9 January 2003 Security firm ISS has warned web services users that they may need to improve their firewalls if they want to avoid attacks from malicious hackers.

Web services is a way for applications to communicate with each other, even if they are on different machines separated by a network or the Internet. Organisations that are using web services to communicate with applications outside their own networks are typically looking to integrate their supply chain systems with their suppliers’ so that business processes such as placing orders and inventory checks can be done automatically without human intervention and expensive integration software development.

But to do this, web services uses HyperText Transfer Protocol (HTTP), the same system web servers use to communicate with browsers such as Internet Explorer. Organisations that use web services therefore have to let web traffic travel in both directions through their firewalls, even if they do not have a web server.

ISS warns that this firewall hole is frequently targeted by hackers looking for a way to break into a network. In the last three months of 2002, 57% of firewall attacks tracked by ISS targeted the web traffic entry and exit point.

“Many firewalls today do not process web traffic at a sufficient level of detail to recognise malicious activity,” the company claims. “It could provide a gateway for attackers to communicate with application servers.”

Applications need to be engineered for security to avoid businesses opening their networks to unnecessary risks, Ovum analyst Gary Barnett argues.

However, even the best application server will have bugs and it may be possible for a hacker to cause the server to crash or even to break into it if they have access.

Companies who have deployed or are looking to deploy web services should therefore investigate ‘smart’ firewalls that can detect malicious behaviour in web traffic if they want to ensure their networks to remain secure, say experts.