Securing XML Web services

XML Web services are not secure. This should come as no surprise as any time you expose any kind of service to the ‘Net there’s a real risk that someone, somewhere will find a hole and exploit it to your disadvantage. With XML Web services there are three major areas of security threats:

* XML versions of traditional threats such as brute force authorization attacks.

* XML payload attacks such as SQL Injection and viruses.

* Application-level operational attacks such as XML denial of service (XDoS).

A product designed to counter these attacks is the Reactivity XML Firewall from Reactivity (see links below). The Reactivity XML Firewall is a Web services security appliance that operates as a proxy. It is typically used in the DMZ between the internal and external network firewalls.

Reactivity positions its product as a security enforcement point that monitors and controls access to Web services. The product takes into account the source of a message, its content, and its headers and tests these parameters against security policies to determine whether to allow or reject the request. Additionally the Reactivity XML Firewall can modify the source, headers and content of a Web services message allowing for low-level content control and manipulation.

According to the developers, the Reactivity XML Firewall also provides:

* Authentication and access control rules based on new Web services standards being developed by groups like OASIS and WS-I.

* XML Structural Rules that prevent entity expansion and other attacks based on XML structure.

* XML Virus Checking, a set of content heuristics that scan XML message content for signatures of known attacks like SQL insertion.

* XML Schema Validation, at the edge of the network to guard against malformed XML, both malicious and inadvertent.

* XML Denial of Service Protection, operational controls for protecting against several types of XDoS attack.

The Reactivity XML Firewall also performs real-time predictive modeling and traffic throttling through a proprietary throttling algorithm. This monitors message size, back-end server latency, and HTTP status codes to build a model of back-end server load that allows for prediction of back-end server availability and appropriate traffic limiting.

The product supports SSL 2.x/3.0, TLS 1.0, SOAP 1.1/1.2, WSDL 1.1, XML-Encryption, XML Digital Signature, WS-Security 1.0, SAML 1.0/1.1, XML Schema, DTDs, and Xpath. It integrates with message buses such as MQ, Tibco and JMS. Other features supported include auditing and rollback of the full deployment history; SNMP, SMTP and e-mail alerts and syslog. The tool can be clustered for load balancing and failover, and remote Web-based management is supported.

This is quite a specification and pricing starts at $50,000.