XML Data Screen

Cleanse XML of Exploits, Malformed Data and Restricted Content

The SecureSpan™ XML Data Screen protects XML, Web services and Web 2.0 applications from damage, downtime or improper information. The XML Data Screen is the first Service Oriented Architecture (SOA) / Web-Oriented Architecture (WOA) XML appliance specifically designed to cleanse XML data streams of threats, vulnerabilities and unauthorized content for all common XML message formats including POX, SOAP, REST and AJAX.

Acting as a content filter, the XML Data Screen can be configured to scan, expurgate or transform malicious or malformed data, classified or unwanted “dirty” words and AJAX-generated scripts. Policies can be defined to remove, block or transform illegal data or entire messages. Traffic to specific endpoints can be restricted or throttled based on user-defined traffic limits, data formats or REST-based URLs. HTTP headers and form data can be validated, transformed or removed as required. The XML Data Screen also protects applications from XML Denial of Service (XDoS) and other parser-based exploits, assuring the continuous availability of service endpoints.

The SecureSpan XML Data Screen is available as a linearly scalable, high performance 64-bit, multi-processor, 1U appliance with onboard XML acceleration and optional SSL accelerator. Deployment options include acting as a central entry point to a network of Web services, an on-ramp to an Enterprise Service Bus (ESB) or as an ESB co-processor for cleansing XML documents. All operations on the SecureSpan XML Data Screen can be configured independently for inbound and outbound traffic.

To future-proof customers against changing requirements, the SecureSpan XML Data Screen is software upgradeable to the SecureSpan XML Firewall and VPN or the SecureSpan XML Networking Gateway.

Example Deployment Pages:
XML Data Screen - Portal
XML Data Screen - Threat Protection

Problems Addressed:

  • Prevent XML attack and intrusion
  • Filter XML content
  • Validate data structures
  • Set traffic limits
  • Secure REST and AJAX

 

Innovations:

  • First 64-bit multi-processor, ASIC accelerated SOA and Web 2.0 threat and content security appliance with onboard XML hardware acceleration
  • Built-in preconfigured filters for XML threat / anomaly signatures
  • Policy based content and URL processing
  • Operates in both in-line and ESB co-processor deployments
  • Optional virus scanning for binary attachments
  • Built-in clustering support for scalability and high availability
  • Future-proof through software upgrade to SecureSpan XML Firewall and VPN, or SecureSpan XML Networking Gateway

 

Key Features:

 

    XML Threat and Intrusion Protection
  • Infrastructural protections against XML parsing, XDoS and OS attacks
  • Application protection against XML content tampering and viruses in SOAP attachments
  • Protection against SQL and malicious scripting language injection attacks
  • Allow / reject messages based on time of day, day of week and IP address
  • Configurable throughput restrictions based on requestor or destination prevent downstream XDoS

  

    Message Validation and Filtering
  • High speed message validation against predefined schema protects applications from malformed data
  • Configurable validation and filtering of HTTP headers, parameters and form data
  • Configurable limits on XML message size, element size, nesting depth, string length, etc.
  • Detection of classified or “dirty” words or arbitrary signatures with subsequent scrubbing, rejection or redaction of messages
  • Content detection within XML data structure or across entire message
  • Configurable scrubbing or rejection of AJAX or other messages with embedded scripts or privileged commands

  

    Policy Flexibility
  • Support for XML, SOAP, POX, AJAX, REST and other XML-based services
  • Configuration wizards simplify policy creation and activation
  • Support for policy branching based on any message content or context
  • Rollback to previous policy versions and reuse of user defined policy fragments
  • Single policy can support both in-line and co-processor deployments
  • As an inline device, support for multiple routing destinations with configurable failover
  • Policies can be applied to request-only, response-only or both request and response messages

  

    Administration Options
  • GUI-based SecureSpan Manager deployed as either a standalone application (Windows / Linux) or browser-based (Internet Explorer / Firefox)
  • Centralized cluster management and configuration with delegated administration
  • Drag and drop policy-based policy configuration
  • Intelligent, real-time validation and testing of policies
  • Secure configuration backup and policy migration between environments
  • Logging and audit trapping of violations and system/user defined events via SNMP and SMTP
  • Support for external logging sinks
  • Dashboard for graphical, real-time monitoring of traffic profiles and security violations

  

    Supported Standards and Specifications
  • XML 1.0, SOAP 1.1, REST, AJAX, XPath 1.0, XSLT 1.0, WSDL 1.1, XML Schema, LDAP 3.0, SAML 1.1/2.0, PKCS #10, X.509 v3 Certificates, FIPS 140-2, Kerberos, W3C XML Signature 1.0, W3C XML Encryption 1.0, SSL/TLS 1.1 / 3.0, SNMP, SMTP, HTTP/HTTPS, JMS 1.0, MQ Series, Tibco EMS 4.0, WS-Security 1.0, WS-Addressing, WS-Trust 1.0, WS-Federation, WS-SecureConversation, WS-MetadataExchange, WS-Policy, WS-SecurityPolicy, WS-PolicyAttachment, WS-SecureExchange, WSIL, WS-I, WS-I BSP, UDDI 3.0

  

    Form Factor
  • 1U rack mount appliance, 64-bit multiprocessor platform with XML acceleration ASIC, optional SSL/crypto acceleration with HSM, four GE/FE NICs and dual PSUs
  • Gateway software for Red Hat and SUSE Linux and Solaris platforms*
  • Soft appliance supporting a broad range of host operating systems

 
*Note: Some features available in appliance version only