Traditionally, security and entitlement requirements have been coded into each and every application service in the organization. When those requirements (or the standards on which they’re based) change, every service needs to be updated. The SecureSpan XML Firewall lets organizations secure systems by providing a centralized enforcement point for policy-driven authentication and fine-grained, service level authorization. Centralizing security and access requirements in policy that can be run as a shared service in front of applications provides consistent security, while simplifying audit and compliance burdens. With centralized authentication, authorization and audit (AAA) policies in place, changes can be instituted as new or updated policy rules, dramatically decreasing IT maintenance costs. - Identity-driven SOA – With support for leading IAMs and SSOs, organizations can quickly leverage their existing identity infrastructure to centrally enforce authentication and authorization.
- Secure Cross-domain Interactions – With built-in PKI and STS capabilities, organizations can cost-effectively implement AAA security between disparate identity domains.
- Secure Cross-domain and B2B Relationships – Integrated PKI CA/RA as well as STS/SAML issuer provides credential chaining, credential remapping and support for federated identity.
 Features/Functionality
| Identity and Message Level Security | | Identity-based access to services and operations | - Integration with leading identity, access, SSO and federation systems from Oracle, Sun, Microsoft, CA, IBM Tivoli, Novell
- Enforce fine-grained entitlement decisions authored in an XACML PDP
| | Manage security for cross-domain and B2B relationships | - Credential chaining, credential remapping and support for federated identity
- Integrated SAML STS issuer featuring comprehensive support for SAML 1.1/2.0 authentication, authorization and attribute based policies
- Integrated PKI CA for automated deployment and management of client-side certificates, and integrated RA for external CAs
- STS support through WS-Trust and WS-Federation
| | Enforce WS* and WS-I standards | - Support for all major WS* and WS-I security protocols, including SOAP 1.0/1.1/1.2, WS-Security 1.1 / 1.2, WS-SecureConversation, WS-SecurityPolicy, WS-Addressing, WS-Trust, WS-Federation, WS-Secure Exchange, WS-Policy and WS-I Basic Security Profile, SAML 1.1/2.0, XACML 2.0
| | Secure WSDL, REST and POX interfaces | - Selectively control access to interfaces down to an operation level
- Create on-the-fly composite WSDL views tailored to specific requestors
- Out of the box support for popular Cloud and SaaS interfaces from Salesforce and Amazon
- Service look-up and publications using WSIL and UDDI
| | Audit transactions | - Log message-level transaction information
- Spool log data to off-board data stores and management systems
| | Cryptography | - Optional onboard HSM, as well as support for external HSMs (i.e., SafeNet Luna)
- Support for elliptic curve cryptography (conforms to NSA’s Suite B algorithms)
- FIPS 140-2 support in both hardware (Level 3) and software (Level 1)
| | XML Threat Protection | | Filter XML content for SOA, Web 2.0 and Cloud | - Configurable validation & filtering of HTTP headers, parameters and form data
- Detection of classified or “dirty” words or arbitrary signatures with subsequent scrubbing, rejection or redaction of messages
- Support for XML, SOAP, POX, AJAX, REST and other XML-based services
| | Transactional Integrity Protection | - Protect against identity spoofing and session hijacking cluster-wide
- Assure integrity of communication end-to-end
| | Prevent XML attack and intrusion | - Protect against XML parsing; XDoS and OS attacks; SQL and malicious scripting language injection attacks; external entity attacks
- Protection against XML content tampering and viruses in SOAP attachments
- DoD STIG vulnerability tested and assured
| | API Management | API Publication
| - Secure, manage, monitor and control access to APIs exposed to third parties
- API usage can be throttled to ensure backend services are not overwhelmed; limited by user, time of day, location, etc; and quota managed (i.e., # of uses per user per day)
| | API Metrics and Reporting | - Configurable, out-of-the-box reports provide insight into API performance: measure throughput, routing failures, utilization and availability rates, etc
- Failed authentications and/or policy violations can be tracked to identify patterns and potential threats
| | API Security | - Support for all major WS* and WS-I security protocols
- Support for all major authentication and authorization standards, including SAML, Kerberos, digital signatures, X.509 certificates, LDAP, XACML, etc
| | Enterprise-scale Management | | Operations Console | - A single, real time view of all Gateways across the enterprise and cloud showing audits, events and key metrics
| | Policy Migration | - Centrally move policies between environments (development, testing, staging, production, etc), settings (enterprise, cloud, etc) or geographies, automatically resolving discrepancies such as SSG licenses, IP addresses, IT resources (i.e., LDAPs may be named differently), etc
| | Services Reporting | - Configurable, out-of-the-box reports provide insight into SSG operations, service-level performance, and service user experience
| | Remote Patching | - Selectively update any software installed on Gateways, including system files and operating system
| | Disaster Recovery | - Centrally back up SSG config files and policies from one or more Gateways/clusters, and remotely restore, enabling full disaster recovery
| | Management API | - Remote management APIs allow customers to hook their existing, third-party management tools into the SSG, simplifying asset management
| | XML Firewall Form Factors | | Hardware | - Active-active clusterable, dual power supply, mirrored hot-swappable drives, multi-core, 64-bit 1U server
| | Software | - Solaris 10 for x86 and Niagara, SUSE Linux, Red Hat Linux 4.0/5.0
| | Virtual Appliance | - VMware/ESX (VMware Ready certified)
- Cloud – Amazon EC2 AMI
| | Supported Standards | | XML 1.0, SOAP 1.2, REST, AJAX, XPath 1.0, XSLT 1.0, WSDL 1.1, XML Schema, LDAP 3.0, SAML 1.1/2.0, PKCS #10, X.509 v3 Certificates, FIPS 140-2, Kerberos, W3C XML Signature 1.0, W3C XML Encryption 1.0, SSL/TLS 3.0/1.1, SNMP, SMTP, POP3, IMAP4, HTTP/HTTPS, JMS 1.0, MQ Series, Tibco EMS, FTP, WS-Security 1.1, WS-Trust 1.0, WS-Federation, WS-Addressing, WSSecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment, WS-SecureExchange, WSIL, WS-I, WS-I BSP, UDDI 3.0, XACML 2.0, MTOM | Share: | More | | 
or
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
Resources Datasheet:
XML Firewall  Download PDF | 196Kb Solution Brief:
Identity Based XML Firewalling Download PDF | 208Kb White Paper:
Securing XML Web Services Download PDF | 205 Kb Solution Brief:
Federated Web Services Download PDF | 2.2 MB White Paper:
Identity Federation in Web Services
Download PDF | 390 Kb Webinar: 
Building Multi-Enterprise SOA Download PDF | View Webinar Podcast:
Extending SOA across Organizational Boundaries Play Podcast Podcast:
Identity Federation and Web Services Play Podcast Podcast:
XML Security Considerations Inside the Firewall Play Podcast |
