Forum secures Web services

Opinion
Oct 29, 2003 | 3 mins
Enterprise Applications, Web Development

* Risks of moving to Web services-based infrastructures

“By exposing [Web Services Description Language] to the outside world without additional protection, you are crossing your fingers in the hopes that users don’t find their way into something they were never meant to know existed,” – so says Forum Systems (see links below) in its pitch for its Forum Sentry Products.

And what can we say but “hear, hear!” As we move towards Web services-based infrastructures, we’re going to find that whole new realms of risk will emerge, and the less we expose of our systems the better.

Forum’s approach to containing and managing risk is its Forum Sentry XML security appliance (think: XML firewall) that sits between your existing firewall (you do have one, don’t you?) and your Web application server (it also supports an alternative single-port architecture using a content-level or Layer 7 switch).

The company points out that Web services authentication isn’t enough, and that a WSDL specification is essentially a hacker’s handbook that provides all the information necessary for exploiting illegal Simple Object Access Protocol (SOAP) Web methods and parameters, unauthorized Web method access, invalid SOAP routing, use of XML macros, SQL injection and submission of corrupt data.

The Forum Sentry appliance authenticates digital signatures and encrypts or decrypts XML packets. Incoming documents are checked for valid XML schemas, which not only prevents attacks but also rejects ill-formatted documents, which in turn reduces server load.
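To make the idea of checking requests before they reach the application server concrete, here is an added example (not Forum's code and not from the original column) of a gateway-side filter that refuses DTDs, undeclared operations and malformed parameters. It uses a simple allowlist in place of full XML schema validation, and the service namespace, operation names and parameter patterns are assumptions made up for the illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.parsers import expat

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"  # SOAP 1.1 envelope namespace
SVC = "{urn:example:orders}"                          # hypothetical service namespace
INT = re.compile(r"[0-9]{1,9}")
ALLOWED = {"GetOrderStatus": {"orderId": INT},  # constructed policy: published operations
           "ListOrders": {"customerId": INT, "limit": INT}}
SAMPLE = (b'<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"><e:Body>'
          b'<o:GetOrderStatus xmlns:o="urn:example:orders"><orderId>42</orderId>'
          b'</o:GetOrderStatus></e:Body></e:Envelope>')  # constructed conforming request

class Rejected(Exception):
    """The request must not be forwarded to the application server."""

def _refuse_doctype(*_args):
    raise Rejected("DOCTYPE/entity declarations are not allowed")

def check_request(raw: bytes):
    """Return (operation, params) for a conforming request, else raise."""
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _refuse_doctype  # fires before entities are declared
    scanner.Parse(raw, True)   # ExpatError here means the document is not well-formed
    root = ET.fromstring(raw)  # no DTD present, so no entity expansion can occur
    body = root.find(SOAP + "Body") if root.tag == SOAP + "Envelope" else None
    if body is None or len(body) != 1:
        raise Rejected("expected a SOAP Envelope with exactly one Body child")
    call = body[0]
    name = call.tag[len(SVC):] if call.tag.startswith(SVC) else None
    if name not in ALLOWED:
        raise Rejected(f"undeclared operation: {call.tag}")
    spec, params = ALLOWED[name], {}
    for child in call:
        key, text = child.tag.rsplit("}", 1)[-1], (child.text or "").strip()
        if key not in spec or key in params or len(child) or not spec[key].fullmatch(text):
            raise Rejected(f"parameter rejected: {key}")
        params[key] = text
    if params.keys() != spec.keys():
        raise Rejected("missing parameters")
    return name, params

def decide(raw: bytes) -> str:
    try:
        return "forward: " + check_request(raw)[0]
    except (Rejected, expat.ExpatError) as exc:
        return f"reject: {exc}"

if __name__ == "__main__":
    print(decide(SAMPLE))
```

Rejecting at this point means a malformed or out-of-policy document never costs the application server a parse, which is the server-load benefit described above.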

The Forum Sentry can transform XML into HTML or another language so that the Web application server doesn’t have to, and it can route XML documents to the required service.

The appliance supports HTTP/HTTPS Basic Authentication, XML Digital Signatures, WS-Security (User Name Token, X.509 Certificates and SAML), XML/SOAP content-based access control lists, LDAP integration (including SunOne, RSA Keon, Microsoft Active Directory, Oracle Directory), RADIUS authentication, and dynamic policy-based access control lists.

Forum also offers what I believe is a unique product: the Presidio PGP Gateway Appliance, which is essentially Pretty Good Privacy (PGP) in a box. The company claims that Presidio “reduces overall PGP total cost of ownership by up to 80%” and provides a migration path to XML Web services security.

Forum Presidio provides PGP bulk data encryption as well as Web services security (including XML encryption, XML digital signatures and SAML functionality), which provides a path to Web services from existing EDI infrastructure.

The company prices the Sentry 1504 Appliance (which adds a FIPS 140-2 Level III Hardware Security Module) at $49,995 per unit; the 1503 Appliance at $35,000 per unit; a software-only version, Sentry XML-WS Enterprise (available for Linux, and Windows NT and XP) at $10,000 per CPU; and the Presidio appliance at $15,000.

Forum also gets a huge round of applause for being up-front about its pricing (on the first product page you pull up no less) – a refreshing approach after the scores of vendors that seem to be embarrassed about actually stating what their products cost.

Mark Gibbs is an author, journalist, and man of mystery. His writing for Network World is widely considered to be vastly underpaid. For more than 30 years, Gibbs has consulted, lectured, and authored numerous articles and books about networking, information technology, and the social and political issues surrounding them. His complete bio can be found at http://gibbs.com/mgbio