Trust me, I’m on the Web

A new sample XML filter from Microsoft can be used as a way to help customers secure their networks as they embrace Web services.

One of the benefits of XML is that it allows access to, and analysis of, data via the Internet in the user’s choice of application. For example, a company might develop a purchasing application which could automatically obtain price information from a variety of vendors, allow the user to select a vendor, submit the order and then track the shipment until it is received.

The vendor application, in addition to making its services available on the Web, might in turn use a number of XML Web services to accomplish different parts of the transaction, such as checking the customer’s credit, charging the customer’s account and setting up the shipment with a shipping company. In order to deliver this effectively, companies will need to integrate security into their deployment of Web services.

But although such XML Web services make business-to-business (B2B) transactions simpler, security experts say the success of XML services makes them likely to attract attention from those who see them as an opportunity for malicious intent.

Many organisations already have firewalls in place to scan and filter incoming data at the ‘packet’ level. However, issues arise with Hypertext Transfer Protocol (HTTP), which is fast becoming a universal protocol for communication among applications. For example, Microsoft Outlook Web Access gives users access to corporate e-mail over HTTP, and Microsoft BizTalk Server uses HTTP to send the XML that enables B2B transactions.

Packet filtering allows HTTP traffic to pass through a firewall without inspection of its content. While HTTP may be an easier transport for B2B interactions, hackers also target HTTP as a transport to bypass firewall security. That could provide an avenue for improper use of network systems, including viruses or other malicious code, content theft or corruption, unauthorised access, fraudulent transactions, and denial of service attacks.

An XML filter on the firewall is able to monitor and inspect content sent over HTTP at the application level, before it ever reaches computers in the internal network.

The sample XML filter developed by Microsoft uses a simple algorithm to decide whether an XML request is valid: it determines if the user is allowed to access the Web service behind the firewall, and if the structure and content of the XML document are valid. The protection is two-fold: both unauthorised access and attacks using malformed XML are prevented.

Valid XML data passes through to the Web service computer, and unwanted traffic is dropped by the firewall, never even allowed into the internal network. Microsoft’s sample code also includes the associated components necessary to demonstrate the use of the filter in a lab environment, so anyone can test it.
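To make the two-fold check concrete, here is an added illustration of the kind of application-level decision the article describes: an HTTP request carrying XML is admitted only if the requesting user is authorised for the targeted Web service and the document's structure and content pass inspection. This is constructed example code, not Microsoft's sample filter or any part of the ISA Server SDK, and it is written in Python rather than the C++ that SDK filters use. The service path, user names, allowed operations and the sample SOAP messages are all made up for the demonstration. It also applies the limits a filter needs to hold up against the denial-of-service shapes mentioned later in the article: a maximum body size, a maximum nesting depth, and outright rejection of DOCTYPE declarations so that entity expansion never reaches the parser on the internal network.

```python
"""Constructed example of an application-level XML/SOAP filter (not Microsoft's sample code)."""
from xml.parsers import expat

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_BODY_BYTES = 64 * 1024   # reject oversized documents before parsing anything
MAX_DEPTH = 8                # deeply nested XML is a cheap way to exhaust a parser

# Constructed policy table: which users may reach each Web service path and
# which SOAP operations that service exposes. Paths and names are made up.
SERVICE_POLICY = {
    "/purchasing/order.asmx": {
        "allowed_users": {"buyer01", "buyer02"},
        "allowed_operations": {"GetPrice", "SubmitOrder"},
    },
}


class Reject(Exception):
    """Raised from inside parser callbacks to abort on the first violation."""


def inspect_xml(body):
    """Stream the document through expat under limits; return the SOAP operation name.

    Raises Reject on a DOCTYPE (entity-expansion attacks), nesting beyond
    MAX_DEPTH, a root element other than soap:Envelope, or malformed XML.
    """
    parser = expat.ParserCreate(namespace_separator=" ")  # names become "uri localname"
    state = {"depth": 0, "stack": [], "operation": None}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise Reject("DOCTYPE declarations are not accepted")

    def on_start(name, attrs):
        state["depth"] += 1
        if state["depth"] > MAX_DEPTH:
            raise Reject("nesting deeper than %d" % MAX_DEPTH)
        if state["depth"] == 1 and name != SOAP_ENV + " Envelope":
            raise Reject("root element is not soap:Envelope")
        # The first child of soap:Body names the operation being invoked.
        if state["stack"] and state["stack"][-1] == SOAP_ENV + " Body" and state["operation"] is None:
            state["operation"] = name.split(" ")[-1]
        state["stack"].append(name)

    def on_end(name):
        state["depth"] -= 1
        state["stack"].pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise Reject("malformed XML: %s" % exc)
    if state["operation"] is None:
        raise Reject("no operation element inside soap:Body")
    return state["operation"]


def filter_request(user, path, body):
    """Decide whether an HTTP request carrying XML may pass to the internal Web service.

    Returns (True, operation) when allowed, (False, reason) when the request is dropped.
    """
    policy = SERVICE_POLICY.get(path)
    if policy is None:
        return False, "no Web service published at %s" % path
    if user not in policy["allowed_users"]:
        return False, "user %r is not authorised for %s" % (user, path)
    if len(body) > MAX_BODY_BYTES:
        return False, "body exceeds %d bytes" % MAX_BODY_BYTES
    try:
        operation = inspect_xml(body)
    except Reject as exc:
        return False, str(exc)
    if operation not in policy["allowed_operations"]:
        return False, "operation %s is not exposed by this service" % operation
    return True, operation


# Constructed sample messages.
GOOD_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetPrice xmlns="urn:example"><sku>ABC-123</sku></GetPrice></soap:Body>
</soap:Envelope>"""

# A DOCTYPE with an internal subset: the shape that entity-expansion denial of service takes.
DTD_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [<!ENTITY a "aaaa">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetPrice>&a;</GetPrice></soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    for who, msg in [("buyer01", GOOD_REQUEST), ("intruder", GOOD_REQUEST), ("buyer01", DTD_REQUEST)]:
        print(who, filter_request(who, "/purchasing/order.asmx", msg))
```

The order of the checks matters: the cheap decisions (is the path published, is the user allowed, is the body within size) are made before any parsing, and the parser is driven as a stream with callbacks that abort on the first violation, so a hostile document is never fully materialised on the firewall either.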

The filter was created using the ISA Server Software Development Kit (SDK) and Microsoft Visual Studio .NET, and is now available free on the development section of the ISA Server Web site.

The Microsoft ISA Server team is demonstrating the new sample XML filter this week in San Jose at RSA Conference 2002. The demonstration shows a Web service being protected from unauthorised access and denial-of-service attacks using ISA Server and the sample XML filter to screen and inspect incoming SOAP and XML data.

‘This is sample code, and it is not meant to be put into a production environment. We just want to show that ISA Server is capable of doing this kind of filtering today, and how important that capability will be to securing Web services in the future. With the included SDK, a filter like this can be quickly written by any developer and tailored to their specific environment, and we really encourage that,’ says Zachary Gutt, technical product manager for ISA Server.
