XS40 XML Security Gateway 3.0 Ups the Ante
DataPower's gateway accelerates XML processing and makes it easier to enforce security policies.
June 7, 2004
A particularly useful feature of version 3.0 is its XPath editor. Previously, users had to write XPath queries manually to implement policies involving XML routing. With 3.0, I built a routing table simply by selecting the node in the XPath editor. DataPower generated the correct XPath expressions.
The new task-oriented features of the XS40 are a boon as well. The Web Services Definition Language tool let me import WSDL for the services I wanted to secure, then walked me through the creation of a policy, including authorization of specific operations, decryption and signature verification. The only drawback to the wizard approach is that there's no way to finish in the middle of the process. That can make editing an existing policy tedious.
SOAP Cleanup
I configured the XS40 to secure a set of SOAP operations served by four servers simulated by a Spirent Reflector 2500. A Spirent Avalanche 2500 generated client load.
Using request data sizes of 2 to 10 KB and response sizes of 1 to 14 KB, I configured the XS40 to encrypt the entire response while validating the SOAP envelope on ingress and egress traffic. The XS40 processed 1,103 request/response pairs per second, with a total throughput of 85 Mbps.
Good
• Easy-to-manage user interface due to task-oriented features
• Top-notch performance
• Simple policy configuration thanks to XPath editor
Bad
• Less-than-intuitive navigation
• Confusing drag-and-drop policy builder
DATAPOWER XS40 XML SECURITY GATEWAY 3.0, $65,000. DataPower, (617) 864-0455. www.datapower.com
Next, I configured the device to encrypt only a single element in every response while still performing SOAP schema validation. This time, the XS40 processed only about half the number of message pairs, topping out at 559 per second. Still, that's well above peak performance for most XML security gateways, which average 200 to 500 message pairs per second.
Policy Change
While continuing to perform bidirectional validation, I changed the policy to route requests based on the SOAP operation located within the XML payload. Although XML routing can be done easily via the SOAPAction HTTP header, the true power of XML switching lies in the ability to base routing decisions on the value of elements within the payload, such as the amount of a purchase order. The XS40 responded like a champ, processing 1,559 requests per second with zero failures. It correctly routed each according to the security policy, with throughput of just over 100 Mbps.
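To make payload-based routing concrete, here is an added sketch (not DataPower code and not from the review) of an XPath routing table with envelope validation and a default-deny fallback. The `po` namespace, the element names, the 10,000 threshold and the backend names are all constructed for illustration.

```python
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
NS = {"soap": SOAP_NS, "po": "urn:example:po"}         # "po" namespace is constructed

# Routing table, first match wins: (XPath, test on the node's text, backend).
# Backend names are hypothetical.
ROUTES = [
    ("./soap:Body/po:SubmitOrder/po:Amount",
     lambda text: Decimal(text) >= 10000, "backend-review"),
    ("./soap:Body/po:SubmitOrder", lambda text: True, "backend-orders"),
    ("./soap:Body/po:GetStatus", lambda text: True, "backend-status"),
]

def route(message: bytes) -> str:
    """Return the backend for a SOAP request, or "reject" (default deny)."""
    # SOAP messages must not carry a DTD; refusing one also blocks entity tricks.
    # This byte check assumes UTF-8/ASCII input.
    if b"<!DOCTYPE" in message or b"<!ENTITY" in message:
        return "reject"
    try:
        root = ET.fromstring(message)
    except ET.ParseError:
        return "reject"
    # Minimal envelope validation: correct root, one Body, one operation in it.
    if root.tag != f"{{{SOAP_NS}}}Envelope":
        return "reject"
    bodies = root.findall("soap:Body", NS)
    if len(bodies) != 1 or len(bodies[0]) != 1:
        return "reject"
    for xpath, test, backend in ROUTES:
        node = root.find(xpath, NS)
        if node is None:
            continue
        try:
            if test((node.text or "").strip()):
                return backend
        except InvalidOperation:  # non-numeric or NaN amount
            return "reject"
    return "reject"

def envelope(body_xml: str) -> bytes:
    """Build a constructed sample request around the given Body content."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:po="urn:example:po">'
            f"<soap:Body>{body_xml}</soap:Body></soap:Envelope>").encode()

if __name__ == "__main__":
    for amount in ("250", "25000", "abc"):
        msg = envelope(f"<po:SubmitOrder><po:Amount>{amount}</po:Amount></po:SubmitOrder>")
        print(amount, "->", route(msg))
```

Because the decision reads the Body rather than the SOAPAction header, a client cannot steer a large order to the ordinary backend by sending a misleading header.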
That said, the Web administration console still needs polishing. It's hard to find the WSDL tool for configuring a basic XML firewall, and some configuration elements aren't always intuitive.
In general, however, the XS40 is moving in the right direction. When the next generation of DataPower's XML acceleration hardware becomes available--it's said to be capable of processing XML at gigabit speed--it will be interesting to see how the product's raw processing power and user interface evolve. As it sits now, the XS40 is an XML-security powerhouse.
Lori MacVittie is a Network Computing senior technology editor working in our Green Bay, Wis., labs. Write to her at [email protected].