Enterprise Cloud Knowledge Center


Managed WAF Version2

About This Menu

Overview

Managed WAF [1] is available within an Enterprise Cloud 2.0 tenant and detects and prevents security threats such as unauthorized access to web application servers and attack communication.
It connects to a logical network within the tenant owned by the customer, and communication is inspected and controlled according to the customer's policy.
Please note that this menu is provided as a security managed service, and its global security management system minimizes the risk of cyber attacks and similar threats.
(Hereafter, Managed WAF is referred to as "this menu", and the facility providing the function is referred to as the "device".)

Figure: Overview of Managed WAF

This menu works as a reverse proxy server. The device receives communication from the client, inspects it, and then sends it to the customer's web application server.

[1] WAF ... Web Application Firewall


Features

This menu has the following features:

  1. Reliable and secure operation by a security managed service
    The Security Operation Center (SOC), which has a global security management system, monitors the management servers provided in this menu.

  2. Multi-function defense against threats to web application servers
    NTT Com provides the all-in-one security functions necessary to protect your web application server from security threats such as attack communication targeting vulnerabilities, unauthorized access, and virus infection.

    ● WAF function, which detects and protects against attacks and fraudulent access.
    ● Anti-Virus function, which protects against viruses.
    ● IP reputation function, which detects attacks from sources known as threats.

  3. Immediate provisioning and immediate setting changes by self-operation
    Customers can start using this menu immediately by operating the Security Control Panel through the Enterprise Cloud 2.0 Portal. Configuration changes made in the Security Control Panel are reflected immediately.
    Customers can use the necessary resources without initial investment, without a minimum usage period, and without owning assets, and can build a secure environment tailored to their business environment.


Available Functions

List of Available Functions

This menu provides the following functions:

| Functions | Description |
|---|---|
| 1. Security | Detects and protects against attacks on the web application server, protects against virus infection, and detects sources known as threats. |
| 2. Network | Connects the "Device" to the logical network and / or routes communication. |
| 3. Other Functions | Sends logs obtained by the "Device" to a syslog server managed by the customer, and sets the time zone for the log content recorded on the "Device". |
| 4. Security Incident Report | The "Device" analyzes its own logs and reports any security incident once information indicates that it has received hostile incoming communication. |
| 5. Control Panel | Sets up applications and devices from the Security Control Panel of the Enterprise Cloud 2.0 Portal. |
| 6. Version Upgrade | Upgrades Managed FW / UTM / WAF Version 2. |


Description of Respective Functions

1. Security

Security provides the following functions.

| Item | Description |
|---|---|
| WAF function | Detects and prevents attack communication in HTTP / HTTPS communication |
| Anti-Virus function | Detects and prevents viruses in files uploaded over HTTP / HTTPS communication |
| IP Reputation function | Detects sources known as threats |

● WAF function

The specification of the WAF function is as follows.

Item

Description

WAF function

NTT Com inspects the web communications specified by the customer on a signature basis.
This protects the web application server from application-layer attacks such as cross-site scripting and SQL injection.
If blocking by signature inspection causes a problem with the normal communication of the customer's web application, the following settings can be changed on a per-signature basis.

  • Detection only (not blocking)

  • Invalid (not inspected)

Trust / Black IP control function

Provides traffic control for the IP addresses that the customer specifies.

  • Trust IP (unconditionally permitted IP address)

  • Black IP (unconditionally blocked IP address)

DoS protection function

Limits the number of concurrent TCP connections from a single IP address, defending the customer's web application server against connections deemed to be a DoS attack.
The threshold can be specified in the following range.

  • 1〜65535

The action when the threshold is reached can be selected from the following.

  • Detection only (not blocking)

  • Block

Decryption function

Decrypts SSL communication so that the communication can be inspected.

X-Forwarded-For function

Sets the source IP address information in the X-Forwarded-For HTTP header and sends it to the customer's web application server.

Note

  • Signature updates are performed automatically.

  • Duplicate addresses cannot be set for Trust IP and Black IP.

  • When using the decryption function, the customer must prepare the server certificate. The customer can set / update it from the Security Control Panel.

    • Server certificates in PEM format or PKCS #12 format can be set.
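
Because the device is a reverse proxy, the web application server sees the device as the TCP peer, and the X-Forwarded-For function is what carries the client address. The helper below is an added example, not NTT Com code: it honors the header only for requests that arrive from the device. The device address, the function name, and the premise that the device appends the client address as the last header entry are assumptions.

```python
import ipaddress

# Assumption: interface address of the Managed WAF device on the logical
# network (constructed value; replace with the address you configured).
WAF_DEVICE_ADDRS = frozenset({ipaddress.ip_address("192.168.10.5")})


def client_ip(peer_addr, xff_header):
    """Return the address to log or rate-limit on for one request.

    peer_addr  -- source address of the TCP connection seen by the backend
    xff_header -- raw X-Forwarded-For value, or None when absent
    """
    peer = ipaddress.ip_address(peer_addr)

    # A request that did not come through the device could carry any
    # X-Forwarded-For value the sender likes, so the header is ignored.
    if peer not in WAF_DEVICE_ADDRS or not xff_header:
        return str(peer)

    # Assumption: the device appends the address it saw as the last entry.
    # Entries to its left were supplied by the client and are not trusted,
    # so walk from the right and stop at the first non-device address.
    for token in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(token.strip())
        except ValueError:
            return str(peer)  # malformed entry: fall back to the peer
        if addr not in WAF_DEVICE_ADDRS:
            return str(addr)
    return str(peer)


# Constructed sample requests: (TCP peer, X-Forwarded-For header)
SAMPLES = [
    ("192.168.10.5", "203.0.113.7"),
    ("192.168.10.5", "10.0.0.1, 203.0.113.7"),  # client pre-set the header
    ("198.51.100.9", "10.0.0.1"),               # did not pass the device
    ("192.168.10.5", "not-an-address"),
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, repr(xff), "->", client_ip(peer, xff))
```

If the backend is reachable only through the device, the first branch never fires; keeping it means a routing mistake shows up in logs as the real peer address instead of a header value the sender chose.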


● Initial Tuning Report

NTT Com can provide a report with policy tuning advice.

  • The initial tuning report is provided only once per device, upon application by the customer.

  • NTT Com reports on the top ten signatures with the most detections.

  • To perform initial tuning, logs must be acquired for 4 weeks or more (standard).

    • Please operate the device in Monitor Mode for 4 weeks or more, generate real traffic or communication close to real traffic through the device, and then apply for the initial tuning report.

  • The initial tuning report application sheet is posted under "Security Control Panel → Operation → document". Please fill in the necessary items and submit the request through the Enterprise Cloud 2.0 ticket system.

  • Providing the initial tuning report takes about 4 weeks (approximate). Please note that the time until delivery varies depending on congestion at the time of application and the log detection situation.

Note

  • Based on the tuning report, customers change the policy settings themselves from the Security Control Panel (changing each signature ID to detection only or invalid).


● Antivirus function

The specifications of the Anti-Virus function are as follows:

Item

Description

Antivirus function

Detects and defends against viruses in data sent with the HTTP POST method. It prevents attackers from uploading viruses to the web application server.

NOTE: This function is an additional function of the file upload restriction function.

File upload restriction function

Limits the maximum size of data sent with the HTTP POST method. The maximum size can be specified in the following range.

  • 1024KB〜10240KB (1MB〜10MB)

The following actions are selectable when the data size exceeds the upper limit.

  • Detection only (not blocking)

  • Block


● IP reputation function

The specifications of the IP reputation function are as follows.

Item

Description

IP reputation function

Detects attacks from sources known as threats. The threat categories are as follows.

  • DDoS: Source identified as participating in DDoS attack

  • Phishing: Sources that are complicit in phishing attacks or are identified as hosting websites for phishing attacks

  • Anonymous proxy: Traffic that is sent via an anonymous proxy to disguise the original identity of the client and whose source is hidden

  • Malicious source: a host known to be infected by harmful software

  • Spammer: a host known to be sending spam

Note

  • If the customer wants to block a detected IP address, please register it as a Black IP in the Trust/Black IP control function.


● Reference: Control flow

Figure: WAF Process

Note

  • The figure above shows an example flow when the DoS protection function and the file upload restriction function are configured to block. Blocking is not executed when the action is configured as detection only.

  • No block screen is shown when the DoS protection function blocks a packet. The function sends a reset packet.


2. Network

Network provides the following functions.

| Item | Description |
|---|---|
| Interface | Sets the interface of the "Device", which is then connected to the logical network. |
| Routing | Sets the static routes and default gateway used to route communication. |

Note

  • Customers must create the logical network before this menu is provisioned.

  • The "Device" is connected to the Data Plane of the logical network; it is not connected to the Storage Plane of the logical network.

  • Creating, changing, or deleting an interface of the "Device" requires a reboot of the "Device", and the interface MAC address is changed automatically.


3. Other Functions

Other Functions provides the following functions.

| Item | Description |
|---|---|
| Syslog transmission | Sends logs obtained by the "Device" to a syslog server managed by the customer. |
| Time Zone Assignment | Sets the time zone of the timestamps recorded in logs on the "Device". |

Note

  • Only one (1) destination can be set for syslog transmission.

  • If you change the time zone, the timestamps of logs recorded before the change are not rewritten.


4. Security Incident Report

Security Incident Report provides the following functions.

| Item | Description |
|---|---|
| Create Report | Device logs are analyzed automatically, and a "Security Incident Report" is generated when a threat is recognized. |
| Publish Report | The Security Incident Report is shown on the Security Control Panel through the Enterprise Cloud 2.0 Portal. |
| Notify Report | When a Security Incident Report is generated, an e-mail notification is sent to the mail address registered on the Security Control Panel. |
| Report notification level setting | Changes the severity criteria for creating an Incident Report. |

● Security Incident Report

The "Security Incident Report" includes the following items:

| Item | Description |
|---|---|
| Device | The device name, if there is any |
| Signature | Threat name |
| Severity | Severity of the recognized threat |
| Confidence | Detection accuracy |
| Reference | Automatically assigned ID |
| Date and Time | The date and time of detection, and the date and time of last detection, of the reported threat |
| Description | Description of the details of the recognized threat |
| Access Patterns | Diagram of threat access status |
| Details | Threat details |

Note

  • All "Security Incidents" are reported in English.

  • When a customer uses this menu together with other menus such as Managed Firewall Version2 or Managed UTM Version2 in one tenant, the Security Incident Report is generated by correlation analysis of the logs of each device. A separate Security Incident Report is therefore not generated for each menu and device.


5. Control Panel

The Control Panel functions support the following operations.
For details, see the Enterprise Cloud 2.0 tutorial.

| Item | Description |
|---|---|
| Order | Customers can subscribe to the Security Menu |
| Operation | Customers can manage and / or configure the created "Device" |

● Order

The following actions are available from the Order Panel:

| Item | Description |
|---|---|
| Add Device | Customers can create a new "Device" or add a "Device" |
| Change | Changes the Menu and / or Plan of a created "Device" to update its settings |
| Delete Device | Deletes a created "Device" to remove it from operation |

● Operation

The following actions are available from the Operations Panel:

| Item | Description |
|---|---|
| Device KPI | Displays resource status (such as CPU and memory) and traffic. |
| Document | The initial tuning report application sheet can be downloaded. |
| Network Management | Sets the interface of the "Device" (which is then connected to the logical network). |
| Device Management | Customers can set security functions, routing of network functions, and other functions. |
| Log Analysis | Customers can specify search conditions with condition tags and download the data as a CSV file. |
| Incident Reports | The Security Incident Report is posted here. |
| Customer Profile | Customers can register the mail notification destination for the Security Incident Report. |
| Information | Notable information is posted here. |

Note

  • In log analysis, logs can be viewed and searched for the periods below. The integrity of the obtained logs is not ensured.

    • Web access log (traffic log): 7 days

    • Log acquired by security function (security detection log): 90 days

  • Customers who want to review logs over a longer period are advised to send them to a syslog server that they manage.


6. Version Upgrade

The Version Upgrade function provides the following features:

| Item | Description |
|---|---|
| GetFirmwareSatus | Checks whether the target device is a target of the version upgrade. |
| Firmware Update | Executes the version upgrade of the target device. |



Menu

Plan

This menu provides the following plans:

| Plan | vCPU (Number) | Memory (GB) | Disk: System area (GB) | Disk: Data area (GB) | Interface (Maximum) |
|---|---|---|---|---|---|
| 2CPU-4GB | 2 | 4 | 2 | 40 | 1 |
| 4CPU-6GB | 4 | 6 | 2 | 40 | 1 |
| 8CPU-12GB | 8 | 12 | 2 | 40 | 1 |

Note

  • To implement load balancing or increase fault tolerance with this menu, prepare several menus (devices) and design them in combination with a load balancer.


Subscriptions Method

Customers with Enterprise Cloud 2.0 can, in principle, request to subscribe to this menu.
Subscription types, subscription methods, and delivery are as follows:

| Order Types | Details | Subscription Methods | Offering Date |
|---|---|---|---|
| Add Device | Create the Device | Subscription by the customer on the Security Control Panel. | Immediate |
| Change | Change the "Device" Plan; modify menus to change settings | Same as the above. | Same as the above. |
| Delete Device | Delete the Device | Same as the above. | Same as the above. |

Note

  • Only one (1) "Device" can be handled per order. Customers who wish to order multiple "Devices" must go through the order screen once for each "Device".

  • A plan change can be performed in all of the following patterns.

    • 2CPU-4GB → 4CPU-6GB/8CPU-12GB ○
    • 4CPU-6GB → 2CPU-4GB/8CPU-12GB ○
    • 8CPU-12GB → 2CPU-4GB/4CPU-6GB ○
  • When the plan is changed, the "Device" has to reboot.

  • You cannot change from this menu to another menu.

  • When multiple subscription orders are being processed at the same time, creating a "Device", changing plans, and similar operations may take longer to complete.

  • When creating a device, the selectable zones and groups differ by region. Details are described under Region/Zone/Group in the service description.


Restrictions

The sales unit and the maximum and minimum number of units are as follows.

| Unit | Maximum Number | Minimum Number |
|---|---|---|
| 1 | No limit | 0 |


Terms And Conditions

Terms And Conditions

● Connection with logical network

In all plans, this menu is a one-armed configuration that connects to the logical network with one interface to transmit and receive traffic.

Figure: Connection for WAF


Conditions of Use in Combination with Other Services

This menu has no specific restrictions on combined use with other services.

Minimum Use Period

This menu does not require a minimum usage period.


Pricing

Initial Fee

No initial fee is charged for this menu, regardless of the plan subscribed.

Monthly Fee

This menu has a fixed monthly fee, regardless of usage time.
If the plan or menu of a device is changed in the middle of the month, the monthly fees of the plans or menus used in that month are compared, and the highest rate is applied as the monthly fee.


Quality of Menu

Support Coverage

All functions and facilities provided in this menu are within the support range.
However, design work using this menu is not supported.
Also, if a certificate is used, please obtain and update the certificate at your own risk.

Operations

This menu is subject to the operational quality defined as standard in Enterprise Cloud 2.0.
Furthermore, the following operations are provided for this menu:

| Item | Description |
|---|---|
| Security update version management | Manages signature updates |
| Applies security patches | Applies security patches depending on the degree of influence (equivalent process to the version upgrade operation) |
| Life Cycle Management of the Products | Proceeds with version upgrades in operation |
| Monitoring / Maintenance | Operation monitoring and failure countermeasures for this device |


SLA

The SLA of this menu conforms to the SLA defined as standard in Enterprise Cloud 2.0.


Restrictions

The restrictions of this menu are as follows:

  • Only HTTP / HTTPS communication can be processed with this menu. Communication other than HTTP / HTTPS, such as FTP and SSH, cannot be processed.

  • Communication cannot be processed when it uses protocols that are not RFC-compliant or when it is encapsulated.

  • The following IP addresses are not available for Interface, Routing, Address object and list. If these IP addresses are used, this menu cannot work correctly.

    • 100.65.0.0/16
    • 100.66.0.0/15
    • 100.68.0.0/14
    • 100.72.0.0/14
    • 100.76.0.0/15
    • 100.78.0.0/16
    • 100.80.0.0/13
    • 100.88.0.0/15
    • 100.91.0.0/16
    • 100.92.0.0/14
    • 100.126.0.0/15
  • Please design the IP addresses in the logical network to which this menu is connected at your own risk. Be careful not to duplicate the IP addresses and other values assigned to this menu.

  • Please create the Policy after the rule configuration has been saved and completed.

  • Communication will be interrupted during maintenance work related to the device. We will notify you in advance before carrying out the work, but the work date and time cannot be adjusted. To minimize the effect, prepare multiple units of this menu and design them in combination with a load balancer.

  • The functions and logs provided by this menu do not ensure integrity, accuracy, or compatibility with the customer's purpose of use.

  • NTT Com, as the service provider, is required to provide the following information to the developer(s) and / or vendor of the "Device" in order to investigate failures that may arise from incompatible settings or irregular operation. However, resolution is not guaranteed when an operational problem or failure occurs as a result of operation that NTT Com did not intend. The following information is provided to the developer and vendor:

    • Setting details and data obtained at the time the menu is provisioned.

    • Management details related to this provisioned menu.

  • There is a guideline for the upper limit of performance values. See (Reference) Performance measurement results of Managed WAF.
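
A pre-provisioning check for the unavailable IP address ranges in the restriction list above, as an added example that is not NTT Com code: it flags planned interface, route and address-object values that fall inside a listed range, and separately flags broader prefixes that contain one. The plan labels and sample addresses are constructed, and exempting 0.0.0.0/0 (the default route) is an assumption.

```python
import ipaddress

# Ranges copied from the restriction list on this page.
UNAVAILABLE = [ipaddress.ip_network(c) for c in (
    "100.65.0.0/16", "100.66.0.0/15", "100.68.0.0/14", "100.72.0.0/14",
    "100.76.0.0/15", "100.78.0.0/16", "100.80.0.0/13", "100.88.0.0/15",
    "100.91.0.0/16", "100.92.0.0/14", "100.126.0.0/15",
)]


def reserved_conflicts(plan):
    """Check planned addresses against the unavailable ranges.

    plan maps a label (hypothetical naming) to an address or CIDR string.
    Returns (label, value, unavailable_range, relation) tuples where
    relation is "inside" (value lies within the range), "covers" (value is
    a broader prefix containing the range, for manual review) or "invalid"
    (value does not parse; unavailable_range is then None).
    """
    findings = []
    for label, value in plan.items():
        try:
            # strict=False accepts host addresses written with a prefix,
            # such as an interface address "100.70.1.10/24".
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append((label, value, None, "invalid"))
            continue
        # The list is IPv4 only. Assumption: 0.0.0.0/0 is the default
        # route, which the Routing function supports, so it is skipped.
        if net.version != 4 or net.prefixlen == 0:
            continue
        for rng in UNAVAILABLE:
            if net.subnet_of(rng):
                findings.append((label, value, str(rng), "inside"))
            elif rng.subnet_of(net):
                findings.append((label, value, str(rng), "covers"))
    return findings


# Constructed address plan (labels and values are hypothetical).
SAMPLE_PLAN = {
    "interface": "100.70.1.10/24",     # inside 100.68.0.0/14
    "static-route": "100.64.0.0/10",   # broader prefix over every range
    "default-route": "0.0.0.0/0",
    "address-object": "203.0.113.20",
    "backend-server": "100.90.0.1",    # falls in a gap between ranges
}

if __name__ == "__main__":
    for finding in reserved_conflicts(SAMPLE_PLAN):
        print(finding)
```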




Copyright © NTT Communications All Rights Reserved.
NTT Communications