WS-Security and WS-Security Policy are the common standards for ensuring integrity and confidentiality for Web Service messages. On the one hand they allow very flexible definition of security requirements. On the other hand they lead to complex security administration and low performance message processing. In this paper, we present our solution for a security gateway, which uses complete event-based XML and WS-Security processing to create policy conforming SOAP messages. The evaluation of our implementation shows that the event-based approach leads to a much better performance than tree-based WS-Security implementations. Further, we discuss some problematical issues of WS-Security Policy processing, such as determination of digital identities.