Striking back against growing numbers of specialty XML security appliances, firewall and security vendor Check Point Software Tuesday released a free upgrade to its firewall to help enterprises secure XML- and SOAP-based traffic.

The new capabilities -- dubbed Application Intelligence Technology -- will be available as a no-charge feature for licensed users of Check Point's firewall and VPN offerings.

The market has been flooded with a slew of so-called "XML firewalls" of late, or standalone servers or appliances that aim to inspect and secure Web services traffic separate from network-level security devices and firewalls. Those vendors say that XML processing and security is so fundamentally different than what happens at a network firewall that it requires a new firewall altogether.

Check Point, in comparison, not only believes that XML processing can happen on firewall boxes, but that application-layer security on those firewalls shouldn't just be limited to HTTP- and XML-based traffic, but should support a wide array of application security measure, said April Fontana, Check Point product marketing manager.

"We agree that XML traffic requires special processing," Fontana said. "Where we diverge with the opinions of niche firewall vendors is that we don't believe it should be on a separate appliance. There are great advantages to securing the network and application levels on the same infrastructure," including reduced costs, integrated management capabilities and the ability to share processes like authentication and single sign-on across both networks and apps, she said.

In addition, by placing XML and network firewall security on the same box, it assures that network-level attacks -- such as denial of service or IP spoofing -- don't take down a standalone XML firewall, Fontana said. Check Point has also added quality of services features that can help companies manage the flow of XML traffic, she said.

Fontana stresses that the Check Point solution is doing content-level inspection of XML traffic, "looking right down into the schemas of the SOAP packets," she said. "We are doing a sophisticated comparison of XML vocabularies and comparing it to the traffic passing through the firewall."

On a practical level, some enterprises put the responsibility for both network and application security on a single person; other IT shops split it between two people. Check Point's management console supports both models, Fontana said.

Check Point sees no need for a separate XML firewall, and has no plans to offer a standalone XML appliance itself. "The standalone option just doesn't make much sense given our approach to the market," Fontana said.

Security for XML and SOAP will be available at no additional cost in the latest version of Check Point VPN-1/FireWall-1 Next Generation, Feature Pack 3, starting in September.