Article: Service Firewall Pattern

by Stefan Tilkov, Jun 18, 2007

Today, InfoQ publishes a sample pattern from Arnon Rotem-Gal-Oz's in-progress book SOA Patterns. The pattern, termed "Service Firewall", is meant to block malicious incoming messages and prevent information disclosure, and it relies on intercepting messages to provide better security:

First it intercepts each incoming and outgoing message and inspects it. Once intercepted, the Service Firewall can scan the message for malicious content such as viruses or XDOS attacks as mentioned in the sample scenario. Additionally, the Service Firewall can validate messages by making sure they conform to the contract, verifying property types and sizes, etc. When a message is identified as problematic, the Service Firewall can audit and log the message and then decide whether to filter it out or cleanse the problematic content and let it through.

Read the full article, and check out Arnon's ongoing SOA patterns effort.
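The excerpt above lists the firewall's steps in prose; what follows is an added example of those same steps in code. It is not code from the article or from Arnon's book. It uses Python's standard-library XML parser and assumes a hypothetical "OrderRequest" service contract, hypothetical size and nesting limits, and constructed sample messages. "XDoS" here is read as XML denial of service, whose usual forms are entity expansion ("billion laughs") and deep nesting.

```python
# Added example, not code from the InfoQ article or from Arnon Rotem-Gal-Oz's
# SOA Patterns book: a minimal Service Firewall that intercepts an inbound XML
# message and applies the pattern's steps (inspect, scan for XDoS-style content,
# validate against the contract, audit, then drop or cleanse). The contract,
# the limits and the sample messages are all constructed for illustration.
import logging
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

log = logging.getLogger("service_firewall")
Verdict = namedtuple("Verdict", "action reasons message")  # message: None if dropped
MAX_BYTES, MAX_DEPTH = 64 * 1024, 16  # hypothetical size and nesting limits
# Refuse any DOCTYPE/ENTITY declaration: entity expansion ("billion laughs") and
# external entities are declared there, and the parser below would expand them.
DOCTYPE_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)
# Hypothetical contract: required element -> (type, max text length); optional
# element -> max length, where over-long text is truncated rather than rejected.
CONTRACT = {"customerId": (int, 10), "item": (str, 64), "quantity": (int, 6)}
OPTIONAL = {"note": 256}

def scan_for_xdos(raw: bytes) -> list:
    """Byte-level checks done before any XML parser touches the payload."""
    reasons = []
    if len(raw) > MAX_BYTES:
        reasons.append(f"oversized: {len(raw)} bytes > {MAX_BYTES}")
    if DOCTYPE_RE.search(raw):
        reasons.append("DOCTYPE/ENTITY declaration present (entity expansion)")
    return reasons

def parse_with_depth_limit(raw: bytes, chunk: int = 512) -> ET.Element:
    """Parse incrementally so over-deep nesting is refused as soon as the limit
    is crossed; malformed XML surfaces as ET.ParseError from read_events()."""
    parser = ET.XMLPullParser(events=("start", "end"))
    depth, root = 0, None
    def drain():
        nonlocal depth, root
        for event, elem in parser.read_events():
            depth += 1 if event == "start" else -1
            root = elem if root is None else root
            if depth > MAX_DEPTH:
                raise ValueError(f"nesting depth {depth} > {MAX_DEPTH}")
    for i in range(0, len(raw), chunk):
        parser.feed(raw[i:i + chunk])
        drain()
    parser.close()  # ET.ParseError for an empty or unterminated document
    drain()
    return root

def validate_contract(root: ET.Element):
    """Returns (fatal, cleansed); the tree is edited in place when cleansing."""
    fatal, cleansed = [], []
    if root.tag != "OrderRequest":
        return [f"unexpected root element {root.tag!r}"], cleansed
    for child in list(root):
        text = (child.text or "").strip()
        if child.tag in CONTRACT:
            typ, max_len = CONTRACT[child.tag]
            if len(text) > max_len:
                fatal.append(f"{child.tag}: length {len(text)} > {max_len}")
            elif typ is int and not re.fullmatch(r"-?\d+", text):
                fatal.append(f"{child.tag}: expected integer, got {text!r}")
        elif child.tag in OPTIONAL:
            if len(text) > OPTIONAL[child.tag]:
                child.text = text[:OPTIONAL[child.tag]]
                cleansed.append(f"{child.tag}: truncated to {OPTIONAL[child.tag]}")
        else:
            root.remove(child)
            cleansed.append(f"{child.tag}: not in contract, stripped")
    present = {c.tag for c in root}
    fatal += [f"{n}: required element missing" for n in CONTRACT if n not in present]
    return fatal, cleansed

def inspect(raw: bytes) -> Verdict:
    """Decide one inbound message; every problem is logged (audit) first."""
    reasons = scan_for_xdos(raw)
    if reasons:
        log.warning("drop: %s", reasons)
        return Verdict("drop", reasons, None)
    try:
        root = parse_with_depth_limit(raw)
    except (ET.ParseError, ValueError) as exc:
        log.warning("drop: parse rejected: %s", exc)
        return Verdict("drop", [f"parse rejected: {exc}"], None)
    fatal, cleansed = validate_contract(root)
    if fatal:
        log.warning("drop: %s", fatal + cleansed)
        return Verdict("drop", fatal + cleansed, None)
    if cleansed:
        log.info("cleanse: %s", cleansed)
    out = ET.tostring(root, encoding="utf-8")
    return Verdict("cleanse" if cleansed else "allow", cleansed, out)

# Constructed sample messages (not captured traffic).
GOOD = b"<OrderRequest><customerId>42</customerId><item>widget</item><quantity>3</quantity></OrderRequest>"
BILLION_LAUGHS = b'<!DOCTYPE x [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;">]><OrderRequest>&lol2;</OrderRequest>'
DEEP = b"<OrderRequest>" + b"<a>" * 100 + b"</a>" * 100 + b"</OrderRequest>"
SLOPPY = GOOD[:-15] + b"<debug>x</debug><note>" + b"n" * 300 + b"</note></OrderRequest>"
BAD_TYPE = GOOD.replace(b"<customerId>42<", b"<customerId>abc<")
```

Calling inspect() on the samples gives the four outcomes the excerpt describes: GOOD is allowed unchanged; BILLION_LAUGHS is dropped before any parser runs and DEEP is dropped as soon as the nesting limit is crossed; SLOPPY is let through cleansed, with the unknown <debug> element stripped and the over-long <note> truncated; BAD_TYPE is dropped for violating the contract, and the reason is logged. Refusing any DOCTYPE outright, rather than trying to parse it safely, is deliberate: xml.etree expands internal entities, so the only safe place to stop an entity bomb is before the parser sees it. In a real gateway the contract check would usually be schema validation against the service's published contract rather than a hand-written dictionary.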


Is this not the same as the "Perimeter Service Router Pattern"? by Anil John

Perimeter Service Router Pattern

If it is, it may be good to synchronize the pattern name. If not, I would appreciate knowing how this is different. Just as an FYI, the implementation of the Service Router Pattern for us was an XML Security Gateway as well, for exactly the reasons that you noted.

Re: Is this not the same as the by Arnon Rotem-Gal-Oz

Hello Anil,
I wasn't aware of your pattern until now. I'll have to read more thoroughly before I can tell you exactly what's different. It does seem that both patterns have the same main idea. I'll add an "also known as" and attribute your effort in my book.

As a side note, I would say that it shouldn't be too surprising that similar patterns emerge since you discover patterns as you grapple with real-life problems and since some of these problems are common enough, the solutions to them will probably also be similar.

Arnon

Re: Is this not the same as the by Arnon Rotem-Gal-Oz

OK, so what's the difference?
Well, as I said in the initial reply, the main idea of introducing a mediator is similar.
However, there are a few differences:
1. The Service Firewall pattern is a little more structured, as it builds on the Edge Component pattern, which is a more general, not security-specific, service mediator pattern.
2. I think I take a more architectural point of view vs. your pattern, which talks about a deployment implementation. For instance, as you can see in the technology mapping section, the Service Firewall pattern can be implemented to guard services inside a private network and not just moving from a DMZ to a private network. The pattern talks about the principle and it isn't even tied to web services.

3. My problem statement is more focused on security, but I guess that's just a minor semantic issue.

As I said in the previous post, since the main idea is similar I'll add an attribution to your pattern in the book.

Arnon

Re: Is this not the same as the by Anil John

Anrnon,

>I'll add an attribution to your pattern in the book

I cannot take credit for that body of work :-)

Those web service security patterns that I pointed to, the Perimeter Service Router pattern just being one, were developed by Microsoft's patterns and practices group. I happened to be one of the external technical reviewers of that work and hopefully made some minor contributions to shape it so the attribution should point to the MS PAG folks.

I also happened to have used them in guiding the implementation of web services security in my work environment, so I am familiar with them from the implementation perspective.

Regards,

- Anil

Re: Is this not the same as the by Anil John

Arrgh! Arnon, my apologies for misspelling your name in the message above! - Anil

OT: Which application used to draw diagrams? by legolas wood

Hi
Maybe it is very OT to ask this question, but can someone tell me which application was used to draw the diagrams for this article?

thanks

Re: OT: Which application used to draw diagrams? by Arnon Rotem-Gal-Oz

In the book I use both Sparx Enterprise Architect and Microsoft's PowerPoint 2007. The diagrams here are all PowerPoint 2007 :)
Arnon

Re: OT: Which application used to draw diagrams? by legolas wood

Thank you for letting me know. I hope I can use them to demonstrate some concepts in my university documents and work reports.
Thanks

What are your thoughts on using an appliance as Service Firewall/Gateway? by Rag Ramanathan

I am involved in building an appliance that provides all the functionality of Service Firewall as listed here, and more. Some customers are deploying this as a "Universal Service Gateway". The concept is very similar to having (web) firewalls and routers.

I was curious on your thoughts and experience around this.

Thank you.
Rag
