SecureSpan is Layer 7’s family of XML appliances, which are typically deployed as runtime Policy Enforcement Points (PEPs) to allow organizations to quickly and easily enforce rules about how they want to run their Service Oriented Architecture (SOA). This FAQ addresses many of the common questions users have about the SecureSpan family of XML gateways.
PRODUCT FAQ
Table of Contents
What is SecureSpan?
Is SecureSpan only available as a hardware appliance?
Does SecureSpan support clustering?
Does SecureSpan require specialized tools or skills?
Is SecureSpan extensible?
Can I publish/update policies on a live “in production” SecureSpan device?
Is SecureSpan upgradeable?
Can SecureSpan be deployed in the cloud?
What third-party identity products and authentication protocols does SecureSpan support?
Which standards does SecureSpan support?
SecureSpan FAQ
FREQUENTLY ASKED QUESTIONS
January 4, 2011. This document is being provided for informational purposes only. The information presented is accurate at the time of publication, but is subject to change.
What is SecureSpan?
SecureSpan is Layer 7’s family of XML appliances, which are typically deployed as runtime Policy
Enforcement Points (PEPs) to allow organizations to quickly and easily enforce rules about how they
want to run their Service Oriented Architecture (SOA).
SecureSpan is software upgradable. Customers can move between versions of the SecureSpan appliance by
adding a license key, gaining additional functionality without having to replace their hardware:
• SecureSpan XML Accelerator – hardware-based XML processing, validation and
transformation
• SecureSpan XML Data Screen – XML threat protection and content filtering; includes the
XML Accelerator functionality
• SecureSpan XML Firewall – XML and Web services security; includes both XML
Accelerator and XML Data Screen functionality
• SecureSpan XML Networking Gateway – a turnkey runtime governance solution; includes
XML Accelerator, XML Data Screen and XML Firewall functionality
Is SecureSpan only available as a hardware appliance?
SecureSpan is available in a number of different form factors, supporting multiple deployment
scenarios, budgets and business requirements:
• Hardware – for high-performance environments, the entire SecureSpan family is available as
a 1U 64-bit multiprocessor platform that features dual power supplies, four GE/FE NICs, and
mirrored hot-swappable drives
• Software – for customers that prefer a do-it-yourself approach using their own hardware, the
SecureSpan Firewall and Networking Gateway are available for Sun Solaris 10 (supports both
x86 and Niagara versions), SUSE Linux, and Red Hat Linux 4.0/5.0
• Virtual Appliance – typically deployed in development and QA environments where
performance is not the primary concern, the cost-effective SecureSpan Virtual Appliance
(available in both Firewall and Networking Gateway forms) supports VMware/ESX
deployments and is “VM Ready” certified
• Cloud-based Appliance – the SecureSpan Virtual Appliance can be deployed on any cloud-based
platform that supports VMware/ESX, affording portability between cloud vendors.
Does SecureSpan support clustering?
Yes, SecureSpan appliances support true clustering, allowing organizations to centrally administer
multiple devices in a cluster, as well as multiple clusters.
SecureSpan also supports cluster-wide rate limiting, which allows organizations to meter service usage
in order to take some action when a preset threshold is reached. For example, telcos that meter usage
of cellular SMS services can use SecureSpan to block access to the service when the customer’s
contractual quota is exceeded. Because the clustered devices maintain and update a shared counter,
metering is always accurate. This capability also allows SecureSpan to provide effective protection
against replay attacks.
Does SecureSpan require specialized tools or skills?
SecureSpan includes an intuitive, graphical policy editor and composer, allowing anyone with basic
scripting skills to create as simple or as complex a policy as required. No knowledge of XSLT or other
complex programming languages is required. More than 70 pre-made policy assertions are provided out
of the box to help you get started.
• Compose inheritable policy statements
• Branch policy execution based on logical conditions, message content, externally retrieved
data or transaction specific environment variables
• Create service and operation-level policies using inheritance, simplifying administration
Is SecureSpan extensible?
SecureSpan offers a Custom Policy Assertion SDK, which gives developers the ability to extend the
rich palette of SecureSpan policy assertions in order to customize the Gateway’s functionality to their
specific requirements.
