XML Firewalling

The Problem

XML Web services provide a versatile method for exposing applications and their data directly to other applications in a standards-based way. Benefits include platform interoperability and simplified reuse of application interfaces across multiple business processes. Nowhere is this benefit more clear than when applications and data need to be shared across departmental and organizational boundaries. For the first time, Web services make cross-boundary integration relatively simple and arguably practical. However, exposing functionality and information to applications in external trust and security domains opens those systems to potential threats. In these scenarios, XML Firewalls provide a first line of defense.

Solution Requirements

WS-Security, the standard for message confidentiality and integrity, has been ratified, but the specifications that describe how to exchange security tokens, establish a security session, describe security preferences and capabilities, negotiate and reconcile policy differences, and propagate security claims (to give a few examples) are still in development. Moreover, many of the sometimes overlapping specifications are deliberately ambiguous about implementation details. That makes manual coordination and programming of security preferences across distributed systems a daunting and error-prone task for the uninitiated developer. However, even if security coordination and enforcement could be expertly and consistently programmed across distributed services, security issues remain:

  • How do you guard against XML-borne threats or viruses?
  • How do you protect against replay attacks?
  • How do you implement differentiated security policies based on a requestor’s identity, credentials, or request content?
  • How do you defend access to an application interface from unscrupulous developers?
  • How do you assure integration continuity under a denial-of-service attack or server overload?
  • How do you make sure that physical addresses never get exposed directly to the outside world?
  • How do you implement policy changes without down-time?
  • How do you audit and assure against repudiation of transactions?
  • How do you switch between data formats?
  • How do you accelerate XML processing?

The above is only a partial list of the considerations an integration or security architect must weigh when exposing a Web service outside security boundaries. An XML Firewall can help with all of these requirements by providing a simple-to-configure, high-performance, edge-based gateway for defending access to Web services.
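Two of the requirements above, XML-borne threats and replay attacks, are concrete enough to show in code. What follows is an added example written for this page; it is not Layer 7 product code or configuration. It implements the pre-checks an XML firewall performs at the edge using only Python's standard library: refuse oversized, deeply nested or DTD-bearing messages before the full parse (a DTD ban blocks entity-expansion bombs and XXE in one stroke), then check the WS-Security wsu:Timestamp for freshness and a wsse:Nonce cache for replays. The limits (64 KB, 32 levels, 300 s window), the partner-app sample message, and all function and class names are assumptions made for the example.

```python
"""Edge checks an XML firewall applies before a SOAP request reaches the back end: structural
defences against XML-borne threats (size cap, nesting cap, no DTDs, which blocks entity-expansion
bombs and XXE) and replay detection via the WS-Security wsu:Timestamp plus a wsse:Nonce cache.
Added example using only the standard library; not Layer 7 product code."""
import calendar
import time
import xml.etree.ElementTree as ET
import xml.parsers.expat

MAX_BYTES, MAX_DEPTH, FRESHNESS_WINDOW = 64 * 1024, 32, 300  # assumed example limits (bytes, levels, seconds)
NS = {  # namespaces from SOAP 1.1 and the OASIS WS-Security 1.0 specifications
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

class Rejected(Exception):
    """The gateway refused the message; str(exc) is the reason."""

def check_structure(raw: bytes) -> None:
    """Refuse messages that could hurt the XML parser, before any full parse."""
    if len(raw) > MAX_BYTES:
        raise Rejected("message exceeds size limit")
    depth = 0
    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > MAX_DEPTH:
            raise Rejected("element nesting too deep")
    def end(name):
        nonlocal depth
        depth -= 1
    def doctype(*_):  # fires at '<!DOCTYPE', before any entity declaration is read
        raise Rejected("DTD not allowed")
    p = xml.parsers.expat.ParserCreate()
    p.StartElementHandler, p.EndElementHandler, p.StartDoctypeDeclHandler = start, end, doctype
    try:
        p.Parse(raw, True)  # exceptions raised inside handlers propagate out of Parse
    except xml.parsers.expat.ExpatError as e:
        raise Rejected(f"malformed XML: {e}") from None

def iso_utc(epoch: float) -> str:
    """Epoch seconds -> the xsd:dateTime form WS-Security timestamps use."""
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(epoch))

def parse_utc(value: str) -> float:
    """Parse wsu:Created/Expires; assumes the sender used the 'Z' (UTC) suffix."""
    value = value.strip().rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    try:
        return calendar.timegm(time.strptime(value, fmt))
    except ValueError:
        raise Rejected("unparseable timestamp") from None

class ReplayGuard:
    """Nonce cache for one gateway node; a cluster must replicate it or a replay sent
    to another node goes undetected.  `now` is injectable so tests can fix the clock."""
    def __init__(self, now=time.time):
        self._now, self._seen = now, {}  # nonce -> epoch after which it may be forgotten

    def check(self, raw: bytes) -> str:
        """Return the accepted nonce, or raise Rejected with the reason."""
        check_structure(raw)
        sec = ET.fromstring(raw).find("soap:Header/wsse:Security", NS)
        ts = sec.find("wsu:Timestamp", NS) if sec is not None else None
        if ts is None:
            raise Rejected("missing wsu:Timestamp")
        created, expires = ts.findtext("wsu:Created", namespaces=NS), ts.findtext("wsu:Expires", namespaces=NS)
        if not created:
            raise Rejected("missing wsu:Created")
        now = self._now()
        if abs(now - parse_utc(created)) > FRESHNESS_WINDOW:
            raise Rejected("timestamp outside freshness window")
        if expires and parse_utc(expires) < now:
            raise Rejected("timestamp expired")
        nonce = sec.findtext("wsse:UsernameToken/wsse:Nonce", namespaces=NS)
        if not nonce:
            raise Rejected("missing wsse:Nonce")
        self._seen = {n: t for n, t in self._seen.items() if t >= now}  # evict nonces too old to replay
        if nonce in self._seen:
            raise Rejected("replayed nonce")
        self._seen[nonce] = now + FRESHNESS_WINDOW
        return nonce

def admit(guard: ReplayGuard, raw: bytes) -> tuple:
    """(True, nonce) if the gateway would forward the message, else (False, reason)."""
    try:
        return True, guard.check(raw)
    except Rejected as e:
        return False, str(e)

def sample_request(nonce: str, created: str) -> bytes:
    """Constructed SOAP request carrying a WS-Security UsernameToken (not a real capture)."""
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}"><soap:Header>
  <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
    <wsu:Timestamp><wsu:Created>{created}</wsu:Created></wsu:Timestamp>
    <wsse:UsernameToken><wsse:Username>partner-app</wsse:Username><wsse:Nonce>{nonce}</wsse:Nonce></wsse:UsernameToken>
  </wsse:Security></soap:Header>
  <soap:Body><getQuote><symbol>ACME</symbol></getQuote></soap:Body></soap:Envelope>""".encode()
```

Calling `admit(ReplayGuard(), sample_request("n-0001", iso_utc(time.time())))` returns `(True, 'n-0001')`; feeding the same bytes to the same guard a second time returns `(False, 'replayed nonce')`, and a billion-laughs payload is refused with `'DTD not allowed'` before any entity is expanded. The structural checks run on the raw bytes first so that the full parse only ever sees messages already known to be bounded. The nonce cache is the one piece of per-node state, which is why a clustered gateway has to replicate it along with policy; without that, an attacker can replay a captured message against a different node in the cluster.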

Layer 7 Value Proposition

Layer 7 Technologies' SecureSpan XML Firewall provides comprehensive defense for Web services exposed to external departments and partners. The SecureSpan XML Firewall provides:

  • Fine-grained service-level access control
  • Data validation, privacy, and integrity for incoming and outgoing messages
  • Protection against over twenty threats (including viruses in SOAP attachments)
  • Identity-based access control for XML / Web services
  • Credential chaining and substitution operations

Designed for high-availability environments, the SecureSpan XML Firewall can be linearly clustered with automatic policy replication. For low-impact integrations, the SecureSpan XML Firewall can also integrate seamlessly with existing identity and access control systems, including LDAP, AD, CA SiteMinder®, RSA ClearTrust®, IBM Tivoli® Access Manager, Sun Java Access Manager, Novell Access Manager, Oracle Access Manager and others. Unique among XML Firewalls, the SecureSpan XML Firewall also comes integrated with a PKI CA and can be configured as an RA for existing certificate authorities.

The SecureSpan XML Firewall is available as a linearly scalable, high performance 64-bit, multi-processor, 1U appliance with onboard XML and SSL acceleration or as server software for Linux and Windows server platforms.