REST Security Solution Sheet

Standards-based Security for Web Oriented Architectures

A single solution simplifies the implementation of security for both REST and WS-* Web Services

For RESTful Web services, how can you: Authenticate/authorize RESTful requesters in a uniform manner? Integrate RESTful Web services with existing identity and access management infrastructure? Monitor and audit access to RESTful Web services? Enforce service levels and quotas for RESTful Web services?

The Problem
Representational State Transfer (REST) and resource orientation in general provide a lightweight approach to exposing Web APIs known as RESTful Web services. A key component of Web Oriented Architectures, REST requesters and service implementations use HTTP to exchange resources formatted using common content types, such as PDF, XML, HTML and JSON. But while developers appreciate the fact that REST provides them with a quicker and easier way to instantiate Web services than the more traditional, SOAP-based/WS-* approach, most of them also recognize that REST lacks a wellarticulated security model.

The Layer 7 Solution

RESTful Web services are closely aligned with the Web and, as such, are subject to all the traditional, Web-based threats. Yet, just as for WS-* services, RESTful Web services can receive payloads and potential message-level threats, such as injections and parser attacks. Layer 7s SecureSpan family of XML Gateways can virtualize service endpoints, ensuring that access to RESTful and WS-* Web services can only occur via the SecureSpan Gateway. Gateway policies act on each incoming message, validating compliance with application-specific conditions, such as URI patterns, content level patterns (evaluated using XPath expressions), XML Schema Definitions (XSD), Schematron, JSON schemas, Regular Expressions (RegEx), HTTP header filtering, and more. The SecureSpan XML Gateways runtime logic also provides integration with IAM infrastructure, enabling authentication of requesters, as well as centralized management of service access. By delegating authentication and authorization of requesting entities to SecureSpan, organizations can ensure they are performed in a uniform fashion regardless of the backend implementing technology. Additionally, SecureSpan XML Gateways can also provide a monitoring layer to validate Quality of Service (QoS), and enforce service levels in real time.

Key Features
Identity and Message Level Security
Identity-based access to services and operations Manage security for crossdomain and B2B relationships Secure REST, WSDL and POX interfaces Prevent XML attack and intrusion Transactional Integrity Protection Integration with leading identity, access, SSO and federation systems from Oracle, Sun, Microsoft, CA, IBM Tivoli, Novell Enforce fine-grained entitlement decisions authored in an XACML PDP Credential chaining, credential remapping and support for federated identity Integrated SAML STS issuer featuring support for SAML 1.1/2.0 authentication, authorization and attribute based policies and Security Context Tokens Integrated PKI CA for automated deployment and management of client-side certificates, and integrated RA for external CAs STS support for WS-Trust and WS-Federation Selectively control access to interfaces down to an operation level Create on-the-fly composite WSDL views tailored to specific requestors Out of the box support for popular Cloud & SaaS interfaces from SFDC & Amazon Service look-up and publications using WSIL and UDDI Log message-level transaction information Spool log data to off-board data stores and management systems Configurable validation & filtering of HTTP headers, parameters and form data Detection of classified or dirty words or arbitrary signatures with subsequent scrubbing, rejection or redaction of messages Support for REST, AJAX, XML, SOAP, POX and other XML-based services Protect against XML parsing; XDoS and OS attacks; SQL and malicious scripting language injection attacks; external entity attacks Protection against XML content tampering and viruses in SOAP attachments DoD STIG vulnerability tested and assured Protect against identity spoofing and session hijacking cluster-wide Assure integrity of communication end-to-end Granular rate limiting and traffic shaping based on number of requests or service availability across a cluster Persist message counters across clusters so that rate limiting and traffic shaping can be strictly enforced in high availability configurations Prioritize XML traffic based on Class of Service/Quality of Service preferences Manage routing to back-end services based on availability or latency performance Configurable, out-of-the-box reports provide insight into SSG operations, service-level performance, and user experience

Audit transactions

Threat Protection
Filter XML content for SOA, Web 2.0 and Cloud

Traffic Management
Throttling Cluster-wide counters CoS for XML Service availability management

Reporting and analysis

Supported Standards
XML, JSON, SOAP, REST, PCI-DSS, AJAX, XPath, XSLT, WSDL, XML Schema, LDAP, SAML, XACML, OAuth, PKCS, X.509 Certificates, FIPS 140, Kerberos, W3C XML Signature, W3C XML Encryption, SSL/TLS, SNMP, SMTP, POP3, IMAP4, HTTP/HTTPS, JMS, MQ Series, Tibco EMS, FTP, WS-Security, WS-Trust, WS-Federation, WS-SecureExchange, WSAddressing, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment, WSIL, WS-I, WS-I BSP, UDDI, WSRR, MTOM, IPv6, WCF

To learn more about Layer 7 call us today at +1 800.681.9377 (toll free within North America) or +1.604.681.9377. You can also email us at info@layer7.com; friend us on facebook.com/layer7; visit us at layer7.com, or follow-us on twitter @layer7.

Copyright 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.