Teros enters XML security space

Application firewall maker Teros has added the XML security features to its Secure Application Gateway product line.

Application firewall maker Teros has added the XML security features to its Secure Application Gateway product line.

Customers will be able to choose to use the features for either an XML or HTML security appliance, or use it to protect against both XML and HTML-based attacks, said Greg Smith, senior director of product marketing at Teros.

The gateway is the first step in an initiative to add more security features for web services into its application gateway platform, Teros said.

The latest features will allow the Teros gateway to inspect XML traffic using Soap for many of the same attacks it looks for in HTTP  traffic, such as buffer overflows and SQL (Structured Query Language) injection attacks.

As it does with web application traffic, Teros' Web Services Security Gateway collects, parses and reconstructs Soap communications to web services, then inspects that traffic in detail.

"We know that network level security infrastructure is too simple. You can't expect those devices to begin to protect [web services]. You have to be able to see the same things [web services] applications see," he said.

Teros has an adaptive learning engine that studies XML messages sent and received by a web services installation, then recommends policies for constraining input to the WSDL (Web Services Description Language) interfaces.

The company is planning to release more complex XML security features in the second quarter, including the ability to analyse SAML (Security Assertion Markup Language), an XML standard for user authentication and WS-Security, a security standard for exchanging data between web Services.

Teros believes it is the first application firewall supplier to add XML-based security, Smith said.

However, an executive from Teros's competitor NetContinuum said that the new Soap inspection features are nothing new, and that his company's product has long offered similar protections.

"We've had basic XML support for some months," said Wes Wasson, vice-president of marketing at NetContinuum. The company has not publicised the features because "there aren't  too many threats that are Soap-based", he said.

Like Teros, NetContinuum can do so-called "deep inspection" of Soap traffic and lock out traffic to Soap interfaces on application servers that do not have web services enabled. The company also has further XML security features on its road map, he said.

Teros, NetContinuum and other application firewall makers are also in competition with specialised XML gateway makers such as DataPower and Forum Systems.

Application firewall providers such as Teros and NetContinuum can provide some XML security, especially for companies that are not deploying public web services and want to protect themselves from web services attacks, but do not provide adequate protections for real web services deployments, said Eugene Kuznetsov, chairman and chief technology officer of DataPower.

DataPower's XS40 XML Security Gateway protects web services installations from a host of threats, such as XML-based denial-of-service attacks, buffer overruns and invalid data injection attacks.

They can also do more processing-intensive functions such as XML schema verification, and verification of XML security functions such as XML Encryption, XML Signature and WS-Security, DataPower said.

Teros' Web Services Security Gateway will ship at the end of March. Existing Teros customers will be able to add XML security features to their existing appliances.

Like the Secure Application Gateway, the Web Services Security Gateway will start at about $20,000. No price has been set for the combined web services and web application firewall.

Paul Roberts writes for IDG News Service

Read more on IT architecture