The Role of XML Gateways in SOA

W h i t e P a p e r

The Role of XML Gateways in SOAOptimizing Performance, Security and Policy Operations

L a y e r 7 T e c h n o l o g i e s

W h i t e P a p e r

The Role of XML Gateways in SOA Optimizing Performance, Security and Policy Operations

L a y e r 7 T e c h n o l o g i e s

W h i t e P a p e r

The Role of XML Gateways in SOA

Copyright © 2011 Layer 7 Technologies Inc. All rights reserved.

trademarks of Layer 7 Technologies Inc.

Contents

SOA and the XML Gateway ................................

Centralized Enforcement of Message Level Security

Policy Governance ................................

SLA Enforcement ................................

Protocol Switching and Reliable Messaging

Data Translation ................................

Service Virtualization ................................

Acceleration of XML Processing ................................

Deployment Patterns for XML Gateways

DMZ: Hardened Appliances ................................

Data Center: High Performance, Easily Manageable Blades

Application Server: Software-based Solution

Conclusions ................................................................

About Layer 7 Technologies ................................

Contact Layer 7 Technologies ................................

Legal Information ................................

ogies Inc. All rights reserved. SecureSpan and the Layer 7 Technologies design mark are

Technologies Inc. All other trademarks and copyrights are the property of their respective

................................................................................................

Centralized Enforcement of Message Level Security ................................................................

................................................................................................................................

................................................................................................................................

Protocol Switching and Reliable Messaging ................................................................................................

................................................................................................................................

................................................................................................................................

................................................................................................

Patterns for XML Gateways ................................................................................................

................................................................................................

Data Center: High Performance, Easily Manageable Blades ................................................................

based Solution ................................................................

................................................................................................

................................................................................................

................................................................................................

................................................................................................................................

SecureSpan and the Layer 7 Technologies design mark are

All other trademarks and copyrights are the property of their respective owners. 2

........................................................... 3

................................................ 3

.................................... 3

....................................... 4

................................. 4

........................................ 4

................................ 4

................................................ 5

..................................... 5

...................................................... 5

.................................... 6

........................................................... 6

................................................... 6

.......................................................... 7

....................................................... 7

.......................................... 7




SOA and the XML GatewayAn XML gateway is a new class of networking device that manages message level security, Ser

Agreements (SLAs) and performance in a Service

networking device, which operates on message streams based on network

as TCP or UDP ports, or simple byte patterns in message content), an XML gateway (also referred to as a Web

services gateway) specializes in the application

itself. With the ability to rapidly inspect an

transformation, routing and SLA operations at wirespeed.

An XML gateway can therefore act as an application

policy operations from service endpoints. These operations include content routing, protocol switching, data

transformation, identity authentication and

offloading these policy operations to a purpose

ment security, optimize performance and enable advanced policy operations like SLAs without programming. In a

loosely-coupled, distributed SOA this is critical, since progr

service endpoint introduces security, performance, scalability and flexibility issues.


An XML/Web services gateway provides a means for consistent enforcement of policy in a distributed SOA at a

granular XML or Simple Object Access Protocol (SOAP) (XML m

to Web services standards) message level. For example, gateways can inspect XML

message streams for anomalies or known attacks using specialized silicon. It can

accelerate XML cryptographic operations, manage access requests, encrypt and

decrypt, validate message schemas and signatures. The gateway can affect

credential transforms, act as a Public Key Infrastructure (PKI) Cer

(CA) or Registration Authority (RA),

more—

compliance with Web Services (WS

interoperability by automatically ap

XML messages.

specialized gateway hardware, architects can expand their security control and flexibility while freeing processor

cycles on service endpoints to execute business logic.

