
G-Cloud Service Definition Atos Web Application Firewall

Atos Web Application Firewall

Atos, powered by Akamai, delivers a scalable web application firewall solution that maintains the performance and integrity of Web applications.

- A powerful web application firewall (WAF) mitigates business risks from Web application attacks and improves brand and customer confidence
- Powers innovation by bolstering your site's security triad: Confidentiality, Integrity and Availability
- Reduces Web application attack traffic, bandwidth costs and resource usage
- Cuts operational costs associated with constant Web application security infrastructure maintenance and upgrades
- Reduces capital expenditure on WAF security hardware and software
- Identifies and mitigates SQL injection attacks

What is it?

Atos Web Application Firewall (WAF) is a highly scalable edge defence service architected to detect and mitigate potential application layer attacks, including DDoS and SQL injection attacks, in HTTP and HTTPS traffic. Powered by Akamai's Intelligent Platform, attacks can be prevented in the network before they reach the customer's data centres. WAF is designed to scale instantly to preserve performance and to filter attack traffic close to the source, protecting your infrastructure and keeping your web applications up and running.

Features of the service include:

- Automatic, on-demand scaling to handle massive attacks
- Mitigation of attacks at the source, away from the origin datacentre
- Elimination of the need to provision and architect for Web Application Firewall failover
- Offloading of traffic from existing security architecture
- Reporting through the LUNA Control Centre portal

What makes us unique?

The UK-based Atos service team will be ready to assist with any queries relating to the service. Quality and resilience are critical elements in meeting the 24x7 demands of today's information needs. Our approach to service delivery ensures high performance, availability and a commitment to service continuity through fully redundant infrastructure and systems.

Atos brings the Akamai Intelligent Platform to the public sector, providing extensive reach coupled with unmatched reliability, security, visibility and expertise. Atos and Akamai remove the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand and enabling customers to securely leverage the cloud.

Customers can deploy Atos Web Application Firewall (WAF) independently or as part of an existing security ecosystem. The WAF provides a distributed approach to web application security by leveraging the Akamai Intelligent Platform and its distributed network architecture. The service scales automatically, on demand, offering the capability to defend against massive-scale attacks.

The service includes a number of key components:

- Application Layer controls, based on three categories of rule sets: the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set (CRS) 2.2.6, Common Rules and Custom Rules
- Network Layer controls: IP address blocking; IP White and Black listing; allow all except listed subnet ranges; deny all except listed subnet ranges
- Rate Controls: protect against DDoS attacks by limiting requests. Requests are controlled based on behaviour pattern, not request structure
- Logging & Reporting: event logging within the service, or use of the Real Time Reporting functionality that enables customers to incorporate WAF firewall events in near real time into their log management or security information and event management (SIEM) infrastructures; service reports such as the Firewall Rule Activities report and the Blocked IP report
- Security Monitor: real-time visualisation of WAF and rate control data


Contents

1 Introduction
1.1 Service summary
2 Service overview
3 Information assurance
4 Backup/restore and disaster recovery
5 On-boarding and off-boarding
6 Pricing
6.1 Clarification of Terms
6.2 Discount
7 Service management
8 Service constraints
9 Service levels
10 Financial recompense
11 Training
12 Ordering and invoicing process
13 Termination terms
13.1 By consumers (i.e. consumption)
13.2 By the Supplier (removal of the G-Cloud Service)
14 Data restoration / service migration
15 Customer responsibilities
16 Technical requirements
17 Trial service
18 Abbreviations and definitions

1 Introduction

As organisations continue to move business online, valuable corporate and financial assets are now connected to the Internet through application interfaces, exposing firms to sophisticated attacks. With the pervasiveness of critical Web applications, threats increasingly bypass traditional firewall security controls, so that the majority of attack traffic now uses the HTTP protocol to target Web applications. The severity of such attacks is underscored by the findings of the Web Application Security Consortium (WASC), which estimates that more than 95% of Web applications today have one or more vulnerabilities.

The security threats are increasing not only in number but also in sophistication. As applications migrate to the Web, they can be accessed and potentially exploited from anywhere in the world. Web applications (Layer seven of the OSI model) are fast becoming an attractive target for hackers. Layer seven attacks have grown year over year and now make up 62% of all cyber-attacks according to Symantec. The frequency and number of attacks is constantly on the rise, and Web applications can be targeted from any geographic location around the world.

1.1 Service summary

Web Application Firewall is provided by Atos, powered by Akamai, as a managed service that gives customers the ability to detect potential web application attacks in HTTP traffic as it passes through the Akamai infrastructure, before the traffic reaches the customer's data centre. The service can be configured such that, once anomalous and potentially malicious patterns in HTTP request headers are detected, an alert is issued or the traffic is blocked altogether.

Important characteristics: Risk Mitigation; PCI DSS 6.6

2 Service overview

How the Web Application Firewall service works

Web Application Firewall is a distributed WAF that provides a highly scalable, outer defensive ring for Web application protection. The module, through the implementation of network and Application Layer controls, helps prevent threats and exploitation techniques such as SQL Injection, Cross Site Scripting (XSS) and other HTTP attacks.

The Application Layer control detects and prevents application-layer attacks using a pre-defined core rule set based on ModSecurity, a trusted and proven industry-standard rule set that provides security against major exploitation techniques, including Cross Site Scripting, SQL Injection and other common application layer threats that target the customer's origin servers and associated applications. The module allows changes to firewall rules to customise the defence perimeter for each specific environment being protected.

WAF is an embedded process within the Akamai Edge Platform. As such, it is capable of inspecting both HTTP and HTTPS requests before the request is served. Because Akamai holds the private key used for the SSL session between the client and the Edge platform, customers who accelerate their secure application using Secure Delivery or Web Application Accelerator can easily enable WAF to protect these applications as well, without having to share their own private key with Akamai.

Portal Based Configuration

WAF is fully managed through the EdgeControl portal. Customers select, configure, enable and disable pre-defined firewall rules via the EdgeControl portal. For rules that are enabled, multiple actions are available, such as alert only, drop and notify. Changes to firewall policies can be implemented using a Fast Channel to propagate updates across the global Akamai network within several hours.

The Application Layer control is designed to detect and prevent Application Layer attacks targeting the customer's origin servers and associated applications. WAF, through the implementation of network and Application Layer controls, helps mitigate application threats and exploitation techniques such as SQL Injection, Cross Site Scripting (XSS) and other HTTP attacks.

Application Layer Controls

WAF provides customers with a rich set of Application Layer protocol rules that mitigate the risks associated with many of their Web application vulnerabilities. Customers can enable a default set of rules that are designed to protect against the attacks described in the OWASP Top 10. The rules provide protection against common Web layer attacks such as Cross Site Scripting, SQL Injection, HTTP Response Splitting and Command Injection. Individual rules can be enabled or disabled and can be configured to block or alert.

Network Layer Controls

The WAF service also provides network layer controls to allow or restrict requests from certain IP addresses, protecting the origin server from application layer attacks.

IP Black List

The ability to define, through a web portal, a list of IP addresses/CIDR blocks to be blocked, along with the subnet masks to be used in the matching process; the list can hold up to 512 entries. IP address updates can be propagated within 30 minutes. This supports a negative security model: accept all except that which is explicitly denied.

IP White List

The ability to define, through a web portal, a list of IP addresses or IP address ranges to be allowed; the individual IP address list can hold up to 512 entries, and IP address updates can be propagated within 30 minutes. The IP White List is used in conjunction with the Strict Whitelist feature, which allows traffic only from the defined addresses while denying all other traffic.

Strict IP White List

Allows only those IPs in the allowed IPs list; all other IPs are denied. This supports a positive security model: deny all except that which is explicitly trusted.

Rate Control

This Web Application Firewall feature enables a customer to specify the number of requests per second against a given URL, monitoring and controlling the rate of requests against the Akamai EdgePlatform. Rate Categories can be incorporated as WAF rules, enabling the customer to dynamically alert on and/or block clients exhibiting excessive request rate behaviours. If a client IP exhibits a request rate that exceeds either the Burst Threshold or the Average Threshold, its requests can be controlled until its request rate decreases to acceptable values.

Custom Rules

This feature enables a user to create their own Web Application Firewall rules. Custom rules let the Web Application Firewall's application layer defence stance be tailored, and can serve as Virtual Patches, whereby new website vulnerabilities may be mitigated quickly by the WAF while the application is patched and redeployed over time. Like all WAF features, the propagation of Custom Rules configurations is done via the WAF FastChannel. Additionally, the actions of each custom rule are reported alongside those of standard rules.

Logging and Reporting

The Web Application Firewall makes event logging and auditing, reporting and compliance checks available through the EdgeControl portal.

Logging

The Web Application Firewall supports event logging. Customers can elect to log firewall events using the Log Delivery Service (LDS), which now supports the addition of WAF events in the W3C and combined formats. Alternatively, customers can employ the new Real Time Reporting functionality, which enables them to incorporate WAF firewall events in near real time into their log management or security information and event management (SIEM) infrastructures. This new feature enables customers to increase their threat posture awareness.

Reporting

Reports such as the Firewall Rule Activities and Blocked IPs reports are constantly updated and delivered via the EdgeControl Portal.
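The network-layer controls (black list, white list, strict white list) and the rate control with its Burst and Average Thresholds, modelled in Python as an added illustration; this is not Akamai or Atos code. The class and function names, the evaluation order (deny list first, then strict white list, then rate control) and the window lengths are assumptions, and the 512-entry cap is the one stated above.

```python
import ipaddress
from collections import deque

MAX_LIST_ENTRIES = 512  # each IP list holds up to 512 entries (from the service description)


class IPListControl:
    """Network-layer control: a deny list gives the negative model (accept all except
    listed), a strict allow list gives the positive model (deny all except listed).
    Assumption for this illustration: the deny list is checked first in both modes."""

    def __init__(self, deny=(), allow=(), strict_allow=False):
        if len(deny) > MAX_LIST_ENTRIES or len(allow) > MAX_LIST_ENTRIES:
            raise ValueError("an IP list may hold at most %d entries" % MAX_LIST_ENTRIES)
        # strict=False lets an entry such as 198.51.100.7/24 stand for its whole block
        self.deny = [ipaddress.ip_network(n, strict=False) for n in deny]
        self.allow = [ipaddress.ip_network(n, strict=False) for n in allow]
        self.strict_allow = strict_allow

    def decide(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        if any(ip in net for net in self.deny):
            return "deny"
        if self.strict_allow:
            # positive model: deny all except that which is explicitly trusted
            return "allow" if any(ip in net for net in self.allow) else "deny"
        # negative model: accept all except that which is explicitly denied
        return "allow"


class RateControl:
    """Per-client rate control with a Burst Threshold over a short window and an
    Average Threshold over a long window, both in requests per second. A client is
    controlled (alerted on or blocked) while either threshold is exceeded; once its
    old requests age out of the windows its traffic passes again."""

    def __init__(self, burst_threshold, burst_window, average_threshold, average_window,
                 action="block"):
        self.burst_threshold = burst_threshold      # requests per second
        self.burst_window = burst_window            # seconds
        self.average_threshold = average_threshold  # requests per second
        self.average_window = average_window        # seconds
        self.action = action                        # "alert" or "block"
        self.history = {}                           # client ip -> deque of timestamps

    def observe(self, client_ip, now):
        q = self.history.setdefault(client_ip, deque())
        q.append(now)
        # forget requests older than the longest (average) window
        while q and now - q[0] > self.average_window:
            q.popleft()
        burst_rate = sum(1 for t in q if now - t <= self.burst_window) / self.burst_window
        average_rate = len(q) / self.average_window
        if burst_rate > self.burst_threshold or average_rate > self.average_threshold:
            return self.action
        return "allow"


def evaluate_request(client_ip, now, ip_control, rate_control):
    """Assumed order: network-layer verdict first; only allowed clients reach rate control."""
    if ip_control.decide(client_ip) == "deny":
        return "deny"
    return rate_control.observe(client_ip, now)


def simulate(client_ip, times, ip_control, rate_control):
    """Feed a constructed sequence of request timestamps (seconds) and return the verdicts."""
    return [evaluate_request(client_ip, t, ip_control, rate_control) for t in times]


if __name__ == "__main__":
    # constructed sample configuration and traffic
    ipc = IPListControl(deny=["198.51.100.0/24"], allow=["203.0.113.10"])
    rc = RateControl(burst_threshold=10, burst_window=1.0, average_threshold=2, average_window=10.0)
    print(simulate("192.0.2.1", [i * 0.05 for i in range(12)], ipc, rc))  # 10 allow, then 2 block
    print(simulate("198.51.100.7", [0.0], ipc, rc))                        # ['deny']
```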

3 Information assurance

Web Application Firewall is appropriate for processing IL0 data.

4 Backup/restore and disaster recovery

The Akamai platform offers 100% availability and is designed to withstand multiple points of failure. The platform is fully resilient and allows for multiple versions of a customer configuration to be kept. Customers are able to create a new configuration and push it out to testing and then production, or revert to a previous configuration, all through the customer portal.

5 On-boarding and off-boarding

The Atos Web Application Firewall service requires professional services to scope and integrate the applications to be protected. As such, the on-boarding process is customised and defined through this initial professional services engagement. A typical on-boarding process will involve the following stages:

- Scoping and gating, to gather the necessary details for the site and to identify any potential issues with site integration or additional features that may need to be enabled
- Resourcing, to identify and allocate resources to best fit the integration requirements and timescales
- Additional discovery of the environment to a more detailed level; this is carried out by professional services in conjunction with the customer and builds on the initial gating
- Internal testing or pre-configuration, to ensure any unusual requirements or environments are tested before an initial customer configuration
- Initial Configuration: creation of a suitable configuration for the site delivery service, followed by internal testing
- Staging: once tested, the configuration is pushed to a staging environment to give the customer access to start initial testing
- Staged Testing: working with the customer to address any issues in the configuration identified during the testing

6 Pricing

The pricing provided in the table below is based upon a minimum commitment of 12 months and is exclusive of VAT.

Web Application Firewall (WAF)

Notes: Estimated monthly usage in Mbps, MPV or GB is summed for all digital properties protected and is used to select a price tier below.

| Service Description | Pricing Unit | Tier Bottom | Tier Top | Price |
|---|---|---|---|---|
| Tier 3 - up to and including 50 Mbps, or 25 MPV, or 7,500 GB | per contract | 1 | | Monthly Fee 4,759.00 |
| Tier 2 - up to and including 200 Mbps, or 100 MPV, or 30,000 GB | per contract | 1 | | Monthly Fee 7,144.00 |
| Tier 1 - up to and including 1,000 Mbps, or 500 MPV, or 150,000 GB | per contract | 1 | | Monthly Fee 9,518.00 |
| Tier 0 - up to and including 1000 Mbps, or 500 MPV, or 300,000 GB | per contract | 1 | | Monthly Fee 13,590.00 |
| All Tiers - Setup Fee | per instance | 1 | | One Time Fee 9,900.00 |
| WAF: Rate Control sub-module | per module | 1 | | Monthly Fee 957.00 |
| WAF: Custom Rules sub-module | per module | 1 | | Monthly Fee 957.00 |
| WAF: Real-Time Reporting sub-module | per module | 1 | | Monthly Fee 957.00 |

6.1 Clarification of Terms

Mbps: megabit(s) per second
MPV: million Page Views
GB: gigabyte(s)

6.2 Discount

A forty per cent (40%) discount to the Monthly Fee recurring charges will be applied to customers who procure the service for a full twenty-four (24) month term. For the avoidance of doubt, the discount shall not apply to any consumption charges or set-up charges payable by the customer. Should the customer terminate the service before the end of the full twenty-four (24) month term, then the discounts that have been applied to the Monthly Fee recurring charges up to the date of termination shall become payable by the customer to the Supplier as a Termination Fee.

7 Service management

Atos Service Management Model (ASMM)

The Atos Service Management Model (ASMM) is a set of service management processes, implemented in the Atos organisation, by which Atos controls the delivery of continuous IT support services (services that a client buys on a long-term basis) and aligns these services to the customer's needs. As a major player in the provision of continuous IT services to the world's premier league companies, we act in a globally consistent manner, presenting a common interface to the client 24 hours a day, 7 days a week.

ASMM is built on the best practices in the ICT industry, as defined in the ITIL library version 3 (2011), enriched by the Service Delivery Best Practices of the former Atos Origin and Siemens Information Services. ASMM underpins both ISO/IEC 20000 (previously BS15000), the International Service Management Standard for IT service management, and ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements.

Special attention is given to the end-to-end governance of the services across the delivery units within Atos (on-, near- or offshore), demand-supply alignment, and the immediate communication of major service disruptions (incidents) and major changes to the client's demand organisation, involving them in priority setting and resolution progress.

Figure 1 - ITIL Service Process Overview

8 Service constraints

The Akamai Intelligent Platform does not require maintenance windows, due to the inherent nature of the platform design. Components can be taken out for maintenance without impacting the delivery of the customer application. Ancillary components, such as the customer portal, will have maintenance windows, although these are scheduled and customers are notified in advance.

9 Service levels

Standard Initial Response Times:

- Two (2) hours or less for P1 issues
- Four (4) hours or less for P2 issues
- Two (2) business days or less for P3 issues

All Support Requests reported via e-mail will be considered as P3.

- Live support during regular business hours for P2 and/or P3 issues
- Live 24x7x365 support for P1 issues

10 Financial recompense

To minimise the cost to users, Atos does not provide service credits for use of the service. All Atos services are provided on a reasonable endeavours basis. Please refer to the G-Cloud terms and conditions. In accordance with the guidance within the GPS G-Cloud Framework Terms and Conditions, the Customer may terminate the contract at any time, without cause, by giving at least thirty (30) Working Days' prior notice in writing. The Call Off Contract terms and conditions and the Atos terms will define the circumstances where a refund of any pre-paid service charges may be available.

11 Training

Customer training offerings are available on request.

12 Ordering and invoicing process

Ordering this product is a straightforward process. Please forward your requirements to the email address GCloud@atos.net. Atos will prepare a quotation and agree that quotation with you, including any volume discounts that may be applicable. Once the quotation is agreed, Atos will issue the customer with the necessary documentation (as required by the G-Cloud Framework) and ask the customer to provide Atos with a purchase order. Once received, the customer's services will be configured to the requirements as per the original quotation. For new customers, additional new supplier forms may need to be completed.

Invoices will be issued to the customer and Shared Services (quoting the purchase order number) for the services procured. On a monthly basis, Atos will also complete the mandated management information reports to Government Procurement Services detailing the spend that the customer has placed with us. Cabinet Office publish a summary of this monthly management information at: http://gcloud.civilservice.gov.uk/about/sales-information/.

13 Termination terms

13.1 By consumers (i.e. consumption)

Termination shall be in accordance with:

- The G-Cloud Framework terms and conditions
- Any terms agreed within the Call Off Contract under section 10.2 of the Order Form (termination without cause), where the Government Procurement Service (GPS) guidance states "At least thirty (30) Working Days in accordance with Clause CO-9.2 of the Call-Off Contract"
- Atos Supplier Terms for this Service as listed on the G-Cloud CloudStore

For this specific service, by default Atos asks for at least thirty (30) Working Days' prior written notice of termination, as per the guidance within the GPS G-Cloud Framework Terms and Conditions.

13.2 By the Supplier (removal of the G-Cloud Service)

Atos commits to continue to provide the service for the duration of the Call Off Contract, subject to the terms and conditions of the G-Cloud Framework and Atos Supplier Terms.

14 Data restoration / service migration

The platform allows for multiple versions of a customer configuration to be kept. Customers are able to create a new configuration and push it out to testing and then production, or revert to a previous configuration, all through the customer portal.

15 Customer responsibilities

The customer is required to provide Atos with the names of delegated authorities who can provide service instructions to Atos.

Customers must adhere to the Akamai Acceptable Use Policy; full details may be found at http://uk.akamai.com/html/policies/acceptable_use.html

General Conduct

Customer must use the Akamai Network and Services in a manner consistent with the permitted use of such Akamai Network and Services. Unless otherwise expressly permitted in writing by Akamai, Customer may not assign, transfer, distribute, resell, lease or otherwise provide access to any third party to the Akamai Network or Services, or use the Akamai Network or Services with or for the benefit of any third party (other than Internet end users). Customer may only use the Akamai Network and Services for lawful purposes and in accordance with this AUP.

Responsibility for Content

Akamai takes no responsibility for any Customer or User content created, accessible or delivered on or through the Akamai Network and Services. Akamai does not monitor or exercise any editorial control over such content. Customer is solely responsible for (i) any content published or made available through the Akamai Network or Services by Customer and its Users and (ii) compliance with all laws applicable to the publication and distribution of such content. Customer shall be solely responsible for maintaining a copy of its content.

Inappropriate and Illegal Content

Customer shall not use the Akamai Network and Services to transmit, distribute or store material that is inappropriate (including online gambling), as reasonably determined by Akamai, or material that is illegal, defamatory, libellous, indecent, obscene, pornographic, enables online gambling or is inconsistent with the generally accepted practices of the Internet community. Customer shall ensure that its and its Users' use of the Akamai Network and Services and all content transmitted, distributed or stored on the Akamai Network do not violate any applicable domestic or foreign laws or regulations, including but not limited to laws relating to content distribution, encryption or export, or any rights of any third party. Customer shall not use the Akamai Network and Services to transmit, distribute or store material that contains a virus, worm, Trojan horse, or other component harmful to the Akamai Network and Services, any other network or equipment, or other Users.

Intellectual Property

Customer shall not use the Akamai Network and Services in any manner that would infringe, dilute, misappropriate, or otherwise violate any privacy or other personal rights or any intellectual property rights, including but not limited to copyrights and laws protecting patents, trademarks, trade secrets or other proprietary information. If Customer uses a domain name in connection with its use of the Akamai Network and Services, such domain name must not violate any trademark, service mark, or other rights of any third party.

Fraudulent/Misleading Content

Customer shall not use the Akamai Network and Services to transmit or distribute material containing fraudulent offers for goods or services, or any advertising or promotional materials that contain false, deceptive, or misleading statements, claims, or representations.

Email and Spam

Customer shall not use the Akamai Network and Services to send unsolicited e-mail messages or USENET postings, including, without limitation, bulk commercial advertising or informational announcements ("spam"). Further, Customer is prohibited from using the service of another provider to send spam or to otherwise promote a site hosted on or connected to the Akamai Network. In addition, Customer shall not use the Akamai Network and Services to (a) send e-mail messages or USENET postings which are excessive and/or intended to harass or annoy others, (b) continue to send e-mail messages or USENET postings to a recipient who has indicated that he/she does not wish to receive them, (c) send e-mail messages or USENET postings with forged header information, or (d) send malicious e-mail messages or USENET postings, including, without limitation, "mailbombing." Akamai reserves the right to charge Customer at Akamai's standard rates for time required to handle any complaints that Customer or User violate this Email and Spam section.

Security Violations

Customer is prohibited from violating or attempting to violate the security of the Akamai Network and Services, or any third party network, system, server, or account, including, without limitation, engaging in any of the following activities: (a) accessing data, servers, accounts, databases, etc. which such Customer is not authorised to access, (b) impersonating Akamai personnel, (c) attempting to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures without proper authorization, (d) attempting to interfere with, disrupt or disable service to any user, host or network, including, without limitation, via means of overloading, "flooding," "mailbombing," "denial of service" attacks, or "crashing," (e) forging any TCP/IP packet header or any part of the header information in any e-mail or newsgroup posting, (f) taking any action in order to obtain services to which such Customer is not entitled, or (g) attempting to utilise another party's account name or persona without authorization from that party. Customer is also prohibited from attempting any action designed to circumvent or alter any method of measuring or billing for Akamai Services. Violations of system or network security may result in civil or criminal liability.

16 Technical requirements

Client applications must be internet facing.

17 Trial service

Trials (involving limited, non-production traffic) are available, as are paid-for Proof of Concept exercises, which can be configured to support full production traffic levels.

18 Abbreviations and definitions

Abbreviation / term: Definition

Adaptive Caching: A feature where customer-identified content is served from the Edge during an attack, maintaining service where the originating server(s) may be affected.

Cross Site Scripting (XSS): Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.

Denial of Service (DoS) Attack & Distributed Denial of Service (DDoS) Attack: A Denial-of-Service attack (DoS attack) or Distributed Denial-of-Service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet. A distributed attack includes multiple attack sources.

HTTP(S): Hyper Text Transfer Protocol (Secure). Hypertext is structured text that uses logical links (hyperlinks) between nodes containing text and is the basis of the World Wide Web (www). HTTP is the protocol used to exchange or transfer hypertext. HTTP utilises port 80, while HTTPS uses port 443 and utilises security mechanisms in the transmission of the data.

HTTP POST: A function of the HTTP protocol allowing information to be sent to a web service, such as a block of data that is the result of submitting a web form to a data-handling process, or an item to add to a database.

ISO20000: ISO/IEC 20000 is the first international standard for IT service management. It was developed in 2005 by ISO/IEC JTC1 SC7 and revised in 2011.[1] It is based on and intended to supersede the earlier BS 15000.

ISO27001: ISO/IEC 27001:2005, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements.

Abbreviation / term: ISO27002 MB Mbps MPV OSI Layers OWASP PCI-DSS SQL Injection Attack UDP Fragments; ICMP Floods; SYN Floods; ACK Floods; RESET Floods; and UDP Floods. URL Web application Attack Version ISO / IEC 27002 provides best practice recommendations on information security management for use by those responsible for initiating, implementing or maintaining information security management systems (ISMS). Mega Bytes a measure of cumulative network traffic Mega bits per second a measure of network bandwidth / throughput Million page views The Open Systems Interconnection (OSI) model (ISO/IEC 7498-1) is a conceptual model that groups similar communication functions into one of seven logical layers. A layer serves the layer above it and is served by the layer below it. For example, a layer that provides errorfree communications across a network provides the path needed by applications above it, while it calls the next lower layer to send and receive packets that make up the contents of that path. The Open Web Application Security Project (OWASP) is an open-source web application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). Techniques used as part of DoS or DDos attacks. 
A uniform resource locator, abbreviated URL, also known as web address Web Application attacks are attacks on the underlying applications and scripts supporting web services such as PHP, Java EE, Java, Python, 21

Abbreviation / term: Web Application Firewall Version A web application firewall is a form of firewall which controls input, output, and/or access from, to, or by a web application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet the configured policy of the firewall. The application firewall is typically built to control all network traffic on any OSI layer up to the application layer. It is able to control applications or services specifically, unlike a stateful network firewall which is - without additional software - unable to control network traffic regarding a specific application. 22
