Network Computing tested three security devices and, although they all impressed, our top pick edged past the others thanks to stellar performance, flexibility and integration. Find out which one it is.
Sarvega's product is focused on performance and content protection, and supports almost complete operational management capabilities through its Eclipse CommandCenter 1.6.
The XML Guardian is a 2U device that sports four Gigabit Ethernet ports and offers both front-panel and serial-console configuration. However, it doesn't have a separate management port; this caused us problems when we decided to enable SSL, because management is through HTTPS and runs on Port 443. We could move the management interface to a different port or change the ports for the services (the latter was much simpler during our tests). We much preferred DataPower's and Reactivity's configuration setups, which placed SSL-secured Web management on alternate ports by default.
Configuring the XML Guardian for message-size limitations was almost overwhelming in terms of the number of options available. Unlike Reactivity, Sarvega provides extremely fine-grained control of XML structure. Even DataPower, which offers a good number of options, can't match Sarvega in this area. From message size to depth of elements, size of elements to number of children, nearly every aspect of an XML document can be restricted on a per-operation basis. Although most of these restrictions can be defined by the schema, they're rarely used, and when they are, they often aren't detailed enough to prevent parsing attacks. We were pleased with being able to limit message size on a per-operation basis, because this value can vary from operation to operation.
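The kind of per-operation structural limits described above can be sketched as a streaming check. This is an added example, not Sarvega's implementation; the operation names, limit values and the `check_message` helper are assumptions made for illustration.

```python
import xml.parsers.expat

# Hypothetical per-operation limits (constructed values, not any vendor's defaults).
LIMITS = {
    "getQuote":    {"max_bytes": 512,  "max_depth": 4, "max_children": 5,  "max_text": 32},
    "submitOrder": {"max_bytes": 4096, "max_depth": 6, "max_children": 20, "max_text": 256},
}

class LimitExceeded(Exception):
    pass

def check_message(operation, payload):
    """Return None if payload fits the operation's limits, else the reason as a string."""
    lim = LIMITS.get(operation)
    if lim is None:
        return "unknown operation"
    if len(payload) > lim["max_bytes"]:  # size check needs no parsing, so do it first
        return "message too large"
    children = [0]  # per open element: number of direct children (slot 0 = document)
    text_len = [0]  # per open element: characters of direct text content

    def start(name, attrs):
        children[-1] += 1
        if children[-1] > lim["max_children"]:
            raise LimitExceeded("too many children")
        if len(children) > lim["max_depth"]:  # len(children) is the new element's depth
            raise LimitExceeded("nesting too deep")
        children.append(0)
        text_len.append(0)

    def end(name):
        children.pop()
        text_len.pop()

    def chars(data):
        text_len[-1] += len(data)
        if text_len[-1] > lim["max_text"]:
            raise LimitExceeded("element text too large")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.CharacterDataHandler = chars
    try:
        parser.Parse(payload, True)  # streaming: aborts at the first violation
    except LimitExceeded as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError:
        return "not well-formed"
    return None

# Constructed sample: six levels of nesting, allowed for one operation only.
DEEP = b"<op>" + b"<a>" * 5 + b"</a>" * 5 + b"</op>"
print(check_message("getQuote", DEEP), check_message("submitOrder", DEEP))
```

Because the handlers raise as soon as a limit is crossed, an oversized or deeply nested document is rejected before the rest of it is parsed.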
There are two factors unique to Sarvega: its decision to enable schema validation by default and the fact that it does not serve up WSDL. The company told us it's decided to wait for WS-Policy before providing this functionality. In contrast, DataPower serves up WSDL because it's essentially a proxy, while Reactivity lets you create an aggregate WSDL based on user rights--a feature we hope other vendors will implement. Although we generally applaud and encourage standards-based implementations, as long as the resulting WSDL is WS-I Basic Profile compliant, we're not that concerned about proprietary methods of generation.
But our biggest complaint with the XML Guardian was the need to restart the device when we deployed a new configuration. Minor changes to existing configurations don't require restarts, but major changes do, and we had to wait "some time" (Sarvega's phrasing) for the device to resume. During testing, "some time" lasted two to three minutes, during which time managed services were unavailable.
XML Guardian's performance was on par with DataPower XS40's and in some ways beat the competition. For example, the XML Guardian added no latency in any scenario, while both rivals added latency in at least three different test scenarios. Its XESOS 5.0.2 kept up with the XS40's custom silicon throughout our tests. During performance tests we could keep an eye on CPU utilization through the dashboard option on the XML Guardian's Web console. A wealth of other operational and functional statistics are available for near-time graphing. Reactivity offers historical functional statistics, including performance metrics for both clients and back-end servers, while DataPower provides operational and functional statistics for only a few categories--notably HTTP transactions, memory and CPU utilization--and doesn't do so in near-time.