrative notification that an event of concern has occurred.

1.3 Auditing Administrative Commands

It is essential, for forensic and security audit purposes, to keep a log of administrative commands that have been executed, along with other contextual information such as the authenticated user who executed them, source IP, etc. DataPower does full-text logging of all CLI commands in the log temp:///cli-log file of the default domain.

Note that the on-box cli-log is circular—it will be overwritten when its allocated space is full. Therefore, these critical audit logs should be maintained off-box using external logging targets, as described in Section 2.3, “Off-load System Audit Records.”

1.4 Prohibiting Unnecessary/Unused Ports, Services, and Protocols

A common entry way for hackers is through ports left open and unsecured. Systems should not enable these by default. For example, non-secure services like telnet are often left open and represent a welcome mat to intruders.

DataPower has all ports, protocols, and administrative services shut down by default and these can only be enabled by administrative choice.

1.5 Encrypted Protocols for Administrative Access


Allowing administrative access via an unencrypted protocol should never be permitted; this leaves sensitive administrative traffic exposed to network sniffing.

DataPower’s WebGUI/browser and SOAP administrative entry points use TLS by default. SSH uses a customized variant of OpenSSH. These cannot be disabled.

1.6 Admin Authentication Replay Protection

Systems should not allow for replay of authentication attempts—for example, the capture/recording and replay of a login. This can be defeated by using nonces (random numbers generated for one-time use), challenges, one-time authenticators, and two-step authentication.

DataPower uses the TLS protocol for WebGUI login and SSH for CLI login, which prevents replay attacks via the use of Message Authentication Codes (MAC).

1.7 Password Protection

For those with dishonest intentions, discovering passwords is like finding the keys to a warehouse full of gold as it provides easy access to systems. Systems often store a hash of the password that is compared to a hash of what the client has entered, thus ensuring the integrity of the password and eliminating the need for passwords to be stored and transmitted un-securely to trusted parties. If passwords must be stored, this should be done in a secure fashion—over secure protocols and onto encrypted media.

When DataPower stores passwords, they are stored on the encrypted flash file system, and as such, are not viewable or retrievable by any means other than their intended purpose. If passwords need to be transmitted, it’s always done securely.

1.8 Validating PKI Admin Authentication

It is common to use certificate-based authentication for administrative access. The certificate metadata is checked to ensure it is not expired, and that a trusted authority has issued it. However, a common shortcoming of PKI is that systems often do not check to see if the certificate has been invalidated prior to its normal expiration date. Trust paths must ultimately navigate to a trusted authority.

DataPower does full X.509 certificate path checking and validation, and allows for the use of Online Certificate Status Protocol (OCSP) for intermediate revocation checking, in addition to Certificate Revocation Lists (CRLs). These features must be configured on the appliance by the proper personnel.

1.9 Authentication Feedback Should Be Obscured

This is kind of a no-brainer, as we all expect to see things like asterisks when entering passwords. However, other things should be obscured as well, such as “too much” error information. Reporting that the external user repository is down could be enough knowledge for a hacker to find another way in. If the login is incorrect, simply state that the user id or password is incorrect but do not say which of the two failed.

DataPower, as a fully hardened platform, implements all of these measures out of the box.

1.10 Terminate Non-Local Administrative Connections

Remote administrative connections are prime turf for attackers if they are left open. They should be subject to reasonable inactivity timeout values, and these connections dropped after admin sessions are completed. These types of connections should be subject to frequent audit, as administrators typically do not want to be subject to re-authentication and will relax these settings.

DataPower avoids this vulnerability by default. For example, when enabling the WebGUI for browser-based administration, the default timeout value is 600 seconds (five minutes). However, be advised that this can be changed to zero in order to disable the timer, which is not recommended as this eliminates the timeout capability. The command-line (CLI) administrative interface will not time out by default, and must be configured, as shown in Section 2.1, “User Interface Idle Timeouts and Cached Admin Credentials.”

1.11 Administrative Session Identifiers Should Be Deleted

Web browsers typically use session identifiers to point to back-end session information, so that sessions can be continued without losing information if the connection is broken and then reconnected. While this is convenient, it also makes systems susceptible to replay attacks.

Session identification tokens should be unique and temporary. They should not be easy for attackers to guess (e.g. a user id).

DataPower generates unique session identifiers. The session information is deleted and the identifier is no longer valid after administration sessions have disconnected.

1.12 Protecting Data at Rest

In addition to capturing sensitive data flowing across the network, another common way for hackers to obtain sensitive data is from storage. If the system is compromised, and flash or hard drives are accessible, this is a danger unless the file systems are encrypted. Also, consider that when systems are discarded, or shipped somewhere for maintenance, these storage systems could be removed and analyzed.

DataPower’s flash file system features encryption by default for sensitive directories, such as those that hold PKI keys and certificates. This includes the local, store, logstore, cert, pubcert, sharedcert, chkpoints, config, and tasktemplates directories as well as the audit log and persisted internal firmware files. Auxiliary storage, such as the RAID hard drives on physical appliances, can be encrypted as part of the initialization process. For more information, see https://ibm.biz/BdXQCX and https://ibm.biz/BdXRSw.

1.13 Error Messages and Logs Should Only Be Visible to Authorized Users

Error messages and logs typically contain a wealth of information about systems and ways to compromise them. Logs should be visible only to approved persons.

Error messages and system logs are protected by DataPower’s fine-grained role-based management system; privileges can be assigned as needed by administrators, and the system will enforce access. Since DataPower is not meant to be a persistent storage appliance, these log files can be moved off the appliance to more permanent storage as outlined in Section 2.3, “Off-load System Audit Records.”

1.14 Only Privileged Users Should Execute Admin Functions

If non-privileged users can get access to execute privileged commands, such as account creation, log viewing, or key management, they can gain access to systems and sensitive information. An example might be to create a privileged account, which would then allow much greater access than originally intended and potentially create a security gap.

Via the use of a fine-grained role-based management system, DataPower can let administrators apply the concept of “least privileges,” effectively locking down user access to only necessary functions. Role-based accounts, users, and groups should also be audited frequently.

1.15 Audit Record Timestamp Granularity

Log record timestamps are crucial to piece together the sequences of events that have led to a problem. Sometimes the log records from multiple devices must be correlated for meaningful analysis. If all of the systems are not in sync with their date/time settings, or the system has a discrepancy of more than a second, or logs do not report timestamps with sub-second granularity, this can become very difficult.

DataPower timestamps are recorded with millisecond granularity. System clocks on clustered DataPower appliances should always be synced and this is often accomplished by pointing systems to well-known, secure NTP servers. Be aware that using a non-secure NTP server, such as the Internet-based ones, could open systems up to certain types of attack.

By default, the DataPower appliance records time stamps for audit records in Coordinated Universal Time (UTC). For example: March 30, 2015 followed by the number of milliseconds since January 1, 1970 would translate to 20150330T072434.296Z.
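As an added example (not code from the book or from IBM), the following Python parses the compact UTC timestamp format shown above, checks that several appliances' clocks agree to within the one-second discrepancy the section warns about, and merges their records into one timeline. The device names and log records are constructed, and their (device, timestamp, message) layout is an assumption, not a DataPower log format.

```python
"""Parse DataPower-style UTC audit timestamps (YYYYMMDDThhmmss.mmmZ, e.g.
20150330T072434.296Z) and check cross-appliance clock agreement before
merging several devices' logs into one timeline.

Added example, not code from the book or from IBM. The records below are
constructed; the (device, timestamp, message) layout is an assumption."""
import re
from datetime import datetime, timedelta, timezone

# Compact ISO 8601 form described in Section 1.15: date, 'T', time, milliseconds, 'Z'.
_TS_RE = re.compile(r"^(\d{8})T(\d{6})\.(\d{3})Z$")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_dp_timestamp(ts: str) -> datetime:
    """Return a timezone-aware UTC datetime with millisecond precision."""
    m = _TS_RE.match(ts)
    if not m:
        raise ValueError(f"not a DataPower UTC timestamp: {ts!r}")
    date_part, time_part, millis = m.groups()
    base = datetime.strptime(date_part + time_part, "%Y%m%d%H%M%S")
    return base.replace(microsecond=int(millis) * 1000, tzinfo=timezone.utc)


def millis_since_epoch(dt: datetime) -> int:
    """Milliseconds since 1970-01-01T00:00:00Z, the scale the section refers to."""
    return (dt - _EPOCH) // timedelta(milliseconds=1)


def max_skew_ms(reference_stamps: dict) -> int:
    """Largest spread (ms) between the timestamps several devices recorded
    for the same reference event, e.g. a synchronized heartbeat."""
    values = [millis_since_epoch(parse_dp_timestamp(t)) for t in reference_stamps.values()]
    return max(values) - min(values)


def clocks_in_sync(reference_stamps: dict, tolerance_ms: int = 1000) -> bool:
    """True when no two devices disagree by more than tolerance_ms; the text
    warns that a discrepancy above one second makes correlation unreliable."""
    return max_skew_ms(reference_stamps) <= tolerance_ms


def merged_timeline(records: list) -> list:
    """Merge (device, timestamp, message) records from several appliances
    into one list ordered by UTC time, ties broken by device name."""
    keyed = [(millis_since_epoch(parse_dp_timestamp(ts)), dev, msg) for dev, ts, msg in records]
    return [(dev, msg) for _, dev, msg in sorted(keyed)]


# Constructed sample records from two appliances, "dp-a" and "dp-b" (192.0.2.0/24 is
# a documentation range, so the client address below is a placeholder).
SAMPLE_RECORDS = [
    ("dp-b", "20150330T072434.512Z", "user admin logged in from 192.0.2.10"),
    ("dp-a", "20150330T072434.296Z", "user admin logged in from 192.0.2.10"),
    ("dp-a", "20150330T072435.001Z", "user account ops1 created"),
]

# Constructed timestamps each device recorded for one shared reference event.
SAMPLE_REFERENCE = {"dp-a": "20150330T072434.296Z", "dp-b": "20150330T072434.512Z"}

if __name__ == "__main__":
    print("skew (ms):", max_skew_ms(SAMPLE_REFERENCE), "in sync:", clocks_in_sync(SAMPLE_REFERENCE))
    for dev, msg in merged_timeline(SAMPLE_RECORDS):
        print(dev, msg)
```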

1.16 Installation of Software Modules


Systems often can be compromised by the installation of software modules, such as those that provide additional capability, or fix packs and updates that contain rogue code. This malicious code inside of these modules may not be detected during installation with the unfortunate consequence of sending important information across the network to those not intended to see it. Malicious code can contain time-bombs or system hijack capabilities that can take production systems offline without warning.

Diagnostic or analytical software additions are also often prone to exposing sensitive data to unauthorized parties. Only approved administrators should be permitted to use these on a system, and the tools should be carefully vetted.

As a closed and hardened system, DataPower does not allow the installation of outside software. Only IBM firmware modules, firmware fixes and updates may be installed. All IBM software modules are signed and encrypted to prevent any outside tampering, and as such they are safe from these kinds of attacks. No outside diagnostic tools or software can be installed on the appliances.

1.17 Temporary Passwords

Systems that allow temporary passwords must enforce that they be changed immediately upon the first login. Temporary or default system passwords for a product are typically well-known and an easy way for hackers to access systems.

DataPower ships with only one default administrative account, which has a default password. The system cannot be initialized or used without immediately changing this to an acceptable password. If an administrator creates a new admin account for another user, the user is forced to change it upon their first login.

1.18 Denial of Service Attacks

Despite all of the internal protections against system compromise, the most typical form of attack is external—over a network. Denial of Service (DoS) attacks are attempts to flood a system with so much network traffic that it becomes overwhelmed. The consequence of this type of attack is the over utilization of system resources causing a reboot of the system. Another consequence of this type of attack is that the system is so busy sorting out malicious traffic that legitimate traffic can’t be processed in a timely fashion.

DataPower has built-in protection against denial of service attacks. This can be fine-tuned, as shown in Section 3.11, “Denial of Service (DoS) Attack Mediation.” Organizations that are subject to legitimate high traffic rates, such as retailers during a peak holiday season, should pay attention to these settings and test carefully, so that in those cases, legitimate traffic is not turned away.

1.19 Audit of Administrative Actions

All administrative actions, such as account creation/deletion/modification and other activities that alter the system, should be logged. Administrator login and logout should be logged, along with the user id and source IP address. It should not be possible to alter or delete these log records.

DataPower logsallactivity,alongwithessentialmetadatasuchasdate/timestamps.By default, these log records cannot be deleted ormodified and this setting cannot bechanged.ThesourceIPaddressesanduserIDswillbeincludedinlogrecords.

See Section 2.10, “AuditAccount EnablingActions” to see an example of how toconfigurethiscapability.

1.20ConfigurationChangesShouldBeImmediate

Changesmade to the configuration should be implemented immediately for all runningcomponents. Detected problems can be fixed immediately without requiring a systemshutdownorotherserviceinterruption.

Changes made to DataPower configuration via administrative interfaces areimmediately saved in flash memory. These changes should be persisted by saving theconfiguration(byusingtheSaveConfigurationlinkonWebGUI,and“writememory”intheCLI).Savingtheconfigurationwillallowthemostrecentchangestosurvivearestart,whereas not saving the configuration will cause the system to boot to the last savedconfigurationuponthenextrestart.

1.21 Unnecessary Functions Should Not Be Enabled

Oftentimes, systems will be configured to start services by default that may not be necessary for the desired usage. Services such as telnet and sendmail can provide entry for hackers.

DataPower ships with all services, protocols, and functions disabled by default. The only way to use a function or service is for an authorized administrator to intentionally enable and configure it.

1.22 Secure Failure

When systems are under duress, they should have some capability to self-determine when there is no recovery possible without some type of human administrative intervention. In these cases, rather than attempt to limp along, they should provide some kind of safe, secure failure mode. At this point, the enterprise's high availability capabilities should take over for the failed systems, so that traffic is not affected.

DataPower appliances have a failsafe mode which, when entered, restricts functionality, but will provide a subset of diagnostic commands for use in troubleshooting. If the appliances determine that there is not a reliable way to function (for example, if the appliance detects an intrusion), they will enter this mode. Once in failsafe mode, warning messages will be displayed in the WebGUI and CLI. If properly configured, as described in this volume, administrative alerts will occur. DataPower appliances also have extensive capabilities for high availability configuration. Learn more about fail-safe mode at https://ibm.biz/Bd4JrY.

1.23 Physical Security

Data centers rely on physical security to prevent physical intrusion and access to hardware such as servers and network equipment. If the equipment is physically accessed, many types of compromise may become possible, such as attaching diagnostic equipment, traffic sniffers, keyboard capture devices, and removing or altering internal components.

Physical DataPower appliances have intrusion switches built into the inside of the case in order to prevent unwanted individuals from accessing the internal components. By default, if the appliance detects an intrusion, the WebGUI interface displays a warning for new user sessions and the appliance restarts in failsafe mode. The intrusion protection feature can be disabled; however, if intrusion detection is disabled, it will remain disabled until it is explicitly re-enabled, which could leave the appliance open to unwanted tampering. Learn more about managing intrusion detection at https://ibm.biz/Bd4Jrv.

1.24 Secure Administrative Protocols

Any local or remote network connection endpoints for which the appliance will be sending or receiving management traffic should be authenticated via TLS/SSL before establishing a connection. The authentication should be bidirectional and cryptographically based.

Management traffic on DataPower includes the typical appliance management interfaces such as CLI, WebGUI, and SOMA, which are secure by default. Note that the transport layer security for these interfaces (TLS for the WebGUI and SOMA, SSH for the CLI) will make use of an onboard appliance certificate. This certificate is provided with the appliance by default and should be replaced with a certificate generated by your organization. We show you how in Section 2.2, "Encrypting Administrative Protocols." If SNMP is going to be used, secure configuration for that protocol is discussed in Section 2.4, "Send Immediate Threat Alarms."

Summary

This chapter served as an introduction to the inherently hardened security features in IBM DataPower Gateway appliances. For the most part, these features require no configuration and cannot be turned off. However, continual and thorough testing and auditing are necessary for any secure platform.

Our next chapter, Chapter 2, "Appliance Administrative Hardening" will introduce you to the steps to lock down your appliance administratively.


Chapter 2 Appliance Administrative Hardening

In this chapter, we will cover administrative hardening of the physical and virtual DataPower appliances.

2.1 User Interface Idle Timeouts and Cached Admin Credentials

Rationale

It is common to terminate admin user connections to the appliance after idle timeout periods as well as remove any cached admin login credentials. Admin authentication information (credentials) is commonly cached for reliability and performance reasons. These cached credentials typically have a pre-defined lifetime, after which they will expire and be purged from the cache object. Security is reduced with longer lifetime/timeout settings, so relatively short timeframes should be configured. Allowing excessively long idle connection periods risks exposing confidential configuration information when the admin does not sign out of the appliance. Of course, setting the timeout to a shorter interval may affect the load on the credential server. This interval needs careful consideration to find the balance that satisfies organizational policies.

The user interface idle timeout settings for the WebGUI and the CLI should be set to the same value and should be consistent with your organization's security policy. Note that the default for the WebGUI is 600 seconds (5 minutes) while it is zero seconds (no limit) for the CLI. Lacking specific organizational guidance, setting the idle timeouts to five minutes is a reasonable starting point. Establishing the WebGUI cache timeout period should be based on several factors. For example, a device with just a few administrators, who are using networks with poor connectivity, might require longer timeout periods.

The WebGUI interface timeout value should be consistent with the guidelines established by your organization's security team and used across any type of administrative session, e.g., WebGUI, CLI, and XML Management.

Configuration

First, configure the idle timeout for the WebGUI. From the default domain, go to Network → Management → Web Management Service. Update the "Idle Timeout" setting to the desired value. Click Apply and Save Configuration before moving on.


Figure 2-1 WebGUI configuration.

TIP—Local Address Binding for Administrative Interfaces

The "Local address" field for the WebGUI (as well as all other interfaces – CLI, XML Management, REST Management) is bound to "0.0.0.0" by default. This means that these interfaces are accessible, by default, from any configured Ethernet interface on the appliances. It is highly recommended that administrative interfaces be explicitly bound to specific network interfaces dedicated to network traffic. To do this, create a Host Alias (Network → Interface → Host Alias) that relates a logical interface name such as "managementNIC" to the interface's IP address. Leaving the administrative interfaces open to requests from any network interface exposes the appliance to potential intrusion attempts from outside your administrative subnet.

TIP—Host Aliases versus Static DNS

Host Aliases are intended to provide logical names for the appliance's network interfaces. Common examples are "localhost" (e.g., 127.0.0.1) and "managementNIC" (configured to the IP address of the Ethernet interface used for management traffic). Host Aliases are not intended to be used to reference external entities (i.e., an LDAP server's IP address or hostname). To reference external entities, create a Static Host under DNS Settings (Network → Interface → DNS Settings) or configure DataPower to use your organization's DNS servers to resolve hostnames to IP addresses.

Next, configure the RBM Settings for Authentication Cache Lifetime. Go to Administration → Access → RBM Settings. Click on the Authentication tab. Set the Authentication cache mode to Absolute. Set a timeout value. The configuration is shown in Figure 2-2.

Figure 2-2 Configuration for timeout of administrative authentication.

Finally, click the Account policy tab to configure RBM settings for the CLI. Click "on" to enable RBM enforcement for the CLI and set the CLI idle time-out to the same value as prescribed for the WebGUI (e.g., 600 seconds).

Apply your changes and save the configuration before testing.

Figure 2-3 RBM configuration for the CLI.

TIP—Configure Maximum Failed Logins

While you are on the Account policy configuration tab, it is advisable to configure the "Maximum failed logins" and "Lockout duration" parameters to values consistent with your organization's security policy.


Testing Tips

Log into the device WebGUI as an administrator. Leave the session idle or disconnect the session without logging out. Wait until well after the timeout period and attempt to use the session again. This should result in a request to re-authenticate. Repeat the process for the CLI. Review the DataPower logs to ensure that the appropriate messages appear. These should describe the login attempt, the fact that the credential is no longer valid or in the cache, and that re-authentication is being requested.

Also, perform a test to use the session prior to the timeout period to ensure that re-authentication is not required.

2.2 Encrypting Administrative Protocols

Rationale

Administrative connections and communications carry sensitive information. These should always be transmitted over encrypted protocols. By default, DataPower uses secure protocols for admin access to CLI, XML Management, and the WebGUI. DataPower will initially use built-in SSL/TLS certificates supplied by IBM, but as a best practice those should be changed to your own organization's security certificates.

One exception to the above tip is the use of the Telnet protocol. While DataPower does support the Telnet protocol, it is inherently non-secure and should not be used.

Configuration

By default, DataPower uses a self-signed certificate (signed by DataPower Technology, Inc.) for the WebGUI, XML Management Interface and REST Management interfaces. The certificate is not signed by a well-known Certificate Authority (CA). The signer is not included in the list of trusted third parties with internet browsers, and therefore the connection is flagged as "untrusted."

In order to change the certificate to a trusted certificate, each interface must be updated separately. To update the certificate used by the WebGUI, go to Network → Management → Web Management Service and click the "Advanced" tab. Select the desired SSL server type and configure the SSL server profile to reference the trusted certificate. Repeat the process for the XML Management Interface and the REST Management Interface via the Network → Management menu path. All interfaces can use a common certificate, or separate certificates.

In the DataPower WebGUI, go to Network → Management → Telnet Service and ensure that no enabled Telnet configurations exist.

TIP—Configuring TLS Connections for Admin Interfaces

Make use of "Server Profiles" when configuring TLS for the administrative interfaces, rather than SSL Proxy Profiles. "Server Profiles" are the newer configuration approach for TLS (as of firmware 7.2) and are more intuitive to set up and maintain. While SSL Proxy Profiles will still work, they will eventually be deprecated.

Testing Tips

Test the administrative interfaces over TLS and look at the logs to ensure that the correct certificate and validation process were used.

Attempt to use a Telnet session from a remote device to log into the device as an Administrator. This should fail. If a connection is established, check the DataPower configuration and logs again and take action to remediate the configuration. Retest until Telnet connections are refused.

2.3 Off-load System Audit Records

Rationale

It is a good security practice to copy system audit records to a safe, non-local storage medium. They are circular, in order to avoid over-running the device local storage. This means that older logs will at some point be overwritten, which is why off-loading the audit logs to secure, external storage will prevent any loss of log data.

Configuration

Audit logs can be copied to a remote destination using either the command-line admin interface and CLI commands (which can be scripted), or the WebGUI.

To move audit logs using the CLI, use the CLI copy command:

Syntax: copy -f sourceURL destinationURL

-f is an optional switch that forces an unconditional copy. For example:

xi52(config)# copy -f audit:audit-log sftp://[email protected]/LOGS/x/AuditLog.log

See https://ibm.biz/Bd4Tw6 for additional details on use of the CLI copy command.

To move audit logs automatically, use the WebGUI and go to Administration → Miscellaneous → Manage Log Targets. Click the Add button to add one, or choose an existing one (not default-log, which can't be modified). Name the new log target in the Name field. Switch to the Event Subscription tab. Press the Add button, choose Category "audit" and click the Apply button. Go back to the Main tab, choose File in the Target Type dropdown and configure it. This is shown in Figures 2-4 and 2-5. Note that if you wish to do key-based authentication rather than use a userid and password, there is a technote that describes the configuration at https://ibm.biz/Bd4Ata.


Figure 2-4 Configuring to copy audit logs.

Figure 2-5 Configuration for SFTP log file upload.

Testing Tips

This process can be tested by setting up a remote server, then creating a condition that will result in a log message being generated, and then viewing the remote server log.

2.4 Send Immediate Threat Alarms


Rationale

Administrators should be notified immediately in the case of any serious adverse event. Time is of the essence when something is going wrong, or when someone is attempting to compromise the system.

Potential security violations should be identified quickly—even when administrators are not logged into DataPower. The best way to facilitate this is by sending SNMP Traps and Notifications generated by the local SNMP agent or engine.

Generating these Traps and Notifications is important both for preventing system incursions and for providing logs for after-the-fact forensic analysis.

Configuration

In the DataPower WebGUI, go to Administration → Access → SNMP Settings. On the Main tab, you must specify the local DataPower appliance IP Address and port that your SNMP server will connect to. Add SNMPv3 users that will have authority to configure a connection from an SNMP server to this DataPower appliance. Set the SNMPv3 Security Level. For production, the setting should be "Authentication, Privacy." Set the SNMPv3 Access Level: usually either "read-only" or "read-write." This configuration is shown in Figure 2-6.

Figure 2-6 Configure SNMP main settings.

TIP—SNMP Versions

Common SNMP versions are 1, 2c, and 3. Version 3 is the only one that should be employed for secure configurations, as it's the only one that allows for authentication and encryption.

Next, move to the "Trap Event Subscriptions" tab. On the Trap Event Subscriptions tab, set the "Enable Default Event Subscriptions" option to "on." Set Minimum Priority to your desired level, e.g., "warning," or "error." Select the specific event codes that will generate SNMP traps.

TIP—Use the Select Code Button

Note that you can click the Select Code button to browse for additional desired notifications.

In order for DataPower to provide notification to your SNMP server, an event must be present in the list of Event Subscriptions. For example, to provide notification of account-enabling actions, you could add the 0x8240001c and 0x8240001f events. This is shown in Figure 2-7.

Figure 2-7 SNMP Settings: Trap Event Subscriptions.

Finally, move to the Trap and Notification Targets tab. Click the Add button to configure a target SNMP server. Add the server name or IP address, port, and version (which should be v3) for all SNMP servers that must receive your trap and notification events. The target SNMP server(s) bear the responsibility for notifying those individuals who are responsible for taking appropriate action. The Security Name is the name of the local SNMPv3 user to use for notifications to this recipient. It determines what authentication and privacy encryption protocols are used, and what associated keys. Set the Security Level dropdown to Authentication, Privacy.

Figure 2-8 SNMP Settings: Trap and Notification Targets.

Figure 2-9 shows the completed configuration. On the Main tab, set the "Administrative state" to "enabled." Click "Save Configuration."


Figure 2-9 SNMP Edit and Notification Targets configuration.

TIP—Message References

For a complete reference to DataPower log messages, event codes, and audit events see: https://ibm.biz/Bd4pkj

TIP—Configure an SNMP Log Target

In addition to configuring the "Trap Event Subscriptions", you can also configure a log target, setting the "Target Type" to SNMP. A general purpose log target offers the advantage of being able to configure a wider range of events to be sent as SNMP traps (the general SNMP configuration is limited to configuring specific event codes).

Testing Tips

Configure your SNMP server per your organization's guidelines. One approach to testing is to create any condition that violates an on-device security policy, such as sending a message that violates the constraints in the XML Threats policy (too large, too deeply nested, etc.). Send the message to a service on DataPower. A second, easier approach is to generate specific log events (see the TIP later in this section). Check the DataPower and SNMP server logs, as well as the log receiver, to ensure that the proper results were achieved.

TIP—SNMP Testing

To learn how to send test SNMP traps from DataPower, see the following IBM support article: How to Test SNMP Traps on IBM DataPower Gateway, https://ibm.biz/Bd4TtD.

In order to confirm that your SNMP alerts are set up properly:

In the DataPower web interface, navigate to Administration → Access → SNMP Settings. Verify that "Trap Event Subscriptions" includes the Event Subscription codes that indicate conditions that violate on-device security policy, such as sending a message that violates the constraints in the XML Threats policy (too large, too deeply nested, etc.).

On the "Trap and Notification Targets" tab, verify that this configuration includes the Remote Host Address and Remote Port of an approved SNMP server that generates alerts that will be forwarded to the appropriate administrators when account modification events occur.

On the Main tab, confirm that the "Administrative state" is set to "enabled." Additionally, confirm that the runtime state (shown at the top of the page after the text "SNMP Settings") indicates in brackets that the SNMP object is in an "up" state.

Finally, perform an end-to-end test by confirming that the event appears in the DataPower audit log, that an appropriate notification is sent by the designated SNMP server(s) specified on the "Trap and Notification Targets" tab of the DataPower SNMP Settings, and, of course, that it is ultimately received by the designated administrator(s).

TIP—Generate Test Events

From the Control Panel, select the "Troubleshooting" tool and use the "Generate Log Event" tool to generate specific events which will trigger SNMP traps and, ultimately, appropriate notifications.

2.5 Configure SNMP Trap Events for Account Enabling Actions

Rationale

As previously described in Section 2.4, "Send Immediate Threat Alarms," alerts can be configured using SNMP trap event subscriptions that are sent to an external SNMP server. That server can, in turn, provide notifications to system administrators. One of the most serious events is when someone is enabling or creating new accounts. Most intruders will do this to make later system access easier.

Configuration

See Section 2.4, "Send Immediate Threat Alarms" for the steps to set up SNMP traps. Follow those instructions for the configuration and testing, but add the account enabling codes described in that section.

TestingTips

Test using the procedure described in Section 2.4, "Send Immediate Threat Alarms," but while enabling a new administrative account.

2.6 Selective, Targeted Auditing


Rationale

Auditing and logging are key components of any security architecture. Each organization will likely have its own items of interest in terms of the types of events that can occur on the system. The DataPower Gateway can generate audit log events for a customized list of auditable events. Logging specific events provides a means to investigate an attack, to recognize resource utilization or capacity thresholds, or to identify an improperly configured network device. Auditing is also useful for intrusion monitoring, troubleshooting, quick resolution of problems, security investigations, and forensic analysis.

Configuration

Go to Administration → Miscellaneous → Manage Log Targets. Click an existing log target (other than default-log, which can't be changed) or add one. Name the log in the Name field. Go to the Event Subscriptions tab and add the event categories that are required to be audited for this log target. Figure 2-10 shows an example log target with categories that might be of interest to the security team.

Figure 2-10 Example log target and categories related to security.

Testing Tips

For an off-box logging target, review your log target configuration to confirm that the "Administrative state" is enabled. If there is a problem with the configuration, it will show a "disabled" state. Additional examination should be done on the external logging server to ensure that log entries are arriving and that they are in the proper format.

Log into the device as an Administrator. Either create a condition that matches the selected event or use the Troubleshooting Tool to generate specific events. Review the DataPower system logs and configured log target(s) to ensure that everything worked as expected.

2.7 External Admin Authenticators

Rationale

DataPower supports a local registry of administrative users, but this is only practical for demo and isolated development/test scenarios, or as a fallback mechanism in the event that the remote authentication server is unreachable. For robust implementations, LDAP is typically used as the central registry of administrative users, passwords, and groups.

DataPower allows for alternatives such as PKI certificates and RADIUS. But, in the vast majority of cases, LDAP or its Microsoft cousin, Active Directory, will be used. LDAP v3 is recommended over v2 due to the addition of several features important for security. LDAPS (LDAP over TLS) is recommended.

You may want to configure a local administrative account as a backup, in case something goes wrong with the configuration or LDAP environment. Also, note the cache settings that are available in this configuration and bear in mind that longer cache times will reduce security.

TIP—Enterprise RBM

Users may be authenticated by a remote authentication system such as LDAP, RADIUS, SAF, or SPNEGO. The Role Based Management policy determines whether to allow an authenticated user to access specific resources.

Configuration

In the DataPower WebGUI, go to Administration → Access → RBM Settings. Go to the Authentication tab.

Set the Authentication Method to LDAP. Set the LDAP configuration to be consistent with your environment and security policy. An example is shown in Figure 2-11. Note that TLS should be used, and you would most likely load balance messages to a number of LDAP servers.


Figure 2-11 RBM LDAP settings.

TIP—LDAP Server Connection Configuration

The information necessary to configure the LDAP connection may need to be obtained from your organization's LDAP administrator. Information such as the LDAP prefix, suffix and LDAP Search parameters will vary by organization.

While you are on this page, configure the fallback section for at least one local administrative account (it is not recommended to select all users). This ensures that you can log into the appliance if something goes wrong in configuring the LDAP connection, or later when using an external LDAP server for DataPower administration. This is particularly useful while you are configuring and testing any changes for external authentication. Your enterprise security policies may prohibit the use of local accounts for production or ongoing purposes. This configuration is shown in Figure 2-12.


Figure 2-12 Configuration of local fallback administrative account.

Testing Tips

Gather the information for your enterprise's LDAP or RADIUS server, and use it to configure DataPower. After this is done, attempt to open a WebGUI admin session and log in using a valid credential from the LDAP or RADIUS server. Use the DataPower and external authentication server logs to troubleshoot. If problems occur, log in using the backup local admin account to make changes.

If you have configured fallback user accounts, confirm that this works correctly by changing the LDAP server configuration information (e.g. Host/IP address) within DataPower, such that the LDAP server cannot be reached.

You may also want to keep an admin session open while you are testing this, for example through the command line interface, so that you can troubleshoot your configuration, as well as "recover" from testing your fallback account functionality.

TIP—Testing Fallback Users from the WebGUI

If you are testing the fallback user from the DataPower WebGUI, you may want to use two different browsers for testing, such as Google Chrome and Mozilla Firefox. This will allow you to have your admin session open in one browser while testing the fallback configuration in another.

2.8 Secure Backups

Rationale

System backups are a critical, essential part of any organization's disaster recovery plan. However, these will by nature include very sensitive information (such as private keys and other authentication/configuration information) and should be handled with great care.

DataPower allows for secure backups, in which the entire backup is encrypted and contains all sensitive material from the configuration. This allows the backup to be used to replicate the device configuration by restoring it to a compatible appliance (same firmware and storage capacity). Normal (non-secure) backups are not encrypted and do not contain the sensitive material (keys, certificates, passwords).

Secure backups can only be created if 'y' was answered to the prompt 'Enable Disaster Recovery mode?' on device initialization (first-time device setup). If this was not selected initially, the appliance would have to be re-initialized, or the Secure Backup Enabler tool requested through IBM (see the TIP below).

For more information on secure backup and restore, see the article at https://ibm.biz/BdRHq8.

TIP—Secure Backup Enabler


IBM has created a tool that allows Disaster Recovery/Secure Backup to be enabled on the fly, without having to re-initialize the appliance. It can be requested through the DataPower support organization, as it is created for specific appliances (based on the physical appliance serial number, or the UUID for virtual appliances).

Configuration

Go to Administration → Main → System Control and configure Secure Backup. Figure 2-13 shows this section. You will need the private key and certificate that is used to create the backup in order to restore this configuration on another appliance, so be sure to export it and have it available.

Figure 2-13 Secure Backup configuration.

Note that as of version 7.2 of the firmware, the destination only supports use of the FTP protocol. As FTP is not considered a secure protocol, approaches such as that advised in the technote "DataPower Secure Backup to an SFTP Destination" at https://ibm.biz/Bd4T68 should be considered.

TIP—Automating Secure Backups

The Secure Backup can be automated via external scripting or a Scheduled Processing Policy Rule in the XML Manager object in the default domain. In either case, a request would be sent to either the XML Management Interface, or to the REST Management Interface, to perform the Secure Backup and transfer the backup to a remote server.
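As an added illustration of the external-scripting route (example code, not from the Handbook or from IBM), the Python below builds the SOMA do-action request for a Secure Backup, posts it to the XML Management Interface over TLS verified against your own CA, and checks the appliance's reply. The SecureBackup parameter names (cert, destination), the default port 5550 and the /service/mgmt/current path are assumptions to confirm against your firmware's xml-mgmt.xsd; the certificate name, destination URL and sample response are placeholders constructed for the example.

```python
"""Trigger a DataPower Secure Backup through the XML Management Interface (SOMA).

Added example, not the Handbook's or IBM's code. Assumptions (verify against
your firmware's xml-mgmt.xsd): the SecureBackup do-action takes <cert> (name
of the Crypto Certificate object the backup is encrypted to) and <destination>
(target URL), and a successful reply carries <dp:result>OK</dp:result>.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DP_NS = "http://www.datapower.com/schemas/management"
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("dp", DP_NS)


def build_secure_backup_request(cert_name: str, destination: str) -> bytes:
    """Return the SOMA envelope asking the default domain to run SecureBackup."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{DP_NS}}}request", {"domain": "default"})
    action = ET.SubElement(req, f"{{{DP_NS}}}do-action")
    backup = ET.SubElement(action, "SecureBackup")   # action elements carry no namespace
    ET.SubElement(backup, "cert").text = cert_name
    ET.SubElement(backup, "destination").text = destination
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_soma_result(response_xml: bytes) -> str:
    """Extract the dp:result text: "OK" on success, otherwise the appliance's error text."""
    root = ET.fromstring(response_xml)
    result = root.find(f".//{{{DP_NS}}}result")
    if result is None:
        raise ValueError("no dp:result element in SOMA response")
    return (result.text or "").strip()


def secure_backup_succeeded(response_xml: bytes) -> bool:
    return parse_soma_result(response_xml) == "OK"


def send_soma(host: str, user: str, password: str, payload: bytes,
              ca_bundle: str, port: int = 5550) -> bytes:
    """POST the envelope to the XML Management Interface over verified TLS.

    ca_bundle is the CA that signed the certificate installed on the interface
    (Section 2.2). The factory self-signed appliance certificate fails this
    verification, which is exactly the failure you want a script to surface.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}:{port}/service/mgmt/current",
        data=payload,
        headers={"Content-Type": "text/xml", "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read()


# Constructed sample reply shaped like a SOMA response, so the parser runs offline.
SAMPLE_OK_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Body>
    <dp:response xmlns:dp="http://www.datapower.com/schemas/management">
      <dp:timestamp>2016-01-01T00:00:00Z</dp:timestamp>
      <dp:result>OK</dp:result>
    </dp:response>
  </env:Body>
</env:Envelope>"""


if __name__ == "__main__":
    # Placeholder certificate object name and destination; replace with your own.
    payload = build_secure_backup_request("backup-cert", "ftp://backup.example.invalid/dp/")
    print(payload.decode())
    print("sample reply reports success:", secure_backup_succeeded(SAMPLE_OK_RESPONSE))
    # Live call (not run here):
    # reply = send_soma("dp-mgmt.example.invalid", "admin", "***", payload, "/etc/pki/org-ca.pem")
    # print(parse_soma_result(reply))
```

Anything other than OK in dp:result is the appliance's own error text, which belongs in the same alert channel as the SNMP traps of Section 2.4.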

Testing Tips

Configure an FTP server to receive the backup, or gather the information for an existing FTP server. Configure the secure backup as described above. Attempt the secure backup, and check the logs on the DataPower appliance and FTP server. Verify that the backup exists in the target FTP server directory. Try to restore the saved backup to a new appliance. Take care, as this will completely remove any existing configuration on the target appliance.

2.9 Crypto Keys and Certificates

Rationale

DataPower appliances ship with a common set of crypto keys and certificates that allow base functionality out of the box, but of course, as these are shared with every customer, they are not secure (leaving the default signer certificates for CAs such as Verisign, and others, could inadvertently allow TLS connections that should not be allowed). The out-of-the-box crypto material should be replaced as soon as possible with keys and certs that are approved by your organization's security team. You should also review all of the public certificates in the pubcert: directory and remove any that will not be needed.

Configuration

Go to Objects → Crypto Configuration → Crypto Certificate (for certificates) or Crypto Key (for keys) to upload external keys/certificates to the encrypted flash or to a FIPS 140-2 Level 3 HSM. Create the necessary DataPower crypto objects from these files.

TIP—Key and Certificate Objects

As previously described, the key(s)/certificate(s) used for DataPower's administrative interfaces are stored in the default domain, commonly in the sharedcert: directory. If a Hardware Security Module (HSM) is being used, the private key may be stored in the HSM. Certificate Authority signer certificates are commonly stored in the pubcert: directory of the default domain; however, the crypto objects that reference them are configured in application domains, not the default domain.

Testing Tips

When the correct crypto files are in place and the appropriate DataPower objects have been created from them, do all necessary testing of protocol-level communications, file encryption and file signing with these crypto objects. Review the DataPower and external server logs to ensure that the appropriate keys/certificates are used. When debugging SSL/TLS connection issues, it may be useful to use tools such as Wireshark.

2.10 Audit Account Enabling Actions

Rationale

Logging all attempts at administrative actions such as enabling user/admin accounts is important both for preventing unwanted system incursions and for providing after-the-fact forensic information.

Adequate auditing supports the enforcement of access restrictions against changes to the appliance configuration. Audit logging also can provide the ability to identify attempted attacks. A complete audit trail will be invaluable for forensic investigation leading to appropriate after-the-fact actions.

TIP—Threat and Forensic Analysis

It is prudent to establish robust log analysis methods to assist in identifying potential threats and to provide post-incident forensic analysis.


Auditing the use—and potential misuse—of privileged appliance functions is important in preventing insider threats and advanced persistent threats. Detection can be accomplished by ensuring that the appliance audit log is enabled, set to capture at an appropriate level, and has adequate storage available.

Configuration

DataPower provides extensive logging configuration options. Among them is the ability to specify the level of Audit logging. By default, audit logs are kept on the DataPower appliance in the "audit:" directory, accessible via the default domain. By default, the DataPower appliance logs the execution of all privileged functions, and the audit log is enabled by default.

To configure a comprehensive audit trail, from the default domain, go toObjects → Logging Configuration → Audit Log Settings. Set the Audit Level to Full.Specify the desired Log Size, Number of Rotations, and audit level. PressApply, thenSaveConfiguration.Themaximumavailablelogspaceisapproximately50GBlessspaceconsumed by other data on the device. Save the configuration. Make sure that theAdministrativestateappearsas“enabled.”ThisconfigurationisshowninFigure2-14.

Figure2-14AuditLogSetting–Fullauditlevel.

TIP—LogAnalyticalTools

Forproduction,makesurethatyouconfigureanexternallogtargetforauditlogs.Inaddition,thiscomprehensiveexternalauditloggingshouldbesupportedbystrongloganalyticaltools.

TIP—AuditLogSettings

InadditiontosettingtheAuditLevelyoucanalsomodifytheauditlogsizeandthenumberofgenerationsofthelogmaintainedintheauditdirectory.Ifyouchangethedefaultvalues,makesurethatyoualsoallocatesufficientspaceforstorageoftheselogs.


WARNING—On-box Logging Will Be Overwritten

It is essential that production audit logging be directed to an off-box server, e.g., syslog, using Log Target configuration. Due to space limitations, on-box logging, such as the Audit Log and the System Log, will eventually be overwritten.

Testing Tips

In order to confirm that on-box audit logging is configured to provide comprehensive information, view the logging settings at Objects → Logging Configuration → Audit Log Settings. For local logging, check the local system log to ensure that the following event message is not displayed in the log: “0x82400067 Audit log space low - using audit reserve space.” Set up SNMP monitoring to monitor for this condition on an ongoing basis. Then, execute a privileged function (like adding, changing, or deleting a user). The most recent entry will be at the bottom of the log. If properly configured, the log will show evidence of that account change.

2.11 Alert Audit Record Storage Critically Low

Rationale

In order to avoid the loss of important audit information, it is essential that systems administrators be notified when audit log storage capacity is critically low. DataPower Audit Logging, by default, is local to the appliance (see Section 2.10, “Audit Account Enabling Actions” for more information). As such, the space available for audit logging is critically important. Should the available space become critically low, DataPower will automatically issue an event code for logging, then disable all active services such that no new transactions can be processed.

Configuration

As previously described in Section 2.4, “Send Immediate Threat Alarms,” SNMP traps can be configured to communicate critical events to operations staff, so that appropriate administrative action can be carried out. Configure SNMP monitoring for the event code “0x80400080” (“Audit log space low - using audit reserve space. Shutting down all services.”).

Figure 2-15 Audit log space low.

Additionally, it is a recommended practice to configure a log target for critical events to be sent to off-appliance logging such as syslog. See Section 2.3, “Off-load System Audit Records” for additional details.


TIP—Expanding Audit Log Storage

Establish—and practice—a minimally disruptive procedure for responding to a near out-of-space condition.

Testing Tips

Test alert generation using the Generate Log Event Troubleshooting tool to generate the event “0x80400080”. Then confirm that an SNMP trap was sent to the organization’s monitoring solution.

2.12 Generate Alerts for Audit Failure Events

Rationale

Administrative personnel must be alerted if a system is at risk of failing to process audit logs. SNMP event subscriptions must be configured to send failure-related trap events to an SNMP server. The SNMP server must be configured to notify the personnel responsible for remediating the problem.

Configuration

In order to generate alerts associated with audit failure events, navigate to Administration → Access → SNMP Settings. Configure SNMP Monitoring as described in Section 2.4, “Send Immediate Threat Alarms.” Configure “Trap Event Subscriptions” to include Event Subscriptions that indicate audit log failure by adding the following events: 0x80c0006a, 0x82400067, 0x00330034, and 0x80400080.
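The SNMP subscription above covers the appliance side; the external log target the book keeps recommending needs the same four codes recognized downstream. The following is an added example, not code from the handbook, that scans DataPower-style log lines for those codes. Only the event codes, the two quoted messages, and the numeric UTC timestamp format (Section 2.14) come from the book; the line layout and the sample lines are constructed for the example.

```python
"""Added example, not from the IBM DataPower Handbook: scan DataPower-style
log lines for the audit-failure event codes listed in Section 2.12 and turn
them into alerts a monitoring pipeline can act on."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Event codes the book says to subscribe to (Section 2.12). Descriptions are
# the messages quoted in the book; None where the book gives no message text.
AUDIT_FAILURE_CODES = {
    "0x80c0006a": None,
    "0x82400067": "Audit log space low - using audit reserve space.",
    "0x00330034": None,
    "0x80400080": "Audit log space low - using audit reserve space. "
                  "Shutting down all services.",
}
# Section 2.11: on this code DataPower disables all active services.
SERVICE_SHUTDOWN_CODE = "0x80400080"

# Assumed (constructed) line layout, not the appliance's documented format:
#   <numeric UTC timestamp> [<event code>][<category>][<level>] <message>
LINE_RE = re.compile(
    r"^(?P<ts>\d{8}T\d{6}(?:\.\d{3})?Z)\s+"
    r"\[(?P<code>0x[0-9a-fA-F]{8})\]\[(?P<category>[^\]]+)\]\[(?P<level>[^\]]+)\]\s+"
    r"(?P<message>.*)$"
)


@dataclass(frozen=True)
class AuditAlert:
    timestamp: datetime
    code: str
    level: str
    message: str
    services_shut_down: bool


def parse_timestamp(ts: str) -> datetime:
    """Parse the default 'numeric' UTC format, e.g. 20150330T072434.296Z."""
    fmt = "%Y%m%dT%H%M%S.%fZ" if "." in ts else "%Y%m%dT%H%M%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def parse_line(line: str):
    """Return the fields of one log line, or None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    fields = match.groupdict()
    fields["ts"] = parse_timestamp(fields["ts"])
    fields["code"] = fields["code"].lower()
    return fields


def find_audit_failures(lines):
    """Return an AuditAlert for every line carrying a subscribed event code."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["code"] not in AUDIT_FAILURE_CODES:
            continue
        alerts.append(AuditAlert(
            timestamp=rec["ts"], code=rec["code"], level=rec["level"],
            message=rec["message"],
            services_shut_down=(rec["code"] == SERVICE_SHUTDOWN_CODE)))
    return alerts


def summarize(alerts):
    """Condense the alerts into what an on-call notification needs."""
    return {
        "count": len(alerts),
        "codes": sorted({a.code for a in alerts}),
        "first_seen": min((a.timestamp for a in alerts), default=None),
        "services_shut_down": any(a.services_shut_down for a in alerts),
    }


# Constructed sample log; 0x0000ffff is a placeholder for an unrelated event.
SAMPLE_LOG = """\
20150330T072434.296Z [0x0000ffff][mgmt][notice] user(admin): tid(1234): Successful login
20150330T072501.004Z [0x82400067][audit][warning] Audit log space low - using audit reserve space.
not a log record at all
20150330T073000.120Z [0x80400080][audit][critical] Audit log space low - using audit reserve space. Shutting down all services.
"""

if __name__ == "__main__":
    found = find_audit_failures(SAMPLE_LOG.splitlines())
    for alert in found:
        print(alert)
    print(summarize(found))
```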

Figure 2-16 Audit failure events.

Once you’ve configured Event Subscriptions, you must specify the SNMP server(s) DataPower must notify. On the “Trap and Notification Targets” tab, add all Remote Host Addresses and Remote Ports for the SNMP servers that must receive your trap events.

Figure 2-17 Trap and notification target.

TIP—Log Failover Capability

Ensure that a failover log target is available at all times in order to minimize the loss of log data.


Testing Tips

Review all of the above configurations to ensure that settings are as desired. Then, go to the DataPower Troubleshooting Panel. Use the Generate Log Event capability to generate any trap event subscriptions you wish to test. This will allow an end-to-end test from event to SNMP server to notification recipient.

2.13 Configure NTP Service

Rationale

Accurate time stamps are essential for correlating events and supporting an accurate analysis. Determining the exact time that a particular event occurred on a system is critical when conducting forensic analysis and investigating system events. Time reference precision may be achieved on the appliance by configuring several approved NTP servers.

Configuration

In order to configure the DataPower appliance to synchronize internal information system clocks to an authoritative time source (NTP servers), go to Network → Interface → NTP Service. Specify the IP addresses of several approved NTP servers. The refresh interval may be defined at any value between 60 and 86400 seconds.

Figure 2-18 NTP server configuration.

WARNING—External NTP Server Vulnerabilities

Connecting to an external time server represents a potential security vulnerability—especially when the connection is not over TLS. Availability may also represent a point of failure. Many security-conscious sites use internal NTP servers as an alternative.

Testing Tips

Check the system time for the DataPower appliance—and ideally, all those back-end services the appliance connects to. Ensure that the times are in sync. An in-sync condition will bear fruit when system-wide troubleshooting needs to be accomplished. Also, check the DataPower system logs to confirm that there are no error events related to connections to the NTP server(s).

2.14 Configure the Desired Timestamp Format

Rationale


Time stamps used by the appliance must be in a common, known format in order to provide a common time reference and support log analysis.

Configuration

By default, the DataPower appliance records time stamps for audit records in Coordinated Universal Time (UTC). The following is an example: March 30, 2015 followed by the number of milliseconds since January 1, 1970. For example, 20150330T072434.296Z

The timestamp format may be reconfigured using the “timestamp” CLI command. For example: timestamp {numeric | syslog}

“numeric” is the UTC format, while “syslog” is the syslog timestamp format.

Testing Tips

Go to Status → View Logs → Audit Log to display current timestamped log entries.

2.15 Generate an Alert if Appliance Configurations Are Changed

Rationale

An essential step in protecting the appliance from unauthorized access and attack is the configuration of alerts that indicate unauthorized configuration changes. On the DataPower appliance, this may be accomplished by sending appropriate SNMP trap events to an SNMP server that is configured to provide notifications.

Configuration

In order to generate alerts associated with changed configurations, navigate to Administration → Access → SNMP Settings. Configure SNMP Monitoring as described in Section 2.4, “Send Immediate Threat Alarms.” Configure “Trap Event Subscriptions” to include Event Subscriptions that indicate configuration change(s). These events may be added and deleted on an ad hoc basis. The “Select Code” button allows for browsing available event codes. For a complete reference to DataPower log messages, event codes, and audit events, see: https://ibm.biz/Bd4pkj.

TIP—Selection of Traps and Notification Targets

Work with your security officer in order to best identify trap events, threat patterns, and notification.

Testing Tips

Go to the DataPower Troubleshooting Panel. Use the Generate Log Event capability to do a test generation of any trap event subscriptions you wish to test. This will allow an end-to-end test from event to SNMP server.


2.16 Protecting Audit Information

Rationale

System events related to functioning of the appliance, user access, configuration changes, firmware changes, and to a lesser extent, metadata, are commonly referred to as audit data.

All appliance activity, regardless of the application domain in which it occurs, is recorded via logging in the default domain. As such, restricting access to the default domain achieves the objective of securing this type of data. Audit logs provide a history of all administrative activities that occur on the appliance. The audit log is separate from the standard DataPower application logs.

Adequate auditing supports the enforcement of access restrictions against changes to the device configuration. Audit logging can provide the ability to identify attempted attacks. A complete audit trail will also be invaluable for forensic investigation leading to appropriate after-the-fact actions.

If audit data is compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity will be difficult, if not impossible, to achieve. In addition, unsecured access to audit records provides information an attacker could use to his or her advantage.

To ensure the veracity of audit data, the information system and/or the network device must protect audit information from any and all unauthorized access, including read access.

TIP—Limit Access to the Default Domain

Audit logs can be accessed from the default domain. Best practice states that the default domain should only be accessed by the appropriate privileged users.

TIP—Production Audit Log External Target

In order to prevent audit log data loss, all audit logging should be sent to an appropriately secured external log target.

Configuration

By default, the DataPower appliance logs the execution of all privileged functions. The audit log is enabled by default. To configure, see Section 2.10, “Audit Account Enabling Actions.”

To limit default domain access to only privileged users, log in to the default domain, then go to Administration → Access → User Account. Select a previously defined non-privileged user account, such as a guest user account. Verify that Access Level is set to “Group Defined” and that the user is the member of an appropriate non-privileged group. Click the “…” button next to the User Group field. Enter */default/*?Access=NONE into the Access profile field. Add → Apply → Apply → Save Configuration (see Figure 2-19).

Figure 2-19 Configure User Group.

Alternatively, a more granular approach can be taken which allows access to the default domain, but limits access to DataPower’s built-in audit log data and configuration, as well as log targets and locally logged data. To implement this alternative approach, appropriate user groups would have the following Access profiles added.

Listing 2-1 More granular Access profiles for limiting access to audit data.

*/*/file/audit
*/*/logging/audit-log?Access=r
*/default/file/logtemp?Access=NONE
*/default/logging/target?Name=ISSMLogTarget&Access=r

These Access profiles have the following effects:

*/*/file/audit
Limits access to the “audit:” directory of each application domain, including default.

*/*/logging/audit-log?Access=r
Provides for read-only access to the DataPower Audit log configuration settings.

*/default/file/logtemp?Access=NONE
Makes the logtemp: directory of the default domain invisible to users in the affected groups. The logtemp: directory is a common place to write custom log file data on the appliance. Local logs might also be written to the RAID array. Include an additional Access profile for each directory/location to which log files are written.

*/default/logging/target?Name=ISSMLogTarget&Access=r
Makes the log target configuration read-only. In this case the log target is named ISSMLogTarget. There would be one such Access profile for each log target definition that is to be protected.

TIP—Remotely Logged Data

Audit data that is written to locations outside of the DataPower appliance (NFS drives, SFTP, syslog, etc.) must be secured both during transmission and at rest.

Testing Tips

Log in to the DataPower appliance as a user with limited audit data access. Confirm that the user’s ability to access the audit log, specific log targets, and the logtemp: directory is, indeed, restricted.

TIP—Use Local User Accounts and Groups to Simplify Access Profile Configuration

Use of local login accounts mapped to local user groups simplifies the development and testing process of user groups and related access profiles. This can readily be accomplished using an instance of DataPower Virtual Edition specifically designated for RBM configuration/testing. This virtual instance can then be shut down when not in use, so that this Virtual Edition license can be used for other virtual instances.

2.17 Password Policy

Rationale

An enterprise should have a password hardening policy for local accounts on servers. This protects the integrity of the system by making user accounts less vulnerable to brute force and dictionary attacks.

Configuration

To create a password policy on DataPower, type RBM in the WebGUI search bar → RBM Settings → Password Policy tab. Below are suggested values, but always check with your security organization for their corporate standards.

Minimum Length – 15 characters
Require Mixed Case – On
Require Non-Alphanumeric – On
Require Digit – On
Disallow Username Substring – On (password cannot contain the username)
Enable Aging – On
Maximum Password Age – 90 days
Disallow Password Reuse – On
Reuse History Size – 5 (user cannot reuse last five passwords)
Password Hash algorithm – sha256crypt

(See Figure 2-20)

Figure 2-20 Password policy configuration.

TIP—Password Policies

The above password attributes are the recommended settings for all users accessing the DataPower system. Password Minimum Length can be adjusted down slightly, but should always be greater than 8 characters.
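To see what the suggested policy values actually reject before trying them against a temporary account on the appliance, here is an added example (not the handbook's or IBM's code) that implements the rules listed above independently. The appliance's own enforcement logic is not reproduced; sha256crypt is not in the Python standard library, so the reuse-history check keeps salted SHA-256 digests as a labelled stand-in, and the case-insensitive username comparison and the ISO-date inputs are assumptions of the example.

```python
"""Added example, not from the IBM DataPower Handbook: an independent checker
for the Section 2.17 password policy values (minimum length 15, mixed case,
non-alphanumeric, digit, no username substring, 90-day aging, last-5 reuse)."""
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Union


@dataclass(frozen=True)
class PasswordPolicy:
    """Defaults are the suggested values from Section 2.17."""
    minimum_length: int = 15
    require_mixed_case: bool = True
    require_non_alphanumeric: bool = True
    require_digit: bool = True
    disallow_username_substring: bool = True
    enable_aging: bool = True
    maximum_password_age_days: int = 90
    disallow_password_reuse: bool = True
    reuse_history_size: int = 5


SUGGESTED_POLICY = PasswordPolicy()


@dataclass
class AccountRecord:
    """Stored state for one local account; history holds digests, newest first."""
    username: str
    salt: bytes
    history: List[str] = field(default_factory=list)
    set_on: Optional[date] = None


def _digest(password: str, salt: bytes) -> str:
    # Stand-in for sha256crypt: salted SHA-256, used only to compare history.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def _as_date(value: Union[date, str]) -> date:
    # Accept a date or an ISO-8601 string such as "2015-03-30".
    return date.fromisoformat(value) if isinstance(value, str) else value


def check_password(policy, username, candidate, record=None):
    """Return the violated rules; an empty list means the password complies."""
    problems = []
    if len(candidate) < policy.minimum_length:
        problems.append(f"fewer than {policy.minimum_length} characters")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if policy.require_mixed_case and not (has_lower and has_upper):
        problems.append("missing mixed case")
    if policy.require_non_alphanumeric and all(c.isalnum() for c in candidate):
        problems.append("missing non-alphanumeric character")
    if policy.require_digit and not any(c.isdigit() for c in candidate):
        problems.append("missing digit")
    # Assumption: the username-substring rule is applied case-insensitively.
    if policy.disallow_username_substring and username.lower() in candidate.lower():
        problems.append("contains the username")
    if policy.disallow_password_reuse and record is not None:
        recent = record.history[: policy.reuse_history_size]
        if _digest(candidate, record.salt) in recent:
            problems.append(f"reuses one of the last {policy.reuse_history_size} passwords")
    return problems


def set_password(policy, record, candidate, today):
    """Enforce the policy, then store the new digest and the change date."""
    problems = check_password(policy, record.username, candidate, record)
    if problems:
        raise ValueError("; ".join(problems))
    record.history.insert(0, _digest(candidate, record.salt))
    del record.history[policy.reuse_history_size:]   # keep only the last N
    record.set_on = _as_date(today)


def password_expired(policy, record, today) -> bool:
    """True when aging is on and the password is older than the maximum age."""
    if not policy.enable_aging or record.set_on is None:
        return False
    age = _as_date(today) - record.set_on
    return age > timedelta(days=policy.maximum_password_age_days)


if __name__ == "__main__":
    account = AccountRecord("jdoe", b"constructed-salt")   # constructed sample
    print(check_password(SUGGESTED_POLICY, "jdoe", "short1!"))
    set_password(SUGGESTED_POLICY, account, "CorrectHorse!Battery42", "2015-01-01")
    print(check_password(SUGGESTED_POLICY, "jdoe", "CorrectHorse!Battery42", account))
    print(password_expired(SUGGESTED_POLICY, account, "2015-04-02"))
```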

Testing Tips

To test, create a temporary user account. When setting the user password, try to violate the above password policy rules by entering a non-compliant password combination, then Next and Commit. DataPower should enforce the attributes set in the password policy and display an error message.

2.18 NIST SP 800-131a and FIPS 140-2 Compliance

Rationale

SP 800-131a is a recommendation that was developed by the National Institute of Standards and Technology (NIST). It requires long key lengths and strong cryptographic algorithms. Protection of a cryptographic module within a security system is necessary to maintain the confidentiality and integrity of the information secured by the module.

NIST issues standards and guidelines that address security and interoperability requirements of US Federal Government users. These standards are known as Federal Information Processing Standards (FIPS). Specifically, the FIPS 140-2 standard requires that products such as DataPower use FIPS-approved key management technology and processes in the production and control of private/secret cryptographic keys.

Unapproved mechanisms that are used for authentication to the cryptographic module are not verified and therefore cannot be relied upon to provide confidentiality or integrity, and data may be compromised. Network devices utilizing encryption are required to use FIPS-compliant mechanisms for authenticating to cryptographic modules.

TIP—NIST SP 800-131a Compliance

See the DataPower Knowledge Center for more details on configuring NIST SP 800-131a compliance: https://ibm.biz/Bd4uBD.

Commonly, the client that is connecting to the DataPower gateway is outside of your organization’s control. Confirm that the client can support the protocols and ciphers that are configured for the SSL Server Profile to ensure that the organizations will be able to exchange messages.

As previously described, a component of DataPower’s client-side processing is the SSL/TLS negotiation and decryption of the data stream. Organizations will frequently require compliance with the Transport Layer Security (TLS) requirements identified in NIST Special Publication (SP) 800-52. Specifically, NIST SP 800-52 requires that TLS 1.1 be configured with FIPS-based cipher suites as the minimum appropriate secure transport protocol and recommends that agencies develop TLS 1.2 migration plans by January 1, 2015.

TIP—NIST SP 800-52 Revision 1

See the NIST publication site for more details on the NIST SP 800-52 requirements: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf.

See the IBM Knowledge Center page at https://ibm.biz/BdXRae for more information. With respect to FIPS compliance, DataPower firmware can run in two different modes:

Permissive: In permissive mode, the appliance’s cryptographic behavior is the same as it was in DataPower firmware before 6.0.1.0. Various algorithms that are banned in FIPS 140-2 are still supported in this mode.


FIPS 140-2 Level 1: FIPS 140-2 is a US government computer security standard that is used to accredit cryptographic modules. In this mode, the main task of the DataPower firmware does all of its cryptography by using a cryptographic software module that is validated to FIPS 140-2 Level 1. The alternative is to go through the NIST publication and attempt to configure to compliance manually. Of course, this approach is more likely to result in human error, and should be tested more carefully after implementation.

TIP—FIPS 140-2 Security Levels

The FIPS 140-2 standard covers the security requirements for cryptographic modules: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

There are 4 increasing security levels defined (1–4) for cryptographic modules. Levels 1 through 3 are applicable to DataPower appliances in their various form factors.

Level 1 – Provides the lowest level of security for a cryptographic module, meaning that at least one approved algorithm or approved security function will be used. Both DataPower physical and Virtual Edition form factors have the capability to meet this specification.

Level 2 – Requires that tamper-evident features be employed, such as a tamper-proof case, tamper-evident coatings, and pick-resistant locks. The DataPower physical form factor meets this requirement. Note: DataPower Virtual Edition does not meet this requirement, as this is dependent on the hardware on which the Virtual Edition is installed.

Level 3 – Requires a tamper-evident physical security mechanism, such as a Hardware Security Module (HSM). Note: as of firmware version 7.2.x, only the physical DataPower form factor offers this HSM protection. Firmware version 7.5.x supports a network HSM for both physical and virtual appliances.

Configuration

In order for DataPower to operate in the most secure cryptographic mode in any form factor, e.g. appliance, virtual, cloud, etc., type Crypto Tools in the WebGUI search bar → Crypto Tools → Set Cryptographic Mode → FIPS 140-2 Level 1 → Set Cryptographic Mode button. This configuration is shown in Figure 2-21.

Figure 2-21 Setting FIPS 140-2 Level 1 cryptographic mode.


The appliance is now set to use the FIPS 140-2 Level 1 algorithms and key lengths; however, you must reload the firmware for these changes to take effect. To accomplish this, in the default domain → Control Panel → System Control → Shutdown → Reload Firmware → Shutdown button. This configuration is shown in Figure 2-22. The appliance will reload the firmware without shutting the appliance down.

Figure 2-22 Reload appliance firmware.

WARNING—Operating in FIPS 140-2 Level 1 Mode

When you set the mode to FIPS 140-2 Level 1 mode, you must understand the following:

FIPS 140-2 Level 1 mode removes support in the firmware’s main task for MD2, MD4, MD5, RIPEMD160, single DES, RC2, RC4, Blowfish, and CAST because these algorithms are prohibited by the corresponding specification. These algorithms are only available in the firmware’s main task in permissive mode.

FIPS 140-2 Level 1 mode prohibits the use of public keys smaller than 1024 bits.

FIPS 140-2 Level 1 mode requires that the firmware’s main task use a pseudorandom number generator compliant with NIST SP 800-131a and FIPS 140-2.

Any cryptographic hardware cards that are not validated to FIPS 140-2 will have their RSA functionality disabled when the appliance is in FIPS 140-2 Level 1 mode.

In addition, RADIUS authentication is disabled as it requires use of MD5. Kerberos support is also disabled as it may require the use of MD4, MD5, DES, or RC.

For additional detail, see: https://ibm.biz/Bd48AS

If you are using an HSM, in order to configure the appliance for FIPS 140-2 Level 3 mode, use the Command Line Interface (CLI). Enter Crypto Configuration mode by typing “configure terminal” then “crypto”. Next, issue the “hsm-reinit” command with appropriate parameters for your organization’s requirements and follow the resulting prompts. Finally, reboot the appliance by issuing the “shutdown reboot” command.

TIP—hsm-reinit Command

From the DataPower Knowledge Center, search for the “hsm-reinit” command to determine parameter values applicable to your organization. Selection of the most appropriate parameters may involve consultation with your organization’s Security/Information Assurance Officer.


Configuring the appliance for FIPS 140-2 Level 3 mode requires that the appliance have access to a Hardware Security Module (HSM). From the CLI, issue the “show features” command in order to determine your appliance’s support for an HSM.

Testing Tips

To ensure that the change has taken place and the appliance is in FIPS 140-2 Level 1 mode, in the WebGUI search bar enter crypto → select Cryptographic Mode Status. This configuration is shown in Figure 2-23.

Figure 2-23 Viewing Cryptographic mode.

This shows the target cryptographic mode, the current cryptographic mode, and the target cryptographic mode after the next firmware reload.

To confirm FIPS 140-2 Level 3 mode, log in to the CLI using a privileged account and enter “show crypto-engine”. Confirm “Crypto Accelerator Type” is “hsm2”; confirm “Crypto Accelerator Status” is “fully operational”; finally, confirm “Crypto Accelerator FIPS 140-2 Level” is “3.”

TIP—Warning, Will Robinson!!

Normally, the target cryptographic mode is the same as the current cryptographic mode. If they do not match, a log message is displayed in the system logs to indicate the reason. The reason might be that you set the mode to FIPS 140-2 Level 1 mode but the password file still contained MD5 Crypt entries that are not allowed in FIPS 140-2 Level 1 mode. When this happens, the next firmware reload results in a target mode of FIPS 140-2 Level 1 but the current mode remains at permissive.

2.19 PKI Certificate Authentication for Admin Users

Rationale

As part of any login process, authenticated access to a network device requires an approved and assigned individual account identifier. While account IDs and passwords are commonly used to secure access to servers, network devices, and DataPower appliances, enterprises are increasingly moving away from the use of IDs and passwords due to their inherent security limitations. The use of smart cards and/or soft certificates is gaining popularity as providing a more secure means of identifying administrative users. These are based on embedded PKI certificates. To ensure that only the assigned individual is using the account, the user must be bound to a trusted, CA-signed user certificate when PKI-based authentication is implemented.

DataPower’s Role-Based Management (RBM) authentication policy can be configured to use a Validation Credential (ValCred) object that acts as a trust store to include multiple “trusted third party” certificate objects (see Section 3.7, “Define Crypto Validation Credentials and Certificate Revocation Policy”). When a user attempts to log in to DataPower, the ValCred will ensure that, in addition to a user ID and password, the user’s SSL certificate will be confirmed as coming from a trusted certificate authority.

Trusted parties can have their certificates uploaded to a DataPower Validation Credential (trust store) object. As part of the login process, the validation credential is used to authenticate trusted user certificates during the SSL handshake.

Configuration

After the Validation Credential has been loaded with the appropriate certificate, in the WebGUI search bar, go to RBM → RBM Settings → Authentication. Select the appropriate validation credential from the Validation Credentials drop-down. This configuration is shown in Figure 2-24.

Figure 2-24 User Certificate Credential.

TIP—Enhanced PKI-Based Authentication

The user certificate presented from the SSL/TLS connection will be used to authenticate the user. While this approach is superior to using only IDs and passwords, many organizations implement additional processing steps such as lookup of the user (based on the Subject DN in the certificate) in an LDAP directory, as well as retrieving group information. These additional processing steps may be configured by changing the “Authentication method” to “LDAP” or “custom” and are shown in Section 2.20, “Configure Multifactor Authentication for Network Access to Non-Privileged Accounts.”

Testing Tips

Create a “trusted” certificate (either CA or self-signed) and add it to a Validation Credential object. Using an existing user account, attempt to log in to DataPower with a browser that has added the “trusted” certificate. Ensure that this cert has been added to the Validation Credential as a “trusted” CA. The user should be able to log in successfully.

Create a second certificate but do not add it to the RBM Validation Credential. Add this certificate to your browser for this test. An attempt to log in with this certificate should fail.

2.20 Configure Multifactor Authentication for Network Access to Non-Privileged Accounts

Rationale

It is frequently a requirement that non-privileged users must use multifactor authentication in order to assure accountability and prevent unauthenticated access.

Multifactor authentication uses two or more factors to achieve authentication. Factors can include: something you know (password/PIN), something you have (cryptographic identification device, token), and something you are (biometric characteristics).

Authenticating with a smart card’s authentication certificate, then entering the associated PIN, is an example of multifactor authentication. When used in relation to DataPower, that certificate can be used to negotiate an HTTPS connection to the appliance. The certificate presented to DataPower could also be a “soft certificate” embedded in a browser or application on a desktop, laptop, or mobile device.

Configuration

The configuration described here will require multifactor authentication before a user is allowed to log on to the DataPower WebGUI. Authentication for the user will be defined using the appliance’s Role Based Management (RBM) feature. The user’s ID and PWD will be authenticated using an authentication server, e.g., LDAP/AD. Mutual authentication will be configured for the connection between DataPower and the client.

To configure RBM authentication for the user, first assign the user to a single user group possessing the desired access profile. Then, use the WebGUI to go to Administration → Access → RBM Settings. On the Authentication tab, specify a “custom” Authentication method. A custom URL must then be entered pointing to either an XSL stylesheet or GatewayScript file residing on the appliance. The XSL/GatewayScript will receive an XML node at runtime. This node will contain the user’s ID and PWD—as submitted via the user’s WebGUI login page. The script must then authenticate the ID and PWD credentials using an authentication server.

For mutual authentication, DataPower’s WebGUI interface must be configured to require a client-supplied digital certificate. DataPower must also provide its own identification credentials. These two objectives are accomplished as follows: Using the WebGUI, go to Network → Management → Web Management Service. On the Advanced tab, specify “Server Profile” as the Custom SSL Server type.

Figure 2-25 Web Management Service SSL Server Profile.

Add a Custom SSL server profile. Name it. Configure Identification credentials for the appliance. Turn on “Request client authentication” then configure validation credentials for the client, specifying “on” for both “Use CRL” and “Require CRL.” CRL retrieval is configured via Objects → Crypto Configuration → CRL Retrieval. On the “CRL Update Policy” tab, configure CRL retrieval policies. Detailed information on these definitions may be found in Section 3.7, “Define Crypto Validation Credentials and Certificate Revocation Policy.”

Testing Tips

Go to the Troubleshooting Panel. Set the log level to “debug.” This will produce detailed trace information. Confirm that the user’s identity/attributes, Distinguished Name (DN), and DataPower group membership are stored in the configured authentication server. Confirm that the user has access to their digital certificate via a security card reader connected to a laptop/desktop computer.

For the test, the user inserts their card and enters their PIN, then opens a browser and navigates to the DataPower WebGUI. The user provides DataPower with their assigned ID and password. If the user does not gain access to the DataPower appliance, review the DataPower log to examine the details of this connection process.


2.21 Enforcing Administrative User Privileges

Rationale

DataPower appliances will typically have different types of user groups, each with different levels of administrative authority. These different groups should have their permissions defined and enforced in such a manner that there is clear accountability for the execution of administrative functions, compliant with the organization’s governance process.

Configuration

The DataPower functions available to a given user are defined via permissions at the group level, with users being assigned to groups. There are several components to be configured in order to define and enforce group permissions.

First, groups are created and permissions are defined. To configure a user group, go to Administration → Access → User Group in the WebGUI menu and click the “Add” button.

Figure 2-26 Configuring a User Group.

Provide a group name and applicable comments. Group permissions are defined by adding one or more Access profiles. The default access profile allows for read-only access via all network interfaces, for all objects in all application domains. To view the details of the Access profile, click on the Access profile definition (e.g. “*/*/*?Access=r”). This will populate the definition into an editable field.


Figure2-27ViewanAccessprofile.

ClicktheBuildbuttontoseethefullprofiledefinition.

Figure2-28EditinganAccessprofile.

Make appropriate changes in order to define the desired access profile, then clickSave. ThestringrepresentationoftheAccessprofilewillbepopulatedintotheeditablefield.ClickAddtoaddthedefinitiontotheUserGroup.AddadditionalAccessprofilesasrequiredforthegroupdefinition.

TIP—User Group Permission Granularity

Generally, keep your user group permissions as coarse-grained as possible without compromising security: grant each role the smallest set of permissions it needs, but avoid splitting those permissions so finely that defining and testing them becomes unmanageable.

TIP—Access Profile Precedence

As the user works in the DataPower user interface, DataPower continually evaluates the Access profiles configured for their User Group. If multiple Access profiles match the same object with different permissions, the more specific profile (one that names a particular domain, resource type or object) takes precedence over a broader one such as "*/*/*?Access=r". This is what makes the layered profiles later in this chapter work: a read-only baseline for everything, plus full permissions, or NONE, on specific resources. Because an unintended overlap can therefore grant more than you expect, always verify the resulting permissions by logging in as a member of the group.

Second, define how user accounts will be authenticated. See Section 2.7, "External Admin Authenticators," for a discussion of how to configure RBM to make use of a remote LDAP directory.

Third, configure Credential Mapping. If using local users and groups, then the default settings are applicable. It is also possible, however, to define group permissions using an externalized XML file, the AAA Information file. Within the AAA Information File, you can provide user group permissions and mappings of local credentials to LDAP group names. If user accounts are authenticated via LDAP, then their assigned DataPower groups are also normally stored in LDAP. To configure this, click on the Credential-mapping tab on the RBM Settings page.

TIP—AAA Information File

For more information on the AAA Information File format, search the DataPower Knowledge Center for "aaainfo". The schema for this file is located in the store:///AAAInfo.xsd schema file, and a sample AAAInfo file can be found in store:///AAAInfo.xml.

As RBM settings are configured in the default domain, the AAA info file will most commonly be stored in the local: directory of the default domain.

To search an LDAP directory for the user group, select the On radio button for "Search LDAP for group name," and provide the LDAP server information.

Figure 2-29 Configuring LDAP Search for the user's Group name.


Testing Tips

Log into the device as an administrator/privileged user, in the default domain. Confirm that user groups are set up with appropriate permissions (go to Administration → Access → User Group in the WebGUI menu). Next, confirm that user Authentication and Credential Mapping are properly configured in the RBM settings (go to Administration → Access → RBM Settings in the WebGUI menu). Finally, log out and log in again using a previously configured test user account. Confirm that user group permissions (either defined as a local user group, or in the AAA Info file) are being enforced as expected.

TIP—Build and Test Your Permissions Policies Incrementally

Build your local user groups and permissions using locally defined user accounts. Get them working as expected before configuring Role-Based Management (RBM) to get group membership from an LDAP directory. This will dramatically simplify the process of setting up and testing group permissions.

Add permissions to a group one at a time (or just a few), then test the group permissions by logging in with a test user account to make sure you achieved the result you expected.

2.22 Customizing Login and Logout Messages

Rationale

It is frequently necessary to display consent information during the login process, making the user aware that their use of the DataPower appliance is subject to the organization's security policies and procedures. It is also desirable to present the user with a post-logout message so that a management session is not inadvertently left unterminated.

Notification that the user must consent to the policy should be displayed at both the WebGUI login and the CLI login.

Configuration

First, configure a User Interface Customization file. This file must be stored in either the local: or store: directory of the default domain and must be compliant with the store:///schemas/dp-user-interface.xsd schema.

TIP—Logout Messages and Session Timeout

For the logout messages, it will also be necessary to configure an appropriate session timeout as described in Section 2.1, "User Interface Idle Timeouts and Cached Admin Credentials."


TIP—User Interface Customization Documentation

Search the DataPower Knowledge Center for "User interface customization" (this can also be found under the "Administration" documentation section via the menu tree). The documentation also includes a sample template that can be used as the starting point for your custom template. See the Knowledge Center (https://ibm.biz/Bd4wpJ) for the most recent version of this template.

Copy the sample template from the DataPower Knowledge Center to a local file and open the file in a text editor. A copy of the template from the DataPower 7.2 Knowledge Center is shown in the following listing.

Listing 2-2 User Interface Customization Template.

<User-Interface
    xmlns="http://www.datapower.com/schemas/user-interface/1.0">

  <!-- Markup for the prompt extension to command line interface -->
  <CustomPrompt>%s</CustomPrompt>

  <!-- Markup for custom messages for the WebGUI interface -->
  <MarkupBanner type="pre-login" foreground-color="red" background-color="blue">
    WebGUI pre-login message
  </MarkupBanner>

  <MarkupBanner type="post-login" foreground-color="blue" background-color="yellow">
    WebGUI post-login popup message
  </MarkupBanner>

  <MarkupBanner type="system-banner" location="header" foreground-color="green"
                background-color="red">
    WebGUI system message - header
  </MarkupBanner>

  <MarkupBanner type="system-banner" location="footer" foreground-color="blue"
                background-color="yellow">
    WebGUI system message - footer
  </MarkupBanner>

  <!-- If the following markup was outside of comments, the file would not
       conform to the schema. Cannot define multiple system messages as the
       header or footer.
  <MarkupBanner type="system-banner">
    WebGUI system message - header and footer
  </MarkupBanner>
  -->

  <!-- Markup for custom messages for the command line interface -->
  <TextBanner type="pre-login">
    Command line pre-login message
  </TextBanner>

  <TextBanner type="post-login">
    Command line post-login message
  </TextBanner>

  <TextBanner type="system-banner">
    Command line system message
  </TextBanner>

</User-Interface>

The two most commonly updated elements are the MarkupBanner for pre-login and the TextBanner for pre-login.
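The following script is an added example, not code from the handbook or from IBM. It generates a customization file carrying the same consent notice on both login paths and then applies a few sanity checks before the file is uploaded. The element names and namespace come from Listing 2-2; the checks encode only what that listing states (the three banner types, a WebGUI system-banner needing a header or footer location, each location used at most once). Treating a second banner of the same type as an error is the author's assumption. The appliance still validates the file against store:///schemas/dp-user-interface.xsd; this only catches mistakes earlier.

```python
"""Generate and sanity-check a DataPower user-interface customization file.

Added example, not code from the handbook or from IBM. Element names and the
namespace are taken from Listing 2-2; the checks encode only what that listing
states. One banner per type is an assumption, not a documented rule.
"""
import xml.etree.ElementTree as ET

NS = "http://www.datapower.com/schemas/user-interface/1.0"
BANNER_TYPES = {"pre-login", "post-login", "system-banner"}
SYSTEM_LOCATIONS = {"header", "footer"}


def qn(local):
    return f"{{{NS}}}{local}"


def build_customization(webgui_notice, cli_notice, system_header=None):
    """Return the XML for a consent notice on both login paths (bytes, UTF-8)."""
    ET.register_namespace("", NS)
    root = ET.Element(qn("User-Interface"))
    ET.SubElement(root, qn("CustomPrompt")).text = "%s"
    banner = ET.SubElement(root, qn("MarkupBanner"),
                           {"type": "pre-login", "foreground-color": "black",
                            "background-color": "white"})
    banner.text = webgui_notice
    if system_header:   # shown on every WebGUI page, e.g. the environment name
        hdr = ET.SubElement(root, qn("MarkupBanner"),
                            {"type": "system-banner", "location": "header"})
        hdr.text = system_header
    ET.SubElement(root, qn("TextBanner"), {"type": "pre-login"}).text = cli_notice
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def lint_customization(xml_bytes):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != qn("User-Interface"):
        return [f"root element is {root.tag!r}, expected User-Interface in {NS}"]
    seen_locations = set()
    for tag in ("MarkupBanner", "TextBanner"):
        seen_types = set()
        for el in root.findall(qn(tag)):
            btype = el.get("type")
            if btype not in BANNER_TYPES:
                problems.append(f"{tag}: unknown type {btype!r}")
                continue
            if not (el.text or "").strip():
                problems.append(f"{tag} type={btype}: banner text is empty")
            if tag == "MarkupBanner" and btype == "system-banner":
                loc = el.get("location")
                if loc not in SYSTEM_LOCATIONS:
                    problems.append("MarkupBanner system-banner must set location=header or footer")
                elif loc in seen_locations:
                    problems.append(f"MarkupBanner: more than one system-banner for the {loc}")
                else:
                    seen_locations.add(loc)
            elif btype in seen_types:
                problems.append(f"{tag}: more than one {btype} banner (assumed invalid)")
            seen_types.add(btype)
    return problems


# Constructed file that breaks the rule spelled out in the Listing 2-2 comment.
BROKEN_EXAMPLE = (
    b'<User-Interface xmlns="http://www.datapower.com/schemas/user-interface/1.0">'
    b'<MarkupBanner type="system-banner" location="header">PROD</MarkupBanner>'
    b'<MarkupBanner type="system-banner" location="header">Gateway 1</MarkupBanner>'
    b'<MarkupBanner type="system-banner">Header and footer</MarkupBanner>'
    b'</User-Interface>'
)

if __name__ == "__main__":
    notice = "Authorized use only. Activity on this appliance is monitored and logged."
    good = build_customization(notice, notice, system_header="PRODUCTION gateway")
    print(good.decode())
    print("good file problems:", lint_customization(good))
    print("broken file problems:", lint_customization(BROKEN_EXAMPLE))
```

Run it, inspect the printed XML, and upload only a file for which the lint returns an empty list; the broken sample shows the two errors the Listing 2-2 comment warns about.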

TIP—Uses for the Custom User Interface File

This file can be used to provide useful custom interface displays for pre-login and post-login. It can also provide a system-banner that displays on each WebGUI screen. For the format of this file, see: https://ibm.biz/Bd4pkE

To configure the User Interface to make use of the UI customization file, go to Administration → Device → System Settings and scroll to the bottom of the page. Use the Upload… tool to upload the file to the local: directory of the default domain.

Figure 2-30 Configuring System Settings to use a custom user interface file.

Apply your changes, save the configuration and log out. You should see your WebGUI pre-login message displayed on the login form.

Figure 2-31 WebGUI login form with pre-login message displayed.


Figure 2-32 CLI login prompt with pre-login message displayed.

Testing Tips

In order to confirm the custom UI's appearance, log in to both the WebGUI and the CLI. To confirm logout of a web session and of an SSH command line session, log out of each. Upon logout from the WebGUI, the DataPower appliance should display your custom WebGUI login page, including your organization's usage message.

2.23 Capturing System Event Data with Log Targets

Rationale

Organizations will frequently wish to generate a consistent set of system-level logging events, independent of the processing for any specific type of message. Examples of these system events include certificate expiration, appliance reboot, and modifications to the Role-Based Management configuration.

Configuration

Access the default domain as a user with appropriate administrative permissions. To add a log target, go to Objects → Logging Configuration → Log Target and click Add. Provide a log target name and configure the type of log target that you want to create, e.g. File, Syslog, etc.


Figure 2-33 Sample Local Log Target Configuration.

Next, configure the various filters and subscription events that you want to capture in your log target. For example, a common Event Subscription Filter includes the events in the following listing.

Listing 2-3 Commonly logged events.

0x00330002 (Memory full)
0x00340017 (Service removed from port)
0x00350016 (Service installed on port)
0x00360026 (Domain is down)
0x00530001 (Network error)
0x01a30002 (Restart due to low memory)
0x01a30015 (Out of memory)
0x01b20002 (HSM is uninitialized)
0x01b6000c (Certificate is about to expire)
0x02220004 (System battery missing.)
0x02220005 (System battery failed.)
0x02220006 (Power supply AC is not connected)
0x02240002 (Internal cooling fan has slowed)
0x02b30002 (DNS lookup failed.)
0x02c30005 (Maximum number of failed logins.)
0x02c30008 (Lockout due to number of failed logins)
0x02c60002 (Configuration added)
0x02c60003 (Configuration deleted)
0x02c60004 (Password changed)
0x03120015 (Insufficient disk space on RAID volume)
0x03130040 (Unauthorized inbound message)

In addition to Event Filters, it is also common to configure Event Subscriptions, for example all Event Categories at the Error level and above, plus all Audit events at the Info level and above.

Figure 2-34 Sample Event Subscriptions.

TIP—Selecting Events to be Filtered

In order to fine-tune your Event Filters and Subscriptions, configure your log target as type "file" first, before sending logging off of the appliance.

Testing Tips

Your log target can be tested by generating test log events using the Generate Log Event tool on the Troubleshooting Panel, then checking the log target endpoint (e.g. file) to confirm that the event was logged as expected.

2.24 Restricting Access to a Specific Log Target

Rationale

Information System Security Managers (ISSM) may wish to control what types of system events are logged as part of the "common set of system events" as defined for the enterprise/program as a whole.

Configuration

Given an existing log target that is configured with the ISSM's desired event filters and subscriptions (e.g. ISSMLogTarget), create a User Group (e.g. ISSMUsers) that is granted access to that target. Go to Administration → Access → User Group in the WebGUI menu and click the Add button. Update the name field (e.g. ISSMUsers) and add the following Access profiles.

Listing 2-4 ISSM User Group Access Profiles for the ISSM Log Target.

*/*/*?Access=r

*/default/logging/target?Name=ISSMLogTarget&Access=r+w+a+d+x

These access profiles provide group members with read-only access to all application domains and full permissions on the log target named ISSMLogTarget. Alternatively, the ISSMLogTarget Access profile could be added to another, pre-existing user group to which ISSM users already belong.

Finally, modify all other user groups so that other users are limited to read-only access to the ISSM log target. Add the following access profile to the non-ISSM user groups.

Listing 2-5 Non-ISSM User Group Access Profile for the ISSM Log Target.

*/default/logging/target?Name=ISSMLogTarget&Access=r

Next, confirm that Role-Based Management (RBM) is configured to enforce user-group permissions appropriate for ISSM users. To review RBM settings, go to Administration → Access → RBM Settings in the WebGUI menu. Review the settings in each tab.

Testing Tips

Log in to the DataPower appliance as a user that should be part of the ISSM user group and confirm that the user has change access to the ISSM log target. Conversely, log in as a user that should not have change permissions for the ISSM log target. Confirm that the user has only read permissions on the log target configuration.

TIP—Use Local User Accounts and Groups to Simplify Access Profile Configuration

Use of local login accounts mapped to local user groups simplifies the development and testing process for user groups and related access profiles. This can readily be accomplished using an instance of DataPower Virtual Edition specifically designated for RBM configuration and testing. This virtual instance can then be shut down when not in use, so that the product license can be used for other virtual instances.

2.25 Notifications for Logging Failure


Rationale

DataPower system event logging commonly takes place by sending log output either to the local file system or, for a production system, by streaming the log events to a remote logging system such as a syslog server. Operations staff must be notified in the event of a logging failure.

Configuration

Access the default domain as a user with appropriate administrative permissions. Configure SNMP Monitoring as described in Section 2.4, "Send Immediate Threat Alarms." Configure "Trap Event Subscriptions" to capture events commonly associated with system resources (e.g., available disk space, I/O errors). Add the following Event Filters to trap such events.

Listing 2-6 System resource events that can disrupt event logging.

0x00330034 (Low audit disk space)
0x01a40001 (Throttling connections due to low memory)
0x01a30002 (Restart due to low memory)
0x01a30003 (Restart due to resource shortage timeout)
0x01a40005 (Throttling connections due to low temporary file space)
0x01a30006 (Restart due to low temporary file space)
0x01a30014 (I/O error)
0x01a30015 (Out of memory)
0x01a30017 (Restart due to low file descriptor)

TIP—Event Codes

You can see a listing of all event codes by going to Administration → Debug → View List of Event Codes.

Also, between firmware versions, new event codes may be added. It is advisable to periodically review the list of event codes to determine if any new events have been added to DataPower that should be included in the Event Filter configuration for your notification log target. Visit https://ibm.biz/Bd48xW for an up-to-date list of Log messages, Event codes, and Audit events.
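The script below is an added example serving both Section 2.23 and this section; it is not DataPower code. It parses the two event-code listings above, models a log target with the selectors the text describes (an Event Filter of explicit codes, plus Event Subscriptions by category and minimum priority), and reports which of the Listing 2-6 resource-exhaustion codes a target built only from Listing 2-3 would fail to carry. Treating an event as captured when either selector matches is the author's reading of the text, to be confirmed with the Generate Log Event tool; the priority names follow DataPower log output, and the category attached to each sample record is constructed.

```python
"""Predict what a log target captures and whether the notification events get through.

Added example for Sections 2.23 and 2.25; not DataPower code. Capturing an event
when either the code filter or a subscription matches is the author's reading of
the text. Sample categories below are constructed.
"""
from dataclasses import dataclass

PRIORITIES = ("emerg", "alert", "critic", "error", "warn", "notice", "info", "debug")

LISTING_2_3 = """
0x00330002 (Memory full)
0x00340017 (Service removed from port)
0x00350016 (Service installed on port)
0x00360026 (Domain is down)
0x00530001 (Network error)
0x01a30002 (Restart due to low memory)
0x01a30015 (Out of memory)
0x01b20002 (HSM is uninitialized)
0x01b6000c (Certificate is about to expire)
0x02220004 (System battery missing.)
0x02220005 (System battery failed.)
0x02220006 (Power supply AC is not connected)
0x02240002 (Internal cooling fan has slowed)
0x02b30002 (DNS lookup failed.)
0x02c30005 (Maximum number of failed logins.)
0x02c30008 (Lockout due to number of failed logins)
0x02c60002 (Configuration added)
0x02c60003 (Configuration deleted)
0x02c60004 (Password changed)
0x03120015 (Insufficient disk space on RAID volume)
0x03130040 (Unauthorized inbound message)
"""

LISTING_2_6 = """
0x00330034 (Low audit disk space)
0x01a40001 (Throttling connections due to low memory)
0x01a30002 (Restart due to low memory)
0x01a30003 (Restart due to resource shortage timeout)
0x01a40005 (Throttling connections due to low temporary file space)
0x01a30006 (Restart due to low temporary file space)
0x01a30014 (I/O error)
0x01a30015 (Out of memory)
0x01a30017 (Restart due to low file descriptor)
"""


def parse_event_codes(listing):
    """'0x00330002 (Memory full)' lines -> {0x00330002: 'Memory full'}."""
    codes = {}
    for line in listing.splitlines():
        line = line.strip()
        if line:
            code, _, description = line.partition(" ")
            codes[int(code, 16)] = description.strip("()")
    return codes


def at_least(priority, floor):
    """True when `priority` is as severe as `floor` or more so."""
    return PRIORITIES.index(priority) <= PRIORITIES.index(floor)


@dataclass(frozen=True)
class Subscription:
    category: str   # "all" or one category, e.g. "audit"
    priority: str   # minimum priority that is captured


@dataclass
class LogTarget:
    event_filter: frozenset   # explicit event codes (Event Filter)
    subscriptions: tuple      # Subscription objects (Event Subscriptions)

    def captures(self, category, priority, code):
        by_subscription = any(s.category in ("all", category) and at_least(priority, s.priority)
                              for s in self.subscriptions)
        return by_subscription or code in self.event_filter


def codes_not_in_filter(target, required):
    """Codes a notification target must carry (Listing 2-6) but this target's filter lacks."""
    return sorted(c for c in required if c not in target.event_filter)


SYSTEM_TARGET = LogTarget(
    event_filter=frozenset(parse_event_codes(LISTING_2_3)),
    subscriptions=(Subscription("all", "error"), Subscription("audit", "info")),
)

if __name__ == "__main__":
    # Constructed sample records: (category, priority, code)
    samples = [("audit", "info", 0x02c60004), ("network", "warn", 0x00530001),
               ("mgmt", "notice", 0x0aaa0001), ("xmlfirewall", "error", 0x0bbb0002)]
    for cat, pri, code in samples:
        verdict = "logged" if SYSTEM_TARGET.captures(cat, pri, code) else "dropped"
        print(f"{cat:12}{pri:8}0x{code:08x} -> {verdict}")
    missing = codes_not_in_filter(SYSTEM_TARGET, parse_event_codes(LISTING_2_6))
    print("Listing 2-6 codes missing from the filter:", [f"0x{c:08x}" for c in missing])
```

Run against your own exported filter list instead of LISTING_2_3 to see which of the resource events in Listing 2-6 would go unreported; seven of the nine are absent from the Listing 2-3 set, which is why this section configures them separately for the SNMP notification target.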

Testing Tips

Generate test messages using the Generate Log Event tool on the Troubleshooting panel. Confirm that log events are processed by the log target, as expected.

2.26 Configuring Off-Appliance Logging

Rationale


It is a common practice to store log data for DataPower appliances on remote systems, such as a syslog server, in order to consolidate log information from multiple systems, as well as to provide centralized mechanisms for backup and management of log data.

Configuration

Access the default domain as a user with appropriate administrative permissions. To add a log target, go to Objects → Logging Configuration → Log Target and click Add. Provide a log target name and configure the type of log target that you want to create. For remote logging, a common option is to use syslog. Syslog uses UDP by default and is an exceptionally efficient means of sending log data to remote logging systems, but UDP gives neither delivery confirmation nor confidentiality: events can be dropped silently under load and are readable on the wire. A TCP version is also available; prefer it, over a trusted management network, wherever the log data is relied upon for audit.

Figure 2-35 Sample Remote Log Target Configuration.

Next, configure the filters and subscription events that you want to capture at your log target. As previously stated, the Event Filter for common logging events will, in many cases, be the same as that used for local logging purposes. Local logging is often configured to duplicate remote logging in order to provide a measure of redundancy in the event that remote logging is not available (e.g., network issues, or issues with the central remote logging servers). See Section 2.23, "Capturing System Event Data with Log Targets," for a discussion of logging event selection.


Testing Tips

Your log target can be tested by generating a test log event with the Generate Log Event tool on the Troubleshooting Panel, then checking the log target endpoint (e.g., the remote syslog server) to confirm that the event was logged as expected.

2.27 Controlling the Default Domain

Rationale

The default domain houses the DataPower Gateway's central configuration and should be protected against unwanted access.

For example, a DataPower appliance's features and functionality are determined by the specific version of the firmware that is installed and running on the appliance. Thus, the DataPower configuration for proxying and processing various types of requests is dependent on the underlying firmware.

As such, it is desirable to control access to the default domain. In our example, the potential impact on the configuration of the appliance of modifying firmware (upgrading or downgrading) is very disruptive, since it requires an appliance reboot. During a reboot, the appliance is not available for message processing.

This is just one example of many disruptive and damaging acts that can be done (intentionally or unintentionally) by someone who has access to the default domain. If the default domain is not protected from access, it is very common for admin users to make the mistake of changing the configuration there while thinking they are in their application domain.

Configuration

The most direct approach to preventing unauthorized access to the default domain is to restrict access to it. This can be done by adding the following Access profile to the appropriate user groups.

Listing 2-7 Access profile to restrict access to the default domain.

*/default/*?Access=NONE

This Access profile has the effect of making the default domain inaccessible to users in the groups it is added to. Privileged groups would, on the other hand, be permitted access to the default domain.

TIP—Access to User Group Definitions

Go to Administration → Access → User Group in the WebGUI menu in order to maintain user groups.


A more granular approach would be to explicitly allow access to firmware-related management functions for selected user groups, while blocking such access by other groups. To allow access for privileged user groups, the following Access profiles could be configured.

Listing 2-8 Access profiles to allow firmware maintenance.

*/default/device/boot-delete?Access=r+w+a+d+x

*/default/device/boot-image?Access=r+w+a+d+x

*/default/device/boot-switch?Access=r+w+a+d+x

*/default/device/boot-update?Access=r+w+a+d+x

*/default/device/delete-file?Access=r+w+a+d+x

*/default/device/fetch-file?Access=r+w+a+d+x

*/default/device/initialize-raid-volume-filesystem?Access=r+w+a+d+x

*/default/device/move-file?Access=r+w+a+d+x

*/default/device/shutdown?Access=r+w+a+d+x

*/default/file/image?Access=r+w+a+d+x

In addition to Access profiles, the privileged user groups should be configured with the following CLI command groups.

Figure 2-36 CLI command groups to allow firmware modification.

User groups that are not allowed to modify firmware are configured with the following Access profiles.

Listing 2-9 Access profiles to restrict the ability to modify firmware.

*/default/device/boot-image?Access=r

*/default/device/boot-switch?Access=r

*/default/device/boot-update?Access=r

*/default/device/delete-file?Access=r

*/default/file/image?Access=r
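Before testing on the appliance it helps to predict what a group's layered profiles resolve to. The script below is an added example, not DataPower code or IBM documentation: it parses the profile strings used in Listings 2-4 through 2-9 and evaluates them for a given object. The resolution rule it implements (the most specific matching profile wins; equally specific profiles reduce to their common, most restrictive set) is the author's model of the behaviour the chapter's listings rely on, and the client address and group compositions are constructed, so treat its output as a prediction to confirm with a test login.

```python
"""Model of how a DataPower user group's Access profiles resolve for one resource.

Added example for this chapter, not DataPower code. The resolution rule (most
specific profile wins; ties intersect) is the author's model, so verify results
on the appliance with a test login.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

PERMS = ("r", "w", "a", "d", "x")  # read, write, add, delete, execute


@dataclass(frozen=True)
class AccessProfile:
    address: str        # client address pattern; "*" = any network interface
    domain: str         # application domain pattern
    resource: str       # resource type pattern, e.g. "logging/target"
    name: str           # object name pattern from Name=; "*" when absent
    perms: frozenset    # empty set represents Access=NONE

    @classmethod
    def parse(cls, text):
        # Format as shown in the listings: <address>/<domain>/<resource>?Name=..&Access=..
        path, _, query = text.strip().strip('"').partition("?")
        address, domain, resource = path.split("/", 2)
        params = dict(kv.split("=", 1) for kv in query.split("&") if kv)
        access = params.get("Access", "NONE")
        perms = frozenset() if access.upper() == "NONE" else frozenset(access.split("+"))
        if perms - set(PERMS):
            raise ValueError(f"unknown permission in {text!r}")
        return cls(address, domain, resource, params.get("Name", "*"), perms)

    def matches(self, address, domain, resource, name):
        pairs = ((address, self.address), (domain, self.domain),
                 (resource, self.resource), (name, self.name))
        return all(fnmatchcase(value, pattern) for value, pattern in pairs)

    def specificity(self):
        # How many components are pinned down rather than a bare wildcard.
        return sum(p != "*" for p in (self.address, self.domain, self.resource, self.name))


def effective_perms(profiles, address, domain, resource, name=""):
    """Permission set a group with these profiles has on one object."""
    matching = [p for p in profiles if p.matches(address, domain, resource, name)]
    if not matching:
        return frozenset()                       # nothing grants it: denied
    top = max(p.specificity() for p in matching)
    result = None
    for p in matching:
        if p.specificity() == top:
            result = p.perms if result is None else result & p.perms  # tie: intersect (assumption)
    return result


def describe(perms):
    return "NONE" if not perms else "+".join(p for p in PERMS if p in perms)


def group(*lines):
    return [AccessProfile.parse(line) for line in lines]


# Groups assembled from the chapter's listings (group membership is constructed).
ISSM_USERS = group("*/*/*?Access=r",
                   "*/default/logging/target?Name=ISSMLogTarget&Access=r+w+a+d+x")
DEVELOPERS = group("*/*/*?Access=r",
                   "*/default/logging/target?Name=ISSMLogTarget&Access=r",   # Listing 2-5
                   "*/default/*?Access=NONE")                                # Listing 2-7
FIRMWARE_ADMINS = group("*/*/*?Access=r",
                        "*/default/device/boot-image?Access=r+w+a+d+x",
                        "*/default/device/boot-switch?Access=r+w+a+d+x",
                        "*/default/device/boot-update?Access=r+w+a+d+x",
                        "*/default/file/image?Access=r+w+a+d+x")

FIRMWARE_RESOURCES = ("device/boot-delete", "device/boot-image", "device/boot-switch",
                      "device/boot-update", "file/image")


def firmware_capabilities(profiles, address="10.0.0.5"):
    """Firmware-related resources (Listing 2-8) the group can change, not just read."""
    return [r for r in FIRMWARE_RESOURCES
            if effective_perms(profiles, address, "default", r) & {"w", "a", "d", "x"}]


if __name__ == "__main__":
    for label, g in (("ISSMUsers", ISSM_USERS), ("Developers", DEVELOPERS)):
        for dom, res, name in (("default", "logging/target", "ISSMLogTarget"),
                               ("default", "device/boot-image", ""),
                               ("orders", "services/xmlfirewall", "OrdersFW")):
            perms = describe(effective_perms(g, "10.0.0.5", dom, res, name))
            print(f"{label:11} {dom}/{res} {name or '-'}: {perms}")
        print(f"{label:11} can change firmware via: {firmware_capabilities(g) or 'nothing'}")
```

Note what the model predicts for the Developers group: Listing 2-7 blocks the default domain, yet the more specific Listing 2-5 profile still grants read access to ISSMLogTarget. Whether that is what you want is a policy decision; the point is that layered profiles interact, which is why the Testing Tips below insist on logging in as each kind of user.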

Testing Tips

In order to confirm that your access control configuration is set up properly:

Set up two test user accounts: one in a group that is able to update firmware, and one that is not. Next, log in to the appliance's WebGUI as the user who is allowed to upgrade firmware. This user should be able to upload a new firmware file and execute a firmware update. Confirm that this user can also update firmware via the CLI. Finally, using the account that should not be able to update firmware, confirm that such updates are prohibited in both the WebGUI and the CLI.

Summary

In this chapter, we showed twenty-seven items that can be configured to administratively harden an IBM DataPower Gateway appliance.

In the next chapter, Chapter 3, "Message-Level Hardening," we will show steps that can be taken to lock down message traffic flowing through the DataPower appliance.


Chapter 3 Message-Level Hardening

In this chapter, we will cover message/transaction-level hardening for physical and virtual DataPower appliances.

3.1 Validate Inbound Data

Rationale

Often, when application server performance becomes an issue, message validation is the first thing to be sacrificed. Sometimes, eliminating message validation is intended to be a temporary fix for a slow system until the real culprit can be found. We have all been in those stressful situations during peak times, when the production system has slowed to a crawl, executives are demanding remediation, and jobs are on the line. Most times, the "fix" becomes permanent, and message validation is never turned back on. This results in a serious security vulnerability: some of the most common attacks today, such as injection, are enabled by exactly this kind of unvalidated input.

A key value proposition for DataPower is the ability to dramatically accelerate essential security functions such as schema validation and cryptography. Due to DataPower's highly tuned architecture, these functions will perform dramatically better on DataPower than on commodity back-end servers.

Beyond that, stopping an invalid message at the DataPower appliance tier means that the message will never make it to the back-end server to consume computing resources and/or compromise security. DataPower has built-in message checking features in areas such as the XML Parser tab of the XML Manager object. Some basic JSON message settings can be configured in the JSON Settings object. These should always be reviewed and customized to fit the expected inbound and outbound payloads of each message flow. This includes outbound messages as well: if our internal systems become infected, we do not want to send bad messages back to our clients or partners! Schema validation may also act as a warning system that something has gone awry. This includes not only hacking but also problems with new code releases.

Because XML schema validation is usually resource-intensive (particularly when content must be decrypted first), it has not been used in many systems. DataPower has solved that problem using its high-speed crypto and message processing capabilities. JSON was a problem in its early days, before the advent of JSON Schema. Now that it is available, systems should use validation on both XML and JSON messages.

Configuration

In the DataPower WebGUI, type "Processing Policy" in the search bar. Open the Processing Policy for your service. Review each request and response rule to ensure that it contains a Validate action when appropriate. If one is not present, and should be, configure the processing policy to use a Validate action.

Figure 3-1 shows the Validate Action configuration. Notice the choices available. As you might guess, it would be less secure to allow validation based on a schema attribute in the message itself (for example, an xsi:schemaLocation hint supplied by the sender). Unless the message is signed to prevent alteration, validating against a schema the message points to lets an attacker supply a permissive or malicious schema, a schema poisoning attack. Any schema originating outside your secure environment is more susceptible to tampering and corruption than a well-validated, trusted schema that is retrieved directly from the DataPower file system, or from a secure server within your infrastructure.
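The following script is an added example of the selection rule just described; it is not DataPower's Validate action. It reads the sender's schemaLocation hint only to log it, picks the schema from a trusted namespace-to-schema table, and applies a size pre-check standing in for the XML Manager parser limits configured alongside validation. The table, the sample messages and the size limit are constructed; xml.etree only parses here, and handing the chosen schema to a validator is the appliance's job.

```python
"""Select the schema for a Validate step from a trusted table, never from the message.

Added example for the point made above; it is not DataPower's Validate action. The
namespace-to-schema table, the sample messages and the size limit are constructed.
"""
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Only schemas stored on the appliance or on servers you control belong here.
TRUSTED_SCHEMAS = {
    "urn:example:orders:v2": "local:///schemas/orders-v2.xsd",
    "urn:example:inventory:v1": "local:///schemas/inventory-v1.xsd",
}
MAX_BYTES = 1_000_000


def root_namespace(tag):
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def decide(message, trusted=TRUSTED_SCHEMAS, max_bytes=MAX_BYTES):
    """Return ("accept", schema_url) or ("reject", reason) for an inbound XML message."""
    if len(message) > max_bytes:
        return "reject", f"{len(message)} bytes exceeds the {max_bytes} byte limit"
    try:
        root = ET.fromstring(message)
    except ET.ParseError as exc:
        return "reject", f"not well-formed XML: {exc}"
    # The sender's schemaLocation hint is read only so it can be logged; it is never used.
    hint = (root.get(f"{{{XSI}}}schemaLocation")
            or root.get(f"{{{XSI}}}noNamespaceSchemaLocation"))
    namespace = root_namespace(root.tag)
    schema = trusted.get(namespace)
    if schema is None:
        reason = f"no trusted schema for namespace {namespace!r}"
        if hint:
            reason += f"; sender hint {hint!r} ignored"
        return "reject", reason
    return "accept", schema


# Constructed messages. The first points at an attacker-controlled schema.
POISONED = (b'<o:Order xmlns:o="urn:example:orders:v2" '
            b'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
            b'xsi:schemaLocation="urn:example:orders:v2 https://attacker.example/permissive.xsd">'
            b'<o:Id>42</o:Id></o:Order>')
UNKNOWN_NS = b'<Order xmlns="urn:example:orders:v9"><Id>42</Id></Order>'
NOT_XML = b'{"Id": 42}'

if __name__ == "__main__":
    cases = (("poisoned hint", POISONED), ("unknown namespace", UNKNOWN_NS),
             ("json body", NOT_XML), ("oversized", b"<x>" + b"A" * 2_000_000 + b"</x>"))
    for label, msg in cases:
        print(f"{label:18}-> {decide(msg)}")
```

The poisoned message is accepted, but against the local schema for its namespace rather than the attacker's URL; a namespace with no trusted schema is rejected outright instead of falling back to whatever the sender suggests.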

Figure 3-1 Validate Action configuration.

Testing Tips

Configure the Validate Action as prescribed above. In the "Schema URL" field, select an existing schema file or upload a schema file to the appliance by selecting the Upload button. Design test messages based on specific items in the schema. These should test both valid and invalid scenarios. Use an automated testing system (such as LoadUI) to produce repeatable tests, and ensure that in all cases bad messages are rejected and valid messages pass. Test for problem possibilities beyond schema validation, such as unusual message sizes and other problems that can be addressed by configurable XML Manager and JSON settings.


Test cases must be continually updated along with your applications. Up-to-date schemas and testing are an essential part of the application development and deployment lifecycle.

3.2 Use Strong Crypto for Message Traffic

Rationale

Please refer to the discussion in Section 2.18, "NIST SP800-131a and FIPS 140-2 Compliance," about placing the appliance into FIPS 140-2 Level 1 mode. This section will expand upon that setting to show its relevance to message-level traffic.

The National Institute of Standards and Technology (NIST) created Special Publication 800-131A (SP800-131A) to provide guidelines for strong crypto configurations, specifically for transitioning away from algorithms and key lengths that no longer provide adequate security. Some of the basic SP800-131A compliance requirements are:

TLS rather than SSL for transport protection
SHA-256 or stronger hash functions (SHA-1 is disallowed for generating digital signatures)
2048-bit or stronger RSA keys

Configuration

When the appliance is configured for FIPS 140-2 Level 1 mode, as described in Section 2.18, "NIST SP800-131a and FIPS 140-2 Compliance," all protocols and crypto actions will use FIPS-approved configurations.

Testing Tips

Configure an HTTPS Front Side Handler on a service. Submit a test message to the service and then check the logs to ensure that the expected algorithms were used for all crypto operations.

3.3 Secure Logging for Transactions

Rationale

In Section 2.3, "Off-load System Audit Records," we discussed sending system audit records to off-appliance log targets. In this section we discuss more granular logging at an individual transaction level. This type of logging is performed in real time and can contain any type of content that you define. There are two variations of this type of logging: the "log target" approach and the off-appliance approach. Logging of arbitrary information to the system log can be done using XSLT or GatewayScript. Such log records are then written to DataPower's logging event bus and are picked up by appropriately configured log targets.

Alternatively, log messages can be sent to remote services for long-term storage. This can be accomplished by using a Log action in a processing rule. There are several advantages to real-time offloading of message-level log records.


First, it ensures that local storage will not become over-written, a particular concern with message-level logging.

Second, message-level logging can help to ensure that if some kind of catastrophic failure occurs and the device is not recoverable, log records needed for auditing compliance are retained.

Finally, though local logging via the "log target" approach can accept any string of data that you send it, it is intended for logging of transient system events and transactional metadata, not large payloads. In fact, logging via the log-target approach limits the message payload to 1024 characters; any data over that limit will be truncated. The Log Action approach, by contrast, can accept arbitrarily large payloads, limited only by the capacity of the back-end service that receives such messages.

Of course, moving log records, and the sensitive data they contain, often comes with a security risk. Sending application-level log messages to external log targets must be done in a secure manner, and the log messages should be sent over a secure protocol using TLS. Additionally, you may wish to encrypt the message payload, or portions of it, and to mask or omit fields such as credentials and personal data that the log consumer does not need, so that the logging system does not become a second copy of the data you are trying to protect.

Configuration

In the WebGUI, ensure that the appropriate application domain is chosen. Select the existing service object (e.g., Multi-Protocol Gateway) and then choose and edit the processing policy. Drag the Advanced action to the rule, scroll down, select Log Action and click Next. Fill out the parameters for the log action, taking care to specify a secure log destination. See Figure 3-2 for an example.


Figure 3-2 Defining a Log action.

Notice that in this example, the message being logged is whatever happens to be in the input context "PIPE." That content may be the request message that was sent to the service, some portion of it, or arbitrary content that you construct. If you are going to log only a portion of a message (e.g., the payload within a SOAP Envelope), or some arbitrary data (e.g., a JSON or XML node containing metadata about the request), then you will first need to configure an XSLT or GatewayScript action, which writes the data into the context that is then the input to the Log Action.

TIP—Sending Log Messages Asynchronously

Setting the Asynchronous parameter to "on" will allow the multi-step policy to immediately continue processing instead of waiting for a reply from the external log server. Note that the transaction then completes even if the log write fails, so monitor the log destination for gaps whenever these records are required for audit.

Testing Tips

Configure the external log server (or perhaps just a simple loopback proxy on DataPower). Then create some test cases that should cause message logging to occur. Monitor the logs on both sides to ensure that the DataPower logs are properly and securely transmitted to the remote server. Make sure that the logs on the external server contain the expected message content.

3.4 Configure Individual and Group Authentication Methods

Rationale

DataPower appliances providing service proxy functions (e.g., proxying Web Applications, Web Services, and Web APIs) must commonly identify and authenticate organizational users (or processes acting on behalf of organizational users). Identifying individual users and/or system-level user accounts is an integral component of determining whether DataPower should allow a request to be processed or rejected.

It is essential that users and services that send request messages to the appliance be appropriately authenticated and authorized. The DataPower appliance's AAA Policy (Authentication, Authorization, Audit) provides a wide range of capabilities for preventing the misuse and compromise of both the appliance and the organizational assets it supports. A well-considered AAA Policy must be applied to all users and services that connect to the appliance as a gateway to back-end resources.

TIP—Credentials Mapping

Credentials from the AAA Policy authentication phase may be mapped to a format that is congruent with your back-end authorization method. For example, you can map an authenticated name and password for an account to an LDAP group. For additional information see: https://ibm.biz/Bd4pky

Configuration

In order to configure individual and group authentication methods, navigate to Objects → XML Processing → AAA Policy. Add (or open an existing) AAA policy. This AAA Policy is then used by an AAA Action configured as part of a rule that is, in turn, part of a service's processing policy. At a minimum, an AAA Policy requires configuration of three major processing steps: Identity Extraction, User Authentication, and User Authorization. On the main tab, specify those parameters required to support your intended authentication process. On the Identity extraction tab, check those methods of identity extraction that will provide what your authentication server requires.


Figure 3-3 AAA Policy: Identity Extraction tab.

On the Authentication tab, specify all parameters associated with your desired authentication method (e.g., LDAP).

TIP—Centralized User Validation

User account and privilege validation must be centralized in order to prevent unauthorized access using changed or revoked privileges. Centralized management of privilege validation (e.g., Active Directory or LDAP) is key to ensuring that privileges are both protected and carefully managed. Exclusively on-box privilege validation should only be used in a development environment.

Page 78: IBM DataPower Handbook - pdf.ebook777.compdf.ebook777.com/030/9780997219623.pdfIBM DataPower Handbook Second Edition ... , or both: IBM, the IBM logo, IBM Press, CICS, Cloudscape,

Figure3-4AAAPolicy:Authenticationtab.

TIP—AvailableAuthenticationandAuthorizationMethods

DataPowerprovidesalargenumberofmethodsforimplementingcentralizedauthenticationandauthorizatione.g.,LDAP,ClearTrust,IBMSecurityAccessManager,Siteminder,NSS,Oauth,SAML,XACML,WS-Trust,Radius,andKerberos.

On the Authentication tab, define the specific external control server that willaccomplishauthentication(e.g.,LDAP).Thenspecifyallparametersassociatedwiththatmethod.GivespecialcaretoensuringasecureconnectiontoyourserverbydefininganSSLClientprofilethatsupportsTLS1.1/1.2.

If there is a requirement for credential mapping, on the Credential mapping tab,specifythemethodandassociatedpolicy.

Figure3-5AAAPolicy:CredentialMappingtab.

Next,clickonthe“ResourceExtraction”tabinordertoconfigurewhich“resource”whichisbeingprotected.

ForSOAPmessages,theresourceiscommonlythe“URIoftoplevelelementinmessage”,as this represents thenamespaceURIof thenameof thechildelementoftheSOAPBodyelement.Whilethenameoftheoperationmaynotbe unique across all of your organization’s SOAP Web Services, thecombinationofthenamespaceandtheoperationnameshouldbeunique.For Web API messages (e.g., REST), the resources to be used are mostcommonly the (1) the “URL sent by client” and (2) the “HTTP operation(GET or POST)”. Note that while the label (and, indeed, the onlinedocumentation) indicates that this operation is either a GET or POST, inpractice, this selection will return whatever the HTTP method is,encompassingallHTTPverbs, asdefined theWorldWideWebConsortium(W3C).
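As an added illustration (not code from the handbook or from DataPower), the following Node.js function derives the SOAP resource identifier described above, the namespace URI of the Body’s first child element combined with its local name, from constructed SOAP envelopes. It resolves namespace prefixes from the declarations in scope rather than trusting the prefix text, and it assumes a well-formed envelope without comments or CDATA sections; a production implementation would use a real XML parser.

```javascript
// Added example, not from the handbook or DataPower: derive the AAA "resource"
// of a SOAP request as {namespaceURI}localName of the first element child of
// the SOAP Body. Assumes a well-formed envelope with no comments or CDATA
// sections (a production version would use a real XML parser).

const SOAP_ENVELOPE_NS = new Set([
  'http://schemas.xmlsoap.org/soap/envelope/', // SOAP 1.1
  'http://www.w3.org/2003/05/soap-envelope',   // SOAP 1.2
]);

// Tokenizer for end tags (group 1) and start tags (group 2 = qualified name,
// group 3 = raw attribute text, group 4 = "/" when self-closing).
const TAG = /<\/([^\s>]+)\s*>|<([A-Za-z_][\w.:-]*)((?:\s+[^\s=>]+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*(\/?)>/g;

// Collect the xmlns declarations of one start tag as {prefix: uri};
// the default namespace is stored under the empty-string key.
function namespaceDecls(attrs) {
  const decls = {};
  const re = /(?:^|\s)xmlns(?::([\w.-]+))?\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
  let m;
  while ((m = re.exec(attrs)) !== null) {
    decls[m[1] || ''] = m[2] !== undefined ? m[2] : m[3];
  }
  return decls;
}

// Resolve a prefix against the innermost enclosing declaration. An unbound
// prefix is an error: the resource identity must never be guessed from text.
function resolvePrefix(scopes, prefix) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scopes[i], prefix)) return scopes[i][prefix];
  }
  if (prefix === '') return ''; // no default namespace in scope
  throw new Error(`unbound namespace prefix "${prefix}"`);
}

// Returns {namespace, localName, resource} for the operation element, or null
// when the message has no SOAP Body with an element child.
function extractSoapResource(xml) {
  const scopes = [];   // namespace declarations of the currently open elements
  let bodyDepth = -1;  // scopes.length while the SOAP Body element is open
  TAG.lastIndex = 0;
  let m;
  while ((m = TAG.exec(xml)) !== null) {
    if (m[1] !== undefined) {                       // end tag
      scopes.pop();
      if (bodyDepth !== -1 && scopes.length < bodyDepth) return null; // Body had no child
      continue;
    }
    const qname = m[2];
    const colon = qname.indexOf(':');
    const prefix = colon === -1 ? '' : qname.slice(0, colon);
    const local = colon === -1 ? qname : qname.slice(colon + 1);
    scopes.push(namespaceDecls(m[3]));
    const ns = resolvePrefix(scopes, prefix);
    if (bodyDepth === -1) {
      if (local === 'Body' && SOAP_ENVELOPE_NS.has(ns)) bodyDepth = scopes.length;
    } else if (scopes.length === bodyDepth + 1) {
      // First element child of Body: namespace + local name identify the operation.
      return { namespace: ns, localName: local, resource: `{${ns}}${local}` };
    }
    if (m[4] === '/') scopes.pop();                 // self-closing element
  }
  return null;
}

// Constructed sample requests (not real traffic). Both invoke an operation
// named GetBalance; only the namespace tells the two services apart.
const ACCOUNTS_REQUEST = `<?xml version="1.0"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header><wsse:Security xmlns:wsse="urn:constructed:wsse"/></soapenv:Header>
  <soapenv:Body>
    <acct:GetBalance xmlns:acct="urn:example:accounts"><acct:id>42</acct:id></acct:GetBalance>
  </soapenv:Body>
</soapenv:Envelope>`;

const PAYMENTS_REQUEST = `<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Body><GetBalance xmlns="urn:example:payments"><id>42</id></GetBalance></env:Body>
</env:Envelope>`;

const NOT_SOAP = `<GetBalance xmlns="urn:example:accounts"><id>42</id></GetBalance>`;

console.log(extractSoapResource(ACCOUNTS_REQUEST).resource); // {urn:example:accounts}GetBalance
console.log(extractSoapResource(PAYMENTS_REQUEST).resource); // {urn:example:payments}GetBalance
console.log(extractSoapResource(NOT_SOAP));                  // null
```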

Figure 3-6 AAA Policy – Resource Extraction methods.

TIP—HTTP Verbs

For a full discussion of HTTP Methods, see https://ibm.biz/Bd4wJP

Testing Tips

Go to the Troubleshooting Panel. Set the log level to “debug.” Perform a test run of your authentication scenario by initiating an external request to a DataPower service configured with your AAA Policy. Then, examine the system log to observe the success or failure of each step in the authentication process. For example, was the connecting user’s identity appropriately extracted? An overview of AAA processing steps may be found here: https://ibm.biz/Bd48YE.

TIP—AAA Policies

Build your AAA policies incrementally: first focus on front-side connectivity between a test client and DataPower, then focus on connectivity between DataPower and your back-end server. Confirm the results of each AAA phase using the transaction probe (https://ibm.biz/Bd4wJa) to examine processing results.

3.5 Multifactor Authentication for Network Access to Protected Resources

Rationale

It is frequently a requirement that users access web applications using multifactor authentication, as this form of authentication is generally more secure than ID and Password login. From the web application perspective, multifactor authentication (MFA) helps assure accountability and prevent unauthenticated access.

Multifactor authentication uses two or more factors to achieve authentication. Factors can include: something you know (password/PIN), something you have (cryptographic identification device, token), or something you are (biometric characteristics).

User authentication in many government and private organizations makes use of a smart card which stores a certificate that is linked to a specific user. The certificate is unlocked and made available for use by inserting the smart card (something you have) into a specially designed reader and then entering an access code (something you know).

Once unlocked, the certificate can be used when opening secure connections from the user’s browser to a remote web application. When DataPower is part of the architecture, that certificate would be used to negotiate an HTTPS connection to the appliance. The certificate presented to DataPower could also be a “soft certificate” embedded into a browser or application on a desktop, laptop, or mobile device.

Configuration

DataPower’s AAA framework can use the Client Certificate from the TLS/SSL connection as the authentication token. As was done in Section 2.19 “PKI Certificate Authentication for Admin Users,” start by creating a Validation credential, with an optional Certificate Revocation List Policy, in order to validate the user’s certificate. Next, add an AAA Action to the request processing rule of your service. Configure an AAA Policy to extract the Client Certificate from the SSL Connection in the Identity Extraction tab. Finally, configure the Authentication processing to validate the certificate using the Validation Credential that you configured.

TIP—Additional Authentication Processing

As described above, the certificate is considered trusted if it can be determined that it is still valid (has not expired) and that it is signed by a trusted Certificate Authority. It is commonly required to perform additional checks such as confirming that the Subject DN from the user’s certificate is in a particular LDAP directory and part of a specific group. Such processing can be accomplished in a number of ways. One approach is to add a second AAA Policy, immediately following the first one, in order to extract the Subject DN from the SSL Connection. Then, configure Authentication to search for the Subject DN in a specific LDAP directory. Another approach makes use of GatewayScript or XSLT to accomplish the same objective.

Testing Tips

Go to the Troubleshooting Panel. Set the log level to “debug”. This will generate detailed trace information. Confirm that the user has access to their digital certificate via a smart card reader connected to a laptop/desktop computer.

For the test, the user inserts their smart card, enters their PIN, then opens a browser and connects to a desired DataPower service (e.g. Multi-Protocol Gateway) that is acting as a proxy for a protected Web Application. If the user does not gain access to the backend Web Application via DataPower, review the DataPower log to examine the detailed results of this connection process. Retest the process with a user that does not have a valid certificate to confirm that they are barred from access to the Web Application.

3.6 Configure Replay-Resistant Mutual SSL/TLS

Rationale

Through the use of SSL Client and Server profiles, the DataPower appliance provides protection against man-in-the-middle attacks and the insertion of false information into application sessions. SSL clients and servers that do not support RFC 5746 are vulnerable to man-in-the-middle (MITM) attacks as documented in CVE-2009-3555 (https://ibm.biz/Bd48Vk). Though exceptions can be configured, by default DataPower requires RFC 5746 connections.

A replay attack may enable an unauthorized user to gain access to an application. In this attack, a message is captured and resent. Digital signatures, by themselves, cannot prevent a replay attack because a signed message can be captured and resent (until the signature or attached token expires).

The primary method of defense provided by DataPower is to define mutually authenticated TLS/SSL tunnels, such that messages in-flight cannot be intercepted. This requires two sides to the configuration (mutual authentication): both when DataPower acts as a client and when it acts as a server.

This section discusses how to combat replay attacks by configuring mutual TLS/SSL tunnels. See Section 3.16, “Using Filter Actions to Prevent Replay Attacks” for another method to combat replay attacks.

Configuration

To define mutually authenticated TLS connections when DataPower is the requesting client, go to Objects → Crypto Configuration → SSL Client Profile. Add an SSL Client Profile. Provide a name. Deselect all Protocols except TLS version 1.1 and 1.2. Deselect “Use SNI.” To identify the appliance in a TLS negotiation, choose an appropriate active Identification Credential from the drop down list. If no ID Credential exists for the DataPower appliance, create one. You will need access to the key files you wish to use. (See the following for details on how to do this: https://ibm.biz/Bd48KQ.)

Next, choose an active Validation credential (ValCred) object from the drop down list. If an appropriate ValCred does not exist, you must create one. (See Section 3.7, “Define Crypto Validation Credentials and Certificate Revocation Policy.”) You will need access to the certs for the server you wish to validate. Save the configuration. Use this new SSL Client Profile when configuring a service, such as when a Multi-Protocol Gateway or Web Service Proxy is used to connect (as a client) to other servers. If the remote server will not agree to TLS v1.2 or v1.1, or does not provide a certificate that is validated, the connection will not be established.

To define mutual TLS connections when DataPower is the responding server, the steps are similar to those for the SSL Client with a minor difference at the end. Go to Objects → Crypto Configuration → SSL Server Profile. Add an SSL Server Profile. Provide a name. Deselect all Protocols except TLS version 1.1 and 1.2. Ensure that the Feature, “permit connections to insecure SSL servers”, is not enabled.

On the advanced tab, ensure that “Allow legacy renegotiation” is set to “off.”

Specify the identification credentials that the appliance uses to identify itself. If no ID Credentials exist, create one. You will need access to the key files you want to use. Set “Request client authentication” to On. Choose an active Validation credentials object from the list. If an appropriate ValCred does not exist, you must create one. You will need access to the certs you intend to validate. Save the configuration. Use this new SSL Server Profile when configuring an HTTPS Front Side Handler (FSH). This FSH would be used by a server service—such as a Multi-Protocol Gateway or Web Service Proxy—to accept incoming requests. If the remote client will not agree to TLS v1.2 or v1.1, or does not provide a certificate that is validated, the connection will not be established.

Testing Tips

To verify that DataPower requires mutual authentication when establishing TLS connections to remote hosts, first confirm that the SSL Client and Server configurations are done properly. Then, make sure that these SSL Client and Server profiles have been associated with the intended DataPower services. For example, for a Multi-Protocol Gateway, ensure that:

On the General tab, SSL Type is set to “Client Profile” and the appropriate SSL Client profile is selected; and that in the Front Side Protocol settings, the HTTPS Front Side Handler’s SSL server type is set to Server Profile and SSL server profile is set to a correctly configured profile.

Next, go to the Troubleshooting Panel. Set the log level to “debug.” Perform a test run of your authentication scenario by connecting, over HTTPS, to your SSL-configured DataPower service. Then examine the system log to observe the success or failure of each step in the authentication process.

3.7 Define Crypto Validation Credentials and Certificate Revocation Policy

Rationale

The DataPower appliance provides the ability to define Crypto Validation Credentials that can validate a certificate’s certification path from the end entity certificate to a trusted root certification authority (CA). This capability is key to properly performing the RFC 5280-compliant certification path validation required by TLS/SSL.

DataPower’s certification path validation can include checks such as certificate issuer trust, time validity and revocation status for each certificate in the certification path. Revocation status information for CA and subject certificates in a certification path may be provided via certificate revocation lists (CRLs). Without configuring a local cache of revocation data, there is the potential to allow access to users who are no longer authorized (users with revoked certificates).

DataPower can invoke CRLs, published in a format defined in RFC 3280, that list certificates that are no longer considered valid. DataPower can be configured to retrieve and use these CRLs.

Though not covered here, DataPower also provides the ability to validate using Online Certificate Status Protocol (OCSP).

Configuration

First, set up a CRL Update Policy. From the default domain, type CRL in the WebGUI search bar and go to CRL Retrieval → CRL Update Policy tab. Click Add. Enter the Fetch URL value and click the + icon next to the CRL Issuer Validation Credential. The configuration shown in Figure 3-7 specifies a CRL refresh of every four hours.

Figure 3-7 Certificate Revocation List Update Policy.

Configuring Crypto Validation Credentials provides the foundation for DataPower’s ability to provide RFC 5280-compliant certificate path validation. Here’s how it’s done. Go to Objects → Crypto Configuration → Crypto Validation Credentials. Add a new Crypto Validation Credential. Provide a name. For the certificates parameter, define certificate aliases for the Validation Credential. Each certificate listed here is a Validation Credential object representing the certificate that an SSL peer might send. It is either the certificate of the Certification Authority (CA) that signed the certificate sent by a peer, or the root certificate. Set Certificate Validation Mode to “Full certificate chain checking (PKIX).” Set both Use CRL and Require CRL to “on.” Set CRL Distribution Points Handling to “Require.”

TIP—Require CRL Option

Specifying the “Require” option will result in checks against (but does not fetch) the CRLs in the X.509 CRL Distribution Point extensions. If any CRL in a CRL Distribution Point extension no longer exists in the CRL cache, the certificate validation fails.

Save the new Validation Credential.

Figure 3-8 Crypto Validation Credentials.

Now, the ValCred must be incorporated in an SSL Client Profile (https://ibm.biz/Bd48sk) and an SSL Server Profile (https://ibm.biz/Bd48gM). The process for creating those profiles is described in Section 3.6, “Configure Replay-Resistant Mutual SSL/TLS.”

TIP—Operating in FIPS 140-2 Level 3 Mode

The DataPower Hardware Security Module (HSM) provides secure storage for RSA keys and accelerates RSA operations. The HSM operates in FIPS 140-2 Level 3 mode. It can: accelerate synchronous and asynchronous RSA operations (sign, verify, encrypt, and decrypt); provide encrypted password-based login; generate and store RSA private keys on the HSM; export and import key material among HSM-equipped appliances; as well as delete RSA private keys from the HSM.

Testing Tips

Go to Objects → Crypto Configuration → Crypto Validation Credentials. Confirm that all settings are correct. Once associated with SSL Client and Server Profiles, the Validation Credential will comprise part of the testing described in Section 3.6, “Configure Replay-Resistant Mutual SSL/TLS.”

Create a CRL in the format specified by RFC 3280. Create a certificate to be added to that CRL, thus flagging this certificate as being revoked. Send a message using the “revoked” certificate as part of a two-way SSL connection to a DataPower service (e.g., Multi-Protocol Gateway) configured with an HTTPS front side handler. Configure the Server Profile to make use of a Validation Credential that checks CRLs, and configure a CRL update policy that loads the CRL that you created earlier. Check the DataPower system logs to confirm that the request was rejected due to a revoked certificate.

3.8 Configure PKI-Based Credential Mapping for Message-level Authentication and Authorization

Rationale

Authentication of the sender of a given message – whether that “message” is XML, SOAP, JSON, or an HTTP request from a web browser – has been found to be significantly more secure when the credentials for the user are based on PKI certificates, versus the ID and Password model. Once a requestor – a human user or system account – has been authenticated, then, and only then, can the request be Authorized (i.e., make a yes/no decision regarding whether or not the authenticated user is allowed to perform the action that they are requesting). In its role as an application security gateway, the DataPower appliance’s AAA Policy configuration can ensure that authorization for access to any service is approved and has been assigned an individual account identifier. To ensure that only an assigned individual is using the account, the account must be bound to a user certificate.

Configuration

Through the configuration of an authentication, authorization, and audit policy (AAA), DataPower provides PKI-based user authentication intermediary services that map authenticated identities to the user account. This can be implemented in two ways. For small scale implementations, the DataPower AAA Information File can be used. For larger scale implementations, the mapping of PKI credentials to a mapped credential more commonly takes place via a central authentication/authorization server (e.g., LDAP). The following example makes use of the AAA Information file.

The AAA policy must be configured as follows. In the DataPower WebGUI navigate to Objects → XML Processing → AAA Policy. Add a new policy. On the Main tab, configure all general policy parameters. On the Identity extraction tab, select from the following PKI-based methods to extract the claimed identity of the service requestor: “Subject DN of SSL certificate from connection peer” or “Subject DN from certificate in message signature,” as appropriate for your specific scenario.

Figure 3-9 AAA Policy: Identity Extraction tab.

On the Authentication tab, define the external control server that will accomplish authentication. On the Resource extraction tab, select the appropriate method DataPower should use to extract the requested resource from the request message, e.g., “URL sent by client” or “local name of request element.”

TIP—Credential Mapping

It is frequently useful to map individual credentials (e.g., “CN=Marshall T. Rose,O=Dover Beach Consulting,L=Santa Clara,ST=California,C=US”) to a more generic identifier such as “SYSTEM-USER”. From that point forward in the AAA process, the user is identified as “SYSTEM-USER”, including in the Authorization phase. There are a number of methods available for mapping user credentials, including “Custom” (identifies a custom mapping resource such as a stylesheet or GatewayScript file), “AAA information file” (identifies a DataPower AAA information file, which is an XML file, as the mapping resource), as well as several others.
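The following Node.js example is added here and is not code from the handbook, from DataPower, or from the AAA information file format. It covers the two DN-based steps discussed on this page: the group membership check from the tip in Section 3.5 (an in-memory member list stands in for the LDAP group lookup) and the mapping of an individual Subject DN to a generic identifier such as SYSTEM-USER described above. The group members, the OPS-USER identifier and the mapping table are constructed for the example; the point it makes is that DNs must be canonicalized before they are compared, since different TLS stacks render the same subject with different case, spacing and escaping.

```javascript
// Added example, not from the handbook or DataPower: normalize an X.509 Subject
// DN before comparing it, check it against a group membership list that stands
// in for the LDAP group lookup described in the tip, and map the individual
// identity to a generic one such as SYSTEM-USER. The group and mapping data
// below are constructed for this example.

// Split a DN on commas that are not escaped with a backslash (RFC 4514 syntax).
function splitRdns(dn) {
  const rdns = [];
  let current = '';
  for (let i = 0; i < dn.length; i++) {
    const ch = dn[i];
    if (ch === '\\' && i + 1 < dn.length) {   // keep escape pairs such as "\," intact
      current += ch + dn[++i];
    } else if (ch === ',') {
      rdns.push(current);
      current = '';
    } else {
      current += ch;
    }
  }
  rdns.push(current);
  return rdns;
}

// Canonical DN: attribute types upper-cased, whitespace around "=" and ","
// removed, runs of inner whitespace collapsed, values lower-cased (caseIgnore
// matching). RDN order is kept because it is significant in a DN.
function normalizeDn(dn) {
  return splitRdns(dn).map((rdn) => {
    const eq = rdn.indexOf('=');
    if (eq === -1) throw new Error(`malformed RDN "${rdn}"`);
    const type = rdn.slice(0, eq).trim().toUpperCase();
    const value = rdn.slice(eq + 1).trim().replace(/\s+/g, ' ').toLowerCase();
    if (type === '' || value === '') throw new Error(`malformed RDN "${rdn}"`);
    return `${type}=${value}`;
  }).join(',');
}

// Constructed stand-in for an LDAP group: the DNs that are members of the
// group that is allowed to reach the protected service.
const ALLOWED_GROUP_MEMBERS = new Set([
  'CN=Marshall T. Rose,O=Dover Beach Consulting,L=Santa Clara,ST=California,C=US',
  'CN=Pat Example,OU=Operations,O=Example Corp,C=US',
].map(normalizeDn));

// Constructed mapping table: individual subject DN -> generic identifier used
// for the rest of the AAA process (the role the AAA information file plays).
const CREDENTIAL_MAP = new Map([
  [normalizeDn('CN=Marshall T. Rose,O=Dover Beach Consulting,L=Santa Clara,ST=California,C=US'), 'SYSTEM-USER'],
  [normalizeDn('CN=Pat Example,OU=Operations,O=Example Corp,C=US'), 'OPS-USER'],
]);

// Post-validation step: the certificate chain has already been validated; here
// we require group membership and then hand back the mapped identity.
function authenticateSubject(subjectDn) {
  let canonical;
  try {
    canonical = normalizeDn(subjectDn);
  } catch (err) {
    return { allowed: false, identity: null, reason: err.message };
  }
  if (!ALLOWED_GROUP_MEMBERS.has(canonical)) {
    return { allowed: false, identity: null, reason: 'subject not in required group' };
  }
  const identity = CREDENTIAL_MAP.get(canonical);
  if (identity === undefined) {
    return { allowed: false, identity: null, reason: 'no credential mapping for subject' };
  }
  return { allowed: true, identity, reason: 'ok' };
}

// The same subject as written by a different TLS stack (case and spacing
// differ) still maps to SYSTEM-USER; a look-alike with an escaped comma does not.
console.log(authenticateSubject('cn=Marshall  T. Rose, o=Dover Beach Consulting, l=Santa Clara, st=California, c=US'));
console.log(authenticateSubject('CN=Rose\\, Marshall T.,O=Dover Beach Consulting,L=Santa Clara,ST=California,C=US'));
```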

See Section 3.4, “Configure Individual and Group Authentication Methods” for an expanded discussion on user authentication. For information on the structure of the AAA Information file, see https://ibm.biz/Bd4AWV.

Policy implementation

In order for the defined AAA Policy to become operative, it must be associated with a DataPower service. For example, if using the Multi-Protocol Gateway (MPGW) service, an AAA action must be added to its policy.

Testing Tips

Verify that a DataPower service processing policy includes an appropriately configured AAA policy action.

Once the policy has been associated with a service, test authentication/authorization by sending a request message from an authorized, then an unauthorized user. Examine the log to confirm that the authentication is as expected.

3.9 Configure Device Failure Notification Functions

Rationale

By default, the DataPower Gateway, in the event of a system failure, saves diagnostic information and logs system messages. When restarted, DataPower loads the most current security policies, rules, and signatures, then reverts to Failsafe Mode.

In addition, the DataPower Gateway supports the configuration of optional failure notification functions. These include the following: upload error report, include internal state, background packet capture, background log capture, and background memory trace.

Configuration

To configure these additional failure notification functions, go to Administration → Device → Failure Notification.

Select the capabilities desired.

Figure 3-10 Failure Notification Options.

TIP—Backtrace File

An unscheduled device failure may result in a backtrace file. This file contains diagnostic data which will assist DataPower customer support in debugging the failure. In order to check for a backtrace, from the CLI enter ‘show failure-info’.

Testing Tips

Verify that all desired optional failure notification functions are configured by going to Administration → Device → Failure Notification. To test the notification process, select either “Always On Startup” or “Always On Shutdown”. Then, restart the appliance: On the WebGUI Control Panel, click System Control. At the Shutdown section, select “Reboot System” then click Shutdown.

Log in to the WebGUI after the DataPower appliance reboots and view the configuration. Confirm that the configuration is the one last saved.

3.10 SQL Injection Protection

Rationale

A SQL Injection attack consists of insertion or “injection” of a SQL query via the input data from the client that targets the application. SQL injection is mostly known as an attack vector for websites but also can be used to attack any type of SQL database.

SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

Configuration

To implement this protection in DataPower requires the addition of a Filter action in a processing policy (e.g., in a Multi-Protocol Gateway). The filter action allows the inclusion of an XSLT file that will run on each message processed through the policy rule. This XSLT file references an XML file that outlines the protections to apply in the filter action.

DataPower includes a standard XSLT and XML file in the store:/// directory (SQL-Injection-Filter.xsl and SQL-Injection-Patterns.xml). These files cover most of the SQL Injection attacks known at the time of the firmware release.

As an example, add an SQL injection filter action to a Multi-Protocol Gateway (MPGW) policy. First, add a filter action to one of the MPGW’s policy rules. See Figure 3-11.

Figure 3-11 Add a Filter Action to an MPGW Rule.

Double-click the filter icon that you just added. Enter an XSL file location and file name, e.g., store:///SQL-Injection-Filter.xsl. Click Done → Apply Policy → Close Window → Apply. This configuration is shown in Figure 3-12.

Figure 3-12 Add the SQL-Injection-Filter.xsl to the filter.

Testing Tips

Set up tests that inject SQL code into an XML message and send the message to the DataPower MPGW service. The message should be caught and an error logged. If not, then the SQL-Injection-Patterns.xml file may need to be modified to include this particular attack.

If a known injection attack is not listed in the SQL-Injection-Patterns.xml file, this file may be copied and updated manually by the DataPower system administrator.

TIP—Manually Created Files

Files that are manually created or copied from files in the store:/// directory on DataPower cannot be saved in the store:/// directory. These files must be located in a folder in the local:/// directory.

3.11 Denial of Service (DoS) Attack Mediation

Rationale

Denial of service (DoS) attacks deny service to valid users trying to access services mediated by the DataPower appliance. An attacker might attempt to flood the appliance with requests—rendering its services temporarily unavailable or unusable. Denial of service attacks are problematic because they are easy to achieve and can be anonymous. The DataPower appliance provides multiple avenues of defense against DoS attacks. Mitigating such attacks at the DataPower gateway insulates backend resources from negative impact. One defense is to create access control lists. Access control lists define clauses that identify which IP addresses to allow or deny access to a service. This topic is covered in Section 3.15, “Access Control Lists.”

Installation of content filtering gateways and application layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume, type, or protocol usage. Detection components that use signatures can detect known attacks by using known attack signatures.

Configuration

Employ Message Count Monitors

DataPower Message Count Monitors can be applied to any DataPower object (e.g., the Multi-Protocol Gateway) and can limit the effectiveness of a DoS attack.

A Message Monitor observes traffic that is targeted by a Message Type configuration (which in turn is a collection of Message Matching objects). The Monitor measures only that traffic selected by the Measure field. On the filters page, traffic which meets the filter criteria causes the Monitor to take the corresponding action (which is defined by a Message Filter Action command).

TIP—IPv6 Addresses

Each of these configurations, when enabled, provides full access from all IPv4 addresses. If IPv6 addresses are supported, modify the ACL to include an allow clause for either specific, or all, IPv6 addresses.

In the WebGUI search bar type Message Count Monitor and create a Message Count Monitor with the appropriate values. This monitor can then be applied to any running service object. This configuration is shown in Figure 3-13.

Figure 3-13 Message Count Monitor.

XML DoS – DataPower Service Threat Protection

Each service in DataPower, e.g., MPGW, WSP, etc., contains a built-in Threat Protection capability; for this example we will use an MPGW service object. From the WebGUI search bar, type Multi-Protocol. Click Edit Multi-Protocol Gateway. Select or create a Multi-Protocol Gateway object. Go to the Threat Protection tab.

This tab provides configuration options for the types of XML attacks DataPower protects against: single message XML denial-of-service (XDoS) attacks, multiple message XML denial-of-service (MMXDoS) attacks, padding oracle protection, SQL and XPath injection attacks, protocol threats, XML viruses (X-Virus), and dictionary attacks. The types of XML Threats that are protected in DataPower can be viewed here: https://ibm.biz/Bd4wAy.

AAA – DoS Flooding Attack Valve

Messages may legitimately contain a number of signatures (including reference URIs) that must be validated, e.g., in a SAML token. From the WebGUI search bar, type aaa. Click AAA Policy. Select or create an AAA Policy. Go to Main tab → DoS flooding attack valve parameter. More than a pre-defined number of signatures contained in a message may indicate a DoS Flooding attack is in progress. This type of attack can tie up system resources in their attempt to validate all the signatures.

To prevent this type of attack, you may specify the number of times allowed to perform the same XML processing per user. The AAA policy assumes that more than this value of the same processing is caused by potential DoS flooding attacks. The AAA policy limits the number of times to process the same request. These processes can include encryption, decryption, message signing, or signature verification. These methods designate the allowed number of signatures or signing reference URIs.

The default value is three. This value means that the AAA policy processes only the first three signatures and each signature can contain up to three reference URIs. Additional signatures or reference URIs are ignored. (Note: Currently, only identity extraction with subject DN from certificate in message signature and authorization with signer certificate for digitally signed messages support this setting.) This configuration is shown in Figures 3-14 and 3-15.
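To make the valve rule concrete, here is an added Node.js example (not code from the handbook or DataPower) that applies the "first three signatures, first three reference URIs each" limit to a message before any signature is verified, so that the expensive cryptographic work is never spent on the excess and the trimmed counts can be logged. It assumes XML Signature elements are not nested and scans tags with regular expressions rather than a full XML parser; the signed messages it builds are constructed placeholders, not real signatures.

```javascript
// Added example, not from the handbook or DataPower: apply the "DoS flooding
// attack valve" rule (default 3 signatures, 3 reference URIs each) to a message
// before any signature is verified, so the expensive crypto is never spent on
// the excess. Assumes XML Signature elements are not nested and uses a
// lightweight tag scan rather than a full XML parser.

const DEFAULT_VALVE = 3;

// Start and end tags of ds:Signature under any prefix; "\b" keeps
// SignatureValue and SignatureMethod from matching.
const SIGNATURE_START = /<(?:[\w.-]+:)?Signature\b[^>]*>/g;
const SIGNATURE_END = /<\/(?:[\w.-]+:)?Signature\s*>/g;
// A Reference element and its URI attribute.
const REFERENCE = /<(?:[\w.-]+:)?Reference\b[^>]*?\bURI\s*=\s*(?:"([^"]*)"|'([^']*)')/g;

// List every signature in the message with the reference URIs it carries.
function listSignatures(xml) {
  const signatures = [];
  SIGNATURE_START.lastIndex = 0;
  let start;
  while ((start = SIGNATURE_START.exec(xml)) !== null) {
    SIGNATURE_END.lastIndex = SIGNATURE_START.lastIndex;
    const end = SIGNATURE_END.exec(xml);
    if (end === null) throw new Error('unterminated Signature element');
    const inner = xml.slice(SIGNATURE_START.lastIndex, end.index);
    const references = [];
    REFERENCE.lastIndex = 0;
    let ref;
    while ((ref = REFERENCE.exec(inner)) !== null) {
      references.push(ref[1] !== undefined ? ref[1] : ref[2]);
    }
    signatures.push({ references });
    SIGNATURE_START.lastIndex = SIGNATURE_END.lastIndex; // resume after this signature
  }
  return signatures;
}

// Apply the valve: only the first `limit` signatures, and only the first
// `limit` references of each of those, are handed on for verification.
// ignoredSignatures and ignoredReferences (references trimmed from the kept
// signatures) are returned so the event can be logged as a possible flood.
function applyFloodValve(xml, limit = DEFAULT_VALVE) {
  const all = listSignatures(xml);
  const toVerify = all.slice(0, limit).map((sig) => ({
    references: sig.references.slice(0, limit),
    ignoredReferences: Math.max(0, sig.references.length - limit),
  }));
  const ignoredSignatures = Math.max(0, all.length - limit);
  const ignoredReferences = toVerify.reduce((n, sig) => n + sig.ignoredReferences, 0);
  return {
    totalSignatures: all.length,
    toVerify,
    ignoredSignatures,
    ignoredReferences,
    suspicious: ignoredSignatures > 0 || ignoredReferences > 0,
  };
}

// Constructed message builder (placeholder digests and signature values, not
// real signatures): one ds:Signature per entry, each with that many References.
function constructedSignedMessage(referenceCounts) {
  const signatures = referenceCounts.map((count, s) => {
    const refs = Array.from({ length: count }, (_, r) =>
      `<ds:Reference URI="#part-${s}-${r}"><ds:DigestValue>constructed</ds:DigestValue></ds:Reference>`).join('');
    return `<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>${refs}</ds:SignedInfo>` +
           `<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>`;
  }).join('');
  return `<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">` +
         `<soapenv:Header>${signatures}</soapenv:Header><soapenv:Body><Ping/></soapenv:Body></soapenv:Envelope>`;
}

// A normal token with one signature over two parts passes untouched; a flood
// of four signatures, one carrying five references, is cut back to 3 x 3.
console.log(applyFloodValve(constructedSignedMessage([2])).suspicious);          // false
console.log(applyFloodValve(constructedSignedMessage([2, 5, 1, 1])).suspicious); // true
```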

Figure3-14ConfigureAAADoSFloodattackvalve.

Figure3-15ConfigureAAADoSFloodattackvalve.

PKCS7-MaximumNumberofSignaturestoVerify

AnothertypeofDoSattackwillincludealargenumberofbinarysignaturesinamessage.

Page 92: IBM DataPower Handbook - pdf.ebook777.compdf.ebook777.com/030/9780997219623.pdfIBM DataPower Handbook Second Edition ... , or both: IBM, the IBM logo, IBM Press, CICS, Cloudscape,

This can result in a systemallocating amajorityof its processing toverifyingPKCS#7signatures.

IfamessageflowneedstovalidatePKCS#7signatures,DataPower’sCryptoBinaryprocessingactioncan limit themaximumnumberofsignatures thatcanbeverified inaPKCS#7object.This provides protection against a denial of service attack inwhich anobjectcontaininganexceedinglylargenumberofsignaturesissubmittedforverification.ThedefaultvaluefortheCryptoBinaryactionisten.Theminimumisone;themaximumistwentyfive

ThisfeatureisusuallyemployedasanAdvancedactionwithinaprocessingruleofanMPGW. To examine this configuration, add an Advanced action to an MPGW rule.Double click the Advanced action. Select “Crypto Binary” and click Next to see theconfigurationpanel.

Consider adding a Crypto Binary action to your processing rule and setting theMaximumNumberofSignaturestoVerifyvaluetopreventasignature-basedDoSattack.ThisconfigurationisshowninFigure3-16.

Figure3-16CryptoBinaryAction.

TestingTips

Tochecktheseconfigurations:

XMLDoS

SetupaMessageCountMonitor(seehttps://ibm.biz/BdrFXQ)andsetaratelimitinlinewithexpectedtransactionspersecond(TPS).AttachthisMessageCountMonitor(MCM)

Page 93: IBM DataPower Handbook - pdf.ebook777.compdf.ebook777.com/030/9780997219623.pdfIBM DataPower Handbook Second Edition ... , or both: IBM, the IBM logo, IBM Press, CICS, Cloudscape,

to a pre-defined service object such as a Multi-Protocol Gateway. Send a volume ofmessagesthatexceedtheratelimittotheURLprotectedbytheMCM.Messagesoverthislimit should initiate the action you defined in theMCM action, e.g., Notify, Shape, orReject.

AAADoS

ConfiguretheAAADoSFloodattackvalue(thedefault is three).Createamessagethathasmore than the configuredmaximumnumber of signatures allowed to be processed.Check the log files to validate that the AAA policy only allowed messages with asignaturecountwithinthedefinedlimit.

PKCS#7

Createabinaryobjectandsignthatbinaryobjectanumberoftimesthatisgreaterthanthevalue defined by the Crypto Binary action. DataPower will only verify the number ofsignaturesspecifiedintheMaximumNumberofSignaturestoVerifyfield.

3.12VirusScanning

Rationale

XMLVirusProtection isused tocheckmessagesandattachmentsforembeddedvirusesusinganexternalICAPserver.Thetypesofattacksthatcanbeeliminatedbythisactionare XML virus attacks, XML encapsulation attacks, payload hijack attacks, and binaryinjectionattacks. DataPower integrateswith3rdpartyanti-virus serversover the ICAPprotocol(https://ibm.biz/Bd4ucC).

Configuration

FromtheWebGUIsearchbar,selectthedesiredserviceobject.EdittheStylePolicy,thendraganAdvancedaction toa request rule.Doubleclick theAdvanced icon, thenselectAnti-Virus,andpresstheNextbutton.ThisconfigurationisshowninFigure3-17.

Figure3-17Anti-Virusaction.

Select thetypeofscanningtobeperformedintheAnti-VirusScanType.Select theenterprise anti-virus scanner from thewell-knownproviders.Enter the host name, port,andURIvaluesforthescanner.ThisconfigurationisshowninFigure3-18.

Page 94: IBM DataPower Handbook - pdf.ebook777.compdf.ebook777.com/030/9780997219623.pdfIBM DataPower Handbook Second Edition ... , or both: IBM, the IBM logo, IBM Press, CICS, Cloudscape,

Figure3-18DefiningAnti-virusaction.

TestingTips

Your test environment will need to have an Anti-Virus server that supports the ICAPprotocol. Workwith your security staff to create amessagewith a virus signature andsubmit the message to a DataPower service that is configured to perform Anti-Virusscanning. DataPower will send the message to the defined virus scanner. It shouldidentify the threat signature. Review the DataPower System Logs to confirm that themessagewasrejectedbytheanti-virusscan.

3.13ViewingUserActivityLog

Rationale

Without the ability to select a user session to capture or view, investigations into suspicious or harmful events would be hampered by the volume of information.

Privileged users need access to the audit log in order to evaluate the events that take place on a system, or to send these events to an analytics engine for evaluation.

Configuration


Audit data can be viewed in several ways. First, DataPower’s built-in Audit Log can be viewed by typing “audit log” into the WebGUI search bar and selecting “Audit Log” from the results. Second, a custom log target can be configured that subscribes to audit log data. This data can be stored locally, on the appliance’s RAID array, or remotely (e.g., syslog).

Creating an audit log target in the default domain provides visibility to all user activity captured by audit log events. See Section 2.3, “Off-load System Audit Records” for how to configure Log Targets.

TIP—Object Creation in the Default Domain

DataPower service objects, such as Multi-Protocol Gateway and Web Service Proxy, should not be created in the default domain. The default domain should only be accessed by privileged users. Access by non-privileged users should be restricted to non-default domains.

Testing Tips

To test if the appropriate information is logged, first create a file-based log target, as described above. Next, create a temporary user account. Finally, access the View Logs tool from the Control Panel and select the log target from the Target drop-down list. Then view the user audit log file. The newly created user should be logged. The System Log display is shown in Figure 3-19.

Figure 3-19 User Audit log results.

3.14 FICAM-Issued Profile Support

Rationale

FICAM is the US Federal Government’s implementation of identity, credential, and access management. It is meant to provide a common set of ICAM standards, best practices, and implementation guidance for Federal agencies (see https://ibm.biz/BdrBWx). FICAM is being positioned as a component of federated identity management for US Federal Government agencies. Without conforming to FICAM-issued profiles, the information system may not be interoperable with FICAM-authentication protocols, such as SAML 2.0 or OpenID 2.0. Use of FICAM-issued profiles addresses open identity management standards. The use of the DataPower AAA policy allows authentication of users against FICAM-issued Profiles.

Configuration

In the WebGUI search bar, type AAA. Select the appropriate existing AAA policy, or add a new one. Select the Identity Extraction tab. Click the box next to the ‘Name from SAML Authentication assertion’ entry. This configuration is shown in Figure 3-20.

Figure 3-20 Extract Identity from SAML assertion.

Click the Authentication tab. In the Method drop down, select ‘Accept SAML Assertion with valid signature.’ This configuration is shown in Figure 3-21.

Figure 3-21 SAML Assertion authentication

Testing Tips

Configure your application domain to debug level logging. Configure a DataPower service (e.g., Multi-Protocol Gateway service) with a AAA action, as previously described. Submit to the DataPower service a test request which contains a signed SAML Authentication Assertion. Check the system logs to confirm that the message was processed successfully. Send a SAML assertion with an invalid signature and confirm that the message is rejected by DataPower.

3.15 Access Control Lists

Rationale

Unrestricted traffic may contain malicious traffic that poses a threat to a business or to other connected networks. Additionally, unrestricted traffic may send many messages to a network, consuming bandwidth and other resources.

Implementing access control policies and access control lists on devices that control the flow of network traffic (e.g., application level firewalls and Web content filters) ensures that the flow of traffic is allowed only from authorized sources and to authorized destinations.

The configuration of an access control list (ACL) consists of a sequence of allow and deny clauses. Each clause identifies an IP address or range of addresses that allow or deny access to a service.

Configuration

Type “access control list” in the WebGUI search bar. Select the Entry tab. In the Entry box, click the Add button. Add Allow or Deny access to a range of IP addresses. This configuration is shown in Figure 3-22.

Figure 3-22 Access Control List.

TIP—Using CIDR Notations


The use of Classless Inter-Domain Routing (CIDR) allows easier definition of a range of contiguous IP host and subnet addresses. (https://ibm.biz/Bd4bHX)

TIP—Don’t Rely Exclusively on ACLs

ACLs rely on the IP address of the client computer sending the request. However, IP addresses can be spoofed. Consequently, ACLs should never be used as the only means of authentication. Instead, couple the use of ACLs with additional measures such as two-way SSL.

Testing Tips

Create an address range within your control and add it as an Allow clause, then test. This should allow the IP address to connect to DataPower. Next, add the same range to a Deny clause and retest. This should fail.
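The following is an added example, written for this section and not taken from the handbook or from IBM’s DataPower code, that models an ordered list of allow/deny clauses in CIDR notation and evaluates a client address against it, including the allow-then-deny check from the Testing Tips. The evaluation rules it uses (first matching clause wins, no match or an empty list denies, unparseable addresses deny) are assumptions chosen so the model fails closed; the appliance’s own precedence rules should be confirmed in the product documentation. The sample clauses and addresses are constructed from documentation ranges.

```python
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
AclClause = Tuple[str, Network]


def parse_acl(entries: List[Tuple[str, str]]) -> List[AclClause]:
    """Validate every clause up front: a mistyped action or prefix must fail loudly
    rather than silently widen or narrow access."""
    clauses = []
    for action, prefix in entries:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown ACL action {action!r}")
        # strict=False accepts host bits in the prefix (10.1.2.3/24 -> 10.1.2.0/24);
        # a bare address such as 10.1.2.3 becomes a /32 (or /128) network.
        clauses.append((action, ipaddress.ip_network(prefix, strict=False)))
    return clauses


def evaluate_acl(entries: List[Tuple[str, str]], client_ip: str) -> str:
    """Return "allow" or "deny" for client_ip.

    Evaluation model assumed for this example (verify the appliance's own rules in
    the product documentation before relying on them): clauses are evaluated in the
    order given and the first one whose network contains the client address decides;
    an address matching no clause, an empty list and an unparseable address are all
    denied, so the model fails closed.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return "deny"
    for action, net in parse_acl(entries):
        # An IPv4 clause never matches an IPv6 client and vice versa.
        if addr.version == net.version and addr in net:
            return action
    return "deny"


# Constructed sample ACL: allow a partner range but block one misbehaving host in it.
SAMPLE_ACL = [
    ("deny", "192.0.2.77"),
    ("allow", "192.0.2.0/24"),
    ("allow", "2001:db8:10::/48"),
]

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.77", "198.51.100.5", "2001:db8:10::1"):
        print(ip, "->", evaluate_acl(SAMPLE_ACL, ip))
```

Because the sample puts the host-specific deny clause before the broader allow, ordering matters in this model; placing the same deny after the allow would never be reached. As the TIP above notes, the source address is not an authenticator, so an ACL like this belongs in front of mutual TLS, not in place of it.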

3.16 Using Filter Actions to Prevent Replay Attacks

Rationale

Replay attacks depend upon intercepting legitimate messages, then altering them. A replay attack may enable an unauthorized user to intercept a message, masquerade as the original sender, then gain access to information above their access level.

Techniques used to prevent a replay attack include the AAA Filter action, protocols using nonces (e.g., numbers generated for a specific one time use), and challenges (e.g., TLS). Additional techniques include time-synchronous and challenge response one-time authenticators. Section 3.6, “Configure Replay-Resistant Mutual SSL/TLS” discusses another way to combat replay attacks by configuring mutual TLS/SSL authentication.

Configuration

A Filter action is part of a processing policy for a DataPower service such as a Multi-Protocol Gateway (MPGW) or Web Service Proxy (WSP). The Filter actions available in their policies can be leveraged to prevent replay attacks. This filter uses a directory to cache a selected value from submitted documents. When this value is part of any subsequent request, that request is rejected.

Select the proper service object, such as a MPGW, and edit the Style Policy. Drag the Filter action to the appropriate processing rule. This configuration is shown in Figure 3-23.


Figure 3-23 Adding a Filter action.

Double click the Filter action. Select the Advanced tab → Filter Method. Select Replay Filter. The replay-filter.xsl is automatically entered into the Transform File field. This configuration is shown in Figure 3-24.

TIP—Replay Filter Stylesheet

The replay-filter.xsl file exists in the store:/// directory. Files in this directory cannot be edited. However, they may be copied, augmented, and saved in the local:/// directory.

Figure 3-24 Advanced tab for Filter action.


Next, specify the Replay duration. This parameter specifies that if you see a message with the same credentials within the defined time limit, consider it to be a replay attack and reject it. The default value is 600 seconds.

Finally, provide a custom XPath expression that points to the part of the request document containing the credential information. If you don’t know the XPath expression offhand, you can upload a sample document via the XPath Tool. Select the XML node/element and the XPath statement will be generated for you.

Testing Tips

The scenario to be tested is that the client application (“Alice”) sends a test message to the server (“Bob”). The objective is to confirm that an eavesdropper (“Eve”) cannot intercept the first message, extract credentials, then “replay” those messages at a later date. To do this, first construct a test message (SOAP or XML) that contains user credentials (e.g. a WS-Security User Name Token). Next, set up a DataPower service (e.g. Multi-Protocol Gateway) configured with a Replay Filter, as previously described. Set the replay duration to 60 seconds, for test purposes, and configure the Replay Filter XPath expression to retrieve the user credentials. Set your application domain logging to debug level. Submit the test message to your service, then re-submit it within 60 seconds. Check the logs to confirm that the second submission is rejected by the replay filter.
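As an added example (not the handbook’s own code nor the appliance’s replay-filter.xsl), the following models the replay filter described in this section: an XPath selects a value from each request, the value is cached for the replay duration, and any later request carrying the same value inside that window is rejected. It runs the Testing Tips scenario with a 60 second duration. The sample SOAP message with a WS-Security UsernameToken is constructed for the example; the XPath is limited to the subset ElementTree understands, and the cache is an in-memory dictionary with an injectable clock, both assumptions of this model.

```python
import time
from typing import Callable, Dict, Optional
from xml.etree import ElementTree as ET

# Namespaces used by the constructed sample message.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
NSMAP = {"wsse": WSSE_NS, "soapenv": "http://schemas.xmlsoap.org/soap/envelope/"}

# Constructed test message (sample data only): a SOAP request with a UsernameToken.
SAMPLE_REQUEST = f"""<soapenv:Envelope xmlns:soapenv="{NSMAP['soapenv']}">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="{WSSE_NS}">
      <wsse:UsernameToken>
        <wsse:Username>alice</wsse:Username>
        <wsse:Password>not-a-real-password</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><getBalance/></soapenv:Body>
</soapenv:Envelope>"""


class ReplayFilter:
    """Reject any request whose selected value was already seen within `duration_s`.

    The value selected by `xpath` is remembered until its entry expires; a request
    presenting the same value before then is treated as a replay. `clock` is
    injectable so the 60 second test timeline can run without sleeping.
    """

    def __init__(self, xpath: str, duration_s: float = 600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.xpath = xpath            # restricted to ElementTree's XPath subset
        self.duration = duration_s    # the "Replay duration" parameter
        self.clock = clock
        self._seen: Dict[str, float] = {}   # selected value -> expiry time

    def _select(self, doc: str) -> Optional[str]:
        """Return the text of the node the XPath points at, or None if absent."""
        try:
            root = ET.fromstring(doc)
        except ET.ParseError:
            return None
        node = root.find(self.xpath, NSMAP)
        if node is None or node.text is None:
            return None
        return node.text.strip()

    def _purge(self, now: float) -> None:
        """Forget values whose replay window has elapsed."""
        for value in [v for v, expiry in self._seen.items() if expiry <= now]:
            del self._seen[value]

    def check(self, doc: str) -> bool:
        """Return True to pass the request on, False to reject it."""
        now = self.clock()
        self._purge(now)
        value = self._select(doc)
        if value is None:
            return False        # nothing to track (or not XML): fail closed
        if value in self._seen:
            return False        # same value within the window: replay, reject
        self._seen[value] = now + self.duration
        return True


if __name__ == "__main__":
    f = ReplayFilter(".//wsse:Username", duration_s=60)
    print("first submission accepted:", f.check(SAMPLE_REQUEST))
    print("re-submission accepted:", f.check(SAMPLE_REQUEST))
```

Selecting only the user name, as the Testing Tips do, means every request from that user within the window is rejected, which is fine for the test but not for production; there the XPath should point at a per-message value such as a nonce or created timestamp in the token, so that legitimate repeat requests pass while a captured copy does not.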

3.17 Caching User Authentication and Authorization Results

Rationale

Caching of user authentication and authorization decisions can significantly improve transactional performance by eliminating the need to reprocess authentication and authorization steps with each request. Since the authentication server does not need to be accessed on every request, both network traffic and load on the authentication server can be reduced.

DataPower’s AAA processing is predicated upon having a set of user credentials (presented in a transaction) and a requested “resource”. The resource is the service (e.g. SOAP operation, or REST URI) that the user is attempting to access. The result of AAA processing – permit or deny – can be cached for a defined period of time such that any subsequent request using the same user credentials and requesting the same resource can re-use the previously rendered decision.

However, caching this authentication object for too long could expose the system to exploitation of the cached user information. DataPower can be configured to delete the cache after a specified time period.

In DataPower’s AAA action, a user authentication request can be cached for a set period of time in order to alleviate multiple authentication requests to an external authentication service. Each entry in the cache must have a unique key. When there is a match against a unique key, the cache returns the results from the previous authentication.


Configuration

The steps listed in this section assume the existence of a previously defined AAA Policy that will be used in a service object such as a Multi-Protocol Gateway.

In the appropriate application domain (not the default domain), from the WebGUI search bar, type AAA Policy. Select the existing AAA Policy. Select the Authentication tab. Set the Cache Authentication Results. Set the Cache lifetime value.

TIP—DataPower AAA Caching Modes

Absolute – Caches the results for the period of time that is specified by the cache lifetime. The lifetime is the explicit time-to-live (TTL).

Disabled – Disables caching. The system will not cache results.

Maximum – Compares the explicit TTL to the protocol TTL, if any. The effective TTL is the lesser of the two values. If the explicit TTL is five and the protocol TTL is ten, then the effective TTL is five. Without a protocol TTL, it is equivalent to absolute.

Minimum – Compares the explicit TTL to the protocol TTL, if any. The effective TTL is the greater of the two values. If the explicit TTL is five and the protocol TTL is ten, then the effective TTL is ten. Without a protocol TTL, the effective TTL is equivalent to 86,400. See: https://ibm.biz/BdrEHG

The Cache Lifetime can be set to a value that makes sense for the message flow and external authentication server. This configuration is shown in Figure 3-25.

Figure 3-25 AAA Authentication cache.

TIP—AAA Cache Authentication and Authorization

The cache can be set independently in both the authentication tab and the authorization tab.


Testing Tips

Send a message to the target service that will match a Processing Rule containing the AAA action. Wait longer than the cache value, then resend the same message (with the same user credentials). The log file will show an attempt to contact the authentication service for both requests. Send a third test message to the service within the effective TTL limit. The log file should show that the Authentication decision was retrieved from the AAA cache.
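To make the caching modes in the TIP and the three-request timeline in the Testing Tips concrete, here is an added example written for this section; it is not the handbook’s or IBM’s code and does not reproduce the appliance’s cache implementation. It computes the effective TTL exactly as the four modes are described above (including the 86,400 second fallback for Minimum without a protocol TTL), then caches decisions keyed by a SHA-256 digest of credentials plus resource so no plaintext password is retained in the cache. The credential store standing in for the external authentication server, the user, and the injectable clock are constructed for the example.

```python
import hashlib
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the external authentication service (e.g. an LDAP bind).
# Only a password digest is stored; the values are sample data for this example.
_USERS = {"alice": hashlib.sha256(b"correct-horse").hexdigest()}


def external_authenticate(username: str, password: str) -> bool:
    """Simulated remote authentication: the call the cache is meant to avoid."""
    return _USERS.get(username) == hashlib.sha256(password.encode()).hexdigest()


def effective_ttl(mode: str, explicit_ttl: int, protocol_ttl: Optional[int] = None) -> int:
    """Effective TTL in seconds for the four caching modes listed in the TIP.
    Returns 0 when results must not be cached."""
    if mode == "disabled":
        return 0
    if mode == "absolute":
        return explicit_ttl
    if mode == "maximum":            # the lesser of explicit and protocol TTL
        return explicit_ttl if protocol_ttl is None else min(explicit_ttl, protocol_ttl)
    if mode == "minimum":            # the greater of the two; 86,400 without a protocol TTL
        return 86400 if protocol_ttl is None else max(explicit_ttl, protocol_ttl)
    raise ValueError(f"unknown cache mode: {mode!r}")


class AuthenticationCache:
    """Caches permit/deny decisions keyed by (credentials, resource).

    The key is a digest, so the cache never holds a plaintext password; the TTL
    bounds how long a cached decision can be reused, which is the exposure the text
    above warns about. `clock` is injectable so the test timeline needs no sleeping.
    """

    def __init__(self, mode: str, explicit_ttl: int, protocol_ttl: Optional[int] = None,
                 authenticate: Callable[[str, str], bool] = external_authenticate,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = effective_ttl(mode, explicit_ttl, protocol_ttl)
        self.authenticate = authenticate
        self.clock = clock
        self._entries: Dict[str, Tuple[bool, float]] = {}   # key -> (decision, expiry)
        self.backend_calls = 0   # how often the external service was contacted

    @staticmethod
    def _key(username: str, password: str, resource: str) -> str:
        material = "\0".join((username, password, resource)).encode()
        return hashlib.sha256(material).hexdigest()

    def decide(self, username: str, password: str, resource: str) -> Tuple[bool, str]:
        """Return (permitted, source), where source is "cache" or "backend"."""
        now = self.clock()
        key = self._key(username, password, resource)
        hit = self._entries.get(key)
        if hit is not None and hit[1] > now:
            return hit[0], "cache"
        self._entries.pop(key, None)           # drop an expired entry, if any
        self.backend_calls += 1
        decision = self.authenticate(username, password)
        if self.ttl > 0:
            self._entries[key] = (decision, now + self.ttl)
        return decision, "backend"


if __name__ == "__main__":
    cache = AuthenticationCache("absolute", explicit_ttl=60)
    print(cache.decide("alice", "correct-horse", "/balance"))   # from the backend
    print(cache.decide("alice", "correct-horse", "/balance"))   # from the cache
```

Deny decisions are cached too, matching the text’s statement that the permit-or-deny result is what is stored; in a real deployment that is worth keeping in mind when a user’s password is corrected during the cache lifetime.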

3.18 Configuring Transport Layer Security Consistent with NIST SP 800-52

Rationale

As previously described, a component of DataPower’s client-side processing is the SSL/TLS negotiation and decryption of the data stream. Organizations will frequently require compliance with the Transport Layer Security (TLS) requirements identified in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-52. NIST SP 800-52 requires a minimum protocol of TLS 1.1 configured with FIPS-based cipher suites. NIST recommended that agencies develop migration plans to TLS 1.2 by January 1, 2015.

TIP—NIST SP 800-52 Revision 1

See the NIST publication site for more details on NIST SP 800-52 (revision 1) requirements: https://ibm.biz/BdrF8p.

Configuration

First, ensure that the appliance is operating at the appropriate level of FIPS 140-2 compliance, as described in Section 3.2, “Use Strong Crypto for Message Traffic.” Next, configure an SSL Server Profile (the Security profile used to secure the connection between the client and the DataPower appliance). To add a new SSL Server Profile, log in to your domain via the WebGUI and go to Objects → Crypto Configuration → SSL Server Profile; click the “Add” button.


Figure 3-26 Configure an SSL Server Profile.

Provide an SSL Server Profile name and determine which Protocols to enable. Commonly, SSLv3 and TLS 1.0 are disabled. For full compliance with the NIST SP 800-131a requirement, TLS 1.0 would also be disabled.

TIP—Disable SSL V3 and TLS V1.0

It is a best practice to disable SSL V3 and TLS V1.0 as these cryptographic protocols have been broken and are insecure.

TIP—NIST SP 800-131a Compliance

See the DataPower Knowledge Center for more details on configuring NIST SP 800-131a compliance: https://ibm.biz/Bd4uBD.

Commonly, the client that is connecting to the DataPower gateway is outside of your organization’s control. Confirm that the client can support the protocols and ciphers that are configured for the SSL Server Profile to ensure that the organizations will be able to exchange messages.

Next, configure the “Identification Credentials” by clicking the “+” or selecting an existing Identification Credential object from the drop-down list. The identification credential specifies the Key and Certificate objects that are used to assert the DataPower appliance’s identity during an SSL negotiation.

Next, configure Client Authentication. By default, no client authentication is required. If you want to configure mutual-TLS (also known as two-way TLS or two-way SSL), change the radio button to “on.” You will then be prompted to configure additional items, including specifying the Validation Credential object that will be used to validate the client-side certificates presented during the SSL negotiation (see Section 3.7, “Define Crypto Validation Credentials and Certificate Revocation Policy”).

Figure 3-27 Configure Client Authentication for the SSL Server Profile.

Testing Tips

In the search field, search for “Crypto” and select “Cryptographic Mode Status” from the results. Confirm that the “Target” value is set to “FIPS 140-2 Level 1.”

Next, search for “SSL Server Profile” and select “SSL Server Profile” from the results. Click the name of the SSL Server Profile object to be inspected and confirm the configuration of the Protocols (TLS 1.1 and/or TLS 1.2), as well as that the Identification Credential and (optional) Client Authentication are configured correctly.

3.19 Securely Transmit Authentication Information

Rationale

In the course of processing transactional traffic, requests are typically authenticated. Such authentication commonly involves remote resources such as external LDAP servers. Securing the transmission of authentication information ensures that it cannot be exposed, altered, or otherwise compromised during transmission. The DataPower appliance provides the following authentication server targets: LDAP, ClearTrust, IBM Security Access Manager, SiteMinder, SAML, WS-Trust, and RADIUS.

DataPower provides secure access to all supported authentication methods. For example, on the AAA Policy Authentication tab, select “Bind to LDAP server” as the Method. Parameters will then appear that allow the configuration of a secure SSL/TLS connection to that authorization server. For a secure connection to LDAP as well as all of the other supported authentication servers, you need to configure an SSL Client Profile. Details of that process may be found here: https://ibm.biz/Bd48sk. It is preferable to use only the most recent TLS version, which is 1.2 at the time of this writing.

Configuration

The DataPower Gateway provides support for the secure transmission of authentication information to any supported authentication server.

To configure secure transmission, use the WebGUI to go to Objects → XML Processing → AAA Policy. Press the Add button. Then, on the Authentication tab, complete the parameters associated with the server you have specified in the Method parameter (e.g., LDAP). Configuration of the different Authentication techniques will vary, but those involving remote services (e.g. LDAP) will include the ability to establish secured connections, as is the case below, where the “SSL client type” is defined.


Figure 3-28 Configure AAA Policy authentication.

Please note that though our focus here is on completing the authentication portion of our AAA Policy, the identity extraction methods specified on the “Identity extraction” tab must be in sync with your chosen authentication method.

Testing Tips

Verify that the secure transmission of authentication information within your AAA Policy has been configured properly. Use the WebGUI to go to Objects → XML Processing → AAA Policy, and select an existing AAA Policy. Confirm that the identity extraction method chosen for this policy is in sync with the authentication method you have selected. Confirm that all parameters on the Authentication tab are correctly configured. Confirm that an SSL Client Profile is associated with the configuration for accessing your authentication server. Also, confirm that the SSL Client Profile uses only TLS v1.1 and 1.2.

3.20 Server Name Indication (SNI) Profiles

Rationale

Server Name Indication (SNI) is an extension of the TLS protocol that allows multiple host names to be served over HTTPS from the same IP address. Making use of the SNI extension enables web sites and web services to make use of fewer IP addresses throughout their environment, since SNI allows multiple domains to share the same secure IP address, a limitation in the base SSL/TLS protocol.

Normally, when making a TLS connection to a secure (HTTPS) site, a client will send a request to a server which will return to the client its digital certificate as part of the TLS handshaking sequence. The client will then examine the certificate and compare the host name in the certificate with the host name it was expecting to connect with. If a different host name is given in the certificate, this could indicate to the client that the connection may be compromised, possibly part of a man-in-the-middle (MITM) attack for instance, and reject the transaction.

Ideally, the server should be able to serve up the proper certificate that the client is expecting, provided the server supports the requested client host name. The problem here is that the TLS handshake happens before the server sees any client forwarded HTTP headers that indicate the domain or host name the client is expecting. Therefore, it is not possible for the server to use the information in the client HTTP host header to decide which certificate to present, and as such it presents to the client the certificate associated with the requested IP address.

The SNI extension allows the server to host multiple domain names (certificates) on a single IP address and uses the domain name the client is sending to select the appropriate certificate for the TLS handshake, thus eliminating the TLS connection warning.

Configuration


In order to configure SNI in DataPower, from the WebGUI, type SNI in the search bar. Choose SSL SNI Server Profile. Click Add, then name the profile. Deselect “Enable TLS 1.0” (this is a less secure version of TLS and should not be used). See Figure 3-29.

Figure 3-29 SNI server profile.

In the “Host name to profile mapping” field, choose an existing profile or create a new one for the “Host name to profile mapping.” To create a new profile, click the “+” icon. Enter the host name in the “Host name matching expression” field and select the appropriate SSL Server Profile, then click Add. See Figure 3-30.

Figure 3-30 SSL Host Name Mapping.

Next, in the “Default server profile”, choose an existing SSL Server profile. This SSL server profile will act as the default profile to use when no ClientHello SNI extension is provided during the client request.

To make use of the SNI profile, modify the HTTPS Front Side Handler of an existing DataPower service (e.g. Multi-Protocol Gateway). Select “SNI Server Profile” for the value in the “SSL server type” field. From the “SSL SNI server profile” drop down list, select the previously created profile, in this case, “testSNIServerProfile.”


Figure 3-31 HTTPS Front Side Handler SSL SNI server profile.

Testing Tips

First, configure either a DNS server or the /etc/hosts file to map the same IP address to two different host names. Use an SNI-supporting browser and send a request to a pre-defined HTTPS Front Side Handler associated with a DataPower service object. In the URL, ensure that the host name chosen matches one of the matching expressions in your SSL SNI Server Profile. Test with your second host name. Both web addresses should resolve without any warning messages from the browser.

3.21 Configure XML and JSON Threat Protection

Rationale

A significant component of DataPower’s role as a security gateway is that of ensuring that incoming requests are free from threat signatures, that is, content/markup that would compromise an off-the-shelf parser and possibly the application server. DataPower has the ability to perform various threat checks on XML (including SOAP) and JSON data formats.

Configuration

During the Client-Side (Front) Processing Phase, the received message will be directed to the service object that is configured for the IP address and port combination on which the message was received. Once the service object (such as a Multi-protocol Gateway or Web Service Proxy) receives the message, a significant amount of processing of the message occurs. For example:

If SSL is configured for the service, SSL negotiation and decryption of the data stream will occur;

SOAP envelope validation (if applicable);

Protocol-specific actions such as HTTP header suppression or injection; and

Inspection for known XML or JSON threats (assuming that your service is processing XML, SOAP or JSON).

With respect to filtering and inspecting message traffic, several key configurations impact this processing phase. These include the request and response data types and the XML Manager configuration for XML/JSON parser limits and, finally, threat protection checks.

If using the Multi-Protocol Gateway, specify the appropriate type of request and response traffic: JSON, Non-XML, Pass through, SOAP or XML. Specifying JSON, SOAP, or XML will automatically trigger a check for well-formedness of the related message – no other configuration is required. For an XML or JSON document to be considered well formed, it must have, at a minimum, a defined root element, all elements must have closing tags, and elements must be properly nested. Note that the XML Firewall only accepts XML messages. The Web Service Proxy accepts only SOAP messages.

Once the well-formedness check is completed, the JSON or XML threat checks are applied, as appropriate for the request message type. Initial configuration for the XML Threat Protection starts by configuring the XML parser limits via the XML Manager object. Within your application domain, go to Objects → XML Processing → XML Manager. Click “Add” to add a new XML Manager, then click the “XML Parser” tab. From this configuration tab, you can control parameters such as maximum node size and element depth. Note that these checks are performed separately from any XML Schema validation.

Figure 3-32 XML Parser Limits.

From the “Main” tab of the XML Manager configuration, you can also specify JSON Settings to be applied to incoming requests.


Figure 3-33 XML Manager Main tab.

To define JSON Settings, click the “+” button at the JSON Settings.


Figure 3-34 JSON Settings Object.

Similar to the XML Parser Limits, JSON settings control the “maximum” parameters for incoming JSON payloads.

TIP—Custom XML Manager

Create a custom XML Manager for your services to use, separate from the default XML Manager. This approach makes it very clear in your configuration that you have customized XML Manager settings that are distinctly different from the default settings.

The XML Threat Protection configuration is accessible through the configuration page of each of the main service types – Multi-Protocol Gateway, Web Service Proxy and XML Firewall. For example, in the Multi-Protocol Gateway, click on the “XML Threat Protection” tab.


Figure 3-35 Multi-Protocol Gateway XML Threat Protection tab.

Using the XML Threat Protection configuration, you have access to configuration options for applying XML Threat Protection measures for Single (XDoS) and Multiple-Message (MMXDoS) Denial of Service attacks. You also have access to parameters for configuring protection measures during the subsequent service processing phase, including message tampering protection, injection attack protection and dictionary attack protection.

Figure 3-36 XML Threat Protection configuration.

Testing Tips

Configure your service object (e.g. multi-protocol gateway) to accept a particular type of data (e.g. XML or SOAP), and configure the XML Manager and XML threat protection checks. Within your development domain, enable logging at the debug level. Then submit test messages that are configured to violate the parser limits and/or threat protection measures. Check the logs to confirm that the test messages are being rejected as expected.

Summary

In this chapter, we covered twenty-one steps to harden message level traffic flowing through the IBM DataPower Gateway appliance.


Appendix A: DataPower Resources

To download code listings shown in this book, please go to http://wildlakepress.com/books/15-information-technology/18-datapower-handbook-resources

DataPower Resources

IBM DataPower Handbooks: Volume I: DataPower Intro & Setup:

http://amzn.to/1IjrEBb

Volume II: DataPower Networking:

http://amzn.to/1Ijrzh3

Volume III: DataPower Development:

http://amzn.to/1JJszf4

Volume IV: DataPower B2B and File Transfer:

http://amzn.to/1Ijrzh3

IBM DataPower Knowledge Center:

http://www-01.ibm.com/support/knowledgecenter/SS9H2Y/welcome

IBM DataPower Information Center:

http://www.ibm.com/software/integration/datapower/library/documentation

IBM DataPower Internet/WWW Main Product Page:

http://www.ibm.com/datapower

DataPower GitHub:

https://github.com/ibm-datapower

Twitter:

https://twitter.com/IBMGateways

YouTube:

https://www.youtube.com/channel/UCV2_-gdea5LM58S-E3WCqew

LinkedIn: https://www.linkedin.com/groups?home=&gid=4820454

developerWorks Discussion Forum:


https://www.ibm.com/developerworks/community/forums/html/forum?id=11111111-0000-0000-0000-000000001198

Weekly DataPower Webcast:

https://www14.software.ibm.com/webapp/iwm/web/signup.do?source=swg-wdwfw

SlideShare:

http://www.slideshare.net/ibmdatapower/

How-to find appropriate DataPower product information:

http://www-01.ibm.com/support/docview.wss?uid=swg21377654

DataPower Product Support Website:

Contains firmware, documentation, support procedure, technotes and other helpful material:

http://www.ibm.com/software/integration/datapower/support/

Redbooks:

http://www.redbooks.ibm.com/cgi-bin/searchsite.cgi?query=datapower

Software Services for WebSphere:

Top-notch DataPower consulting from IBM WebSphere.

http://www.ibm.com/developerworks/websphere/services/findbykeyword.html?q1=DataPower

Hermann Stamm-Wilbrandt’s Blog:

Hermann is one of the brightest minds in DataPower-land, and his blog on development topics is incredibly valuable, featuring tips and techniques that can’t be found elsewhere.

https://www.ibm.com/developerworks/community/blogs/HermannSW/?lang=en

WebSphere Global Community DataPower Group:

http://www.websphereusergroup.org/datapower

IBM WebSphere DataPower Support:

http://www.ibm.com/software/integration/datapower/support/

Support Flashes RSS Feed:

http://www-947.ibm.com/systems/support/myfeed/xmlfeeder.wss?feeder.requid=feeder.create_public_feed&feeder.feedtype=RSS&feeder.maxfeed=25&OC=SS9H2Y&feeder.subdefkey=swgws&feeder.channel.title=WebSphere%20DataPower%20SOA%20Appliances&feeder.channel.descr=The%20latest%20updates%20about%20WebSphere%20DataPower%20SOA%20Appliances

IBM DataPower Support Technotes:

http://www.ibm.com/search/csass/search?q=&sn=spe&lang=en&filter=collection:stgsysx,dblue,ic,pubs,devrel1&prod=U692969C82819Q63

IBM Education Assistant DataPower Modules:

http://www-01.ibm.com/support/knowledgecenter/websphere_iea/com.ibm.iea.wdatapower/plugin_coverpage.dita

WAMC Technote:

http://www-01.ibm.com/support/docview.wss?uid=swg24032265

DataPower Feature Grid:

We consider the Feature Grid to be an invaluable resource, and we are excited to provide it to you. It yields the answers to the most commonly asked questions about DataPower (“Is feature/protocol/spec X supported on my Y appliance?”). We had initially included the entire table here, spread across several pages. However, due to its density, it was hard to read, and it was literally changing under us as product management made changes for the impending announcements.

We debated and felt that the best thing we could do for our readers would be to provide a URL hyperlink, so that the most up to date information (and not stale or incorrect information!) is available to you. There are detriments to this approach, such as the dreaded ‘busted URL’, but in this day and age it’s likely that you are reading this on a device with an Internet connection, or have one within reach, and as well we have the capability to update this book as soon as we find that something is amiss. You can find the features grid at:

http://www.slideshare.net/ibmdatapower/ibm-data-power-gateways-features-comparison


Acknowledgements

The Author Team: We thank the IBM management team for allowing us to access the resources necessary to write the book.

Bill Hines: I’d like to thank Keys Botzum and Kyle Brown for being role models for work ethic and integrity, and mentoring me throughout my IBM career. I’d like to thank my immediate and extended family for being supportive and understanding during the tough times. Last but certainly not least, I’d like to thank my author team for sticking with this project during the many months, nights, and weekends of heated debates and stress. You were all picked for a reason, and I think the fact that you have all put up with me, and we have been through what we have and emerged still good friends with tremendous respect for each other, attests to those decisions being good ones. I’m extremely proud of the job you’ve done.

Terrill Kramer: I would first and foremost like to thank my co-author Bill Hines, whose guidance, cajoling, monitoring, and incessant drive during this process was simultaneously annoying and much appreciated; he was Perry White to our Clark Kents. I would also like to thank my other co-authors, Derek and Len, with whom I have worked closely over many years, for their feedback, knowledge sharing, and willingness to participate in this endeavor. This has been a long ride, starting with the DataPower STIG and ending with this volume, and I couldn’t think of a better group of folks to have shared this experience with. Thank you all.

Derek Doerr: I would like to thank Bill Hines for proposing we write this volume of the DataPower Handbook as well as his seemingly endless energy in shepherding Terrill, Len and myself through the writing process. We couldn’t have done it without you! I’d also like to thank Bill for being a great instructor when Terrill and I were just starting out as DataPower consultants for IBM. I would like to thank my co-authors for their insights, knowledge and patience as we worked through many drafts and revisions. Finally, I’d like to provide a special thanks to my original DataPower mentors Sam Pearson and Rich Groot who, thankfully, put up with a never ending stream of questions and helped shape the past 10 years of my career.

Len McWilliams: Thanks to all of my co-authors for their hard work and support-when-I-needed-it in writing this book. It’s been a privilege working with such knowledgeable and self-motivated techies. Thanks especially to Bill Hines and his zeal that made this effort happen.


About the Authors

Bill Hines

Bill is an IBM Executive I/T Specialist. His current role is North America Hybrid Cloud Integration API Economy Leader, working out of Lake Hopatcong, NJ. He has many years of IBM WebSphere solution design and implementation experience in both customer engagements and developing and delivering internal training within IBM. He is the lead author of the acclaimed IBM Press book IBM WebSphere DataPower SOA Appliance Handbook (first and second editions) and co-author of IBM WebSphere: Deployment and Advanced Configuration, as well as many articles published in WebSphere Technical Journal and developerWorks.

Terrill Kramer

Terrill is a Senior Solutions Architect for Amazon Web Services in the US Federal sector. He is an Open Group Certified I/T Specialist. He has over 22 years of experience in the IT industry - including 20 years at IBM - in a variety of different roles from Developer, Consultant, and Technical Specialist for primarily DataPower and various WebSphere products. He is co-author of IBM WebSphere DataPower B2B Appliance XB60 Revealed.

Derek Doerr

Derek is a Senior IBM and Open Group Certified I/T Specialist. His current role is as a Technical Sales Specialist in IBM’s Hybrid Cloud Integration group working with US Federal Government customers, working out of Bradenton, FL. He has over 20 years of experience in the IT industry – including 14 years at IBM – in a variety of roles including development, Management Consulting, and as a consultant for IBM DataPower customers. Over the years he has been involved in development of the DataPower Proof-of-Technology assets, the DataPower certification test, as well as various Department of Defense certifications for IBM DataPower gateways.

Len McWilliams

Len is an IBM Hybrid Cloud Integration Technical Sales Specialist supporting Federal intelligence and DoD agency customers. He has over 35 years’ experience working as an application developer, project manager, DBA, technical trainer, and specialist in Geographic Information Systems and integration middleware. In between IT gigs, Len has worked as a certified Special Education teacher and performed music from Eastern Europe, the Middle East, and North Africa, as well as classical guitar, and opera. In his spare time, he builds and flies radio controlled helicopters.


Afterword

Afterword by Eugene Kuznetsov

“The proper planning of any job is the first requirement. With limited knowledge of a trade, the job of planning is doubly hard, but there are certain steps that any person can take towards proper planning if he only will.”

—Robert Oakes Jordan, Masonry

I founded a company called DataPower® in the spring of 1999 to build products based on several distinct ideas. The first idea involved applying reconfigurable computing and dynamic code generation to the problem of integrating disparate applications. The second idea centered on the concept of data-oriented programming (DOP) as the means to achieve direct and robust data interchange. The third idea involved delivering middleware as a network function, enabled by the DOP technology and inspired by the successful models of ubiquitous connectivity. The product’s journey since has been remarkable, and this great book is another milestone for the entire team behind DataPower. Before more discussion of the book itself, a few words on these three ideas.

Rapidly adapting to change is key for everything and everyone in today’s world, and IBM appliances are no exception. Whether it’s a policy, a transformation map, a schema, or a security rule, DataPower will try to put it into effect with as little delay and interruption as possible. Popular methods for maintaining this kind of flexibility come with a large performance penalty. However, by dynamically generating code and reconfiguring hardware based on the current message flow, it became possible to achieve both flexibility and near-optimal performance. At any given point, the device operates as a custom engine for a particular task, but when the task changes, it can rapidly become a different custom engine underneath the covers.

This dynamic adaptability is especially useful when combined with DOP. Stated briefly, DOP emphasizes formally documenting data formats and using them directly, instead of encapsulation or abstraction, to integrate or secure different modules or systems. Today, XML is probably one of the most successful and readily recognized examples of DOP, but the principles are more universal than any particular technology. Another example of DOP is the way DataPower XI52 processes binary data, by using high-level format descriptors instead of adaptors.

These, in turn, enable the creation of network hardware (also known as appliance) products that operate on whole application messages (rather than network packets) to integrate, secure, or control applications. Greater simplicity, performance, security, and cost-effectiveness were envisioned—and are now proven—with the appliance approach. Beyond the appliance design discipline, the success of IP & Ethernet networking in achieving universal connectivity has much to teach about the best way to achieve radically simplified and near-universal application integration.


Reading this book will enable you to benefit from the previous three ideas in their concrete form: the award-winning IBM products they became. From basic setup to the most powerful advanced features, it covers DataPower appliances in a readable tone with a solid balance of theory and examples. For example, Chapter 6 does a great job in explaining the big-picture view of device operation, and Chapter 22 gives a detailed how-to on extending its capabilities. With some of the most experienced hands-on DataPower practitioners among its authors, it provides the kind of real-world advice that is essential to learning any craft.

When learning IBM DataPower, there is one thing that may be more helpful and rewarding than remembering every particular detail, and that is developing an internal “mental model” of how the devices are meant to operate and fit into the environment. Especially when troubleshooting or learning new features, this “mental model” can make device behavior intuitive. Reading the following pages with an eye toward not just the details but also this mental model will speed both productivity and enjoyment.

In conclusion, I would like to use this occasion to thank the entire team, past and present, who made and continues to make DataPower possible. Their work and the passion of DataPower users is an inspiring example of how great people and a powerful idea can change the world for the better.

—Eugene Kuznetsov, Cambridge, MA
Founder of DataPower Technology, Inc. Served as President, Chairman, and CTO at various points in the company’s history, and then served as director of Product Management and Marketing, SOA Appliances at IBM Corporation.

DataPower’s first office is on the right. Photo courtesy of Merryman Design.

Afterword by Jerry Cuomo

It all started when I was asked to co-host an IBM Academy Conference on “Accelerators and Off-Loading” in 2004. I was feeling a little out of my element, so I decided to take some of the focus off me and put it on others. I had been reading about some of the new XML-centered hardware devices and was intrigued. I have always been interested in system performance. With XML dominating our emerging workloads (e.g., Service Oriented Architecture), the impact of XML performance on system performance was becoming increasingly important. Hence, I thought it would be a good idea to invite a handful of these XML vendors to our conference.

At the conference, the DataPower presentation was quite different from the others. It wasn’t about ASICs or transistors; it was about improving time to value and total cost of operation. The DataPower presentation focused on topics that were also near and dear to me, such as systems integration, configuration over programming, and the merits of built-for-purpose systems. In essence, Eugene Kuznetsov, the DataPower founder and presenter, was talking about the value of appliances. While very intriguing, I couldn’t help but feel curious about whether the claims were accurate. So, after the conference I invited Eugene to come to our lab in Research Triangle Park in North Carolina to run some tests.

I have to admit now that in the back of my mind, I operated on the principle of “keeping your friends close and your enemies closer.” Behind my intrigue was a feeling of wanting to understand their capabilities so that we could outperform vendors with WebSphere® Application Server. The tests went well; however, the DataPower team was somewhat reluctant to dwell on the raw XML performance capabilities of their appliance. Feeling a little suspicious, I had my team run some raw performance experiments. The results were off the charts. Why wasn’t the DataPower team flaunting this capability? This is when I had my “ah-ha” moment. While performance measured in transactions per second is important and part of the value equation, the overall performance metrics found while assessing time to value and overall cost of operation and ownership are the most critical performance metrics to a business. This is where the DataPower appliances outperform. I read a paper, written by Jim Barton, CTO and co-founder of Tivo, called “Tivo-lution.” The paper was inspiring as it confirmed the motivations and aspirations that I’ve had ever since I led IBM’s acquisition of DataPower in 2005. In the paper, Barton describes the challenges of making complex systems usable and how “purpose-built” computer systems are one answer to the challenge:

“One of the greatest challenges of designing a computer system is in making sure the system itself is ‘invisible’ to the user. The system should simply be a conduit to the desired result. There are many examples of such purpose-built systems, ranging from modern automobiles to mobile phones.”

The concept of purpose-built systems is deeply engrained in our DNA at IBM. The name of our company implies this concept: International Business Machines.

IBM has a long history of building purposed machines, such as the 1933 Type 285, an electric bookkeeping and accounting machine. I can imagine this machine being delivered to an accountant, plugging it in, immediately followed by number crunching. The accountant didn’t have to worry about hard drive capacity, operating system levels, compatibility between middleware vendors, or application functionality. It just did the job. I can also imagine it followed the 80/20 rule. It probably didn’t do 100% of what all accountants needed. But it probably did 80% of what all accountants needed very well. Users just dealt with the remaining 20%, or learned to live without it.

“Business Machines, Again” is my inspiration. Our customers respond positively to the re-emergence of this approach to engineering products. It’s all about time-to-value and total cost of operation and ownership. Appliances such as our WebSphere DataPower are leading the way in delivering on these attributes.

At the extreme, purpose-built systems, such as a Tivo DVR and an XI52, are built from the ground up for their purposes. While they might use off-the-shelf parts, such as an embedded Linux® OS, it is important that all parts are “right sized” for the job. Right-sizing source code in a hardware appliance is more like firmware (with strong affinity to the underlying hardware) than it is software. As such, the Tivo-lution paper describes the need to own every line of source code to ensure the highest level of integration and quality:

“…by having control of each and every line of source code… Tivo would have full control of product quality and development schedules. When the big bug hunt occurred, as it always does, we needed the ability to follow every lead, understand every path, and track every problem down to its source.”

The Tivo team even modified the GNU C++ compiler to eliminate the use of exceptions (which generate a lot of code that is seldom used) in favor of rigid checking of return code usage in the firmware. DataPower similarly contains a custom XML compiler that generates standard executable code for its general-purpose CPUs, as well as custom code for the (XG4) XML coprocessor card.

A physical appliance has the unparalleled benefit of being hardened for security. Jim talks about this in his Tivo paper:

“Security must be fundamental to the design… We wanted to make it as difficult as possible, within the economics of the DVR platform, to corrupt the security of any particular DVR.”

The DataPower team has taught me the meaning of “tamper-proof” appliances, or more precisely “tamper-evident.” Like the 1982 Tylenol scare, we can’t stop you from opening the box, but we can protect you, if someone does open it. In fact, the physical security characteristics of DataPower make it one of the only technologies some of our most stringent customers will put on their network Demilitarized Zone (DMZ). If a DataPower box is compromised and opened, it basically stops working. An encrypted flash drive makes any configuration data, including security keys, difficult to exploit. “DP is like the roach motel; private keys go in, but never come out” is the way we sometimes describe the tamper-proof qualities of DataPower.

But the truth is, DataPower is not a DVR. DataPower is a middleware appliance. Middleware is a tricky thing to make an appliance out of. Middleware is enabling technology and by its nature is not specific to any application or vendor. The Tivo appliance is a specific application (TV and guide) that makes it somewhat easier to constrain:

“Remember, it’s television. Everybody knows how television works.”


“Television never stops, even when you turn off the TV set. Televisions never crash.”

Hence, the challenge (and the art) in building a middleware appliance involves providing the right amount of constraint, without rendering the appliance useless. For example, DataPower does not run Java™ code (which is the primary means of customizing much of the WebSphere portfolio); instead, it uses XML as the primary mode of behavior customization. So, at some level, DP is not programmed, but instead it is configured. Now, for those who have used XML (and its cousin XSLT), you know that it’s more than configuration; however, it is a constraint over Java programming, which has unbounded levels of customizability. The combined team of IBM and DataPower have been bridging this gap (of special to general purpose) effectively. We have recently added features to DP to allow it to seamlessly connect to IBM mainframe software (IMS™ and DB2®) as well as capabilities to manage a collection of appliances as if they were one.

IBM has a healthy general-purpose software business. Our WebSphere, Java-based middleware is the poster child for general-purpose middleware (write once, run almost everywhere). However, there is a place for business machines that are purpose built and focus on providing the 80 part of the 80/20 rule. We are heading down this path in a Big Blue way.

This book represents an important milestone in the adoption of DataPower into the IBM family. The authors of this book represent some of IBM’s most skilled practitioners of Service Oriented Architecture (SOA). This team is a customer facing team and has a great deal of experience in helping our customers quickly realize value from our products. They have also been among the most passionate within IBM of adopting the appliance approach to rapidly illustrating the value of SOA to our customers. The authors have unparalleled experience in using DataPower to solve some of our customers’ most stringent systems integration problems. This book captures their experiences and best practices and is a valuable tool for deriving the most out of your WebSphere DataPower appliance.

—Jerry Cuomo, IBM Fellow, WebSphere CTO

Afterword by Kyle Brown

I can still remember the day in late 2005 when Jerry Cuomo first called me into his office to tell me about an acquisition (then pending) of a small Massachusetts company that manufactured hardware devices.

“Wait a minute. Hardware??!?”

That’s the first incredulous thought that went through my mind. Jerry was the CTO of the WebSphere brand in IBM, which had become the industry-leading brand of middleware based on Java. Why were we looking at a company that made hardware? Echoing the immortal words of Dr. “Bones” McCoy from the classic Star Trek series, I then thought,

“I’m a software engineer, not a hardware engineer, dang it!”

But as I sat in his office, Jerry wove me a story (as he had for our executives) that soon had me convinced that this acquisition did, in fact, make sense for WebSphere as a brand and for IBM as a whole. Jerry had the vision of a whole new way of looking at SOA middleware—a vision that encompassed efficient, special-purpose appliances that could be used to build many of the parts of an SOA. Key to this vision was the acquisition of DataPower, which gave us not only a wealth of smart people with deep experience in Networking, XML, and SOA, but an entry into this field with the DataPower family of appliances—notably the Integration appliance.

Since that day, I’ve never regretted our decision to branch out the WebSphere brand well beyond its Java roots. The market response to the introduction of the DataPower appliances to the brand has been nothing short of phenomenal. Far from distracting us, the ability to provide our customers with an easy-to-use, easy-to-install, and remarkably efficient hardware-based option for their ESB and security needs has turned out to be an asset that created synergy with our other product lines and made the brand stronger as a whole. It’s been an incredible journey, and as we begin to bring out new appliances in the DataPower line, we’re only now beginning to see the fundamental shift in thinking that appliance-based approaches can give us.

On this journey, I’ve been accompanied by a fantastic group of people—some who came to us through the DataPower acquisition and some who were already part of the WebSphere family—who have helped our customers make use of these new technologies. Bill, John, and the rest of the author team are the true experts in this technology, and their expertise and experience show in this book.

This book provides a wealth of practical information for people who are either novices with the DataPower appliances, or who want to learn how to get the most from their appliances. It provides comprehensive coverage of all the topics that are necessary to master the DataPower appliance, from basic networking and security concepts, through advanced configuration of the Appliance’s features. It provides copious, detailed examples of how the features of the appliances work, and provides debugging help and tips for helping you determine how to make those examples (and your own projects) work. But what’s most helpful about this book is the way in which the team has given you not just an explanation of how you would use each feature, but also why the features are built the way they are. Understanding the thinking behind the approaches taken is an enormous help in fully mastering these appliances. The team provides that, and provides you with a wealth of hints, tips, and time-saving advice not just for using and configuring devices, but also for how to structure your work with the devices.

This book is something the DataPower community has needed for a long time, and I’m glad that the authors have now provided it to the community. So sit back, crack open the book, open up the admin console (unless you have yet to take the appliance out of the box—the book will help you there, too!) and begin. Your work with the appliances is about to get a whole lot easier, more comprehensible, and enjoyable as well.

—Kyle Brown, Distinguished Engineer, IBM Software Services and Support
