7.6. Web Application Firewall (WAF)
The Web Application Firewall (WAF) is a service that blocks attack traffic on Web applications.
Note
- Web Application Firewall (WAF) is used via Service Interconnectivity. You need to apply separately for Service Interconnectivity.
7.6.1. Available Features
You can use the following features in Web Application Firewall (WAF).
| Feature | Overview |
| --- | --- |
| Web Application Firewall | This feature detects attack traffic on Web applications, and blocks attack traffic which has a high probability of exerting a negative impact. |
7.6.2. Web Application Firewall Feature
This feature detects attack traffic on Web applications, and blocks attack traffic which has a high probability of exerting a negative impact.
Note
- If NTT Communications judges it necessary, we will notify you via email, etc. regarding the detection and blocking status.
Only communication that goes through the Web Application Firewall (WAF) is targeted for detection. When using Web Application Firewall (WAF), please use the following routing settings.
- On the vFirewall/Integrated Network Appliance, route communication addressed to the IP address block assigned for connecting to the Web Application Firewall (WAF) to the Service Interconnect Gateway used by the Web Application Firewall (WAF).
- On the Virtual Machines in the Server Segment targeted for detection, route outbound communication from the Virtual Machine to the Service Interconnect Gateway used by the Web Application Firewall (WAF).
- If you perform Ping monitoring of the Virtual Machine, you need an additional Server Segment for a direct connection between the vFirewall/Integrated Network Appliance and the Virtual Machine.
Note
- Please do not connect the Server Segments targeted for detection directly to vFirewall/Integrated Network Appliance.
The traffic volume that can be analyzed by Web Application Firewall (WAF) is shown below.
| Item | Performance (maximum value) | Remarks |
| --- | --- | --- |
| Traffic Processing Capacity | 1 Gbps | The total value of uplink and downlink. |
| RPS (requests per second) | 75,000 rps | - |
| CPS (connections per second) | 10,000 cps | - |
The Web Application Firewall (WAF) is configured in an active/standby structure. If a failure occurs in the active device, the switchover from the active device to the standby device will be performed automatically.
Staging is a process that increases the accuracy of detection and blocking of attack traffic. When you apply for Web Application Firewall (WAF), you can choose whether to implement staging. We recommend implementing it in order to reduce the amount of false positive detections.
If staging is implemented, a staging time period is set (approximately 1 - 4 weeks after you start using IPS mode) during which only detection of attack traffic is performed and traffic is not blocked. After the staging time period, please check to see whether the traffic that the Web Application Firewall (WAF) detects as being targeted for blocking is normal traffic. Based on the results of the confirmation, the Web Application Firewall (WAF) settings will be adjusted.
A policy is the set of defense rules applied by the Web Application Firewall (WAF). By default, one policy is operated in the Web Application Firewall (WAF).
You can use the Web Application Firewall (WAF) to decrypt SSL communications and inspect them.
Important
- You cannot use the SSLv3 protocol to connect from a client to the Web Application Firewall (WAF).
If SSL decryption is necessary for WAF inspection, the customer is asked to prepare a certificate and submit it during the application process. When submitting a certificate, take note of the following instructions:
- The customer is asked to acquire the certificate and to perform its updates (renewals).
- Submit the certificate in PKCS#12 or PEM format.
- Both the server certificate and its private key file are required.
- Do not include the CA's root certificate.
- If an intermediate certificate and a cross-root certificate are required, include those certificates as well. IIS and some other systems include the root certificate when exporting the intermediate certificate etc. at the same time. In this case, please transfer the server certificate and the intermediate certificate/cross-root certificate separately.
- When you send an intermediate certificate and a cross-root certificate separately, transfer each of them as one file in which all necessary certificates are arranged in the correct order. In this case, you can use the PEM format to transfer them.
- When you create the server certificate file, it is recommended to protect the file with a password. (When transferring the server certificate, send the password in a separate message.) Specify the password when creating the PKCS#12 file. Alternatively, transfer it as a ZIP file encrypted with a password.
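The following POSIX shell script is an added example, not part of this manual or of NTT Communications' procedures. Using only the `openssl` command line, it creates a throwaway test PKI (root, intermediate, server certificate, all constructed on the fly), builds a PEM bundle with the server certificate first and the intermediate after it (the standard TLS chain order, which is assumed here to be what the manual calls "the correct order"), checks that no self-signed root certificate slipped into the bundle, confirms the chain validates, and exports a password-protected PKCS#12 file. The hostname `www.example.test`, the `$WORK` directory and the password are constructed values.

```shell
#!/bin/sh
# Added example (not from the manual): preparing a WAF certificate bundle
# with openssl. The whole PKI below is a constructed, throwaway test setup.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/test.cnf"

# openssl config for the constructed test PKI (the CN is overridden by -subj)
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_srv]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# make_test_pki: root CA -> intermediate CA -> server certificate (constructed)
make_test_pki() {
  openssl req -x509 -config "$CFG" -extensions v3_ca -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 3 -subj "/CN=Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -config "$CFG" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=Test Intermediate" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$CFG" -extensions v3_ca -out "$WORK/inter.crt" 2>/dev/null
  openssl req -config "$CFG" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=www.example.test" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 1 -extfile "$CFG" -extensions v3_srv -out "$WORK/server.crt" 2>/dev/null
}

# build_chain: the bundle to submit is leaf first, then the intermediate(s).
# The root certificate is left out on purpose; prints the bundle path.
build_chain() {
  cat "$WORK/server.crt" "$WORK/inter.crt" > "$WORK/chain.pem"
  printf '%s\n' "$WORK/chain.pem"
}

# split_bundle: write each PEM certificate of $1 to $WORK/partN.pem
split_bundle() {
  rm -f "$WORK"/part*.pem
  awk -v dir="$WORK" '/BEGIN CERTIFICATE/ {n++} {print > (dir "/part" n ".pem")}' "$1"
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# bundle_has_root: succeeds (0) if any certificate in $1 is self-signed, i.e. a
# root certificate was exported into the bundle by mistake (the IIS case above).
bundle_has_root() {
  split_bundle "$1"
  for f in "$WORK"/part*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^[^=]*=//')
    iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^[^=]*=//')
    [ "$subj" = "$iss" ] && return 0
  done
  return 1
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# leaf_is_first: succeeds if the first certificate in $1 is the server certificate
leaf_is_first() {
  split_bundle "$1"
  [ "$(fingerprint "$WORK/part1.pem")" = "$(fingerprint "$WORK/server.crt")" ]
}

# chain_verifies: the leaf must validate up to the locally trusted root using
# only the intermediates carried in the bundle $1.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# export_pkcs12: key + leaf + intermediate, protected with the password in $1
export_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/inter.crt" -passout "pass:$1" -out "$WORK/waf-bundle.p12"
}

# pkcs12_opens_with: succeeds if password $1 unlocks the exported bundle
pkcs12_opens_with() {
  openssl pkcs12 -in "$WORK/waf-bundle.p12" -passin "pass:$1" -nokeys -noout 2>/dev/null
}

# Demonstration run
make_test_pki
CHAIN=$(build_chain)
echo "certificates in bundle: $(count_certs "$CHAIN")"
if bundle_has_root "$CHAIN"; then echo "root present: remove it"; else echo "no root in bundle"; fi
leaf_is_first "$CHAIN" && chain_verifies "$CHAIN" && echo "order and chain OK"
export_pkcs12 'constructed-example-password'
pkcs12_opens_with 'constructed-example-password' && echo "PKCS#12 written to $WORK/waf-bundle.p12"
```

In practice the server certificate and key come from your own CA or a public CA rather than from `make_test_pki`; the checks (`bundle_has_root`, `leaf_is_first`, `chain_verifies`) are the part worth running against a real bundle before sending it, and the password for the PKCS#12 file goes in a separate message as the manual asks.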
7.6.3. Important Points
Used IP Addresses
- In order to connect the Service Interconnect Gateway with the Web Application Firewall (WAF), you must have two IP address blocks available.
- NTT Communications will manage the assigned IP address blocks, and assign IP addresses to the devices that require them.
- When using Web Application Firewall (WAF), the following address ranges cannot be used in customer networks that communicate with Server Segments and Enterprise Cloud.
- 172.17.62.0/23
- The address block specified as the HA segment in the WAF redundant configuration
- When the actual traffic volume exceeds the contracted traffic volume, the excess traffic might be discarded.
- The following health check communication is sent from the devices that provide the Web Application Firewall (WAF) feature to the Virtual Machine. Allow this communication in the Virtual Machine settings.
- ICMP
- L4 health check (establishing a TCP 3-way handshake)
- Web Application Firewall (WAF) does not guarantee that the feature that detects and blocks attack traffic on Web applications has integrity or accuracy, or is suitable for your use. Furthermore, the suitability of the signatures (algorithms that judge the degree of danger and attack traffic) provided by the developers or distributors of the devices making up the Web Application Firewall (WAF) feature is not guaranteed.
- The following information might be provided to the developers or distributors of the devices making up the Web Application Firewall (WAF) feature.
- Configuration information obtained from providing Web Application Firewall (WAF)
- Information obtained from Web Application Firewall (WAF) controls, etc.
- We cannot guarantee recovery from failures that might occur due to incompatibility between Web Application Firewall (WAF) and your environment, or failures that occur due to your operations other than those specified by NTT Communications.
- There may be times when the customer’s environment is affected by maintenance work. Advance notice will be sent when the customer’s environment might be affected. This does not apply when we judge the maintenance work to be urgent in order to continue the service.