Forum Systems XWall Web Services Firewall
A solid security solution

Security is important. Anyone in the business of designing, developing, hosting, or managing business applications understands this fundamental statement. Web services add a further requirement: the integrity and confidentiality of the content of the exchanged documents matter just as much as the security of the communications link between the trading partners.

Addressing this broad definition of Web services security is the Forum XWall Web Services Firewall from Forum Systems. Within a network topology it serves as the entry point to an enterprise's collection of Web services and is available as a hardware appliance or as a software component. As its name implies, the product fills a traditional firewall role, protecting back-end resources from untrusted external requests. In addition, it inspects and controls the content of the messages passed between client and host.

The Forum XWall system is a highly configurable security tool that provides several components for securing Web services. Its network security capabilities include PKCS key and public certificate management, SSL, Access Control Lists, IP filtering, and custom error-handling templates. From a Web services point of view, the security functionality includes intrusion detection and prevention, WS-I conformance validation, request filtering, and system alerts. This review looks at the software version of XWall.

Securing Web Services: Network Perspective
The firewall provides a Web-based interface for configuring all security parameters. All settings are grouped into the Administration, Resources, and System categories. The Administration section contains the Getting Started instructions (see Figure 1), monitoring functionality, and general gateway policies. The Resources section is where administrators set up the key repository, SSL security policies, access control settings, and error templates. The System section includes settings for the operation of the firewall itself, logging, and configuration import/export.

Basics
In the most basic setup, there are two main steps to securing Web services:

  1. Create network policies
  2. Establish Web services policies
Network policies, or HTTP server policies, are either local or remote and provide the channels through which network data travels. Local policies define the listeners that accept incoming traffic and enforce the network-level checks on it. Remote policies act as proxies to the services hosted on back-end systems.

The local policies establish the ports that will accept incoming traffic and provide the network-level security functionality. There are five components to this listener when working with the HTTP protocol:

  1. List of client IP addresses allowed to access services
  2. Protocol used to access services - HTTP or HTTPS
  3. Listener IP address, port, and whether basic HTTP authentication is required
  4. The Access Control List to apply
  5. The template used for error messages
Once incoming network traffic has met the requirements of the local policy, it is passed through to the remote policy. Remote policies configure access to the actual Web services applications hosted on other servers. There are three components to this policy when working with the HTTP protocol:

  1. Protocol used for outbound communications - HTTP or HTTPS
  2. The IP address or hostname of the machine on which the desired services exist along with the port and basic HTTP authentication settings
  3. A flag indicating whether or not the response from the remote service is to be processed. When turned off, the remote service's response is returned to the calling client unchanged.
For this review, I have established a basic local policy. It opens a listener on port 8080, restricts client IP addresses to one segment of my network, uses plain HTTP, and requires basic authentication. I've associated a simple Access Control List with this policy that grants read and execute permissions to a group containing a single user. I will discuss the remote policy later.

To demonstrate the error conditions raised by the local policy, two SOAP messages were sent: one from an IP address outside the allowed segment and one with incorrect credentials. As expected, the server responded with 403 and 401 HTTP status codes respectively.
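The checks a listener of this kind performs are simple to state in code. The following is an added example, not Forum XWall code: it models a local policy with a client allow-list, HTTP basic authentication and a per-user ACL, and returns the HTTP status the listener would answer with. The network range, user name, password and permissions are constructed for illustration, and the order of checks (source address first, then credentials, then ACL) is an assumption that reproduces the 403/401 behaviour observed above.

```python
"""Network-level checks of a local (listener) policy: client IP allow-list,
HTTP basic authentication and an Access Control List.  Added example that
mirrors the behaviour described in the review; it is not Forum XWall code,
and every address, user and password below is constructed."""
import base64
import binascii
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LocalPolicy:
    allowed_clients: list                      # CIDR blocks allowed to reach the listener
    users: dict                                # username -> password (plaintext for brevity)
    acl: dict = field(default_factory=dict)    # username -> set of permissions

    def allows_client(self, client_ip: str) -> bool:
        """True when the source address falls inside one of the allowed blocks."""
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(net) for net in self.allowed_clients)


def basic_auth_user(authorization: Optional[str], users: dict) -> Optional[str]:
    """Return the user name if the Authorization header carries valid Basic credentials."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        userpass = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    username, sep, password = userpass.partition(":")
    expected = users.get(username)
    if not sep or expected is None:
        return None
    # Constant-time comparison so a wrong password costs the same regardless of prefix.
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    return username


def evaluate(policy: LocalPolicy, client_ip: str, headers: dict,
             permission: str = "execute") -> int:
    """HTTP status the listener answers with: 403 for a disallowed source or an
    ACL that lacks the permission, 401 for missing or bad credentials, 200 to
    pass the request on to the remote policy."""
    if not policy.allows_client(client_ip):
        return 403
    user = basic_auth_user(headers.get("Authorization"), policy.users)
    if user is None:
        return 401
    if permission not in policy.acl.get(user, set()):
        return 403
    return 200


def auth_header(user: str, password: str) -> str:
    """Build the Authorization header a client would send (used by the sample calls)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


# Constructed policy matching the review's setup: one network segment, one user
# with read and execute rights.
POLICY = LocalPolicy(
    allowed_clients=["192.168.1.0/24"],
    users={"reviewer": "s3cret"},
    acl={"reviewer": {"read", "execute"}},
)

if __name__ == "__main__":
    good = {"Authorization": auth_header("reviewer", "s3cret")}
    print(evaluate(POLICY, "192.168.1.77", good))                                   # 200
    print(evaluate(POLICY, "10.0.0.5", good))                                       # 403
    print(evaluate(POLICY, "192.168.1.77", {"Authorization": auth_header("reviewer", "x")}))  # 401
```

Because the address check runs before credentials are examined, a client outside the allowed segment learns nothing about which user names exist; that ordering is worth preserving in any gateway that exposes both controls.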

Access Control Lists
As mentioned in the previous example, Forum XWall supports Access Control Lists to restrict user activity. Users may be defined directly in the Web console or imported from an LDAP server. For users imported from LDAP, passwords may be brought across as MD5 or SHA hashes. Alternatively, administrators may choose to have passwords checked dynamically against the LDAP server at authentication time, so that no password material is stored on the firewall. Once created or imported, users may be added to groups, which in turn are assigned to Access Control Lists. Lists are then assigned to local server policies during the setup of each policy.

Securing Web Services: Content Perspective
Not only does the Forum XWall Firewall provide network-level security, it also provides security at the Web services message level. Content is protected via WSDL policies, which are derived from the WSDL documents of the services that clients will ultimately access. Essentially, the WSDL file of the desired service is imported into Forum XWall. As an example, I've imported the WSDL file for a temperature service from Xmethods.net. Once the document is imported, the administrator must choose the listener policy to apply to this service; for this example, the local policy defined earlier is used. The next step in the process is establishing the remote policy for the service.

Remote policies provide the pass-through to the actual Web service to be executed and have configuration parameters similar to those of local policies. When the back-end service itself requires basic HTTP authentication, the administrator may choose either to propagate the credentials the client originally supplied when the service issues a challenge, or to use a predefined set of credentials held by the firewall.

Once the basic policy is established, Forum XWall's key strengths become available to the administrator. At this point, any operation defined in the imported WSDL file may be enabled or disabled for calling clients. Additionally, a separate ACL may be applied to each operation. Together these give a very flexible access control policy for all configured services.

Forum XWall also addresses the security and integrity of the content of SOAP messages exchanged between client and service. One of the key features is the ability to perform runtime validation of SOAP messages against the WS-I Basic Profile 1.0 specification. For each WSDL policy in the system, WS-I profile tests may be selectively applied to messages as they pass through the firewall. For any exchange containing a document that fails the configured tests, a SOAP fault is generated and sent to the calling client. Note that WS-I conformance is an interoperability check that rejects malformed or non-conforming messages; it complements, rather than replaces, the operation-level ACLs and the intrusion detection rules described next.

Another powerful feature of the firewall is the set of Intrusion Detection and Prevention (IDP) rules that may be applied to WSDL policies (see Figure 2). By default, the firewall ships with rules to detect authentication failures, invalid HTTP messages, SOAP documents that do not conform to any configured WSDL policy, document processing errors, and documents that exceed a predetermined size.

After all security parameters have been set within a WSDL policy, the service must be made available to calling clients. This is done by publishing a new WSDL document derived from the local, remote and WSDL policy settings configured, so that clients are directed at the firewall rather than at the back-end service. Forum XWall provides the option to export the WSDL document as a file or to upload it to a UDDI server.

As an example, I've configured the temperature service with a document size rule that rejects any message over 1 byte. All calls to the service received SOAP faults indicating the error. To give a probing client no feedback at all, the system may also be configured to fail silently and return no response to the caller.
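To make the content-level controls concrete, the following added example (not Forum XWall code) applies a WSDL policy of the kind described above to an inbound SOAP 1.1 request: an IDP size rule checked before the document is parsed, rejection of documents that do not match any operation in the imported WSDL, per-operation enable/disable, a per-operation group ACL, and the choice between returning a SOAP fault and failing silently. The WSDL policy, the operation names and the sample request are constructed for the example; the first child element of the SOAP Body is taken as the operation, which is an assumption that holds for the common RPC and wrapped document styles.

```python
"""Content-level filtering for a SOAP listener, modelled on the WSDL policy
and IDP rules the review describes.  Added example, not Forum XWall code;
the policy, operation names and sample message are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional, Tuple

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"    # SOAP 1.1 envelope namespace
ET.register_namespace("soap", SOAP_ENV)


@dataclass
class WsdlPolicy:
    operations: frozenset                       # operations present in the imported WSDL
    enabled: frozenset                          # subset exposed to calling clients
    acls: dict = field(default_factory=dict)    # operation -> set of groups allowed to call it
    max_bytes: int = 64 * 1024                  # IDP document size rule
    silent: bool = False                        # drop the request without any response


def soap_fault(faultstring: str) -> bytes:
    """Build a minimal SOAP 1.1 client fault, the response a rejected caller sees."""
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    fault = ET.SubElement(body, f"{{{SOAP_ENV}}}Fault")
    ET.SubElement(fault, "faultcode").text = "soap:Client"
    ET.SubElement(fault, "faultstring").text = faultstring
    return ET.tostring(env)


def operation_of(envelope: bytes) -> Optional[str]:
    """Local name of the first child of soap:Body, or None if this is not a
    SOAP 1.1 envelope with a non-empty Body.  Raises ET.ParseError on bad XML."""
    root = ET.fromstring(envelope)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        return None
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        return None
    tag = body[0].tag
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def filter_request(policy: WsdlPolicy, envelope: bytes,
                   groups: frozenset) -> Tuple[bool, Optional[bytes]]:
    """Return (forward_to_service, response).  On rejection the response is a
    SOAP fault, or None when the policy is configured to fail silently."""
    def reject(reason: str) -> Tuple[bool, Optional[bytes]]:
        return False, (None if policy.silent else soap_fault(reason))

    # The size rule runs before parsing, so oversized documents never reach the XML parser.
    if len(envelope) > policy.max_bytes:
        return reject("Message exceeds configured size limit")
    try:
        op = operation_of(envelope)
    except ET.ParseError:
        return reject("Document processing error")
    if op is None or op not in policy.operations:
        return reject("Request does not conform to any configured WSDL")
    if op not in policy.enabled:
        return reject(f"Operation {op} is not available")
    required = policy.acls.get(op)
    if required and not (groups & required):
        return reject(f"Access to operation {op} denied")
    return True, None


# Constructed policy for a temperature service: two operations in the WSDL,
# only getTemp exposed, and only members of one group may call it.
TEMP_POLICY = WsdlPolicy(
    operations=frozenset({"getTemp", "setTemp"}),
    enabled=frozenset({"getTemp"}),
    acls={"getTemp": {"weather-readers"}},
    max_bytes=2048,
)

# Constructed sample request (not a capture from the real service).
GET_TEMP = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><getTemp xmlns="urn:example:temp"><zipcode>10001</zipcode>'
    b'</getTemp></soap:Body></soap:Envelope>'
)

if __name__ == "__main__":
    print(filter_request(TEMP_POLICY, GET_TEMP, frozenset({"weather-readers"})))
    print(filter_request(TEMP_POLICY, GET_TEMP.replace(b"getTemp", b"setTemp"), frozenset()))
```

The 1-byte limit used in the review corresponds to `max_bytes=1` here, which rejects every real message; a production value should sit just above the largest legitimate request so that oversized payloads are dropped before any XML processing takes place.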

Summary
Forum Systems XWall Web Services Firewall is a powerful security solution targeted at Web services. The features covered in this review represent only a small portion of its overall capabilities. The system effectively addresses the problem of securing Web services applications from both a network and a content perspective. Overall, this is a very solid product that should be considered for Web services applications.

Forum Systems
Company Info
Forum Systems
45 West 10000 South, suite 415
Sandy, UT 84070
801-313-4400
Fax: 801-313-4401
Toll Free: 1-866-333-0210
sales: twise@forumsys.com

About Brian Barbash
Brian R. Barbash is the product review editor for Web Services Journal. He is a senior consultant and technical architect for Envision Consulting, a unit of IMS Health, providing management consulting and systems integration that focuses on contracting, pricing, and account management in the pharmaceutical industry.

Reader Feedback

Simon Dolan wrote: I'm confused about how you can give such a glowing review to an XML security product which (1) doesn't support WS-Security [a vital standard], (2) doesn't support SAML [another vital standard], (3) is Java-based [i.e. *slow* - whoever heard of a firewall written in Java?], and (4) doesn't support SOAP attachments [which is how many viruses can sneak into XML applications].