NSFOCUS Web Application Firewall

Transcription

1 NSFOCUS Web Application Firewall 1 / 9

2 Overview Customer Benefits Mitigate Data Leakage Risk Ensure Availability and QoS of Websites Close the Gap for PCI DSS Compliance Collaborative Security The NSFOCUS Web Application Firewall () protects your business-critical web applications and information against web attacks, data breaches, and downtime by shielding your business with a singular, overarching cover of security prevention. Among its many features, mitigates the OWASP Top 10 risks, combines a negative security model with a positive security model, employs application profile learning, and offers ironclad protection against application layer distributed denial-of-service (DDoS) attacks. is also designed to help customers with full Payment Card Industry Data Security Standard (PCI DSS) compliance. shares knowledge with NSFOCUS application scanners, creating custom protection policies so as to reduce the potential attack surface and minimize the time-to-fix exposures. collaborates with the NSFOCUS Anti-DDoS System (ADS) for automated, real-time responses to volumetric attacks. Customer Benefits Mitigate Data Leakage Risk Data breaches are both complex and surprisingly frequent. offers powerful protection against most prevalent web attacks based on a complete set of signatures for web vulnerabilities and web attacks, as well as the capability to detect illegal file uploads. enforces access control policy in Layer 4 and 7 to prevent attackers from accessing data without proper authorization. In the later phases of an attack, provides outbound data leakage detection, including illegal file download detection, webshell prevention, and filtering of sensitive information (such as credit card numbers and social security numbers). Ensure Availability and QoS of Websites offers a built-in anti-ddos module, which protects against TCP flood attacks below 1 Gbps, as well as HTTP/S GET/POST flood attacks and slow rate attacks, the fastest-growing DDoS attack vector. employs access rate thresholding and IP reputation and algorithm-based protection mechanisms. 2 / 9

3 Close the Gap for PCI DSS Compliance PCI DSS 3.0 Compliance Requirements Ad-hoc compliance report for PCI audit Offers cookie security in compliance with new req Broken authentication and session management Collaborative Security NSFOCUS NSFOCUS Websafe or WVSS NSFOCUS ADS MSS for provides compliance reports for PCI audits, with suggestions for policy tuning and configuration improvement in order to comply more completely with PCI DSS. The cookie security feature within protects against cookie tampering and cookie poisoning in compliance with section in the new PCI 3.0 standard. Collaborative Security can import vulnerability assessment reports, delivered to from NSFOCUS Cloud Security Service (Websafe) or Web Vulnerability Scanning System (WVSS), and then produce corresponding security policies. In the case of a known vulnerability, can become more aggressive with blocking options to prevent attacks identified around a vulnerable location. collaborates with ADS to mitigate downtime risk of customers websites. Once TCP flooding traffic reaches the preset threshold in, will automatically notify ADS from upstream to divert and scrub the attack traffic in real time so as to lessen latency issues. NSFOCUS also offers a cloud-based managed security service (MSS) for operation and maintenance to supplement the customer s Security Operations (SecOps) team. 3 / 9

4 Key Features As web attacks escalate in complexity, their detection and mitigation must be designed for web security, which works beyond signatures. NSFOCUS safeguards your business-critical web applications and data against the evolving web threats with holistic detection and mitigation capabilities. Layered Defense NSFOCUS mitigates the OWASP Top 10 risks by combining a negative security model with a positive security model as well as application profile learning, equipped with multiple comprehensive detection and protection techniques. protects web applications and the underlying infrastructure by detecting applications, plug-ins, web servers and networks. In addition, with the multiple rule-based inspections, it can trace automated attacks by interactively validating user behaviors. The whitelist mechanism is the most effective method to stop zero-day attacks. automates the process of generating whitelists based on statistical analysis of HTTP request parameters, including the number, type, name and value of specified URLs. Emergency Response Through Cloud Security Service Powered by the NSFOCUS Cloud Security Service and supported by our R&D teams with rich experience spanning more than a decade, NSFOCUS consistently offers real-time protection against the latest known threats. Utilizing its virtual patch through updating application signatures and adjusting policies, can avert severe issues caused by newly identified vulnerabilities in applications, known vulnerabilities in legacy applications or 4 / 9

