IBM WebSphere DataPower
XS40 XML Security Gateway
The IBM WebSphere® DataPower XS40 XML Security Gateway comprises all of the functions of the XA35 XML Accelerator but is built from the ground up to be a security-enforcement point for XML and Web services transactions. The security layer within the XS40 allows the wirespeed filtering of XML/SOAP traffic, encryption/decryption, signing/verifying and validation of data.
The IBM WebSphere DataPower XML Security Gateway XS40 consists of a 1U (1.75" thick) rack-mountable network device that is easy to install and maintain, satisfying both application and network groups while supporting current and pending security standards out-of-the-box.
The XS40 can receive all XML/SOAP traffic on a single port over HTTP or HTTPS transports. This traffic can be decrypted if required and have its signatures verified. Internal routing can validate data against the correct XML or SOAP schema before it is routed to the appropriate backend web service. Web Services Security (WS-Security) is also supported, as is the ability to rewrite HTTP/XML/SOAP header information or perform full message transformation.
External authentication/authorisation mechanisms are supported, including LDAP repositories and third-party products such as Tivoli Access Manager. The XS40 is also aware of the main federated assertion standards such as SAML, which can be used to provide single sign-on functionality.
The validation of XML/SOAP data based on schema information can be performed with a schema uploaded to the device or held remotely. This technology also provides protection against XML Denial of Service Attacks (XDoS) and other malicious XML traffic.
Because XS40 policies are entirely XML-based, enterprises have fine-grained control of security without being locked into a proprietary framework. This inherent agility ensures that the XS40 easily adapts to changing standards, policies, and partners for any number of applications.
Features include:
- XML firewall
  The XS40 provides protection against XML vulnerabilities by acting as an XML proxy and performing XML well-formedness checks, buffer overrun checks, XML schema validation, XML filtering, and XDoS protection. The XS40 also includes many essential security functions beyond those of an XML firewall: Web services access control (AAA), XML Encryption and Digital Signature, WS-Security, and content-based routing.
- XML denial of service protection
  The XS40 validates incoming requests and logs malformed and malicious traffic to provide valuable post-attack forensics.
- Field level message security
  The XS40 selectively shares information through encryption/decryption and signing/verification of entire messages or of individual XML fields. These granular and conditional security policies can be based on nearly any variable, including content, IP address, hostname, or other user-defined filters.
- Web services access control
  The XML Security Gateway provides access control functions that enable secure access to Web services based applications for both internal and external clients. Both commercial and standards-based integration is supported, including LDAP, SAML and WS-Security.
- Fine-grained authorization
  Fine-grained authorization allows the XS40 to interrogate every individual SOAP/XML transaction and determine whether it should be allowed through based on payload contents, security policy, and identity information.
- Service virtualization
  With the combined power of URL rewriting, high-performance XSL transforms and XML/SOAP routing, the XS40 can transparently map a rich set of services to protected back-end resources with high performance.
- Centralized policy management
  The XS40's wirespeed performance enables enterprises to centralize security functions in a single drop-in device that can enhance security and help reduce ongoing maintenance costs. Simple firewall functionality can be configured via a GUI and be running in minutes, and using the power of XSLT, the XS40 can also enforce sophisticated security and routing rules. Because the XS40 works with leading Policy Managers such as IBM® Tivoli® Access Manager, it is an ideal policy execution engine for securing next generation applications. Manageable locally or remotely, the XS40 supports SNMP, script-based configuration, and remote logging to integrate seamlessly with leading management software.
- Web services management/service level management
  With support for Web Services Distributed Management (WSDM), Universal Description, Discovery, and Integration (UDDI), Web Services Description Language (WSDL), and Dynamic Discovery, and broad support for Service Level Management configurations, the XS40 natively offers a robust Web services management framework for the efficient management of distributed Web service endpoints and proxies in heterogeneous SOA environments. The XS40 also offers SLM alerts, logging, and pull-and-enforce policies, which help enable broad integration with third-party management systems and unified dashboards, in addition to robust support and enforcement for governance frameworks and policies.
- Inter-enterprise application sharing
  The XS40 can process and validate messages at a central point in real time so that only known-good requests reach valued back-end resources. High-speed message signing and verification prevents falsified requests and securely logs all transactions.
- Secure portal connections
  The XS40 supports legacy systems such as RADIUS and LDAP, along with emerging standards such as Security Assertion Markup Language (SAML) and Extensible Access Control Markup Language (XACML).
- Secure architecture
  Powered by robust patented XML processing technology built from the ground up to be secure, the XS40 can help to enable full XML security with the wirespeed performance necessary for real-world applications. The XS40 is more than just an XML firewall: it is an XML proxy with carrier-grade features that can parse, filter, validate schema, decrypt, verify signatures, access-control, transform, sign and encrypt XML message flows at wirespeed, so that enterprises can implement comprehensive XML security practices without the performance penalties or security weaknesses typical of other solutions. The XS40's flexible, XML-based architecture offers future-proof functionality and the agility to easily adapt to changing standards, policies, and services.
- Web services security is XML processing
  Web services security functions, such as XML schema validation, XML Encryption, XML Signature, WS-Security and others, require extensive XML processing. The security of the underlying XML processing engine is essential to the security of a Web services security solution. Secure XML processing is also very resource-intensive. This often forces organizations to choose between performance and protection, because fully securing XML requires processing power not available in traditional XML engines.
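To make the "XML firewall" and "XML denial of service protection" items above concrete, here is an added, stand-alone illustration (not DataPower code, and not the device's own policy language) of the kind of pre-parse checks such a gateway applies before a message reaches a backend: size, nesting-depth and element-count limits, refusal of DTDs, and well-formedness, with each verdict recorded for later forensics. The limits, the `inspect_xml`/`filter_messages` names and the sample messages are all constructed for this example.

```python
import xml.parsers.expat as expat


class PolicyViolation(Exception):
    """Raised from a parser callback when a message breaks a gateway limit."""


def inspect_xml(data, max_bytes=65536, max_depth=32, max_elements=10000):
    """Return ("accept", "") or ("reject", reason) for one raw XML payload.

    The limits are assumed sample values, not DataPower defaults."""
    if len(data) > max_bytes:
        return ("reject", f"oversize: {len(data)} > {max_bytes} bytes")
    parser = expat.ParserCreate()
    depth = 0
    elements = 0

    def start_element(name, attrs):
        nonlocal depth, elements
        depth += 1
        elements += 1
        if depth > max_depth:
            raise PolicyViolation(f"nesting depth exceeds {max_depth}")
        if elements > max_elements:
            raise PolicyViolation(f"element count exceeds {max_elements}")

    def end_element(name):
        nonlocal depth
        depth -= 1

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # SOAP messages never need a DTD, and entity declarations are the usual
        # vehicle for expansion-based XDoS, so any DOCTYPE is refused outright.
        raise PolicyViolation("DOCTYPE/DTD not permitted")

    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.StartDoctypeDeclHandler = start_doctype
    try:
        parser.Parse(data, True)          # streaming parse; handlers enforce limits
    except PolicyViolation as exc:
        return ("reject", str(exc))
    except expat.ExpatError as exc:       # truncated or otherwise malformed input
        return ("reject", f"not well-formed: {exc}")
    return ("accept", "")


def filter_messages(messages):
    """Apply inspect_xml to (client, payload) pairs; return the audit trail."""
    return [{"client": c, "verdict": v, "reason": r}
            for c, p in messages for v, r in [inspect_xml(p)]]


# Constructed sample traffic, not captured from a real device.
GOOD = b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetQuote><Symbol>IBM</Symbol></GetQuote></s:Body></s:Envelope>'
TRUNCATED = b"<s:Envelope><s:Body><GetQuote>"
DEEP = b"<a>" * 40 + b"</a>" * 40
WITH_DTD = b'<!DOCTYPE x [<!ENTITY e "x">]><x>&e;</x>'
```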
Business Benefit:
- Easy access to applications without creating vulnerabilities or versioning headaches
- Easy to use, comprehensive XML Vulnerability protection without new code or performance compromise
- Full XML security with no application code changes, centralising access control and improving security
- Improved uptime and performance with data validation ensuring only known-good requests arrive at mission-critical app-servers
- Information shared selectively or in compliance with regulations, even in multiparty transactions and semi-trusted environments
- Reduced complexity, improved performance and uptime through efficient resource utilisation as requests are routed based on content, network parameters or other metadata