This product offers the most flexible authentication and authorization of the devices we tested, in addition to a dynamic DoS protection scheme and a highly navigable administration console.

The 2400 is a 1U appliance running Linux with dual 3.06-GHz Xeon processors and dual Gigabit Ethernet NICs, and 2 GB of RAM. It comes equipped with an nCipher HSM (Hardware Security Module) for SSL acceleration and a Tarari RAX processor for XML acceleration.

Only Reactivity provides devicewide defaults that we could easily override at the policy level. These defaults can significantly reduce the amount of time needed to configure policies and help satisfy corporate security policies by enforcing required levels of security. Although DataPower told us this functionality could be achieved on the XS40 through its new domain-based administration model, we didn't relish spending time and energy to implement what Reactivity provides out of the box. Not only could we set defaults on content filtering and override them at the policy level on the 2400, we could choose specific SQL injection protection according to the type of database: For Web services interacting with SQL Server 2000, we enabled the content filter specifically designed to protect SQL Server 2000. For Oracle, another content filter is provided by Reactivity out of the box.

The 2400's authentication and authorization options were equally impressive and showcased Reactivity's easy-to-use, albeit somewhat cluttered, Web console. We configured multiple methods of authentication and authorization on a per-operation basis and further specified multiple methods for any operation. Our only complaint revolves around LDAP configuration, which requires a Ph.D.--or at least an intimate knowledge of LDAP filters and regular expressions--to set up. We much preferred the simple configuration offered by DataPower and Sarvega, which let us specify that the user name and password extracted from the WS-Security header should be validated against our NWC Inc. AD 2000 server, but LDAP implementations are a pain across the board. And in Reactivity's case, with complexity we did get power--Reactivity's implementation is exceedingly flexible and dynamic, and with the right knowledge we could limit access based on any directory attribute. One nit: We'd like to see a basic configuration option that validates against LDAP. All the products require a user name and password with which to bind to the directory.

In our performance tests, Reactivity's appliance matched DataPower's and Sarvega's in accuracy--the 2400 did not allow a single invalid or malicious request to reach our back-end servers--but it did introduce some latency. Reactivity's engineers told us the device is optimized for the WAN, and our testing on a fully Gigabit network did not take advantage of these optimizations. Our imposed limit of 2,000 concurrent users led to Reactivity's lower performance numbers. When we removed the limits and reran the tests, all three devices showed an increase in the number of messages processed per second as the number of concurrent users increased, with most tests showing an average of 1,100 to 1,300 messages per second.

Reactivity XML Security Gateway and Manager 2400 Series, starts at $65,000. Reactivity, (866) 889-3485, (650) 551-7800. www.reactivity.com

Lori MacVittie is a Network Computing senior technology editor working in our Green Bay, Wis., labs. She has been a software developer, a network administrator and a member of the technical architecture team for a global transportation and logistics organization. Write to her at lmacvittie@nwc.com.