
SOA Solutions for Government Organizations

Cross-domain Information Sharing

Layer 7 Technologies is a leading vendor of standards-based, FIPS-certified XML security and networking solutions for Government use. The Layer 7 suite of XML appliances and trusted software products addresses a broad range of performance, security, lifecycle, mediation, SLA and governance challenges inherent in employing Web services in service-centric integration architectures (i.e. SOA), eGov portal initiatives (including Web 2.0 projects) and the enablement of net-centric operations. Innovations include:

  • Hardware acceleration of XML processing and cryptography
  • Standards-based, WS-Policy-oriented configuration and WS-SecurityPolicy provisioning
  • Software options for projects that require a software-only option
  • Advanced identity functionality including support for SAML, Kerberos and X.509 and leading SSO products from Sun, Oracle, RSA, CA, IBM and MS
  • Demonstrated interoperability across all of WS-Security, WS-SecureConversation, WS-SecurityPolicy, WS-Policy, WS-SecureExchange and WS-I BSP SOA security standards
  • Integrated PKI cert provisioning and management for machine-to-machine SOA
  • FIPS 140-2 Level cryptography with HSM
  • Integration with leading SOA registry products from vendors like HP / Systinet, WebMethods / Infravio and Fujitsu
  • ESB and MOM support for vendors including BEA, WebMethods, Tibco, Oracle, Sun and IBM

Layer 7 Technologies employs government-specific sales and sales support staff for efforts involving the US and Canadian Governments. In the US, the Layer 7 sales team is led by SOA veteran Jim Rice, formerly of Sun, Amberpoint and GT Software. The technical solutions team is led by Adam Vincent, formerly of The MITRE Corporation, where he specialized in security around XML, SOA, and net-centric information sharing. To better support classified programs in the US, members of the Layer 7 federal team hold US security clearances up to the TS/SCI level. Layer 7 appliance products offer FIPS-certified crypto, and the XML Networking Gateway is currently undergoing Common Criteria level 4+ certification. The full complement of SecureSpan XML appliances is available through government resellers in the US, Canada, and internationally.

Government Certified XML Gateway

Common Criteria Certification

The SecureSpan XML Networking Gateway is currently under evaluation with SAIC Labs for Common Criteria EAL4+ Certification. Common Criteria is recognized as the only officially approved third-party evaluation criteria for IT security by the United States and many other governments. More information about Common Criteria requirements and Layer 7’s evaluation can be found on The National Information Assurance Partnership (NIAP) web site.

FIPS 140-2 Level 3 Compliance

All SecureSpan XML appliances incorporate FIPS 140-2 Level 3 compliant hardware-accelerated cryptography and SSL acceleration. All cryptographic operations are performed by dedicated FIPS-compliant acceleration hardware, with the option to also store sensitive cryptographic keys in the FIPS-compliant SafeNet Luna SA security appliance with removable Hardware Security Module.

XML Gateway for Cross-domain Info Sharing

Wire Speed Threat Protection

Screening against XML threats can take various forms, including validating messages against a valid schema, finding specific blacklisted keywords or patterns in messages, or detecting abnormally formed messages. The SecureSpan XML Data Screen, Firewall and Networking Gateway all provide wire speed XML threat protection and data cleansing features. All the SecureSpan appliances incorporate multiple, multi-core 64-bit processors, exclusive FastPath XML Stream Processing technology and dedicated ASIC-based XML acceleration to significantly reduce the impact of rigorous threat protection. In many cases, strict threat detection has almost no impact on overall throughput. In addition, binary attachments to SOAP messages can be scanned for viruses through our partnership with Symantec, the leader in antivirus technology.

High Scalability and Availability

The SecureSpan XML appliances incorporate built-in clustering capabilities to both ensure high availability and give customers the ability to scale processing capacity as needs change. A SecureSpan cluster consists of two or more SecureSpan appliances, each processing traffic using an identical set of policies. This unique clustering capability provides automatic policy replication across clusters, cluster-wide traffic and availability monitoring, automatic failover and zero-downtime configuration change management and upgrades.

Multifactor Control

Access control mechanisms often incorporate multiple layers of authentication, incorporating various technologies including hardware tokens, biometric scans, variable challenge / response and other multifactor authentication mechanisms. Typically these mechanisms produce some form of credential or authentication artifact, which may be layered into messages with evidence from other, earlier authentications. Layer 7’s manager for the SecureSpan XML appliances provides flexible support for customized authentication logic based on virtually any combination of userid, password, HTTP header, certificate, WS-S token, SAML assertion, or SSO cookie. Credentials and authentication artifacts embedded or nested in standard or nonstandard locations within the message can also be extracted, verified, filtered and used to drive additional context-based policy decisions.

