
XML Gateways


DataPower XS40 XML Security Gateway 3.1




Performance, flexibility and integration are the key attributes of our Editor's Choice. The XS40's architecture is built on XSL, and it quickly adapted to just about any threat we threw at it. This generation of the XS40 is a 1U, four-port Gigabit Ethernet appliance with a separate management port and serial-console access. Hiding beneath the covers is DataPower's proprietary XG3 XML acceleration technology.

Since our last look at the XS40 (see ID# 1601sp2), DataPower has enhanced its Web administrative console with a new firewall wizard and control panel. We liked the device's fine-grained, domain- and role-based management scheme that let us permit or deny varying levels of access based on attributes such as object type, all the way down to specifically named objects like "Firewall 1" or "NWC Firewall." This level of control is offered for object management and is meant to secure XML policies, not the messages passing through the device.

The XS40 let us set policies on a per-firewall basis, which boiled down to per port. We also could create complex policies on a single firewall that emulate a per-operation or per-document-type policy, comparable to the policy-configuration options offered by Sarvega and Reactivity.

We configured our initial scenario--asking the device to perform bidirectional schema validation, content filtering and limited authentication--in spite of a minor glitch in the new XML Firewall wizard that caused it to ignore our attempt to modify the endpoint destination on our back-end server. Modifying the endpoint destination, along with DataPower's rewrite rule, let us obfuscate service names. Sarvega's and Reactivity's products offer this capability as well, but Reactivity's method is much more elegant. DataPower fixed the glitch with a patch, and the wizard behaved as expected. Subsequent configurations were simple matters of modifying the existing policy: adding signature verification to one request, encrypting the response on another and requiring authentication by means of WS-Security headers on another. As with all the products we tested, the XS40 can encrypt an entire response or a single element within an XML document and perform transformation of XML through the application of XSLT.

We added IP ACLs (access-control lists) with ease on the XS40, though they can be configured on a per-firewall basis only, similar to Sarvega's implementation. Reactivity doesn't support IP ACLs for blacklisting, but does allow explicit IP ACLs that restrict access to SOAP operations--the specific function or method being executed on the application server--to specified ranges.

DataPower XS40 XML Security Gateway 3.1, $65,000. DataPower, (617) 864-0455. www.datapower.com

