Profense™ validates all parts of a HTTP request (including the path, query and segment) according to the defined access policy.

Requests not-matching the access-policy, are per default flagged as illegitimate, rejected and logged for further analysis. This allows system administrators to have a strict white-list of legitimate URLs for a given web application.

In Profense™ Professional policy rules can be specified using positive matching for specific URL and negative for all other.

Profense™ validates all parts of a query in a URL request according the defined white-list access policy.

Each parameter and the corresponding value is validated. This allows system administrators to specify what input is allowed for a given URL resource.

In Profense™ Professional, as for URLs, combinations of negative and positive policy rules can be employed.

Rules which match parameters on a global basis can be specified using regular expressions or signature based matching (in Profense™ Professional).

This is particularly useful when for instance the web application uses global parameters for session tracking or for printer friendly displaying instructions.

Profense™ can enforce pragmatic and strict standard HTTP headers compliance (RFC2068/RFC2616).

All request from clients are validated against a strict positive list of valid HTTP headers and values. This prevents possible attacks that exploit vulnerable web applications and servers through illegal HTTP headers.

Strict HTTP headers compliance checking can potentially cause problems with clients that deviate from standards or are otherwise incompatible.

Pragmatic HTTP headers compliance checking is a more loose access policy enforcement comparing to the strict method described previously which still protects web applications and servers from validating values for the submitted parameters according to a positive list of allowed data compiled from the strict RFC compliant heads.

Pragmatic HTTP headers checking allow non-standard headers to pass through Profense™.

Profense™ completely isolates the web server from direct Internet requests and information and web system technology information is removed from web server responses.

A typical web server gives out a lot of information about it's version, installed software, operating system, etc. This information is completely irrelevant for normal HTTP/HTTPS communication between clients and web server. However, attackers and worms can misuse this information to craft more targeted attacks on a vulnerable web application or server. Profense™ removes this information from the response sent back from the back-end server before forwarding it to the client thus protecting the web application and server from leaking potentially sensitive information.

Profense™ terminates all HTTP/HTTPS requests from clients before forwarding legitimate requests to back-end web servers. This means that back-end web servers are isolated from clients (typically from the Internet) and are placed on a back-end network/LAN segment. Network isolation means that only HTTP/HTTPS traffic is actually forwarded to the back-end servers. Any other network traffic (for instance a ICMP flood attack or a request to another potentially vulnerable service) will never reach the back-end servers thus eliminating other network threats as well.

Profense™ automatically generates access policies for even complex web applications and web systems.

All relevant information for a web application including URLs, parameters and HTTP methods is automatically learned by Profense™ and applied to the running access policy. This allows system administrators to quickly enable new or updated information about the web application thus reducing the manual work needed when implementing new or changed access policies.

Profense™ has full support for standard PCRE (Perl Compatible Regular Expressions).

This feature allows system administrators to manually fine-tune and implement strict values for legitimate HTTP parameters.

In order to simplify the ACL Profense™ supports the definition of URL wild cards based on regular expressions which matches URLs without parameters on a proxy global basis.

Rules which match parameters on a global basis can be specified using regular expressions.

This is particularly useful when for instance the web application uses global parameters for session tracking or for printer friendly displaying instructions.

Filtering rules can be specified using classes for easy administration.

Classes are defined globally and can be applied both when manually editing the access policy, when the access policy is built automatically and when rules are added or modified from log.

All rejected requests are classified in major attack groups (i.e. SQL-injection, buffer overflow, etc.) using a combination of cross validation, heuristic patterns and statistics.

Alerts can be sent to external syslog server or email.

Alert levels are completely configurable and are mapped to standard syslog priorities (information levels).

The management interface includes a comprehensive security log displaying all the necessary details about blocked requests, including the time stamp, IP address, HTTP methods, path and query segments, HTTP headers violations, attack classification and raw request data.

Multiple search criteria can be specified using wildcards allowing for detailed drill down searches. Customizable reporting.

All log views (searc filter sets) can be exported to printable reports or XML.

In Profense™ Professional all requests to the website can be logged in addition to the deny log..

Though ease of use is a qualitative statement we prefer regarding it as a product feature in order to keep development focus on the usability aspect. Misconfiguration of systems is a major source of vulnerability. Therefore ease of use is a security feature as it increases the likelihood of getting things right the first time and thus reduces the risk of human error due to complexity and misconceptions.

Ease of use is achieved through:

Profense™ combines the flexibility and scalability advantages of software with the security advantages and administrative simplicity from dedicated hardware appliances. The Profense™ software appliance installer turns a piece of general purpose application server hardware into a dedicated application acceleration and security gateway within minutes - with minimal interaction.

The Profense™ software package is completely self contained and no system level expert know-how or low level interaction is required to install and run Profense™.

The web based administrative interface provides access to perform all necessary administrative tasks, including initial configuration, administration of clustering and filtering rules, backup, log and reporting functions.

Profense™ is based on a stripped and hardened OpenBSD platform which is regarded as the most secure OS generally available.

The proxy, filtering and administration components run in a non-privileged and closed run-time environment and technologies like ProPolice, W^X protection, non-executable stack, etc. are used to further harden the system against attacks.

With Profense™ you get a seriously hardened and secured frontend to your web applications - without compromising functionality.