Home >Documents >Service Descriptions >Network-based Security v6.0.2 > Managed WAF >Managed WAF Version2

Managed WAF Version2

About This Menu

Overview

Managed WAF [1] _ can be used within the tenant Enterprise Cloud 2.0 and provides a function to detect / prevent security threats such as unauthorized access to the web application server and attack communication.

It can be connected to the logical network within the tenant owned by the customer and can be inspected and controlled by customer's policy.

Please note that this menu is provided by security managed service and minimizes the risk of cyber attack etc. by global security management system.

(Hereafter, Managed WAF will be referred to as this menu, and the facility providing the function will be described as a device.)

This menu works as a reverse proxy server. After this device receives communication from the client and examines the communication, it sends it to the customer's web application server.

[1]	WAF ... Web Application Firewall

Features

This menu has following features:

1. Reliable and secure operation by security managed service

   The Security Operation Center (SOC), which has a global security management system, monitors the management servers provided in this menu.

   
   
2. Multi-function defense by defending against threats against web application servers

   NTT Com provides all-in-one security functions necessary to protect your Web application server from various security threats such as vulnerable attack communication, unauthorized access, virus infection etc.

   
   

   ● WAF function which provides Protection and detection for attack and fraudulent access.

   ● Anti-Virus function for Protection from Virus.

   ● IP reputation function which provides detection for attack known as threat source.

   
   
3. Immediate provision by self-operation · Immediate setting change

   Customer can immediately leverage this menu by operation Security Control Panel through Enterprise Cloud 2.0 Portal. Configuration change is immediately reflected by Security Control Panel.

   Customers can use the necessary resources without initial investment and minimum usage period, without owning assets, and can constitute a secure environment tailored to the customer's business environment.

Available Functions

List of Available Functions

This menu provides following functions;

Functions	Description
1.Security	Protection and detection to attack to Web application server, Protection to virus infection and detection to well known information as threat.
2.Network	This function is where the "Device" is connected to the Logical Network and / or routed to the transmitters.
3.Other Functions	The other functions are to transmit back and forth the Sys log server a log obtained by the Customers themselves through the "Device" and assign the time zone for the log content recorded within the "Device" themselves.
4.Security Incident Report	This function is what the "Device" self-analyzes and reports any security incident(s) occurring within themselves once there is any information that determines the "Device" received hostile incoming transmissions.
5.Control Panel	Ability to set up applications and devices from Security Control Panel of Enterprise Cloud 2.0 Portal
6.Version Upgrade	Function to upgrade Managed FW / UTM / WAF Version 2

Description of Respective Functions

1.Security

Security provides the following functions.

Item	Description
WAF function	Detection / prevention function of attack communication of HTTP / HTTPS communication
Anti-Virus function	Virus detection / prevention function for upload file of HTTP / HTTPS communication
IP Reputation function	Detection function to well known information as threat.

● WAF function

The specification of the WAF function is as follows.

Item	Description
WAF function	NTT Com will inspect Web communications specified by customers on a signature basis. Protect web application server from various application layer attacks such as cross site scripting, SQL injection etc. By being blocked by signature inspection, if there is a problem with the normal communication of the customer web application, the following settings can be changed on a signature basis. Detection only (not blocking) Invalid (not inspected)
Trust / Black IP control function	Provide traffic control to IP address which customer indicate. Trust IP (unconditionally permitted IP address) Black IP (Unconditionally blocking IP address)
DoS protection function	It is possible to limit the number of connections from a single IP address and to defend against connections deemed to be a DoS attack to the customer web application server. Limit the number of concurrent TCP connections from a single IP address. The threshold can be specified in the following range. 1〜65535 The action when the threshold is reached can be selected from the following. Detection only (not blocking) block
Decryption function	It is possible to decrypt SSL communication and check communication.
X-Forwarded-For function	It is possible to send source IP address information to X - Forwarded - For of HTTP header and send it to customer web application server.

