Layer 7 SecureSpan XML Gateway FAQ

SecureSpan is Layer 7’s family of XML appliances, which are typically deployed as runtime Policy Enforcement Points (PEPs) to allow organizations to quickly and easily enforce rules about how they want to run their Service Oriented Architecture (SOA). This FAQ addresses many of the common questions users have about the SecureSpan family of XML gateways.

Product FAQ

Table of Contents

What is SecureSpan?

Is SecureSpan only available as a hardware appliance?

Does SecureSpan support clustering?

Does SecureSpan require specialized tools or skills?

Is SecureSpan extensible?

Can I publish/update policies on a live “in production” SecureSpan device?

Is SecureSpan upgradeable?

Can SecureSpan be deployed in the cloud?

What third-party identity products and authentication protocols does SecureSpan support?

Which standards does SecureSpan support?

Frequently Asked Questions

January 4, 2011. This document is being provided for informational purposes only. The information presented is accurate at the time of publication, but is subject to change.

What is SecureSpan?

SecureSpan is Layer 7’s family of XML appliances, which are typically deployed as runtime Policy Enforcement Points (PEPs) to allow organizations to quickly and easily enforce rules about how they want to run their Service Oriented Architecture (SOA).

The appliances are software upgradable. Customers can upgrade between versions of the SecureSpan appliance with the addition of a license key, gaining additional functionality without having to replace their hardware:

• SecureSpan XML Accelerator – hardware-based XML processing, validation and transformation

• SecureSpan XML Data Screen – XML threat protection and content filtering; includes the XML Accelerator functionality

• SecureSpan XML Firewall – XML and Web services security; includes both XML Accelerator and XML Data Screen functionality

• SecureSpan XML Networking Gateway – a turnkey runtime governance solution; includes XML Accelerator, XML Data Screen and XML Firewall functionality

Is SecureSpan only available as a hardware appliance?

SecureSpan is available in a number of different form factors, supporting multiple deployment scenarios, budgets and business requirements:

• Hardware – for high-performance environments, the entire SecureSpan family is available as a 1U 64-bit multiprocessor platform that features dual power supplies, four GE/FE NICs, and mirrored hot-swappable drives

• Software – for customers that prefer a do-it-yourself approach using their own hardware, the SecureSpan Firewall and Networking Gateway are available for Sun Solaris 10 (supports both x86 and Niagara versions), SUSE Linux, and Red Hat Linux 4.0/5.0

• Virtual Appliance – typically deployed in development and QA environments where performance is not the primary concern, the cost-effective SecureSpan Virtual Appliance (available in both Firewall and Networking Gateway forms) supports VMware/ESX deployments and is “VM Ready” certified

• Cloud-based Appliance – the SecureSpan Virtual Appliance can be deployed on any cloud-based platform that supports VMware/ESX, affording portability between cloud vendors.

Does SecureSpan support clustering?

Yes, SecureSpan appliances support true clustering, allowing organizations to centrally administer multiple devices in a cluster, as well as multiple clusters.

SecureSpan also supports cluster-wide rate limiting, which allows organizations to meter service usage in order to take some action when a preset threshold is reached. For example, telcos that meter usage of cellular SMS services can use SecureSpan to block access to the service when the customer’s contractual quota is exceeded. Because the clustered devices maintain and update a shared counter, metering is always accurate. This capability also allows SecureSpan to provide effective protection against replay attacks.

Does SecureSpan require specialized tools or skills?

SecureSpan includes an intuitive, graphical policy editor and composer, allowing anyone with basic scripting skills to create as simple or as complex a policy as required. No knowledge of XSLT or other complex programming language is required. More than 70 pre-made policy assertions are provided out of the box to help you get started.

• Compose inheritable policy statements

• Branch policy execution based on logical conditions, message content, externally retrieved data or transaction specific environment variables

• Create service and operation-level policies using inheritance, simplifying administration

Is SecureSpan extensible?

SecureSpan offers a Custom Policy Assertion SDK, which gives developers the ability to extend the rich palette of SecureSpan policy assertions in order to customize the Gateway’s functionality to their specific requirements.

