Teros Secure Application Gateway Cleans Up

One of the first steps to protect systems that receive XML and SOAP traffic is to scrub the data. Unfortunately, though, most apps don't wash their data before consuming it, which can lead to trouble if the data contains malicious SQL commands, incorrect data types or oversized strings.

To help you find dirty data, Teros offers its Secure Application Gateway, now running version 4 of its Application Protection System (APS), which supports XML traffic, including SOAP (Simple Object Access Protocol). The device ships as a hardened Linux appliance with 4 GB of RAM, dual Xeon processors and internal redundancy. It provides centralized cluster management and standard failover. Like a Layer 4 firewall, APS forwards traffic based on port and secures requests based on the URL or, in APS nomenclature, an application. Those familiar with SOAP would call this an endpoint, but we'll let Teros slide because APS not only handles XML traffic, it also scrubs data headed for legacy Web apps.

Gaining Knowledge

APS consumes WSDL (Web Services Description Language) to learn about the endpoint, operations and basic structure of an incoming XML document, but does not fetch the document itself--instead, it must be uploaded to the device.

APS provides SOAP-specific security at the XML element level and at the operational level. Although APS does not provide authentication or authorization, it blocks requests for invalid operations, which prevents attack from probing your service-oriented architecture and keeps back-end servers from consuming resources by unnecessarily parsing verbose XML docs.Using proprietary adaptive-learning technology, APS proxies for the back-end app server (or other intermediary) and can learn the expected range of values for each element in an XML document by watching the traffic before passing it through.

I hooked up APS in our NWC Inc. business applications labs in Green Bay, Wis., and directed our Spirent Avalanche to generate a few thousand requests to the APS, which forwarded them to the Spirent Reflector providing SOAP services on the back end. After the first round of data passed through, APS offered suggestions on how to restrict incoming data for my Web services.

For instance, APS said I should accept only Boolean [0,2] for the customer code because it had seen only 0s and 2s in that field. It made similar suggestions for almost all elements, but to get full explanations I had to dig around in the help file. And, because the ideas are based on the traffic APS sees, all the possible use cases may not come through.

On the Lookout

APS also looks for other vulnerabilities in XML traffic. For example, it can be configured to check for SQL Injection, cookie poisoning and cross-site scripting attacks. APS applies some of the lessons learned from Web application data and can be told to check for Social Security and credit-card numbers.

I configured Teros to block all requests containing SQL, then sent another barrage of traffic at APS, this time with half the XML requests containing SQL statements. Teros blocked all the requests with SQL Injection and let the valid requests through. Unfortunately, the device's performance while enforcing security policies and blocking traffic was not impressive--110 messages per second with an average latency of 90 ms. Request/response data varied from 900 bytes to 15 KB across four SOAP operations.

Details, DetailsEverything about APS is granular. All configuration options are available on a global or per-application basis. You can configure SQL Injection protection for some or all applications, depending on your needs. You can also configure alert notifications to be sent over e-mail or SNMP or directed to an external syslog server. You can even delegate administration to individual applications. Logs, configuration events and reports are available on a per-application as well as global basis. However, reports are canned and offered only in PDF.

Although it is not an all-encompassing solution for securing XML transactions, Teros' APS does provide basic protection from some common XML attacks.

Lori MacVittie is a Network Computing senior technology editor working in our Green Bay, Wis., labs. Write to her at [email protected].