
XML Firewalls, part two

This column looks at the fight for your security dollars between XML firewall vendors and vendors of traditional firewalls.

The Web Services Advisor

Continued from Part One

XML firewalls are designed to protect enterprises against the unique dangers posed by Web services. These firewalls examine SOAP headers and XML tags, and based on what they find, block any dangerous or unauthorized content or services from getting inside a corporation. Traditional firewalls can't do this, because they can only filter on the packet level, not on the content level. XML firewalls, on the other hand, examine the XML content of the incoming traffic, understand the content, and based on that understanding, take an action – for example, letting the traffic in or blocking it.
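To make the packet-level versus content-level distinction concrete, here is a small added example (written for this column, not code from any of the vendors named) of the kind of check an XML firewall performs: it parses a SOAP 1.1 envelope, extracts the service namespace and operation from the Body, and allows or blocks against a policy table. The service namespace, operation names, policy entries and sample messages are all constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace

# Constructed allowlist of application-level entities: (service namespace, operation).
# A packet filter only sees "TCP to port 80"; every sample message below looks like that.
POLICY = {
    ("urn:example:orders", "GetOrderStatus"),
    ("urn:example:orders", "ListOrders"),
}

def extract_operation(soap_text):
    """Return (service namespace, operation) of the first Body child, else None."""
    try:
        root = ET.fromstring(soap_text)
    except ET.ParseError:
        return None
    if root.tag != "{%s}Envelope" % SOAP_ENV:
        return None
    body = root.find("{%s}Body" % SOAP_ENV)
    if body is None or len(body) == 0:
        return None
    tag = body[0].tag                      # ElementTree form: "{namespace}local"
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
    else:
        ns, local = "", tag
    return ns, local

def decide(soap_text):
    """Content-level decision: allow only operations on the policy allowlist."""
    return "allow" if extract_operation(soap_text) in POLICY else "block"

# Constructed sample traffic: identical at the packet level (same destination,
# same port, same Content-Type), different at the SOAP/XML level.
GET_STATUS = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><o:GetOrderStatus xmlns:o="urn:example:orders"><o:id>42</o:id>
  </o:GetOrderStatus></soap:Body></soap:Envelope>"""

PURGE = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><o:PurgeAllOrders xmlns:o="urn:example:orders"/></soap:Body>
</soap:Envelope>"""

NOT_SOAP = "<order><id>42</id></order>"

if __name__ == "__main__":
    for name, msg in [("GET_STATUS", GET_STATUS), ("PURGE", PURGE), ("NOT_SOAP", NOT_SOAP)]:
        print(name, extract_operation(msg), decide(msg))
```

Anything that is not a well-formed SOAP envelope with an allowlisted operation is blocked, which is the default-deny posture the column describes; a real product would also apply limits on message size and structure before parsing.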

In my previous column, we looked at how XML firewalls work, and what kind of protection they offer. In this column, we'll look at the fight for your security dollars between XML firewall vendors and entrenched vendors of traditional firewalls -- and which solution you should choose.

Where the battle lines are drawn
XML firewalls are a relatively recent phenomenon, and because Web services themselves are so new, have yet to gain widespread acceptance. They often are made by startups or companies releasing new technologies, such as Westbridge Technology, Quadrasis, Vordel, Reactivity, Forum Systems and Flamenco Networks.

Companies such as Westbridge focus solely on Web services security, and so their security solutions don't offer traditional firewall features. Rather, they're designed to work in concert with existing firewalls. So an enterprise looking to use an XML firewall from Westbridge would have separate traditional firewalls and XML firewalls -- the traditional firewall for filtering at the packet level, and the XML firewall for examining SOAP and XML, and filtering based on the actual content in the messages.

Traditional firewall vendors, however, contend that two separate firewalls are not necessary -- that XML firewall functionality can be built into existing firewalls. And they're starting to release these kinds of all-in-one products.

In September, traditional firewall vendor Check Point Software Technologies released the newest version of its Check Point VPN-1/FireWall-1, called Next Generation, Feature Pack 3, which includes the ability to verify the validity and integrity of Web services -- in other words, to function as an XML firewall. In addition, it can prioritize Web service traffic by using built-in Quality of Service (QoS) features. Key, though, is that this functionality is built into the traditional firewall at no extra cost, so companies that go with this solution don't have to pay extra for an XML firewall -- they pay once and get both solutions.

XML firewall vendors contend that such an all-in-one solution is inherently inferior to having firewalls devoted to unique security concerns, and in particular say that the complexity of Web services requires a separate firewall -- that there is no real way to "bake in" Web service functionality into traditional, network-level firewalls.

Kerry Champion, founder of Westbridge Technology, claims that there is a "general barrier to network-level firewalls playing effectively at the application level," and so they can't adequately handle Web services. He contends that "fundamentally, network and application level security infrastructure operates on different entities," traditional firewalls on "IPs, ports, packets, protocols, etc." and XML firewalls at the "application level: requestors, SOAP messages, services, operations, XML data elements, etc." He says that traditional firewall vendors like Check Point "will make their network level firewall aware of the SOAP protocol and able to recognize it as a known protocol," but adds that "it seems very unlikely they will fundamentally redefine their tools to consistently operate on application level entities; and therefore there will be continuing significant limitations in their ability to effectively express application-level policies and rules."

Some analysts agree. For example, Yankee Group analyst Matthew Kovar told Infoworld magazine that he is not sure that Check Point will be able to recognize all the different kinds of unauthorized actions and malicious behavior that can be wrought by the use of Web service protocols.

"They haven't done it in the past," he told the magazine, "and it will be a challenge for them going forward." In other words, their XML firewalls won't be able to do the job.

Traditional firewall vendors, of course, claim that they can do it, and say that it makes economic as well as infrastructure sense to have an all-in-one solution, rather than separate solutions. And while Check Point is the first security vendor to offer such all-in-one solutions, expect that eventually every major firewall vendor will do the same.

The bottom line
The bottom line? For now, specialized XML firewalls appear to have the upper hand over traditional firewall vendors that are adding in Web service security capabilities. These new vendors are closer to the market and new technologies, and appear to be a generation ahead of their competitors. Companies like Westbridge are already adding new generations of functionality and add-ons, while traditional firewall vendors are still coming to terms with basic Web services security issues. (For example, Westbridge recently released Westbridge XML SOAP Monitor, a free piece of software that detects XML and SOAP traffic and allows it to be inspected and viewed in real time or saved to a log file.)

Companies that have a big investment in Web services, or expect to have one soon, would do well to look at these startups. On the other hand, companies for whom Web services security is not yet a major issue may do well to consider upgrading their existing firewalls with Web services features from their existing firewall vendor.

Whether all this holds true for the long run remains to be seen. If Web services eventually dominate the enterprise, it's not clear that corporations will be willing to pay for two types of firewalls, and may look for a single solution to their firewall needs. By that time, however, traditional firewall vendors and XML firewall startups may have already started to merge or develop strategic relationships, and the question may become moot.

About the Author

Preston Gralla, a well-known technology expert, is the author of more than 20 books, including "How the Internet Works," which has been translated into 14 languages and sold several hundred thousand copies worldwide. He is an expert on Web services and the author of a major research and white paper for the Software and Information Industry Association on the topic. Gralla was the founding managing editor of PC Week, a founding editor and then editor and editorial director of PC/Computing, and an executive editor for ZDNet and CNet. He has written about technology for more than 15 years for many major magazines and newspapers, including PC Magazine, Computerworld, CIO Magazine, eWeek and its forerunner PC Week, PC/Computing, the Los Angeles Times, USA Today, and the Dallas Morning News among others. As a well-known technology guru, he appears frequently on TV and radio shows and networks, including CNN, MSNBC, ABC World News Now, the CBS Early Show, PBS's All Things Considered and others. He has won a number of awards for his writing, including from the Computer Press Association for the Best Feature in a Computer Publication. He can be reached at

