Network World
Choosing the right XML security appliance

By Igor Khurgin , Network World , 08/05/2008
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

As companies embark on efforts to build loosely coupled service-oriented architectures they inevitably have to tackle the issue of securing their SOA service infrastructure, and many turn to XML security appliances to get the job done.

Why choose an XML appliance to protect and safely expose your SOA data services to customers, partners and software-as-a-service (SaaS) vendors? Without dedicated hardware support it is nearly impossible to withstand denial-of-service attacks and to provide the high availability necessary to ensure data confidentiality, integrity and nonrepudiation.

XML security appliances are typically positioned in the demilitarized zone between two firewalls and become the only device visible to outside clients. The appliance acts as a proxy and performs all necessary security operations, including SSL socket termination, credential validation and data verification.

The XML security appliance is then the only device permitted by the second firewall to establish connections to internal SOA endpoints. Performing security operations outside the endpoints provides a twofold benefit. First, the SOA data service no longer needs to implement any security functions and will not be compromised by hackers. Second, the security infrastructure policy is decoupled from the endpoints and therefore can be easily controlled by the infrastructure security team without having to make changes to the endpoints themselves.

Common functionality

XML security appliances, first introduced in 2000, range in price from $30,000 to $70,000, and the feature sets vary widely. These are the most common and important features to understand.

* Transport-level security: Inbound SSL/TLS socket termination and outbound SSL/TLS socket initiation, with support for server-based and mutual authentication, have been a cornerstone of Web security and the most popular way to achieve data confidentiality, integrity and nonrepudiation.

* Application security: Support for the WS-Security standard (versions 1.0 and 1.1), which defines how to secure Web service messages. In its current version (1.1), the standard defines several authentication token profiles: Username token, X.509, Kerberos, SAML (an XML framework for exchanging authentication and authorization data) and REL (Rights Expression Language, for specifying rights to content and the fees or other considerations required to secure those rights). It also supports SOAP messages with attachments.
