Musings from Brian J. Noggle

A Fool and His IT Budget

Firewall to zap XML viruses:

Salt Lake City-based Forum Systems plans to announce the addition of the antivirus module to XWall on Monday. It will be available at the beginning of May, with pricing ranging from $5,000 to $40,000.

The 5-year-old company is one of several companies that make software or devices for securing applications that use XML to format data or XML-based communications protocols, called Web services.

$40,000 piece of hardware specifically to block bad XML from coming into your company? Lord, love a duck, I though XML Schema Documents (XSD) did that.

There is a need for XML-specific products, according to these companies and industry analysts, because traditional security products are designed primarily to inspect Internet protocols, rather than XML or Web services protocols.

Obfuscation is a virus, too. Those Web services protocols determine how XML messages are formatted, but they're still sent over common Internet messages that use the same traditional Internet protocols that your native firewalls block. If someone is triggering a denial of service using SOAP against one of your public Web services, you'll do the same thing you do when blocking a traditional DOS attack: You'll block the IP addresses from the incoming flood or you'll block/change the port number/URI of the Web service. No special XML-sniffing necessary.

But now they've expanded the service to include software that scans for XML Viruses, which are pretty common, hey?

Although they have not seen viruses written specifically for XML, these applications are still not adequately protected, executives from Forum Systems and CA said.

The only adequate prevention is heat; that is, just burning money on an XML-virus-sniffing and firewall product is the only thing that can protect you from XML! And SOAP! And all the potentially-malevolent buzzwords you don't understand! After all, gentle reader, your organization is at risk!

Forum Systems CEO Wes Swenson predicted that XML viruses will become common as people store Office documents in XML format and as developers use the Simple Object Access Protocol, which is written in XML, in tools for company-to-company communication.

The difference between XML files and Office document file types is that XML doesn't execute code in and of itself. Wrapped in SOAP, an XML document can trigger the execution of a Web service, but that's not an XML virus. Viruses need to run their contents to propogate, and if you've got an XML document that can propogate itself using SOAP, you've got a problem with your Web service.

But never mind that; spend the $40,000 and feel good about yourself.

"When you do have an XML-based virus attack, it will affect mission-critical servers as opposed to e-mail server and Web servers," Swenson said.

The very words mission-critical indicate that CNET has passed on a press release as a news story. XML viruses don't exist, and cannot exist unless you've got an XML-consuming application that's poorly written and vulnerable to buffer overflow errors or, heaven forfend, runs code contained in XML messages. A DOS attack on a Web service will affect the servers hosting the "mission-critical" Web services, but you don't need this guy's product to deal with it.

But, hey, if corporations want it, let them have it.

Meanwhile, I am hard at work here in the lab to protect corporations from insidious ASCII text file viruses. Did you know that your company uses hundreds or thousands of these potentially hazardous files every day and that they can be transmitted through e-mail attachments or automatically copied from the Internet or across networks. And unlike XML files, ASCII flat files, particularly those with file extensions of .java, .cpp, or .vb, can contain malicious code that can take control of your desktop when executed.

Watch soon for the money-sucking Jeracor ASCII Virus Firewall, coming soon.

- posted by Brian J. @ 8:28 AM