
Cisco ACE XML Gateways

Cisco Extensible Markup Language Threat Defenses Feature Brief

Cisco® ACE Application Control Engine Extensible Markup Language (XML) Gateways deliver a complete transactional and operational XML threat defense and an exceptionally secure architecture to defend against emergent zero-day threats.

Operational exploits include malicious or inadvertent access, sensitive information leakage, and policy modification. Transactional threats include identity exploits, transport exploits, denial-of-service (DoS) exploits, and content-based exploits. Cisco ACE XML Gateway with Cisco ACE XML Manager is the only solution with Rivest, Shamir, and Adleman (RSA) SecurID; Federal Information Processing Standards (FIPS) 140-2 Level 3 signed event, message, and administrative logs; and roles-based administration that delivers policy and reporting isolation.

Operational Exploits

Operational exploits are attacks in which insiders improperly access and modify the infrastructure or provisioning policies and thereby expose protected information. Cisco offers a comprehensive authentication, authorization, and accounting (AAA) implementation and outstanding capability to prevent and detect human error (Tables 1 and 2).

Table 1. Personnel Exploits

Exploit

Cisco Countermeasure

Unauthorized Access to System

• RSA SecurID
• FIPS 140-2 Level 3 keys for authentication and audit signatures
• RADIUS authentication
• Lightweight Directory Access Protocol (LDAP) and public key infrastructure (PKI) authentication
• Signed and stored administrative access logs

Invalid Authorization and Behavior

• Roles-based administration
• Policy segmentation and isolation to limit scope of control
• Report isolation
• Visual policy differencing
• One-click rollback
• Signed, tamper-evident event logs
• Signed, tamper-evident message audit logs
• Signed, tamper-evident policy audit logs
• All logs can be exported to various systems for use in evidentiary proceedings
• FIPS 140-2 Level 3 keys for audit signatures

Unauthorized Policy Modification and Human Error (ignorance, negligence, or malicious intent)

• Security policy assessment tools and warnings within security review model
• Policy coherence assessment tools and warnings
• Line-by-line visual policy differencing
• Line-by-line policy approval
• Multistage policy workflow
• Signed administrative and policy audit trail
• One-click policy rollback
• Unlimited historical policy rollback
• View of all transactions processed during the questionable policy's deployment

Table 2. Response Compliance Exploits

Exploit

Cisco Countermeasure

Information Leakage Through Simple Object Access Protocol (SOAP) Faults (stack traces and exception mapping), Letting an Attacker Identify Vulnerabilities

• Configurable error response by policy and stage (development gets more detail than production)
• Predefined SOAP faults for rapid identification of appropriate information availability

Privacy Compliance

• Stripping of private information from messages using regular expressions
• Signed message logs for audit
• Extensible Stylesheet Language (XSL) transformation
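The "stripping of private information from messages using regular expressions" countermeasure in Table 2 is easy to state and easy to get wrong: a bare digit-run pattern redacts order numbers and leaves the response useless, while a pattern that is too narrow misses separators. The following is an added example, not Cisco's code and not the ACE XML Gateway's own regular-expression engine; it shows one reasonable design, a candidate-then-confirm approach in which a loose pattern finds card-number candidates and a Luhn checksum confirms them before redaction. The SOAP response, the field names and the values in it are constructed test data.

```python
import re

# Constructed sample SOAP response; the values are test data, not real records.
SAMPLE_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <AccountLookupResponse>
      <Name>J. Doe</Name>
      <Card>4111 1111 1111 1111</Card>
      <OrderId>1234 5678 9012 3456</OrderId>
      <SSN>123-45-6789</SSN>
      <Email>j.doe@example.com</Email>
    </AccountLookupResponse>
  </soap:Body>
</soap:Envelope>"""

# Candidate primary account numbers: 13-19 digits, optionally separated by a
# single space or hyphen. Deliberately loose; the Luhn check below confirms.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US social security numbers in the common dashed form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; filters out order numbers and other
    digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str) -> tuple[str, dict]:
    """Return the message with private values replaced, plus a count of what
    was redacted (the count is what an audit log should record, not the value)."""
    counts = {"pan": 0, "ssn": 0, "email": 0}

    def card_sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number: leave the field untouched
        counts["pan"] += 1
        return f"[PAN ending {digits[-4:]}]"   # keep last four for support use

    def ssn_sub(m: re.Match) -> str:
        counts["ssn"] += 1
        return "[SSN REDACTED]"

    def email_sub(m: re.Match) -> str:
        counts["email"] += 1
        return "[EMAIL REDACTED]"

    out = CARD_RE.sub(card_sub, text)
    out = SSN_RE.sub(ssn_sub, out)
    out = EMAIL_RE.sub(email_sub, out)
    return out, counts


if __name__ == "__main__":
    redacted, summary = redact(SAMPLE_RESPONSE)
    print(redacted)
    print(summary)
```

Because redaction runs on the outbound response, the audit record should hold the counts returned here and a hash of the message rather than the stripped values themselves; otherwise the log becomes the leak the filter was meant to prevent.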

Transactional Exploits

The structure and use of XML make it easy to launch a wide range of known and evolving XML attacks. Cisco delivers an exceptionally broad defense against XML attacks and a highly sophisticated mechanism to securely update protection, as well as a zero-day threat prevention mechanism whereby Cisco identifies and denies any content that is not recognized and articulated in policy (Tables 3 through 6).

Table 3. Content-Based Exploits

Exploit

Cisco Countermeasure

Zero-day Threat Detection; Unknown XML-Oriented threats

For every SOAP request, assess, deconstruct, strip everything not understood, and construct a minimal WS-I-compliant message to send to the back-end service

Structured Query Language (SQL) Injection

• Deny by default
• Well-formed messages
• XML Schema validation
• XML Path Language (XPath) validation

Buffer Overflow

• Heuristic and configurable XML traffic monitoring
• Throttling and alerting
• Deny by default
• Well-formed messages
• XML Schema validation
• XPath validation

XML Viruses

• Deny by default
• Regular-expression screening
• Secure virus definition updating through signed definitions from Cisco
• Custom virus definition filtering on a per-service basis

Attachment Viruses

• Redirect to antivirus systems
• Optional on-appliance antivirus protection

Parameter Tampering

• XML Schema validation
• XML Signature validation
• Parameter validation

Schema Poisoning

• Schema redirects ignored; only schemas securely loaded to manager are trusted
• No run-time resolution of schema
• Validation of XML schemas upon upload

Inappropriate or Unacceptable Commands

• Deny by default
• Regular-expression screening
• Secure content filter updating
• Custom content filtering
• XSL transformations

Bad Web Services Description Language (WSDL)

• Configurable WSDL validation
• Detailed reports on refused WSDL

Table 4. Message Transport Exploits

Exploit

Cisco Countermeasure

Man-in-the-Middle

• Secure transport (one- and two-sided Secure Sockets Layer [SSL])
• Service obfuscation

Routing Detours

• Routing articulated in policy
• Deep message manipulation and logging of out-of-band routing instructions in message

Insecure Transport

• Web Services Security (WS-Security) standard for message security
• Support for Simple Mail Transfer Protocol (SMTP), Java Message Service (JMS), TIBCO solutions, IBM WebSphere MQ, and enterprise service buses (ESBs)

Table 5. XML DoS and Distributed DoS (DDoS) Exploits

Exploit

Cisco Countermeasure

Programmer Error; Open Loop

• Well-formed messages
• XML Schema validation
• XPath validation

Message Traffic Overload

• Heuristic and configurable XML traffic monitoring
• Throttling and alerting

Coercive Parsing

• Heuristic and configurable monitoring of processing required for messages from specific source or to specific service
• Well-formed messages
• XML Schema validation
• XPath validation

Recursive Payloads (entity expansion attacks)

• Deny by default
• XPath validation
• XML Schema validation
• Document referrals not trusted; only policy is trusted

Oversized Payloads

• Heuristic and configurable XML traffic monitoring
• Multimode message processing
• Content length validation
• Store and forward processing option
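Several rows in Tables 3 and 5 describe the same underlying control from different angles: "deny by default", "no run-time resolution of schema", "document referrals not trusted; only policy is trusted", and limits against coercive parsing, recursive payloads and oversized payloads. The following is an added example, not Cisco's code and not how the ACE XML Gateway is implemented; it shows what a deny-by-default pre-screen looks like when built on Python's expat bindings. Parsing is aborted from inside the callbacks before any entity is expanded or any external resource is referenced, and the size, nesting and element-count limits are assumed policy values chosen for the example. The sample messages are constructed, including the schemaLocation URL.

```python
from xml.parsers.expat import ExpatError, ParserCreate

# Policy limits: assumed values for this example, not product defaults.
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32
MAX_ELEMENTS = 10_000


class PolicyViolation(Exception):
    """Raised from inside an expat callback to abort parsing with a reason."""


def screen_xml(payload: bytes, max_bytes: int = MAX_BYTES,
               max_depth: int = MAX_DEPTH, max_elements: int = MAX_ELEMENTS) -> dict:
    """Deny-by-default pre-screen of one inbound XML message.

    Returns {'accepted': bool, 'reason': str, 'max_depth': int, 'elements': int}.
    Nothing is fetched from the network and no entity is ever expanded."""
    stats = {"depth": 0, "max_depth": 0, "elements": 0}

    def verdict(accepted: bool, reason: str) -> dict:
        return {"accepted": accepted, "reason": reason,
                "max_depth": stats["max_depth"], "elements": stats["elements"]}

    # Content-length validation happens before the parser sees a single byte.
    if len(payload) > max_bytes:
        return verdict(False, "oversized payload")

    def refuse(reason: str) -> None:
        raise PolicyViolation(reason)

    def start_element(name: str, attrs: dict) -> None:
        stats["elements"] += 1
        stats["depth"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > max_depth:          # coercive parsing: deep nesting
            refuse(f"nesting depth exceeds {max_depth}")
        if stats["elements"] > max_elements:    # coercive parsing: huge flat documents
            refuse(f"element count exceeds {max_elements}")
        # Schema hints carried in the message are not honoured: only the schema
        # loaded with the policy is trusted, so the hint is refused outright.
        for attr in attrs:
            if attr.lower().endswith("schemalocation"):
                refuse("schemaLocation hint in message not permitted")

    def end_element(name: str) -> None:
        stats["depth"] -= 1

    parser = ParserCreate()
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    # A DOCTYPE is the only place entities can be declared, so it is refused
    # before any declaration is processed; the next two handlers are belt and braces.
    parser.StartDoctypeDeclHandler = lambda *a: refuse("DOCTYPE declaration not permitted")
    parser.EntityDeclHandler = lambda *a: refuse("entity declaration not permitted")
    parser.ExternalEntityRefHandler = lambda *a: refuse("external entity reference not permitted")

    try:
        parser.Parse(payload, True)
    except PolicyViolation as e:
        return verdict(False, str(e))
    except ExpatError as e:                     # well-formedness check
        return verdict(False, f"malformed XML: {e}")
    return verdict(True, "accepted")


# Constructed sample messages for the demonstration.
CLEAN = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
         b'<soap:Body><GetQuote><Symbol>CSCO</Symbol></GetQuote></soap:Body></soap:Envelope>')
WITH_DOCTYPE = b'<!DOCTYPE x [<!ENTITY greeting "hello">]><x>&greeting;</x>'
DEEP = b"<a>" * 40 + b"</a>" * 40
SCHEMA_HINT = (b'<x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
               b'xsi:schemaLocation="urn:x http://example.invalid/x.xsd"/>')
UNBALANCED = b"<x><y></x>"

if __name__ == "__main__":
    for label, msg in [("clean", CLEAN), ("doctype", WITH_DOCTYPE), ("deep", DEEP),
                       ("schema hint", SCHEMA_HINT), ("unbalanced", UNBALANCED),
                       ("oversized", b"<x>" + b"a" * MAX_BYTES)]:
        print(f"{label:12s} -> {screen_xml(msg)}")
```

Schema validation against the policy's own schema would run after this gate accepts a message; the point of the gate is that the expensive and trust-sensitive steps (validation, XPath evaluation, back-end routing) never see a document that declares entities, asks for an external resource, or exceeds the configured size and shape limits.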

Table 6. Identity Exploits

Exploit

Cisco Countermeasure

Eavesdropping

• XML Encryption
• WS-Security standard

Request Authentication Attacks (identity theft scenario)

• Multilevel authentication tokens
• Drop-in integration with authentication systems
• Heuristic traffic monitoring
• Cisco AccessLink software development kit (SDK) for custom authentication mechanisms

Response Authentication Attack (service spoofing scenario)

• Service obfuscation
• Service virtualization
• Strong service authentication

Authorization Attacks (exploiting access-control vulnerabilities)

• Multilevel authentication tokens
• Drop-in integration with authentication systems
• Heuristic traffic monitoring

Replay Attacks

• SSL
• WS-Security time-stamp support
• Nonce check and hash check
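The replay-attack row above lists three controls that only work as a set: a timestamp bounds how long a captured message stays valid, a nonce cache catches a second delivery inside that window, and a hash check stops an attacker from pairing a fresh nonce with a captured body. The following is an added example, not Cisco's code and not the WS-Security digest formula; it shows how the three checks fit together and, in particular, why the accepted validity window and the nonce cache's retention time must be the same number. The keyed HMAC over nonce, Created timestamp and body is an assumed stand-in for the message signature or password digest a real deployment would carry, the shared secret and sample body are constructed, and the clock is injectable so the window logic can be exercised without waiting.

```python
import hashlib
import hmac
import time
from collections import OrderedDict


def message_digest(secret: bytes, nonce: bytes, created: float, body: bytes) -> str:
    """Keyed hash binding nonce and Created timestamp to the body. Assumed
    construction for this example; WS-Security carries an XML Signature or a
    UsernameToken password digest instead."""
    msg = nonce + repr(created).encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    def __init__(self, secret: bytes, clock_skew: float = 300.0, ttl: float = 300.0,
                 max_entries: int = 100_000, now=time.time):
        self.secret = secret
        self.clock_skew = clock_skew      # tolerated clock difference with the sender
        self.ttl = ttl                    # longest validity window we accept
        self.max_entries = max_entries
        self.now = now                    # injectable clock (seconds) for testing
        self._seen: "OrderedDict[bytes, float]" = OrderedDict()  # nonce -> forget-at time

    def _evict(self, t: float) -> None:
        # Entries are inserted with non-decreasing forget-at times, so every
        # expired entry sits at the front of the ordered dict.
        while self._seen and next(iter(self._seen.values())) <= t:
            self._seen.popitem(last=False)

    def check(self, created: float, expires: float, nonce: bytes,
              body: bytes, digest_hex: str) -> tuple[bool, str]:
        t = self.now()
        # 1. Timestamp checks (Created/Expires as in a WS-Security Timestamp).
        if created > t + self.clock_skew:
            return False, "created timestamp is in the future"
        if expires <= t:
            return False, "expires timestamp has passed"
        if expires > t + self.ttl:
            # Capping the window at ttl is what lets the nonce cache forget a nonce
            # after ttl seconds: by then the message's own Expires has passed and
            # a replay is rejected by the check above anyway.
            return False, "validity window longer than policy allows"
        # 2. Hash check: the digest must bind this nonce and timestamp to this body.
        expected = message_digest(self.secret, nonce, created, body)
        if not hmac.compare_digest(expected, digest_hex):
            return False, "digest mismatch"
        # 3. Nonce check, failing closed when the cache is full rather than
        #    evicting live entries that a replay could then slip past.
        self._evict(t)
        if nonce in self._seen:
            return False, "nonce already seen: replay"
        if len(self._seen) >= self.max_entries:
            return False, "nonce cache full"
        self._seen[nonce] = t + self.ttl
        return True, "accepted"


if __name__ == "__main__":
    # Constructed demonstration: a shared secret, one request body, a fixed clock.
    secret = b"constructed-shared-secret"
    clock = [1000.0]
    guard = ReplayGuard(secret, clock_skew=60.0, ttl=300.0, now=lambda: clock[0])
    body = b"<Body><Transfer amount='100'/></Body>"
    digest = message_digest(secret, b"nonce-1", 990.0, body)
    print(guard.check(990.0, 1290.0, b"nonce-1", body, digest))   # first delivery
    print(guard.check(990.0, 1290.0, b"nonce-1", body, digest))   # same message again
    clock[0] = 1400.0
    print(guard.check(990.0, 1290.0, b"nonce-2", body,
                      message_digest(secret, b"nonce-2", 990.0, body)))  # expired
```

The order of the checks matters for cost as much as correctness: timestamp comparisons are free, the keyed hash costs a little CPU, and the nonce lookup touches shared state, so a flood of stale or unsigned replays is rejected before it reaches the cache. The same ordering also means the nonce cache is never populated by messages that failed the hash check, which keeps an unauthenticated sender from filling it.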

XML Threat Index

The range of XML threats is continuously expanding as more packaged applications expose interfaces deep into systems, unanticipated reuse of exposed services increases, and more XML transits networks. Table 7 lists common attacks; the list is representative, not comprehensive, of the types of concerns that Cisco ACE XML Gateways detect and prevent.

Table 7. Summary of Common Threats

Exploits

XML Threats

Personnel Attacks

• Repeated authentication failures
• Unauthorized system access
• Unauthorized policy authoring
• Event tampering (historical)
• Message tampering (historical)

Response Compliance Attacks

• Exposed credit card numbers
• Exposed social security numbers
• Exposed patient information
• Exposed account information
• Exposed e-mail addresses

Content-Based Exploits

• SQL command injection
• SQL 2000 threats
• SQL table operations
• Embedded HTML scripts
• Buffer overflow
• XML virus
• Entity expansion
• Oracle database attacks
• Parameter tampering
• Schema poisoning
• Invalid data types
• Invalid data ranges
• Non-XML virus
• Malformed XML
• Malformed SOAP
• Bad WSDL

Message Transport Exploits

• Man-in-the-middle attack
• Insecure transport
• Routing detours

XML DoS (XDoS) and Distributed DoS (DDoS) Exploits

• Message traffic overload
• Large message overload
• Oversized incoming attachments
• High CPU consumption per message
• Service error rate
• High service latency overload
• Repeated authentication attempts
• Open loop programming errors
• Coercive parsing
• Recursive payloads
• Internal error condition (rate)
• Oversized service payload or message
• High average service message size

Identity Exploits

• Identity thefts
• Identity-based abuses or overuse
• Eavesdropping
• Replay attacks
• Service spoofing