Please wait while the page is being loaded Skip this advertisement >
ARN

Web services may threaten enterprise security

Michael Crawford (Computerworld)  22 February, 2006 08:09:39
Have your say!
Add to Google
ARN Directory | Distributors relevant to this article
Altech Computers , Annuity Systems , ASI Solutions , Cellnet , Compucon Computers , Computerlinks , Corporate Computer Resources , EDsys Computers , Express Data , Express Online , Firewall Systems , Impact Systems Technology , Infortech Distribution , Ingram Micro Australia , LDS International , Leader Computers , Leading Pacific Australia , NewLease , Simms International , Synnex Australia , Topstar Computer International , Unixpac , Westan , XiT Distribution , Xpress I.T.

Clear text messages used in transferring applications via Web services can potentially slip through existing security hardware allowing malformed code to run rampant within organizations.

Typically malicious code such as Trojans and worms are detected at the gateway; however, current XML and SOAP attachments (Simple Object Access Protocol) can potentially allow threats to enter the network, as well as information leakage.

Dean Dierickx, Asia-Pacific director of Forum Systems, said existing firewalls are blind to XML- and SOAP-based messages.

"Adding to the problem is security controls built into Web services applications, which offer a compromise in performance and as a result are systematically being turned off," Dierickx said.

"Because some tools allow developers to write security (like access control) into layers and because of how much demand it makes on the application server, the number of CPUs to parse and validate bogs down application performance; system operators are turning the security off because of application degradation issues."

Dierickx said the likes of Microsoft and BEA have made it easy to write Web services and security problems are now surfacing.

"We are now hearing of Schema poisoning and XML perimeter tampering, and probably another 12 different ways for Web services application breaches to [appear]," he said.

"For companies writing Web services applications using SOAP with attachments, systems need to be set up to scan and detect code coming in on an XML payload, because no existing infrastructure can detect if a company has been breached."

Amer Qureshi, director of Forum systems field operations, said scanning attachments for Web services applications is vital at the network perimeter, before the applications are allowed into the enterprise infrastructure.

"XML attachments work the same as e-mail, but there are no application servers exchanging information and people interact directly with the application; the attachments can be anything so it is vital to scan these documents at the edge of the perimeter before they are let inside the infrastructure."

Crossbeam Systems, in partnership with Forum Systems, released their unified threat management solution X-Series across Australia this week The X-Series is a three-blade chassis offering VPN, IDS/IPS, antivirus, HTTP scanning, URL filtering, Web Firewall, Application Firewall and XML firewall.

Comments

Post new comment

Users posting comments agree to the ARN comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
The content of this field is kept private and will not be shown publicly.
Enter the fully qualified URL, eg. http://www.example.com/
  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.

More information about formatting options

Syndicate content
Careerone Job Search
Job seekers Get job alerts | Post your resume online | Interview tips | Ask Kate
Advertisers Click here to advertise your jobs to thousands of job seekers monthly.
 
ARN Distributor Directory
 
Find distributors by name
Find distributors by vendor
Find distributors by location
ARN Vendor Directory
 
Find vendors by name | Find by category
ARN Community Comments
Most Commented
ARN Library


Read Material

Best Practice for Energy Efficient Storage Operations

SNIA’s independent best practice recommendations for improving environmental efficiency in data centre storage operations.

Subscribe to ARN

ARN has been the premier provider of information to the Australian IT channel for more than 12 years. As the only weekly publication dedicated to the channel, ARN produces timely, accurate news and analysis about IT business issues, products and services, new technology and market opportunities.
Sponsored Links