Reviews

Review: XWall

• By Mike Gunderloy
• June 14, 2004

XWall 3.1
starting at $2500
Forum Systems
Sandy, Utah
(801) 313-4400
www.forumsys.com

After talking with the folks at Forum Systems a month or so ago, I was interested in trying out their XWall Web services firewall. The main point of this product, as the name suggests, is to protect you from attacks on your Web services. How will your XML parser react if someone throws a few megabytes of information into what should be a short element? Are you free of SQL injection attacks carried by XML payloads? These are just two of the possibilities covered by Forum's XIP (XML Intrusion Prevention) protocol, which allows you to set parameters on things like the amount or size of traffic, and to do so on a document or element level. You can also secure all or part of a document so that it's only available to particular users, create an audit trail, and hide your actual Web services servers behind the firewall.

More interesting to me as a developer, though, is the ability of the product to perform WS-I 1.0 Basic Profile conformance checking at both design and runtime. One unique capability is that you can decide which parts of WS-I really matter to your organization, and configure the XWall accordingly. A developer can then upload the WSDL they're working on to the XWall, and get back a log or HTML report listing any conformance problems that reflects the corporate choices. The XWall will also help you analyze WS-I failures with plain language explanations of the sometimes cryptic conformance test names.

Installing the application was easy (I used the version that runs as a Windows service, rather than the one that's packaged as a standalone appliance), and getting the licensing set up didn't take long either. From there, though, things quickly become overwhelming. There are about 35MB of PDFs to document things here, and none of them have a friendly name like "Getting Started". I eventually muddled through to what I wanted - the WS-I piece - but if you're planning to set up the whole shebang plan on some serious study time to understand how all of the pieces fit together. Once I found the right spot in the product, though, the WS-I conformance checking lived up to its advertising; it was easy to use and quickly pinpointed issues in some WSDL files that I happened to have hanging around.

I also experimented a bit with setting up proxying from the XWall to some Web services. There are a batch of different places in the Web-based UI to visit, but the whole application is structured well enough that you don't have to real all of that documentation to get started. I doubt anyone is going to spend $2500 just for conformance checking - but if your organization is seriously into WSDL, and you have a chance to influence the choice of a firewall strategy, you might put in a few good words for XWall. At the very least, it's a developer-friendly piece of software despite the fact that it's aimed mainly at systems administrator problems.