RSA, Reactivity Tighten Web Services Security

The vendors will offer tools aimed at helping IT managers comply with the WS-Security standard.

As Web services continue to become an integral part of enterprise Web strategies, IT managers are increasingly looking for ways to lock them down.

This week, Reactivity Inc. and RSA Security Inc. will unveil tools designed to do just that. Although the companies take different approaches—with Reactivity going the hardware route and RSA relying on a software-based offering—each approach is based on the current WS-Security (Web Services-Security) standard, and each puts a lot of stock in strong cryptography.

Click here to read more about the WS-Security standard. Reactivity, an XML security specialist in Belmont, Calif., is releasing the final two pieces of its Secure Deployment System: the Reactivity Gateway and the Reactivity Manager.

The gateway acts as an XML firewall, inspecting incoming XML messages for content violations and security problems. The appliance can detect DoS (denial-of-service) attacks and take countermeasures, such as throttling incoming traffic or blocking traffic from IP addresses, officials said.

The company is introducing two versions of the gateway—the 2450 and the 2460—both of which include nCipher Inc.s nForce 1600 hardware security module. The module is used for cryptographic acceleration and key storage and is designed to handle as many as 1,600 new SSL (Secure Sockets Layer) connections per second. Along with the previously released Gatekeeper, Gateway-D and Gateway Plus, the new components make up the Secure Deployment System.

Both Gateway models include support for all the current standards used in Web services security, such as SAML (Security Assertion Markup Language), WSDL (Web Services Description Language), SOAP (Simple Object Access Protocol) and WS-Security.

The second piece of the new suite, the Reactivity Manager, has evolved from the management portion of the gateway into a separate appliance. The biggest addition to the managers feature set is what the company calls "one-click PKI [public-key infrastructure]." In one step, an IT manager can direct the appliance to contact a certificate authority, obtain a certificate, store the keys in the nForce module and propagate the keys to all relevant gateways.

Users said the Reactivity solutions performance and simplicity make the task of securing Web services less onerous. "Our big question when we started this was how to secure it," said Spyros Kattou, e-business architect at Aeroplan, a subsidiary of Air Canada, based in Montreal, which has been using Reactivitys solutions since last year. "The performance is like looking at a network device. Theres no lag. Its pretty amazing, considering all of the functions."

For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog. RSA, meanwhile, has developed a new version of its BSafe software, called BSafe Secure WS-J, or SWS-J, which is RSAs first pure Java product for securing Web services. The encryption and digital signature software can use any standard Java console and includes a full implementation of WS-Security 1.0.

When an incoming SOAP message or piece of XML data arrives, SWS-J can decrypt the message, verify the digital signature and validate any authentication token associated with the message. The software can also insert the authentication tokens into outgoing messages, officials said.

"This is really something that our customers were asking for," said Mike Vergara, director of product management at RSA, in Bedford, Mass. "The interoperability with the consoles and gateways is key to them."

SWS-J also uses Sun Microsystems Inc.s Java Cryptographic Extension architecture to interoperate with any JCE-compliant product. RSA also will announce this week new partnerships with several Web services gateway providers, including Reactivity, DataPower Technology Inc., Forum Systems Inc., Layer7 Technologies Inc., Vordel Ltd. and Westbridge Technology Inc.

SWS-J is in beta and will be available next month. Reactivitys appliances will be shipping by months end.

Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.

Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page