The XML Security Gateway XS40 provides a security-enforcement point for XML and Web services transactions. It generally sits in the DMZ to take advantage of its extensive security capability. It provides all the capabilities of the XML Accelerator XA35 as described in XML Accelerator XA35 plus the following capabilities:
- Centralized policy management and enforcement
- The outstanding performance of the appliance can enable enterprises to centralize security functions in a single drop-in device that can enhance security and can reduce ongoing maintenance costs. Simple firewall and Web services proxy functionality can be configured via the Web user interface (WebGUI) and run in minutes, or, using the power of XSLT, the appliance can also create sophisticated security and routing rules. Combining integration with leading policy managers and service registries and support for such standards as WS-Security, WS-SecurityPolicy, WS-ReliableMessaging, and WS-Policy, the appliance is an ideal policy enforcement and execution engine for securing next-generation applications. Managed locally or remotely, the appliance support SNMP, script-based configuration, and remote logging to provide seamless integration with leading management software.
- XML/SOAP firewall
- The appliance filters traffic at wire speed, based on information from protocol stack layers 2 through 7, from field-level message content and SOAP envelopes to IP address, port, and hostname, payload size, or other metadata. Filters can be predefined and automatically uploaded to change security policies based on time of day or other triggers.
- Field-level XML security
- The appliance selectively shares information through encryption/decryption and signing/verification of entire messages or of individual XML fields. These granular and conditional security policies can be based on nearly any variable including content, IP address, hostname, or other user-defined filters.
- XML-based Web services access control
- The appliance supports a variety of access control mechanisms, including XACML, Security Assertion Markup Language (SAML), SSL, LDAP, RADIUS, and simple client URL maps. The appliance can control access rights by rejecting unsigned messages and verifying signatures within SAML assertions.
- Service virtualization
- XML Web services require companies to link partners to resources without leaking information about their location or configuration. With the combined power of URL rewriting, high-performance XSL transforms, and XML/SOAP routing, the appliance can transparently map a rich set of services to protected remote resources with high performance.
- Data validation
- With its unique ability to perform XML schema validation as well as message validation at wire speed, the appliance ensures incoming and outgoing XML documents are legitimate and properly structured. This protects against threats such as XML denial-of-service (XDoS) attacks, buffer overflows, or vulnerabilities created by deliberately or inadvertently malformed XML documents.
- SSL acceleration
- The appliance scales transport layer security by accelerating bidirectional/mutual SSL transactions in hardware. The appliance can be configured with multiple SSL identities functioning as client or server, with SSL policies based on message content or metadata such as port number or HTTP header.