- XML/SOAP Firewall - The XS40 filters traffic at production speed, with criteria based on information from layers 2 through 7 of the protocol stack; from SOAP envelope, payload size or field-level message content to IP address, hostname and port. Filters can be predefined and automatically uploaded to change security policies based on time of day or other triggers.
- Field Level XML Security - The XS40 performs encryption/decryption and signing/verification of entire messages or of individual XML fields. Conditional security policies are based on a range of data including content, IP address, hostname or other user-defined environment variables.
- Data Validation - With its unique ability to perform XML Schema validation as well as message validation at wirespeed, the XS40 ensures that incoming XML documents are legitimate and outgoing documents are properly structured to protect against threats such as XML Denial of Service (XDoS) attacks, buffer overflows, or crashes from deliberately or inadvertently malformed XML documents.
- XML Web Services Access Control - The XS40 supports a variety of access control mechanisms, from XACML (eXtensible Access Control Markup Language) to RADIUS to simple client/URL maps. The XS40 can control access rights by rejecting unsigned messages and verifying signatures within SAML assertions.
- SSL Acceleration - The XS40 scales transport layer security by accelerating SSL transactions in hardware. The XS40 can be configured with multiple SSL identities functioning as client or server, with SSL policies based on message content or metadata such as port number, HTTP header, etc.
- Service Virtualization - The XS40 enables companies to link users to application resources without leaking information about their location or configuration. With the combined power of URL rewriting, high-performance XSL transforms and XML/SOAP routing, the XS40 can transparently map a rich set of services to protected back-end resources with the appropriate Quality of Service (QoS).
- Centralized Policy Management - While a straightforward web-based GUI for simple rule creation allows the XS40 to be deployed securely in minutes, the XS40 uses the power of XSLT to create rules as simple or complex as required. Rules may be used to define common policies for firewalls, routing, access control, data transformation, and transport layer security across an array of applications and application servers without sacrificing performance. Manageable locally or remotely, the XS40 supports SNMP, script-based configuration and remote logging to integrate smoothly with your chosen management software.
The XS40 is an appliance and standards-based solution that can "drop into" existing networks with easy integration and interoperability. Using either the standard Command Line Interface or the Web-based GUI, the XS40 can be inserted into existing networks with minimal effort and set-up, often in as little as 2 hours.
In your opinion, what are the critical security issues that affect XML?
XML's power and flexibility are also what cause new security issues when deploying XML-based applications and Web services. XML Web Services are designed to seamlessly connect resources above the network layer - enabling the concept of "loosely coupled but tightly contracted" applications. By their very design, they enable easy direct access to valuable backend databases and application servers and in turn, require the fine-grained control of new granular security policies above the network layer. Even those enterprises that don't plan on joining trading networks must take precautions. Because S2S connectivity enables new application sharing inside the enterprise, policy enforcement is as strong a requirement for internal employees as it is for external partners.
Applying these new granular security policies is not trivial. XML, SOAP and other Web Services protocols rely on a human-readable text-based encoding standard that is not only inherently less secure than byte-encoded formats but also more onerous to process. Consequently, XML Web Services security mandates the use of technologies that can parse, filter and transform XML and SOAP packets at wirespeed performance levels to apply security policies down to the element level of an XML document without hindering the application itself; in other words, it can't be a choice between performance of applications OR securing applications. Companies need both.
XML Security Gateways are one example of the XML-Aware network devices that work with existing security infrastructure to provide the key functions that are required for implementing essential XML Web Services security practices.
Does DataPower have any international growth opportunities?