Header Image

XML Firewall

Advanced Identity-Based Security for SOA

Traditionally, security and entitlement for SOA-based integration has been coded into each and every application exposed as a programmatically accessible service in the organization. When those requirements (or the standards on which they’re based) change, every service needs to be updated and re-tested manually. To simplify governance of security in SOA-based integrations Layer 7 offers the XML Firewall.

Providing intermediate functional capabilities between the API Proxy and SOA Gateway, the XML Firewall is designed to address access, federation and message security needs in SOA based integrations that leverage SOAP, REST and JSON style application interfaces. Unlike the API Proxy which is limited to REST, JSON and OAuth style API security the XML Firewall also supports SAML, XACML and the implementation of a broader array of WS* and WS-I based standards associated with SOAP style messaging.

The XML Firewall can be deployed as a security endpoint to an ESB or as a DMZ-class edge device gating access to an internal ESB or application interfaces. The XML Firewall in the DMZ can be deployed as a hardened appliance, virtual appliance or as software. All form factors support FIPS standards, are PCI DSS compliant and are STIG vulnerability tested to meet rigorous US Defense industry standards.

XML Firewall - Layer 7 technologies


The XML Firewall supports a comprehensive set of SOA security governance use cases spanning identity, access, threat protection, privacy, communication integrity and information assurance. Example capabilities of the XML Firewall include:

  • SSL termination and acceleration
  • Service authentication with a wide range of credentials, tokens and cookies
  • Operation level authorization
  • Credential validation, translation, generation or chaining
  • SAML and OAuth style federation
  • Identity integration with CA, Microsoft, Novell, Oracle, RSA, Sun, Ping, IBM
  • Data validation and API attack protection
  • XML data normalization and transformation
  • API versioning and transformation across SOAP, REST and JSON
  • Content or availability based routing
  • Message and field level encryption, redaction, filtering and signing
  • Throttling of access to a service endpoint based on attribute-based policy
  • Identity and message caching
  • Transaction logging and audit
  • Payload virus scanning using leading virus scan engines
  • PKI certificate management
  • Hardware key store either onboard and offboard

The XML Firewall includes all the features of the API Proxy, which can be upgraded to the Firewall through a license key. The XML Firewall is optimized for HTTP and HTTPS transports. Customers needing a broader range of transports such as MQ Series or Tibco EMS or who need to support a greater number of data and application adapters beyond XML should consider the SOA Gateway, which is an upgrade from the XML Firewall. Like the other Layer 7 API Gateways, the XML Firewall integrates with leading service registry products including Software AG CentraSite, HP Systinet, IBM WSRR, Tibco ActiveMatrix Registry and Oracle Service Registry.

Identity-driven SOA – With support for leading IAMs and SSOs, organizations can quickly leverage their existing identity infrastructure to centrally enforce authentication and authorization.

Secure Cross-domain Interactions – With built-in PKI and SAML based STS capabilities, organizations can cost-effectively implement federated security between disparate identity domains.

Secure Cross-domain and B2B Relationships – Integrated PKI CA/RA as well as STS/SAML issuer provides credential chaining, credential remapping and support for federated identity.

Security Standards Compliance – Layer 7 has long been a leader in drafting and implementing leading OASIS WS*, WS-I WS Basic Security Profile and W3C WS-Policy standards including WS-Security, WS-SecureConversation, WS-Trust, WS-Federation, WS-Policy to name some. Implementing the various standards outside code in the XML Firewall helps insure architects consistent implementation of the standards and protection from standards versioning issues.

API Virtualization and Management – Layer 7's XML Firewall can be deployed as a proxy to both POX, WSDL and REST based service interfaces. Using the native policy language, architects can create virtual service views specific to client identities, secure versions of specific application interfaces and they can manage versions of APIs across the development lifecycle without breaking client appplications.

Security Certification – Layer 7's XML Firewall was the first XML Gateway to support FIPS compliance in both hardware and software, provide support for the latest encryption cyphers including Elliptic Curve, meet DoD STIG vulnerability standards, provide versions that satisfy EAL 4+ common criteria and offer the latest in onboard or offboard hardware key store.

XACML Support – The XML Firewall can be implemented as both an XACML Policy Decision Point and Policy Enforcement Point for existing XACML Decision Points.

VMware Ready – The XML Firewall is the only XML Firewall certified by VMware for their hypervisor and cloud platforms. 


Chassis 1RU standard rack mount: 1.71 x 16.75 x 27.0 in. (43.43 x 425.5 x 658.8 mm)
Processor Dual Six-Core Intel Xeon L5640 2.26 GHz CPU
Hardware Acceleration Offload XML processing operations to optional acceleration card
  • Optional onboard HSM and support for external HSMs (i.e., nCipher, Luna, etc)
  • FIPS 140-2 support in both hardware (Level 3) and software (Level 1)
Ports 4 x Gigabit Network Cards
Memory 12GB RAM (maximum memory of 72GB)
Storage Mirrored, hot-swappable 146GB RAID 1 SAS HDD
Power Dual redundant, hot-swappable; 760 watts (W)
Performance Able to handle more than 10,000 requests/sec
Operating Systems
  • Solaris 10 for x86 and Niagara
  • SUSE Linux
  • Red Hat Linux 4.0/5.0
Virtual Appliance
Desktop VMware (VMware Ready certified)
Server ESX (VMware Ready certified)


