MikeShaw's WebLog

Developer Security and other stuff

XML Firewall and more

On 27th July, I was invited to a meeting at the Microsoft Thames Valley Park Campus with Vic Morris, CEO, Mark O’Neill, CTO and Stephen Byrne, SE of Vordel.  I was impressed by what they had to say, not only in the capabilities of their existing products, but also in the maturity of their thoughts and planning behind it.  Far too few companies in the XML Web Services Firewall space have the same breadth of thought.


Vordel SOAPbox is a free download from Vordel that is a good tool for debugging Web Service security traffic.  It lets you configure some HTTP header parameters as well as more advanced things such as configuring and sending SAML in a signed SOAP message over SSL.  I thought it was quite cool for a free tool anyway.  Find it at http://www.vordel.com/soapbox/index.html


VordelSecure is their XML Gateway or Firewall product and VordelDirector is their centralised Web Services product, offering federation and integration with identity management.  They have some way to go to fully integrate with the whole Microsoft product suite, MOM, MIIS, ISA etc, but they do manage to offer a set of sophisticated products with solutions to some of the complex security issues that arise when implementing a Service-Oriented Architecture.


I’m sure that I’ll come across Vordel quite a lot in the future, but I’d be interested to hear any feedback anyone has from using their products or from anyone actively working in the XML Firewall space in the UK.  I get a lot of questions about XML and Firewalls…

Comments

Sean Gephardt said:

Very cool!
# August 16, 2004 3:56 PM

pak76 said:

I worked with Vordel in the past and I couldn't understand certain, I would say, architectural decisions. I haven't heard from them for a while, so maybe they have changed them already.

You touched on SOAPbox. I used it (as well as a number of different products) and it is good for debugging, but there is no real tool to do proper security testing of web services. Something that would discover and try to penetrate using multiple scenarios. And then I would use something like SOAPbox (or other tools, some of which I wrote) to do manual testing.

To be honest I think that XML FW vendors have a very hard task.
1. There are multiple web services security standards
2. There are multiple standards' versions (so for example WSE 1.0 is not compatible with 2.0)
3. There are plenty of drafts (and I need WS-Trust pretty soon)
4. There are multiple security architectures you can implement on top of it (SAML/XML Signature/...)

And they have to implement all of them to satisfy their customers, while business is still hesitating (save exceptions such as Amazon, but it is just for product browsing, not transactional) if it is the right direction...
From the security perspective I start to support this view. Web services become, in my opinion, too complicated. They lack simplicity; therefore they are not giving me assurance that they are secure - example: recently, using an on-line XML Signature verifier, I could retrieve any file on the remote system, and new standards, such as XPath 2.0, will be even more powerful. On the other hand, recently reported weaknesses in hash functions will impact the key security element of web services - XML Signature. It will force us to immediately shift our web services to support better algorithms, such as SHA-512, but which products/vendors support it? So maybe it is better to wait a while...
I haven't touched things such as XSLT and/or XPath and/or ... and their consequences on security.

But back to XML Firewalls. I investigated several XML FWs and the abundance of solutions means that it is not possible to find one vendor that will suit everyone. Vendors implement a certain set of protocols they think is appropriate, and that's it. Moreover, make sure that they interpreted given standards as you did. One and the same excerpt can be interpreted in at least several different ways...

If you are talking to them, make sure that you know your requirements. Don't expect that they will support your specific requirements of the box (if they do you are really lucky). If they don't support your scenario, influence their roadmap, but keep to the standards - it is the best way to convince them that they need it and it gives you the option to replace this solution with another one in the future.

Companies behind XML FW are young ones. Their viability is still under question. This market will grow, but will the current players survive?
Currently their focus is on their product, and sometimes they don't pay attention to the package, so make sure that you cover basic things such as appliance hardening, secure communication, scalability, failover, performance, ...

Within my organization we will possibly end up with a layered approach with solutions from two vendors (once I prove somehow that they are doing their job - another problem: how to test XML FWs?), which is always advisable from a security perspective. None of the vendors supported my requirements, but I managed to influence one to support requirements for one layer and now I'm trying to influence another.

Cheers

pak


# August 19, 2004 4:15 AM
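The file read that pak76 mentions is the kind of thing an XML gateway is there to stop before a message ever reaches a signature verifier: the verifier is the component that dereferences `ds:Reference/@URI`, expands DTD entities and runs XSLT/XPath transforms on the sender's say-so. As an added example (not part of the original post, and neither pak76's nor Vordel's code), here is a minimal policy screen of the kind a gateway applies in front of the verifier. The namespace and algorithm URIs are the real ones from SOAP 1.1, WS-Security 1.0 and XML Signature; the allow-lists, the sample envelope and the `GetQuote`/`VRDL` body are assumptions made for the example. It does no cryptography itself: it only decides whether the message is safe to hand to a verifier at all.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Algorithm identifiers from the XML Signature / XML Encryption specs.
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
XSLT = "http://www.w3.org/TR/1999/REC-xslt-19991116"
SHA1 = "http://www.w3.org/2000/09/xmldsig#sha1"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"
SHA512 = "http://www.w3.org/2001/04/xmlenc#sha512"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"

# Gateway policy: assumed for this example, not any vendor's defaults.
ALLOWED_TRANSFORMS = {EXC_C14N, ENVELOPED}
ALLOWED_DIGESTS = {SHA256, SHA512}
ALLOWED_SIGNATURE_METHODS = {RSA_SHA256, RSA_SHA512}


def screen(envelope_xml):
    """Return the list of policy violations for one SOAP envelope.

    An empty list means the message may be handed to the real signature
    verifier; this function does no cryptography itself."""
    # A DTD is what carries external entities (the file:// read); a gateway
    # that never needs one can refuse it before any parser runs.
    if "<!DOCTYPE" in envelope_xml:
        return ["DTD present; entities are not accepted"]
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]

    sig = root.find("soap:Header/wsse:Security/ds:Signature", NS)
    if sig is None:
        return ["no ds:Signature in the WS-Security header"]

    problems = []
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    if alg not in ALLOWED_SIGNATURE_METHODS:
        problems.append("SignatureMethod not allowed: %s" % alg)

    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        # Anything but "" or "#id" makes the verifier fetch a location the
        # sender chose (file://, http://) and hash whatever it finds there.
        if uri and not uri.startswith("#"):
            problems.append("Reference URI is not same-document: %s" % uri)
        for tr in ref.findall("ds:Transforms/ds:Transform", NS):
            alg = tr.get("Algorithm")
            # XSLT and XPath transforms execute sender-supplied programs
            # inside the verifier; only canonicalisation is accepted.
            if alg not in ALLOWED_TRANSFORMS:
                problems.append("Transform not allowed: %s" % alg)
        digest = ref.find("ds:DigestMethod", NS)
        alg = digest.get("Algorithm") if digest is not None else None
        if alg not in ALLOWED_DIGESTS:
            problems.append("DigestMethod not allowed: %s" % alg)
    return problems


# Constructed sample envelope (not a captured message); the signature and
# digest values are placeholders because the screen never checks them.
TEMPLATE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <soap:Header><wsse:Security><ds:Signature><ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="{method}"/>
  <ds:Reference URI="{uri}">
   <ds:Transforms><ds:Transform Algorithm="{transform}"/></ds:Transforms>
   <ds:DigestMethod Algorithm="{digest}"/>
   <ds:DigestValue>AAAA</ds:DigestValue>
  </ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>
 </ds:Signature></wsse:Security></soap:Header>
 <soap:Body wsu:Id="body"><GetQuote>VRDL</GetQuote></soap:Body>
</soap:Envelope>"""


def envelope(uri, transform, digest, method=RSA_SHA256):
    return TEMPLATE.format(uri=uri, transform=transform, digest=digest, method=method)


GOOD = envelope("#body", EXC_C14N, SHA256)
# One reference that points the verifier at a file, runs XSLT on it and
# hashes it with SHA-1: three independent policy violations.
BAD = envelope("file:///etc/passwd", XSLT, SHA1)
DTD = "<!DOCTYPE x [<!ENTITY e SYSTEM 'file:///etc/passwd'>]><x>&e;</x>"

if __name__ == "__main__":
    for name, msg in (("good", GOOD), ("bad", BAD), ("dtd", DTD)):
        print(name, screen(msg) or "accepted")
```

The screen is deliberately an allow-list: everything a verifier could be talked into doing on the sender's behalf (fetching a URI, expanding an entity, running a transform, using a digest the operator no longer trusts) has to be named explicitly before it is permitted, which is also what makes it easy to swap SHA-1 out for the SHA-2 family when that day comes.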

JJ said:

You may also want to take a look at the original Network World "An XML Firewall and more" article.

http://www.nwfusion.com/newsletters/web/2004/0315web2.html

XML firewall and the broader web services security space is maturing nicely. Vordel, Forum and DataPower are the vendors that have been out there the longest.
# August 19, 2004 8:24 AM