Microsoft scrambling to secure Web services

May 24, 2004

Microsoft this week is scheduled to plug a major gap in its perimeter security software by integrating a partner’s XML filtering and acceleration technology into its firewall and caching server. The move is designed to let corporate users secure the flow of Web services traffic.

At its 11th annual Tech Ed conference in San Diego, Microsoft plans to showcase XML upgrades to Internet Security and Acceleration (ISA) Server 2004. ISA is an application-layer firewall, VPN and caching server.

The platform will get its XML boost from Forum XWall, a Web services firewall from Forum Systems. The add-on component is integrated into the ISA Server Console. XWall inspects XML messages to authenticate data, validate schema and check for malicious content.

Support for XML in ISA Server 2004 lets corporations secure XML-based Web services applications and will contribute to the building of a service-oriented architecture. The absence of an XML firewall had drawn criticism from users and analysts. With ISA 2000 (which was released in 2001), Microsoft only provides an Internet Server API (ISAPI) filter for validating XML messages.

“This has been one shortcoming of the product,” says Peter Pawlak, an analyst with research firm Directions on Microsoft. “Web services is like calling a function, so you have to look at the messages through careful inspection. You have to ensure the messages are well-formed XML, that they adhere to current parameters and do not have any malicious code injected.”

In addition to packet inspection, the Forum XWall for ISA Server 2004 is expected to provide acceleration of XML traffic, which is very CPU-intensive because each message must be opened and parsed.

XWall for ISA Server 2004 provides data-level authentication, schema validation, XML intrusion prevention and support for the WS-I Basic Profile, a set of guidelines to ensure interoperability across disparate products.

“The 2000 version of ISA was a red-headed stepchild, but ISA 2004 should be ready for prime time,” says Wes Swenson, CEO of Forum, which competes with DataPower, Layer 7 Technologies, Reactivity, Sarvega, Vordel and Westbridge Technology. Traditional firewall vendors, such as Check Point, also offer XML traffic inspection capabilities.

XML support is just one addition to ISA Server 2004. Celestix Networks will introduce a firewall, caching and VPN appliance based on ISA Server 2004. Avanade, a systems integrator formed by a joint partnership in 2000 between Accenture and Microsoft, will introduce VPN Quarantine for ISA Server 2004, which assesses the configuration of a client system before it can connect to the network.

Windows Server 2003 and ISA Server 2004 provide rudimentary quarantine technology that lacks assessment capabilities, according to Craig Nelson, systems engineer for Avanade. VPN Quarantine will provide those capabilities and add an administrative interface for setting rules and policies.

Microsoft is making a big push to upgrade its quarantine technology, including server enhancements in Windows 2003 Service Pack 1, due next year, and Update, which is due next year. The company also is working with anti-virus vendors such as Trend Micro.

Security will be a main theme at Tech Ed, which is expected to draw 11,000 IT professionals. Also on the docket is a preview of management software, including System Center 2005, patching tools such as Windows Update Services, and other forthcoming products such as SQL Server 2005 and Visual Studio 2005. Microsoft also plans to release Service Pack 1 for Exchange Server 2003.

But Longhorn, which was the main area of focus earlier this month at the Windows Hardware Engineering Conference, is not on the docket.

“TechEd is where we start to make things real and people can get their hands on the technology,” says Harley Sipner, senior product manager for the Windows Server System at Microsoft.

Meanwhile, patch vendors PatchLink, Bindview and ConfigureSoft are expected to introduce products.

Integration vendor Vintela will introduce Authentication Services, which allow authentication of Unix and Linux systems through Active Directory, and Management Extensions, an add-on to System Management Server 2003 for managing Unix and Linux desktops and servers and Macintosh desktops. WRQ plans to announce the new version of its host-access software Reflection, which includes new security, management and customization features.

On the Exchange front, KVS will show its Enterprise Vault 5.0, for archiving and managing e-mail, Microsoft file system documents, instant messages and SharePoint documents. Sybari Software will unveil Antigen 8.0 for Exchange, Advanced Spam Manager and the Sybari Enterprise Manager.

Perimeter security

Microsoft plans to unveil Internet Security and Acceleration Server 2004 next week, the first new version of the firewall and caching software since its introduction in 2001. Here is a look at the pros and cons of the server, set for general availability in July.

Pros:

VPN filtering: VPN natively supported through VPN network type.

New user interface: Replaces the standard Microsoft Management Console plug-in used in ISA Server 2000.

Multi-network capabilities: Replaces single-network support with unlimited multiple networks and types (internal, external, VPN, DMZ).

Cons:

Lack of SIP application proxy: Needed to support handling of voice and video using Session Initiation Protocol.

No IPv6 support: Adds support for IPSec Tunnel Mode but left out IPv6.

Web services proxy missing: Microsoft plans to add capability in final release through licensing deal with Forum Systems.