Vendors in many product areas have embraced the flexible, open-source plug-in Eclipse framework as the basis for managing devices and applications. The XML security arena is no exception. Both Sarvega and DataPower provide Eclipse management tools for their devices, with varying degrees of success. We preferred Sarvega's CommandCenter, the principal method of device management, over its unappealing and limited Web-based administrative console. In contrast, DataPower's Eclipse management tool is effective and as powerful as its Web-based console, which continues to improve with each release and is comparable in functionality and ease of use to Reactivity's Web console.
No device gave us much operational configuration capability from the Web console. We accomplished Layer 2/3 management using terminal services or SSH (Secure Shell) in the case of DataPower and Reactivity, and by means of an LCD control panel for Sarvega's XML Guardian. DataPower and Sarvega provide operational statistics for CPU, processes and memory utilization from their management consoles, but Reactivity offers these juicy details only from the terminal, and we needed to use conventional Linux tools, such as top, from an SSH session to delve into its device.
Functional management was rich and detailed in all three products' main admin consoles, with DataPower and Reactivity providing the most intuitive and easy-to-navigate interfaces. We easily achieved message pipeline configuration--the steps within a policy that detail what actions should be taken on a message and in what order--within Reactivity's XML Security Gateway, but DataPower's configuration was confusing. For example, we were never quite certain whether we were configuring a request or a response in the XS40's administrative GUI, which caused us a few fits. Sarvega's configuration was made more difficult by the hierarchical nature of Eclipse, which is essentially a file-system-based editor.
XML Firewall Performance
XPath is still the primary method of manipulating XML files, and we found varying degrees of support across the products. XML Guardian's excellent XPath editor at first did not perform as advertised, but Sarvega provided a patch that quickly restored it to working order. DataPower's tool also let us easily configure those features requiring XPath, such as encrypting specific elements within an XML document. Reactivity's offering, however, lacks an easy mechanism for generating XPaths.
After each successful policy implementation, we ran a series of performance tests that included valid and malicious traffic. The XS40 maintained its accuracy even under heavy load, though we detected some heavy breathing in CPU utilization and an increase in latency when the device was configured to perform content filtering and authentication, which requires additional parsing and transformation. We weren't surprised that all three competitors performed schema validation, signature validation and encryption without adding latency. It was only when we piled on content filtering, IP blacklisting and authentication that DataPower and Reactivity began to bog down. Sarvega didn't bat an eye in any configuration--it never added a single millisecond of latency.
After rigorous testing in which all three devices proved capable of stopping the attacks we threw at them, even under heavy load, DataPower's XS40 edged out Sarvega for the top spot in our review. Sarvega XML Guardian's less intuitive functional-management paradigm and the company's decision to turn off account access during a dictionary password attack rather than block the offending IP address kept it from overtaking DataPower. Reactivity was close on the heels of its rivals, but was hindered by lower performance numbers. We wouldn't hesitate to recommend any of these products.
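The review's objection to Sarvega's response is that disabling the targeted account, rather than blocking the attacking source, lets a dictionary attack lock a legitimate administrator out. As an added example that is not from the review or from any vendor's code, the Python below runs one sliding-window failure counter keyed either by source IP or by account over constructed authentication events (the IP addresses, account names, window and threshold are all assumed) and shows how the legitimate login fares under each policy.

```python
from collections import defaultdict, deque

WINDOW_S = 60        # sliding window for counting failures (assumed value)
FAIL_THRESHOLD = 5   # failures within the window that trigger a response (assumed value)

# Constructed authentication events: (timestamp, source IP, account, success)
EVENTS = [
    (0.0,  "198.51.100.7", "admin", False),
    (1.0,  "198.51.100.7", "admin", False),
    (2.0,  "198.51.100.7", "admin", False),
    (3.0,  "198.51.100.7", "admin", False),
    (4.0,  "198.51.100.7", "admin", False),   # fifth failure: threshold reached
    (5.0,  "198.51.100.7", "admin", False),   # already covered by the response
    (30.0, "203.0.113.5",  "admin", True),    # legitimate administrator logs in
    (31.0, "198.51.100.7", "svc01", False),   # attacker moves on to another account
]

def _count_recent(history, ts):
    """Drop failures older than WINDOW_S and return how many remain."""
    while history and ts - history[0] > WINDOW_S:
        history.popleft()
    return len(history)

def apply_policy(events, key):
    """Count failures per key(ip, account); disable that key once the threshold
    is reached. Returns (per-event decisions, set of disabled keys)."""
    failures = defaultdict(deque)
    disabled = set()
    decisions = []
    for ts, ip, account, ok in events:
        k = key(ip, account)
        if k in disabled:
            decisions.append((ts, ip, account, "denied:disabled"))
            continue
        if not ok:
            failures[k].append(ts)
            if _count_recent(failures[k], ts) >= FAIL_THRESHOLD:
                disabled.add(k)
        decisions.append((ts, ip, account, "allowed" if ok else "denied:bad_credentials"))
    return decisions, disabled

def block_ip_policy(events):
    """Response the review favours: block the offending source address."""
    return apply_policy(events, lambda ip, account: ip)

def lock_account_policy(events):
    """Response the review criticises: turn off access to the targeted account."""
    return apply_policy(events, lambda ip, account: account)

def legitimate_admin_outcome(policy):
    """Decision for the genuine login from 203.0.113.5 under the given policy."""
    decisions, _ = policy(EVENTS)
    return next(d[3] for d in decisions if d[1] == "203.0.113.5")
```

Under the IP-block policy the attacker is shut out while the administrator's later login succeeds; under the account-lockout policy the same login is refused, which is the denial-of-service side effect the review penalised.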