developerWorks > Bobby Woolf: WebSphere SOA and J2EE in Practice > ... > WebSphere DataPower > XML Firewall
XML Firewall
Added by bwoolf, last edited by bwoolf on Jun 11, 2006  (view change)

In my mind, the killer app for the WebSphere DataPower products is their ability to act as XML firewalls.

Network firewalls usually filter on addresses and ports. They let any traffic through as long as it arrives on an allowed port, and they usually don't inspect the content of that traffic.

An XML firewall inspects the content of traffic that's supposed to be XML. It verifies that the traffic really is well-formed XML, and that the document is reasonably sane: within size and nesting limits, free of constructs the service has no reason to accept, and (where a schema is available) valid against what the service expects.

It turns out there are a number of relatively simple XML tricks that can crash, or hang with exhausted memory or CPU, just about anything running an XML parser. This isn't a weakness of any one product, but a consequence of the way XML is structured and parsed: a document may declare entities that expand to many times the size of the input, nest elements arbitrarily deep, or reference external resources, so a parser that simply trusts its input can be made to do work out of all proportion to the bytes it received.

As long as the only input from the Web that your application accepts is URLs with parameters, you're fairly well protected (although URL parameters can be abused too). But once you start accepting incoming XML documents, such as when hosting a Web service (SOAP-based or otherwise), you're trusting that everyone on the network who calls your service sends a reasonable XML message. What if someone doesn't?

Thus I believe that any enterprise that accepts incoming XML from the Internet (or from some other network where not everyone can be trusted) should be using DataPower (or some other XML firewall) to validate the traffic and protect the apps.
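To make "reasonably sane" concrete, here is an added example (not DataPower's code, and not from the original post) of the kind of pre-parse check an XML firewall performs before a message ever reaches the application's own parser. It drives Python's expat binding with handlers that abort parsing the moment a policy limit is hit, so the hostile parts of a message are never expanded. The limits, the refuse-any-DOCTYPE policy, and the three constructed sample messages (a plain SOAP request, a message whose DTD declares recursively expanding entities, and one nested far deeper than any real request) are assumptions chosen for this illustration; the two hostile samples are standard textbook cases of parser abuse, not anything the post itself names.

```python
"""
Pre-parse sanity check for incoming XML, in the spirit of what an XML
firewall does in front of an application server.

Added illustration, not DataPower code. MAX_BYTES, MAX_DEPTH, MAX_ELEMENTS
and the "no DOCTYPE at all" rule are assumed policy values for the example.
"""
import xml.parsers.expat

MAX_BYTES = 64 * 1024      # assumed per-message size cap
MAX_DEPTH = 32             # assumed element nesting limit
MAX_ELEMENTS = 10_000      # assumed total element count limit


class Rejected(Exception):
    """Raised from inside an expat handler to stop parsing immediately."""


def check_xml(data: bytes):
    """Return (accepted, reason) for a candidate message.

    The bytes are fed to expat with handlers that raise Rejected as soon as a
    policy limit is hit; expat stops on the first exception, so an entity bomb
    is refused at its DOCTYPE before any entity is ever expanded.
    """
    if len(data) > MAX_BYTES:
        return False, f"message too large ({len(data)} bytes)"

    state = {"depth": 0, "elements": 0}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE is where entity declarations live (internal subset) and
        # where an external DTD is pulled in. A Web service request from an
        # untrusted network needs neither, so the whole document is refused.
        raise Rejected("DOCTYPE declaration not allowed")

    def on_entity(*args):
        # Belt and braces: never reachable once DOCTYPE is refused.
        raise Rejected("entity declaration not allowed")

    def on_start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > MAX_DEPTH:
            raise Rejected(f"nesting deeper than {MAX_DEPTH}")
        if state["elements"] > MAX_ELEMENTS:
            raise Rejected(f"more than {MAX_ELEMENTS} elements")

    def on_end(name):
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end

    try:
        parser.Parse(data, True)
    except Rejected as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"not well-formed XML: {exc}"
    return True, "ok"


# Constructed sample messages for the demonstration.
SANE_MESSAGE = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getQuote><symbol>IBM</symbol></getQuote></soap:Body>
</soap:Envelope>"""

# Recursive entity expansion: a few lines of DTD that a trusting parser
# turns into a huge in-memory string (kept small here; real ones go deeper).
ENTITY_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

# Pathological nesting: 41 levels deep, well past the assumed limit of 32.
DEEP_NESTING = b"<r>" + b"<x>" * 40 + b"</x>" * 40 + b"</r>"

if __name__ == "__main__":
    for label, msg in [("sane", SANE_MESSAGE), ("entity bomb", ENTITY_BOMB),
                       ("deep nesting", DEEP_NESTING), ("malformed", b"<a><b></a>")]:
        print(f"{label:13s} -> {check_xml(msg)}")
```

Refusing any DOCTYPE is the simplest defence against both entity expansion and external-entity retrieval; a service that genuinely needs a DTD would replace that rule with limits on entity count and expansion size. Schema validation against the service's WSDL types is the natural next step after a message passes this check, and the same shape of check can be applied to JSON or any other structured payload.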

For more information, see "The (XML) threat is out there..." by Bill Hines (developerWorks; March 22, 2006).
