The buzz about Web services has turned to discussions about the added security risks they pose. According to Gartner, Web services is about "moving application integration into firewall-evading tunnels," so CIOs must adjust security strategies to include application-level firewalls. While this new breed of firewall must be implemented along with -- and not replace -- traditional network firewalls, InfoWorld has reported that the battle is on between traditional firewall players and a new breed of XML-application firewall vendors. Not everyone is taking the battle seriously, however. In fact, some believe that the novelty of what upstart vendors have to offer will be short-lived. I spoke with several industry experts and asked them what CIOs need to know about application-level security, the upstarts offering XML firewalls, and how to choose a vendor in the space. Here's what I found out. What is an XML-application firewall?
Gartner says that the term XML-application firewall is a bit confusing because the type is clearly distinct from existing IP-level network firewalls. However, the term is appropriate because, like network firewalls, these XML-application firewalls are focused on securing and monitoring the network. XML-application firewalls are unlike traditional network firewalls in that they work at the application level "using an in-depth knowledge of the Web services, service requestors, and message content. It is the XML Web services standardisation of application-level data that makes application-level firewalls practical," write Gartner analysts John Pescatore, Matthew Easley, and Richard Stiennon in a report titled "Security platforms will transform the network security arena." The existence of Web services places new emphasis on the danger of attacks on systems at the application layer. Traditional network firewalls, which will continue to be central to security, don't address the new realities and requirements for security. According to the XML Web Services Security Forum (XWSS), those new realities and requirements are:

• Most security violations come from within the firewall.
• Mission-critical initiatives often require cross-firewall access and integration.
• Ports that were originally intended to pass very specific protocols are now being used for many purposes.
• XML Web services Simple Object Access Protocol (SOAP) messages were specifically designed to easily pass through existing firewalls by being carried over transport protocols, such as HTTP, SMTP, and so on, that are frequently carried through open firewall ports.
• New code written with updated tools such as .NET, current J2EE apps servers, and so on, will be the minority of nodes in an XML Web services data network. The majority of nodes will be legacy or packaged applications, which have significantly varying levels of application security. It is often difficult to verify and manage the security functions they provide.

Figure A is a diagram from the XWSS that illustrates the difference between the old security model and the new security reality.

Different but not separate
Jean-Marc Loingtier, CEO of AKheron, a network security vendor of application firewalls, says XML-application firewalls are sometimes viewed as orthogonal to traditional security products -- like a "convoluted proxy" that speaks, or parses, XML and knows about specific applications, such as SOAP. In the past, similar application-level security has been necessary but not often implemented due to its expense. The high cost of implementation was due to the lack of a standard mechanism and formats for application communications, according to Peter Sorrentino of the management consulting, research, and education firm The Concours Group. XML and Web services provide a standard mechanism and afford corporations a new opportunity to implement product offerings from smaller firms, including Flamenco Networks, Forum Systems, Reactivity, Vordel, and Westbridge Technology, instead of the "expensive, ad-hoc, custom-programmed, application-embedded, application security of the past," Sorrentino says.