While there is tremendous business value in SOA and XML Web services, security remains an unsolved problem and one of the largest single barriers to adoption. Enterprises require a new pragmatic approach to XML Web services security, one that simultaneously recognizes the uncertainty of new standards, the value of existing infrastructure investments, the organizational challenges and the performance impact of XML security.
Corporations are struggling with resource constraints, diverging business goals, and the need to assimilate new technology. The IBM® WebSphere® DataPower XML Security Gateway XS40 addresses this as a network appliance that is easy to install and maintain, satisfies both application and network groups, and supports current and pending security standards out of the box.
Features and benefits include:
XML firewall
The XS40 provides protection against XML vulnerabilities by acting as an XML proxy and performing XML well-formedness checks, buffer overrun checks, XML schema validation, XML filtering, and XML denial of service (XDoS) protection. The XS40 also includes many essential security functions beyond those of an XML firewall: Web services access control (AAA), XML Encryption and Digital Signature, WS-Security, and content-based routing.
XML denial of service protection
A single small XML message can bypass traditional perimeter protection and instantly crash mission-critical applications. The XS40 validates incoming requests and logs malformed and malicious traffic to provide valuable post-attack forensics.
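The checks described under "XML firewall" and "XML denial of service protection" can be illustrated with a small streaming pre-filter. The following Python is an added example written for this page, not XS40 code or IBM configuration: it enforces a size limit before parsing, rejects any DOCTYPE (the carrier for entity-expansion XDoS and external-entity fetches), bounds nesting depth, element count, attribute count and name length as a buffer overrun check, and reports non-well-formed input, returning a verdict record suitable for forensic logging. The limits, the client address and the sample messages are constructed for the example.

```python
import xml.parsers.expat as expat

# Limits are assumed values chosen for this example, not the XS40's defaults.
MAX_BYTES = 64 * 1024      # reject oversized messages before parsing
MAX_DEPTH = 32             # element nesting limit
MAX_ELEMENTS = 10_000      # total element limit
MAX_ATTRS = 64             # attributes per element
MAX_NAME_LEN = 256         # element/attribute name length (buffer overrun check)


class XmlRejected(Exception):
    """Raised from a parser callback when a message breaks a firewall limit."""


def _verdict(allowed: bool, reason: str, stats: dict) -> dict:
    return {"allowed": allowed, "reason": reason,
            "elements": stats["elements"], "max_depth": stats["max_depth"]}


def inspect_message(data: bytes) -> dict:
    """Check one XML message against the firewall limits.

    Parsing is streaming (expat), so a message is rejected at the first
    violation without ever building a document tree.
    """
    stats = {"elements": 0, "depth": 0, "max_depth": 0}

    if len(data) > MAX_BYTES:
        return _verdict(False, "message exceeds size limit", stats)

    parser = expat.ParserCreate()

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # A DTD is the vehicle for entity expansion (XDoS) and external
        # entities; SOAP messages never need one, so reject before any
        # entity declaration is even read.
        raise XmlRejected("DOCTYPE declaration not permitted")

    def start_element(name, attrs):
        stats["elements"] += 1
        stats["depth"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["elements"] > MAX_ELEMENTS:
            raise XmlRejected("too many elements")
        if stats["depth"] > MAX_DEPTH:
            raise XmlRejected("nesting too deep")
        if len(attrs) > MAX_ATTRS:
            raise XmlRejected("too many attributes")
        if len(name) > MAX_NAME_LEN or any(len(k) > MAX_NAME_LEN for k in attrs):
            raise XmlRejected("oversized element or attribute name")

    def end_element(name):
        stats["depth"] -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element

    try:
        parser.Parse(data, True)
    except XmlRejected as exc:
        return _verdict(False, str(exc), stats)
    except expat.ExpatError as exc:
        return _verdict(False, f"not well-formed: {exc}", stats)
    return _verdict(True, "ok", stats)


def forensic_log_line(client_ip: str, verdict: dict) -> str:
    """Format a verdict as one log record (the layout is this example's own)."""
    return (f"client={client_ip} allowed={verdict['allowed']} "
            f"reason=\"{verdict['reason']}\" elements={verdict['elements']} "
            f"depth={verdict['max_depth']}")


# Constructed sample traffic for the demonstration.
SAMPLE_OK = (b"<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'>"
             b"<soap:Body><GetQuote><Symbol>IBM</Symbol></GetQuote></soap:Body>"
             b"</soap:Envelope>")
SAMPLE_DTD = b"<?xml version='1.0'?><!DOCTYPE x [<!ENTITY e 'aaaa'>]><x>&e;</x>"
SAMPLE_DEEP = b"<a>" * (MAX_DEPTH + 8) + b"</a>" * (MAX_DEPTH + 8)
SAMPLE_MALFORMED = b"<soap:Envelope><Body></soap:Envelope>"

if __name__ == "__main__":
    for label, msg in [("ok", SAMPLE_OK), ("dtd", SAMPLE_DTD),
                       ("deep", SAMPLE_DEEP), ("malformed", SAMPLE_MALFORMED)]:
        print(label, forensic_log_line("203.0.113.7", inspect_message(msg)))
```

The size check runs before the parser sees a byte, and the DOCTYPE rejection fires before the internal subset is read, so an entity-expansion payload is refused without any expansion taking place; the element and depth counters bound the work done on any message that gets past those two gates.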
Field level message security
The XS40 selectively shares information through encryption/decryption and signing/verification of entire messages or of individual XML fields. These granular and conditional security policies can be based on nearly any variable, including content, IP address, hostname, or other user-defined filters.
Web services access control
Since the XML Security Gateway is much more than an XML firewall, it provides access control functions that enable secure access to Web services-based applications for both internal and external clients. Both commercial and standards-based integration is supported, including LDAP, SAML and WS-Security.
Diagram 1: Access control (diagram not reproduced in this text)
Fine-grained authorization
Instead of URL-based or connection-level access control, fine-grained authorization allows the XS40 to interrogate every individual SOAP/XML transaction and determine whether it should be allowed through based on payload contents, security policy, and identity information. For example, a purchase order that is (1) over $500, (2) digitally signed by the CFO's certificate, (3) targeted for vendor X, and (4) sent before 5 p.m. may be allowed through, while one immediately following it would be rejected. SAML, WS-Security, and XACML are key emerging standards for implementing this kind of fine-grained access control in an open, cross-platform environment that joins a variety of policy enforcement points (such as the XS40) to central policy repositories.
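As an added illustration of the purchase-order rule above (example code, not XS40 policy or an XACML implementation), the following Python models a policy enforcement point: it extracts the decision attributes from the SOAP body, combines them with identity information, and evaluates an ordered rule set with a default deny. The namespace `urn:example:po`, the CFO certificate subject, the vendor name and the sample order are constructed; the `signer` value is assumed to be supplied by the gateway's signature-verification step, and `sent_at` by the transport layer, since neither is parsed from the payload here.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, time
from decimal import Decimal

# SOAP 1.1 envelope namespace plus a constructed purchase-order namespace.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "po": "urn:example:po"}

CFO_SUBJECT = "CN=CFO,O=Example Corp"   # constructed certificate subject
CUTOFF = time(17, 0)                    # "sent before 5 p.m."


@dataclass(frozen=True)
class Request:
    """Attributes the PEP needs for a decision: payload fields plus identity."""
    vendor: str
    total: Decimal
    signer: str        # subject of the certificate whose signature was already verified
    sent_at: datetime


def extract_request(xml_bytes: bytes, signer: str, sent_at: datetime) -> Request:
    """Pull the decision attributes out of the SOAP body.

    Only the payload is parsed here; `signer` and `sent_at` are assumed to
    come from the gateway's signature verification and transport layer.
    """
    root = ET.fromstring(xml_bytes)
    po = root.find("soap:Body/po:PurchaseOrder", NS)
    if po is None:
        raise ValueError("SOAP Body does not contain a PurchaseOrder")
    vendor = po.findtext("po:Vendor", default="", namespaces=NS).strip()
    total = Decimal(po.findtext("po:Total", default="0", namespaces=NS).strip())
    return Request(vendor=vendor, total=total, signer=signer, sent_at=sent_at)


def permit_cfo_large_order(r: Request) -> bool:
    """The page's example rule: all four conditions must hold."""
    return (r.total > Decimal("500")
            and r.signer == CFO_SUBJECT
            and r.vendor == "VendorX"
            and r.sent_at.time() < CUTOFF)


# Ordered rule set: the first matching permit wins; anything else is denied.
RULES = [("permit-cfo-large-order", permit_cfo_large_order)]


def authorize(r: Request) -> tuple:
    for name, condition in RULES:
        if condition(r):
            return ("Permit", name)
    return ("Deny", "default-deny")


def decide(xml_bytes: bytes, signer: str, sent_at_iso: str) -> tuple:
    """Parse, then evaluate. Unparseable input is a Deny, never a crash."""
    try:
        req = extract_request(xml_bytes, signer, datetime.fromisoformat(sent_at_iso))
    except (ET.ParseError, ValueError, ArithmeticError) as exc:
        return ("Deny", f"unparseable-request: {exc}")
    return authorize(req)


# Constructed sample purchase order.
SAMPLE_PO = b"""<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <PurchaseOrder xmlns="urn:example:po">
      <Vendor>VendorX</Vendor>
      <Total currency="USD">750.00</Total>
    </PurchaseOrder>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    print(decide(SAMPLE_PO, CFO_SUBJECT, "2024-03-01T14:30:00"))            # Permit
    print(decide(SAMPLE_PO, CFO_SUBJECT, "2024-03-01T17:30:00"))            # Deny, after 5 p.m.
    print(decide(SAMPLE_PO, "CN=Clerk,O=Example Corp", "2024-03-01T14:30:00"))  # Deny, wrong signer
```

Two points of the design matter for a PEP: the decision depends on the identity established by signature verification rather than on anything the sender writes into the payload, and every failure path (missing element, malformed XML, bad amount) resolves to Deny so that a parsing problem can never turn into an allow.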
Service virtualization
XML Web services require companies to link partners to resources without leaking information about their location or configuration. With the combined power of URL rewriting, high-performance XSL transforms and XML/SOAP routing, the XS40 can transparently map a rich set of services to protected back-end resources with high performance.
Centralized policy management
The XS40's wirespeed performance enables enterprises to centralize security functions in a single drop-in device that can enhance security and help reduce ongoing maintenance costs. Simple firewall functionality can be configured via a GUI and be running in minutes, and using the power of XSLT, the XS40 can also enforce sophisticated security and routing rules. Because the XS40 works with leading policy managers such as IBM® Tivoli® Access Manager, it is an ideal policy execution engine for securing next-generation applications. Manageable locally or remotely, the XS40 supports SNMP, script-based configuration, and remote logging to integrate seamlessly with leading management software.
Web services management/service level management
With support for Web Services Distributed Management (WSDM), Universal Description, Discovery, and Integration (UDDI), Web Services Description Language (WSDL), and Dynamic Discovery, and broad support for Service Level Management configurations, the XS40 natively offers a robust Web services management framework for the efficient management of distributed Web service endpoints and proxies in heterogeneous SOA environments. The XS40 also offers SLM alerts and logging and can pull and enforce policies, which enables broad integration with third-party management systems and unified dashboards, as well as robust support and enforcement of governance frameworks and policies.
Inter-enterprise application sharing
XML can Internet-enable nearly every enterprise application, driving an instant need for centralized message filtering and validation. The XS40 can process and validate messages at a central point in real-time so only known-good requests reach valued back-end resources. High-speed message signing and verification prevents falsified requests and securely logs all transactions.
Secure portal connections
Portal applications tie into high-value back-end databases and application servers, so access control is paramount. The XS40 supports legacy systems such as RADIUS and LDAP, along with emerging standards such as Security Assertion Markup Language (SAML) and Extensible Access Control Markup Language (XACML).
Secure architecture
Powered by robust patented XML processing technology built from the ground up to be secure, the XS40 can help to enable full XML Security with the wirespeed performance necessary for real-world applications. The XS40 is more than just an XML firewall: it is an XML proxy with carrier-grade features that can parse, filter, validate schema, decrypt, verify signatures, access-control, transform, sign and encrypt XML message flows at wirespeed so that enterprises can implement comprehensive XML security practices without the performance penalties or security weaknesses typical of other solutions. The XS40's flexible, XML-based architecture offers future-proof functionality and the agility to easily adapt to changing standards, policies, and services.
Web services security is XML processing
Web services security functions, such as XML schema validation, XML Encryption, XML Signature, WS-Security and others, require extensive XML processing. The security of the underlying XML processing engine is essential to the security of a Web services security solution. Secure XML processing is also very resource-intensive. This often forces organizations to choose between performance and protection, because fully securing XML requires processing power not available in traditional XML engines.