
Review: XML Gateways

Network Computing tested three security devices and, although they all impressed, our top pick edged past the others thanks to stellar performance, flexibility and integration. Find out which one it is.

Our goal in testing XML security functionality was to ascertain how thoroughly these devices defend against XML-based threats and how well they perform when configured to handle typical XML and SOAP (Simple Object Access Protocol) tasks.

We used our NWC Inc. Web services as the base for both valid and invalid XML messages (all document/literal, or DOC/LIT, encoding), then tampered with some of them to simulate multiple types of XML attacks. Responses were all served by a Spirent Reflector 2500, simulating a Web services-enabled application server.
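The tampered messages mentioned above are the kind of input a gateway has to refuse before any schema validation or WS-Security processing runs. What follows is an added example written for this page (not code from the article or from any of the reviewed products) of such a pre-parse screen in Python, using only the standard-library expat parser. It rejects DOCTYPE and entity declarations (the basis of entity-expansion and external-entity attacks), oversized documents, and excessive nesting or element counts. The size and depth limits, the `urn:example:po` namespace and the sample messages are constructed assumptions.

```python
"""Pre-parse screen for inbound SOAP/XML. Added example, not code from
the article or any reviewed product; limits and samples are constructed."""
import xml.parsers.expat as expat

MAX_BYTES = 256 * 1024   # assumed ceiling; the largest lab message was 130 KB
MAX_DEPTH = 32           # assumed; SOAP bodies rarely nest anywhere near this
MAX_ELEMENTS = 10_000    # assumed bound on element count per document


class XmlThreatError(ValueError):
    """Raised with the name of the rule an inbound document violated."""


def screen_xml(data: bytes) -> dict:
    """Parse `data` once with expat while enforcing structural limits.

    Any DOCTYPE or entity declaration is rejected outright, which closes
    the door on entity expansion ("billion laughs") and external-entity
    fetches. Returns a small summary dict on success.
    """
    if len(data) > MAX_BYTES:
        raise XmlThreatError(f"document too large: {len(data)} > {MAX_BYTES} bytes")

    stats = {"depth": 0, "max_depth": 0, "elements": 0, "root": None}
    # namespace_separator makes element names "<uri> <local>", so callers
    # can check the root against the SOAP envelope namespace.
    parser = expat.ParserCreate(namespace_separator=" ")

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise XmlThreatError(f"DOCTYPE not allowed (name={name!r})")

    def reject_entity(*decl):
        raise XmlThreatError("entity declaration not allowed")

    def reject_external(context, base, system_id, public_id):
        raise XmlThreatError(f"external entity reference not allowed: {system_id!r}")

    def start(name, attrs):
        stats["elements"] += 1
        if stats["elements"] > MAX_ELEMENTS:
            raise XmlThreatError(f"more than {MAX_ELEMENTS} elements")
        stats["depth"] += 1
        if stats["depth"] > MAX_DEPTH:
            raise XmlThreatError(f"nesting deeper than {MAX_DEPTH}")
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["root"] is None:
            stats["root"] = name

    def end(name):
        stats["depth"] -= 1

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end

    try:
        parser.Parse(data, True)   # exceptions raised inside handlers propagate
    except expat.ExpatError as exc:
        raise XmlThreatError(f"not well-formed: {exc}") from exc
    del stats["depth"]
    return stats


def verdict(data: bytes) -> str:
    """Gateway decision string: 'accept' or 'reject: <rule>'."""
    try:
        screen_xml(data)
        return "accept"
    except XmlThreatError as exc:
        return f"reject: {exc}"


# Constructed sample messages (urn:example:po is a made-up namespace).
GOOD_SOAP = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <po:SubmitPurchaseOrder xmlns:po="urn:example:po">
      <po:OrderId>1001</po:OrderId>
    </po:SubmitPurchaseOrder>
  </soap:Body>
</soap:Envelope>"""

BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

XXE = b"""<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<foo>&xxe;</foo>"""

DEEP_NESTING = b"<a>" * 40 + b"x" + b"</a>" * 40

if __name__ == "__main__":
    for label, msg in [("good", GOOD_SOAP), ("billion laughs", BILLION_LAUGHS),
                       ("xxe", XXE), ("deep nesting", DEEP_NESTING)]:
        print(f"{label:15s} {verdict(msg)}")
```

The screen runs as a separate, cheap pass before the full XML stack sees the document; it deliberately refuses any DTD rather than trying to bound entity expansion, since SOAP messages have no legitimate use for one.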

We initially configured each product with simple bidirectional schema validation, then set up policies on a per-operation basis to handle authentication, encryption and signature verification. We limited client traffic to no more than 2,000 concurrent users, which is higher than most Web services deployments are likely to handle, except at very large enterprises--say, Amazon or Google. Client traffic for our base test (Base Configuration #1) was simulated by a Spirent Avalanche 2500 and was split as shown in the table (opposite).

[Table: How We Tested (traffic split by operation; image not reproduced)]

A second set of tests (Base Configuration #2) included 20 percent signed content (purchase-order submissions) and 10 percent encrypted traffic (invoices), with the balance the same as in our original test. All purchase-order submissions in the first set of tests were configured to authenticate users via WS-Security 1.0. In the second test set we removed authentication and replaced it with signed content, on the assumption that a valid signature equals a valid user. Keys were 1,024 bits long for both the signature and encryption tests (the norm at the time, but under the 2,048-bit minimum now recommended).

We examined each product's environmental security by running Nmap to determine what services, if any, were left open by default. We also tampered with URIs and tried our best to gain access through the products' Web administrative consoles.

A gauntlet of tests served to evaluate overall and individual threat defense on each product, as well as the performance of each device while doing specific XML security functions. The devices were also required to perform schema validation on both request and response. Our threat-defense tests comprised:

• Authentication against LDAP: Devices were configured to authenticate users against our NWC Inc. Active Directory 2000 repository by extracting the user name and password from a WS-Security 1.0 header and validating them against LDAP. Seventy percent of requests carried valid credentials; 30 percent were invalid.

• Response encryption: Devices were configured to encrypt sensitive data in response to SOAP requests. We ran two sets of encryption tests under different configurations: configuration 1, encryption of the entire SOAP body, 4 KB in size; configuration 2, encryption of a single element type within the SOAP document, 4 KB in size, six elements to be encrypted per document.

• Signature verification: Devices were configured to verify a signed SOAP request. We ran one set of signature-verification tests with varying data sizes: 30 percent, 4 KB; 40 percent, 7 KB; 30 percent, 11 KB.

• Large response size: We also configured devices to perform schema validation against a 130-KB XML response.
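The LDAP authentication test above hinges on what the gateway does with the WS-Security UsernameToken it extracts. As an added example (not the article's or any vendor's code), the following Python shows that check as a gateway would perform it, covering both password forms the WS-Security 1.0 UsernameToken Profile allows: PasswordText, and PasswordDigest, where the client sends Base64(SHA-1(nonce + created + password)) and the verifier must also enforce a freshness window on wsu:Created and a nonce replay cache. The `DIRECTORY` dict, user names, nonce, timestamps and `urn:example:po` namespace are constructed stand-ins; the clock-skew window is an assumed value.

```python
# WS-Security 1.0 UsernameToken verification as a gateway performs it. Added
# example; the directory, users, nonce and timestamps are constructed.
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
PW_TEXT, PW_DIGEST = PROFILE + "#PasswordText", PROFILE + "#PasswordDigest"
DIRECTORY = {"alice": "s3cret-PO", "bob": "hunter2"}  # stand-in for the LDAP lookup
MAX_CLOCK_SKEW = timedelta(minutes=5)                  # assumed wsu:Created window

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken Profile 1.0: Base64(SHA-1(nonce + created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def extract_username_token(envelope: bytes) -> dict:
    """Token fields from the SOAP header (envelope assumed already screened for DTD/entity attacks)."""
    root = ET.fromstring(envelope)
    tok = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if tok is None:
        raise ValueError("no wsse:UsernameToken in the Security header")
    user, pw = tok.findtext(f"{{{WSSE}}}Username"), tok.find(f"{{{WSSE}}}Password")
    if user is None or pw is None or not pw.text:
        raise ValueError("UsernameToken lacks Username or Password")
    return {"username": user, "password": pw.text,
            "type": pw.get("Type", PW_TEXT),  # the profile's default is PasswordText
            "nonce": tok.findtext(f"{{{WSSE}}}Nonce"),
            "created": tok.findtext(f"{{{WSU}}}Created")}

def authenticate(envelope: bytes, now=None, seen_nonces=None, directory=DIRECTORY):
    """Return (accepted, reason). `seen_nonces` is the gateway's replay cache."""
    try:
        tok = extract_username_token(envelope)
    except (ET.ParseError, ValueError) as exc:
        return False, f"malformed token: {exc}"
    expected = directory.get(tok["username"])
    # Unknown users get a dummy secret so timing does not reveal valid names.
    secret = expected if expected is not None else "\x00"
    if tok["type"] == PW_TEXT:
        ok = hmac.compare_digest(tok["password"].encode(), secret.encode())
    elif tok["type"] == PW_DIGEST:
        if not tok["nonce"] or not tok["created"]:
            return False, "PasswordDigest requires Nonce and Created"
        try:
            created = datetime.fromisoformat(tok["created"].replace("Z", "+00:00"))
            nonce = base64.b64decode(tok["nonce"], validate=True)
        except ValueError as exc:
            return False, f"bad Nonce/Created: {exc}"
        if created.tzinfo is None:  # treat a bare timestamp as UTC
            created = created.replace(tzinfo=timezone.utc)
        if abs((now or datetime.now(timezone.utc)) - created) > MAX_CLOCK_SKEW:
            return False, "Created outside clock-skew window"
        if seen_nonces is not None and tok["nonce"] in seen_nonces:
            return False, "nonce replayed"
        ok = hmac.compare_digest(tok["password"].encode(),
                                 password_digest(nonce, tok["created"], secret).encode())
        if ok and seen_nonces is not None:
            seen_nonces.add(tok["nonce"])
    else:
        return False, f"unsupported Password Type {tok['type']}"
    if not ok or expected is None:
        return False, "bad credentials"
    return True, "ok"

def build_request(username, password, created, nonce, digest=True) -> bytes:
    """Client-side fixture (no XML escaping): a purchase-order request with a token."""
    value = password_digest(nonce, created, password) if digest else password
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header><wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
    <wsse:UsernameToken>
      <wsse:Username>{username}</wsse:Username>
      <wsse:Password Type="{PW_DIGEST if digest else PW_TEXT}">{value}</wsse:Password>
      <wsse:Nonce>{base64.b64encode(nonce).decode("ascii")}</wsse:Nonce>
      <wsu:Created>{created}</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security></soap:Header>
  <soap:Body><po:SubmitPurchaseOrder xmlns:po="urn:example:po"/></soap:Body>
</soap:Envelope>""".encode("utf-8")

def run_scenarios() -> dict:
    """Constructed mix of valid and invalid tokens, like the lab's 70/30 split."""
    created, nonce = "2004-09-01T12:00:00Z", b"0123456789abcdef"
    now = datetime(2004, 9, 1, 12, 0, 30, tzinfo=timezone.utc)
    good, cache = build_request("alice", "s3cret-PO", created, nonce), set()
    return {
        "valid digest": authenticate(good, now=now, seen_nonces=cache),
        "replayed": authenticate(good, now=now, seen_nonces=cache),
        "wrong password": authenticate(build_request("alice", "nope", created, nonce), now=now),
        "unknown user": authenticate(build_request("mallory", "x", created, nonce), now=now),
        "stale": authenticate(good, now=now + timedelta(hours=1)),
        "valid text": authenticate(build_request("bob", "hunter2", created, nonce, False), now=now),
    }
```

One practical catch worth knowing when reading the lab's LDAP result: a PasswordDigest token can only be verified by a party that can recompute the digest, which means holding the cleartext password (or an equivalent secret). A plain LDAP bind against Active Directory gives a gateway no such thing, so "validate against LDAP" in practice means PasswordText carried over TLS and checked with a bind, or a separately provisioned secret store; the `DIRECTORY` dict above stands in for whichever of those is used.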

All our performance results are based on these tests and the limitation of 2,000 concurrent users. Just for the fun of it, we did run tests without this user limitation, resulting in substantially higher messages per second on all products, but most enterprises won't be handling upward of 20,000 concurrent users anytime soon, making these results poor measuring sticks for most implementations.

All Network Computing product reviews are conducted by current or former IT professionals in our Real-World Labs® or partner labs, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Network Computing schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.