When XML gateways are deployed as SOA se

message-level firewalls typically provide XML threat protection at an infrastructure, applic

level, as well as extensive identity-based functions

granular access control, and full support for WS

Policy Governance

By combining policy enforcement with polic

across an SOA. Governance is a combination of consis

At runtime, this may mean that every service endpoint responds the same way to a denial

may mean that precise SLAs can be defined and enforced across a set of services with an automatic re

the event of a violation.

While not all XML gateways can enforce and manage general XML messaging policies, gate

designed specifically to handle general SOA pol

identity. In this way, a comprehensive SOA policy gover

the application network.

By centralizing policy

operations, XML

gateways eliminate the

need to code policy into

each and every Web

services application in

an organization



SOA and the XML Gateway of networking device that manages message level security, Service Level

Agreements (SLAs) and performance in a Service-Oriented Architecture (SOA). In contrast to a conventional

networking device, which operates on message streams based on network-level inspection of byte streams (such


services gateway) specializes in the application-level protocols rendered within the XML or Web services message

self. With the ability to rapidly inspect and process XML messages, XML gateways can perform security,

transformation, routing and SLA operations at wirespeed.

An XML gateway can therefore act as an application-oriented networking device for offloading tr


mation, identity authentication and authorization, privacy enforcement and schema validation. By

ations to a purpose-built “application networking” device, SOA architects can imple


coupled, distributed SOA this is critical, since programming and processing message level policy on every

service endpoint introduces security, performance, scalability and flexibility issues.



granular XML or Simple Object Access Protocol (SOAP) (XML message conforming





credential transforms, act as a Public Key Infrastructure (PKI) Cer

(CA) or Registration Authority (RA), and capture message-level audit logs

— all at wirespeed. It can also assure standards conformance by enforcing

compliance with Web Services (WS-*) standards, or ensuring improved

interoperability by automatically applying WS-* standards to non

XML messages. Through the offloading of granular XML security operations to


cycles on service endpoints to execute business logic.

When XML gateways are deployed as SOA security devices, they are often described as “XML firewalls

typically provide XML threat protection at an infrastructure, application and transaction

based functions (including credential chaining, single sign-on and federation),

full support for WS-* standards among other functions.

By combining policy enforcement with policy management, an XML gateway can enable runtime policy governance

oss an SOA. Governance is a combination of consistent policy definition, execution and conformance validation.

this may mean that every service endpoint responds the same way to a denial-of-service attack, or it

be defined and enforced across a set of services with an automatic re

While not all XML gateways can enforce and manage general XML messaging policies, gateways have been

designed specifically to handle general SOA policy definitions, including security, SLAs, routing, transforms and

identity. In this way, a comprehensive SOA policy governance framework can be implemented at runtime inside



vice Level

Oriented Architecture (SOA). In contrast to a conventional

inspection of byte streams (such


level protocols rendered within the XML or Web services message

gateways can perform security,

oriented networking device for offloading traditional XML


authorization, privacy enforcement and schema validation. By

built “application networking” device, SOA architects can imple-


amming and processing message level policy on every


essage conforming





credential transforms, act as a Public Key Infrastructure (PKI) Certificate Authority

level audit logs— and

dards conformance by enforcing

*) standards, or ensuring improved

* standards to non-standards-based

granular XML security operations to


XML firewalls.” These

ation and transaction

on and federation),

gateway can enable runtime policy governance

tent policy definition, execution and conformance validation.

service attack, or it

be defined and enforced across a set of services with an automatic response in

ways have been

curity, SLAs, routing, transforms and

nance framework can be implemented at runtime inside




SLA Enforcement

SLAs address situations when, due to contractual or other reasons, compliance

level benchmarks needs to be verified. Although v

increasing frequency in general eBusiness, outsourcing and B2B deployments. Metrics, such as process

messages per hour, rejected transac

exampl

by an intermediary like an XML firewall or gateway. These measurements are then

typically compared by an en

with the result dr

and reporting results, identifying and forwarding SLA violations, or changing service

behavior based on current SLA conformance.

