CROSSCHECK NETWORKS APAC, 3F-4, No. 508, Sec. 5, Zhongxiao E. Rd., Taipei 11083, Taiwan R.O.C.
www.crosschecknet.com
1. Challenges: As more and more organizations and businesses adapt to SOA and Cloud infrastructure, those that want to migrate their existing systems to SOA or Web Service architecture face the challenge of converting different data types and transferring them via different protocols. Development teams could try to do this by writing code, but as each organization has its own unique or preferred protocols and standards, this would be a nightmare for the developers.
Solution: With Forum Sentry, developers and engineers can use its intuitive user interface to effectively achieve data conversions automatically between various protocols without writing any code. Below are some of the standards and protocols supported by Forum Sentry:
• XML, SOAP
• HTML, JSON
• AS2, ebXML
• SAML, WS-Federation
• XML-Sec, WS-Sec
• WSDL, XSD
• WS-Trust, XACML
• WS-Addressing
• WS-Reliable Messaging
• WS-Policy
• XPath
• XSLT
• HTTP, HTTPS
• SSL / TLS
• IBM MQ
• Tibco EMS
• JBOSS JMS
• Oracle JMS
• Sun JMS
• FTP, FTPS, SFTP
• SMTP
• RAW TCP
• STREAMING TCP
• X509
• PKCS #1,7,8,12
• OpenPGP
• SSH
• Key Import
• Key Generation
• CSR, Self-Sign
• CRL, OCSP, XKMS, CDP
• HSM Security World
2. Challenges: When organizations deploy their Web Services to partners and outside users, it is very difficult for them to control all the incoming and outgoing traffic and prevent security attacks on their services.
Solution: Forum Sentry is able to automatically parse, merge and administer compound WSDLs from multiple endpoints into single virtual WSDLs, to ensure the services are protected from external attacks. Forum Sentry also provides extensive support for WS-Standards to ensure the interoperability of different services communicating with each other. Forum Sentry offers threat mitigation, as it can act as an XML Firewall/WAF to detect and prevent intrusion attacks. Users can set rate-based or size-based rules to prevent information leakage and external attacks such as XML bombs, SQL injection, malware, etc. Forum Sentry also has an onboard anti-virus engine with BASE64 encoding malware scanning integrated with ICAP. Forum Sentry is the only product out there that is fully certified by FIPS 140-2, as it is the most comprehensive security gateway on the market.
3. Challenges: When messages travel between departments within the organization or third-party partners using different Identity Management Systems (such as Active Directory, LDAP, SiteMinder, Tivoli AM, ClearTrust, Kerberos KDC, CoreID, JSAM, WS-Trust, and more), organizations need to ensure their Web Services can process and respond to different requests from different Identity Management Systems.
Solution: Forum Sentry can integrate with commonly used Identity Management Systems such as CA SiteMinder, LDAP, MS Active Directory, RSA SecurID, Oracle AM, HP Select Access, IBM TAM, OpenSSO, OpenAM, XACML, OAuth, SAML SSO, WS-Trust, and more. Forum Sentry can bridge between protocol-based HTTP Basic Authentication and message-based WS-X.509, and automatically convert different levels of identity certificates to achieve a single point of login. In addition, Forum Sentry can support OAuth SSO, SAML SSO, Cookie SSO, and more used by mobile devices.
4. Challenges: When organizations are developing with JSON/REST architectures for mobile apps, they also need to consider the security, performance and scalability of each transaction while, at the same time, managing the productivity/cost of the development groups.
Solutions: Forum Sentry can automatically convert JSON/REST messages with a variety of protocols without re-development of the interface. This will greatly reduce the cost and improve the efficiency of the development teams. Forum Sentry supports import, generation and management of X.509 and PKCS formats directly into the Java Key Store; it supports PKCS #1 (Public Key Cryptography Standards), PKCS #7, PKCS #8, PKCS #11, PKCS #12, X.509 certificates and CSRs; key sizes up to 4096 with RSA, DSA, DES, 3DES, SHA-1, SHA-2, AES and Elliptic Curve; digital signature encryption (3DES, AES-128, AES-192, AES-256; KeyWrap: 3DES, AES-128, AES-192, AES-256, RSA, RSA-OAEP) and digital signature (RIPEMD-160, SHA-1, SHA-256, SHA-512), and more.
5. Challenges: The performance of the system is affected by the increasing number of transactions; more and more web services require security encryption and decryption, digital signature authentication, and parsing of XML messages with large attachments.
Solution: Forum Sentry’s hardware compliance offers various encryption and decryption methods. This can greatly reduce the workload on the server and free up resources, and will significantly improve the reliability of the entire system and provide a better user experience. With patented XML security acceleration technology and an architecture certified by NIST and the U.S. Department of Defense, the Forum Sentry XML Gateway is the industry standard for XML and SOAP security, access control and integration.