Custom assertions can be created for proprietary message processing, pattern recognition and filtering, as well as interfacing to third-party products, such as identity management infrastructure, network monitoring applications, or anti-virus systems – all without requiring an application server to run the custom code.

Using Java, programmers can create a SecureSpan-compatible .jar file that includes all required code and/or interfaces to third-party APIs. Uploading the .jar file to SecureSpan will make it available for use within the policy editor and composer as a policy assertion, which can then be incorporated into both new and existing policies as required.

Can I publish/update policies on a live “in production” SecureSpan device?

Yes, while it’s not recommended that new policies be created and implemented on a production version of SecureSpan, it is possible to do so: the next message processed by SecureSpan will be subject to the new/updated policy.

The recommended practice is to migrate a tested policy from a QA/test environment to the production SecureSpan device, and then publish it live. In either case, there’s no need to bring down and restart the system to implement new/updated policies.

Is SecureSpan upgradeable?

SecureSpan provides maintenance releases as packaged software updates, and major releases as packaged migration upgrades. Both updates and upgrades can be implemented without requiring professional services; can be implemented remotely on soft appliances; and can be rolled back, if necessary.

Customers that purchase software or VMware versions of the SecureSpan appliance and remain current on their Support and Maintenance are entitled to soft appliance upgrades at no charge.

For those customers that remain current on their Support and Maintenance, Layer 7 will refresh their hardware platform when it becomes EOL for a nominal fee. Customers are entitled to retain their old appliance hardware – there is no need to return it to Layer 7.

Can SecureSpan be deployed in the cloud?

The SecureSpan Virtual Appliance can be deployed as a virtual Policy Enforcement Point (vPEP) on any public or private cloud-based platform that supports VMware/ESX (e.g., Google, AT&T, British Telecom, Verizon, Sun, etc.). When deployed in conjunction with an enterprise-based Gateway, the soft appliance allows organizations to isolate, monitor and control their cloud-based application services by providing the ability to:

• Secure integration channels at the Web services application layer between enterprise and cloud-based applications

• Leverage existing, secure internal identity and access infrastructure for local authentication and authorization

• Monitor availability and performance of cloud-based applications that integrate back into the enterprise via Web services

• Log, track and audit all Web services-based interactions between enterprise and cloud-based applications

• Ensure data-level validation for information exchanged between the enterprise and cloud-based applications

What third-party identity products and authentication protocols does SecureSpan support?

SecureSpan supports integration with leading identity, access, SSO and federation systems, including:

• Microsoft Active Directory/Federated Services

• Oracle Access Manager

• Novell Access Manager

• IBM Tivoli TFIM

• IBM Tivoli TAM (custom assertion provided)

• CA SiteMinder (custom assertion provided)

• Sun Java System Access Manager (custom assertion provided)

Supported authentication protocols include:

• SAML tokens

• Security Context Tokens

• Kerberos

• digital signatures

• X.509 certificates

• LDAP

• XACML

• HTTP Basic

• SSL Client Authentication

Which standards does SecureSpan support?

SecureSpan supports most common Web services/Web 2.0 and PKI standards, as well as a number of transport and security protocols, including:

XML 1.0 | SOAP 1.2 | REST | AJAX
FIPS 140-2 Level 3 | Kerberos | W3C XML Signature 1.0 | MQ Series
SNMP | IMAP4 | W3C XML Encryption 1.0 | Tibco EMS
SMTP | HTTP/HTTPS | X.509 v3 Certificates | FTP
POP3 | JMS 1.0 | SSL/TLS 1.1 / 3.0 | WS-Security 1.1
WS-Trust 1.0 | WS-Federation | WS-Addressing | WSSecureConversation
WS-Policy | WS-SecurityPolicy | WS-MetadataExchange | WS-PolicyAttachment
WS-I | WSIL | WS-SecureExchange | WS-I BSP
WSDL 1.1 3.0 | XACML 2.0 | SAML 1.1/2.0 | XML Schema
XPath 1.0 | XSLT 1.0 | UDDI | LDAP 3.0
PKCS #10