Advanced Identity-Based Security for SOA
Traditionally, security and entitlement for SOA-based integration has been coded into each and every application exposed as a programmatically accessible service in the organization. When those requirements (or the standards on which they’re based) change, every service needs to be updated and re-tested manually. To simplify governance of security in SOA-based integrations Layer 7 offers the XML Firewall.
Providing intermediate functional capabilities between the API Proxy and SOA Gateway, the XML Firewall is designed to address access, federation and message security needs in SOA based integrations that leverage SOAP, REST and JSON style application interfaces. Unlike the API Proxy which is limited to REST, JSON and OAuth style API security the XML Firewall also supports SAML, XACML and the implementation of a broader array of WS* and WS-I based standards associated with SOAP style messaging.
The XML Firewall can be deployed as a security endpoint to an ESB or as a DMZ-class edge device gating access to an internal ESB or application interfaces. The XML Firewall in the DMZ can be deployed as a hardened appliance, virtual appliance or as software. All form factors support FIPS standards, are PCI DSS compliant and are STIG vulnerability tested to meet rigorous US Defense industry standards.
The XML Firewall supports a comprehensive set of SOA security governance use cases spanning identity, access, threat protection, privacy, communication integrity and information assurance. Example capabilities of the XML Firewall include:
The XML Firewall includes all the features of the API Proxy, which can be upgraded to the Firewall through a license key. The XML Firewall is optimized for HTTP and HTTPS transports. Customers needing a broader range of transports such as MQ Series or Tibco EMS or who need to support a greater number of data and application adapters beyond XML should consider the SOA Gateway, which is an upgrade from the XML Firewall. Like the other Layer 7 API Gateways, the XML Firewall integrates with leading service registry products including Software AG CentraSite, HP Systinet, IBM WSRR, Tibco ActiveMatrix Registry and Oracle Service Registry.
Identity-driven SOA – With support for leading IAMs and SSOs, organizations can quickly leverage their existing identity infrastructure to centrally enforce authentication and authorization.
Secure Cross-domain Interactions – With built-in PKI and SAML based STS capabilities, organizations can cost-effectively implement federated security between disparate identity domains.
Secure Cross-domain and B2B Relationships – Integrated PKI CA/RA as well as STS/SAML issuer provides credential chaining, credential remapping and support for federated identity.
Security Standards Compliance – Layer 7 has long been a leader in drafting and implementing leading OASIS WS*, WS-I WS Basic Security Profile and W3C WS-Policy standards including WS-Security, WS-SecureConversation, WS-Trust, WS-Federation, WS-Policy to name some. Implementing the various standards outside code in the XML Firewall helps insure architects consistent implementation of the standards and protection from standards versioning issues.
API Virtualization and Management – Layer 7's XML Firewall can be deployed as a proxy to both POX, WSDL and REST based service interfaces. Using the native policy language, architects can create virtual service views specific to client identities, secure versions of specific application interfaces and they can manage versions of APIs across the development lifecycle without breaking client appplications.
Security Certification – Layer 7's XML Firewall was the first XML Gateway to support FIPS compliance in both hardware and software, provide support for the latest encryption cyphers including Elliptic Curve, meet DoD STIG vulnerability standards, provide versions that satisfy EAL 4+ common criteria and offer the latest in onboard or offboard hardware key store.
XACML Support – The XML Firewall can be implemented as both an XACML Policy Decision Point and Policy Enforcement Point for existing XACML Decision Points.
VMware Ready – The XML Firewall is the only XML Firewall certified by VMware for their hypervisor and cloud platforms.
|Chassis||1RU standard rack mount: 1.71 x 16.75 x 27.0 in. (43.43 x 425.5 x 658.8 mm)|
|Processor||Dual Six-Core Intel Xeon L5640 2.26 GHz CPU|
|Hardware Acceleration||Offload XML processing operations to optional acceleration card|
|Ports||4 x Gigabit Network Cards|
|Memory||12GB RAM (maximum memory of 72GB)|
|Storage||Mirrored, hot-swappable 146GB RAID 1 SAS HDD|
|Power||Dual redundant, hot-swappable; 760 watts (W)|
|Performance||Able to handle more than 10,000 requests/sec|
|Desktop||VMware (VMware Ready certified)|
|Server||ESX (VMware Ready certified)|