Review: XML Gateways

Network Computing tested three security devices and, although they all impressed, our top pick edged past the others thanks to stellar performance, flexibility and integration. Find out which one it is.

Performance, flexibility and integration are the key attributes of our Editor's Choice. The XS40's architecture is built on XSL, and it quickly adapted to just about any threat we threw at it. This generation of the XS40 is a 1U, four-port Gigabit Ethernet appliance with a separate management port and serial-console access. Hiding beneath the covers is DataPower's proprietary XG3 XML acceleration technology.

Since our last look at the XS40 (see ID# 1601sp2), DataPower has enhanced its Web administrative console with a new firewall wizard and control panel. We liked the device's fine-grained, domain- and role-based management scheme that let us permit or deny varying levels of access based on attributes such as object type, all the way down to specifically named objects like "Firewall 1" or "NWC Firewall." This level of control is offered for object management and is meant to secure XML policies, not the messages passing through the device.

The XS40 let us set policies on a per-firewall basis, which boiled down to per port. We also could create complex policies on a single firewall that emulate a per-operation or per-document-type policy, comparable to the policy-configuration options offered by Sarvega and Reactivity.

We configured our initial scenario--asking the device to perform bidirectional schema validation, content filtering and limited authentication--in spite of a minor glitch in the new XML Firewall wizard that caused it to ignore our attempt to modify the endpoint destination on our back-end server. The ability to modify the endpoint destination, along with DataPower's rewrite rule, let us obfuscate service names. Sarvega's and Reactivity's products offer this capability as well, but Reactivity's method is much more elegant. DataPower fixed the glitch with a patch, and the wizard then behaved as expected. Subsequent configurations were simple matters of modifying the existing policy: adding signature verification to one request, encrypting the response on another and requiring authentication by means of WS-Security headers on a third. As with all the products we tested, the XS40 can encrypt an entire response or a single element within an XML document and can transform XML by applying XSLT.

We added IP ACLs (access-control lists) with ease on the XS40, though they can be configured on a per-firewall basis only, similar to Sarvega's implementation. Reactivity doesn't support IP ACLs for blacklisting, but does allow explicit IP ACLs that restrict access to SOAP operations--the specific function or method being executed on the application server--to specified ranges.

DataPower XS40 XML Security Gateway 3.1, $65,000. DataPower, (617) 864-0455.
