Advanced Identity-Based Security for SOA
Traditionally, security and entitlement for SOA-based integration have been coded into each and every application exposed as a programmatically accessible service in the organization. When those requirements (or the standards on which they’re based) change, every service needs to be updated and re-tested manually. To simplify governance of security in SOA-based integrations, Layer 7 offers the SecureSpan XML Firewall.
Providing intermediate functional capabilities between the API Proxy and SOA Gateway, the SecureSpan XML Firewall is designed to address access, federation and message security needs in SOA-based integrations that leverage SOAP, REST and JSON style application interfaces. Unlike the API Proxy, which is limited to REST, JSON and OAuth style API security, the XML Firewall also supports SAML, XACML and the implementation of a broader array of WS* and WS-I based standards associated with SOAP style messaging.
The SecureSpan XML Firewall can be deployed as a security endpoint to an ESB or as a DMZ-class edge device gating access to an internal ESB or application interfaces. The SecureSpan XML Firewall in the DMZ can be deployed as a hardened appliance, virtual appliance or as software. All form factors support FIPS standards, are PCI DSS compliant and are STIG vulnerability tested to meet rigorous US Defense industry standards.
The SecureSpan XML Firewall supports a comprehensive set of SOA security governance use cases spanning identity, access, threat protection, privacy, communication integrity and information assurance. Example capabilities of the SecureSpan XML Firewall include:
- SSL termination and acceleration
- Service authentication with a wide range of credentials, tokens and cookies
- Operation level authorization
- Credential validation, translation, generation or chaining
- SAML and OAuth style federation
- Identity integration with CA, Microsoft, Novell, Oracle, RSA, Sun, Ping, IBM
- Data validation and API attack protection
- XML data normalization and transformation
- API versioning and transformation across SOAP, REST and JSON
- Content or availability based routing
- Message and field level encryption, redaction, filtering and signing
- Throttling of access to a service endpoint based on attribute-based policy
- Identity and message caching
- Transaction logging and audit
- Payload virus scanning using leading virus scan engines
- PKI certificate management
- Hardware key store, either onboard or offboard
The SecureSpan XML Firewall includes all the features of the SecureSpan Accelerator and API Proxy, any of which can be upgraded to the Firewall through a license key. The SecureSpan XML Firewall is optimized for HTTP and HTTPS transports. Customers needing a broader range of transports, such as MQ Series or Tibco EMS, or who need to support a greater number of data and application adapters beyond XML should consider the SecureSpan SOA Gateway, which is an upgrade from the SecureSpan XML Firewall. Like the other SecureSpan XML Gateways, the SecureSpan XML Firewall integrates with leading service registry products including Software AG CentraSite, HP Systinet, IBM WSRR, Tibco ActiveMatrix Registry and Oracle Service Registry. The SecureSpan XML Firewall can also be deployed with internal or external HSM hardware key stores for added security.