Solution Overview
All contents are Copyright © 1992–2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 3 of 5
Terminating SSL on the Cisco ACE XML Gateway
In this scenario, shown in Figure 2, the web services clients generate an SSL request to the virtual IP address (VIP) exposed on the Cisco ACE Application Switch (connection 1). After defending against attacks at the TCP/IP layer in the request, the Cisco ACE Application Switch makes a load-balancing decision about which Cisco ACE XML Gateway to forward the request to, on the basis of your configured policy and the state of the individual Cisco ACE XML Gateways (connection 2). Because this forwarding occurs at Layer 4, the SSL session is not terminated on the switch, and the Cisco ACE XML Gateway has full access to the SSL client certificate. This allows the XML Gateway to perform strong authentication of the client, first by validating that the certificate was signed by a trusted certificate authority, and then by querying an identity store such as Lightweight Directory Access Protocol (LDAP) to authorize that client’s access to the requested services.
Figure 2. Scenario 1: Terminating SSL on the Cisco ACE XML Gateway
Because web services applications often involve repeated messages between consumers and providers, SSL must be optimized to take advantage of session reuse, allowing the consumer to send a new request to the application without the need for a full SSL connection negotiation. The Cisco ACE Application Switch monitors the session identifiers negotiated between the service consumer and the Cisco ACE XML Gateway and ensures that repeated SSL connections with the same session identifier are always directed to the same Cisco ACE XML Gateway.
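The Layer 4 forwarding decision described above and the SSL session-ID stickiness in this paragraph can be modelled together. The following Python is an added illustration, not Cisco ACE code or configuration: the class name, the gateway names, the 300-second entry lifetime and the deterministic clock are all assumptions. The balancer never terminates SSL; it only reads the session ID a client offers in its ClientHello and the one the chosen gateway returns in its ServerHello, pins that ID to the gateway, and falls back to an ordinary round-robin decision among healthy gateways when the ID is unknown, expired, or pinned to a gateway that is now down (the gateway then simply runs a full handshake).

```python
import time
from typing import Callable, Dict, Iterable, Optional, Tuple


class NoHealthyGateway(RuntimeError):
    """Raised when every configured gateway is marked down."""


class StickyBalancer:
    """Model of a Layer 4 load balancer that pins SSL session IDs to gateways."""

    def __init__(self, gateways: Iterable[str], ttl_seconds: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.health: Dict[str, bool] = {gw: True for gw in gateways}
        # session_id -> (gateway, expiry timestamp)
        self.sticky: Dict[bytes, Tuple[str, float]] = {}
        self.ttl = ttl_seconds
        self.clock = clock
        self._rr = 0  # round-robin cursor over the healthy set

    def set_health(self, gateway: str, healthy: bool) -> None:
        """Health-probe result; a gateway marked down receives no new connections."""
        self.health[gateway] = healthy

    def _round_robin(self) -> str:
        healthy = [gw for gw, ok in self.health.items() if ok]
        if not healthy:
            raise NoHealthyGateway("all gateways are down")
        gateway = healthy[self._rr % len(healthy)]
        self._rr += 1
        return gateway

    def forward(self, offered_session_id: Optional[bytes]) -> str:
        """Choose the gateway for a new TCP connection.

        offered_session_id is the value from the ClientHello (None or empty
        for a brand-new session). A known, unexpired ID whose gateway is
        healthy is pinned; anything else gets a fresh load-balancing decision.
        """
        now = self.clock()
        if offered_session_id:
            entry = self.sticky.get(offered_session_id)
            if entry is not None:
                gateway, expires_at = entry
                if expires_at > now and self.health.get(gateway, False):
                    # Refresh the entry so long-lived consumers stay pinned.
                    self.sticky[offered_session_id] = (gateway, now + self.ttl)
                    return gateway
                del self.sticky[offered_session_id]  # stale or gateway down
        return self._round_robin()

    def learn(self, negotiated_session_id: bytes, gateway: str) -> None:
        """Record the session ID carried in the gateway's ServerHello."""
        if negotiated_session_id:
            self.sticky[negotiated_session_id] = (gateway, self.clock() + self.ttl)

    def expire(self) -> int:
        """Drop stale entries; returns how many were removed."""
        now = self.clock()
        stale = [sid for sid, (_, exp) in self.sticky.items() if exp <= now]
        for sid in stale:
            del self.sticky[sid]
        return len(stale)


class FakeClock:
    """Deterministic clock for the demo (constructed, not real time)."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def stickiness_demo() -> list:
    """Four connections against two hypothetical gateways; returns the trace."""
    clock = FakeClock()
    lb = StickyBalancer(["xmlgw-1", "xmlgw-2"], ttl_seconds=300, clock=clock)
    session_id = b"\x01" * 32  # constructed 32-byte SSL session ID
    trace = []
    first = lb.forward(None)             # new session: round-robin -> xmlgw-1
    lb.learn(session_id, first)          # ServerHello from xmlgw-1 carries the ID
    trace.append(first)
    trace.append(lb.forward(None))       # another new session -> xmlgw-2
    trace.append(lb.forward(session_id))  # resumption -> pinned to xmlgw-1
    lb.set_health("xmlgw-1", False)
    trace.append(lb.forward(session_id))  # pinned gateway down -> xmlgw-2
    return trace


if __name__ == "__main__":
    print(stickiness_demo())
```

The fallback path matters operationally: when a pinned gateway fails, the consumer's next connection lands elsewhere and pays for one full handshake, which is the correct trade-off against sending traffic to a dead node.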
The Cisco ACE XML Gateway also performs threat defense on the incoming request, looking for attacks at the SOAP layer that are opaque to most network devices. These attacks include general application attacks such as Structured Query Language (SQL) injection and buffer overflow as well as XML-based attacks such as entity expansion and overly recursive documents. Because the Cisco ACE XML Gateway understands XML natively, it can thwart attempts to use entity encoding or packet fragmentation to bypass threat defense.
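What "understanding XML natively" buys a defender can be shown with a small streaming inspector. The Python below is an added example and not the gateway's own implementation; the limits (depth 32, 10,000 elements, 1 MB), the class and sample names, and the `AccountId` allowlist rule are assumptions, and the SOAP messages are constructed. It rejects a DOCTYPE outright (SOAP 1.1 and SOAP 1.2 both forbid one in the envelope, so no entity can ever be declared or expanded), aborts at the first element that exceeds the nesting or count limit, and validates field contents only after the parser has decoded character references, so writing `&#x27;` instead of `'` does not slip past the check.

```python
import re
import xml.parsers.expat
from typing import Dict, List, Pattern


class XmlThreatError(ValueError):
    """Raised when a message violates a structural limit before it is processed."""


class SoapInspector:
    """Streaming structural checks over an inbound SOAP message.

    Limits are enforced inside expat callbacks, so an abusive document is
    rejected at the first offending token rather than after being fully built.
    """

    def __init__(self, max_depth: int = 32, max_elements: int = 10_000,
                 max_bytes: int = 1_000_000) -> None:
        self.max_depth = max_depth
        self.max_elements = max_elements
        self.max_bytes = max_bytes

    # expat callbacks
    def _doctype(self, name, system_id, public_id, has_internal_subset):
        # Called when <!DOCTYPE is seen, before any internal subset is read.
        raise XmlThreatError("DOCTYPE not permitted in SOAP message")

    def _entity(self, name, is_parameter, value, base, system_id, public_id, notation):
        raise XmlThreatError(f"entity declaration {name!r} not permitted")

    def _start(self, name, attrs):
        self._elements += 1
        if self._elements > self.max_elements:
            raise XmlThreatError("too many elements")
        self._stack.append(name.split(":")[-1])  # local name without prefix
        self._max_depth = max(self._max_depth, len(self._stack))
        if len(self._stack) > self.max_depth:
            raise XmlThreatError(f"nesting deeper than {self.max_depth}")

    def _end(self, name):
        self._stack.pop()

    def _chars(self, data):
        # expat delivers decoded text, so &#x27; and a literal quote look the same.
        if not self._stack:
            return
        current = self._stack[-1]
        self._text[current] = self._text.get(current, "") + data

    def inspect(self, raw: bytes) -> dict:
        """Parse raw bytes under the limits; returns depth, count and decoded text."""
        if len(raw) > self.max_bytes:
            raise XmlThreatError("message exceeds size limit")
        self._stack: List[str] = []
        self._text: Dict[str, str] = {}
        self._elements = 0
        self._max_depth = 0
        parser = xml.parsers.expat.ParserCreate()
        parser.buffer_text = True
        parser.StartDoctypeDeclHandler = self._doctype
        parser.EntityDeclHandler = self._entity
        parser.StartElementHandler = self._start
        parser.EndElementHandler = self._end
        parser.CharacterDataHandler = self._chars
        try:
            parser.Parse(raw, True)
        except xml.parsers.expat.ExpatError as exc:
            raise XmlThreatError(f"malformed XML: {exc}") from exc
        return {"max_depth": self._max_depth, "elements": self._elements,
                "text": dict(self._text)}


def validate_fields(text: Dict[str, str], rules: Dict[str, Pattern[str]]) -> List[str]:
    """Return the names of fields whose decoded content fails its allowlist."""
    return [field for field, pattern in rules.items()
            if field in text and not pattern.fullmatch(text[field])]


# Constructed samples; the namespace URI is the standard SOAP 1.1 envelope namespace.
ENVELOPE = (b'<?xml version="1.0"?>'
            b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            b'<soap:Body><GetBalance><AccountId>%s</AccountId></GetBalance>'
            b'</soap:Body></soap:Envelope>')
BENIGN = ENVELOPE % b"&#x31;0042"          # character reference decodes to "10042"
ENCODED_QUOTE = ENVELOPE % b"10&#x27;042"  # decodes to "10'042", which the rule rejects
WITH_DOCTYPE = (b'<?xml version="1.0"?><!DOCTYPE e [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;">]>'
                b'<e>&b;</e>')             # tiny nested entity; refused before expansion
DEEP = b"<a>" * 100 + b"x" + b"</a>" * 100  # 100 levels, over the depth limit
RULES = {"AccountId": re.compile(r"\d{1,12}")}  # hypothetical allowlist


def inspect_demo() -> Dict[str, str]:
    inspector = SoapInspector()
    results = {}
    for label, sample in [("benign", BENIGN), ("encoded_quote", ENCODED_QUOTE),
                          ("doctype", WITH_DOCTYPE), ("deep", DEEP)]:
        try:
            report = inspector.inspect(sample)
        except XmlThreatError as exc:
            results[label] = f"rejected: {exc}"
            continue
        bad = validate_fields(report["text"], RULES)
        results[label] = "accepted" if not bad else f"field violation: {bad}"
    return results


if __name__ == "__main__":
    for label, outcome in inspect_demo().items():
        print(f"{label:14s} {outcome}")
```

Because every decision is made on parsed tokens rather than on raw bytes, the same logic is unaffected by how the TCP segments happened to split the message, which is the point the paragraph makes about packet fragmentation.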
After authenticating the client and determining that the message is not malicious, the Cisco ACE XML Gateway initiates a new connection to a second VIP exposed on the Cisco ACE Application Switch that faces the web service providers (connection 3). Because the Cisco ACE XML Gateway acts as a full proxy, it can perform HTTP multiplexing, handling simultaneous requests from hundreds or thousands of web services consumers and limiting the connection load on individual web service providers. It can also throttle the number of messages sent to each provider, protecting them from out-of-memory and overload conditions.
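The two protections in this paragraph, a bounded number of simultaneous requests per provider and a cap on message rate, are the admission-control decision a full proxy makes before opening or reusing a back-end connection. The Python below is an added example, not Cisco ACE code: the class name, the provider names and the limits (two in flight, one message per second, burst of three) are assumptions. Each provider gets an in-flight counter and a token bucket; a message is forwarded only when both allow it, and a slot is released when the provider's response has been relayed.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class ProviderState:
    in_flight: int = 0       # requests currently outstanding to this provider
    tokens: float = 0.0      # token bucket for message rate
    last_refill: float = 0.0


class ProviderThrottle:
    """Per-provider admission control in front of web service providers.

    Two independent limits: a cap on simultaneous requests (so multiplexing
    keeps the provider's load bounded) and a token bucket on message rate.
    """

    def __init__(self, max_in_flight: int, rate_per_second: float, burst: int) -> None:
        self.max_in_flight = max_in_flight
        self.rate = rate_per_second
        self.burst = burst
        self._state: Dict[str, ProviderState] = {}

    def _get(self, provider: str, now: float) -> ProviderState:
        st = self._state.get(provider)
        if st is None:
            st = ProviderState(tokens=float(self.burst), last_refill=now)
            self._state[provider] = st
        elapsed = max(0.0, now - st.last_refill)
        st.tokens = min(float(self.burst), st.tokens + elapsed * self.rate)
        st.last_refill = now
        return st

    def admit(self, provider: str, now: float) -> bool:
        """Reserve a slot and a token; False means queue or reject the message."""
        st = self._get(provider, now)
        if st.in_flight >= self.max_in_flight or st.tokens < 1.0:
            return False
        st.tokens -= 1.0
        st.in_flight += 1
        return True

    def complete(self, provider: str) -> None:
        """Release the slot once the provider's response has been relayed."""
        st = self._state[provider]
        st.in_flight = max(0, st.in_flight - 1)

    def in_flight(self, provider: str) -> int:
        return self._state[provider].in_flight if provider in self._state else 0


def throttle_demo() -> Dict[str, bool]:
    """Walk one hypothetical provider through both limits; times are constructed."""
    t = ProviderThrottle(max_in_flight=2, rate_per_second=1.0, burst=3)
    out = {}
    out["a"] = t.admit("billing", 0.0)   # True: tokens 3->2, in flight 1
    out["b"] = t.admit("billing", 0.0)   # True: tokens 2->1, in flight 2
    out["c"] = t.admit("billing", 0.0)   # False: concurrency cap reached
    t.complete("billing")
    out["d"] = t.admit("billing", 0.0)   # True: tokens 1->0, in flight 2
    t.complete("billing")
    t.complete("billing")
    out["e"] = t.admit("billing", 0.0)   # False: bucket empty, rate limit holds
    out["f"] = t.admit("billing", 2.0)   # True: two tokens refilled over 2 s
    out["other"] = t.admit("ledger", 2.0)  # True: limits are per provider
    return out


if __name__ == "__main__":
    print(throttle_demo())
```

Returning False rather than raising lets the caller decide whether to queue the message briefly or answer the consumer with a fault; either way the provider never sees more than the configured load.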