Secure Messaging Gateway - Generic Overview
The Secure Messaging Gateway (SOI-SMG) capability is an advanced policy enforcement point (PEP) and policy-based security enforcement gateway which sits in the network at the boundary of an enterprise’s DMZ or possibly within the enterprise itself, or in a combination of the two. It specializes in XML web services security, though it can cater for a wider range of scenarios. In particular, it can mediate the exposure of an enterprise’s services by securing and controlling access to the service.
- Threat protection: the SOI-SMG can provide threat protection at different layers, i.e. transport, application, message-specific…
- Identity bridging: by understanding XML security tokens such as SAML, it can bridge identity realms together.
- Policy-based, logically centralized enforcement: this lets administrators write policies once and apply them everywhere the gateway is deployed. In addition the nature of the policy (XML-based) allows for highly configurable, more or less fine grained policies.
- Delegation of security requests to 3rd party services: the SOI-SMG is able to create on-the-fly requests to external services such as an authorization web service in order to achieve richer scenarios such as access control in the case of the authorization service.
- Context-based security: the SOI-SMG can understand contextual information coming in the SOAP payload and use it to determine which policies (or which branches of a given policy) to step into in order to apply conditional, contextual security. In one of the BEinGRID business experiments dealing with e-health, this can be particularly interesting: the web portal and the web services can sit behind the same gateway but the security applied may not be the same.
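The context-based selection in the last item, combined with message-level threat protection, as an added example that is not BEinGRID, Layer 7 or Vordel code. The `Channel` header, its namespace, the branch names and the size limit are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# SOAP 1.1 and SOAP 1.2 envelope namespaces; the page lists both versions.
SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",
           "http://www.w3.org/2003/05/soap-envelope")
CTX_NS = "urn:example:smg-context"  # hypothetical context header namespace
MAX_BYTES = 64 * 1024               # assumed message size limit

# Hypothetical policy branches, keyed by the channel named in the SOAP header.
POLICY_BRANCHES = {
    "web-portal": ["require-tls", "validate-saml-token"],
    "web-service": ["require-tls", "validate-saml-token",
                    "verify-xml-signature", "call-authorization-service"],
}

# Constructed sample message (SOAP 1.1) from the e-health web portal.
SAMPLE = (b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<s:Header><c:Channel xmlns:c="urn:example:smg-context">web-portal'
          b'</c:Channel></s:Header><s:Body/></s:Envelope>')


def select_policy(raw: bytes):
    """Return (decision, assertions) for one inbound SOAP message."""
    # Message-level threat protection before parsing: size cap, strict UTF-8,
    # and no DTD, which rules out entity-expansion and external-entity input.
    if len(raw) > MAX_BYTES:
        return ("deny", ["oversized-message"])
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ("deny", ["bad-encoding"])
    if "<!DOCTYPE" in text:
        return ("deny", ["dtd-not-allowed"])
    try:
        root = ET.fromstring(text)  # str input, so UTF-8 is what gets parsed
    except ET.ParseError:
        return ("deny", ["malformed-xml"])
    ns = next((n for n in SOAP_NS if root.tag == f"{{{n}}}Envelope"), None)
    if ns is None:
        return ("deny", ["not-soap"])
    path = f"{{{ns}}}Header/{{{CTX_NS}}}Channel"
    channel = root.findtext(path, default="").strip()
    # Fail closed: a missing or unknown context never selects a branch.
    if channel not in POLICY_BRANCHES:
        return ("deny", ["unknown-context"])
    return ("enforce", POLICY_BRANCHES[channel])
```

The portal and the web service share one entry point here, yet the web-service branch adds signature verification and the delegated authorization call.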
The SOI-SMG capability is based on well-defined standards such as WS-Trust, Active Profile of WS-Federation, WS-Security, XML Digital Signatures, XML Encryption, the WSDM stack (WSRF, WS-Notification), SOAP 1.1 & SOAP 1.2, and WS-Addressing. Generally the SOI-SMG increases enterprise flexibility & virtual exposure of internal capabilities by offloading the responsibility of security to a single, border component. It enables faster deployment times with fewer failures: this is the transition towards a SaaS model.
Within BEinGRID there are two variants of the SOI-SMG capability:
- BEinGRID has developed a prototype of an enforcement point. (More on the BEinGRID prototype)
- BEinGRID has been working closely with vendors Layer 7 and Vordel to be able to use trial versions of their XML security gateway products for academic purposes. (More on the Layer 7 SecureSpan gateway & Vordel Security Gateway)