Though they pose little danger today, a Gartner Inc. analyst believes that secret Web services originating both inside and outside of the firewall could eventually pose serious security risks to many companies.
"Companies are going to have trouble keeping track of Web services," Wagner said. "When they actually begin to cross the firewall, they're difficult to see."
Wagner said Web services network traffic is often tricky to detect because it utilizes ports 80 and 443 on a Web server, which are the same ports used by HTTP traffic, making it impossible for a standard firewall to tell the difference.
"And the danger is that almost anything can come over a Web service connection," Wagner said, including executable files containing harmful worms or viruses. He said Gartner has estimated that the use of Web services could at some point reopen approximately 60% to 70% of the security holes that companies have plugged during the last 10 years.
Wagner said that unless a company has software in place specifically intended to detect and monitor Web services traffic, not only could harmful data get past a firewall, but an internal department could also build its own Web service and send data out without being detected.
To be absolutely sure what type of data is moving across the firewall, Wagner said a company must break Secure Sockets Layer (SSL) connections at its network perimeter and inspect all traffic around its active server ports.
However, that can be a challenge today because of the need to inspect the data at near wire speed. According to Wagner, vendors such as Vordel Ltd., Hitachi subsidiary Quadrasis, Reactivity Inc. and Westbridge Technology Inc. have made strides in developing software that detects Web service traffic at the perimeter but, for the most part, the technology is unproven.
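What separates Web services traffic from ordinary HTTP on ports 80 and 443 is visible only inside the request, once SSL has been terminated. The sketch below is an added example, not code from the article or from any vendor it names; it covers SOAP-style calls only, and the function names, hosts and sample requests are constructed for illustration.

```python
# Added example: heuristics for spotting SOAP calls among decrypted HTTP requests.
SOAP_NAMESPACES = (
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1 envelope
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2 envelope
)

def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def soap_indicators(raw):
    """Return the reasons a request looks like a SOAP Web service call."""
    _method, _path, headers, body = parse_request(raw)
    reasons = []
    if "soapaction" in headers:
        reasons.append("SOAPAction header")
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type == "application/soap+xml":
        reasons.append("SOAP 1.2 media type")
    # Substring match rather than XML parsing: the body is untrusted input.
    if any(ns in body for ns in SOAP_NAMESPACES):
        reasons.append("SOAP envelope namespace")
    return reasons

def classify(raw):
    return "web-service" if soap_indicators(raw) else "ordinary-http"

# Constructed sample requests (hypothetical hosts and paths).
BROWSER_GET = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
FORM_POST = ("POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice")
SOAP11_POST = ("POST /orders HTTP/1.1\r\nHost: api.example.com\r\n"
               "Content-Type: text/xml; charset=utf-8\r\n"
               'SOAPAction: "urn:example:GetOrder"\r\n\r\n'
               '<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/">'
               "<e:Body/></e:Envelope>")
# SOAP 1.2 body sent without any SOAP-specific header: only the payload identifies it.
UNLABELED_POST = ("POST /upload HTTP/1.1\r\nHost: api.example.com\r\n"
                  "Content-Type: application/octet-stream\r\n\r\n"
                  '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"/>')

if __name__ == "__main__":
    for name in ("BROWSER_GET", "FORM_POST", "SOAP11_POST", "UNLABELED_POST"):
        print(name, classify(globals()[name]), soap_indicators(globals()[name]))
```

The last sample shows why header checks alone are not enough: a port- or header-based rule sees a generic POST, and only payload inspection reveals the SOAP envelope.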
Wagner said few vendors are making a good case for Web services discovery and monitoring mechanisms. Yet he said the market for those products will mature because enterprises will eventually realize the need to differentiate and monitor Web services traffic.
Fortunately, Wagner said, security problems from secret Web services are unlikely to reach epidemic proportions because most companies are a few years away from experimenting with external Web services, and those that have are proceeding with caution.
"There is ample time for organizations to prepare for this," Wagner said. "It's possible for organizations to put in a strong Web services infrastructure by the 2004 or 2005 time frame that can protect against most of this."
CLICK for more articles by News Editor Eric B. Parizo