A 1U appliance, Forum Sentry uses a Broadcom chipset to accelerate the RSA operations necessary for signatures. It also supports SSL communication and XML document encryption and decryption. The device can apply signatures and encryption schemes to an entire document regardless of the XML origin and can sign and encrypt/decrypt specific elements within an XML document.
In addition, Forum Sentry can archive documents as part of the processing policy or based on specific elements (tags) within the XML document. Routing capabilities within Forum Sentry let you direct requests to specific servers based on the XML payload--a capability I've been waiting for in content-aware devices since the introduction and quick disappearance of Intel's XML Director several years ago.
Configuration Options
Forum Sentry can be deployed in an inline or side-arm configuration--either is straightforward for the network administrator. But to configure the processing policies you'll need someone well versed in the transactional life of XML documents from a business view. Additional issues surrounding deployment include the ability of business partners to handle signatures and encrypted documents.
Good News
Compliant with XML Signature Specification.
Supports DTD and XML Schema as well as XSLT.
Performs encryption and decryption of XML elements and documents.
Supports any XML document, including those generated by Web services.
Bad News
No way to get to a CLI other than through LSMS or serial/modem connections.
CRLs are not supported.
Requires considerable XML and business-process knowledge to configure.
A redundant pair of devices sells for $35,000--a competitive price for the routing and document processing functionality Forum Sentry provides compared with the cost of custom solutions based on available development libraries supporting XML-SIG and RSA encryption.
Standing Guard
I tested a beta version of Forum Sentry in our Green Bay, Wis., Real-World Labs®. I inserted the device into the network in a side-arm configuration, using the CLI (command-line interface) to set the initial networking parameters. In a side-arm configuration Forum Sentry acts as a proxy, so you must submit outgoing documents to the device rather than to the remote server.
In an inline configuration, the document is sent directly to the remote server, and the device grabs the document and applies policies as necessary. Either configuration works well, but an inline configuration requires less modification to your network and no changes to your clients.
The product's Web-based administration interface is used to manage the device, import keys and certificates, manage signatures, and create server profiles--the definition of a remote server with which clients will interact. This portion of configuration is intended for use by network and Web administrators.
The Java application used to configure policies on document processing is targeted at XML experts. This separation is problematic only if one person is configuring all aspects of the device. Otherwise, it provides protection from accidental misconfiguration by a non-network administrator.
I created a server profile for a remote Microsoft Windows 2000 machine running Internet Information Server (IIS) and serving up an XML document that echoed back any request received.
I then created a signature policy from an X.509 certificate that I would use to sign outgoing XML documents. I set up an encryption policy by importing a server certificate and giving it a name. This would be used to encrypt outgoing documents. Forum Sentry also can decrypt incoming documents according to encryption policies if you have the public key of the certificate used to encrypt the document.
Signatures and encryption keys can be verified up to the root certificate authority. You'll need to import the CA certificates to provide this level of security, but the process is worth the effort: You can verify the certificate used for signatures or encryption and that certificate's issuer. You can configure the device so that a signature must be verified all the way up its chain of authority or the document will be rejected, or you can choose to accept the signature as valid without a full chain check.
Once the encryption and signature policies were created, I created document-specific policies by starting up the application--a point-and-click tool that lets you verify documents against a known XML DTD or Schema, perform encryption or signing of individual elements or entire documents, and archive specified documents to an Oracle or MySQL database. The device also lets you use XSLT (Extensible Stylesheet Language Transformation) to change the document, providing EAI (Enterprise Application Integration)-like capabilities.
Forum Sentry must learn the structure of each XML document it will process, both to identify documents and create policies during configuration and, later, to apply the proper policies and validate in-transit documents. This is accomplished by importing an example of the document into the Java application; the document is parsed, and specific actions are then defined to be taken on it. The actions--validation, signing, encryption, archival, forwarding and transformation--can be nested, rudimentarily modeling business practices.
Vendor Information
Forum Sentry starts at $35,000. Forum Systems, (801) 313-4400.
www.forumsys.com
The client in my tests was a simple HTML form that used an HTTP post to send an XML document simulating a purchase order to the remote server. I set up a policy to validate the document against the original, imported a sample document, encrypted the value element of the purchase order and then signed the entire document. It is also possible to validate the document against a DTD or Schema, with the caveat that the DTD/Schema must be FTP'd to the device and contain only local references to namespaces and other DTDs/Schemas. I questioned the necessity of this because one of the advantages of DTDs and Schemas is the ability to reference external namespaces. Forum Systems said that external references compromise the security of the device by trusting a potentially unknown source; therefore Forum Sentry does not allow this to occur. Once the policy was saved, I pushed it out to the device and the test was ready to be run.
I copied and pasted the XML purchase order into the form in a Web browser and hit "submit." The document was sent to Forum Sentry, where it was validated, encrypted, signed and then forwarded on to the remote server.
The remote server received the document and echoed the document back to the client. Upon receipt, I examined the document and found that the value element was indeed encrypted and the document had been signed according to the policy.
I made a quick modification to the policy, adding archival of documents with a value element greater than $10,000. I modified the client's XML document to have a value of $20,000 and resubmitted it. A quick check indicated that the document had been archived as expected.
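As an added example (not Forum Systems' code), the following Python models two of the policy decisions described above: rejecting a DTD or Schema whose external identifiers or schemaLocation point at a remote URL, which the device refuses rather than trust an unknown source, and flagging a purchase order for archival when its value element exceeds $10,000. The element names, attribute prefixes and the partner host are assumptions.

```python
# Added example, not Forum Systems' code. Models two policy decisions from the
# review: (1) reject a DTD or Schema whose references would make the validator
# fetch from a remote, untrusted source; (2) flag a purchase order for archival
# when its value element exceeds a threshold.
import re
import xml.etree.ElementTree as ET

# DOCTYPE / entity external identifiers: SYSTEM "uri" or PUBLIC "id" "uri".
_DTD_ID = re.compile(r'\bSYSTEM\s+"([^"]*)"|\bPUBLIC\s+"[^"]*"\s+"([^"]*)"')
# schemaLocation on xs:import / xs:include elements (any or no prefix).
_SCHEMA_LOC = re.compile(
    r'<[\w:]*(?:import|include)\b[^>]*\bschemaLocation\s*=\s*"([^"]*)"')
# A URI the validator would have to fetch over the network.
_REMOTE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def external_references(definition: str) -> list:
    """Return the remote URIs a DTD or Schema text would make a validator fetch.

    A relative path such as "purchaseOrder.dtd" is local and is not reported.
    """
    refs = [sys_uri or pub_uri for sys_uri, pub_uri in _DTD_ID.findall(definition)]
    refs += _SCHEMA_LOC.findall(definition)
    return [r for r in refs if _REMOTE.match(r)]


def should_archive(purchase_order: str, threshold: float = 10_000) -> bool:
    """True when the order's value element exceeds threshold (the $10,000 rule).

    Assumption: <value> is a direct child of the root and holds a number,
    optionally with a leading '$' and thousands separators.
    """
    root = ET.fromstring(purchase_order)
    value = root.find("value")
    if value is None or not (value.text or "").strip():
        raise ValueError("purchase order has no value element")
    return float(value.text.strip().lstrip("$").replace(",", "")) > threshold


# Constructed sample inputs (hypothetical partner host).
LOCAL_DTD = '<!DOCTYPE purchaseOrder SYSTEM "purchaseOrder.dtd">'
REMOTE_DTD = '<!DOCTYPE purchaseOrder SYSTEM "http://partner.example/po.dtd">'
REMOTE_SCHEMA = ('<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">'
                 '<xs:import namespace="urn:addr" '
                 'schemaLocation="http://partner.example/addr.xsd"/></xs:schema>')
PURCHASE_ORDER = ("<purchaseOrder><item>Router</item>"
                  "<value>$20,000</value></purchaseOrder>")

if __name__ == "__main__":
    for text in (LOCAL_DTD, REMOTE_DTD, REMOTE_SCHEMA):
        print(external_references(text) or "accepted: local references only")
    print("archive:", should_archive(PURCHASE_ORDER))
```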
Although Forum Sentry requires some initial time spent on configuration as well as a good understanding of the business processes surrounding XML-based transactions, once configured, it can provide you and your business partners with a higher level of security for both traditional XML-based transactions as well as Web services.
Technology editor Lori MacVittie has been a software developer and a network administrator. Most recently, she was a member of the technical architecture team for a global transportation and logistics organization. Send your comments on this article to her at lmacvittie@nwc.com.