Web services necessitate application-level firewalls

The buzz about Web services has turned to discussions about the added security risks they pose. According to Gartner, Web services is about “moving application integration into firewall-evading tunnels,” so CIOs must adjust security strategies to include application-level firewalls.

While this new breed of firewall must be implemented along with —and not replace— traditional network firewalls, InfoWorld has reported that the battle is on between traditional firewall players and a new breed of XML-application firewall vendors.

Not everyone is taking the battle seriously, however. In fact, some believe that the novelty of what upstart vendors have to offer will be short-lived. I spoke with several industry experts and asked them what CIOs need to know about application-level security, the upstarts offering XML firewalls, and how to choose a vendor in the space. Here’s what I found out.

What is an XML-application firewall?
Gartner says that the term XML-application firewall is a bit confusing because the type is clearly distinct from existing IP-level network firewalls. However, the term is appropriate because, like network firewalls, these XML-application firewalls are focused on securing and monitoring the network.

XML-application firewalls are unlike traditional network firewalls in that they work at the application level “using an in-depth knowledge of the Web services, service requestors, and message content. It is the XML Web services standardization of application-level data that makes application-level firewalls practical,” write Gartner analysts John Pescatore, Matthew Easley, and Richard Stiennon in a report titled “Security platforms will transform the network security arena.”

The existence of Web services places new emphasis on the danger of attacks on systems at the application layer. Traditional network firewalls, which will continue to be central to security, don’t address the new realities and requirements for security. According to the XML Web Services Security Forum (XWSS), those new realities and requirements are:

• Most security violations come from within the firewall.
• Mission-critical initiatives often require cross-firewall access and integration.
• Ports that were originally intended to pass very specific protocols are now being used for many purposes.
• XML Web services Simple Object Access Protocol (SOAP) messages were specifically designed to easily pass through existing firewalls by being carried over transport protocols, such as HTTP, SMTP, and so on, that are frequently carried through open firewall ports.
• New code written with updated tools such as .NET, current J2EE apps servers, and so on, will be the minority of nodes in an XML Web services data network. The majority of nodes will be legacy or packaged applications, which have significantly varying levels of application security. It is often difficult to verify and manage the security functions they provide.

Different but not separate Jean-Marc Loingtier, CEO of AKheron, a network security vendor of application firewalls, says XML-application firewalls are sometimes viewed as orthogonal to traditional security products—like a “convoluted proxy” that speaks, or parses, XML and knows about specific applications, such as SOAP.

In the past, similar application-level security has been necessary but not often implemented due to its expense. The high cost of implementation was due to the lack of a standard mechanism and formats for application communications, according to Peter Sorrentino of the management consulting, research, and education firm The Concours Group. XML and Web services provide a standard mechanism and afford corporations a new opportunity to implement product offerings from smaller firms, including Flamenco Networks, Forum Systems, Reactivity, Vordel, and Westbridge Technology, instead of the “expensive, ad-hoc, custom-programmed, application-embedded, application security of the past," Sorrentino says.

Holistic security vs. piecemeal approaches
Loingtier says the notion of XML-application firewalls as independent, or somehow separated, from customary security won’t last long because traditional vendors have agreed that security is a holistic endeavor where all components must cooperate and be considered in the totality of their interactions.

“Besides, no IT manager would look very kindly at managing two PKIs [public key infrastructures], one for the same firewall/VPN that protects an extranet and one for the sake and needs of Web service applications,” Loingtier explains.

When choosing a vendor for application-level security for Web services, Loingtier recommends that CIOs first ask, “Has it been tested with the products and the configuration I intend to use?” If the answer is no, don’t proceed, he says.

However, CIOs can feel safe investing efforts with a small security firm whose product integrates well with their existing security infrastructure and processes, he adds.

“Pick up the right one and you might not even have to change anything in your infrastructure if it is ultimately migrated to Cisco or Symantec,” Loingtier says.

Smaller companies will likely be swallowed
Sorrentino expects the new or smaller vendors offering application-level security for Web services to be overtaken by larger vendors.

The newer companies “have little proprietary knowledge, technology, patents, and so on ” that would prevent mainstream network security players like Cisco or Nortel from engaging in the market once it’s large enough to be interesting, Sorrentino says. So, an “adaptation to XML would not be a challenge” for the traditional players, “nor at the right time would be the acquisition of one or more of the new vendors."

Leading vendor: Check Point Software
Gartner predicts that as organizations evaluate security requirements, more will implement more than one kind of firewall, spurring demand for integrated centralized administration. One firm that offers central administration is Check Point Software Technologies, which Gartner has named as one of the leading vendors in the firewall market, along with Cisco.

Check Point is among the first to offer an end-to-end security solution that includes application-level security as well as centralized administration, according to Neil Gehani, Check Point senior product manager.

That holistic approach to security is what will separate the surviving application-level security vendors from those destined to fail or be swallowed by bigger fish, he says.

“A lot of the application firewall vendors come from the application space and not from the security context, so they’re not aware of all the security issues you have to deal with,” Gehani says. “You have to remember that most of the people that come to this space assume that the network security issues have been taken care of, which, of course, is the wrong assumption.”

The September 2002 release of Feature Pack 3 for Check Point’s VPN-1/FireWall-1 Next Generation product includes security for XML and SOAP protocols. The additions are a free upgrade to existing customers. Gehani says that’s an advantage of an integration solution over companies offering just the application-level security solutions.

“XML-specific firewall vendors will charge you about $50,000 a pop, plus about $15 a user for it,” Gehani says. “It’s expensive for what they offer, because it’s very limited.”

He recommends that before CIOs spend their money, they narrow the field of vendors offering application-level security by considering those that offer a complete solution that will fit the entire infrastructure and eliminate vendors offering only a piecemeal solution for Web services.

Gehani warns that CIOs will have a tough time wading through the hundreds of vendors to find the top two or three whose solutions match their business needs. However, if they take the time to make a decision with their entire business in mind, they’ll avoid choosing a “penny-wise, pound foolish” solution, he says.

“Most people don’t do that,” Gehani says. “Then they spend a lot of money and later have to deal with the integration issues.”

TechRepublic originally published this article on 27 January 2003.