When we set out late last year to review comprehensive SOA appliances that provide XML security, acceleration, transformation, and parsing, we worried that we wouldn't find all this goodness in one box. We also didn't foresee the speed at which this space would coalesce.

Since Cisco Systems acquired Reactivity last year, the XML appliance market, for the most part, has been quiet. But next door, Layer 7 Technologies and Vordel continue to be aggressive players in the XML security gateway area. And they'll need to be tough--the core function of an XML security gateway is an XML firewall, and this is a service that established firewall vendors like Cisco, Juniper Networks, and F5 Networks all believe they're well-positioned to provide.

As standalone XML appliances become poster children for market consolidation, which vendors survive is an open question. What's not up for debate is that IT is reaping the benefits of this features competition as we seek to secure and manage our growing service-oriented architectures. As proof, witness the breadth and depth of functionality packed into Layer 7's latest SecureSpan XML Networking Gateway SOA appliance. Not only did SecureSpan control how the Web services in our test bed were exposed to and accessed by partners and customers, it provided us with runtime control over service-level authentication, authorization, key management, credentialing, integrity, confidentiality, schema validation, content inspection, data transformation, threat protection, routing, protocol switching, service-level agreement enforcement, logging and auditing, and other functions.

We took the 1U Layer 7 SecureSpan XML Networking Gateway appliance out for a test drive in our Synegen Real-World Partner Labs. While the amenities of the hardware appliance, primarily setup and maintenance interfaces, could have been better, we had no problem getting the device running and configured. Once under way, we were pleasantly surprised by the operational features and power that the SecureSpan Gateway provided.

FIRE IT UP
The device's configuration interface can be accessed either through a USB keyboard and monitor or via a serial management port on the back of the appliance. In our testing, both worked without a hitch. Once the system was configured, we preferred to access SecureSpan Manager through its client interface because the Web console is somewhat lacking in features. We did appreciate that SecureSpan Manager provided us with a set of predefined roles to control user permissions, a real time saver.

The SecureSpan appliance is essentially a proxy that runs inside an Apache Tomcat container with a MySQL database on the back end. The Tomcat container hosts the processing layer, which manages factors such as identity providers, the trust store of certificates, integration with UDDI registries, and logging and auditing functionality, while the database is responsible for storing this and other configuration information.

The SecureSpan Gateway supports clustering and typically replicates the database across nodes. In certain situations, it's possible to have the database reside on an entirely separate system. This architecture allows Layer 7 to offer the product in three form factors: software that can run on Red Hat Enterprise Linux 4.0, SUSE Linux Enterprise Server 10, Sun Microsystems Solaris 10, or Sun Sparc; as a 64-bit hardware appliance, which is what we tested; or as a soft appliance running under VMware.

LOCK DOWN SERVICES
Policies define rules for how a SecureSpan-protected service can be consumed. Initially, we were somewhat overwhelmed by the number of different types of policies we could configure. The good news is Layer 7 provides convenient mechanisms for defining and managing policies. The bad news? These features have limited functionality in the browser-based version of SecureSpan Manager.

Once our policies were defined, we were able to limit services by HTTP basic authentication, XPath credentials, and service availability. This is on top of the automatic threat protection that was enforced against all manner of exploits, including TCP/IP-based attacks, coercive parsing, XML bomb and external entity attacks, schema poisoning, WSDL scanning, and XML routing detours. The SecureSpan integrates with a number of SOA registry and governance products for policy management.

The appliance sits on top of a powerful AMD Opteron processor-based Sun Fire X4150 server with a Sun Crypto Accelerator 6000 PCIe Card to accelerate SSL cryptographic functions. Its SSL performance was impressive, and while admiring the dashboard to monitor service metrics in real time, we noticed that the longer we let our tests run, the more performance improved. The device's Tarari RAX PCI-e XML accelerator card enhances performance for XPath expressions, XML schema validation, and XSL transformations.

Layer 7's SecureSpan XML Networking Gateway is a solid product that offers a lot of functionality out of the box. We'll see how it stacks up as we test its rivals as part of this Rolling Review. Look for our comprehensive comparison chart and report card after we've completed testing.

InfomationWeek's Rolling Reviews present a comprehensive look at a hot tech category. See the kickoff of our SOA appliances series at Rolling Reviews.

Erik Pieczkowski is an enterprise architect and partner with Synegen. His experience ranges from design and development of high-performing, message-driven systems to building and deploying scalable SOAs. Write to him at epieczkowski@nwc.com.