SERVICE DESCRIPTION
Web Application Firewall

TABLE OF CONTENTS
1 INTRODUCTION
2 SERVICE DESCRIPTION
2.1 Basic service
2.2 Options
2.2.1 Advanced Security
2.2.2 ICAP Interface
2.2.3 Certificate Management
2.2.4 XML Firewall
2.2.5 Test Instance
3 ADDITIONAL DOCUMENTS
4 DISCLAIMER

1 INTRODUCTION
This document describes the USP Web Application Firewall managed service with all the options available from USP. This document, together with the agreed Service Level Agreement, constitutes the binding basis for the provision of the managed service.
Field of application
More and more applications are accessible from the Internet. Often these web applications are used to process highly sensitive data, such as business secrets or personal data that is protected by legislation. In its Web Application Firewall managed service, USP offers scalable and powerful protection for your web applications.
Benefits
The Web Application Firewall service provides comprehensive protection for web applications. Acting as a proxy, the service accepts all requests to the web application and filters them, thereby minimising IT risks by closing off the entry routes most widely used by hackers today.
The same service offers protection for all the customer's web applications. This leads to standardisation and simplification of access to the protected applications.
2 SERVICE DESCRIPTION
2.1 Basic service
The USP Web Application Firewall service provides effective protection for web applications. The service permits simple and secure access to web applications from the intranet or the Internet via a web portal.
Name of service: Web Application Firewall
Service abbreviation: MSS-RA
Service version: 2.0
Status: Operational
Operating hours:
- OH1: Monday – Friday, 08:00 – 18:00 CET
- OH2: Monday – Saturday, 07:00 – 21:00 CET
- OH3: Monday – Sunday, 00:00 – 23:59 CET
Availability guarantee:
- ACA: best effort
- ACB: 99.5% availability during operating hours
- ACC: 99.7% availability during operating hours
- ACD: 99.9% availability during operating hours
Usage parameter: The service is assessed on the basis of the number of physical or virtual appliances.
Description: The basic function of the service is a secure reverse proxy for the HTTP and HTTPS protocols. The service permits simple and secure access to the web applications from the intranet or the Internet via a web portal.
The reverse proxy accepts the requests on behalf of the web applications, verifies them and then passes them on to the actual recipient.
Benefits: Modern applications are more and more frequently accessible via the Internet and are thus preferred targets for hackers. Using USP's Web Application Firewall service renders these entry routes impassable for hackers. The Web Application Firewall service accepts all requests from the Internet on behalf of your servers. This provides effective protection against attacks such as DoS attacks.
The user accesses all protected web applications from a single web portal, which can make access considerably easier for the users of the web applications.
Key Performance Indicators (KPIs): Compliance with the SLA parameters is measured against the availability of the service infrastructure.
Reporting: The following service-specific values are collated in the monthly reports:
- infrastructure workload
- number of sessions
Measuring points: The following measuring points are among those watched to monitor the service:
- CPU / RAM / HDD workload
- listener processes
- connection to the backend
- accessibility
Conditions of use: The service is limited to applications that use the HTTP / HTTPS protocol. A dedicated load balancer is required if the service is operated on multiple servers in an active/active setup.
An availability guarantee in excess of "best effort" requires a redundant design of the underlying infrastructure.
2.2 Options
2.2.1 Advanced Security
Advanced security functions for the Web Application Firewall.
Name of the service option: Advanced Security
Abbreviation: MSS-WAF-AS
Usage parameter: The service option is assessed on the basis of the size of the basic service.
Description: Extension of the Web Application Firewall security functions for high-quality protection of web applications and web services. Examples of these demanding functions are URL encryption, CSRF protection, dynamic request whitelisting and many more.
Benefits: The advanced protection functions protect the dynamic content of modern web applications and portals. In this way you achieve a higher security level for portals based on Java or PHP, for instance.
Countermeasures in the event of new exploits can be enabled from a central location. Appropriate measures can be enabled more quickly and with full coverage, and you save valuable resources as you no longer need to modify all your applications.
Key Performance Indicators (KPIs): Compliance with the SLA is determined using the KPIs for the basic service.
Reporting: This option is not listed separately in the reports.
Measuring points: This option is not monitored separately; monitoring is based on the basic service measuring points.
2.2.2 ICAP Interface
A standardised ICAP (Internet Content Adaptation Protocol) interface for the integrated use of external resources, such as virus scanners, for example.
Name of the service option: ICAP Interface
Abbreviation: MSS-WAF-ICAP
Usage parameter: The service option is assessed on the basis of the size of the basic service.
Description: This option operates a standardised ICAP interface. External resources can be incorporated into the WAF functionality and used integrally via this interface.
Benefits: This option permits the use of external resources for additional data checking. If an external virus scanner is connected, for instance, the incoming and outgoing data traffic can be checked for viruses. This can considerably improve the security of your web applications and also that of your entire IT infrastructure.
Key Performance Indicators (KPIs): Compliance with the SLA is determined using the KPIs for the basic service.
Reporting: This option is not listed separately in the reports.