Note

• Signature updates are automatically performed.

• Trust IP and Black IP can not set duplicate addresses.

• In case of using the decryption function, prepare the server certificate by the customer. Customer can set / update from the security control panel.

  • PEM format, PKCS # 12 format server certificate can be set.

● Initial Tuning Report

It is possible to report the advice of the policy tuning from NTT Com.

Initial tuning report will be provided only once per device, based on application from customers. NTT Com will report on the top ten signatures with many detections. In order to perform initial tuning, it is necessary to acquire logs for 4 weeks or more (standard). Please operate the device in Monitor Mode for 4 weeks or more and apply initial tuning report after generating real traffic or communication close to real traffic via this device. The initial tuning report application sheet is posted in "Security Control Panel → Operation → document". Please fill out the necessary matter and request with the Enterprise Cloud 2.0 ticket system. Providing the initial tuning report takes time of about 4 weeks (approximate). Please acknowledge that the period until presentation will be around depending on congestion status at the time of application and log detection situation.

Note

• Customers should operate from Security Control Panel to change the policy setting (detection only or change to invalidation for each signature ID) based on the tuning report.

● Antivirus function

Specifications of the functions of the Anti-Virus are as follow:

Item	Description
Antivirus function	It is possible to detect / defend against data sent by HTTP POST method. It prevents attackers from uploading viruses to the web application server. NOTE: This function is an additional function of the file upload restriction function.
file upload Restriction function	It is possible to limit the maximum size of data sent with HTTP POST method. The maximum size can be specified in the following range. 1024KB〜10240KB　（1MB〜10MB） Below action is selectable when data size exceeds upper limit. Detection only (not blocking) block

● IP reputation function

Specifications of IP reputation function are as follows.

Item

Description

IP reputation function

Detection to attack known as threat source. Category of threat is below. DDoS: Source identified as participating in DDoS attack Phishing: Sources that are complicit in phishing attacks or are identified as hosting websites for phishing attacks Anonymous proxy: Traffic that is sent via an anonymous proxy to disguise the original identity of the client and whose source is hidden Malicious source: a host known to be infected by harmful software Spammer: a host known to be sending spam

Note

• Please register Black IP of Trust/Black IP control function, if customer want block to detected IP address.

● Reference: Control flow

Note

• Above graph explains example flow, when DoS protection function and File upload function is configured for block. Block does not be executed when action is only configured for detection.

• Block screen does not show, when DoS protection function blocks packet. The function send reset packet.

2.Network

Network provides the following functions.

Item	Description
Interface	This function is where Interface of the “Device” will be set and then it will be connected to logical network.
Routing	Routing function is where static routes and default gateway is being set and transmission is being routed with.

Note

• It is important for Customers to note that they are required to create logical network prior to the menu is provisioned.

• The "Device" will be connected to Data Plane of logical network although it will not be connected to Storage Plane of logical network.

• In order for Customers to set (to create) / modify (to change) / delete (to erase) the interface for the "Device" , the Customers (and the end users) are noted that they are required to reboot the "Device" and the interface MAC address will be automatically changed.

3.Other Functions

Other Functions provide the following functions.

Item	Description
Sys log transmission	Sys log server where the Customers manage is receiving logs obtained at the "Device"
Time Zone Assignment	Time stamp recorded as to the timetable log on the "Device" will be assigned.

Note

• There is only one (1) settable destination for syslog transmission.

• If you change the time zone, time stamp of the log that has been recorded before the change time zones are not rewritten.

4.Security Incident Report

Security Incident Report provides the following functions.

Item	Description
Create Report	Device logs will be automatically analyzed and "Security Incident Report" will be generated after recognizing detected threat(s).
Publish Report	Security Incident Report is shown on Security Control Panel through Enterprise Cloud 2.0 Portal.
Notify Report	When Security Incident Report is generated, E-mail notification will be sent by registering mail address on Security Control Panel.
Report notification level setting	Function to change the severity of the criteria for creating an Incident Report.

