<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://weblogs.asp.net/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>XML Firewall and more</title><link>http://weblogs.asp.net/mikeshaw/archive/2004/08/16/215113.aspx</link><description>On 27th July, I was invited to a meeting at the Microsoft Thames Valley Park Campus with Vic Morris, CEO, Mark O’Neill, CTO and Stephen Byrne, SE of Vordel. I was impressed by what they had to say, not only in the capabilities of their existing products</description><dc:language>en</dc:language><generator>CommunityServer 2007 SP1 (Build: 20510.895)</generator><item><title>re: XML Firewall and more</title><link>http://weblogs.asp.net/mikeshaw/archive/2004/08/16/215113.aspx#217058</link><pubDate>Thu, 19 Aug 2004 12:24:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:217058</guid><dc:creator>JJ</dc:creator><author>JJ</author><description>You may also want to take a look at the original Network World &amp;quot;An XML Firewall and more&amp;quot; article. &lt;br&gt;&lt;br&gt;&lt;a target="_new" href="http://www.nwfusion.com/newsletters/web/2004/0315web2.html"&gt;http://www.nwfusion.com/newsletters/web/2004/0315web2.html&lt;/a&gt;&lt;br&gt;&lt;br&gt;XML firewall and the broader web services security space is maturing nicely. Vordel, Forum and DataPower are the vendors that have been out there the longest. 
</description></item><item><title>re: XML Firewall and more</title><link>http://weblogs.asp.net/mikeshaw/archive/2004/08/16/215113.aspx#216986</link><pubDate>Thu, 19 Aug 2004 08:15:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:216986</guid><dc:creator>pak76</dc:creator><author>pak76</author><description>I worked with Vordel in the past and I couldn't understand certain, I would say, architectural decisions. I haven't heard from them for a while, so maybe they have changed them already.&lt;br&gt;&lt;br&gt;You touched SOAPbox. I used it (as a number of different products) and it is good for debugging, but there is no real tool to do proper security testing of web services. Something that would discover and try to penetrate using multiple scenarios. And then I would use something like SOAPBox (or other tools some of which I wrote) to do manual testing.&lt;br&gt;&lt;br&gt;To be honest I think that XML FW vendors have a very hard task. &lt;br&gt;1. There are multiple web services security standards&lt;br&gt;2. There are multiple standards' versions (so for example WSE1.0 is not compatible with 2.0)&lt;br&gt;3. There are plenty of drafts (and I need WS-Trust pretty soon)&lt;br&gt;4. There are multiple security architectures you can implement on top of it (SAML/XML Signature/...)&lt;br&gt;&lt;br&gt;And they have to implement all of them to satisfy their customers, while business is still hesitating (save exceptions such as Amazon, but it is just for product browsing, not transactional) if it is the right direction...&lt;br&gt;From the security perspective I start to support this view. Web services become, in my opinion, too complicated. 
They lack simplicity; therefore they are not giving me assurance that they are secure - example: recently using an on-line XML Signature verifier I could retrieve any file on the remote system and new standards, such as XPath 2.0 will be even more powerful. On the other hand recently reported weaknesses in hash functions will impact the key security element of web services - XML Signature. It will force us to immediately shift our web services to support better algorithms, such as SHA-512, but which products/vendors support it? So maybe it is better to wait a while...&lt;br&gt;I haven't touched things such as XSLT and/or XPATH and/or ... and their consequences on security.&lt;br&gt;&lt;br&gt;But back to XML Firewalls. I investigated several XML FW and abundance of solutions means that it is not possible to find one vendor that will suit everyone. Vendors implement a certain set of protocols they think is appropriate, and that's it. Moreover, make sure that they interpreted given standards as you did. One and the same excerpt can be interpreted at least in several different ways...&lt;br&gt;&lt;br&gt;If you are talking to them, make sure that you know your requirements. Don't expect that they will support your specific requirements of the box (if they do you are really lucky). If they don't support your scenario, influence their roadmap, but keep to the standards - it is the best way to convince them that they need it and it gives you the option to replace this solution with another one in the future.&lt;br&gt;&lt;br&gt;Companies behind XML FW are young ones. Their viability is still under question. This market will grow, but will the current players survive? &lt;br&gt;Currently their focus is on their product, and sometimes they don't pay attention to the package, so make sure that you cover basic things such as appliance hardening, secure communication, scalability, failover, performance, ...
&lt;br&gt;&lt;br&gt;Within my organization possibly we will end up with layered approach with solutions from two vendors (once I prove somehow that they are doing their job - another problem how to test XML FWs?), which is always advisable from security perspective. None of vendors supported my requirements, but I managed to influence one to support requirements for one layer and now I'm trying to influence another.&lt;br&gt;&lt;br&gt;Cheers&lt;br&gt;&lt;br&gt;pak&lt;br&gt;&lt;br&gt;&lt;br&gt;&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=216986" width="1" height="1"&gt;</description></item><item><title>re: XML Firewall and more</title><link>http://weblogs.asp.net/mikeshaw/archive/2004/08/16/215113.aspx#215296</link><pubDate>Mon, 16 Aug 2004 19:56:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:215296</guid><dc:creator>Sean Gephardt</dc:creator><author>Sean Gephardt</author><description>Very cool!&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=215296" width="1" height="1"&gt;</description></item></channel></rss>