Review: XML Gateways

Network Computing tested three security devices and, although they all impressed, our top pick edged past the others thanks to stellar performance, flexibility and integration. Find out which one it is.

Our goal in testing XML security functionality was to ascertain how thoroughly these devices defend against XML-based threats and how well they perform when configured to handle typical XML and SOAP (Simple Object Access Protocol) tasks.

We used our NWC Inc. Web services as the base for both valid and invalid XML messages (all DOC/LIT encoding), then tampered with some of them to simulate multiple types of XML attacks. Responses were all served by a Spirent Reflector 2500, simulating a Web services-enabled application server.

We initially configured each product with simple bidirectional schema validation, then set up policies on a per-operation basis to handle authentication, encryption and signature verification. We limited client traffic to no more than 2,000 concurrent users, which is higher than what most Web services setups are likely to handle, except for very large enterprises--say, Amazon or Google. Client traffic for our base test (Base Configuration #1) was simulated by a Spirent Avalanche 2500 and was split as shown in the table (opposite).

How We Tested [table image not reproduced]

A second set of tests (Base Configuration #2) included 20 percent signed content (purchase-order submissions) and 10 percent encrypted traffic (invoices), with the balance the same as our original test. All purchase-order submissions in the first set of tests were configured to authenticate users via WS-Security 1.0. We removed authentication in the second test set and replaced it with signed content, with the assumption that a valid signature equals a valid user. Keys were 1,024 bits in length for both signature and encryption tests.

We examined each product's environmental security by running Nmap to determine what services, if any, were left open by default. We also tampered with URIs and tried our best to gain access through the products' Web administrative consoles.

A gauntlet of tests served to evaluate overall and individual threat defense on each product, as well as the performance of each device while doing specific XML security functions. The devices also were required to perform schema validation on both request and response. Our threat-defense tests comprised:

• Authentication against LDAP: Devices were configured to authenticate users against our NWC Inc. Active Directory 2000 repository by extracting the user name and password from a WS-Security 1.0 header and validating it against LDAP. Seventy percent of requests were valid, 30 percent were invalid.

• Response encryption: Devices were configured to encrypt sensitive data in response to SOAP requests. We ran two sets of encryption tests under different configurations: configuration 1, encryption of the entire SOAP body, 4 KB in size; configuration 2, encryption of a single element type within the SOAP document, 4 KB in size, six elements to be encrypted per document.

• Signature verification: Devices were configured to verify a signed SOAP request. We ran one set of signature-verification tests with varying data sizes: 30 percent, 4 KB; 40 percent, 7 KB; 30 percent, 11 KB.

• Large response size: We also configured devices to perform schema validation against a 130-KB XML response.
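The "Authentication against LDAP" test above has the gateway pull a user name and password out of a WS-Security 1.0 UsernameToken and check it against a directory, rejecting the 30 percent of requests carrying bad or missing credentials. The Python below is an added illustration of that gateway-side check, not code from the review or from any product tested; the directory is a constructed in-memory dictionary standing in for LDAP, the size cap stands in for the large-message handling, and the element names and digest formula follow the OASIS UsernameToken profile.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
MAX_BYTES = 256 * 1024          # refuse oversized envelopes before parsing them (assumed limit)
DIRECTORY = {"alice": "s3cret"}  # constructed stand-in for the Active Directory/LDAP repository

def password_digest(nonce_b64, created, password):
    """UsernameToken profile: Base64(SHA-1(nonce || created || password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def authenticate(envelope: bytes):
    # Returns (accepted, reason) for one SOAP request carrying a WS-Security header.
    if len(envelope) > MAX_BYTES:
        return False, "message too large"
    try:
        root = ET.fromstring(envelope)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}"
    token = root.find(f"{SOAP}Header/{WSSE}Security/{WSSE}UsernameToken")
    if token is None:
        return False, "no UsernameToken"
    user = token.findtext(f"{WSSE}Username")
    pw = token.find(f"{WSSE}Password")
    if not user or pw is None or not pw.text:
        return False, "incomplete token"
    expected = DIRECTORY.get(user)
    if expected is None:
        return False, "unknown user"
    ptype = pw.get("Type", "")
    if ptype == PROFILE + "#PasswordText":
        ok = hmac.compare_digest(pw.text.encode(), expected.encode())
    elif ptype == PROFILE + "#PasswordDigest":
        nonce, created = token.findtext(f"{WSSE}Nonce"), token.findtext(f"{WSU}Created")
        if not nonce or not created:
            return False, "digest token missing Nonce/Created"
        ok = hmac.compare_digest(pw.text.encode(), password_digest(nonce, created, expected).encode())
    else:
        return False, "unsupported password type"
    return (True, "authenticated") if ok else (False, "bad credentials")

def sample_envelope(user, password_elem, extra=""):  # constructed purchase-order request
    return f"""<soap:Envelope xmlns:soap="{SOAP[1:-1]}"><soap:Header>
<wsse:Security xmlns:wsse="{WSSE[1:-1]}" xmlns:wsu="{WSU[1:-1]}"><wsse:UsernameToken>
<wsse:Username>{user}</wsse:Username>{password_elem}{extra}</wsse:UsernameToken></wsse:Security>
</soap:Header><soap:Body><SubmitPurchaseOrder/></soap:Body></soap:Envelope>""".encode()
```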

All our performance results are based on these tests and the limitation of 2,000 concurrent users. Just for the fun of it, we did run tests without this user limitation, resulting in substantially higher messages per second on all products, but most enterprises won't be handling upward of 20,000 concurrent users anytime soon, making these results poor measuring sticks for most implementations.

All Network Computing product reviews are conducted by current or former IT professionals in our Real-World Labs® or partner labs, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Network Computing schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.
