Westbridge Technologies' XMS 3.0
With version 3.0, Westbridge Technologies' XML Security Gateway seeks to lock down SOAP traffic without imposing performance or management overhead.
March 18, 2004
XMS 3.0 is Java-based and rides on JVM 1.4, which offers significant performance enhancements. JVM 1.4's non-blocking I/O has translated into up to 25-percent increases in performance for J2EE products, such as application servers, that rely on Java. This is also true for many of the products in the XML Security Gateway market, as a majority of them are J2EE-based.
Westbridge is having somewhat of a cryptographic acceleration identity crisis. The company originally offered the Rainbow/Chrysalis-ITS SSL accelerator, but now is pushing nCipher's nFast 1600 as its SSL acceleration solution. Acceleration is an add-on, not a stock option. Regardless, you'll need to add acceleration onto the price if you'll be taking advantage of encryption or digital signature functionality, as the product won't perform well without it.
I was able to verify the impact of the XMS 3.0's new JVM and caching configuration options in our Green Bay, WI, Real World Labs. The XMS appliance shipped as a 1U, dual Xeon 2.4-GHz server with 1 GB RAM.
XMS 3.0 supports SQL Server, Oracle and MySQL as repositories for logging and policies, and it integrated easily with the lab's existing SQL Server instance. Device configuration via a browser--Netscape 7+ or IE 5.5+--is relatively unchanged from the earlier version, although it is now possible to bypass the rudimentary workflow implemented for policy creation. It's a nice improvement to the product, as the slightest change to a policy in previous versions required stepping through the entire configuration flow. Not a terrible process, but annoying enough to appreciate the enhancement.
Westbridge Technologies XMS 3.0. $40,000 with SSL acceleration option. http://www.westbridgetech.com/
I created policies to handle two Web services provided by Spirent Communications' WebReflector and then generated load with its WebAvalanche to verify the improvement in performance. In the first test run, as a straight proxy with no message processing, XMS 3.0 was able to handle an average of 262 messages per second. I then configured a policy to encrypt a specific XML node within the response document and set the product to cache the keys from the keystore for 15 minutes. Performance stayed relatively equal to the straight-through proxy configuration, averaging 262 messages per second.
Although performance is more in line with its competitors, pricing for the XMS is still quite a bit more than a comparable product from DataPower or ForumSystems. Many competing products include SSL acceleration as part of the overall package, while Westbridge requires a separate purchase for this functionality. This really is an anomaly, since encryption and secure communication are considered basic requirements for any security product intended for deployment on the edge of a network.
Westbridge has somewhat simplified the selection of specific XML nodes for action in policies. However, the same functionality in ForumSystems is still easier to use. All products in this space have a trade-off. ForumSystems, for instance, requires a separate Java application to provide administrative functionality, while other offerings provide a completely Web-based administrative experience. There is no technological reason why this same functionality cannot be provided within a Web-based environment. Other Web-services-based products offer this ease-of-use feature, but for some reason none of the vendors in this space has implemented such a solution at this time.
XMS 3.0 still supports SOAP 1.1 and WSSE 1.0, and Westbridge expects to provide support for SOAP 1.2 in the near future. The move to JVM 1.4 and the option to configure the caching of keys in XMS 3.0 put the product in a position to firmly compete in terms of performance. And although it is still one of the priciest products on the market, many of XMS 3.0's management features make it worth an in-house evaluation.
Lori MacVittie is a NETWORK COMPUTING senior technology editor working in our Green Bay, Wis., labs.