SERVICE DESCRIPTION Web Application Firewall

Date:
Document: Service description: Web Application Firewall

TABLE OF CONTENTS
1 INTRODUCTION
2 SERVICE DESCRIPTION
2.1 Basic service
2.2 Options
2.2.1 Advanced Security
2.2.2 ICAP Interface
2.2.3 Certificate Management
2.2.4 XML Firewall
2.2.5 Test Instance
3 ADDITIONAL DOCUMENTS
4 DISCLAIMER
Copyright United Security Providers AG

1 INTRODUCTION
This document describes the USP Web Application Firewall managed service with all the options available from USP. This document, together with the agreed Service Level Agreement, constitutes the binding basis for the provision of the managed service.

Field of application
More and more applications are accessible from the Internet, and these web applications are often used to process highly sensitive data, such as business secrets or personal data that is protected by legislation. With its Web Application Firewall managed service, USP offers scalable and powerful protection for such web applications. The service accepts all requests to the web application as a reverse proxy and filters them, closing off the entry routes most commonly used by attackers and so reducing IT risk. The same service protects all of the customer's web applications, which standardises and simplifies access to the protected applications.

2 SERVICE DESCRIPTION

2.1 Basic service
The USP Web Application Firewall service provides effective protection for web applications. It permits simple and secure access to web applications from the intranet or the Internet via a web portal.

Name of service: Web Application Firewall
Service abbreviation: MSS-RA
Service version: 2.0
Status: Operational
Operating hours:
- OH1: Monday to Friday, 08:00 to 18:00 CET
- OH2: Monday to Saturday, 07:00 to 21:00 CET
- OH3: Monday to Sunday, 00:00 to 23:59 CET
Availability guarantee:
- ACA: best effort
- ACB: 99.5% availability during operating hours
- ACC: 99.7% availability during operating hours
- ACD: 99.9% availability during operating hours

The service is assessed on the basis of the number of physical or virtual appliances.

The basic function of the service is a secure reverse proxy for the HTTP and HTTPS protocols. The reverse proxy accepts requests on behalf of the web applications, verifies them and then passes them on to the actual recipient. Applications that are reachable from the Internet are preferred targets for attackers; the Web Application Firewall service closes off these entry routes by accepting all requests from the Internet on behalf of your servers. This also gives effective protection against attacks such as denial-of-service attacks at the application layer (volumetric attacks that saturate the upstream link are outside what a reverse proxy can absorb and need network-level mitigation). Users access all protected web applications from a single web portal, which can make life considerably easier for them.

Compliance with the SLA parameters is measured against the availability of the service infrastructure. The following service-specific values are collated in the monthly reports:
- infrastructure workload
- total data volume
- number of sessions

The following measuring points are among those watched to monitor the service:
- CPU / RAM / HDD workload
- listener processes
- connection to the backend
- accessibility

The service is limited to applications that use the HTTP / HTTPS protocol. A dedicated load balancer is required if the service is operated on multiple servers in an active/active setup. An availability guarantee in excess of "best effort" requires a redundant design of the underlying infrastructure.

2.2 Options

2.2.1 Advanced Security
Advanced security functions for the Web Application Firewall.

Name of the service option: Advanced Security
Abbreviation: MSS-WAF-AS
The service option is assessed on the basis of the size of the basic service.

Extension of the Web Application Firewall security functions for high-quality protection of web applications and web services. Examples of these more demanding functions are URL encryption, CSRF protection and dynamic request whitelisting. The advanced protection functions protect the dynamic content of modern web applications and portals; in this way you achieve a higher security level for portals based on Java or PHP, for instance. Countermeasures against newly published exploits can be enabled from a central location, more quickly and with full coverage, and you save valuable resources because you no longer need to modify every application individually (such a countermeasure buys time; the vulnerability in the application itself should still be fixed).

Compliance with the SLA is determined using the KPIs for the basic service. This option is not listed separately in the reports. This option is not monitored separately; monitoring is based on the measuring points of the basic service. The conditions of use are the same as those for the basic service.

2.2.2 ICAP Interface
A standardised ICAP (Internet Content Adaptation Protocol) interface for integrating external resources such as virus scanners.

Name of the service option: ICAP Interface
Abbreviation: MSS-WAF-ICAP
The service option is assessed on the basis of the size of the basic service.

This option operates a standardised ICAP interface. External resources can be incorporated into the WAF functionality and used via this interface for additional data checking: if an external virus scanner is connected, for instance, the incoming and outgoing data traffic can be checked for viruses. This can considerably improve the security of your web applications and of your entire IT infrastructure. Because the WAF waits for the scanner's answer before forwarding a request, the behaviour when the ICAP server is unreachable or slow (fail open or fail closed) should be agreed when the option is set up.

Compliance with the SLA is determined using the KPIs for the basic service. This option is not listed separately in the reports. The ICAP interface is not monitored separately.

The components addressed via the ICAP interface must act as ICAP servers. The operation of these components is not included in the service option. The service option is not offered until at least two operational instances have been procured.
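To make the exchange on the ICAP interface concrete, the following is an added example of the REQMOD round trip between the WAF (acting as ICAP client) and a virus scanner (acting as ICAP server), following RFC 3507. It is illustration written for this page, not USP's code; the ICAP URI, the sample upload and both scanner verdicts are constructed.

```python
"""ICAP REQMOD exchange as a WAF would run it against an external scanner (RFC 3507).

Added illustration, not USP's code: the ICAP URI, hostnames, sample request and
the scanner's verdicts below are constructed for the example.
"""

ICAP_URI = "icap://icap.example.internal/av"   # assumed address of the customer's ICAP server


def _chunked(body: bytes) -> bytes:
    """Encapsulated bodies travel in HTTP chunked transfer coding."""
    if not body:
        return b"0\r\n\r\n"
    return b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)


def build_reqmod(http_head: bytes, http_body: bytes, allow_204: bool = True) -> bytes:
    """Wrap an HTTP request the WAF received into an ICAP REQMOD request.

    The Encapsulated header gives the byte offset of every section in the
    payload, so the HTTP head must end with an empty line (CRLF CRLF).
    """
    if not http_head.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP request head must end with CRLF CRLF")
    if http_body:
        encapsulated = b"req-hdr=0, req-body=%d" % len(http_head)
        payload = http_head + _chunked(http_body)
    else:
        encapsulated = b"req-hdr=0, null-body=%d" % len(http_head)
        payload = http_head
    host = ICAP_URI.split("/")[2].encode()
    lines = [b"REQMOD " + ICAP_URI.encode() + b" ICAP/1.0",
             b"Host: " + host,
             b"Encapsulated: " + encapsulated]
    if allow_204:
        lines.append(b"Allow: 204")   # server may answer "unchanged" without echoing the body
    return b"\r\n".join(lines) + b"\r\n\r\n" + payload


def parse_icap_response(raw: bytes):
    """Turn the scanner's ICAP response into a WAF decision.

    Returns ("allow", None) for 204 No Content (forward the request unchanged),
    ("allow", head) for 200 OK carrying a possibly modified request, and
    ("block", head) for 200 OK carrying an HTTP *response* (res-hdr): the scanner
    has replaced the request, and the WAF must return that response to the
    client instead of contacting the backend.
    """
    head, _, rest = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.split(b"\r\n")
    version, status, _reason = status_line.split(b" ", 2)
    if version != b"ICAP/1.0":
        raise ValueError("not an ICAP/1.0 response")
    if status == b"204":
        return "allow", None
    if status != b"200":
        raise ValueError("unexpected ICAP status %r" % status)
    headers = dict(line.split(b": ", 1) for line in header_lines if b": " in line)
    sections = dict(part.strip().split(b"=", 1)
                    for part in headers.get(b"Encapsulated", b"").split(b",") if b"=" in part)
    encapsulated_head = rest.partition(b"\r\n\r\n")[0]
    if b"res-hdr" in sections:
        return "block", encapsulated_head
    if b"req-hdr" in sections:
        return "allow", encapsulated_head
    raise ValueError("200 OK without an encapsulated head")


# Constructed sample: an upload the WAF is about to forward to the backend.
SAMPLE_HTTP_HEAD = (b"POST /upload HTTP/1.1\r\n"
                    b"Host: app.example.com\r\n"
                    b"Content-Length: 12\r\n\r\n")
SAMPLE_HTTP_BODY = b"hello, world"

# Constructed scanner verdicts, in the form an ICAP server sends them.
CLEAN_VERDICT = b"ICAP/1.0 204 No Content\r\nISTag: \"av-sig-1\"\r\n\r\n"
BLOCK_PAGE_HEAD = (b"HTTP/1.1 403 Forbidden\r\n"
                   b"Content-Type: text/plain\r\n"
                   b"Content-Length: 13\r\n\r\n")
INFECTED_VERDICT = (b"ICAP/1.0 200 OK\r\nISTag: \"av-sig-1\"\r\n"
                    b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(BLOCK_PAGE_HEAD)
                    + BLOCK_PAGE_HEAD + _chunked(b"Virus found.\n"))


if __name__ == "__main__":
    print(build_reqmod(SAMPLE_HTTP_HEAD, SAMPLE_HTTP_BODY).decode())
    print(parse_icap_response(CLEAN_VERDICT))
    print(parse_icap_response(INFECTED_VERDICT))
```

The same shape applies to RESPMOD for checking traffic on the way out to the client; only the method name and the encapsulated sections (res-hdr/res-body) change. Note that the block branch hands the scanner's own HTTP response to the client, which is why the scanner's block page, not the backend's, is what the user sees.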

2.2.3 Certificate Management
Monitoring and managing the SSL certificates used to encrypt web connections via HTTPS.

Name of the service option: Certificate Management
Abbreviation: MSS-WAF-CA
The service option is assessed on the basis of the number of valid certificates.

The SSL certificates used to encrypt web connections via HTTPS are monitored and managed by USP's Security Operations Center. The service option is offered at the following levels:
- Bronze: USP monitors the lifetime of the SSL certificates and informs the customer no later than 14 days before their expiry.
- Silver: USP monitors the lifetime of the SSL certificates and initiates their renewal on its own initiative. This service is restricted to godaddy.com as the certificate provider, and only domain-validated SSL certificates are provided.
- Gold: USP monitors the lifetime of the SSL certificates and initiates their renewal on its own initiative. This service covers godaddy.com as the certificate provider for domain-validated certificates and SwissSign for extended-validation certificates. Seamless renewal of the certificates is the responsibility of USP.

Customers no longer need to worry about their certificates themselves or maintain a complex PKI. USP monitors the certificates on your behalf and notifies you in good time before they expire.

This service option has no influence on compliance with the basic service SLA. A list of certificates with their status is added to the reports supplied; the list can be viewed by authorised users via USP Connect. The validity of the certificates is monitored.

Seamless renewal of the certificates for the website is the responsibility of the customer at the Bronze and Silver levels.
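The Bronze level is essentially a lifetime check with a 14-day warning window. The following added example, written for this page and not USP's own tooling, shows that check over a constructed inventory in the shape Python's `ssl` module returns for a peer certificate; the hostnames and dates are made up and EXAMPLE_NOW pins "today" so the result is reproducible.

```python
"""Certificate lifetime monitoring in the spirit of the Bronze level above:
flag every certificate that is expired or expires within 14 days.

Added illustration, not USP's code. The inventory below is constructed in the
shape ssl.SSLSocket.getpeercert() returns; the hostnames and dates are made up,
and EXAMPLE_NOW fixes "today" so the run is reproducible.
"""
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 14          # Bronze: customer is informed no later than 14 days before expiry
EXAMPLE_NOW = datetime(2024, 6, 20, 12, 0, tzinfo=timezone.utc)

SAMPLE_INVENTORY = {
    "shop.example.com":   {"subject": ((("commonName", "shop.example.com"),),),
                           "notBefore": "Jul  1 00:00:00 2023 GMT",
                           "notAfter":  "Jun 30 23:59:59 2024 GMT"},
    "portal.example.com": {"subject": ((("commonName", "portal.example.com"),),),
                           "notBefore": "Jan  1 00:00:00 2024 GMT",
                           "notAfter":  "Dec 31 23:59:59 2024 GMT"},
    "legacy.example.com": {"subject": ((("commonName", "legacy.example.com"),),),
                           "notBefore": "Jun  1 00:00:00 2023 GMT",
                           "notAfter":  "May 31 23:59:59 2024 GMT"},
}


def days_until_expiry(cert: dict, now: datetime = None) -> float:
    """Days left on the certificate; negative once it has expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def classify(cert: dict, now: datetime = None, warn_days: int = WARN_DAYS) -> str:
    """'expired', 'renew' (inside the warning window) or 'ok'."""
    left = days_until_expiry(cert, now)
    if left < 0:
        return "expired"
    if left <= warn_days:
        return "renew"
    return "ok"


def certificate_report(inventory: dict, now: datetime = None, warn_days: int = WARN_DAYS) -> dict:
    """Status list of the kind a monthly report would carry: name -> (status, days left)."""
    return {name: (classify(cert, now, warn_days), round(days_until_expiry(cert, now), 1))
            for name, cert in inventory.items()}


def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Live variant: fetch the certificate a host actually presents (not run here).

    getpeercert() only returns the leaf after the default context has validated
    the chain, so an already-expired certificate raises SSLCertVerificationError
    rather than being returned; callers should catch that and treat it as 'expired'.
    """
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, (status, left) in certificate_report(SAMPLE_INVENTORY, EXAMPLE_NOW).items():
        print(f"{name:22} {status:8} {left:7.1f} days")
```

Two practical points the check does not cover by itself: the intermediate certificates in the chain expire too and must be monitored alongside the leaf, and a warning 14 days out is only useful if the renewal and deployment path (which at Bronze and Silver remains with the customer) takes less than that.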

2.2.4 XML Firewall
Monitors the XML/SOAP data traffic.

Name of the service option: XML Firewall
Abbreviation: MSS-WAF-XML
The service option is assessed on the basis of the size of the basic service.

This option checks the XML/SOAP data traffic and filters out suspicious content. On the one hand the format of the transmitted data is checked; on the other, the data content is monitored for critical content. Applications that provide an XML/SOAP interface are thus additionally protected: first, security is increased by inspection of the XML contents; second, access to the XML interface itself is also checked.

Compliance with the SLA is determined using the KPIs for the basic service. This option is not listed separately in the reports. This option is not monitored separately.

The applications to be protected must have a standardised XML/SOAP interface. The service option is not offered until at least two operational instances have been procured.
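The two kinds of check named above, format and content, are shown in the following added example (written for this page; it is not USP's implementation). It uses only the Python standard library; the size and depth limits, the content patterns and the sample SOAP messages are constructed and stand in for a real, much larger rule set.

```python
"""Format and content checks of the kind an XML firewall applies to SOAP traffic.

Added illustration, not USP's code. It uses only the standard library; the
size/depth limits, the content patterns and the sample messages are constructed
for the example and stand in for a real, much larger rule set.
"""
import re
import xml.etree.ElementTree as ET

SOAP_NAMESPACES = {"http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
                   "http://www.w3.org/2003/05/soap-envelope"}     # SOAP 1.2
MAX_BYTES = 256 * 1024     # assumed limit
MAX_DEPTH = 32             # assumed limit
CRITICAL_CONTENT = [       # assumed content rules
    re.compile(r"\b(union\s+(all\s+)?select|select\b.+\bfrom)\b", re.I),
    re.compile(r"<script\b", re.I),
]


class SoapRejected(Exception):
    """Raised with the reason the message must not reach the backend."""


def inspect_soap(raw: bytes) -> str:
    """Return the operation name if the message passes, else raise SoapRejected."""
    # Format checks: size, then no DOCTYPE at all (this is what keeps external
    # entities and entity-expansion bombs away from the parser), then well-formedness.
    if len(raw) > MAX_BYTES:
        raise SoapRejected("message exceeds %d bytes" % MAX_BYTES)
    if re.search(rb"<!DOCTYPE", raw, re.I):
        raise SoapRejected("DOCTYPE declarations are not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise SoapRejected("malformed XML: %s" % exc)
    # Structure: the root must be a SOAP Envelope with a Body.
    m = re.fullmatch(r"\{(.+)\}Envelope", root.tag)
    if not m or m.group(1) not in SOAP_NAMESPACES:
        raise SoapRejected("root element is not a SOAP Envelope")
    body = root.find("{%s}Body" % m.group(1))
    if body is None:
        raise SoapRejected("Envelope has no Body")

    # Content checks: nesting depth and critical strings in text and attributes.
    def walk(element, depth):
        if depth > MAX_DEPTH:
            raise SoapRejected("nesting deeper than %d" % MAX_DEPTH)
        for value in (element.text, element.tail, *element.attrib.values()):
            for pattern in CRITICAL_CONTENT:
                if value and pattern.search(value):
                    raise SoapRejected("critical content in <%s>: %r" % (element.tag, value.strip()))
        for child in element:
            walk(child, depth + 1)

    walk(root, 1)
    operations = list(body)
    return operations[0].tag.rpartition("}")[2] if operations else ""


def verdict(raw: bytes):
    """('pass', operation) or ('reject', reason), as a WAF log line would record it."""
    try:
        return "pass", inspect_soap(raw)
    except SoapRejected as exc:
        return "reject", str(exc)


# Constructed sample messages.
GOOD_MSG = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetOrder xmlns="urn:example:orders"><id>42</id></GetOrder></soap:Body>
</soap:Envelope>"""
XXE_MSG = b"""<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetOrder xmlns="urn:example:orders"><id>&xxe;</id></GetOrder></soap:Body>
</soap:Envelope>"""
SQLI_MSG = GOOD_MSG.replace(b"<id>42</id>", b"<id>42 UNION ALL SELECT password FROM users</id>")
NOT_SOAP_MSG = b"<html><body>not a SOAP message</body></html>"

if __name__ == "__main__":
    for name, msg in [("good", GOOD_MSG), ("xxe", XXE_MSG), ("sqli", SQLI_MSG), ("html", NOT_SOAP_MSG)]:
        print(name, verdict(msg))
```

The operation name returned for a passing message is what the access check on the XML interface would work with: a positive list of permitted operations per client is the natural next rule, and a production deployment would validate the Body against the service's XML Schema or WSDL rather than only checking well-formedness.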

2.2.5 Test Instance
Operation of an additional instance that is not used in production.

Name of the service option: Non-Prod Licence
Abbreviation: MSS-WAF-TEST
The service option is assessed on the basis of the number of instances.

This option operates a further instance of the Web Application Firewall. The additional instance is not used operationally and can therefore serve as a test or development environment, for example. It is equipped with the same options as the operational instances. Changes can be tested in an environment similar to production before they are implemented, which considerably reduces the risk of an error when the changes are subsequently applied to the production environment.

Test instances are operated on a best-effort level during office hours, whatever the SLA for the basic service. This option has no particular KPIs. No reports are prepared for test instances. The availability of the instance is monitored.

MSS-WAF-TEST is not offered until at least two operational instances have been procured.

3 ADDITIONAL DOCUMENTS
The present document describes the functional scope of USP's Web Application Firewall service. General information on the Service Level Agreement and on operation may be found in the following additional documents:
- Service management and SL catalogue: contains all the information relating to the Service Level Agreement parameters. It defines, for instance, the support processes and collaboration obligations, along with operating hours and availability guarantees.
- Services catalogue: defines the operation tasks and the standard changes, and describes the processes by which the corresponding changes can be triggered in a qualified fashion.
- Price list: lays down the prices of all services and options.

4 DISCLAIMER
This document is the intellectual property of USP AG and may not be copied, reproduced, passed on or used for execution without its permission. Unauthorised use is punishable in accordance with Section 23 in conjunction with Section 5 of the Swiss Unfair Competition Law. This work is protected under copyright. The rights thereby established, in particular those of translation, reproduction, use of illustrations, distribution by photomechanical or other means and storage in data processing systems, even in extract, remain reserved. The functions, data and illustrations described in this documentation are subject to amendment at any time. They are provided for better understanding of the material, without claiming completeness or correctness in detail. The programs described in this document are provided only on the basis of a valid licence agreement with USP AG and may be used only in compliance with the conditions laid down in that licence agreement. USP's General Terms and Conditions apply unless higher-ranking provisions apply. Copyright United Security Providers AG. All rights reserved.