Web application firewall vendors are starting to recognize the surging enterprise interest in XML and Web services. They also know their products aren't capable of inspecting the content of XML traffic for threats like malicious code injections and deliberate or inadvertent denial-of-service attacks.
During these relatively early days of XML Web services adoption, established network security vendors will rely heavily on partnerships to address the Web services security needs of enterprise customers.
Through its partnership with Forum Systems Inc., NetContinuum Inc. of Santa Clara, Calif., today announced the availability of an application and XML firewall bundle. Sandy, Utah-based Forum sells the XWall XML firewall.
The new Web services edition of the NetContinuum Application Security Gateway integrates Web and XML application protection in the same ASIC-based appliance.
"This at least addresses some of the issues [customers have] of 'How many devices do I want on my network? One for Web apps, another for XML traffic, another for firewalls, another for intrusion detection?' At least here we're collapsing two of them -- XML and Web application attack protection -- into one device," said Randy Heffner, vice president with Forrester Research Inc. of Cambridge, Mass.
Heffner said NetContinuum's deal with Forum puts it ahead of most of the XML application protection field. He identified Teros, which also sells a Web services application security gateway, but said it falls short in the functionality that Forum brings to this deal.
"It's not a version 1 run at it. Forum understands more about XML level threats than I gathered from Teros," Heffner said. NetContinuum wasn't first, but it has leapfrogged Teros, which was the first one there, he noted.
XML firewalls not only parse XML traffic, but inspect content for XQuery injections, coercive parsing, schema poisoning, jumbo payloads and XML routing detours -- all of which threaten the integrity of Web services transactions.
Applications have been widely regarded as the new network perimeter, and as more apps are exposed to the supply chain, partners and customers, new threats are introduced. NetContinuum chief strategy officer Wes Wasson cited a survey in which 70% of security buyers want XML protection from their Web application firewall vendors. Market research firm SalesRamp surveyed Fortune 500 chief security officers.
Wasson said including Web and XML security in the same bundle lessens management costs.
"The security guy wants to control [Web services]. He doesn't understand the technology. He doesn't understand what loosely coupled means," Wasson said. "He wants it to go through one choke point. That gives security guys control, but it doesn't force him to understand how it works."
Heffner cautioned that enterprises assess their needs before jumping into a product purchase.
"There's a whole lot of Web services stuff where it would be good enough if you don't have [an appliance]," Heffner said. "If I don't have very many partners and am trying to connect two here by a two-way SSL connection or a private connection, I may just ride that. Some of these things make it so you can get by without one right now."
Heffner added that XML threats are real, however, and should not be dismissed.
"I'm not hearing a lot of attack stuff. Certainly there have been no major headline attacks. So it hasn't risen to the level of major public concern," Heffner said. "Bottom line is there are real risks, but no data yet that say that it's happening at a frequent to high-impact rate."