
Westbridge exec: When XML is a factor, standard firewalls don't cut it

By Eric B. Parizo, News Editor
05 Mar 2003 | SearchWebServices.com



Experts expect Web services security to be a key focus in 2003, and there are a number of companies eager to take advantage of the growing market niche. One of those firms is Westbridge Technology Inc., a Mountain View, Calif.-based startup. SearchWebServices.com recently spoke with the company's president, Kerry Champion, about the need for XML security, the gaps in traditional firewall technology and Westbridge's many competitors.

SearchWebServices.com: In a nutshell, what does Westbridge do?
Champion: We started in 2001, and we started with a specific focus. We saw that XML Web services were a fundamental technology wave and that all software components would soon use XML. We saw that the most important problem people were facing in managing XML was security. So we built a product [the Westbridge XML Message Server] that falls into the category of an application-level XML firewall, and that product is our current offering, which we now have installed in about 700 sites.

SearchWebServices.com: Can you give me a real-life example of how your product helps companies working with Web services?
Champion: For example, SAP now has native XML compatibility. So let's say I upgrade to the current version, and suddenly I have 2,000 SOAP interfaces available. How I make them available will differ for different audiences. Maybe I want to let some employees use Excel to get data out of SAP. But for a different audience, like my external partners, I might want to take a different subset of those interfaces and make them available. But because it's external, I may want to use encryption. People end up with different XML messages coming from these different audiences to the same system, and you need different security mechanisms, depending on the audience. Our tool lets you express those policies.

SearchWebServices.com: Research shows that most Web services projects are internal right now. Why is there a need for this kind of XML security?
Champion: Everyone we talk to is only seeing internal [projects] as a first step, but they see security as the barrier between going from internal to external. A secondary point is that, even internally, people need security policies. Just having perimeter-oriented security isn't enough.

SearchWebServices.com: Tell me how your company differs from companies like Vordel, Reactivity and Flamenco Networks.
Champion: I think our customers see a couple differences. One is scalability, and we went out of our way to address that. The level of XML traffic is dramatically increasing, and as that volume of message traffic goes up, you can scale up accordingly. You also need to scale up as the number of objects you administer goes up. A number of our customers are planning to have hundreds of Web services with thousands of operations. If you want to express policies effectively for those, you need a tool to help with that. Customers have also been surprised about how quickly they can take our tool, get it installed and get their first policies working.

SearchWebServices.com: Some believe that XML firewall functionality can be built into existing firewalls. What's your response to that?
Champion: The current IP firewall vendors are adding support for XML, but they're adding it from their perspective. They think in terms of network-level objects. If all you want to do is make a policy that allows a certain IP address to send XML protocol to another IP address, I can do that with a standard firewall. But if I want to make rules and policies that are not expressed [in terms] of IP and packets, but in terms of function calls or named Web services, those firewalls don't know how to do that.

SearchWebServices.com: A recent Gartner report suggested that Web services developed internally by various departmental or project groups could soon pose a serious threat. Do you agree?
Champion: It's a growing issue and, at the end of 2003, it'll be a much bigger issue than it is now. It's not necessarily intentionally secret Web services, but it's bottom-up usage. Anybody who can write VB can write a Web service in 10 minutes. As soon as Office 11 ships, anyone who can make an Excel spreadsheet can call a Web service. And people are starting to do it. We have a tool called XML SOAP Monitor -- it's free, we just give it away -- and it will look at all the packets on a network, sort through it, and can give you a report showing all the XML messages moving across your network.
