News
News
4/22/2005
02:15 PM
Connect Directly
RSS
E-Mail
50%
50%

Review: XML Gateways

Network Computing tested three security devices and, although they all impressed, our top pick edged past the others thanks to stellar performance, flexibility and integration. Find out which one it is.

Performance, flexibility and integration are the key attributes of our Editor's Choice. The XS40's architecture is built on XSL, and it quickly adapted to just about any threat we threw at it. This generation of the XS40 is a 1U, four-port Gigabit Ethernet appliance with a separate management port and serial-console access. Hiding beneath the covers is DataPower's proprietary XG3 XML acceleration technology.

Since our last look at the XS40 (see ID# 1601sp2), DataPower has enhanced its Web administrative console with a new firewall wizard and control panel. We liked the device's fine-grained, domain- and role-based management scheme that let us permit or deny varying levels of access based on attributes such as object type, all the way down to specifically named objects like "Firewall 1" or "NWC Firewall." This level of control is offered for object management and is meant to secure XML policies, not the messages passing through the device.

The XS40 let us set policies on a per-firewall basis, which boiled down to per port. We also could create complex policies on a single firewall that emulate a per-operation or document type policy, comparable to the policy-configuration options offered by Sarvega and Reactivity.

We configured our initial scenario--asking the device to perform bidirectional schema validation, content filtering and limited authentication--in spite of a minor glitch in the new XML Firewall wizard that caused it to ignore our attempt to modify the endpoint destination on our back-end server. This capability, along with DataPower's rewrite rule, let us obfuscate service names. Sarvega's and Reactivity's products offer this capability as well, but Reactivity's method is much more elegant. DataPower fixed the glitch with a patch, and the wizard behaved as expected. Subsequent configurations were simple matters of modifying the existing policy by adding signature verification to one request, encryption of the response on another and requiring authentication by means of WS-Security headers in another. As with all the products we tested, the XS40 can encrypt an entire response or a single element within an XML document and perform transformation of XML through the application of XSLT.

We added IP ACLs (access-control lists) with ease on the XS40, though they can be configured on a per-firewall basis only, similar to Sarvega's implementation. Reactivity doesn't support IP ACLs for blacklisting, but does allow explicit IP ACLs that restrict access to SOAP operations--the specific function or method being executed on the application server--to specified ranges.

DataPower XS40 XML Security Gateway 3.1, $65,000. DataPower, (617) 864-0455. www.datapower.com

Previous
4 of 10
Next
Comment  | 
Print  | 
More Insights
IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 24, 2014
Start improving branch office support by tapping public and private cloud resources to boost performance, increase worker productivity, and cut costs.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.