This white paper is a published work containing proprietary information of White Oak Consulting LLC regarding the integration strategies employing open source and open standard technologies. The aggregation of the information contained in total is considered proprietary and confidential in nature due to the format, sequence, selection and quantity of content. No part of this document may be reproduced in any form, including photocopying or transmission electronically, mechanically or otherwise, without prior written consent of White Oak Consulting LLC.

White Oak Consulting LLC has made every attempt to ensure the accuracy of the content of this document; however, the content is provided as is, without express or implied warranties of any kind. To the extent permitted by law, no liability (including liability to any person by reason of negligence) will be accepted by White Oak Consulting LLC, its subsidiaries or employees for any direct or indirect loss or damage caused by omissions from or inaccuracies in this document.

© 2011 White Oak Consulting LLC. All rights reserved.

Trademarks used in this document are as noted in the footnotes, with the exception of trademarks associated with White Oak Consulting LLC. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. JBOSS is a registered trademark of Red Hat, Inc. in the U.S. and other countries. White Oak Consulting LLC disclaims any proprietary interest in trademarks and trade names other than its own. All references to technologies originating from the Internet Engineering Task Force (IETF) are copyrighted to the Internet Society, and are protected under BCP78.
13 July 2011
Version History
Version: WO-WP-V0001-0
Publication Date: 13 July 2011
Author(s): Ralph Wallace
Reviewers:
Description of Change: Baseline Release
Legend: Title WO (White Oak Consulting LLC); White Paper (WP); Draft (D); Smooth Draft (SD); Final (F); Released (V); Major Revision 0001; Minor Revision 0
1. ABSTRACT
2. BACKGROUND
3. THE APPROACH
   Computer Network Defense in Depth
   JBOSS
   Internet Protocol version 6 (IPv6)
   The System Approach
4. SECURITY, INTEROPERABILITY AND SCALABILITY IN AN INTEGRATED SOA ENTERPRISE
   Security
   Interoperability and Scalability
   JBOSS/IPv6 Integration Initiatives in Open Source
5. CONCLUSION
FIGURES
Figure 1: DoD DMZ Extension (Phase 3 planned for 2012)
Figure 2: Carnegie Mellon University IBM Websphere Depiction
Figure 3: Notional Defense in Depth
Figure 4: CANES Afloat Core Services
Figure 5: XML to Non-XML Frameworks
Figure 6: TCP/IP - OSI Layer Extant Interoperability Opportunities
Figure 7: IPv6 Extension Headers
Figure 8: Integrated and Secure SOA Enterprise
1. ABSTRACT

This paper provides the conceptual approach for systems and security engineering to integrate a Service-Oriented Architecture (SOA) middleware platform operating at OSI layer 7 and an Internet Protocol (IP) operating at OSI layer 3. The objective of the integration is to create an optimized and securely interoperable topology across the OSI model that supports each technology's inherent functionality in an ontological and synergistic manner. This paper will focus on the JBOSS SOA platform due to the open source development environment, and IP version 6 (IPv6) due to the extant industry employment of the open standard protocol which will sustain the evolution of the Internet beyond 2012 and into the next century. This paper will additionally focus on the systems approach to security engineering due to the paucity of industry effort towards merging the respective software and network engineering paradigms.

2. BACKGROUND

The acceptance of SOA across the private and public sectors is tangible. The most prevalent middleware application suites are Oracle SOA solutions (formerly BEA Aqualogic), IBM Websphere - both Commercial Off The Shelf (COTS) platforms - and JBOSS (a Professional Open Source (POS) platform) [1]. The adoption of these product suites to insert the proposed architectural paradigm into an organization's Information Technology (IT) infrastructure is laudable due to the ease of acquisition, modification, installation and operation of the middleware.

Observing the evolution of SOA middleware applications over the past 10 years, three significant design boundaries emerged as a result of the evolution of the original technologies. One boundary is the employment of an application to achieve point-to-point and one-to-many connections within an enterprise, partially in order to produce an application layer solution mitigating network inadequacies of Internet Protocol version 4 (IPv4). The second boundary is the design of applications that do not interoperate with the network layer. The third boundary is that the security engineering completed to date is relegated to OSI layer 7, independent of layer 3.

However, Moore's Law applies. Technology has evolved. We now have an opportunity to review the above design boundaries for their validity and to examine viable, mature technologies to significantly enhance an organization's SOA implementation in the areas of security, interoperability, and scalability.

SOA is a conceptual business architecture where business functionality, or application logic, is made available to SOA users, or consumers, as shared, reusable services on an IT network. Services in an SOA are modules of business or application functionality with exposed interfaces, and are invoked by messages. [2] As defined, SOA is an architectural concept. The previously identified software application suites are the de facto accepted implementations of this concept. Unfortunately, these applications are inherently Network Unaware. This means that the interoperability required to implement a true SOA across an enterprise between OSI layers 7 and 3 is ill defined and lacks sufficient maturity (e.g. no interface between Quality of Service (QoS) configurations at layer 7 and layer 3 and Virtual Private Networks (VPNs) created at the
[1] Oracle, BEA, Aqualogic, IBM, Websphere and JBOSS are registered trademarks of their respective companies.
[2] E. Marks and M. Bell, Service-Oriented Architecture: A Planning and Implementation Guide for Business and Technology (John Wiley and Sons, 2006) 1.
Page 4 of 15 White Oak Consulting LLC Proprietary
[Figure 1: DoD DMZ Extension (Phase 3 planned for 2012). Diagram labels: Firewall; Unrestricted Database; Unrestricted Database Security Gateway; Restricted Database Security Gateway; Restricted Database; Logical Network Separation; LAN Switch]
A representative network architecture employing an IBM SOA implementation provided to Carnegie Mellon University is depicted in Figure 2 in order to illustrate the intricacies of
RDML Simpson, N6 Enterprise Initiatives; OPNAV/CARS Updates on Initiatives, 9 June 2009
[Figure 2: Carnegie Mellon University IBM Websphere Depiction. Diagram labels: Internet; Protocol Firewall; External Proxy; Internal Proxy; Services Gateway; Security Services; Security Policy; Service Registry; Information Services; Service Consumer; Service Provider; Portal; Process Server (Choreography); Web Services; Application Applications (SIS, Blackboard, etc.); Enterprise Information System (Oracle Financial, HR etc.); Firewall]
3. THE APPROACH

Computer Network Defense in Depth

Technology advances have provided a shift in the evolution and maturity of two of the SOA components, enabling system architects to conduct security engineering per ISO 27001. For DoD applications, this affords the adoption of a Computer Network Defense in Depth architecture per the National Security Agency's (NSA) Information Assurance Technical Framework (IATF) [5]. The IATF defines the four strata of depth as:
1. Defend the Network and Infrastructure, including
   a. Availability of backbone networks,
   b. Wireless networks security framework,
Carnegie Mellon University, Masters of Science in Information Systems course 95-843 Service Oriented Architecture, (CMU, 11 October 2006)
[5] National Security Agency Information Assurance Directorate Technical Directors, Information Assurance Technical Framework (IATF) version 3.1, (NSA, September 2002)
Figure 3 provides a notional view of the respective functions that would be part of the defense in depth architecture supported by these two SOA components.
With this architectural objective in mind for future DoD enterprise designs, the embedded system requirements specifications and subsequent design will afford each system the ability to be produced through the corresponding system development life cycle. This helps ensure that each
The US Navy has invested in establishing a technology base within which JBOSS has emerged, removing the proprietary licensing constraints inherent to the other COTS platforms from Oracle and IBM. As an open source application, innovation is supported and J2EE programmers are encouraged to explore creative alternatives within their design environments. The security framework is well known and, at the application layer, well represented by Web Services Security (WS-Security). WS-Security is arguably the most important WS-* specification and is used with virtually all of the other WS-* specifications. WS-Security specifies Simple Object Access Protocol (SOAP) security extensions that provide confidentiality using XML Encryption and data
[6] J. Livingstone, Consolidated Afloat Networks and Enterprise Services (CANES) Program and Acquisition Overview (SPAWAR-LANT; 23 April 2009)
Internet Protocol version 6 (IPv6)

IPv6 [7], as the next generation Internet Protocol, is a required element in all future enterprises, and is mandated in the system requirements specification for CANES (as well as the Navy Next Generation Network, NGEN). This white paper is neither intended to act as a tutorial nor a banner attempting to sell IPv6 virtues. Rather, the objective of this paper is to effectively present to the reader an implementation of this technology in a fashion which offers a number of solutions to the complex functionality required of future enterprises. Since this technology is a requirement for the CANES system, as is the JBOSS platform, a merger of the technologies in an engineered
[7] IPv6, and all associated complements generated within the Internet Engineering Task Force (IETF) and documented with Request For Comments (RFCs) are protected under copyright by The Internet Society.
The reader should note synchronicities between elements contained in the security apparatus of JBOSS and IPv6, namely X.509 certificates and Kerberos. Also, the security guidelines for DoD should be noted regarding setting the security demarcation between black and red networks. These can only be established today via hardware such as HAIPE devices. Version 3.1.2 of the HAIPE operating systems developed by the three prime contractors producing the devices will shortly receive NSA common criteria certification for operating with IPv6.

The System Approach

Figures 1 and 2 identify hardware and software architectural tenets that are specific to the enterprises deploying SOA, and each is appropriate for their sub-system component of the enterprise system to be developed. DoD applications are accepting JBOSS as the de facto platform of choice, and the federal government has mandated the adoption of IPv6 across all enterprises; these are the established technical standards which constitute the development platforms. The systems development life cycle approach defined by ISO 15288 is our overarching methodology, coupled with the ISO 27001 security engineering methodology. Our objective is to create a secure enterprise level integrated SOA system.
[8] Committee on National Security Systems (CNSS) Policy No. 19, National Policy Governing the Use of High Assurance Internet Protocol Encryptor (HAIPE) Products, NSA, February 2007
The problem is further complicated in that these services can be applied at varying levels of the TCP/IP model (which differs from the OSI model in several ways, none of which are significant for our purpose herein). Figure 6 depicts an effort to provide confidentiality by encrypting a web-based transaction, similar to a web service operating within a SOA.
IPv6 design includes elements to enhance scalability and interoperability. In addition to the benefits of the 128-bit address itself and the opportunity for globally resolvable and link-local (non-routable) addresses, another key element for scalability and interoperability is the employment of flexible routing extensions without imposing overhead on intermediate routers. Figure 7 provides a clear comparison between what was available in IPv4, and what is now available within IPv6.
[Figure 7: IPv6 Extension Headers. Two cases are shown: (a) no extension headers, where the Next Header field points directly to the Layer 4 payload (analogous to IPv4's Protocol behavior); (b) a chain in which successive Next Header fields point to Extension Header #1, #2 and #3 in turn before the Layer 4 payload.]
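An added example, not part of the original paper: a Python walk of the Next Header chain that Figure 7 depicts, as a layer-3 inspection point would perform it to locate the layer-4 payload, rejecting chains that overrun the packet. The function names and the sample packets (built with the 2001:db8::/32 documentation prefix) are constructed for illustration; header sizes follow RFC 8200 and RFC 4302.

```python
import struct

# Extension headers with the generic "Next Header, Hdr Ext Len" layout (RFC 8200).
GENERIC = {0: "Hop-by-Hop Options", 43: "Routing", 60: "Destination Options"}
FRAGMENT, ESP, AH, NO_NEXT_HEADER = 44, 50, 51, 59
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6", ESP: "ESP (opaque)",
         NO_NEXT_HEADER: "No Next Header"}


def walk_chain(packet: bytes):
    """Follow the Next Header fields; return (extension headers, payload, offset)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, chain = packet[6], 40, []
    while next_hdr in GENERIC or next_hdr in (FRAGMENT, AH):
        if offset + 2 > len(packet):
            raise ValueError(f"chain truncated at offset {offset}")
        length_field = packet[offset + 1]
        if next_hdr == FRAGMENT:
            name, size = "Fragment", 8  # fixed size, second byte is reserved
        elif next_hdr == AH:
            name, size = "Authentication Header", (length_field + 2) * 4
        else:
            name, size = GENERIC[next_hdr], (length_field + 1) * 8
        if offset + size > len(packet):
            raise ValueError(f"{name} header overruns the packet")
        chain.append(name)
        next_hdr, offset = packet[offset], offset + size
    return chain, UPPER.get(next_hdr, f"protocol {next_hdr}"), offset


def build_packet(first_next_header: int, body: bytes) -> bytes:
    """Constructed sample: 40-byte fixed header (documentation addresses) + body."""
    src = bytes.fromhex("20010db8") + bytes(11) + b"\x01"
    dst = bytes.fromhex("20010db8") + bytes(11) + b"\x02"
    fixed = struct.pack("!IHBB16s16s", 6 << 28, len(body), first_next_header, 64, src, dst)
    return fixed + body


# Constructed sample data, not captured traffic.
UDP = struct.pack("!HHHH", 5000, 53, 8, 0)          # 8-byte UDP header, no data
PAD = bytes([1, 4, 0, 0, 0, 0])                     # PadN option filling 6 bytes
CHAINED = build_packet(0, bytes([43, 0]) + PAD      # Hop-by-Hop -> Routing
                       + bytes([60, 0, 253, 0, 0, 0, 0, 0])  # Routing -> Dest. Options
                       + bytes([17, 0]) + PAD + UDP)         # Dest. Options -> UDP
PLAIN = build_packet(17, UDP)                       # no extension headers
OVERRUN = build_packet(0, bytes([17, 5]) + PAD)     # claims 48 bytes, carries 8

if __name__ == "__main__":
    print(walk_chain(CHAINED))
    print(walk_chain(PLAIN))
    try:
        walk_chain(OVERRUN)
    except ValueError as exc:
        print("rejected:", exc)
```

For a non-initial fragment, the reported payload type names the protocol of the reassembled packet; the bytes at the returned offset are only a fragment of it.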
Within the JBOSS Online Community, an example of JBOSS/IPv6 integration is provided by "System property handling and IPv4 versus IPv6" [9]. In regard to the processing of addresses, the developers indicate that "After the initial property processing, a next phase ensues, which attempts to determine the type of stack (IPv4 versus IPv6) and sets correct defaults." Further, "If [the service] didn't find any addresses, and has both stacks available, we default to IPv6." Although there is no documented rationale in the online discussion for these design decisions, the statements in the community demonstrate the acceptance of operating JBOSS in an IPv4-only, an IPv6-only, and an integrated IPv4/v6 environment. The fact that the default condition is set for IPv6 when both stacks are available lends some credibility to acceptance within the open source community for IPv6 functionality.
5. CONCLUSION
White Oak Consulting LLC has the corporate experience in achieving results based on the above concepts. Our senior engineering staff was engaged in a US Navy system design effort which integrated JBOSS and IPv6 technologies to employ a security engineering architecture based on the concepts depicted. In the system requirements definition stage of the system development life cycle, our staff participated as the subject matter expert in all enterprise architecture meetings, creating the technology standards profile (DoDAF style TV-1) [10] for the system enterprise architecture incorporating all security, SOA and IPv6 technical standards. As the designated security architect, our staff created the system security plan [11][12] for the system under development, including the security controls for the associated integration laboratory, in order to achieve a DIACAP ATO upon system completion. In short, through our senior staff's experience, White Oak Consulting LLC was involved in the
[9] http://community.jboss.org/wiki/SystempropertyhandlingandIPv4versusIPv6
[10] Department of Defense Architecture Framework (DODAF) version 2.0, (28 May 2009)
[11] MIL-HDBK-1785, System Security Engineering Program Management Requirements, (1 August 1995)
[12] DoDI 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP), (28 November 2007)
This paper provided the conceptual approach for systems and security engineering to integrate a Service-Oriented Architecture (SOA) middleware platform operating at OSI layer 7 and an Internet Protocol (IP) operating at OSI layer 3. The objective of the integration is to create an optimized and securely interoperable topology across the OSI model that supports each technology's inherent functionality in an ontological and synergistic manner. This paper focused on the JBOSS SOA platform due to the open source development environment and IP version 6 (IPv6) due to the extant industry employment of the open standard protocol which will sustain the evolution of the Internet beyond 2012 and into the next century. This paper additionally focused on the systems approach to security engineering due to the paucity of industry effort towards merging the respective software and network engineering paradigms. In short, this paper has stated that the opportunity to securely integrate a SOA platform with a robust network protocol is now.