XML gateways can perform a critical role in enforcing SOA SLA

are designed to inspect and pr

violations at an XML message level in real

processing, initiate a new policy process or generate an alarm event. Best

detailed information about any message flowing through it to produce metrics based on virtually any content

including identity, XML payload and/or policy violation.

Protocol Switching and Reliable MessagingIncreasingly, XML and SOAP messages are transported over protocols other than HTTP. Between companies this

may mean legacy transports like EDI and FTP. Inside companies this often means reliable messaging protocols like

JMS, MQSeries and Rendezvous. Mediating XML mess

a function that can be handled by many XML gateways using specialized software that allows them to switch mes

sages between transport and middleware protocols. In the future

context (Layer 7 is a co-author to the Organization for the Advancement of Structured Information Standards Web

Services Reliable Exchange or “OASIS” WS

Data Translation

One of the most critical functions of an XML gateway in a SOA environment is the transformation and

normalization of data formats. This plays two vital roles: it simplifies interoperation between applications using

distinct XML data formats; and secondly it allows for

platform authentication and authorization possible. In some XML gateways, this function is accelerated by virtue of

specialized silicon and XML processing software.

Service Virtualization

Service virtualization is another benefit realized by managing acce

an XML g

services presented to requesters based on their identity and capabilities without

custom coding or service duplication. For example, using the policy au

capabilities of the gate

views based on the identity and associated role of the requesting client application.

These identity

standards support, or SLA f

delivery and assuring service reuse.

Using the service virtualization feature of

new virtual services based on multiple existing services or discrete operations o

single service. Similarly non

or TIBCO Rendezvous message queue can be rendered as spec

external departments and partners without the need for

XML gateways perform

a critical role in

enforcing SOA security,

SLAs, routing, access

control, and

data/protocol

transformation

By virtualizing

services at runtime,

organizations can

create new virtual

services based on

multiple existing

services, or discrete

operations of a single

service



SLAs address situations when, due to contractual or other reasons, compliance with one or more defined service

level benchmarks needs to be verified. Although very common in telecom environments, SLAs are being used with

increasing frequency in general eBusiness, outsourcing and B2B deployments. Metrics, such as process

messages per hour, rejected transaction counts and queries per day

examples of defined service levels which may be measured either at endpoints, or


typically compared by an enforcement process or application to the desired

the result driving some form of action. Typical actions can include


behavior based on current SLA conformance.

XML gateways can perform a critical role in enforcing SOA SLA policies. Gateways

signed to inspect and process XML messages at wirespeed;

violations at an XML message level in real-time, and act to deny normal message

processing, initiate a new policy process or generate an alarm event. Best of breed gateways can also capture

detailed information about any message flowing through it to produce metrics based on virtually any content

including identity, XML payload and/or policy violation.

Protocol Switching and Reliable Messaging , XML and SOAP messages are transported over protocols other than HTTP. Between companies this


JMS, MQSeries and Rendezvous. Mediating XML messages between these transports and middleware protocols is

a function that can be handled by many XML gateways using specialized software that allows them to switch mes

sages between transport and middleware protocols. In the future, it will also be possible to preserve reliability

author to the Organization for the Advancement of Structured Information Standards Web

WS-RX standard that will help make this possible).

ost critical functions of an XML gateway in a SOA environment is the transformation and


distinct XML data formats; and secondly it allows for credentials to be transformed and remapped to make cross


ized silicon and XML processing software.

Service virtualization is another benefit realized by managing acce

gateway. Technical architects can fine-tune and personalize the view of


custom coding or service duplication. For example, using the policy au

capabilities of the gateway, a policy can be defined to generate separate service


These identity-tailored service views can proscribe different security expectations,

standards support, or SLA for each requester, simplifying the process of service

delivery and assuring service reuse.

