
US Intelligence Community

Secure Information Sharing with Layer 7 Oracle Service Bus Appliance


The US federal government is one of the largest and most complex organizations on the planet. By extension, the US Intelligence Community is one of the most complex information gathering, processing and disseminating organizations in the world. By augmenting the power of the US's military forces, the intelligence community has enabled the US to more effectively project the presence of the only conventional super power left on the globe. But in the post-9/11 world of nonconventional forces, that's not enough. September 11, 2001 brought intelligence sharing to the forefront. The sheer scale and complexity of the US military forces presents potential weaknesses that terrorists can take advantage of, so in an effort to coordinate against potential threats, the US government formed the position of the Director of National Intelligence. As publicly stated by Bob Jordan, head of the FBI's Information Sharing Task Force, "Our missions and priorities are being redefined to better reflect the post-9/11 realities ... A substantial component of this approach is information sharing, not only at the federal level but also within the entire law enforcement and intelligence communities." [1]

ESBs in the DMZ


The US Intelligence Community has always operated as siloed repositories of information. Post-9/11, those silos had to come down. Sharing information between agencies would require a SOA-based approach to mediate between disparate systems: an ESB. But to meet federal guidelines, those ESBs would need to be secured in the DMZ. Layer 7 OSB Appliance provided the perfect congruence of a government-approved security vendor + a SOA integration solution in a security-hardened appliance.

Goal: Cross Domain Information Sharing


Each organization within the intelligence community has a number of intelligence sharing services that have long been made available within and across their own organization. To open these services to other entities of the greater intelligence sharing community means interconnecting disparate systems that were never created to be interoperable across organizational or jurisdictional boundaries. And that, of course, means opening them up to potential intrusion by third parties. Selectively exposing information services to partners while locking them down to others is a problem familiar to many commercial organizations, but on a vastly more complex scale than securing a supply chain, for example. So the US government turned to the experts. The federal Systems Integrator (SI) community is both wide and deep, encompassing a range of experienced organizations like Booz Allen Hamilton, Raytheon, General Dynamics, Lockheed Martin, SAIC, and a host of others that have been a key part of building the federal government's electronic infrastructure for decades.

"We have a lot of technology, but a lot of it is still point solutions focused on just one of those problems, not at the integration in an enterprise or at a national security level. We have a lot of crypto devices, firewalls, identity and access management, including biometrics, smart cards and audit software to see what is going on in the network. My real concern is the integration of that technology." [2]
- Natalie Givans, Vice President, Booz Allen Hamilton.

Problem: Securing ESBs in the DMZ


The US Intelligence Community information sharing project required the implementation of a rapidly deployable, highly secure, perimeter-based solution for delivery of services protected within a high security enclave. Given the wide range of services provided by the intelligence community, as well as the diverse systems (both modern and legacy) on which those services depended, the solution initially required support for a variety of protocols and transports (including secure FTP, email, HTTP/S and JMS), while subsequent phases of the project would require the flexibility to expand support to include non-standard means. For this reason, a SOA integration solution like Oracle Service Bus (OSB) would need to be central to the solution in order to provide the messaging and connectivity support required. However, sharing siloed information securely across organizational boundaries means securing the DMZ, an area in which OSB is not traditionally deployed.

Solution: Layer 7 Oracle Service Bus Appliance Proves Key


Organizations that try to leverage middleware products within a DMZ often face significant resistance from their information assurance and operations departments due to the cost and risks associated with testing and certifying the solution. As a result, usually only pre-approved devices like routers, firewalls and web servers are allowed in the DMZ. A SOA environment exposing messaging and application-specific operations within the application enclave poses a security risk by potentially allowing forged/malicious requests from beyond the enterprise perimeter into the depths of the organization's most vulnerable computing resources.

The Layer 7 Oracle Service Bus Appliance (L7 OSB Appliance) from Layer 7 Technologies and Oracle offers the perfect congruence of a government-approved security vendor and a market-leading ESB in a security-hardened appliance format, creating a DMZ-ready SOA development platform. As a pre-integrated solution delivered in an appliance form factor, the customer's SI was able to quickly install L7 OSB Appliance in the rack; connect power and network cables; assign an IP address, and make the platform quickly available for use.

The L7 OSB Appliance provides acceleration of CPU-intensive operations like message parsing, data validation and XML transformation, while the integral Layer 7 XML Firewall provides DMZ-class threat protection, advanced identity integration and message-level security capabilities to address the broadest range of external threats. By performing these tasks in a hardware appliance, L7 OSB Appliance ensures latency is reduced, applications aren't overloaded and service endpoints can offload computationally intensive operations to hardware. The OSB's wide range of out-of-the-box adapters and ability to translate any-to-any transport/protocol meant the solution would be able to connect to the diversity of legacy services offered by the Intelligence Community today, while retaining the flexibility to support future transports.

Due to the security requirements of the US national computing infrastructure, L7 OSB Appliance is configured to address Denial of Service (DoS), attached viruses and code injection attacks, as well as ensure message-level integrity and confidentiality. The L7 OSB Appliance also provides runtime control over federated authentication/authorization of external agencies and partners who seek connectivity to the composite application/messaging capabilities provided by the solution.

[1] http://www.fbi.gov/congress/congress02/jordan041702.htm
[2] http://gcn.com/articles/2008/04/24/natalie-givans--security-gets-into-the-mix.aspx

The Results
Given that this project was awarded as a firm, fixed price contract, the SI was forced to do more with less. In this scenario the L7 OSB Appliance was a game changer, providing the means to profitably deliver the project by leveraging an out-of-the-box SOA platform in order to build out a solution much quicker than any alternatives. As a pre-integrated SOA development platform, L7 OSB Appliance provided the SI with a significant head start on the project by reducing installation, deployment and configuration work. Additionally, they were able to take advantage of the pre-existing appliance lockdowns, making certification and accreditation much simpler. As a result, L7 OSB Appliance dramatically decreased total cost of implementation and time to market, while improving business agility through the OSB's connectivity adapters and split/join orchestration capabilities.

Copyright 2011 Layer 7 Technologies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are trademarks of Layer 7 Technologies Inc. All other trademarks and copyrights are the property of their respective owners.