● Security Incident Report

Following titles will be included within the "Security Incident Report":

Item	Description
Device	The Device Name if there is any
Signature	Threat name
Severity	Severity in degree of the recognized threat
Confidence	Detection accuracy
Reference	Automatically granted ID
Date and Time	The date and time of detection --and date and time of last detection-- of the reported threat being reported
Description	Description of the details of the recognized threat
Access Patterns	Draw threat access status
Details	Threat details

Note

• All "Security Incidents" are reported in English.

• When customer leverages this menu and other menu as like Managed Firewall Version2 or Managed UTM Version2 on one tenant, Security Incident Report by correlation analysis of each device log is generated. So each Security Incident Report is not generated for each menu and device.

5.Control Panel

For Control Panel Functions, the following operations are possible.

For details, see the Enterprise Cloud 2.0 tutorial.

Item	Description
Order	Customers can subscribe the Security Menu
Operation	Customers can either manage and / or set the created "Device"

● Order

Following actions are processable from the Order Panel:

Item	Description
Add Device	Customers can either create a new or add a "Device"
Change	Created "Device" Menu and / or Plan will be changed to update the settings details
Delete Device	Created "Device" can be deleted to be eliminated from the operation

● Operation

Following actions are operable from the Operations Panel:

Item	Description
Device KPI	Resource status (such as CPU and memory) and traffics will be viewed.
Document	Initial tuning report application sheet can be downloaded.
Network Management	Interface of the "Device" will be set here (and then connected to logical network).
Device Management	Customers can set security functions, routing of network functions, and other functions.
Log Analysis	Customers can download to obtain the data by CSV file after assigning search details by conditions tags.
Incident Reports	The Security Incident Report will be posted.
Customer Profile	Customers can register mail notification destination for Security Incident Report.
Information	Any notable information will be relayed.

Note

• In log analysis, confirmable and searchable period of logs is below. It does not ensure integrity of obtained logs.

  • Web access log (traffic log): 7 days

  • Log acquired by security function (security detection log): 90 days

• In the event that the Customers would like to obtain the log results for a longer span of time to review the search result, then Customers are advised to transmit to sys log server which Customers are managing.

6.Version Upgrade

Version Upgrade function provides the following features:

Item	Description
GetFirmwareSatus	You can check whether the target device is the target of version upgrade.
Firmware Update	Execute the version upgrade of the target device.

Menu

Plan

This menu provisions the following Plans:

Plan	vCPU	Memory	Disk	Disk	Interface
	(Number)	(GB)	System area (GB)	Data area (GB)	(Maximum)
2CPU-4GB	2	4	2	40	1
4CPU-6GB	4	6	2	40	1
8CPU-12GB	8	12	2	40	1

Note

• In this menu, if you want to implement load balancing or increase fault tolerance, prepare several menus (devices) and design it in combination with a load balancer.

Subscriptions Method

Customers with Enterprise Cloud 2.0 can basically request to subscribe this menu.

Subscriptions types, Subscription methods and Delivery are as follows:

Order Types	Details	Subscription Methods	Offering Date
Add Device	Create the Device	Subscription by customer on security control panel.	Immediate
Change	Change the "Device" Plan; Modify Menus to change settings	Same as the above.	Same as the above.
Delete Device	Delete the Device	Same as the above.	Same as the above.

Note

• Number of the executable "Device" for one (1) "order" is just one (1). Therefore, if in any event Customers wish to make multiple orders for the "Device", Customers are advised that each order process has to go through once for every "Device" Customers wish to subscribe. The Order screen has to proceed for each and every "Device" every time.

• Change of plan can be performed by all of patterns.

  • 2CPU-4GB → 4CPU-6GB/8CPU-12GB ○
  • 4CPU-6GB → 2CPU-4GB/8CPU-12GB ○
  • 8CPU-12GB → 2CPU-4GB/4CPU-6GB ○

• At such change of Plan, Customers are noted that the "Device" has to reboot.

