XML Firewall and VPN

The SecureSpan™ XML Firewall combines the capabilities of the SecureSpan XML Accelerator and Data Screen with advanced identity and message-level security to address the broadest range of behind-the-firewall, portal and B2B SOA security challenges. The SecureSpan XML Firewall includes support for all leading directory, identity, access control, Single Sign-On (SSO) and Federation services. This gives SOA and security architects unparalleled flexibility in defining and enforcing identity-driven SOA security policies that leverage SSO session cookies, Kerberos tickets, SAML assertions and PKI. The SecureSpan XML Firewall also provides architects with advanced policy controls for specifying message and element security rules, including the ability to branch policy based on any message context. Key storage, encryption and signing operations can be handled in FIPS 140-2 certified acceleration hardware onboard the appliance or centrally through Safenet’s Luna HSM. The SecureSpan XML Firewall has demonstrated compliance with all major WS* and WS-I security protocols, including WS-Security, WS-SecureConversation, WS-SecurityPolicy, WS-Trust, WS-Secure Exchange, WS-Policy and WS-I Basic Security Profile. The SecureSpan Firewall also supports SAML 1.1 and 2.0 in both the sender-vouches and holder-of-key models. The SecureSpan XML VPN Client is optional SOA client software (or hardware) used in conjunction with the SecureSpan XML Firewall to streamline SOA B2B and portal connectivity. The SecureSpan XML VPN Client can be deployed on or in front of client applications needing connectivity to secured Web services. The XML VPN Client automatically manages PKI, SSO, Federation and WS* compliance on SOA clients without coding, ensuring secure SOA connectivity and simplifying security change management.
The SecureSpan XML Firewall is available as a linearly scalable, high-performance 64-bit, multi-processor, 1U appliance with onboard XML acceleration and an optional SSL/crypto accelerator with HSM; as Gateway software for Linux and Solaris server platforms; and as a soft appliance supporting a broad range of host operating systems. Deployment options include inline DMZ security or use as a security coprocessor to an Enterprise Service Bus (ESB), providing operations including document signing, validation and encryption. The SecureSpan XML VPN Client is available as a class library for integration into a client application, as a stand-alone executable, or as hardware. To future-proof customers against changing requirements, the SecureSpan XML Firewall is software-upgradeable to the SecureSpan XML Networking Gateway.

Example Deployment Pages:

Problems Addressed:
- Control access to services and operations
- Secure service WSDL interfaces
- Enforce WS* and WS-I standards
- Manage security for B2B relationships
- Audit transactions
Innovations:
- First XML Firewall to combine 64-bit architecture with onboard XML and FIPS 140-2 crypto acceleration
- First XML Firewall to offer XML VPN to streamline B2B and portal SOA security
- First XML Firewall to implement all WS* standards cluster-wide
- First XML Firewall to offer software upgradeability to an application oriented XML networking appliance
Key Features:

XML Threat Protection
- Infrastructural protections against XML parsing, XDoS and OS attacks
- Application protection against XML content tampering and viruses in SOAP attachments
- Protection against SQL and malicious script injection attacks
- Allow / reject messages based on time of day, day of week and IP address
- Configurable throughput restrictions based on requestor or destination prevent downstream XDoS
Advanced Identity, Credentialing and PKI Support
- Onboard identity store for administrative identities and fast staging of new services
- Integration with multiple external identity, access, single sign-on and federation systems including LDAP, Microsoft (Active Directory and Active Directory Federated Services), Oracle Access Manager, IBM Tivoli (Access Manager and Federated Identity Manager), CA SiteMinder, RSA ClearTrust, Sun Java Access Manager and Novell Access Manager
- Credential chaining, credential remapping and support for federated identity
- Integrated SAML issuer and comprehensive support for SAML 1.1/2.0 authentication, authorization and attribute based policies
- Integrated PKI CA for automated deployment and management of client-side certificates, and RA capability for external CAs including Verisign
Policy Flexibility
- Support for XML, SOAP, POX, AJAX, REST and other XML-based services
- Configuration wizards simplify policy creation and activation
- Support for policy branching based on identity or any message content or context
- Rollback to previous policy versions and reuse of user defined policy fragments
- Support for multiple routing destinations with configurable failover
- Policies can be applied to request-only, response-only or both request and response messages
Administration Options
- GUI-based SecureSpan Manager deployed as either a stand-alone application (Windows / Linux) or browser-based (Internet Explorer / Firefox)
- Centralized cluster management and configuration with delegated administration
- Drag-and-drop, policy-based configuration
- Intelligent, real-time validation and testing of policies
- Secure configuration backup and policy migration between environments
- Logging and audit trapping of violations and system/user defined events via SNMP and SMTP
- Support for external logging sinks
- Dashboard for graphical, real-time monitoring of traffic profiles and security violations
Supported Standards and Specifications
- XML 1.0, SOAP 1.1, REST, AJAX, XPath 1.0, XSLT 1.0, WSDL 1.1, XML Schema, LDAP 3.0, SAML 1.1/2.0, PKCS #10, X.509 v3 Certificates, FIPS 140-2, Kerberos, W3C XML Signature 1.0, W3C XML Encryption 1.0, SSL/TLS 1.1 / 3.0, SNMP, SMTP, HTTP/HTTPS, JMS 1.0, MQ Series, Tibco EMS 4.0, WS-Security 1.0, WS-Addressing, WS-Trust 1.0, WS-Federation, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment, WS-SecureExchange, WSIL, WS-I, WS-I BSP, UDDI 3.0
Form Factor
- 1U rack-mount appliance, 64-bit multiprocessor platform with XML acceleration ASIC, optional SSL/crypto acceleration with HSM, four GE/FE NICs and dual PSUs
- Gateway software for Red Hat and SUSE Linux and Solaris platforms*
- Soft appliance supporting a broad range of host operating systems
*Note: Some features available in appliance version only