At first, we were frustrated with the low turnout, but the reasons cited point to an industrywide problem: What are these products, and what should they be called? See "The Name Game,", for our take.
Although most conventional firewalls can provide user-based authentication and authorization to services, they're rarely set up to do so; rather, these products control generalized access to services, and their packet-processing mechanisms are not data-aware. XML firewalls, however, must be data-aware to keep unwanted content and users from accessing potentially sensitive services. Although XML over HTTP and even SOAP can be controlled using conventional authentication means, HTTP Basic Auth, for example, SOAP and Web services cognoscenti prefer to use Web services-specific mechanisms, such as WS-Security 1.0, which require authentication and authorization mechanisms to reach into the payload and extract credentials.
For our test scenario, we used NWC Inc.'s Web services deployment, served by IBM WebSphere 6.0 and providing SOAP interfaces to order-entry and tracking functionality. After capturing both requests and responses from all operations, we served them up on our Spirent WebReflector to remove any application bottlenecks. We throttled client traffic back to no more than 2,000 concurrent users, a reasonable number--on the high end for most Web services infrastructures but realistic for an enterprise Web services application. The types of attacks we ran are detailed in "How We Tested XML Firewalls,".
Proven IT Strategies For Lowering Costs, Reducing Capex and Transforming Business
IT or the Engineering department can find ways to reduce not only operating costs, but also capital investment while maintaining and even improving service levels. Obtain and implement proven methodologies found in this whitepaper to transform your business....

NOTE: Offer valid for U.S., U.S. possessions, & Canada only.