Article: Service Firewall Pattern

Today, InfoQ publishes a sample pattern from Arnon Rotem-Gal-Oz's in-progress book SOA Patterns, which attempts to provide a solution that blocks malicious incoming messages and prevents information disclosure. The pattern, termed "Service Firewall", relies on intercepting messages to provide better security:

First, it intercepts each incoming and outgoing message and inspects it. Once intercepted, the Service Firewall can scan the message for malicious content such as viruses or XDOS attacks, as mentioned in the sample scenario. Additionally, the Service Firewall can validate messages by making sure they conform to the contract, verifying property types and sizes, etc. When a message is identified as problematic, the Service Firewall can audit and log the message and then decide whether to filter it out or cleanse the problematic content and let it through.

Read the full article, and check out Arnon's ongoing SOA patterns effort.
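
The inspection steps quoted above can be sketched as a small mediator. This is an added example, not code from the book or the article; the JSON message format, the contracts, the field names and the size limits are all assumptions made for illustration.

```python
import json
import logging

log = logging.getLogger("service_firewall")

# Constructed contracts (assumptions): field -> (type, max characters or None)
INBOUND = {"order_id": (int, None), "customer": (str, 64), "note": (str, 256)}
OUTBOUND = {"order_id": (int, None), "status": (str, 32)}
MAX_BYTES = 4096  # size check happens before any parsing work is done

def _violations(msg, contract):
    """List every way a parsed message departs from the contract."""
    problems = [f"unexpected field {k!r}" for k in msg if k not in contract]
    for name, (typ, limit) in contract.items():
        if name not in msg:
            problems.append(f"missing field {name!r}")
        elif type(msg[name]) is not typ:  # exact type: bool is not int
            problems.append(f"{name!r} is not {typ.__name__}")
        elif limit is not None and len(msg[name]) > limit:
            problems.append(f"{name!r} exceeds {limit} characters")
    return problems

def inspect_inbound(raw: bytes):
    """Return the parsed message if it conforms, else None (filtered out)."""
    if len(raw) > MAX_BYTES:
        log.warning("filtered inbound: %d bytes exceeds limit", len(raw))
        return None
    try:
        msg = json.loads(raw)
    except (ValueError, RecursionError):  # malformed or pathologically nested
        log.warning("filtered inbound: payload could not be parsed safely")
        return None
    problems = _violations(msg, INBOUND) if isinstance(msg, dict) else ["not an object"]
    if problems:
        log.warning("filtered inbound: %s", "; ".join(problems))
        return None
    return msg

def inspect_outbound(msg: dict):
    """Cleanse a reply: drop fields outside the contract, then validate."""
    extra = sorted(k for k in msg if k not in OUTBOUND)
    if extra:
        log.warning("cleansed outbound: dropped %s", extra)
    clean = {k: v for k, v in msg.items() if k in OUTBOUND}
    problems = _violations(clean, OUTBOUND)
    if problems:
        log.warning("filtered outbound: %s", "; ".join(problems))
        return None
    return clean
```

Inbound messages are filtered on any violation, while outbound replies are cleansed by stripping fields the contract does not list; the audit log records field names only, never field values.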

Community comments

            • Is this not the same as the "Perimeter Service Router Pattern"?

              by Anil John,

              Perimeter Service Router Pattern

              If it is, it may be good to synchronize the pattern name. If not, would appreciate how this is different. Just as an FYI, the implementation of the Service Router Pattern for us was an XML Security Gateway as well, for exactly the reasons that you noted.

            • Re: Is this not the same as the

              by Arnon Rotem-Gal-Oz,

              Hello Anil,
              I wasn't aware of your pattern until now. I'll have to read more thoroughly before I can tell you exactly what's different. It does seem that both patterns have the same main idea. I'll add an "also known as" and attribute your effort in my book.

              As a side note, I would say that it shouldn't be too surprising that similar patterns emerge since you discover patterns as you grapple with real-life problems and since some of these problems are common enough, the solutions to them will probably also be similar.

              Arnon

            • Re: Is this not the same as the

              by Arnon Rotem-Gal-Oz,

              OK - so what's the difference,
              Well, as I said in the initial reply, the main idea of introducing a mediator is similar.
              However, there are a few differences:
              1. The Service Firewall pattern is a little more structured as it builds on the Edge Component pattern, which is a more general, not security-specific, service mediator pattern.
              2. I think I take a more architectural point of view vs. your pattern, which talks about a deployment implementation. For instance, as you can see in the technology mapping section, the Service Firewall pattern can be implemented to guard services inside a private network and not just moving from a DMZ to a private network. The pattern talks about the principle and it isn't even tied to web-services.

              3. My problem statement is more focused on security - but I guess that's just a minor semantic issue.

              As I said in the previous post, since the main idea is similar I'll add an attribution to your pattern in the book.

              Arnon

            • Re: Is this not the same as the

              by Anil John,

              Anrnon,

              >I'll add an attribution to your pattern in the book

              I cannot take credit for that body of work :-)

              Those web service security patterns that I pointed to, the Perimeter Service Router pattern just being one, were developed by Microsoft's patterns and practices group. I happened to be one of the external technical reviewers of that work and hopefully made some minor contributions to shape it so the attribution should point to the MS PAG folks.

              I also happened to have used them in guiding the implementation of web services security in my work environment, so I am familiar with them from the implementation perspective.

              Regards,

              - Anil

            • Re: Is this not the same as the

              by Anil John,

              Arrgh! Arnon, my apologies for misspelling your name in the message above! - Anil

            • OT: Which application used to draw diagrams?

              by legolas wood,

              Hi
              Maybe it is very OT to ask this question, but can someone tell me which application was used to draw diagrams for this article?

              thanks

            • Re: OT: Which application used to draw diagrams?

              by Arnon Rotem-Gal-Oz,

              In the book I use both Sparx Enterprise Architect and Microsoft's PowerPoint 2007. The diagrams here are all PowerPoint 2007 :)
              Arnon

            • Re: OT: Which application used to draw diagrams?

              by legolas wood,

              Thank you for letting me know. Hope I can use them to demonstrate some concepts in my university documents and work reports.
              Thanks

            • What are your thoughts on using an appliance as Service Firewall/Gateway?

              by Rag Ramanathan,

              I am involved in building an appliance that provides all the functionality of Service Firewall as listed here, and more. Some customers are deploying this as "Universal Service Gateway". The concept is very similar to having (Web) Firewall, and routers.

              I was curious on your thoughts and experience around this.

              Thank you.
              Rag
