WebSphere Application Server - Redirecting a web service for outside firewall access


Author Redirecting a web service for outside firewall access

2006-12-16, 7:27 pm


We have the below scenario.

We have a WebService hosted by machine A. Machine A is inside the firewall, but we need to make this web service available to be accessible outside the firewall.

We have a webserver running on machine B, which can route requests to machine A, although Machine A is not in the AppServer network domain.

Since web service redirect (if we redirect at the web servers level) throws an HTTP Error "302" to the clients (non-browser clients), I am wondering what would be the best way to achieve this functionality?

Any help is appreciated.
Arun

Paul Ilechko

2006-12-16, 7:27 pm

vijpersonal@yahoo.com wrote:
> We have the below scenario.
>
> We have a WebService hosted by machine A. Machine A is inside the
> firewall, but we need to make this web service available to be
> accessible outside the firewall.
>
> We have a webserver running on machine B, which can route requests
> to machine A, although Machine A is not in the AppServer network
> domain.
>
> Since web service redirect (if we redirect at the web servers level)
> throws an HTTP Error "302" to the clients (non-browser clients), I am
> wondering what would be the best way to achieve this functionality?
>


Datapower. It provides you with Web Service proxying, authentication and
authorization, XML threat protection, transport mapping, key management
and lots of other great features. If you are accepting Web Service
requests from outside your firewall you need it.

2006-12-17, 1:39 am


Thanks Paul. I have a follow-up question though!

We are on WAS 5.1.X. As per our client requirements, our Web service, the one which should accept requests from outside the firewall, need not be highly secured. How soon we can make it available is a factor for them.

Can we use WebServices Gateway in our case? What other options do we have?
Paul Ilechko

2006-12-17, 1:17 pm

vijpersonal@yahoo.com wrote:
> Thanks Paul. I have a follow-up question though!
>
> We are on WAS 5.1.X. As per our client requirements, our Web service,
> the one which should accept requests from outside the firewall, need
> not be highly secured. How soon we can make it available is a factor
> for them.
>
> Can we use WebServices Gateway in our case? What other options do we
> have?


WSGW is an option but that won't protect you against XML based attacks
which can crash your entire system.
Juanma Martinez

2006-12-17, 7:33 pm

vijpersonal@yahoo.com wrote:
> Thanks Paul. I have a follow-up question though!
>
> We are on WAS 5.1.X. As per our client requirements, our Web service, the one which should accept requests from outside the firewall, need not be highly secured. How soon we can make it available is a factor for them.
>
> Can we use WebServices Gateway in our case? What other options do we have?


You can take a look at WebSphere SOA Datapower appliances, that's what
they have been designed for (especially model XS40).
Ben_

2006-12-18, 7:23 pm

DataPower gained much visibility recently at IBM, but there is no public
price list.

Anyone here knows the cost ?

Thx.


Paul Ilechko

2006-12-18, 7:23 pm

Ben_ wrote:
> DataPower gained much visibility recently at IBM, but there is no public
> price list.
>
> Anyone here knows the cost ?


Ballpark only - take the model number and multiply by a thousand :-)
Sunit Patke

2006-12-18, 7:23 pm

Google for 7993-32X which is IBM WebSphere DataPower XML Security Gateway.

Sunit

"Ben_" <reply@newsgroup.com> wrote in message
news:em6t8b$24010$1@news.boulder.ibm.com...
> DataPower gained much visibility recently at IBM, but there is no public
> price list.
>
> Anyone here knows the cost ?
>
> Thx.
>
>



Ben_

2006-12-18, 7:23 pm

"Paul Ilechko" <paul.ilechko@us.ibm.com> wrote in message
news:em6u3d$2405m$1@news.boulder.ibm.com...
> Ben_ wrote:
>
> Ballpark only - take the model number and multiply by a thousand :-)


Great ! That's cheap enough, I'll buy one for my wife for Xmas... :-)

Thanks Sunit, I found the announcement letter with pricing.


2006-12-19, 1:24 pm


Our web admin thinks that we can filter IP addresses to filter the web service requests from our external client and to avoid any XML attacks. Any opinions about how safe we can be with the filtering in place?
Paul Ilechko

2006-12-19, 7:26 pm

vijpersonal@yahoo.com wrote:
> Our web admin thinks that we can filter IP addresses to filter the
> web service requests from our external client and to avoid any XML
> attacks. Any opinions about how safe we can be with the filtering in
> place?


The problem is the content of the XML itself - the only way to "filter"
it is to parse it, which is expensive and time consuming unless, like
Datapower, you have special purpose hardware that can do XML parsing at
the microcode level. It's trivial to forge source IPs.
Ben_

2006-12-19, 7:26 pm

> Our web admin thinks that we can filter IP addresses to filter the web
> service requests from our external client

It's a start, but it's minimalist in terms of security.

> and to avoid any XML attacks.

You'll definitely not be protected from XML attacks: IP filtering is so
low-level that it cannot sanitize the HTTP traffic, like verifying the HTTP
headers and body. For regular web sites, you'll want to sanitize traffic for
possible XSS, SQL injection, abnormally large uploads, etc. For web
services, you'll also want to offload essential processing like schema
conformance, signature, etc.

> Any opinions about how safe we can be with the filtering in place?

IP filtering is common practice, but in combination with other security
measures.
So to speak, with IP filtering, all you do is put "some pressure" on the
customer by telling them "we're watching you and if some malicious payload
is received from your location, we'll bite you".
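
Added example, not part of the original thread or any poster's code: the content checks that the two replies above say IP filtering cannot do (a size cap, then a streaming parse that enforces structural limits and refuses a DOCTYPE), written in Python with the standard-library expat binding. The limit values, the function name `inspect_request` and the sample bodies are assumptions made for this example.

```python
import xml.parsers.expat

# Assumed limits for this example; tune them to the real service's messages.
MAX_BYTES, MAX_DEPTH, MAX_ELEMENTS, MAX_ATTRS = 64 * 1024, 32, 5000, 16

class Rejected(Exception):
    """Raised inside parser callbacks to abort parsing at the first violation."""

def inspect_request(body: bytes) -> str:
    """Return 'accept' or 'reject: <reason>' for one HTTP request body."""
    if len(body) > MAX_BYTES:                      # cheap check before any parsing
        return "reject: body larger than MAX_BYTES"
    depth = elements = 0

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # SOAP messages must not carry a DTD; refusing it rules out entity tricks.
        raise Rejected("DOCTYPE not allowed")

    def on_start(name, attrs):
        nonlocal depth, elements
        depth += 1
        elements += 1
        if depth > MAX_DEPTH:
            raise Rejected("nesting deeper than MAX_DEPTH")
        if elements > MAX_ELEMENTS:
            raise Rejected("more than MAX_ELEMENTS elements")
        if len(attrs) > MAX_ATTRS:
            raise Rejected("too many attributes on <%s>" % name)

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(body, True)                   # streaming parse, no DOM is built
    except Rejected as why:
        return "reject: %s" % why
    except xml.parsers.expat.ExpatError:
        return "reject: not well-formed XML"
    return "accept"

# Constructed sample bodies (not taken from the thread).
GOOD = (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soapenv:Body><getQuote><symbol>IBM</symbol></getQuote></soapenv:Body>'
        b'</soapenv:Envelope>')
DEEP = b"<a>" * 100 + b"</a>" * 100
WITH_DTD = b'<!DOCTYPE r [<!ENTITY e "v">]><r>&e;</r>'
```

The check has to run where the request body is available, for example in the proxy on machine B or in a filter in front of the service; schema and signature validation would follow it for messages that pass.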


Paul Ilechko

2006-12-19, 7:26 pm

Ben_ wrote:
> service requests from our external client
> It's a start, but it's minimalist in terms of security.
>
> You'll definitely not be protected from XML attacks: IP filtering is so
> low-level that it cannot sanitize the HTTP traffic, like verifying the HTTP
> headers and body. For regular web sites, you'll want to sanitize traffic for
> possible XSS, SQL injection, abnormally large uploads, etc. For web
> services, you'll also want to offload essential processing like schema
> conformance, signature, etc.


There's more to XML attacks than this, though. See:

http://www-128.ibm.com/developerwor..._col_hines.html

2006-12-20, 1:19 pm


Ben, Paul & others, thanks for the feedback!!