Application firewall vendor NetContinuum Inc plans to build web-services firewalling technology from Forum Systems Inc into its line of security appliances.
The proposed web services edition of the NetContinuum NC-1000 Application Security Gateway ASIC-based appliance will offer an extra layer of defense against XML data and application-layer attacks, the vendor said.
A start-up founded in May 2001, Forum Systems aims to deliver end-to-end data integrity, data-level confidentiality, web service auditing, and XML data processing. Unlike rivals such as AmberPoint, Flamenco and Westbridge, Forum Systems is wholly dedicated to web services security. It is privately owned, with head offices in Boston, Massachusetts and Salt Lake City, Utah. Since obtaining $17.5m in Series B funding in September 2003, it has opened a further six offices across the USA. Forum Systems has patents pending for its dynamic content security processing capabilities.
The Forum Sentry 1500 XML Security Appliance incorporates a data privacy server for XML encryption and decryption, a Digital Signature server, and an XML firewall for filtering, authentication, access control and schema validation. Designed to be non-intrusive, it can be installed as an in-process shared service, a proxy intermediary, or a transparent in-line gateway.
Sentry can take the form of a software package, a self-contained hardware appliance, or a PCI card. Cryptographic acceleration and key management are provided by a hardware security module, which is produced by nCipher Plc. The product has a visual configuration management interface which simplifies browsing XML documents and selecting XML fragments. This management interface is separate from the data ports, for better security. Exception handling and auditing features supplement Sentry’s SOAP message filtering capability.
Authentication can be done using HTTP, SSL/HTTPS, SAML, or WS-Security. Authorization is driven by dynamic policies and access control lists. Sentry checks message integrity and validates XML documents against DTDs or XML schemas, using WSDL files where possible. Using the same metadata, it guards against a range of predefined vulnerabilities, although like other present-day XML firewalls, it cannot guarantee to detect all possible exploits. PGP, X.509 and PKCS keys can be imported, generated and managed. Certificates can be fetched through LDAP.
Pricing for the NetContinuum Application Security Gateway starts at $39,000 and the appliance will become available in January 2005. Existing NetContinuum customers can upgrade to the new product for $10,000 per firewall.