Managed WAF Version1
About This Menu
Overview
[1] WAF: Web Application Firewall
Features
This menu has the following features:
- Reliable and secure operation by a managed security service: The Security Operation Center (SOC), which has a global security management system, monitors the management servers provided in this menu.
- Multi-function defense against threats to web application servers: NTT Com provides all-in-one security functions necessary to protect your web application server from various security threats such as attacks on vulnerabilities, unauthorized access and virus infection.
  ● WAF function, which provides protection against and detection of attacks and fraudulent access.
  ● Anti-Virus function for protection from viruses.
  ● IP reputation function, which provides detection of attacks from known threat sources.
- Immediate provision by self-operation and immediate setting change: Customers can use this menu immediately by operating the Security Control Panel through the Enterprise Cloud 2.0 Portal. Configuration changes made in the Security Control Panel are reflected immediately. Customers can use the necessary resources without initial investment or a minimum usage period, without owning assets, and can build a secure environment tailored to their business environment.
Available Functions
List of Available Functions
This menu provides the following functions:
Functions | Description |
---|---|
1.Security | Protection against and detection of attacks on the web application server, protection against virus infection, and detection based on well-known threat information. |
2.Network | Connects the "Device" to the Logical Network and sets the routing of its communication. |
3.Other Functions | Sends logs obtained by the "Device" to a syslog server managed by the Customer, and sets the time zone for the log timestamps recorded on the "Device". |
4.Security Incident Report | Automatically analyzes the "Device" logs and reports a security incident when there is information indicating that the "Device" received hostile incoming communication. |
5.Control Panel | Ability to set up applications and devices from the Security Control Panel of the Enterprise Cloud 2.0 Portal. |
6.Version Upgrade | Function to upgrade from Managed FW / UTM / WAF Version 1 to Managed FW / UTM / WAF Version 2. |
Description of Respective Functions
1.Security
Item | Description |
---|---|
Detection / prevention of attack communication in HTTP / HTTPS communication | |
Virus detection / prevention for files uploaded over HTTP / HTTPS communication | |
Detection based on well-known threat information | |
● WAF function
The specification of the WAF function is as follows.
Item | Description |
---|---|
WAF function | NTT Com inspects the web communication specified by the customer on a signature basis. It protects the web application server from various application-layer attacks such as cross-site scripting and SQL injection. If blocking by signature inspection causes a problem with the normal communication of the customer web application, the following settings can be changed on a signature basis. |
Trust / Black IP control function | Provides traffic control for the IP addresses that the customer specifies. |
DoS protection function | Limits the number of concurrent TCP connections from a single IP address and defends the customer web application server against connections deemed to be a DoS attack. The threshold can be specified in the following range. The action when the threshold is reached can be selected from the following. |
Decryption function | SSL communication can be decrypted and inspected. |
X-Forwarded-For function | The source IP address information can be set in the X-Forwarded-For HTTP header and sent to the customer web application server. |
Note
Signature updates are performed automatically.
Duplicate addresses cannot be set for Trust IP and Black IP.
When using the decryption function, the customer must prepare the server certificate. The customer can set / update it from the Security Control Panel.
Server certificates in PEM format or PKCS #12 format can be set.
● Initial Tuning Report
NTT Com can provide a report with policy tuning advice.
Note
Based on the tuning report, customers change the policy settings themselves from the Security Control Panel (setting each signature ID to detection only or disabling it).
● Antivirus function
The specifications of the Antivirus function are as follows:
Item | Description |
---|---|
Antivirus function | Detects / defends against viruses in data sent with the HTTP POST method. It prevents attackers from uploading viruses to the web application server. NOTE: This function is an additional function of the file upload restriction function. |
File upload restriction function | Limits the maximum size of data sent with the HTTP POST method. The maximum size can be specified in the following range. The following action is selectable when the data size exceeds the upper limit. |
● IP reputation function
The specifications of the IP reputation function are as follows.
Item | Description |
---|---|
IP reputation function | Detects attacks from known threat sources. The threat categories are below. |
Note
If the customer wants to block a detected IP address, register it as a Black IP in the Trust / Black IP control function.
Note
The graph above shows an example flow when the DoS protection function and the file upload restriction function are configured to block. Blocking is not performed when the action is configured for detection only.
The block screen is not shown when the DoS protection function blocks a packet. The function sends a reset packet.
2.Network
Item | Description |
---|---|
Interface | Sets the interface of the "Device" and connects it to the logical network. |
Routing | Sets the static routes and default gateway used to route communication. |
Note
Customers must create the logical network before this menu is provisioned.
The "Device" is connected to the Data Plane of the logical network; it is not connected to the Storage Plane.
Creating, modifying or deleting an interface of the "Device" requires a reboot of the "Device", and the MAC address of the interface is changed automatically.
3.Other Functions
Item | Description |
---|---|
Syslog transmission | Logs obtained at the "Device" are sent to a syslog server managed by the Customer. |
Time Zone Assignment | Sets the time zone of the timestamps recorded in the logs on the "Device". |
Note
Only one (1) destination can be set for syslog transmission.
If you change the time zone, the timestamps of logs recorded before the change are not rewritten.
4.Security Incident Report
Item | Description |
---|---|
Create Report | Device logs are analyzed automatically, and a "Security Incident Report" is generated when a threat is detected. |
Publish Report | The Security Incident Report is shown on the Security Control Panel through the Enterprise Cloud 2.0 Portal. |
Notify Report | When a Security Incident Report is generated, an e-mail notification is sent to the mail address registered on the Security Control Panel. |
● Security Incident Report
The "Security Incident Report" includes the following items:
Item | Description |
---|---|
Device | The Device Name, if there is any |
Reference | Automatically assigned ID |
Severity | Severity of the recognized threat |
Date and Time | The date and time of detection, and the date and time of last detection, of the reported threat |
Description | Description of the details of the recognized threat |
Recommendation/Action | Recommended measures and further action(s) against the threat |
Signature, DNS | Name of the signature, DNS information, etc. identified from the threat detections |
Note
All "Security Incidents" are reported in English.
When a customer uses this menu together with another menu such as Managed Firewall Version1 or Managed UTM Version1 in one tenant, the Security Incident Report is generated by correlation analysis of the logs of each device. A separate Security Incident Report is therefore not generated for each menu and device.
5.Control Panel
Item | Description |
---|---|
Order | Customers can subscribe to the Security Menu |
Operation | Customers can manage and / or configure the created "Device" |
● Order
The following actions are available from the Order Panel:
Item | Description |
---|---|
Add Device | Customers can create a new "Device" or add a "Device" |
Change | The Menu and / or Plan of a created "Device" is changed to update the setting details |
Delete Device | A created "Device" can be deleted and removed from operation |
Version upgrade | It is possible to upgrade from Managed WAF Version1 to Managed WAF Version2. |
● Operation
The following actions are available from the Operations Panel:
Item | Description |
---|---|
Device KPI | Resource status (such as CPU and memory) and traffic can be viewed. |
Document | The initial tuning report application sheet can be downloaded. |
Network Management | The interface of the "Device" is set here (and then connected to the logical network). |
Device Management | Customers can set security functions, routing of network functions, and other functions. |
Log Analysis | Customers can search logs by specifying conditions and download the results as a CSV file. |
Incident Reports | The Security Incident Report is posted here. |
Customer Profile | Customers can register the mail notification destination for the Security Incident Report. |
Information | Notable information is posted here. |
Note
In log analysis, the period for which logs can be viewed and searched is as follows. The integrity of the obtained logs is not ensured.
Web access log (traffic log): 7 days
Log acquired by security function (security detection log): 90 days
Customers who need to review logs over a longer period are advised to send the logs to a syslog server that they manage.
6.Version Upgrade
Menu
Plan
Plan | vCPU (Number) | Memory (GB) | Disk: System area (GB) | Disk: Data area (GB) | Interface (Maximum) |
---|---|---|---|---|---|
2CPU-4GB | 2 | 4 | 2 | 40 | 1 |
4CPU-6GB | 4 | 6 | 2 | 40 | 1 |
8CPU-12GB | 8 | 12 | 2 | 40 | 1 |
Note
If you want to implement load balancing or increase fault tolerance with this menu, prepare several menus (devices) and design them in combination with a load balancer.
Subscriptions Method
Order Types | Details | Subscription Methods | Offering Date |
---|---|---|---|
Add Device | Create the Device | Subscription by customer on security control panel. | Immediate |
Change | Change the "Device" Plan; Modify Menus to change settings | Same as the above. | Same as the above. |
Delete Device | Delete the Device | Same as the above. | Same as the above. |
Version upgrade | Device version upgrade | Same as the above. | Same as the above. |
Note
Only one (1) "Device" can be handled per "order". Customers who wish to order multiple "Devices" must therefore go through the order process on the Order screen once for each "Device".
The plan can be changed in all of the following patterns.
- 2CPU-4GB → 4CPU-6GB/8CPU-12GB ○
- 4CPU-6GB → 2CPU-4GB/8CPU-12GB ○
- 8CPU-12GB → 2CPU-4GB/4CPU-6GB ○
The "Device" has to reboot when the Plan is changed.
You cannot change from this menu to another menu.
When many orders are being processed at the same time, creating a "Device", changing Plans and so forth may take longer to complete.
When creating a device, the selectable zones and groups differ by region. Details are described under Region/Zone/Group in the service description.
If you want to migrate from the old version to a different plan of the new version, first migrate to the new version with the same plan, and then change the plan.
- Example: If you want to change from version 1 Managed Firewall (2CPU-4GB) to version 2 Managed Firewall (8CPU-12GB)
  1. Upgrade from version 1 Managed Firewall (2CPU-4GB) to version 2 Managed Firewall (2CPU-4GB).
  2. Change the plan from version 2 Managed Firewall (2CPU-4GB) to version 2 Managed Firewall (8CPU-12GB).
Restrictions
Unit | Maximum Number | Minimum Number |
---|---|---|
1 | No limit | 0 |
Terms And Conditions
Terms And Conditions
● Connection with logical network
Conditions of Use in Combination with Other Services
Pricing
Monthly Fee
Quality of Menu
Support Coverage
Operations
Item | Description |
---|---|
Security update version management | Manages signature updates |
Applies security patches | Applies security patches depending on the degree of influence (equivalent process to a version upgrade operation) |
Life Cycle Management of the Products | Proceeds with the updated versions in operations |
Monitoring / Maintenance | Operation monitoring and implementation of failure countermeasures for this device |
Restrictions
The restrictions of this menu are as follows:
Only HTTP / HTTPS communication can be processed with this menu. Communication other than HTTP / HTTPS, such as FTP and SSH, cannot be processed.
Communication cannot be processed when it uses protocols that are not RFC-compliant or when it is encapsulated.
The following IP addresses are not available for Interface, Routing, Address object and list. If these IP addresses are used, this menu cannot work correctly.
- 100.65.0.0/16
- 100.66.0.0/15
- 100.68.0.0/14
- 100.72.0.0/14
- 100.76.0.0/15
- 100.78.0.0/16
- 100.80.0.0/13
- 100.88.0.0/15
- 100.91.0.0/16
- 100.92.0.0/14
- 100.126.0.0/15
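The following check is an added example, not part of the original service description or any NTT Com tooling: it tests planned interface, route and address-list values against the unavailable ranges listed above before they are entered in the Security Control Panel. The setting names and addresses in the sample plan are constructed.

```python
import ipaddress

# Ranges the page lists as unavailable for Interface, Routing, Address object and list.
UNAVAILABLE = [ipaddress.ip_network(n) for n in (
    "100.65.0.0/16", "100.66.0.0/15", "100.68.0.0/14", "100.72.0.0/14",
    "100.76.0.0/15", "100.78.0.0/16", "100.80.0.0/13", "100.88.0.0/15",
    "100.91.0.0/16", "100.92.0.0/14", "100.126.0.0/15",
)]


def conflicts(value):
    """Return the unavailable ranges that a planned address or prefix overlaps."""
    # strict=False accepts interface-style input such as 100.66.1.10/24
    net = ipaddress.ip_network(value, strict=False)
    return [str(r) for r in UNAVAILABLE
            if net.version == r.version and net.overlaps(r)]


def audit(plan):
    """plan maps a setting name to an address or CIDR; return only offending entries."""
    findings = {}
    for name, value in plan.items():
        hit = conflicts(value)
        if hit:
            findings[name] = hit
    return findings


# Constructed sample plan (hypothetical setting names and addresses).
SAMPLE_PLAN = {
    "interface port4": "192.168.10.5/24",
    "static route 1": "100.64.0.0/10",    # supernet that contains every listed range
    "address object app": "100.90.3.7",   # gap between 100.88.0.0/15 and 100.91.0.0/16
    "black ip 1": "100.127.255.254",
    "default gateway": "100.65.0.1",
}

if __name__ == "__main__":
    for name, hit in audit(SAMPLE_PLAN).items():
        print(f"{name}: overlaps {', '.join(hit)}")
```

The overlap test matters for routes: a summary route such as 100.64.0.0/10 contains no listed range as an exact match but covers all of them, while 100.90.3.7 sits in a gap between listed ranges and passes.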
Please design the IP addresses in the logical network to which this menu is connected at your own responsibility. Please be careful not to duplicate the IP addresses etc. assigned to this menu.
Please create the Policy after the rule configuration is saved and completed.
Communication will be interrupted during maintenance work related to the device. We will carry out the work after notifying in advance, but the work date and time cannot be adjusted. If you want to minimize the effect, prepare multiple units of this menu and design them in combination with a load balancer.
The functions and logs provided by this menu are not guaranteed to have integrity, accuracy or compatibility with the customer's purpose of use.
NTT Com, as the service provider, is required to provide the following information to the developer(s) and / or vendor of the "Device" used in this menu, in order to investigate possible failures caused by incompatible settings or irregular operations. However, repair is not guaranteed if a failure or operational difficulty occurs as a result of operations that NTT Com did not intend. The following information is provided to the system developer and vendor:
Setting details and data obtained while the menu is provisioned.
Management details related to this provisioned menu.
There is a guideline for the upper limit of performance values. See (Reference) Performance measurement results of Managed WAF.