Reviews

Briefing: XWall 3.0

• By Mike Gunderloy
• May 19, 2004

XWall 3.0
starting at $2500
Forum Systems
Sandy, Utah
(801) 313-4400
www.forumsys.com

With Web services having been around for a few years now, we're finding out that life isn't quite as easy as just throwing objects over the wall on port 80 and reconsituting them on the other end of the wire. Forum offers a number of products designed to make exposing Web services more secure, as well as to improve functionality and interoperability over what's offered by the basic Web services protocols. This week they announced version 3.0 of their XWall Web services firewall. I managed to drag them away from the N+I trade show floor long enough to talk about the new release.

One of the problems to just exposing your WSDL to the world is that this opens you up to a variety of attacks. How will your XML parser react if someone throws a few megabytes of information into what should be a short element? Are you free of SQL injection attacks carried by XML payloads? These are just two of the possibilities covered by Forum's XIP (XML Intrusion Prevention) protocol, which allows you to set parameters on things like the amount or size of traffic, and to do so on a document or element level. You can also secure all or part of a document so that it's only available to particular users, create an audit trail, and hide your actual Web services servers behind the firewall.

The new version adds WS-I 1.0 Basic Profile conformance checking at both design and runtime. One unique capability is that you can decide which parts of WS-I really matter to your organization, and configure the XWall accordingly. A developer can then upload the WSDL they're working on to the XWall, and get back a log or HTML report listing any conformance problems that reflects the corporate choices. The XWall will also help you analyze WS-I failures with plain language explanations of the sometimes cryptic conformance test names.

If you're interested in following up, there's a 90-day free download version on the company's Web site. I'll be taking a more in-depth look myself for a future review.