WebSphere DataPower Service Gateway XG45 Features and Benefits

While SOA and XML Web Services offer the opportunity to simplify IT management and increase business value, securing and exposing services remains a barrier to adoption. The WebSphere® DataPower Service Gateway XG45 is a network appliance that is built for web services deployments, governance, light integrations and hardened security in a single “drop-in” box.

XML firewall

The XG45 provides secure portal connections and protection against XML vulnerabilities by acting as an XML proxy, while at the same time performing XML well-formedness checks, buffer overrun checks, XML schema validation, XML filtering, and XDoS protection.

XML denial of service protection

A single low-byte XML message can bypass traditional perimeter protection and instantly crash mission-critical applications. The XG45 validates incoming requests and logs malformed and malicious traffic to provide valuable post-attack forensics.
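The checks named in the two sections above (size/buffer limit, well-formedness, nesting depth and entity-expansion XDoS), as an added example that is not DataPower code: a small Python gatekeeper that runs ahead of a back-end parser using only the standard library's expat bindings. MAX_BYTES, MAX_DEPTH and the sample messages are constructed for this illustration.

```python
import xml.parsers.expat

MAX_BYTES = 64 * 1024   # constructed policy limit for this example
MAX_DEPTH = 32          # constructed policy limit for this example

class MessageRejected(Exception):
    """Raised with the reason a message failed an inspection check."""

def inspect_xml(data: bytes) -> dict:
    """Return parse statistics for an accepted message, or raise MessageRejected."""
    if len(data) > MAX_BYTES:                       # size check before any parsing
        raise MessageRejected(f"message exceeds {MAX_BYTES} bytes")
    stats = {"depth": 0, "max_depth": 0, "elements": 0}
    parser = xml.parsers.expat.ParserCreate()
    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DTD is refused: internal subsets are where entity-expansion bombs live.
        raise MessageRejected("DOCTYPE declarations are not allowed")
    def on_start(name, attrs):
        stats["elements"] += 1
        stats["depth"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > MAX_DEPTH:              # deep-nesting XDoS check
            raise MessageRejected(f"nesting deeper than {MAX_DEPTH} levels")
    def on_end(name):
        stats["depth"] -= 1
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)                    # well-formedness check
    except xml.parsers.expat.ExpatError as exc:
        raise MessageRejected(f"not well-formed: {exc}") from exc
    return {"ok": True, "depth": stats["max_depth"], "elements": stats["elements"]}

SAMPLES = {  # constructed messages, not captured traffic
    "good": b"<soap:Envelope xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'>"
            b"<soap:Body><Order><Total>12.50</Total></Order></soap:Body></soap:Envelope>",
    "entity_bomb": b"<!DOCTYPE x [<!ENTITY a 'aaaa'><!ENTITY b '&a;&a;&a;&a;'>]><x>&b;</x>",
    "deep": b"<a>" * 40 + b"</a>" * 40,
    "malformed": b"<Order><Total>12</Order>",
}

def run_samples() -> dict:
    # Map each sample name to 'accepted' or the rejection reason (the audit-log line).
    verdicts = {}
    for name, data in SAMPLES.items():
        try:
            inspect_xml(data)
            verdicts[name] = "accepted"
        except MessageRejected as exc:
            verdicts[name] = str(exc)
    return verdicts
```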

Field level message security

The XG45 selectively shares information through encryption/decryption and signing/verification of entire messages or of individual XML fields. These granular and conditional security policies can be based on nearly any variable, including content, IP address, hostname, or other user-defined filters.

Web services access control

Since the XG45 is much more than just an XML firewall, it provides access control functions that can be used to enable secure access to Web services-based applications for both internal and external clients. Both commercial and standards-based integration is supported, including LDAP, SAML and WS-Security.

Fine-grained authorization

Instead of URL-based or connection-level access control, fine-grained authorization allows the XG45 to interrogate every individual SOAP/XML transaction and determine whether it should be allowed through based on payload contents, security policy, and identity information. For example, a purchase order that is (1) over $500, (2) digitally signed by the CFO’s certificate, (3) targeted for vendor X, and (4) sent before 5 p.m. may be allowed through, while one immediately following it would be rejected. SAML, WS-Security, and XACML are key emerging standards for implementing this kind of fine-grained access control in an open, cross-platform environment which joins a variety of policy enforcement points (such as the XG45) and central policy repositories.
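The purchase-order rule above, expressed as a content-based authorization decision over a SOAP body; this is an added Python example, not DataPower's policy language or code. It assumes the XML Signature was already verified by an upstream step, so the verified signer's certificate CN is passed in rather than re-checked, and the po: namespace and sample envelope are constructed for the illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, time
from decimal import Decimal, InvalidOperation

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
PO = "{urn:example:po}"   # constructed namespace for the sample order documents


def authorize_order(envelope: bytes, signer_cn: str) -> tuple:
    """Return (allowed, reason) for one purchase-order transaction.

    signer_cn is the subject CN of the certificate whose XML Signature an
    upstream step already verified; that step is assumed, not reimplemented.
    """
    root = ET.fromstring(envelope)
    order = root.find(f"{SOAP}Body/{PO}PurchaseOrder")
    if order is None:
        return False, "no PurchaseOrder element in the SOAP Body"
    try:
        total = Decimal(order.findtext(f"{PO}Total", ""))
        submitted = datetime.fromisoformat(order.findtext(f"{PO}Submitted", ""))
    except (InvalidOperation, ValueError):
        return False, "Total or Submitted is missing or malformed"
    vendor = order.findtext(f"{PO}Vendor", "")
    # Each rule is tested separately so the decision log records which one failed.
    if total <= Decimal("500"):
        return False, f"total {total} is not over 500"
    if signer_cn != "CN=CFO":
        return False, f"signer {signer_cn!r} is not the CFO certificate"
    if vendor != "Vendor X":
        return False, f"vendor {vendor!r} is not the approved target"
    if submitted.time() >= time(17, 0):
        return False, f"submitted at {submitted.time()} is not before 5 p.m."
    return True, "all four conditions satisfied"


def make_order(total: str, vendor: str, submitted: str) -> bytes:
    """Build a constructed sample envelope (signature element omitted, see above)."""
    return (
        f'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        f'<soap:Body><po:PurchaseOrder xmlns:po="urn:example:po">'
        f"<po:Total>{total}</po:Total><po:Vendor>{vendor}</po:Vendor>"
        f"<po:Submitted>{submitted}</po:Submitted>"
        f"</po:PurchaseOrder></soap:Body></soap:Envelope>"
    ).encode()
```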

Service virtualization

XML Web services require companies to link partners to resources without leaking information about their location or configuration. With the combined power of URL rewriting, high-performance XSL transforms and XML/SOAP routing, the XG45 can transparently map a rich set of services to protected back-end resources with high performance.

Centralized policy management

The XG45’s wirespeed performance enables enterprises to centralize security functions in a single drop-in device that can enhance security and help reduce ongoing maintenance costs. Simple firewall functionality can be configured via a GUI and be running in minutes, and using the power of XSLT, the XG45 can also implement sophisticated security and routing rules. Because the XG45 works with leading policy managers such as IBM® Tivoli® Access Manager, it is an ideal policy execution engine for securing next generation applications.

Web services management/service level management

With support for Web Services Distributed Management (WSDM), Universal Description, Discovery, and Integration (UDDI), Web Services Description Language (WSDL), and Dynamic Discovery, and broad support for Service Level Management configurations, the XG45 natively offers a robust Web services management framework for the efficient management of distributed Web service endpoints and proxies in heterogeneous SOA environments. The XG45 also offers SLM alerts and logging and can pull and enforce policies, which helps enable broad integration support for third-party management systems and unified dashboards, in addition to robust support and enforcement for governance frameworks and policies.

Inter-enterprise application sharing

XML can Internet-enable nearly every enterprise application, driving an instant need for centralized message filtering and validation. The XG45 can process and validate messages at a central point in real-time so only known-good requests reach valued back-end resources. High-speed message signing and verification prevents falsified requests and securely logs all transactions.

Secure portal connections

Portal applications tie into high-value back-end databases and application servers, so access control is paramount. The XG45 supports legacy systems such as RADIUS and LDAP, along with emerging standards such as Security Assertion Markup Language (SAML) and Extensible Access Control Markup Language (XACML).

Secure architecture

Powered by robust patented XML processing technology built from the ground up to be secure, the XG45 can help to enable full XML Security with the wirespeed performance necessary for real-world applications. The XG45 is more than just an XML firewall: it is an XML proxy with carrier-grade features that can parse, filter, validate schema, decrypt, verify signatures, access-control, transform, sign and encrypt XML message flows at wirespeed so that enterprises can implement comprehensive XML security practices without the performance penalties or security weaknesses typical of other solutions. The XG45’s flexible, XML-based architecture offers future-proof functionality and the agility to easily adapt to changing standards, policies, and services.

Web services security is XML processing

Web services security functions, such as XML schema validation, XML Encryption, XML Signature, WS-Security and others, require extensive XML processing. The security of the underlying XML processing engine is essential to the security of a Web services security solution. Secure XML processing is also very resource-intensive. This often forces organizations to choose between performance and protection, because fully securing XML requires processing power not available in traditional XML engines.

WS-Policy standards

WS-PolicyAttachment: Message Content Filters 1.1:
This IBM specification extends the policy subject attachment semantics as defined in the WS-PolicyAttachment v1.5 framework (PDF, 188KB). It provides standardization across Policy Enforcement and Policy Administration platforms for describing policies that should be applied to specific consumers of a service. The specification defines a new policy subject domain (MessageContent) that defines policy attachment filtering based on the content of messages (which complements the use of web services attachment semantics, such as WSDL 1.1 Element Identifiers). WebSphere DataPower provides support for this specification starting with release 5.0.

WS-MediationPolicy 1.6:
This IBM specification defines a new policy domain vocabulary related to Service Gateway mediation capabilities using extensibility provided in WS-Policy v1.5 framework (PDF, 176KB). Key benefits of supporting this specification include: the abstraction of intended mediation assertions semantics from Policy Enforcement runtime configuration, and the ability to govern individual policy documents as representing business operational policies. The new policy vocabulary covers Service Gateway mediation capabilities such as Quality-of-Service (QoS), Routing, Message Validation, and Message Translation action patterns. WebSphere DataPower release 5.0 can consume these new policy types and affect services hosted in Web-Service Proxy gateways.

Data Integration Module

With the DataPower XG45, customers can opt for the Data Integration Module as a field-upgradeable option for any-to-any data transformation. The Data Integration Module can parse and transform arbitrary binary, flat text, and XML messages, including EDI, COBOL Copybook, ISO 8583, CSV, ASN.1, and ebXML. The Data Integration Module also provides database access and PKCS7 encryption.

Hardware Security Module

A FIPS 140-2 Level 3 certified hardware security module (HSM) is available as an embedded, factory-installed option. The HSM provides tamper-proof storage of the private key material used for cryptographic operations performed on the appliance.