Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Firewall Wizards: Re: XML firewalls

Re: XML firewalls

From: Eugene Kuznetsov <ekuznets_at_us.ibm.com>
Date: Mon, 20 Feb 2006 10:08:46 -0500

Well, naturally, I cannot resist*. There is quite a few things that are
commonly considered part of best practice. You mention some of them
already. First, there is verifying that the XML is well-formed and does
not have malicious characteristics. Second, there's verifying the
structure and value ranges, usually accomplished using XML schema
validation. In web services setting, there are WSDL files that can be
thought of as describing the schema structures of all the RPC requests &
responses. Third, there is various kinds of additional policy filters
(e.g., do not allow "deleteAllInvoices" method to be called from the
outside), and this is achieved using standards such as XPath or some the
policy languages. The user interface to almost all of this should be an
easy-to-use UI, of course, but underneath it is these specs that make
things works. Fourth, there is good old authentication, authorization and
audit, where SAML, XACML and integration with LDAP or various existing SSO
systems make their appearance. At this stage you can apply fine-grained
policies such as: "user Arkanoid not allowed to invoke "getInvoice" method
iwth argument greater than 100 after 5pm", all at the network level
(outside the application code). Fifth is various message-level crypto,
transcription, routing and service virtualization steps. And there are
some more, potentially. Gartner had put out a list of best practices at
some point, as well.

I'll include some links below for more information and further reading,
but the above is the really interesting thing here that's happened with
XML firewalls, web services security and the like. For the first time,
security professionals can both enforce a positive security model (with
known-good protocol descriptions & schemas) and apply application-level
policy (down to parameters in a function call) in the network, using a
secure device. All using open standards that are decoupled from the
application. This isn't easily done with DCOM, CORBA or other types of
old-style RPC traffic, you just can't get an operationally scalable level
of control, and everyone spends a lot of time trying to block "known bad"
traffic.

So quite aside from whether you have an XML security problem today, this
is an interesting development for security in general, and something that
is only made possible by standardization of the application-to-application
protocols around XML, SOAP, web services, etc. 

---
* Disclaimer: I founded DataPower, a maker of XML-aware network devices 
that was recently acquired by IBM, which now sells XML Security Gateway, 
among other products. http://www.datapower.com
---
Links:
XML Schema - http://www.w3.org/XML/Schema
XACML - http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml
Misc XML security info - http://www.securewebservices.org 
IBM DataPower XS40 product info - 
http://www.datapower.com/products/xs40.html
ArkanoiD <ark_at_eltex.net> 
Sent by: firewall-wizards-admin_at_honor.icsalabs.com
02/13/2006 06:35 AM
To
firewall-wizards_at_honor.icsalabs.com
cc
Subject
[fw-wiz] XML firewalls
nuqneH,
I wrote this to the list a couple of years ago, but no one answered , 
though
i see some XML firewall people here.
Could anyone provide some comments on this lines:
> On SOAP and other http+xml combos: how do you create security polices
> for passing xml-based messages through firewall? 
I've read WS-SecurityPolicy paper, seen some ads of XML firewalls but have 
not seen any good example on how that works for any simple XML-based 
protocol.
Let's start with, say, jabber: i'd like to write a policy that logs sender
ids and restricts everything other to fit official jabber schema without 
vendor extensions. Could anyone show me how can that be achieved with 
current
products?
 