Using the service virtualization feature of an XML gateway, architects can compose

new virtual services based on multiple existing services or discrete operations o

single service. Similarly non-spec-compliant services coming over an IBM MQSeries

or TIBCO Rendezvous message queue can be rendered as spec-compliant, WSDL-based services for sharing with

partments and partners without the need for recoding.



one or more defined service

ery common in telecom environments, SLAs are being used with

increasing frequency in general eBusiness, outsourcing and B2B deployments. Metrics, such as processing time,

tion counts and queries per day are common

es of defined service levels which may be measured either at endpoints, or


forcement process or application to the desired level,

can include gathering


policies. Gateways

ocess XML messages at wirespeed; detect SLA policy

and act to deny normal message

breed gateways can also capture

detailed information about any message flowing through it to produce metrics based on virtually any content,

, XML and SOAP messages are transported over protocols other than HTTP. Between companies this


ages between these transports and middleware protocols is

a function that can be handled by many XML gateways using specialized software that allows them to switch mes-

e to preserve reliability

author to the Organization for the Advancement of Structured Information Standards Web

ost critical functions of an XML gateway in a SOA environment is the transformation and


credentials to be transformed and remapped to make cross-


Service virtualization is another benefit realized by managing access to services using

tune and personalize the view of


custom coding or service duplication. For example, using the policy authoring

way, a policy can be defined to generate separate service


tailored service views can proscribe different security expectations,

or each requester, simplifying the process of service

XML gateway, architects can compose

new virtual services based on multiple existing services or discrete operations of a

compliant services coming over an IBM MQSeries

based services for sharing with




The ability to virtualize services at runtime also simplifies service lifecycle management. In prac

definitions evolve based on changing business demands, usage policies or stan

client applications from service changes by ensuring that multiple views of the same underlying service can be

maintained simultaneously. This ensures that client access isn’t broken

guarantees services can be staged before deployment

Acceleration of XML Processing

XML processing is extremely resource intensive. The parsing, querying and transformation of messages is

computationally expensive, and can greatly drive up application server costs. Some XML gateways can accelerate

performance through specialized parsing software and silicon. For example, the Layer 7 SecureSpan™ Gateway

accelerates complex XML operations like XPATH, XSLT and schema v

streaming technology) or hardware (via specialized

linearly with the addition of each gateway to a SecureSpan cluster. This combination of performance technologies

allows SecureSpan to handle policy operations on

dependent on DOM-based parsing.

Deployment Patterns for XML GatewaysUnlike conventional firewalls or gateways, which typically define the edge of a corporate network, XML gateways

can be located anywhere within a network where

network architectures can vary so significantly in different organizations, flexibility in deployment is an important

characteristic to consider in evaluating any gateway.

Best-of-breed XML gateways are available in three different physical form factors to support

scenarios, including hardened appliances for the DMZ and network edge, blade

datacenter, and as software that can integrate

DMZ: Hardened Appliances

A common deployment pattern for XML gateways is at the edge of the network, in a DMZ

firewall and router infrastructure. In this role, the XML gateway serves as the entry point for all XML/Web services

traffic into an organization, providing both pro

security policy before routing messages into mission

Hardware

they cluster easily to provide unparalleled scalability and fault tolerance. They are

also self-cont

into the organization.

DMZ deployments often require secure connections between the gateway and the

internal network. This is known as the “last mile”, a term borrowed from telephone

distribution, where it describes the path from the switching station into the

residence. There are a number of approaches to securing the last mile in Web

services. An encrypted tunnel, using Secure Sockets Layer (SSL) or Virtual Pri

solution because of its ease of setup. Alternatively, the gateway can validate, but not decrypt cryptographi

secured message elements. It then relays the still

ultimately decrypted. This solution is only practical if that server has the capability of pro

message-based encryption from the OASIS WS Security specification. Technologies like the OASIS Security

Assertion Markup Language (SAML) or IBM’s Lightweigh

to transfer any authentication context established by a gateway to a downstream application server. Best

gateways can also support a code-free model that requires no se

but rather relies on the deployment of last

Best-of-breed

gateways should be

available in a number

of form factors to

meet performance,

manageability and

budgetary needs



The ability to virtualize services at runtime also simplifies service lifecycle management. In prac

definitions evolve based on changing business demands, usage policies or standards. XML gateways can insulate

from service changes by ensuring that multiple views of the same underlying service can be

maintained simultaneously. This ensures that client access isn’t broken when service definitions change

vices can be staged before deployment.

