XS40 XML Security Gateway 3.0 Ups the Ante update from June 2004

Web services and XML gateways make Web technologies secure, but at a price. XML parsing requires a lot of memory and CPUs. The harder you try to prescreen incoming XML documents--by enforcing restrictions and checking for malicious content, for example--the more resources you consume. As power gets drained, performance declines.

DataPower helps matters with its updated XS40 XML Security Gateway, which I tested in our NWC Inc. business applications lab in Green Bay, Wis. Besides accelerating XML processing, version 3.0 offers administration-console enhancements that make it less onerous to build and manage XML- and SOAP-related security policies.

The XS40 is a 1U appliance with dual 10/100/1000 interfaces for traffic processing and a single 10/100/1000 interface for out-of-band management. It acts as a proxy between the client and internal SOAP endpoints.

A particularly useful feature of version 3.0 is its XPath editor. Previously, users had to write XPath queries manually to implement policies involving XML routing. With 3.0, I build a routing table simply by selecting the node in the XPath editor. DataPower generated the correct XPath expressions.

The new task-oriented features of the XS40 are a boon as well. The Web Services Definition Language tool let me import WSDL for the services I wanted to secure, then walked me through the creation of a policy, including authorization of specific operations, decryption and signature verification. The only drawback to the wizard approach is that there's no way to finish in the middle of the process. That can make editing an existing policy tedious.SOAP Cleanup

I configured the XS40 to secure a set of SOAP operations served by four servers simulated by a Spirent Reflector 2500. A Spirent Avalanche 2500 generated client load.

Using request data sizes of 2 to 10 KB and response sizes of 1 to 14 KB, I configured the XS40 to encrypt the entire response while validating the SOAP envelope on ingress and egress traffic. The XS40 processed 1,103 request/response pairs per second, with a total throughput of 85 Mbps.

Next, I configured the device to encrypt only a single element in every response while still performing SOAP schema validation. This time, the XS40 processed only about half the number of message pairs, topping out at 559 per second. Still, that's well above peak performance for most XML security gateways, which average 200 to 500 message pairs per second.

Policy Change

While continuing to perform bidirectional validation, I changed the policy to route requests based on the SOAP operation located within the XML payload. Although XML routing can be done easily via the SOAPAction HTTP header, the true power of XML switching lies in the ability to base routing decisions on the value of elements within the payload, such as the amount of a purchase order. The XS40 responded like a champ, processing 1,559 requests per second with zero failures. It correctly routed each according to the security policy, with throughput of just over 100 Mbps.

That said, the Web administration console still needs polishing. It's hard to find the WSDL tool for configuring a basic XML firewall, and some configuration elements aren't always intuitive.In general, however, the XS40 is moving in the right direction. When the next generation of DataPower's XML acceleration hardware becomes available--it's said to be capable of processing XML at gigabit speed--it will be interesting to see how the product's raw processing power and user interface evolve. As it sits now, the XS40 is an XML-security powerhouse.

Lori MacVittie is a Network Computing senior technology editor working in our Green Bay, Wis., labs. Write to her at [email protected].