Closing the XML Security Gap


If you use a firewall as part of your network security strategy, you might be feeling smug, thinking that you've closed access to thousands of ports and vulnerabilities. What you may not realize is that your firewall is most likely blithely passing XML through port 80, the Web's default port. ... But there is hope for application security in the form of XML firewalls. These devices sit behind a traditional firewall and monitor traffic on port 80 and any other ports you select. They pick through the contents of the XML packets, looking for potential trouble and taking action when trouble is found. [Full story at InfoWorld...]
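To make the "pick through the contents" idea concrete, here is an added illustration (my own sketch, not code from the Sentry, Reactivity or DataPower appliances) of the kind of content inspection an XML firewall applies to an HTTP body that a port-level firewall would simply wave through. It flags the well-known XML constructs such a device would normally reject or quarantine: a DOCTYPE or entity declaration (the hook for entity-expansion and external-entity trouble), element nesting deeper than a policy limit, oversized bodies, and malformed documents. The byte limit, depth limit and sample documents are assumed values I constructed; a real appliance makes these policy settings configurable.

```python
"""Content inspection for XML carried over HTTP, sketched to illustrate what an
XML firewall does behind a conventional firewall.  Added example, not vendor
code.  Limits and sample documents are constructed for the illustration."""
import xml.parsers.expat as expat

# Policy limits (assumed values; an appliance would expose these as settings)
MAX_BYTES = 64 * 1024
MAX_DEPTH = 32


class PolicyViolation(Exception):
    """Raised from a parser callback to stop parsing at the first finding."""


def inspect_xml(body: bytes) -> list[str]:
    """Return a list of policy findings; an empty list means the body passed."""
    if len(body) > MAX_BYTES:
        return [f"payload too large ({len(body)} bytes > {MAX_BYTES})"]

    depth = 0

    # A DOCTYPE is where entity declarations live; the policy here is to
    # reject any DTD outright rather than try to judge its contents.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise PolicyViolation(f"DOCTYPE declaration present (root {name!r})")

    # Belt and braces: expat reports each entity declaration before it could
    # ever expand a reference to it, so raising here stops expansion cold.
    def on_entity(*_args):
        raise PolicyViolation("entity declaration present")

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > MAX_DEPTH:
            raise PolicyViolation(f"element nesting exceeds {MAX_DEPTH}")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end

    findings = []
    try:
        parser.Parse(body, True)
    except PolicyViolation as exc:
        findings.append(str(exc))
    except expat.ExpatError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings


# Constructed sample bodies, as they might arrive in HTTP POSTs on port 80.
SAMPLES = {
    "clean":     b"<order><item qty='1'>widget</item></order>",
    "doctype":   b"<!DOCTYPE x [<!ENTITY a 'aaaa'>]><x>&a;</x>",
    "deep":      b"<a>" * 40 + b"</a>" * 40,
    "oversized": b"<a>" + b"x" * (MAX_BYTES + 1) + b"</a>",
    "malformed": b"<a><b></a>",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        verdict = inspect_xml(body)
        print(f"{label:10s} -> {'PASS' if not verdict else 'BLOCK: ' + verdict[0]}")
```

The design point is that every check runs before the document reaches an application parser: the DOCTYPE and entity callbacks abort the parse at the declaration, so nothing is ever expanded, and the depth counter bounds the work done on any one request. An appliance would log the finding and either drop the request or route it to a quarantine handler rather than just returning a list.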

I had a good time working on this story about three XML security appliances, commonly called "XML firewalls." As the article goes on to say, I did have my favorite, but they all were very able devices. The crucial difference among the products was the view their developers took on how an XML firewall ought to work. The Sentry seems the most like a traditional firewall, while the Reactivity product was more like the Web services intermediaries I've been reviewing.

I did my testing at KeyLabs (see photo at right). I could have accommodated the appliances in my home lab (such as it is), but it was nice to have some support on DNS, power, etc. and room to spread out. Performance testing of the appliances was outside the scope of my testing, but we did a pretty thorough feature and functionality test.

If I were running a business today and thought my digital assets were valuable enough to buy a regular firewall for security, I'd definitely go the next step and buy an XML firewall to sit behind it and monitor my HTTP traffic. Even businesses that aren't using Web services or XML are susceptible to XML attacks.

Beyond that, I think there are some pretty interesting things you could do with these boxes. They make managing encryption and digital signature tasks on XML a snap. They're extremely configurable XML processing engines, and that alone makes them fun little toys. The DataPower box, for example, is programmed using XSL stylesheets, and the hardware-based XML processing engine makes XSL transformations fast. One or two of these boxes and a lab full of grad students is a recipe for fun.