SOA Security: One Treacherous Journey

Are you ready to deal with the risks of opening your service-oriented architecture to business partners?
The performance hit of virtualization means that a virtual appliance can't yet match a dedicated server, so Vordel currently aims its virtual version more at testing and integration than production. Layer 7 started as a vendor of custom appliances with dedicated XML and SSL silicon, so it sees virtualization as an entry point to smaller customers that can't yet justify specialized hardware. But while "software-only" may be a budget-minded mantra for now, it's likely that virtual appliances will soon be used in businesses of all sizes.

Virtual machine performance is increasing rapidly, and the flexibility that virtualization brings is particularly useful in SOA. As new services are rolled out and reused, the SOA infrastructure needs to adapt, and virtualization lets hardware quickly be reassigned between roles. But sharing hardware resources requires that other servers be virtualized, and that can introduce security issues. Although few VMware security vulnerabilities have been reported, the complexity of managing multiple VMs may make it more likely that traffic will accidentally bypass a firewall (see our feature on virtualization security in the Aug. 20 issue of Strategic Security).

illustration: Federated Identity and Single Sign On
(click image for larger view)
Because they include so much overlapping functionality, security gateways are merging with Web services management software. DataPower and Reactivity had both entered the management market before they were acquired, and at least one other firewall vendor is planning to do the same. Management vendors have not yet fought back by adding full XML firewalls, mostly because their software is intended to be run throughout a SOA rather than at the edge.

Because of SSL's popularity, SSL acceleration is ubiquitous in security gateways: Even virtual-appliance vendors support hardware with SSL accelerator cards. XML acceleration is much rarer, with only Layer 7, Cisco, and IBM boxes including dedicated XML chips; IBM builds its own, Cisco and Layer 7 rely on Tarari. This is partly because of Intel's use of its Sarvega technology--Layer 7 believes that the hardware market will gradually transition to software--but mostly because there hasn't yet been much demand for application-layer acceleration.

XML acceleration is useful mostly in Web services that transfer relatively long XML documents, such as SOAP or SAML messages. It isn't used much in Web services designed to support browser-based applications, as these transfer relatively little data in each session, perhaps a single XML element or JSON object, wrapped up in TCP/IP and HTTP headers. Because JavaScript and Flash clients don't need to reload an entire page every time a user performs an action, most Web 2.0 applications involve less application-layer traffic than comparable apps built using static XHTML.

Still, rich Internet applications don't let Web servers off easy. While they may reduce XML traffic, RIAs can dramatically increase the number of HTTP connections that a server has to deal with. Instead of waiting for a user to click on a link, most RIAs run in real time, initiating new connections every few seconds. Servers overloaded by this can often benefit from SSL acceleration and other AFE techniques, including load-balancing and HTTP compression.

Photograph by Tim Flach/Stone/Getty Images

Continue to the sidebar:
WS-* Security Standards: Too Much Of A Good Thing?