Layer 7 Technologies' SecureSpan Gateway 3.5

Updates to SecureSpan Gateway include Tarari's RAX-J acceleration hardware and strict adherence to SOA security standards.

June 13, 2006


The five-year-old SOA security market already has casualties--two companies, Oblix and Westbridge, were acquired by service-oriented architecture management vendors. Layer 7 Technologies, however, holds fast to its security-only position. With its superior software and a boost from Tarari's RAX-J (Random Access XML for Java) acceleration hardware, Layer 7's SecureSpan Gateway and SecureSpan Bridge perform as well as custom, silicon-enhanced appliances from IBM's DataPower division and Forum Systems.

Even without Oblix (acquired by Oracle) and Westbridge (Actional), Layer 7 has some company in the SOA security field, but its competitors are expanding their reach. Forum Systems maintains its XWall and Sentry lines, but it is branching out into new arenas. IBM's WebSphere group recently announced its DataPower SOA Appliances. Although the DataPower XS40 keeps security in the forefront, its management integration with ITCAM (IBM Tivoli Composite Application Manager) and TAM (Tivoli Access Manager) looms just as large.

By maintaining its niche, Layer 7 has created a product with a wide array of security options. Its PKI management is second to none, and its adherence to SOA security standards is excellent. The SecureSpan Gateway is a proxy solution deployed in its own Tomcat container that can be installed on a machine running Linux, Microsoft Windows Server 2003 or Sun Solaris. Layer 7 also offers the SecureSpan Gateway software on a 1U appliance--an IBM eSeries 326m. This device, the Xspeed Appliance Edition, includes Tarari's RAX-J, which optimizes XML parsing--typically the most time-consuming portion of XML processing.

Offering the SecureSpan Gateway on the IBM unit has drawbacks, though. Unlike devices from Forum Systems and DataPower, which are initially managed more like conventional network devices using a serial console, the Layer 7 product requires a monitor and USB keyboard for initial setup. Then the system can be managed over its fat Java management console from the desktop.

Name Your OS

SecureSpan has plenty of OS deployment options. The Windows Server version, however, lacks clustering, doesn't support Tarari's RAX-J, and doesn't optimize the TCP stack. Because the gateway's good performance is due in part to its fine-tuning of the TCP stack on Linux and Unix, its Windows platform performance lags. Layer 7 suggests you try out the gateway on Windows, but move to the appliance or its Linux/Unix options in a production environment to achieve the best performance and security.

Unlike DataPower, Layer 7 doesn't use Web services for communication between the device and its admin client. Its management console uses RMI (Remote Method Invocation) rather than a SOAP API, and the newcomer provides no real role-based access control over configuration. That's forthcoming, too.

Our testing showed that what the SecureSpan Gateway lacks in its management console it more than makes up for in SOA security. Unlike competitors, the gateway protects against some of the worst SOA vulnerabilities by default, and this protection cannot be disabled. Services are protected automatically against schema poisoning, XML bombs, coercive parsing and XML routing detours. Its support of WS-Security 1.1 is comprehensive, if a bit demanding. We were somewhat dismayed by the requirement to pair WSS credentials when encrypting elements in the response, but after some thought we understood this rule.

The SecureSpan Gateway's policy management is comprehensive, with our only nit being the granularity of the configuration. Unlike other products that automatically support configuration of policies at the service, operation and global levels, Layer 7 allows policies to be configured at the service level only. To apply policies at the operation level, you must use XPath evaluations to first identify the operation, then designate sections of the policy to apply only to that specific operation. This isn't an optimal solution: while Layer 7 provides a good mechanism for grouping policy actions, the result is still tightly coupled to the service and breaks the rules of a well-designed SOA infrastructure. Operations must be specifically protected, and though Layer 7 can achieve this goal, the vendor's process is not consistent with the SOA vision. Without global policies, it's also difficult to apply default policies to new services--often desirable when applying enterprise-wide schema validation and message-size limits to all services.
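To make the two preceding points concrete (the always-on message hygiene checks, and operation-level policy reached by first identifying the operation inside the SOAP Body), here is a small Python sketch of the kind of pre-filter a gateway applies before a request reaches a service. It is an added example written for this review, not Layer 7's code; the size and depth limits, the POLICIES table and the sample messages are all constructed for illustration, and the operation is located with a plain ElementTree walk rather than the gateway's XPath assertions.

```python
"""Gateway-style pre-filter: reject oversized, DTD-bearing or deeply nested
SOAP messages, then identify the operation and apply a per-operation policy.
Added example; limits, policy table and sample messages are assumed values."""
import re
import xml.etree.ElementTree as ET
from io import BytesIO

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
MAX_BYTES = 64 * 1024   # assumed enterprise-wide message-size limit
MAX_DEPTH = 32          # assumed nesting limit (coercive-parsing defence)

# Illustrative per-operation policy; a real gateway would express the same
# thing as policy sections guarded by XPath tests on the Body child.
POLICIES = {
    "getBalance": {"require_auth": True},
    "ping": {"require_auth": False},
}

# Any DOCTYPE or ENTITY declaration is refused outright: entity expansion is
# how an XML bomb inflates a tiny request into a huge parse tree.
_DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


class PolicyViolation(Exception):
    """Raised when a message fails a mandatory check or a policy rule."""


def check_message(raw: bytes) -> str:
    """Apply the always-on checks and return the SOAP operation name,
    i.e. the local name of the first child element of soapenv:Body."""
    if len(raw) > MAX_BYTES:
        raise PolicyViolation("message exceeds size limit")
    if _DTD_RE.search(raw):
        raise PolicyViolation("DTD/entity declarations not allowed (XML bomb)")
    depth = 0
    in_body = False
    operation = None
    # Streaming parse so depth is enforced before the whole tree is built.
    for event, elem in ET.iterparse(BytesIO(raw), events=("start", "end")):
        if event == "start":
            depth += 1
            if depth > MAX_DEPTH:
                raise PolicyViolation("nesting too deep (coercive parsing)")
            if elem.tag == "{%s}Body" % SOAP_ENV:
                in_body = True
            elif in_body and operation is None:
                operation = elem.tag.rsplit("}", 1)[-1]  # strip namespace
        else:
            depth -= 1
    if operation is None:
        raise PolicyViolation("no operation element in SOAP Body")
    return operation


def enforce(raw: bytes, authenticated: bool) -> str:
    """Run the checks, then the operation-level rule; return the operation."""
    op = check_message(raw)
    policy = POLICIES.get(op)
    if policy is None:
        raise PolicyViolation("operation %s not covered by policy" % op)
    if policy["require_auth"] and not authenticated:
        raise PolicyViolation("operation %s requires authenticated credentials" % op)
    return op


def decision(raw: bytes, authenticated: bool) -> str:
    """Audit-log style verdict: 'ALLOW <op>' or 'DENY <reason>'."""
    try:
        return "ALLOW " + enforce(raw, authenticated)
    except PolicyViolation as exc:
        return "DENY " + str(exc)


# Constructed sample messages (not captured traffic).
SAMPLE_OK = (b'<?xml version="1.0"?>'
             b'<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body>'
             b'<getBalance><account>123</account></getBalance>'
             b'</soapenv:Body></soapenv:Envelope>' % SOAP_ENV.encode())
SAMPLE_PING = (b'<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body>'
               b'<ping/></soapenv:Body></soapenv:Envelope>' % SOAP_ENV.encode())
SAMPLE_DTD = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "e">]>'
              b'<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body>'
              b'<ping/></soapenv:Body></soapenv:Envelope>' % SOAP_ENV.encode())
SAMPLE_DEEP = (b'<soapenv:Envelope xmlns:soapenv="%s"><soapenv:Body>'
               % SOAP_ENV.encode() + b"<a>" * 40 + b"</a>" * 40
               + b'</soapenv:Body></soapenv:Envelope>')

if __name__ == "__main__":
    for name, msg, auth in [("ok", SAMPLE_OK, True), ("ok-noauth", SAMPLE_OK, False),
                            ("ping", SAMPLE_PING, False), ("dtd", SAMPLE_DTD, True),
                            ("deep", SAMPLE_DEEP, True)]:
        print(name, "->", decision(msg, auth))
```

The order of the checks matters: size is tested before anything is parsed, the DTD scan runs on the raw bytes before the parser can expand an entity, and depth is enforced during a streaming parse rather than after a full tree exists. Only once the message has passed those gates does the operation name select a policy, which is the shape of the XPath-guarded policy sections the review describes.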

Who's There?

Layer 7 supports a variety of external identity stores for authentication and authorization out of the box (Active Directory, LDAP, SAML). Custom connectors for third-party products, such as RSA ClearTrust, SiteMinder and TAM, are available at no charge. The next release will include new connectors that support Oracle CoreID and SAP, bringing its list of supported identity stores to par with its competitors.

Figure: SOA Gateway Comparison

Figure: AES 128-Bit Encryption Impact

We were especially pleased with the gateway's PKI support. It can act as a root CA (certificate authority), and issue certificates to users and manage them through its client-side proxy, the SecureSpan Bridge. Layer 7 hides all the complexity of managing a PKI, but provides options--such as the ability to tie a SecureSpan Gateway-issued certificate to a user from an external ID system without needing to store the certificate in the external system--not found in other SOA security products.

Top-Drawer Performance

The SecureSpan Gateway's performance was impressive. The Tarari RAX-J accelerator helped, but that's not the end of the story. Layer 7 attributes the 2,700-plus transactions per second and 40 Mbps of throughput to its fine-tuning of the Linux TCP stack, which it achieves through nothing more than scripts run when the OS boots. Considering the product is a proxy riding inside a Tomcat container, the minimal latency the gateway introduced was at least as good as that of its competitors. Its SSL performance was, understandably, low, achieving only 290 transactions per second. Still, that's more than most organizations are likely to see in the next few years. Layer 7 is shopping around for an SSL acceleration partner, which will only improve the overall performance of its bulk encryption and SSL operations.

The SecureSpan Gateway is priced in the same range as its competitors. Its functionality is comparable, and the product offers such niceties as the bridge and the CA. Layer 7 must enhance this product's policy management and management console, but these are cosmetic and functional adaptations that require no changes to the underlying operational features.

Lori MacVittie is a Network Computing senior technology editor working in our Green Bay, Wis., labs. Write to her at [email protected].
