NSFOCUS Web Application Firewall


[Data Sheet]


Overview

The NSFOCUS Web Application Firewall (WAF) protects your business-critical web applications and information against web attacks, data breaches, and downtime by shielding your business with a singular, overarching cover of security prevention. Among its many features, WAF mitigates the OWASP Top 10 risks, combines a negative security model with a positive security model, employs application profile learning, and offers ironclad protection against application layer distributed denial-of-service (DDoS) attacks. WAF is also designed to help customers with full Payment Card Industry Data Security Standard (PCI DSS) compliance.

WAF shares knowledge with NSFOCUS application scanners, creating custom protection policies so as to reduce the potential attack surface and minimize the time-to-fix exposures.

WAF collaborates with the NSFOCUS Anti-DDoS System (ADS) for automated, real-time responses to volumetric attacks.

Customer Benefits

Mitigate Data Leakage Risk

Data breaches are both complex and surprisingly frequent. WAF offers powerful protection against the most prevalent web attacks, based on a complete set of signatures for web vulnerabilities and web attacks, as well as the capability to detect illegal file uploads. WAF enforces access control policy at Layers 4 and 7 to prevent attackers from accessing data without proper authorization. In the later phases of an attack, WAF provides outbound data leakage detection, including illegal file download detection, webshell prevention, and filtering of sensitive information (such as credit card numbers and social security numbers).

Ensure Availability and QoS of Websites

WAF offers a built-in anti-DDoS module, which protects against TCP flood attacks below 1 Gbps, as well as HTTP/S GET/POST flood attacks and slow rate attacks, the fastest-growing DDoS attack vector. WAF employs access rate thresholding, IP reputation, and algorithm-based protection mechanisms.

Customer Benefits

• Mitigate Data Leakage Risk
• Ensure Availability and QoS of Websites
• Close the Gap for PCI DSS Compliance


Close the Gap for PCI DSS Compliance

WAF provides compliance reports for PCI audits, with suggestions for policy tuning and configuration improvement in order to comply more completely with PCI DSS. The cookie security feature within WAF protects against cookie tampering and cookie poisoning in compliance with section 6.5.10 in the new PCI 3.0 standard.

Collaborative Security

WAF can import vulnerability assessment reports, delivered to WAF from NSFOCUS Cloud Security Service (Websafe) or Web Vulnerability Scanning System (WVSS), and then produce corresponding security policies. In the case of a known vulnerability, WAF can become more aggressive with blocking options to prevent attacks identified around a vulnerable location. WAF collaborates with ADS to mitigate the downtime risk of customers’ websites. Once TCP flooding traffic reaches the preset threshold in WAF, WAF automatically notifies the upstream ADS to divert and “scrub” the attack traffic in real time so as to lessen latency issues.

NSFOCUS also offers a cloud-based managed security service (MSS) for WAF operation and maintenance to supplement the customer’s Security Operations (SecOps) team.

PCI DSS 3.0 Compliance Requirements

• Ad-hoc compliance report for PCI audit
• Offers cookie security in compliance with new req. 6.5.10 Broken authentication and session management

Collaborative Security

• NSFOCUS WAF
• NSFOCUS Websafe or WVSS
• NSFOCUS ADS
• MSS for WAF


Key Features

As web attacks escalate in complexity, their detection and mitigation must be designed for web security, which works beyond signatures. NSFOCUS WAF safeguards your business-critical web applications and data against the evolving web threats with holistic detection and mitigation capabilities.

Layered Defense

NSFOCUS WAF mitigates the OWASP Top 10 risks by combining a negative security model with a positive security model as well as application profile learning, equipped with multiple comprehensive detection and protection techniques.

WAF protects web applications and the underlying infrastructure by detecting applications, plug-ins, web servers and networks. In addition, with the multiple rule-based inspections, it can trace automated attacks by interactively validating user behaviors.

The whitelist mechanism is the most effective method to stop zero-day attacks. WAF automates the process of generating whitelists based on statistical analysis of HTTP request parameters, including the number, type, name and value of specified URLs.

Emergency Response Through Cloud Security Service

Powered by the NSFOCUS Cloud Security Service and supported by our R&D teams with rich experience spanning more than a decade, NSFOCUS WAF consistently offers real-time protection against the latest known threats. Utilizing its “virtual patch” through updating application signatures and adjusting policies, WAF can avert severe issues caused by newly identified vulnerabilities in applications, known vulnerabilities in legacy applications or third-party applications, or newly discovered exploits.

Ease of Use and Transparent, Drop-in Deployment

NSFOCUS WAF offers a friendly wizard for initial configuration, which guides the user through tuning the security policies step by step by configuring the necessary website information, including IP addresses, ports, OSs, web servers, and programming language. Default policy templates are also available to facilitate initial configuration. Exception policies are also supported to mitigate false positives.

WAF provides flexible deployment options with low overhead. One of the most common options is the drop-in transparent deployment without changes to existing applications or networks. Reverse proxy and out-of-path (traffic diversion and injection) options, which provide protection on demand, are available as well.