5 third-party applications, or newly discovered exploits. Ease of Use and Transparent, Drop-in Deployment NSFOCUS offers a friendly wizard for initial configuration, which guides the user to tune the security policies step by step through configuration of necessary website information including IP addresses, ports, OSs, web servers, and programming language. Default policy templates are also available to facilitate initial configuration. The exception policy is also supported to mitigate false positives. provides flexible deployment options with low overhead. One of the most common options is the drop-in transparent deployment without changes to existing applications or networks. Reverse proxy and out-of-path (traffic diversion and injection) options, which provide protection on demand, are available as well. 5 / 9

6 Web Application Firewall Specification Specification Security Model Application Attacks Prevention Content Modification Web Server Security Protocol Support HTTPS/SSL Inspection Anti-DDoS Network Security Collaborative Security PCI DSS Compliance Deployment Modes Description Negative security model (signature-based) Behavior-based protection Positive security model (whitelist security and dynamic profile learning) OWASP Top 10 Cross-Site Scripting (XSS) Injection Cross-site Request Forgery (CSRF) Remote File Inclusion (RFI) Path Traversal Illegal file upload/download restriction Malicious scanning Webshell Anti-Crawlers Anti-Leech Brute force Sensitive data exposure Content filtering Cookie signing/encryption Sensitive information filtering Web server/plug-in vulnerabilities signatures HTTP protocol validation HTTP access control HTTP 0.9/1.0/1.1 Passive decryption SSL offloading TCP floods (inspected throughput up to 1 Gbps) HTTP/S GET/POST floods Slow rate attacks Layer 4 ACL ARP spoofing protection Collaboration with NSFOCUS ADS Collaboration with NSFOCUS Websafe or WVSS Compliance reporting Inline transparent proxy Reverse proxy 6 / 9

7 Policy Management Management Logging/Monitoring High Availability TCP/IP Support Certification(s) Out-of-path (route diversion and injection) Image deployment Default policy templates Exception policy Custom policy Risk-level policy Web user interface (HTTP/S) Command line interface (SSH/console) SNMP Syslog Active/active; active/passive VRRP Internal software bypass to pass traffic without inspection Fail-open interfaces or integrated hardware bypass IPv4, IPv6 Veracode VL4 Certification from ICSA Labs Product Family Model NX3-P300A NX3-P600A NX3-P1000B NX3-P1600B NX3-P2000A Performance Application Layer Throughput Transactions per Second HTTP 200 Mbps 400 Mbps 1 Gbps 3 Gbps 6 Gbps HTTP 6,000 tps 10,000 tps 30,000 tps 55,000 tps 110,000 tps Hardware Chassis 1U 1U 2U 2U 2U 7 / 9

8 Protection Interface Options 4 x 4 x 6 x One optional slot (4 x BaseT; 4 x GE SX; or 4 x LX Fiber) 4 optional slots (4 x BaseT; 4 x GE SX; or 4 x LX Fiber) 4 optional slots (4 x BaseT; 4 x GE SX; or 4 x LX Fiber) Traffic Bypass Options Fail-open interfaces or integrated hardware bypass Internal software bypass to pass traffic without inspection Management Interface 1 x 1 x 1 x 2 x 2 x Serial Port 1 x RJ45 1 x RJ45 1 x RJ45 1 x RJ45 1 x RJ45 Hard Disk 1 TB, SATA 1 TB, SATA 1 TB, SATA 1 TB, SATA 1 TB, SATA Power Supply Single AC Single AC Dual AC Dual AC Dual AC Power Consumption 60 W 60 W 350 W 400 W 400 W Operating Temperature 0~40 0~40 0~40 0~ 40 0~40 Storage Temperature Weight 5 kg 5 kg 12.6 kg 11 kg 11 kg MTBF > 50,000 hrs > 50,000 hrs > 50,000 hrs > 50,000 hrs > 50,000 hrs Compliance CE, FCC, UL, CB, KCC, ROHS 8 / 9

9 For more information: For more information visit NSFOCUS Website: NSFOCUS is the trademark of NSFOCUS Information Technology Co., Ltd. NSFOCUS enjoys all copyrights with respect to all textual narrations, document formats, illustrations, photographs, methods, processes and other contents, unless otherwise specified, which shall be governed by relevant property rights and copyright laws. Without written permission of NSFOCUS, any individual or institution shall be prohibited to copy or quote any section herein in any way. About NSFOCUS NSFOCUS is a proven global leader in active perimeter security, focusing on industry-leading security research, products and services. With extensive knowledge and experience, NSFOCUS offers its customers and partners a full range of appliances including anti-ddos systems, Web application firewalls and intrusion prevention systems to help companies secure their networks and corporate-critical information. 9 / 9