Forum Sentry XML Gateway

Mark Bakker

Last week I got a presentation for a security device I had never heard about.
Most times this means it is something which is not commodity, or has no real use-case.

But this time I was really impressed. The device is a possible replacement for IBM Datapower XML Security Gateway. But the way they designed the device is totally different.

What CrossCheck networks did was creating a device with just security as main use case. First of all it was an XML gateway, nowadays is does support HTML, XML, SOAP, FTP, JMS and others.
It also translates different flavors of JMS to each other, it can even convert from IBM MQ to JBoss MQ directly.

The Forum Sentry XML Gatewat comes in two flavors, as an appliance and as an VMWare image.
This is useful for the Development and Test environments.

The main use-case for the device is as a security device. It will stand in the DMZ and acts as a level 7 security gateway. This is the same use-case as the IBM Datapower, only the marketing is a little bit different, CrossCheck Networks markets the device mainly as a security appliance. IBM did market the Datapower mainly as a ESB in the past. Nowadays they also market it mainly as a security appliance.

The main differences I spotted between those two where:

Forum Sentry XML Gateway   IBM Datapower XML Security Gateway XS40
Supports protocol conversions (also IBM MQ → JBoss MQ)   Support protocol conversions (but does only support IBM related JMS technologies)
Support virus scanning (also in SOAP with attachments)   -
Supports large streaming files   Only does this in the Datapower XB60 B2B gateway
Supports authentication by using cascading user stores (i.g. If you can not find this username/ password in LDAP go to your Active Directory and try to match there). This can be configured for each url(-part)/ service(-part).   Support authentication
Real nice configuration, no need to type any XSLT.   Most conversions are made in XSLT.
SSO for web, ftp and services.   SSO for SOAP.

My conclusion after this short demo
The Forum sentry has some advantages when you compare it to the IBM Datapower XML Security Gateway XS40. The main difference is that you can do more whith only one appliance. You can replace an IBM Webseal, a virus scanner and an IBM Datapower XS40 with only one device.
My advice is to take this device in considerations where you have to choose for an XML firewall/ hardware ESB.

Comments (3)

  1. Alex - Reply

    April 6, 2011 at 2:43 pm

    Vordel is another very strong contender.

  2. Joe Weiss - Reply

    February 7, 2012 at 9:41 pm

    We have reviewed a number of SOA/XML Appliances and our conclusions are similar to Mark. Unless you want to buy and ESB in a box with little or no security consideration, you should stay away from vendors that let you drop code in there container. Except for Forum Sentry, all other smaller players in this space are just a fancy application server in a box.

  3. RaviY - Reply

    February 8, 2012 at 4:41 pm

    -- Large streaming is supported in XI50 s as well.
    -- VMWare Image is a real advantage for lower environments.
    -- Inbuilt Virus scanning may not be needed, usually enterprises will have a scan engine for web apps which can be used in conjuction with DP devices. And scanning may slow down the device.
    -- Does FTP protocol support SSO?

Add a Comment