Web Application Firewall Specification

Security Model

• Negative security model (signature-based)
• Behavior-based protection
• Positive security model (whitelist security and dynamic profile learning)

Application Attacks Prevention

• OWASP Top 10
• Cross-Site Scripting (XSS)
• Injection
• Cross-site Request Forgery (CSRF)
• Remote File Inclusion (RFI)
• Path Traversal
• Illegal file upload/download restriction
• Malicious scanning
• Webshell
• Anti-Crawlers
• Anti-Leech
• Brute force

Content Modification

• Sensitive data exposure
• Content filtering
• Cookie signing/encryption
• Sensitive information filtering

Web Server Security

• Web server/plug-in vulnerabilities signatures

Protocol Support

• HTTP protocol validation
• HTTP access control
• HTTP 0.9/1.0/1.1

HTTPS/SSL Inspection

• Passive decryption
• SSL offloading

Anti-DDoS

• TCP floods (inspected throughput up to 1 Gbps)
• HTTP/S GET/POST floods
• Slow rate attacks

Network Security

• Layer 4 ACL
• ARP spoofing protection

Collaborative Security

• Collaboration with NSFOCUS ADS
• Collaboration with NSFOCUS Websafe or WVSS

PCI DSS Compliance

• Compliance reporting

Deployment Modes

• Inline transparent proxy
• Reverse proxy
• Out-of-path (route diversion and injection)
• Image deployment

Policy Management

• Default policy templates
• Exception policy
• Custom policy
• Risk-level policy

Management

• Web user interface (HTTP/S)
• Command line interface (SSH/console)

Logging/Monitoring

• SNMP
• Syslog

High Availability

• Active/active; active/passive
• VRRP
• Internal “software” bypass to pass traffic without inspection
• Fail-open interfaces or integrated hardware bypass

TCP/IP Support

• IPv4, IPv6

Certification(s)

• Veracode VL4
• WAF Certification from ICSA Labs

Product Family

| Model | WAF NX3-P300A | WAF NX3-P600A | WAF NX3-P1000B | WAF NX3-P1600B | WAF NX3-P2000A |
|---|---|---|---|---|---|
| Performance | | | | | |
| Application Layer Throughput (HTTP) | 200 Mbps | 400 Mbps | 1 Gbps | 3 Gbps | 6 Gbps |
| Transactions per Second (HTTP) | 6,000 tps | 10,000 tps | 30,000 tps | 55,000 tps | 110,000 tps |
| Hardware | | | | | |
| Chassis | 1U | 1U | 2U | 2U | 2U |
| Management Interface | 1 x 10/100/1000 BaseT Copper | 1 x 10/100/1000 BaseT Copper | 1 x 10/100/1000 BaseT Copper | 2 x 10/100/1000 BaseT Copper | 2 x 10/100/1000 BaseT Copper |
| Serial Port | 1 x RJ45 | 1 x RJ45 | 1 x RJ45 | 1 x RJ45 | 1 x RJ45 |
| Hard Disk | 1 TB, SATA | 1 TB, SATA | 1 TB, SATA | 1 TB, SATA | 1 TB, SATA |
| Power Supply | Single AC | Single AC | Dual AC | Dual AC | Dual AC |
| Power Consumption | 60 W | 60 W | 350 W | 400 W | 400 W |
| Operating Temperature | 0~40℃ / 32~104℉ | 0~40℃ / 32~104℉ | 0~40℃ / 32~104℉ | 0~40℃ / 32~104℉ | 0~40℃ / 32~104℉ |
| Storage Temperature | -20~70℃ / -4~158℉ | -20~70℃ / -4~158℉ | -20~70℃ / -4~158℉ | -20~70℃ / -4~158℉ | -20~70℃ / -4~158℉ |
| Weight | 5 kg | 5 kg | 12.6 kg | 11 kg | 11 kg |
| MTBF | > 50,000 hrs | > 50,000 hrs | > 50,000 hrs | > 50,000 hrs | > 50,000 hrs |

Protection Interface Options: 4 x 10/100/1000 BaseT Copper 4 x 10/100/1000 BaseT Copper 6 x 10/100/1000 BaseT Copper One optional slot (4 x 10/100/1000 BaseT; 4 x GE SX; or 4 x LX Fiber) 4 optional slots (4 x 10/100/1000 BaseT; 4 x GE SX; or 4 x LX Fiber) 4 optional slots (4 x 10/100/1000 BaseT; 4 x GE SX; or 4 x LX Fiber)

Traffic Bypass Options

• Fail-open interfaces or integrated hardware bypass
• Internal “software” bypass to pass traffic without inspection


For more information, visit the NSFOCUS website: www.nsfocus.com

“NSFOCUS” is the trademark of NSFOCUS Information Technology Co., Ltd.

NSFOCUS enjoys all copyrights with respect to all textual narrations, document formats, illustrations, photographs, methods, processes and other contents, unless otherwise specified, which shall be governed by relevant property rights and copyright laws. Without written permission of NSFOCUS, any individual or institution shall be prohibited to copy or quote any section herein in any way.

About NSFOCUS

NSFOCUS is a proven global leader in active perimeter security, focusing on industry-leading security research, products and services. With extensive knowledge and experience, NSFOCUS offers its customers and partners a full range of appliances including anti-DDoS systems, Web application firewalls and intrusion prevention systems to help companies secure their networks and corporate-critical information.