Acceleration of XML Processing



nce through specialized parsing software and silicon. For example, the Layer 7 SecureSpan™ Gateway

perations like XPATH, XSLT and schema validation in software (using

via specialized semiconductor technology). The performance benefits scale


allows SecureSpan to handle policy operations on the kind of large messages that would tax application servers

Deployment Patterns for XML Gateways Unlike conventional firewalls or gateways, which typically define the edge of a corporate network, XML gateways

can be located anywhere within a network where there are XML applications to protect and accelerate. Because


characteristic to consider in evaluating any gateway.

eways are available in three different physical form factors to support different deployment

hardened appliances for the DMZ and network edge, blade-based deployment for the

that can integrate with application servers.

A common deployment pattern for XML gateways is at the edge of the network, in a DMZ defined by conventional


traffic into an organization, providing both protection against threats and high-performance enforcement of

ty policy before routing messages into mission-critical internal servers.

Hardware-based, rack-mount appliances are an ideal solution in this deployment as

hey cluster easily to provide unparalleled scalability and fault tolerance. They are

contained in a hardened package that provides the most secure entry point

into the organization.



stribution, where it describes the path from the switching station into the


services. An encrypted tunnel, using Secure Sockets Layer (SSL) or Virtual Private Network (VPN), is a

solution because of its ease of setup. Alternatively, the gateway can validate, but not decrypt cryptographi

secured message elements. It then relays the still-secure message to the destination application server where it is

pted. This solution is only practical if that server has the capability of processing the complex,

based encryption from the OASIS WS Security specification. Technologies like the OASIS Security

Assertion Markup Language (SAML) or IBM’s Lightweight Third-Party Authentication (LTPA) also provide a means

to transfer any authentication context established by a gateway to a downstream application server. Best

free model that requires no security programming at all on service endpoints,

but rather relies on the deployment of last-mile agents for consuming and enforcing security at the endpoint.



The ability to virtualize services at runtime also simplifies service lifecycle management. In practice, service

ards. XML gateways can insulate

from service changes by ensuring that multiple views of the same underlying service can be

when service definitions change. It also



nce through specialized parsing software and silicon. For example, the Layer 7 SecureSpan™ Gateway

in software (using FastPath™ XML

. The performance benefits scale


tax application servers

Unlike conventional firewalls or gateways, which typically define the edge of a corporate network, XML gateways

there are XML applications to protect and accelerate. Because


different deployment

based deployment for the

defined by conventional


performance enforcement of

critical internal servers.

eal solution in this deployment as

hey cluster easily to provide unparalleled scalability and fault tolerance. They are

ained in a hardened package that provides the most secure entry point



stribution, where it describes the path from the switching station into the


vate Network (VPN), is a popular

solution because of its ease of setup. Alternatively, the gateway can validate, but not decrypt cryptographically-

secure message to the destination application server where it is

cessing the complex,

based encryption from the OASIS WS Security specification. Technologies like the OASIS Security

tion (LTPA) also provide a means

to transfer any authentication context established by a gateway to a downstream application server. Best-of-breed

t all on service endpoints,

mile agents for consuming and enforcing security at the endpoint.





The datacenter has different capacity and management expectati

blade-based solutions. Blade-based XML gateways afford the perfect balance between a cost

ease of management, and raw performance

Application Server: Software

Finally, there are deployments in which endpoint

security or SLA enforcement is the primary concern. In these situations, integrating gateway securit

the application server environment as a software solution is the only way to ensure that there is no possible point

of attack between applications.

