BT

InfoQ Homepage News Article: Service Firewall Pattern

Article: Service Firewall Pattern

Bookmarks

Today, InfoQ publishes a sample pattern from Arnon Rotem-Gal-Oz' in-progress book SOA Patterns, which attempts to provide a solution that prevents malicious incoming messages and prevent information disclosure. The pattern, termed "Service Firewall", relies on intercepting messages to provide better security:

First it intercepts each incoming and outgoing message and inspects it. Once intercepted the Service firewall can scan the message for malicious content such as viruses or XDOS attacks as mentioned in the sample scenario. Additionally, the Service Firewall can validate messages by making sure they conform to the contract, verifying property types and sizes etc. When a message is identified as problematic the Service Firewall can audit and log the message and then decide whether to filter it out or cleanse the problematic content and let it through.

Read the full article, and check out Arnon's ongoing SOA patterns effort.

Rate this Article

Adoption
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Community comments

  • Is this not the same as the "Perimeter Service Router Pattern"?

    by Anil John /

    • Re: Is this not the same as the

      by Arnon Rotem-Gal-Oz /

      • Re: Is this not the same as the

        by Arnon Rotem-Gal-Oz /

        • Re: Is this not the same as the

          by Anil John /

          • Re: Is this not the same as the

            by Anil John /

            • Is this not the same as the "Perimeter Service Router Pattern"?

              by Anil John /

              Your message is awaiting moderation. Thank you for participating in the discussion.

              Perimeter Service Router Pattern

              If it is, it may be good to synchronize the pattern name. If not, would appreciate how this is different. Just as an FYI, the implementation of the Service Router Pattern for us was an XML Security Gateway as well, for exactly the reasons that you noted.

            • Re: Is this not the same as the

              by Arnon Rotem-Gal-Oz /

              Your message is awaiting moderation. Thank you for participating in the discussion.

              Hello Anil,
              I wasn't aware of your pattern until now. I'll have to read more thoroughly before I can tell you exactly what's different. It dies seem that both patterns have the same main idea. I'll add a "also known as" and attribute your effort in my book

              As a side note, I would say that it shouldn't be too surprising that similar patterns emerge since you discover patterns as you grapple with real-life problems and since some of these problems are common enough, the solutions to them will probably also be similar.

              Arnon

            • Re: Is this not the same as the

              by Arnon Rotem-Gal-Oz /

              Your message is awaiting moderation. Thank you for participating in the discussion.

              OK - so what's the difference,
              Well, as I said in the initial reply the main idea of introducing an mediator is similar.
              However there are a few differences
              1. The Service Firewall pattern is a little more structured as it builds on the Edge Component pattern which is a more general, not security sepecific service mediator pattern
              2. I think I take a more architectural point of view vs. your pattern which talks about a deployment implementation. for instance. As you can see in the technology mapping section, the Service Firewall pattern can be implemented to guard services inside a private network and not just moving from a DMZ to a private network. The pattern talks about the principle and it isn't even tied to web-services.

              3. My problem statement is more focused on security - but I guess that just a minor semantic issue

              As I said in the previous post- since the main idea is similar I'll add an attribution to your pattern in the book

              Arnon

            • Re: Is this not the same as the

              by Anil John /

              Your message is awaiting moderation. Thank you for participating in the discussion.

              Anrnon,

              >I'll add an attribution to your pattern in the book

              I cannot take credit for that body of work :-)

              Those web service security patterns that I pointed to, the Perimeter Service Router pattern just being one, were developed by Microsoft's patterns and practices group. I happened to be one of the external technical reviewers of that work and hopefully made some minor contributions to shape it so the attribution should point to the MS PAG folks.

              I also happened to have used them in guiding the implementation of web services security in my work environment, so I am familiar with them from the implementation perspective.

              Regards,

              - Anil

            • Re: Is this not the same as the

              by Anil John /

              Your message is awaiting moderation. Thank you for participating in the discussion.

              Arrgh! Arnon, my apologies for misspelling your name in the message above! - Anil

            • OT: Which application used to draw diagrams?

              by legolas wood /

              Your message is awaiting moderation. Thank you for participating in the discussion.

              Hi
              Maybe it is very OT to ask this question, but can some one tell me which application used to draw diagrams for this article?

              thanks

            • Re: OT: Which application used to draw diagrams?

              by Arnon Rotem-Gal-Oz /

              Your message is awaiting moderation. Thank you for participating in the discussion.

              In the book I use both Sparx Enterprise Architect and Microsoft's Powerpoint 2007. The diagrams here are all Powerpoint 2007 :)
              Arnon

            • Re: OT: Which application used to draw diagrams?

              by legolas wood /

              Your message is awaiting moderation. Thank you for participating in the discussion.

              Thank you for letting me know, Hope i can use them to demonstrate some concepts in my university documents and work reports.
              Thanks

            • What are your thoughts on using an appliance as Service Firewall/Gateway?

              by Rag Ramanathan /

              Your message is awaiting moderation. Thank you for participating in the discussion.

              I am involved in building an appliance that provides all the functionality of Service Firewall as listed here, and more. Some customers are deploying this as "Universal Service Gateway" The concept is very similar to having (Web) Firewall, and routers.

              I was curious on your thoughts and experience around this.

              Thank you.
              Rag

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

BT

Is your profile up-to-date? Please take a moment to review and update.

Note: If updating/changing your email, a validation request will be sent

Company name:
Company role:
Company size:
Country/Zone:
State/Province/Region:
You will be sent an email to validate the new email address. This pop-up will close itself in a few moments.