The case of XML firewalls
June 6th, 2004 by Jiri
As security slowly and steadily moves from the infrastructure to the application layer, we will see more frequent use of XML firewalls. XML firewalls have the potential to become the foundation of some sort of corporate data integrity service responsible for checking the data coming in and out of security domains for corrupted or malicious content. However, in the short term I do not see a strong rationale for putting XML firewalls in place.
It seems there are two ways in which app firewalls are intended to be used. The first is to sit between the presentation and application layers (web and app server) and wade through the XML traffic to filter out would-be hackers fiddling with the application web interface. The second high-level function that an XML firewall can (at least theoretically) perform is to inspect messages coming from untrusted parties for malicious or corrupted content.
You can achieve the first function using properly configured web servers, app servers and business logic that implements input validation.
As far as the second function goes, there are indeed some application firewalls out there that can validate message schema, but to get malicious content detection you would have to write your own code. The problem is that you can get the same thing from most EAI hubs. And the developers who would be writing the validation/detection logic will probably be your EAI guys.
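As an added example (not code from the original post), this is input validation done in the application itself: the structural checks a schema would enforce, followed by hand-written content allow-lists. The `<order>` message format, the field rules and the size limit are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

MAX_BYTES = 4096  # assumed upper bound for one message
CUSTOMER_RE = re.compile(r"[A-Z0-9-]{1,20}")  # assumed customer id format
SKU_RE = re.compile(r"[A-Z]{2}-\d{4}")        # assumed SKU format

def validate_order(raw):
    """Return a list of rejection reasons; an empty list means accept."""
    if len(raw) > MAX_BYTES:
        return ["message too large"]
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ["not valid UTF-8"]
    # Refuse DTDs outright so entity declarations never reach the parser.
    if "<!DOCTYPE" in text:
        return ["DTD not allowed"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed: {exc}"]
    if root.tag != "order":
        return [f"unexpected root element {root.tag!r}"]
    errors = []
    # Structural checks: what a schema would enforce.
    unknown = sorted({child.tag for child in root} - {"customer", "item"})
    if unknown:
        errors.append(f"unexpected elements: {unknown}")
    customers = root.findall("customer")
    items = root.findall("item")
    if len(customers) != 1:
        errors.append("exactly one <customer> required")
    if not items:
        errors.append("at least one <item> required")
    # Content checks: allow-lists on values, the part you write yourself.
    for customer in customers:
        if not CUSTOMER_RE.fullmatch(customer.text or ""):
            errors.append("customer id fails allow-list")
    for item in items:
        if not SKU_RE.fullmatch(item.get("sku", "")):
            errors.append("item sku fails allow-list")
        qty = item.get("qty", "")
        if not (qty.isascii() and qty.isdigit() and 1 <= int(qty) <= 1000):
            errors.append("item qty out of range")
    return errors
# Constructed sample messages: one acceptable, one with bad content.
GOOD = b'<order><customer>ACME-001</customer><item sku="AB-1234" qty="3"/></order>'
BAD = b"<order><customer>ACME-001'; --</customer><item sku='AB-1234' qty='-5'/><debug/></order>"
```

`validate_order(GOOD)` returns an empty list, while `validate_order(BAD)` reports the stray element, the customer id and the quantity.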
There are more XML firewall functions than I mentioned, but even then I am asking myself a question: "Why would you want to make the solution more complicated and more expensive by using extra software, when most security functionality can be achieved by properly using non-security components?"
Answering this question, the most likely rationale for XML firewalls would be based around the decision about the extent to which you need to separate security from functional components.
I suspect that in the beginning many companies will be quite happy implementing security functionality without any XML firewalls. It will take time and several high-profile security incidents at the data level before people start wanting to extract XML firewalling functions from a more general functional XML infrastructure.
Although some may not like it, I think this is fine. In the end, security is about managing risks. And although XML data integrity risks seem plausible and possible, there is not much real-world evidence to prove that the risks which they protect against are serious. At least so far.
XML Firewalls vs. Controls
Jiri talks about XML firewalls and thinks that they are somewhat superfluous as controls can be implemented on the application…