Forum XWall provides powerful protection for Web services
Hackers would be hard-pressed to circumvent this sturdy, granular security system
XWall will also help protect your Web service against DoS attacks in a couple of ways. It uses a custom XML parser to scan messages and validate them before they hit the Web service’s parser. And through the use of IDP rules, XWall can limit the message size or total number of bytes per minute, hour, or day, minimizing the chance of an unknown attacker overwhelming the service with too much data. This helps prevent hackers from making “exploratory” requests against your service.
In our tests, Forum XWall successfully blocked our XML attacks in all cases. Some of our tests, ranging from 500 to 5,000 attempts, included invalid data types, SOAP requests with missing elements and nested elements, and null data types.
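The checks described above (a per-message size cap, a per-source byte budget over a time window, and validation before the message reaches the service's own parser) can be sketched as follows. This is an added example illustrating the general technique, not Forum's code or XWall's rule syntax; the `Gate` class, the limits and the sample message are assumptions constructed for illustration.

```python
import time
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
MAX_MESSAGE_BYTES = 4096        # assumed per-message cap
MAX_BYTES_PER_MINUTE = 8192     # assumed per-source byte budget
WINDOW_SECONDS = 60
# Constructed sample request (not taken from the review)
SAMPLE = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<s:Body><GetQuote><symbol>ABC</symbol></GetQuote></s:Body></s:Envelope>')


class Gate:
    """Hypothetical pre-parser gate: size cap, byte budget, envelope check."""

    def __init__(self):
        self._seen = defaultdict(deque)   # source -> deque of (timestamp, nbytes)

    def _bytes_in_window(self, source, now):
        window = self._seen[source]
        while window and now - window[0][0] >= WINDOW_SECONDS:
            window.popleft()              # forget traffic older than the window
        return sum(n for _, n in window)

    def check(self, source, raw, now=None):
        """Return (allowed, reason) for one raw request body (bytes)."""
        now = time.monotonic() if now is None else now
        size = len(raw)
        if size > MAX_MESSAGE_BYTES:
            return False, "message too large"
        if self._bytes_in_window(source, now) + size > MAX_BYTES_PER_MINUTE:
            return False, "byte budget exceeded"
        # Charge the budget before validating, so malformed requests
        # still count against the sender.
        self._seen[source].append((now, size))
        if b"<!DOCTYPE" in raw:
            return False, "DTD not allowed"   # SOAP forbids DTDs; avoids entity expansion
        try:
            root = ET.fromstring(raw)
        except ET.ParseError:
            return False, "not well-formed"
        if root.tag != f"{{{SOAP_NS}}}Envelope":
            return False, "not a SOAP envelope"
        body = root.find(f"{{{SOAP_NS}}}Body")
        if body is None or len(body) == 0:
            return False, "missing or empty Body"
        return True, "ok"
```

The cheap checks run first, so an oversized or over-budget request is rejected before any XML parsing is attempted.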
All of this protection is worthless if you do not know what is going on in the system. XWall includes alerting and monitoring tools that can e-mail you when a specific action occurs, such as too many failed requests from a specific source, as well as save archived log information to your Oracle, MySQL, or DB2 database. The Statistics page provides you with an array of counters for items such as the number of errors, average size of the document, and megabytes processed. For even more specific information about the usage of each policy, the Web Services Monitoring page breaks down each policy into its methods and displays successes and failures.
Most enterprises that are deploying Web services will also want to use Forum’s XML schema tightening to protect against SQL injection and command injection, parameter tampering, schema poisoning, and buffer overflows. Unfortunately, these features are not available in XWall. (Forum Systems’ flagship product, Sentry, does protect against these attacks but at a much higher price point, starting at $25,000.) Forum has announced plans to incorporate some schema tightening later this year in XWall.
If you host Web services for public consumption and think your application layer firewall is “good enough,” think again. You need a system that looks deep into the SOAP message and enforces policies based on WS-I (Web Services Inspection) and other standards. Forum XWall -- whether as a hardware appliance or as a software installation -- provides a very granular set of tools for managing your Web services traffic. I really like the fine level of control available in each policy, and being able to define multiple policies for the same service gives me the flexibility to tailor access to each specific set of circumstances. If you need schema tightening and more control over the XML message, then you will want to look to Sentry instead.