6. Challenges: A Web Application Firewall (WAF) does not support XML messages and XML-related documents, nor can it validate them. Organizations run risks by having only a WAF as their security gateway.
Solution: Forum Sentry not only provides standard WAF functionality (such as CSRF attack protection, cookie tamper protection, web protection from hotlinking, SQL injection attack protection, XSS attack protection, application-layer DoS protection, sensitive information leakage protection, and file uploading and downloading control); more importantly, it can also protect against security vulnerabilities in XML transactions such as:
Reconnaissance attacks
• WSDL scanning
Attacks on integrity
• Parameter tampering
• Message tampering
• Schema poisoning
• External entity attack
Denial of Service (DoS) attacks
• Recursive payloads sent to XML Parsers
• Oversized payloads sent to XML Parsers
• Schema poisoning
• Memory leak exploitation
Command Injection
• SQL/XQuery injection
• XML/Query injection
• Cross-site scripting
Malicious code attacks (e.g., system compromise)
• Command Injection
• Malformed content
• XML malicious morphing
• XML encapsulation
• XML virus
• Malicious include
Privilege Escalation attacks/Attacks on confidentiality
• Dictionary attack
• Replay attack
• Message snooping
7. Challenges: As applications become more and more complex, Web Services API management and deployment also become more problematic. Organizations are looking for a centralized system that can easily manage and deploy their complex web services.
Solutions: Forum Sentry is able to automatically parse, merge and administer compound WSDLs from multiple endpoints into single virtual WSDLs. Users can perform various tasks through Forum Sentry’s intuitive user interface, without purchasing any additional machines, to address system mediation and other security-related concerns.
8. Challenges: When there are known vulnerabilities in an existing legacy system, such as SQL injection, organizations often do not have the time/resources/policy to address these issues right away.
Solution: Forum Sentry provides an integrated anti-virus engine on the hardware with BASE64 encoding malware scanning, integrated with ICAP. Forum Sentry is also able to effectively protect systems from security attacks such as SQL injection, XSS attacks, DoS attacks and DDoS attacks through its IDP rules and WAF capability.
9. Challenges: Data centers often need to achieve a certain level of SLA for their services; organizations need to ensure the performance of their system will meet the SLA, and also provide the ability to distribute the transaction bandwidth based on different user groups or types.
Solution: Forum Sentry’s built-in IDP rules are able to intelligently manage network traffic for users and partners. Forum Sentry is able to control inbound and outbound traffic according to the user’s deployment strategy. When users or partners go beyond the bandwidth, Forum Sentry will automatically log the information via SNMP, Email, SOA records, or Database trigger alerts. All this data also helps organizations come up with better sales strategies targeting different customer groups.
10. Challenges: Organizations need a system that will integrate with their existing architecture and support technologies such as Intrusion Detection and Prevention, Anti-virus, WAF, XML Firewall, traffic control, Identity management systems, system transformation, secure PKI key management, encryption/decryption acceleration, and transaction auditing.
Solution: Forum Sentry (emphasis on XML and SOA security) is a comprehensive security gateway that offers XML acceleration, Web application firewall, intrusion detection/prevention, access control management, onboard anti-virus, encryption/decryption acceleration, PKI key management, HSM and more. Forum Sentry is capable of handling a volume of over 10 billion times a day worldwide. It offers the most comprehensive HTML, XML, SOAP and REST vulnerability protection and will also greatly improve the performance of business transactions. As the pioneer for XML security, Forum Systems owns a registered XML security patent (7,516,333). Forum Sentry is also certified with FIPS by the U.S. Department of Defense security certification.
11. Challenges: Banks and telecommunication companies need to handle a large amount of non-core business logic at the front end of the platform to improve the efficiency and security of their core system.
Solution:
- Forum Sentry allows customers to access various transport protocols
Whether it is financial bureaus, enterprise banks with messages via MQ SSL, or midsize banks using HTTP/HTTPS, and even if the customer is using Web Services or FTP, they will be able to use Forum Sentry’s multi-protocol access to process their transactions.
- Implementation of user authorization and authentication through SSL
Forum Sentry is able to achieve secure user authentication and access control through SSL authorization, whether over MQ or HTTP.
- File format transformation
Forum Sentry is able to transform files received via MQ and HTTP to the same MQ message to reduce the workload of the backend system. This can greatly improve the performance of the entire system.
- Data Preprocessing
When messages are sent via MQ or HTTP to Forum Sentry, the user is able to check and validate the message content and format. If the validation is successful, Forum Sentry will convert the message into a unified MQ message to the backend platform; if the check fails, the user gets an “Invalid Format” message without going through the core processing platform.