Custom assertions can be created for proprietary message processing, pattern recognition and filtering,
as well as interfacing to third-party products, such as identity management infrastructure, network
monitoring applications, or anti-virus systems – all without requiring an application server to run the
custom code.
Using Java, programmers can create a SecureSpan-compatible .jar file that includes all required code
and/or interfaces to third-party APIs. Uploading the .jar file to SecureSpan will make it available for
use within the policy editor and composer as a policy assertion, which can then be incorporated into
both new and existing policies as required.
Can I publish/update policies on a live “in production” SecureSpan device?
Yes, while it’s not recommended that new policies be created and implemented on a production
version of SecureSpan, it is possible to do so: the next message processed by SecureSpan will be
subject to the new/updated policy.
The recommended practice is to migrate a tested policy from a QA/test environment to the production
SecureSpan device, and then publish it live. In either case, there’s no need to bring down and restart
the system to implement new/updated policies.
Is SecureSpan upgradeable?
SecureSpan provides maintenance releases as packaged software updates, and major releases as
packaged migration upgrades. Both updates and upgrades can be implemented without requiring
professional services; can be implemented remotely on soft appliances; and can be rolled back, if
necessary.
Customers that purchase software or VMware versions of the SecureSpan appliance and remain
current on their Support and Maintenance are entitled to soft appliance upgrades at no charge.
For those customers that remain current on their Support and Maintenance, Layer 7 will refresh their
hardware platform when it becomes EOL for a nominal fee. Customers are entitled to retain their old
appliance hardware – there is no need to return it to Layer 7.
Can SecureSpan be deployed in the cloud?
The SecureSpan Virtual Appliance can be deployed as a virtual Policy Enforcement Point (vPEP) on
any public or private cloud-based platform that supports VMware/ESX (e.g., Google, AT&T, British
Telecom, Verizon, Sun). When deployed in conjunction with an enterprise-based Gateway, the soft
appliance allows organizations to isolate, monitor and control their cloud-based application services by
providing the ability to:
• Secure integration channels at the Web services application layer between enterprise and
cloud-based applications
• Leverage existing, secure internal identity and access infrastructure for local authentication
and authorization
• Monitor availability and performance of cloud-based applications that integrate back into the
enterprise via Web services
• Log, track and audit all Web services-based interactions between enterprise and cloud-based
applications
• Ensure data-level validation for information exchanged between the enterprise and cloud-
based applications
What third-party identity products and authentication protocols does SecureSpan support?
SecureSpan supports integration with leading identity, access, SSO and federation systems, including:
• Microsoft Active Directory/Federated Services
• Oracle Access Manager
• Novell Access Manager
• IBM Tivoli TFIM
• IBM Tivoli TAM (custom assertion provided)
• CA SiteMinder (custom assertion provided)
• Sun Java System Access Manager (custom assertion provided)
Supported authentication protocols include:
• SAML tokens
• Security Context Tokens
• Kerberos
• Digital signatures
• X.509 certificates
• LDAP
• XACML
• HTTP Basic
• SSL Client Authentication
Which standards does SecureSpan support?
SecureSpan supports most common Web services/Web 2.0 and PKI standards, as well as a number of
transport and security protocols, including:
• XML 1.0
• SOAP 1.2
• REST
• AJAX
• FIPS 140-2 Level 3
• Kerberos
• W3C XML Signature 1.0
• MQ Series
• SNMP
• IMAP4
• W3C XML Encryption 1.0
• Tibco EMS
• SMTP
• HTTP/HTTPS
• X.509 v3 Certificates
• FTP
• POP3
• JMS 1.0
• SSL/TLS 1.1 / 3.0
• WS-Security 1.1
• WS-Trust 1.0
• WS-Federation
• WS-Addressing
• WS-SecureConversation
• WS-Policy
• WS-SecurityPolicy
• WS-MetadataExchange
• WS-PolicyAttachment
• WS-I
• WSIL
• WS-SecureExchange
• WS-I BSP
• WSDL 1.1 3.0
• XACML 2.0
• SAML 1.1/2.0
• XML Schema
• XPath 1.0
• XSLT 1.0
• UDDI
• LDAP 3.0
• PKCS #10