Web Services Journalの記事。アプリケーションレベルのセキュリティについて包括的に書いてある。
AnexinetというSIでSOA Principal Architectをしている人。
適用ポイントとしてはDataPowerが一番、という評価。
「私の意見では、DataPower XS40が最高の製品だ。この機器は信じられないくらい速く、しかも信じられないくらい柔軟性がある。全ての処理をPKI関係の管理からポリシー設定や適用まで含めて処理していく事も、またシステムの中の特定の処理だけを優先させるような事も、うまくこなしてくれる。そして驚くほど速い。スキーマ検証やポリシー適用や暗号処理をいくら重ねてやらせても、この機械をワイアスピード以下にスローダウンさせる事は難しい。小さな国の経済活動丸ごとくらいのトランザクションを処理できるのだ。たった一台でもそれほどのパワーがあり、クラスタ化した場合は天井知らずとなる。
最もありがたく思うのは、メッセージ・レベルのセキュリティとXML攻撃に対する防御、そしてログ保存とポリシー適用を一箇所でできてしかも性能面でまったく悩む必要が無いということだ。」
この他にWebサービス管理基盤としてBlue Titan Network Director、IDの統一管理でRSA Federated Identity Managerが推奨されている。
Solve Your Application Security Issues
The advantage of building app security into infrastructure
December 2, 2004
Luckily, there are some very good tools in this space already, which makes this task bearable. In fact, without these tools it wouldn't be possible at this time to implement the premise of this article. Central among the tools we leverage is the XML security gateway, otherwise known as an XML firewall. There are many of these tools on the market now, mostly from startups, and they are ready for prime time. The best of them do everything from content routing to XML acceleration, but most importantly security policy enforcement. They also offer configurable logging. And the ability to log access decisions and request content is very powerful, as we will see in our use case.
The best of breed, in my opinion, is the XS40 from DataPower. This device is incredibly fast and incredibly flexible at the same time. It is equally adept at running the entire show with everything from PKI management to policy setup and enforcement as it is at deferring everything but the actual enforcement to other systems in your enterprise. And it screams. It is hard to stack enough validation, enforcement, and cryptography functions on it to slow it down below wire speed...at transaction throughputs that would run the economy of a small country. And that's just one box. Load up a cluster of them and the sky's the limit. The main take-away for our purposes is that we will do our message-level security functions, XML attack countermeasures, logging, and our policy enforcement all at the same time and not worry for a second about performance.
