Microsoft this week is scheduled to plug a major gap in its perimeter security software by integrating a partner's XML filtering and acceleration technology into its firewall and caching server. The move is designed to let corporate users secure the flow of Web services traffic.
At its 11th annual Tech Ed conference in San Diego, Microsoft plans to showcase XML upgrades to Internet Security and Acceleration (ISA) Server 2004. ISA is an application-layer firewall, VPN and caching server.
The platform will get its XML boost from Forum XWall, a Web services firewall from Forum Systems. The add-on component is integrated into the ISA Server Console. XWall inspects XML messages to authenticate data, validate schema and check for malicious content.
Support for XML in ISA Server 2004 lets corporations secure XML-based Web services applications and helps them build a service-oriented architecture. The absence of an XML firewall had drawn criticism from users and analysts. With ISA 2000 (which was released in 2001), Microsoft provides only an Internet Server API (ISAPI) filter for validating XML messages.
"This has been one shortcoming of the product," says Peter Pawlak, an analyst with research firm Directions on Microsoft. "Web services is like calling a function, so you have to look at the messages through careful inspection. You have to ensure the messages are well-formed XML, that they adhere to current parameters and do not have any malicious code injected."
In addition to packet inspection, the Forum XWall for ISA Server 2004 is expected to provide acceleration of XML traffic, which is very CPU-intensive because each message must be opened and parsed.
XWall for ISA Server 2004 provides data-level authentication, schema validation, XML intrusion prevention and support for the WS-I Basic Profile, a set of guidelines to ensure interoperability across disparate products.
"The 2000 version of ISA was a red-headed stepchild, but ISA 2004 should be ready for prime time," says Wes Swenson, CEO of Forum, which competes with DataPower, Layer 7 Technologies, Reactivity, Sarvega, Vordel and Westbridge Technology. Traditional firewall vendors, such as Check Point, also offer XML traffic inspection capabilities.
XML support is just one addition to ISA Server 2004. Celestix Networks will introduce a firewall, caching and VPN appliance based on ISA Server 2004. Avanade, a systems integrator formed by a joint partnership in 2000 between Accenture and Microsoft, will introduce VPN Quarantine for ISA Server 2004, which assesses the configuration of a client system before it can connect to the network.
Windows Server 2003 and ISA Server 2004 provide rudimentary quarantine technology that lacks assessment capabilities, according to Craig Nelson, systems engineer for Avanade. VPN Quarantine will provide those capabilities and add an administrative interface for setting rules and policies.
Microsoft is making a big push to upgrade its quarantine technology, including server enhancements in Windows 2003 Service Pack 1, due next year, and Update, which is due next year. The company also is working with anti-virus vendors such as Trend Micro.