An Architecture for An XML Enabled Firewall

XML is rapidly becoming the default way for organizations to sharing information across networks and organizational boundaries. XML was designed as an information mark-up language and was not designed with security in mind. Consequently we are left with the problem of security XML documents from attacks such as malicious modification or fabrication. With modern VPN technology such as SSL we can encrypt and secure a data stream as it cross the network. However, when the data stream encounters an organizational boundary such as a firewall the XML document has to be parsed and forwarded to any back-end systems that require it. Current IDS and Firewall Technology does not have the ability to identify when the contents of an XML document is being attacked. This paper outlines a firewall architecture for the secure exchange of information using the extensible mark up language (XML). The architecture can be used to create a virtual private network suitable for an e-commerce application, allowing secure communication over the Internet. This paper identifies the elements required to build an XML enabled firewall that will (1) ensure the secure communication of data, and (2) validate the data to ensure data integrity. The architecture addresses the issue of information integrity using the Document Type Definition and additional rules applied by a proxy.