
XML Threat Protection

XML firewalls address application-level, message-based XML threats


The Problem: Traditional Firewalls Don't Address XML Threats

By providing a common, standards-based framework for exposing APIs and exchanging data, XML and Web services simplify information integration, but at the cost of introducing potential new vulnerabilities. Many of these vulnerabilities represent new kinds of risk that reflect the unique way XML is structured, processed and composed into a Web services transaction. For example, a malformed IP packet doesn't break a router, but a malformed XML message can disable the XML parser inside an application. Traditional applications with closed APIs generally aren't vulnerable to direct exploitation. With Web services, applications are exposed directly to the outside world through open, XML-based APIs, making them directly susceptible to content, attachment or execution attacks carried inside an XML message. And since Web services are by definition an integration technology, they are also at risk from transactional threats such as message interception, hijacking or spoofing. Addressing all of these XML and Web services vulnerabilities requires a new kind of application-level XML threat detection, prevention and remediation technology.

Solution: Application-level Firewalls

There are three classes of exploits that Web services are particularly susceptible to:

Infrastructure Attacks

  • OS exploits that undermine a host’s execution environment
  • Parser attacks that compromise a Web service's performance or operation
  • DoS type attacks that degrade a Web service’s availability

Application Attacks

  • WSDL API scanning and address discovery
  • XML message content manipulation, injection and malformation
  • SOAP attachments that carry viruses

Transactional Attacks

  • Manipulation or inspection of data during transmission
  • Spoofing an identity during a communication
  • Hijacking a communication session

To effectively protect Web services against these three classes of threats, specialized software or hardware is required that can inspect XML and Web services communication for potential risks and either block the offending behavior or remedy the vulnerability. The Layer 7 SecureSpan XML Data Screen and XML Firewall are unique among XML security products and Web services Gateways in fully addressing the broad spectrum of risks associated with XML and Web services communication.

Layer 7 Value: XML Firewall and Data Screen

The Layer 7 SecureSpan Data Screen and Firewall provide the most comprehensive infrastructure protection of any XML threat protection device on the market. The parser is based on Layer 7's FastPath™ XML Stream Processor. Designed specifically for speed and safety, the parser limits XML processing to policy-defined instructions: XML messages are never parsed beyond what the policy explicitly calls for. This ensures that the SecureSpan XML appliances continue to function when processing recursive payloads or SOAP Bombs, threats that can disable some XML security products that rely on traditional parsing. Similarly, application-level DoS attacks based on an excess of Web service requests or failed authentications will not affect a SecureSpan XML appliance's availability. DoS restrictions can be set inside the SecureSpan Manager to automatically throttle or drop requests that exceed a frequency or size threshold.
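As an added illustration (not Layer 7's code or a description of the FastPath processor), here is a policy-limited streaming screen written against Python's standard-library expat parser. It enforces the kinds of size, nesting-depth and element-count limits described above and refuses DOCTYPE declarations, so a recursive payload or entity-expansion "SOAP Bomb" is rejected at the first violation rather than parsed to completion; the limit values and sample messages are constructed.

```python
import xml.parsers.expat

class XmlScreenError(ValueError):
    """A message violated a screening limit or was malformed."""

def screen_xml(payload: bytes, max_bytes: int = 64 * 1024,
               max_depth: int = 32, max_elements: int = 5000) -> dict:
    """Stream-parse payload, enforcing limits as elements arrive; stops at the first violation."""
    if len(payload) > max_bytes:
        raise XmlScreenError(f"message size {len(payload)} exceeds {max_bytes} bytes")
    stats = {"depth": 0, "max_depth": 0, "elements": 0}
    parser = xml.parsers.expat.ParserCreate()

    def start_element(name, attrs):
        stats["elements"] += 1
        stats["depth"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > max_depth:
            raise XmlScreenError(f"nesting depth exceeds {max_depth}")
        if stats["elements"] > max_elements:
            raise XmlScreenError(f"element count exceeds {max_elements}")

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # SOAP messages never need a DTD; refusing it blocks entity expansion outright.
        raise XmlScreenError("DOCTYPE declarations are not allowed")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = lambda name: stats.__setitem__("depth", stats["depth"] - 1)
    parser.StartDoctypeDeclHandler = start_doctype
    try:
        parser.Parse(payload, True)  # an exception raised in a handler aborts the parse
    except xml.parsers.expat.ExpatError as exc:
        raise XmlScreenError(f"malformed XML: {exc}") from exc
    return {"max_depth": stats["max_depth"], "elements": stats["elements"]}

def screen_verdict(payload: bytes) -> str:
    """Gateway-style decision: 'allow' or 'block: <reason>'."""
    try:
        screen_xml(payload)
    except XmlScreenError as exc:
        return f"block: {exc}"
    return "allow"

# Constructed sample messages (not from the page): a normal request, a recursive payload, an entity bomb.
GOOD = b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><GetQuote><Symbol>L7</Symbol></GetQuote></soap:Body></soap:Envelope>'
DEEP = b"<a>" * 1000 + b"</a>" * 1000
BOMB = b'<!DOCTYPE x [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]><x>&b;</x>'
```

The frequency threshold mentioned above (requests per client per time window) is a separate counter kept outside the parser; this block covers only the per-message size and structure limits.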

To address application security concerns, the SecureSpan Data Screen and XML Firewall provide several unique features that deliver the most robust application-level threat protection for XML and Web services on the market. WSDL APIs can be automatically virtualized and access-controlled based on a requestor's identity. Content-borne threats such as SQL injection and schema poisoning can be automatically blocked using Layer 7's first-of-its-kind ASIC technology for accelerated schema validation and XML content detection. If viruses are passed inside a SOAP attachment, Layer 7 delivers a first-to-market ability to scan for and remove offending payloads, leveraging Symantec's leading virus scanning technology.

While Web services application threats are the most frequently discussed kind of vulnerability, in many ways they are not the most troubling. Web services are an integration technology and, unlike Web applications, are susceptible to integration or transactional vulnerabilities. Examples include man-in-the-middle attacks (identity spoofing inside a communication session), replay attacks (where a message is intercepted and resent), eavesdropping, token interception, message tampering and so forth.

To guard against these threats, Layer 7 implements the latest WS-* standards, including WS-Security, WS-SecureConversation, WS-SecurityPolicy, WS-SecureExchange and WS-Policy, across device clusters to ensure transaction integrity.
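To make the replay threat from the previous paragraph concrete, here is an added example (not Layer 7's code) of the check a gateway applies to a WS-Security UsernameToken: the wsu:Created timestamp must fall inside a freshness window, and the wsse:Nonce must not have been seen before within that window. The namespace URIs are the real OASIS WS-Security 1.0 ones; the envelope, user name and nonce values are constructed.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# OASIS WS-Security 1.0 namespaces; the envelope built below is constructed.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

def utc_epoch(stamp: str) -> float:
    """Convert a wsu:Created value such as 2024-01-01T12:00:00Z to epoch seconds."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

class ReplayGuard:
    """Reject UsernameToken messages whose Created is stale or whose Nonce was already used."""

    def __init__(self, freshness_seconds: int = 300):
        self.freshness = freshness_seconds
        self.seen = {}  # nonce -> time after which it no longer needs remembering

    def check(self, envelope: bytes, now: float) -> str:
        root = ET.fromstring(envelope)
        token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
        if token is None:
            return "reject: no UsernameToken"
        nonce = token.findtext(f"{{{WSSE}}}Nonce")
        created = token.findtext(f"{{{WSU}}}Created")
        if not nonce or not created:
            return "reject: missing Nonce or Created"
        # The freshness window also bounds how long a nonce must be remembered.
        if abs(now - utc_epoch(created)) > self.freshness:
            return "reject: Created outside freshness window"
        self.seen = {n: exp for n, exp in self.seen.items() if exp >= now}
        if nonce in self.seen:
            return "reject: nonce already used (replay)"
        self.seen[nonce] = utc_epoch(created) + self.freshness
        return "accept"

def sample_envelope(nonce: str, created: str) -> bytes:
    """Build a constructed SOAP request carrying a UsernameToken header."""
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
            f'<wsse:Username>alice</wsse:Username><wsse:Nonce>{nonce}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken></wsse:Security>'
            f'</soap:Header><soap:Body><GetQuote/></soap:Body></soap:Envelope>').encode()
```

This check assumes the message has already passed parser screening and that the token's credentials or signature are verified separately; nonce and timestamp checks only stop reuse of a captured message, not forged ones.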