Measuring points: The ICAP interface is not monitored separately.
Conditions of use: The components addressed via the ICAP interface must act as ICAP servers. The operation of these components is not included in the service option. The service option is not offered until at least two operational instances have been procured.
2.2.3 Certificate Management
Monitoring and managing the SSL certificates for the encryption of web connections via HTTPS.
Name of the service option: Certificate Management
Abbreviation: MSS-WAF-CA
Usage parameter: The service option is assessed on the basis of the number of valid certificates.
Description: The SSL certificates for the encryption of web connections via HTTPS are monitored and managed by USP's Security Operations Center. The service option is offered at the following levels:
• Bronze
USP monitors the lifetime of the SSL certificates and informs the customer no later than 14 days before their expiry.
• Silver
USP monitors the lifetime of the SSL certificates and initiates their renewal on its own initiative. This service is restricted to collaboration with godaddy.com as the certificate provider. Only domain-validated SSL certificates will be provided.
• Gold
USP monitors the lifetime of the SSL certificates and initiates their renewal on its own initiative. This service covers collaboration with godaddy.com as the certificate provider for domain-validated certificates and with the provider SwissSign for extended-validation certificates. Seamless renewal of the certificates is the responsibility of USP.
Benefits: Customers no longer need to worry about their certificates themselves or maintain a complex PKI. USP takes care of monitoring the certificates on your behalf and notifies you in good time before the certificates expire.
Key Performance Indicators (KPIs): The validity of the certificates is monitored. This service option has no influence on compliance with the basic service SLA.
Reporting: A list of certificates with their status is added to the reports supplied. The list can be viewed by authorised users via USP Connect.
Measuring points: The validity of the certificates is monitored.
Conditions of use: In the Bronze and Silver levels, seamless renewal of the certificates for the website is the responsibility of the customer.
2.2.4 XML Firewall
Monitors the XML/SOAP data traffic.
Name of the service option: XML Firewall
Abbreviation: MSS-WAF-XML
Usage parameter: The service option is assessed on the basis of the size of the basic service.
Description: This option checks the XML/SOAP data traffic and filters out suspicious content. On the one hand, the format of the transmitted data is checked; on the other hand, the data content is monitored for critical content.
Benefits: Applications that provide an XML/SOAP interface are additionally protected by this option. First, security is increased by inspection of the XML contents. Second, access to the XML interface is also checked.
Key Performance Indicators (KPIs): Compliance with the SLA is determined using the KPIs for the basic service.
Reporting: This option is not listed separately in the reports.
Measuring points: This option is not monitored separately.
Conditions of use: The applications to be protected must have a standardised XML/SOAP interface. The service option is not offered until at least two operational instances have been procured.
2.2.5 Test Instance
Operation of an additional instance which is not used in production.
Name of the service option: Non-Prod Licence
Abbreviation: MSS-WAF-TEST
Usage parameter: The service option is assessed on the basis of the number of instances.
Description: This option operates a further instance of the Web Application Firewall. The additional instance is not used operationally and can thus serve as a test or development environment, for example. The additional instance is equipped with the same options as the operational instances.
Benefits: Using a non-operational instance, changes can be tested in an environment similar to production before they are implemented. The option of first testing modifications on a non-operational environment considerably reduces the risk of an error in the subsequent live implementation on the production environment.
Key Performance Indicators (KPIs): Test instances are operated on a best-effort basis during office hours, whatever the SLA for the basic service. This option has no specific KPIs.
Reporting: No reports are prepared for test instances.
Measuring points: The availability of the instance is monitored.
Conditions of use: MSS-WAF-TEST is not offered until at least two operational instances have been procured.
3 ADDITIONAL DOCUMENTS
The present document describes the functional scope of USP's Web Application Firewall service. General information on the Service Level Agreement and on operation may be found in the following additional documents.
Service management and SL catalogue: This document contains all the information relating to the Service Level Agreement parameters. It defines the support processes and collaboration obligations, for instance, along with operating hours and availability guarantees.
Services catalogue: The services catalogue defines the operation tasks and the standard changes. The document also describes the processes by which the corresponding changes can be triggered in a qualified fashion.
Price list: The prices of all services and options are laid down in the price list.
4 DISCLAIMER
This document is the intellectual property of USP AG and may not be copied, reproduced, handed on or used for execution without its permission. Unauthorized use is punishable in accordance with Section 23 in conjunction with Section 5 of the Swiss Unfair Competition Law. This work is protected under copyright. The rights consequently justified, particularly of translation, reproduction, the use of illustrations, distribution by photomechanical or other means and storage in data processing systems, even in extract, remain reserved. The functions, data and illustrations described in this documentation are applicable with the reservation that amendment is possible at any time. They are provided for better understanding of the material, without claiming completeness and correctness in detail. The programs described in this document are only provided on the basis of a valid licence agreement with USP AG and can only be used in compliance with the conditions laid down in the licence agreement.
USP's General Terms and Conditions shall apply unless higher-ranking provisions apply. Copyright © United Security Providers AG. All rights reserved.