starting at $2500
After talking with the folks at Forum Systems a month or so ago, I
was interested in trying out their XWall Web services firewall. The
main point of this product, as the name suggests, is to protect you
from attacks on your Web services. How will your XML parser react if
someone throws a few megabytes of information into what should be a
short element? Are you free of SQL injection attacks carried by XML
payloads? These are just two of the possibilities covered by Forum's XIP
(XML Intrusion Prevention) protocol, which allows you to set parameters
on things like the amount or size of traffic, and to do so on a document
or element level. You can also secure all or part of a document so that
it's only available to particular users, create an audit trail, and hide
your actual Web services servers behind the firewall.
More interesting to me as a developer, though, is the ability of the
product to perform WS-I 1.0 Basic Profile conformance checking at both
design and runtime. One unique capability is that you can decide which
parts of WS-I really matter to your organization, and configure the
XWall accordingly. A developer can then upload the WSDL they're working
on to the XWall, and get back a log or HTML report listing any
conformance problems that reflects the corporate choices. The XWall will
also help you analyze WS-I failures with plain language explanations of
the sometimes cryptic conformance test names.
Installing the application was easy (I used the version that runs as a
Windows service, rather than the one that's packaged as a standalone
appliance), and getting the licensing set up didn't take long either.
From there, though, things quickly become overwhelming. There are about
35MB of PDFs to document things here, and none of them have a friendly
name like "Getting Started". I eventually muddled through to what I
wanted - the WS-I piece - but if you're planning to set up the whole
shebang plan on some serious study time to understand how all of the
pieces fit together. Once I found the right spot in the product, though,
the WS-I conformance checking lived up to its advertising; it was easy
to use and quickly pinpointed issues in some WSDL files that I happened
to have hanging around.
I also experimented a bit with setting up proxying from the XWall to
some Web services. There are a batch of different places in the
Web-based UI to visit, but the whole application is structured well
enough that you don't have to real all of that documentation to get
started. I doubt anyone is going to spend $2500 just for conformance
checking - but if your organization is seriously into WSDL, and you have
a chance to influence the choice of a firewall strategy, you might put
in a few good words for XWall. At the very least, it's a
developer-friendly piece of software despite the fact that it's aimed
mainly at systems administrator problems.
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.