Traditional firewalls work well with traditional traffic, but screening streams of data like XML requires a shift in technology.
Web services are driving XML use because these services send and receive data using XML messages that are transported via Simple Object Access Protocol (SOAP). Yet XML traffic presents some of the security challenges that have been major stumbling blocks for Web services projects.
XML firewalls are one piece of the puzzle for making Web services secure.
Traditional firewalls examine header information of passing data to determine if it will be allowed to pass through. But such a cursory inspection won't be enough for XML traffic, all of which will slide through because it looks like general Web traffic.
An XML firewall has to go beyond inspecting the packet or protocol level to examining the actual content of the transmission, said Ron Schmelzer, a senior analyst and founder of Waltham, Mass.-based ZapThink, a firm specializing in Web services and XML. "This is much more complicated as messages have to be decrypted or uncompressed without adding latency," he said.
For example, a SOAP message needs to be examined to make sure it's an authorized request, said Jason Bloomberg, another senior analyst with ZapThink, a firm that specializes in security. Examining the message is even more complicated if part or the entire message is encrypted, he said.
Now, some traditional firewalls can do deeper level inspection of data for jobs like checking for viruses, Bloomberg said. But such inspection is pretty "dumb" as it just looks for strings of bytes that could equate to a virus. Examining XML messages is "an order of magnitude more of a challenge," Bloomberg said.
So far, a few approaches have emerged to answer this challenge. Some vendors have created appliances to act as XML firewalls. This approach has the advantage of maximizing performance, a major concern for these products, Schmelzer said.
Other vendors have taken a software approach. These programs can be installed on an application server or other locations and offer more flexibility in terms of where to install the firewall than a hardware appliance.
No one can definitively say which approach will take off, Schmelzer said. The future of XML firewalls depends on the adoption of XML. Currently, only early adopters from financial services and other vertical markets are using XML firewalls.
Schmelzer and Bloomberg predict XML firewalls won't be mainstream until 2003 or 2004.