My blog has moved and can now be found at

No action is needed on your part if you are already subscribed to this blog via e-mail or its syndication feed.

Friday, March 23, 2007
« Microsoft MVP Summit 2007 Recap | Main | WS-I is not a standards organization »

Patterns are your friends. Patterns keep you from having to reinvent the wheel and it allows you to leverage best practices. Patterns provide a common vocabulary that can be used to share information between folks who often come from different backgrounds. I like patterns!

I was one of the external reviewers for the PAG book on Web Service Security Patterns, so using a pattern based approach is something that I am very much following as part of the design and deployment of a SOA runtime infrastructure. 

Yesterday, a colleague and I were discussing one of the design decisions we made in configuring our environment to enable access for external applications and services to web services within our private network. The enjoyable part of the conversation for me was in using a pattern as a common mechanism of communication to discuss the rationale for the decision, given that our backgrounds are a bit different (He comes from the Network/Comms background and I from the AppDev side).

In particular, the pattern that we used in this instance is the Perimeter Service Router Pattern. Here is a bit of detail on the pattern (follow the link for complete info):


External applications require access to one or more Web services that are deployed within a private network. Access to the Web services and resources in the private network is restricted to authenticated users. External applications should not have access to resources used by the Web services in the private network.


How do you make Web services in a private network available to external applications without exposing resources in the private network?


Any of the following conditions justifies using the solution described in this pattern: 

  • Internal Web services and dependent resources may be targeted by attackers who are external to the network. The organization must protect Web services on the internal network, so that any attacks do not affect the internal Web services or dependent resources.
  • Attackers can gain information about the internal network, and use it to compromise the network. The organization must not reveal information about the internal network infrastructure that can be useful to attackers.

The following condition is an additional reason to use the solution:

  • External clients need reliable access to fixed service endpoints. The location of a Web service's internal implementation may need to change dynamically to cater for the availability of dependent resources, or to cater for maintenance and batch processing windows. External clients should be unaffected by these changes.


Design a Web service intermediary that acts as a perimeter service router. The perimeter service router provides an external interface on the perimeter network for internal Web services. It accepts messages from external applications and routes them to the appropriate Web service on the private network.

The realization of this pattern for us was NOT in software but in hardware. We used a XML Security Gateway as the realization of the Perimeter Service Router pattern.

3/23/2007 5:49 PM Eastern Standard Time  |  Comments [0]  |  Disclaimer  |  Permalink   
Comments are closed.