Advanced SAML Support

SAML is a proven, interoperable framework for creating and exchanging security information, especially between entities in different identity or trust domains. Layer 7 provides extensive support for the SAML 1.1 and 2.0 standards, both for authentication and as a source of identity, supporting the holder-of-key and sender-vouches models. In addition, it is possible to make policy decisions based on specific attributes contained in a SAML assertion. These capabilities help simplify federated Web services applications, hybrid Web/Web services deployments and centralized authentication gateways or portals. The SecureSpan XML Firewall and Networking Gateways can also act as issuers of SAML assertions to back-end services, providing both flexible credential mapping and robust last mile security.

Hardened OS

Critical to any attempt to use an XML security appliance as part of an overall defense in depth strategy is ensuring that the security appliance itself is not subject to attack or malicious exploits. For this reason a hardened operating system is essential in an XML appliance. The SecureSpan Accelerator, XML Data Screen, Firewall and Networking Gateway incorporate a hardened operating system, obfuscated interfaces and internal firewalling to block access to potential toeholds for attacks and protect critical internal subsystems. This ensures that system integrity is maintained, an important foundation for layering on protection for service endpoints.

XML Enablement for Cross-Domain Solutions/Guards

Net Centric Information Exchange Across Security And Classification Boundaries

The SecureSpan™ Policy Integration Point for cross domain solutions builds on the capabilities of Layer 7's SecureSpan family of XML products to provide “out of the box” net-centric connectivity for SOA and Web Services enablement of legacy cross domain solutions and guard technologies.

Deployed in pairs, the SecureSpan Policy Integration Point provides a complete set of capabilities to help address the challenges of securing, validating and transferring XML data across security boundaries in a net-centric environment. In addition to supporting virtually any form of XML data, including Web 2.0, Web services and SOA deployments, the SecureSpan Policy Integration Point also addresses the key requirement of coordinating security and integration policy between classification domains.

The SecureSpan Policy Integration Point supports integration with other components of a cross domain solution through its guard-agnostic plug-and-play architecture which supports a range of popular XML aware cross domain products including Radiant Mercury (RM), Data Sync Guard (DSG), Information Support Server Environment and solutions from Trusted Computer Solutions (TCS).

Key XML Gateway Features:

Service Level Agreements (SLA)

  • Throttling control provides the ability to support service oversubscription with per-service throttling of excess messages
  • Service availability features include support for strict failover, round robin, best effort and latency-based routing
  • Full support for Class of Service based message processing and routing based on identity, message content, time of day, etc.

Service Mediation and Virtualization Features

  • Transport mediation between HTTP, HTTPS, MQS, JMS
  • Smart WSDL generation for non-SOAP services
  • WSDL remapping and service virtualization based on requestor identities
  • Authorization controls for access to specific service operations

Policy Flexibility

  • Support for XML, SOAP, POX, AJAX, REST and other XML-based services
  • Configuration wizards simplify policy creation and activation
  • Support for policy branching based on any message content or logic operation
  • Single policy can support both in-line and co-processor deployments
  • Policies can be applied to request-only, response-only or both request and response messages

Administration Options

  • GUI-based SecureSpan Manager deployed as either a standalone application (Windows / Linux) or browser-based (Internet Explorer / Firefox)
  • Centralized cluster management and configuration with delegated administration
  • Gateway virtualization supports multiple, independently managed logical Gateways on one appliance
  • Drag and drop policy-based policy configuration
  • Intelligent, real-time validation and testing of policies
  • Logging and audit trapping of violations and system/user defined events via SNMP and SMTP
  • Dashboard for graphical, real-time monitoring of traffic profiles and security violations

Supported Standards and Qualifications

  • US DHS Approved Products List; US Army IA Approved Products List; NSA Approved Products List; US FAA Qualified Vendor List; DISA NCES Certification; US DoD PKI Certification; DISA STIG Vulnerability Testing, DISA SRR/Retina Scans Validation; FIPS (both hardware and software products); Canadian CSE Processes; NSA Security Configuration Guides; US DoD 5220.22-M; CNSSI 1253; DCID 6/3; DIACAP; NIAP EAL 4+
  • XML 1.0, SOAP 1.2, REST, AJAX, XPath 1.0, XSLT 1.0, WSDL 1.1, XML Schema, LDAP 3.0, SAML 1.1/2.0, PKCS #10, X.509 v3 Certificates, FIPS 140-2, Kerberos, W3C XML Signature 1.0, W3C XML Encryption 1.0, SSL/TLS 1.1 / 3.0, SNMP, SMTP, POP3, IMAP4, HTTP/HTTPS, JMS 1.0, MQ Series, Tibco EMS, FTP, WS-Security 1.1, WS-Trust 1.0, WS-Federation, WS-Addressing, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment, WS-SecureExchange, WSIL, WS-I, WS-I BSP, UDDI 3.0, XACML 2.0, MTOM

 

 
