XML Firewalls – Stopping Attacks at the Top of the Stack

XML firewalls are an important component in implementing a secure parameter in today’s XML-laden world. After more than a decade since its incipience, XML has become a fact of life; however, it is notoriously verbose, relatively costly to process, and it opens up many new attack vectors. Surprisingly, many engineers and IT pros have not deployed or worked with this type of gateway and are unaware of the benefits and capabilities they provide.

These defensive devices are akin to the low-level firewalls that we are all familiar with except that they scan entire messages at the top of the stack, in the application layer rather than packets at the IP layer. This is an important difference because, as many, including Scott Charney, VP of Trustworthy Computing at Microsoft, said at RSA earlier this year, attacks are happening in increasing numbers at this level not further down where they’ve traditionally taken place.

– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –
Free Whitepaper: Building a Web Application Security Program
– – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – – –

Most XML gateways not only scan documents as they enter your perimeter, they also perform a number of other functions such as:

  • Message translation
  • Service virtualization
  • Content-based routing
  • Caching
  • Logging
  • Monitoring
  • Authentication

Some integrate into your existing PKI, support SAML, WS-Security, RESTful services, and most perform crypto at blazing speeds in hardware.

The following table summarizes some popular products in this space:




ACM XML Gateway (PKA Reactivity)




XML Security Gateway


Web Services Domain Boundary Controller

How much does one of these cost? Some cost more than others of course, and you may be able to get a discount. They aren’t cheap though (in my book at least). These devices will cost you about as much new luxury car, e.g., a BMW Z4 or a convertible Mercedes-Benz SLK. WOW! I know; you’ll definitely have to get your boss to pay for it.

Travis Spencer

About Travis Spencer

Travis Spencer is a software engineer at Fiserv, specializing in federated identity, Web services, SOA, and multitenant distributed systems. In applying his expertise to the financial industry, Travis has gained an acute understanding of the importance of digital identity management, security, and the need for interoperability among heterogeneous systems. Travis has almost 10 years of IT-related experience that includes supercomputing, ecommerce, enterprise application development, and more. Travis is especially passionate about cloud computing and sees it as an exciting opportunity for entrepreneurs and innovative organizations.

, , ,

No comments yet.

Leave a Reply