SOAP/XML Firewalls

Firewall Implementations
Vendors can implement SOAP/XML firewalls either as an appliance or through server-side software on the Web server. Both approaches have trade-offs. Because appliances are designed and optimized for one purpose, they usually offer better throughput. Appliances such as Westbridge Technology's Westbridge XA2500 Security and Management Appliance and DataPower Technology's XS40 XML Security Gateway promise wire-speed processing of traffic and better reliability than server-side software. The Reactivity XML Firewall acts as a proxy that you deploy in the demilitarized zone (DMZ). Forum Systems' Forum Sentry 1500 appliance supports several deployment modes, including a nonintrusive inline mode in which the appliance functions as a network bridge with transparent TCP/IP packet forwarding.

Server-side solutions usually have a cheaper initial entry point, but as your Web services grow, maintaining consistent security standards and policies across all servers becomes increasingly difficult. Westbridge offers its XML Message Server (XMS) product both as server software that you can co-locate on the server that hosts your Web service and in the company's XA2500 Security and Management Appliance. Quadrasis's Quadrasis/Xtradyne SOAP Content Inspector is an application-layer security gateway whose strong suit is support for SAML. Flamenco Networks' Flamenco WSM is a Web services management and firewall solution that consists of a controller and multiple proxies and is available as a managed service as well as licensed software. An interesting variation on a software-based SOAP/XML firewall is Vordel's VordelSecure 2.0, which you can deploy either as a standalone firewall on a Windows, Sun Microsystems' Solaris, or Linux server or by deploying agents on firewalls and Web servers throughout your organization.

For large implementations, appliances are less costly to maintain and give you better manageability by providing a centralized view of your Web services network and its policies and activity. However, appliances must support all the standards and technologies that your combined Web services require. When you shop for a SOAP/XML firewall, whether it's implemented as an appliance or as software, be sure you evaluate standards support. You should familiarize yourself with the current and emerging standards in the Web services sector and identify those that your organization is most likely to need. Before you buy, make sure the product that you want supports those technologies. Table 1 lists common Web services standards.

Getting Ready
Sooner or later, Web services are coming your way, and you need to prepare your security infrastructure for their arrival. When you're ready to get a SOAP/XML firewall, you'll find the market crowded with a variety of offerings. As you sift through them, look for strong standards compliance and support for the Web services technologies that your organization uses (e.g., Framework, IBM's WebSphere platform, BEA Systems' BEA WebLogic Server) as well as support for management tools you use (e.g., IBM Tivoli, Microsoft Operations Manager—MOM). Finally, make sure the product you're considering provides the scalability you need.