Reactivity's 2400 Series Gateway and Manager with XOS 4.1
This appliance provides security that is anything but reactive.
January 14, 2005
Among the hardware improvements is integration of the gateway with Tarari's XML acceleration card. Tarari's Random Access XML parser, a PCI card with custom silicon, increases the performance of parsing XML.

I took the appliance out for a spin in our Real-World Labs® in Green Bay, Wis., and found the wealth of new features exciting, but I was also overwhelmed by the cluttered Web GUI.
Go With the Flow
The gateway differentiates between the client and server side of a Web service it's proxying for by using the terms handler and service. It further breaks down the Web service into request and response. This is an excellent model for a pure proxy solution: It lets policies be applied granularly on one of four parts of the flow.
But using the GUI to work with these concepts is confusing. The colors Reactivity uses to differentiate between the handler and the service weren't different enough, and I sometimes found myself working on the wrong side of the connection flow. A visual representation of the pipeline, as is offered with Actional's and DataPower's Web service products, would be better.

Once I was in the right place, I easily configured the multitude of options available to process an XML message. You can add digital signatures, encryption, transformation, authentication and specific logging needs to a message flow. Reactivity has taken great strides to improve the configuration of these options, including obviating your writing XPath for actions performed on single elements in an XML document. You still can write the XPath, but Reactivity provides easy-to-use mechanisms through lists of elements and schemas it has already parsed from the WSDL (Web Services Definition Language).
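The four-part flow described above (handler and service, request and response), sketched as an added example that is not Reactivity's configuration or code from the review: each stage carries its own list of actions, and elements are selected with the limited XPath in Python's standard library. The action names, sample messages and stand-in backend are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
# The four policy points a proxied call crosses, in order.
STAGES = ("handler_request", "service_request",
          "service_response", "handler_response")

class PolicyError(Exception):
    """A stage's policy rejected the message."""

def require(path):
    """Action: reject the message unless `path` selects an element."""
    def action(root):
        if root.find(path) is None:
            raise PolicyError(f"missing element: {path}")
    return action

def redact(path):
    """Action: overwrite the text of every element `path` selects."""
    def action(root):
        for element in root.findall(path):
            element.text = "REDACTED"
    return action

def run_stages(stages, policy, root):
    """Apply each stage's actions in order, then serialize the message."""
    for stage in stages:
        for action in policy.get(stage, []):
            action(root)
    return ET.tostring(root, encoding="unicode")

def proxy(request_xml, backend, policy):
    """Pass a request through all four stages; `backend` stands in for the service."""
    # A real gateway would parse untrusted XML with a hardened parser.
    forwarded = run_stages(STAGES[:2], policy, ET.fromstring(request_xml))
    return run_stages(STAGES[2:], policy, ET.fromstring(backend(forwarded)))

# Constructed sample policy, request and backend response.
POLICY = {
    "handler_request": [require(f"{SOAP}Header/Token")],  # client must present a token
    "service_request": [redact(f"{SOAP}Header/Token")],   # token is not forwarded
    "handler_response": [redact(".//CardNumber")],        # sensitive field is masked
}
REQUEST = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
           '<s:Header><Token>s3cret</Token></s:Header>'
           '<s:Body><GetAccount><Id>42</Id></GetAccount></s:Body></s:Envelope>')

def fake_backend(_request_xml):
    return ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
            '<Account><Id>42</Id><CardNumber>4111111111111111</CardNumber></Account>'
            '</s:Body></s:Envelope>')
```

Because the policy is keyed by stage, moving an action to the wrong side of the flow changes what the backend or the client sees, which is the mistake the review describes making in the GUI.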
Good
• Improved performance
• Supports SOAP with attachments
• Delegated administration with fine-grained control over policies

Bad
• Cluttered interface
• Lacks out-of-band management

Reactivity 2400 Series Gateway and Manager with XOS 4.1, starts at $65,000. Reactivity, (866) 889-3485, (650) 551-7800. www.reactivity.com
Policy configuration and management have also been improved with the notion of subpolicies, making it easy to delegate administrative rights. You can set up an approval system and give some administrators control over others (like those who might otherwise deploy policies willy-nilly).

One worthy improvement made to the deployment process is a feature that lets you compare policies before deploying them. Policies can be deployed to selected gateways or to an entire cluster, all from a central administrative console managed by the Reactivity Manager. The manager is a daemon running on one of the gateways or on a separate server and provides a single point of management for all deployed Reactivity security gateways.
How Fast Is Fast?
Using the Import WSDL feature in the gateway's administrative console, I quickly imported a WSDL served up by our Spirent Communications' Reflector simulated servers and defined a policy to handle each operation. I ran a number of tests across four different operations with request and response sizes ranging from 2 KB to 14 KB. The gateway lets you control whether the Tarari XML accelerator card is active, so I first ran a set of tests without the XML accelerator to see what kind of improvements Reactivity has made on its own.
The results were impressive. The gateway handled 1,450 MPS (messages per second) while acting as a pure proxy. When it was configured to validate both the ingress and egress schemas, the device processed 1,140 MPS.
With the Tarari RAX acceleration card turned on, performance improved only marginally for small messages, but large messages saw a much greater improvement. Using 100-KB SOAP responses, I ran the bidirectional schema-validation test without the Tarari, and the SG processed 157 MPS with an average response time of 4.5 seconds. Turning on the Tarari and running the test again, the gateway handled 420 100-KB MPS with an average response time of 2.2 seconds.
Performance Hit
This class of device still has problems with bulk encryption rates, though. When the device needed to perform encryption and sign messages, processing capabilities decreased to 795 MPS and 590 MPS respectively, with CPU utilization hovering near 90 percent when signing messages using SHA1. The gateway houses the newest nCipher cryptographic hardware security module, but the overhead of performing intense cryptographic functions combined with the inherent limitations of PCI bus speeds continues to degrade performance when digital signatures or bulk encryption is required.
Reactivity has made great strides with its gateway. It's a corporate-class device for securing Web services and XML traffic. The lower-end Gateway 2450 is priced at $65,000. The 2460 adds Tarari XML acceleration and costs $80,000, but it's worth the price difference if you'll be working with exceedingly large XML files.
Lori MacVittie is a Network Computing senior technology editor working in our Green Bay, Wis., labs. Write to her at [email protected].