• You can not change the menu from this menu to another menu.

• Due to possible multiple orders for subscriptions being processed in, Customers might experience too much traffic which might take a longer time for them to fill out the process in creating "Device", changing Plans and so forth.

• At creating device, selectable zone and group are different by region. Detail information is described on Region/Zone/Group in service description.

Restrictions

Following are the sales unit, the number of uppermost maximum and lowermost minimum units.

Unit	Maximum Number	Minimum Number
1	No limit	0

Terms And Conditions

Terms And Conditions

● Connection with logical network

This menu is a one-armed configuration that connects with the logical network and one interface to transmit and receive traffic in all plans.

Conditions of Use in Combination with Other Services

This menu does not specifically limit as with combined usage with any other services.

Minimum Use Period

This menu does not require minimum usage period.

Pricing

Initial Fee

This menu is offered at no charge no matter what Plan, subscriptions are being made.

Monthly Fee

This menu, regardless of the use of time, has a monthly fixed fee.

In the same device, if there is a change of the plan or menu in the middle of the month, then the new one is compared with the monthly fee according to the plan or the menu that was available in that month, to apply the highest rate as a monthly fee.

Quality of Menu

Support Coverage

All functions and facilities provided in this menu are within the support range.

However, designing using this menu is not supported.

Also, if a certificate is used, please obtain and update certificate at your own risk.

Operations

This menu is subject to the operational quality, which has been defined by the standard in Enterprise Cloud 2.0.

Furthermore, this menu is implementable as qualified operation of the following self-managed services:

Item	Description
Security update version management	Manages signature updates
Applies security patches	Apply the security patch depending on the degree of influence (Equivalent process as version up operation)
Life Cycle Management of the Products	Proceeds with the updated versions in operations
Monitoring / Maintenance	Operation monitoring and failure countermeasure implementation of this device

SLA

SLA of this menu conforms to SLA defined as standard in Enterprise Cloud 2.0.

Restrictions

Restrictions of this menu are following;

• Only the HTTP / HTTPS communication can be processed with this menu. Communication other than HTTP / HTTPS such as FTP and SSH can not be processed.

• It can not be processed when using protocols not compliant with RFC or when using encapsulated communication.

• Below IP address is not available for Interface, Routing, Address object and list. When these IP addresses is used, This menu cannot correctly work.

  • 100.65.0.0/16
  • 100.66.0.0/15
  • 100.68.0.0/14
  • 100.72.0.0/14
  • 100.76.0.0/15
  • 100.78.0.0/16
  • 100.80.0.0/13
  • 100.88.0.0/15
  • 100.91.0.0/16
  • 100.92.0.0/14
  • 100.126.0.0/15

• Please design the IP address in the logical network to which this menu is connected at your own risk. Please be careful not to duplicate the IP address etc assigned to this menu.

• Please create Policy after rule configuration is saved and completed.

• Communication will be interrupted during maintenance work related to the device. We will carry out the work after notifying in advance, but the work date and time cannot be adjusted. If you want to minimize the effect, prepare multiple units of this menu and design in combination with a load balancer.

• Each function and log provided by this menu does not ensure integrity, accuracy and compatibility for customer's purpose of use.

• NTT Com as a service provider is required to provide the following information to the "Devices'" developer(s) and / or front-end seller of this menu; the purpose of such is to seek if there is any possible or feasible fail-over waiting to happen due to the incompatibility of the setting details or irregular operations or maneuvers which may cause some sort of troubles in duration. However, the fail-over is not at all guaranteed to be repaired if the difficulty in operation or fail-over occur with the operations which NTT Com did not intend to. The following information is going to be relayed to the system developer and front-end seller:

  • Setting details and data obtained at such time the menu is provisioned.

  • Managed details within such information relates to this provisioned menu.

• There is a guideline for the upper limit of performance values. See (Reference) Performance measurement results of Managed WAF .

---

Managed WAF Version1