SecureWithin™ Features & Benefits

  • Provides a Complete Web Services Security and Management Solution
  • Provides Web Applications Security
  • Securely expose ANY TCP or UDP (over IP) based internal endpoint
  • Fully interoperate with third party authentication and authorization systems
  • Intrusion detection and protection
  • Built-in denial of service & distributed denial of service attack (DoS & DDoS) protection
  • Statistics reporting, usage accounting and auditing
  • Sophisticated and proprietary "Learn Mode" algorithms teach the gateways what request/response traffic is valid. Invalid traffic triggers notification and optional blocking depending on configuration settings.
  • SLA notification
  • Bridge the security gap between Active Directory based applications (intranet) and heterogeneous clients on the internet (securely)
  • Only expose a subset of internal endpoints and not the entire network
  • Scalable to any number of internal/external gateways.

Provides a Complete Web Services Security and Management Solution

  • The SecureWithin™ gateways significantly boost web services performance and availability by offloading the authentication, authorization, encryption, decryption, logging, intrusion-detection, intrusion blocking, SLA monitoring and fault notification tasks from web service implementations. By eliminating the need to embed library objects into web services to manage non-functional tasks such as security, monitoring, logging, etc., web services become faster to implement and execute more efficiently and securely. A consistent security model and a centralized policy enforcement and reporting/notification point improve the resiliency, security, implementation time and manageability of web services deployments.
  • Existing web services that already employ security mechanisms such as WS-Security or other WS-* standards can gain an extra degree of protection by stacking additional verification checks, logging, SLA enforcement, fault notification and multi-factor authentication or additional authorization rules on top of existing security measures that are built into existing implementations.
  • Through integration with third-party authentication, authorization and federation solutions, organizations can achieve single sign-on, not just within an organizational boundary but extend the web services functionality to business partners who may employ a different authentication and authorization infrastructure and a completely different computing platform.
  • SecureWithin™ performs WS-Security checks by evaluating the SOAP headers of web service requests. Authentication and authorization may be comprised of one or a combination of the following technologies:
    • SAML assertions
    • Microsoft CardSpace
    • WS-Security UserName tokens
    • Netegrity (CA) SiteMinder tokens
    • X.509 certificates
    • Originating host IP address
    • Two-factor authentication tokens such as RSA SecurID® or similar devices
    • SecureWithin™ tokens
    • Microsoft Active Directory and Kerberos support
    • Any LDAP store support
    • Custom authentication and authorization interface support for third party or custom implementations
  • In addition to the WS-Security checks, SecureWithin™ also has deep schema and schema-value validation capabilities. Only valid schema-compliant values are allowed; non-schema-compliant requests are optionally blocked, logged and trigger notification (based on configurable settings).
  • SecureWithin™ supports stateless or stateful web services. Although most web service deployments use the stateless paradigm, some installations that require maximum speed at the expense of scalability and fault tolerance employ a cookie-based stateful approach; SecureWithin™ supports both.
  • WCF is fully supported, so WCF and non-WCF web services can interoperate and be exposed through SecureWithin™ as WCF-based services. This means that a Linux-based or other platform-based web service can appear and behave to web-service consumers as a Microsoft WCF-based web service, with all the benefits of WCF, simply by fronting the service with SecureWithin™.
  • SecureWithin™ pass-through mode allows the web service implementation to perform all security checks. In active-security mode the security checks are performed by the SecureWithin™ gateway, either in lieu of the web service implementation or in conjunction with it.

Provides Web Applications Security

  • All the benefits noted for web services are also applicable to any web application, on any platform.
  • SSL acceleration for web applications is built-in. This means that applications can be deployed exposing port 80 (HTTP) and rely on the SecureWithin™ gateway to expose port 443 (HTTPS).

Securely expose ANY TCP or UDP (over IP) based internal endpoint such as (partial list):

  • HTTP or HTTPS based web services including all WS-* protocols
  • HTTP or HTTPS based web applications
  • FTP or SFTP services
  • Telnet
  • LDAP
  • Exchange Server
  • SQL Server (any version)
  • Oracle Database (any version)
  • Active Directory Domain Controller Services (any version)
  • Windows Communications Foundation Services (WCF)
  • DCOM
  • Microsoft Team Foundation Server
  • SMTP
  • ICMP
  • DNS
  • Java RMI
  • The above list is a small sampling of applications/protocols. ANY TCP or UDP based service can be externalized using SecureWithin™.

Fully interoperate with third party authentication and authorization systems

  • Microsoft Active Directory®
  • Microsoft CardSpace
  • Netegrity (CA) SiteMinder®
  • Oblix
  • Any LDAP compliant directory
  • Any XACML compliant authentication/authorization provider
  • Any custom authentication and/or authorization solution through the use of a simple API and web services interfaces

Intrusion detection and protection

  • Identifies intrusion attempts at the external gateway and, depending on configuration settings, blocks the originating IP address or an IP address range
  • Optionally blocks IP address ranges based on blocking rules
  • Deep logging for offline analysis; logging depth is configurable
  • Automatic intrusion attempt notification via SMS, Email, web service invocation or a combination thereof; notification rules are fully configurable

Built-in denial of service & distributed denial of service attack (DoS & DDoS) protection

  • Smurf attack detection and prevention
  • IP-directed broadcasts disabled by default
  • ICMP traffic rate limiting or blocking (adjustable settings)
  • TCP SYN flood protection using stateful inspection to monitor every TCP handshake
  • Filters RFC 1918 address space and other configurable address spaces
  • Ingress filtering
  • Built-in adjustable traffic rate limiting for ICMP, SYN, UDP, etc.
  • Port scan attack immediate detection and blocking/logging/notification

Statistics reporting, usage accounting and auditing

  • Summary reports
  • SLA reports
  • Detailed transaction report
  • Report filtering by one or a combination of the elements below:
    • Internal endpoint
    • Internal gateway
    • External gateway
    • User
    • IP or IP range
    • Intrusion attempt type
    • Protocol

Sophisticated and proprietary "Learn Mode" algorithms teach the gateways what request/response traffic is valid. Invalid traffic triggers notification and optional blocking depending on configuration settings.

SLA notification

  • Internal endpoint SLA monitoring and immediate notification upon SLA threshold non-compliance
  • Adjustable settings for notification – SMS, Email, web service or a combination of the three
  • Self-monitoring of SecureWithin™ equipment and immediate notification of SLA anomalies to Bitkoo so that rapid action can be taken by Bitkoo 24/7

Bridge the security gap between Active Directory based applications (intranet) and heterogeneous clients on the internet (securely)

  • Extend the reach of Active Directory authentication to Internet clients so that users can securely access Active Directory® protected applications from the external network
  • No client-side software is required
  • Extends Active Directory® based application access to Apple, Linux, Unix, etc.

Only expose a subset of internal endpoints and not the entire network

  • Unlike a VPN, the entire network is NOT accessible to external (Internet) clients; only designated internal endpoints are
  • Specify a particular URL
  • Specify a URL using a wildcard expression with either ALLOW or DENY qualifiers
  • Restrict access to URL ranges by a combination of the following:
    • Date and time ranges
    • Client IP address ranges
    • Authentication criteria (two-factor, a certain directory, or a combination thereof)
    • Authorization criteria (roles, dynamic roles, attributes or a combination thereof)
    • Valid schema adherence
    • Valid schema data values (if a field may only contain values 1-20 and the input provided is '21', the system rejects the call, logs it and notifies interested parties)
  • Restrict access to a TCP port by specifying:
    • Host name or IP address
    • Port number or range of numbers
    • Allowed protocols for each port
    • Allowed schemas
    • Allowed data values within schema-compliant data transmission
  • Restrict the number of requests by client and time period
  • Logging of requests with the following granularities:
    • Entire request
    • Entire response
    • Request summary
    • Response summary
    • Failed request detail
    • Failed request summary
  • Detailed audit trail for every metadata change
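The three gateway checks listed above (ordered wildcard ALLOW/DENY URL rules, a per-client request limit per time period, and schema data-value range validation with the "1-20 but 21 supplied" rejection) can be illustrated together in one policy evaluator. This is an added example, not Bitkoo's or SecureWithin™'s own code; the rule formats, field names and limits are hypothetical, and rejections are logged so that a notification hook could consume them.

```python
import fnmatch
import logging
from collections import defaultdict, deque

log = logging.getLogger("gateway-policy")

# Hypothetical rule format (not SecureWithin's own syntax): ordered URL rules of
# (wildcard, "ALLOW"|"DENY"); field name -> inclusive integer range; (count, seconds).
URL_RULES = [("/api/orders/*", "ALLOW"), ("/api/admin/*", "DENY"), ("*", "DENY")]
FIELD_RANGES = {"quantity": (1, 20)}  # the page's "values 1-20" example
RATE_LIMIT = (5, 60)                  # at most 5 requests per client per 60 s

class GatewayPolicy:
    def __init__(self, url_rules=URL_RULES, field_ranges=FIELD_RANGES, rate_limit=RATE_LIMIT):
        self.url_rules, self.field_ranges = url_rules, field_ranges
        self.max_requests, self.window = rate_limit
        self.history = defaultdict(deque)  # client -> timestamps of counted requests

    def url_allowed(self, path):
        for pattern, verdict in self.url_rules:  # first matching rule wins
            if fnmatch.fnmatchcase(path, pattern):
                return verdict == "ALLOW"
        return False  # no matching rule: default deny

    def within_rate(self, client, now):
        q = self.history[client]
        while q and now - q[0] >= self.window:  # slide the window forward
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

    def values_valid(self, fields):
        for name, (lo, hi) in self.field_ranges.items():  # integer inside its range
            v = fields.get(name)
            if v is not None and not (isinstance(v, int) and lo <= v <= hi):
                return False
        return True

    def evaluate(self, client, path, fields, now):
        """Return (accepted, reason); rejections are logged to feed notification."""
        if not self.url_allowed(path):
            reason = "url-denied"
        elif not self.within_rate(client, now):
            reason = "rate-limited"
        elif not self.values_valid(fields):
            reason = "schema-value"
        else:
            return True, "ok"
        log.warning("rejected client=%s path=%s reason=%s", client, path, reason)
        return False, reason
```

A request that fails the URL rule is not counted against the client's rate window, while one that passes the URL rule but carries an out-of-range value is, so a client cannot probe values without consuming its quota.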

Scalable to any number of internal/external gateways

  • Gateways can be arranged into groups. For applications requiring extreme transaction throughput, such as voice over IP or streaming video serving tens of thousands of users, gateways can be load-balanced, and there is no limit to the number of gateways.
  • Configuration of multiple gateways is accomplished at the same speed as a single gateway. That means that if you wish to provision 10 external gateways with the same settings, simply configure one and associate the other 9 gateways with the same group.