Conclusions XML gateways are a new class of network device that can play a key role in any

architects concerned about throughput, security, governance, SLA enforcement or service virtualization may be

able to solve these problems more easily or more cost

managing performance and policy opera

greater scalability, flexibility and security.




The datacenter has different capacity and management expectations than the DMZ, providing an excellent fit for

based XML gateways afford the perfect balance between a cost-effective solution,

ease of management, and raw performance-oriented scalability without sacrificing functionality.

pplication Server: Software-based Solution

Finally, there are deployments in which endpoint-to-endpoint (i.e., from client to service without intermediary)

security or SLA enforcement is the primary concern. In these situations, integrating gateway securit


XML gateways are a new class of network device that can play a key role in any SOA framework. Technical


able to solve these problems more easily or more cost-effectively using an XML gateway. Over time, the benefit of

ng performance and policy operations in a central location will lower the TCO of any SOA, while providing

greater scalability, flexibility and security.



ons than the DMZ, providing an excellent fit for

effective solution,

oriented scalability without sacrificing functionality.

endpoint (i.e., from client to service without intermediary)

security or SLA enforcement is the primary concern. In these situations, integrating gateway security functions into


SOA framework. Technical


effectively using an XML gateway. Over time, the benefit of

tions in a central location will lower the TCO of any SOA, while providing




About Layer 7 TechnologiesWith more than 150 customers across 6 continents, and successful partnershi

resellers in the industry, Layer 7 Technologies is the leader in SOA and cloud security and governance. Our award

winning SecureSpan™ family of XML Gateways feature sophisticated runtime governance, enterprise

management and industry-leading XML security. Our CloudSpan™ family enables enterprises and service providers

to securely consume cloud services, as well as protect and control their own applications deployed in public and

private clouds. Founded in 2002, Layer 7 has a history of helping organizations address their security, visibility and

governance issues by enabling them to control, manage and adapt their Web services, no matter the deployment

model – in the enterprise or in the cloud

Contact Layer 7 TechnologiesLayer 7 Technologies welcomes your questions, comments, and general feedback.

Email:

[email protected]

Web Site:

www.layer7tech.com

Phone:

604-681-9377

1-800-681-9377 (toll free)

Fax:

604-681-9387

Address:

US Office

1200 G Street, NW, Suite 800

Washington, DC 20005

Canada Office

Suite 405-1100 Melville Street

Vancouver, BC

V6E 4A6 Canada

Legal Information Copyright © 2011 by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved.

SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade na

trademarks are the property of their respective owners.



About Layer 7 Technologies With more than 150 customers across 6 continents, and successful partnerships with some of the largest ISVs and

resellers in the industry, Layer 7 Technologies is the leader in SOA and cloud security and governance. Our award

winning SecureSpan™ family of XML Gateways feature sophisticated runtime governance, enterprise

leading XML security. Our CloudSpan™ family enables enterprises and service providers


er 7 has a history of helping organizations address their security, visibility and


in the enterprise or in the cloud.

Contact Layer 7 Technologies Layer 7 Technologies welcomes your questions, comments, and general feedback.

by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved.

SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade na

trademarks are the property of their respective owners.



ps with some of the largest ISVs and

resellers in the industry, Layer 7 Technologies is the leader in SOA and cloud security and governance. Our award-

winning SecureSpan™ family of XML Gateways feature sophisticated runtime governance, enterprise-scale

leading XML security. Our CloudSpan™ family enables enterprises and service providers


er 7 has a history of helping organizations address their security, visibility and


by Layer 7 Technologies, Inc. (www.layer7tech.com). Contents confidential. All rights reserved.

SecureSpan™ is a registered trademark of Layer 7 Technologies, Inc. All other mentioned trade names and/or

Documents

The Role of XML Gateways in SOA