September 03, 2004

Forum XWall provides powerful protection for Web services

Hackers would be hard-pressed to circumvent this sturdy, granular security system

Safeguarding Web services is a lot like protecting your Web-based applications from attack. The current crop of application-layer security products can look for malformed Web traffic, URL tampering, and the like, but they do not look deep into SOAP messages or scrub XML for malicious content, which leaves Web services exposed.

Web services come with their own specific vulnerabilities and security needs. By design, each one has an associated WSDL document that is basically a blueprint for the service. The document details, in XML, the request and response messages of the service, the parameters (including data types) each operation expects, and the operations the service offers -- a return, a stock quote, or an account update, for example. By analyzing a service's WSDL document, an attacker knows exactly what the service is supposed to do and which parts are open to attack, for instance with malformed SOAP messages or other attacks on the XML parser.

Forum XWall Web Services Firewall from Forum Systems can help you fight back and protect your exposed Web services. By peering into each SOAP message, it allows or denies inbound requests based on policies and rules you define. Forum XWall also enforces XML intrusion prevention and message validation and provides multiple levels of monitoring and auditing.

Available as an appliance, software you install on your hardware, a plug-in to Microsoft ISA (Internet Security and Acceleration) Server, or embedded on a PCI 500 card, Forum XWall has most of the tools necessary to protect your Web services from attack.

For my test, I installed Forum XWall’s software version on a Compaq ML530 running Windows 2003 Server with IIS and UDDI. Installation was straightforward, although initial configuration took some knowledge of XML and WSDL to get things going. In a production setting, Forum XWall should be run on a separate server so that it can efficiently proxy your Web services to consumers and simplify installation.

In order to protect a Web service, you have to create at least one policy. This is done by importing a WSDL document from a file, a URL, or your UDDI directory. After the document is imported, XWall breaks out and lists the methods of the Web service. You define intrusion detection rules on inbound messages and can even disable specific methods that the service itself allows. This release comes with an upgraded user interface that makes policy creation and maintenance much easier than it was previously.

XML IDP (intrusion detection and prevention) is the core reason for deploying an XML firewall. With Forum XWall, you can validate the SOAP message and the underlying XML by comparing it to the service's WSDL document and then enforcing your policy. Forum XWall also prevents attackers from scanning your WSDL documents.

The power of Forum XWall becomes apparent as you begin to define validation criteria and access control lists for each Web service operation. For example, on my Google search service, I created an IDP rule that would abort request processing if there were more than 50 total elements in the XML or if the document exceeded 500KB in size. You can create different IDP rules for specific times of day and specify how you want the event logged. Forum XWall allows you to create a global IDP rule set, but you can override or add to these rules for each policy.
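The checks described in the last three paragraphs, as an added example in Python that is not Forum XWall's code: a byte-size limit and a DTD check applied before the parser runs, an element budget enforced while parsing, the SOAP envelope checked against a WSDL-derived allow-list of operations (with one operation disabled by policy, as the review describes), and parameters typed as the WSDL declares them. The policy dictionary is constructed to stand in for an imported WSDL; the namespace urn:example:search, the operations doSearch and deleteIndex, and their parameters are assumptions, and the 50-element and 500KB limits are the ones quoted above.

```python
# Added example of XML-firewall checks on one inbound SOAP 1.1 request.
import xml.etree.ElementTree as ET
from io import BytesIO

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENVELOPE = "{%s}Envelope" % SOAP_ENV
SOAP_BODY = "{%s}Body" % SOAP_ENV

# Constructed policy (assumption): stands in for what a WSDL import yields.
# One operation is allowed with typed parameters; one is advertised by the
# WSDL but switched off here; the limits are the ones from the review.
POLICY = {
    "namespace": "urn:example:search",
    "operations": {
        "doSearch": {"q": str, "maxResults": int},
        "deleteIndex": None,          # in the WSDL, disabled by policy
    },
    "max_bytes": 500 * 1024,
    "max_elements": 50,
}


class PolicyViolation(Exception):
    """Carries the reason a request was dropped, for the audit log."""


def _split(tag):
    """'{ns}name' -> (ns, name); unqualified tags get an empty namespace."""
    if tag.startswith("{"):
        ns, name = tag[1:].split("}", 1)
        return ns, name
    return "", tag


def check_message(raw, policy=POLICY):
    """Validate one SOAP request against the policy; return the parsed call."""
    # 1. Limits that must hold before any parser touches the bytes.
    if len(raw) > policy["max_bytes"]:
        raise PolicyViolation("document exceeds %d bytes" % policy["max_bytes"])
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise PolicyViolation("DTD/entity declarations are not allowed")

    # 2. Streaming parse: the element budget is checked as elements arrive,
    #    so an element flood is refused before a full tree is ever built.
    count, root = 0, None
    for _event, elem in ET.iterparse(BytesIO(raw), events=("start",)):
        count += 1
        if count > policy["max_elements"]:
            raise PolicyViolation("more than %d elements" % policy["max_elements"])
        if root is None:
            root = elem

    # 3. Envelope structure: exactly one operation element inside Body,
    #    in the WSDL's namespace, named in the policy, and not disabled.
    if root is None or root.tag != SOAP_ENVELOPE:
        raise PolicyViolation("not a SOAP 1.1 envelope")
    body = root.find(SOAP_BODY)
    if body is None or len(body) != 1:
        raise PolicyViolation("Body must carry exactly one operation")
    op_elem = body[0]
    ns, op_name = _split(op_elem.tag)
    if ns != policy["namespace"]:
        raise PolicyViolation("operation namespace %r not in policy" % ns)
    if op_name not in policy["operations"]:
        raise PolicyViolation("operation %r not in WSDL" % op_name)
    spec = policy["operations"][op_name]
    if spec is None:
        raise PolicyViolation("operation %r disabled by policy" % op_name)

    # 4. Parameters: only those the WSDL declares, each of the declared
    #    simple type, and all of them present. Anything else is rejected.
    params = {}
    for child in op_elem:
        _, pname = _split(child.tag)
        if pname not in spec or len(child):
            raise PolicyViolation("unexpected parameter %r" % pname)
        try:
            params[pname] = spec[pname]((child.text or "").strip())
        except ValueError:
            raise PolicyViolation("parameter %r is not %s" % (pname, spec[pname].__name__))
    missing = sorted(set(spec) - set(params))
    if missing:
        raise PolicyViolation("missing parameters %s" % missing)
    return {"operation": op_name, "params": params}


def verdict(raw, policy=POLICY):
    """Allow/deny wrapper: the line the firewall would log for one request."""
    try:
        check_message(raw, policy)
        return "allow"
    except PolicyViolation as exc:
        return "deny: %s" % exc
    except ET.ParseError as exc:
        return "deny: malformed XML (%s)" % exc


def soap(body_xml):
    """Wrap a body fragment in a SOAP 1.1 envelope (constructed test input)."""
    return ('<soap:Envelope xmlns:soap="%s" xmlns:s="urn:example:search">'
            '<soap:Body>%s</soap:Body></soap:Envelope>' % (SOAP_ENV, body_xml)).encode()


if __name__ == "__main__":
    for name, msg in [
        ("good", soap('<s:doSearch><s:q>xml firewall</s:q><s:maxResults>10</s:maxResults></s:doSearch>')),
        ("disabled op", soap('<s:deleteIndex/>')),
        ("element flood", soap('<s:doSearch>' + '<s:q>x</s:q>' * 60 + '</s:doSearch>')),
        ("entity decl", b'<!DOCTYPE x [<!ENTITY a "aaaa">]>' + soap('<s:doSearch/>')),
    ]:
        print("%-14s %s" % (name, verdict(msg)))
```

Order matters here: the byte-size and DTD checks run before the parser is invoked, and the element budget is enforced by iterparse as elements arrive, so an entity-expansion or element-flood message is refused before a full tree exists. The DOCTYPE substring check is deliberately blunt; a production deployment would configure the parser to refuse DTDs outright (for example with defusedxml) rather than rely on a string match, and would derive the allow-list from the WSDL itself rather than a hand-written dictionary.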

Test Center Scorecard

Forum XWall Web Services Firewall, Version 3.3
Category weights: 25%, 25%, 15%, 15%, 10%, 10%
Category scores: 8, 8, 9, 8, 8, 8
Overall score: 8.2 (Very Good)

©1994-2009 Infoworld, Inc.