----- Forwarded message from ArkanoiD <ark_at_eltex.ru> -----
Delivered-To: firewall-wizards_at_honor.icsalabs.com
From: ArkanoiD <ark_at_eltex.ru>
To: firewall-wizards_at_honor.icsalabs.com
Reply-To: ark_at_eltex.net
X-Mailer: Mutt 1.0.1i
Subject: [fw-wiz] Future and past firewalls (was "firewalls comparison")
Errors-To: firewall-wizards-admin_at_honor.icsalabs.com
X-BeenThere: firewall-wizards_at_honor.icsalabs.com
X-Mailman-Version: 2.0.13
Precedence: bulk
List-Help: <
mailto:firewall-wizards-request_at_honor.icsalabs.com?subject=help>
List-Post: <mailto:firewall-wizards_at_honor.icsalabs.com>
List-Subscribe: <
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards>,
                 <
mailto:firewall-wizards-request_at_honor.icsalabs.com?subject=subscribe>
List-Id: Firewall Wizards Security Mailing List 
<firewall-wizards.honor.icsalabs.com>
List-Unsubscribe: <
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards>,
                 <
mailto:firewall-wizards-request_at_honor.icsalabs.com?subject=unsubscribe>
List-Archive: <http://honor.icsalabs.com/pipermail/firewall-wizards/>
Date: Fri Jun 25 06:35:37 2004
X-Original-Date: Fri, 25 Jun 2004 14:23:44 +0400
nuqneH,
I've read "Advanced Screening" article on Infosecuritymag site and i'd 
like to
share some thoughts on it.
The fist impression was quite good, i'd say, things are not as bad as i 
supposed ;-)
There still IS market for advanced firewalling as i see it and there are
professionals that are interested in tools for having things controlled.
But some questions are still unanswered. Those are:
As i stated before, there are TWO completely different things, both called
"firewall". Devices for protecting DMZ servers, focused on scalability, 
fault 
tolerance, high performance, IPS capabilities and DoS resistance. And 
there are 
devices for protecting LANs, with completely different feature 
requirements:
advanced application ispection and granular control. Why do everyone mix 
those two?
Diffrent boxes, different designs and sure, different vendors.
(I've found it to be a very good sign that VPN features are left aside in 
this
comparison, looks like people finally realized the obvious thing firewall 
itself
is not required to be VPN box, though it usually can ;-))
On SOAP and other http+xml combos: how do you create security polices
for passing xml-based messages through firewall? I still do not have this
feature, but i definitely need it and i'd like to see a wishlist and 
references
on how do others implement it.
The same question applies to IIOP, which was not even noted in the 
article, though
2 years ago everyone talked about it.
Is IPS in its traditional meaning important for proxy firewalls? My 
personal 
impression that it is more important to have advanced protocol parsing 
that will
drop questionable content regardless if there is known vulnerability 
abused this way
or not rather that to have up to date "signature database". When i see new 
vulnerability, i often do check if my proxies are paranoid enough. For 
http/html, it
is about 70% of "unknown" bad things being blocked a priori. For lpd, it 
is 
about 100% ;-), for cvs-pserver - 50%, etc etc, YMMV. Does not look good 
enough to
rely on it? Sure, but it is just because of my lack of resources to 
analyse
vulnerabilities and making content ispection more deep. 
What's wrong with Cyberguard? It was blamed in the article for "legacy 
design",
what do they mean?
Does Netscreen really do in-depth IMAP inspection? The protocol is 
terribly
complicated :-(
P.S. (some advertising ;-)
Though there still are some corporate, goverment and bank installations of 
my 
creature, it becomes mostly like academic project at the moment ;-). Here 
is the 
core code snapshot (sorry, almost no documentation, but it should look 
familliar to
you if you have expirience with TIS/NAI fwtk, there even is an API that 
resembles
old one so you may compile any fwtk proxy with it). We are interested in 
any
commercial proposals on the thing.
http://milliways.chance.ru/~ark/soft/ADVAopenfwtk-pre2.tar.gz
$ md5sum ADVAopenfwtk-pre2.tar.gz 
86065d63d96e03479bdba627f279753b  ADVAopenfwtk-pre2.tar.gz
It is pre-release code, so no public license - if you want to use it, just 
write
me a email.
Legacy proxies that did not pass QA are not included, you may get them at 
fwtk.org
in "patches" section.
----- End forwarded message -----
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Feb 20 2006
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos