RE: [STF] Additional security usage scenarios - comments on firewall usage scenario

 

-----Original Message-----
From: Hal Lockhart [mailto:hal.lockhart@entegrity.com]
Sent: Monday, August 05, 2002 11:35 AM
To: 'Steven A. Monetti'; Hugo Haas; www-ws-arch@w3.org
Subject: RE: [STF] Additional security usage scenarios - comments on firewall usage scenario




 However, firewalls do that today by applying heuristics (guesses) to the
content of the data, without referring to SOAP headers at all. It seems to
me that header checking would only be effective if the headers were hard to
spoof, leading to a heavy duty processing requirement at odds with the idea
of preventing DOS. Thus we may consider these two objectives to represent a
tradeoff. 

A new category of products that might be called "SOAP-aware firewalls" or
"XML Proxies" is emerging.  See the (abstract, I'm afraid) ZapThink report
at
http://www.zapthink.com/reports/ZTR-DI101.html?PHPSESSID=a06b80121e3e07a2b4cf7a93e4f7350c
"Enterprises will implement "XML Proxies," which can be
either hardware Network Appliances, software Proxies, or software Firewalls,
as a transparent layer over current LAN and WAN traffic, monitoring and
acting on XML data as dictated by pre-configured rules."

It might be helpful if someone whose employer subscribes to ZapThink or has
purchased this report could summarize any architectural implications that
the authors may draw for the rest of us.  Alternatively, several vendors who
are on the WG appear to be mentioned (Contivo, Cisco, Nortel, ...) and
perhaps they can help us understand this area.

There was also a recent press release from http://www.reactivity.com/
describing their SOAP/XML firewall product.

The probable existence of such products has clearly been factored into some
proprietary web services architectures such as Microsoft GXA.  It's clear
that we are going to need to closely watch this space and think about how
they fit into our reference architecture.  

 

Received on Monday, 5 August 2002 12:06:37 UTC