  • XML
  • SOAP
  • AJAX
  • XPath
  • XSLT
  • WSDL
  • XML Schema
  • LDAP
  • SAML
  • PKCS
  • X.509 Certificates
  • FIPS 140
  • Kerberos
  • OAuth
  • W3C XML Signature
  • W3C XML Encryption
  • SNMP
  • SMTP
  • POP3
  • IMAP4
  • WCF
  • JSON
  • JMS
  • MQ Series
  • REST
  • Tibco EMS
  • FTP
  • WS-Security
  • WS-Trust
  • WS-Federation
  • WS-Addressing
  • WSSecureConversation
  • WS-MetadataExchange
  • WS-Policy
  • WS-SecurityPolicy
  • WS-PolicyAttachment
  • WS-SecureExchange
  • WSIL
  • WS-I
  • WS-I BSP
  • UDDI
  • WSRR
  • MTOM
  • IPv6


Identity and Message Level Security
Identity-based access to services and operations
  • Integration with leading identity, access, SSO and federation systems from Oracle, Sun, Microsoft, CA, IBM Tivoli, Novell
  • Enforce fine-grained entitlement decisions authored in an XACML PDP
Manage security for cross-domain and B2B relationships
  • Credential chaining, credential remapping and support for federated identity
  • Integrated SAML STS issuer featuring comprehensive support for SAML 1.1/2.0 authentication, authorization and attribute based policies
  • Integrated PKI CA for automated deployment and management of client-side certificates, and integrated RA for external CAs
  • STS support through WS-Trust and WS-Federation
Enforce WS* and WS-I standards
  • Support for all major WS* and WS-I security protocols, including SOAP 1.0/1.1/1.2, WS-Security 1.1 / 1.2, WS-SecureConversation, WS-SecurityPolicy, WS-Addressing, WS-Trust, WS-Federation, WS-Secure Exchange, WS-Policy and WS-I Basic Security Profile, SAML 1.1/2.0, XACML 2.0
Secure WSDL, REST and POX interfaces
  • Selectively control access to interfaces down to an operation level
  • Create on-the-fly composite WSDL views tailored to specific requestors
  • Out of the box support for popular Cloud and SaaS interfaces from Salesforce and Amazon
  • Service look-up and publications using WSIL and UDDI
Audit transactions
  • Log message-level transaction information
  • Spool log data to off-board data stores and management systems
  • Optional onboard HSM, as well as support for external HSMs (i.e., SafeNet Luna)
  • Support for elliptic curve cryptography (conforms to NSA’s Suite B algorithms)
  • FIPS 140-2 support in both hardware (Level 3) and software (Level 1)
XML Threat Protection
Filter XML content for SOA, Web 2.0 and Cloud
  • Configurable validation & filtering of HTTP headers, parameters and form data
  • Detection of classified or “dirty” words or arbitrary signatures with subsequent scrubbing, rejection or redaction of messages
  • Support for XML, SOAP, POX, AJAX, REST and other XML-based services
Transactional Integrity Protection
  • Protect against identity spoofing and session hijacking cluster-wide
  • Assure integrity of communication end-to-end
Prevent XML attack and intrusion
  • Protect against XML parsing; XDoS and OS attacks; SQL and malicious scripting language injection attacks; external entity attacks
  • Protection against XML content tampering and viruses in SOAP attachments
  • DoD STIG vulnerability tested and assured
API Management
API Publication
  • Secure, manage, monitor and control access to APIs exposed to third parties
  • API usage can be throttled to ensure backend services are not overwhelmed; limited by user, time of day, location, etc; and quota managed (i.e., # of uses per user per day)
API Metrics and Reporting
  • Configurable, out-of-the-box reports provide insight into API performance: measure throughput, routing failures, utilization and availability rates, etc
  • Failed authentications and/or policy violations can be tracked to identify patterns and potential threats
API Security
  • Support for all major WS* and WS-I security protocols
  • Support for all major authentication and authorization standards, including SAML, Kerberos, digital signatures, X.509 certificates, LDAP, XACML, etc 
Enterprise-scale Management
Operations Console
  • A single, real time view of all Gateways across the enterprise and cloud showing audits, events and key metrics
Policy Migration
  • Centrally move policies between environments (development, testing, staging, production, etc), settings (enterprise, cloud, etc) or geographies, automatically resolving discrepancies such as SSG licenses, IP addresses, IT resources (i.e., LDAPs may be named differently), etc
Services Reporting
  • Configurable, out-of-the-box reports provide insight into SSG operations, service-level performance, and service user experience
Remote Patching
  • Selectively update any software installed on Gateways, including system files and operating system
Disaster Recovery
  • Centrally back up SSG config files and policies from one or more Gateways/clusters, and remotely restore, enabling full disaster recovery
Management API
  • Remote management APIs allow customers to hook their existing, third-party management tools into the SSG, simplifying asset management
XML Firewall Form Factors
  • Active-active clusterable, dual power supply, mirrored hot-swappable drives, multi-core, 64-bit 1U server
  • Solaris 10 for x86 and Niagara, SUSE Linux, Red Hat Linux 4.0/5.0
Virtual Appliance
  • VMware/ESX (VMware Ready certified)
  • Cloud – Amazon EC2 AMI