XML propels security intelligence

By Nick Suizo, Network World, 08/28/2006
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Typical enterprises include task-specific security devices in heterogeneous environments that cannot easily communicate or coordinate mitigation strategies. Several proprietary approaches exist to facilitate this communication, but these are usually limited to single-vendor environments.

To address this problem, a growing trend is to use XML to share security data. The strength of XML is that it enables devices to collaborate easily by providing a lingua franca to communicate with each other. Information and services can be encoded with meaningful structure and semantics that intelligent devices can understand. XML enables rapid information exchange and can easily be extended to include user-specified and industry-specified tags. Languages based on XML are formally and universally defined, enabling programs to modify and validate documents in these languages without prior knowledge of their particular form.

XML is text based, which makes it highly portable, readable and easy to troubleshoot. Because of its wide adoption, numerous tool sets, both commercial and open source, are available to simplify and speed application development. These tools work with multiple programming languages, including C, C++, C# and Java, and scripting languages such as Python, Perl and Tcl. This broad flexibility enables XML to be used in almost any application or programming context.

In addition to being flexible, XML can be exchanged securely. HTTP over SSL (HTTP/S) is the most common scheme used to ensure XML data is transferred over a secure channel. Applications requiring higher levels of security can encrypt and sign the actual XML data before transmitting it via an HTTP/S channel.

To use XML, network infrastructure devices and security appliances must include common elements in their APIs to communicate information between systems. Key steps of this process include: data elements to be shared must be identified and defined (virtual LAN [VLAN] information, for example); XML tags must be created to isolate and represent each piece or type of information; and data must be broadcast, via XML, between the switch and the target security appliance. With these parameters established, the systems can share information and create policies automatically based on real-time information.

The devices also can enforce security policies based on the latest threat information available within the network. Many security appliances use XML and can easily be programmed to interface with other devices that have compatible XML APIs.

An example of how this interaction takes place can be seen in the potential communications between an intrusion detection/prevention system (IDS/IPS) appliance and an intelligent switch. If the IDS/IPS detects a threat, it can immediately communicate with the switch and shut down the port, limit access, control the bandwidth or redirect the infected traffic.
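The switch side of such an exchange, as an added example that is not code from the article or from any vendor: it authenticates a mitigation request from the IDS/IPS, parses it, and validates every field before anything is acted on. The element names, action names, port limit and key are assumptions made for illustration, and a detached HMAC-SHA256 tag with a pre-shared key stands in for the message signing mentioned above (it is not XML Signature).

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# All names below (element names, actions, limits) are assumptions for illustration.
ALLOWED_ACTIONS = {"shutdown-port", "limit-access", "rate-limit", "redirect"}
MAX_PORT = 48              # constructed: ports on the hypothetical switch
MAX_MESSAGE_BYTES = 4096

class RejectedMessage(Exception):
    """The message failed authentication or validation and must not be acted on."""

def sign(key: bytes, raw: bytes) -> str:
    """Detached HMAC-SHA256 tag the IDS/IPS sends alongside the XML body."""
    return hmac.new(key, raw, hashlib.sha256).hexdigest()

def parse_mitigation(key: bytes, raw: bytes, tag: str) -> dict:
    """Authenticate, parse and validate one mitigation request on the switch side."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise RejectedMessage("message too large")
    if not hmac.compare_digest(sign(key, raw), tag):
        raise RejectedMessage("bad authentication tag")
    # This format never needs a DTD, so refuse one outright (blocks entity tricks).
    # NUL bytes would indicate a UTF-16/32 body that the byte check cannot inspect.
    if b"\x00" in raw or b"<!DOCTYPE" in raw:
        raise RejectedMessage("DTD or non-UTF-8 encoding not allowed")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise RejectedMessage(f"malformed XML: {exc}") from exc
    if root.tag != "mitigation":
        raise RejectedMessage("unexpected root element")
    action = root.findtext("action", "")
    if action not in ALLOWED_ACTIONS:   # allowlist, never pass through unknown verbs
        raise RejectedMessage("unknown action")
    try:
        port = int(root.findtext("port", ""))
        vlan = int(root.findtext("vlan", ""))
    except ValueError as exc:
        raise RejectedMessage("port and vlan must be integers") from exc
    if not (1 <= port <= MAX_PORT and 1 <= vlan <= 4094):
        raise RejectedMessage("port or vlan out of range")
    return {"action": action, "port": port, "vlan": vlan}

# Constructed sample: the IDS/IPS asks the switch to shut down port 12 on VLAN 30.
KEY = b"constructed-demo-key"
SAMPLE = b"<mitigation><action>shutdown-port</action><port>12</port><vlan>30</vlan></mitigation>"

if __name__ == "__main__":
    print(parse_mitigation(KEY, SAMPLE, sign(KEY, SAMPLE)))
```

Checking the tag before parsing means unauthenticated bytes never reach the XML parser, and the allowlist keeps a compromised or misconfigured sender from requesting actions the switch was never meant to expose.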

Once the XML functionality is in place, it can be used to facilitate other security/infrastructure architectures. The IDS/IPS appliance could be used as a virtual appliance where the network switch does the initial detection and then routes the questionable traffic to an appropriate appliance for further analysis. Using XML, the switch can coordinate this exchange with the virtual appliance, thereby better leveraging the strengths of both elements. The intelligent communication between the switch and the IDS/IPS provides a more scalable, centralized and easy-to-manage security solution.
