Armorlogic - provider of Profense - the free automated web application firewall

Profense™ Web Application Firewall

Profense™ Professional - Minimal effort web security


Features

Auto mode with instant protection and adaptive learning, positive and negative filtering, load balancing with session persistence, acceleration, automated learning, access log, automated push backup, active/active clustering with policy synchronization.

Support options

All support options include phone-based support and access to all major and minor upgrades.

Try before you buy

To evaluate Profense™ Professional, simply download Profense™, install it and follow the on-screen instructions to activate a full-featured 30-day trial period.


Profense™ Base - the free web application firewall


Features

Positive filtering, load balancing with session persistence, acceleration, automated learning.

Support options

Support options available are the Limited and Basic packages.


Benefits

For e-enabled organizations, Profense™ maximizes the business value of their web presence by reducing traffic cost by 30-60%, improving the efficiency of content delivery and reducing business risk.

Reduced business risk
Hackers increasingly target web servers, attempting to gain access to critical information and to plant malware that spreads to unsuspecting visitors who trust the web site. At least one in 10 web pages is booby-trapped with malware, according to Google. The majority of these belong to unsuspecting companies whose web sites were simply compromised.
The consequences of a web security breach may include brand damage, customer loss and direct financial cost in terms of legal fees, penalties and audits.
Profense™ substantially reduces the risk of getting compromised by proactively protecting against attacks from hackers and worms.
Reduced cost
Due to its automation features and distribution model, Profense™ is the most time- and cost-effective means of implementing strong web application security. Additionally, Profense™ reduces bandwidth usage by 30-60%, leading to traffic cost savings.
Improved visitor browsing experience
By speeding up content delivery your visitors are served in a more efficient manner leading to improved visitor browsing experience.
Lower costs of disaster preparedness and recovery
If disaster strikes, all that is needed to restore Profense™ is a backup and a piece of general-purpose server hardware. For competitors' appliance-based solutions, a new, expensive, specialized piece of hardware has to be procured or kept on standby off-site.

Feature summary

Profense™ Web Application Firewall is implemented in the network as a filtering gateway which validates all requests to the web systems. Main features of Profense™ are:

Web Application Firewall
Proactive protection of web servers and web applications with automated policy building and adaptive learning allowing for fast track web security
Load Balancing
Layer 7 load balancing with session persistence - enabling scalability and acceleration of even complex SSL-enabled stateful web applications.
Web Acceleration
Reducing traffic cost, improving response time and off-loading web servers.
Clustering and high availability
Active/active clustering and high availability configurations with hot fail-over. Profense™ is "self load balancing" - no additional load balancer is needed.
Software Appliance
Profense™ includes a hardened OS and installs on most server hardware, including virtual platforms. Major advantages of this are lower cost of disaster preparedness and recovery and lower cost of performance scaling.


Web Application Firewall

On a general level the web application firewall module has the following protective features:

  • Web server cloaking and customizable HTTP error handling completely shield web servers from direct Internet access and defeat fingerprinting attacks.
  • White-list based filtering of input data (including all URLs and parameters) allows for protection against threats from unpublished vulnerabilities in web server software and web applications.
  • Validation of requests using a combination of positive and negative policy rules. Available in Profense™ Professional.
  • HTTPS termination allows for white-list based protection from SSL-encrypted attacks.

Adaptive learning with instant protection

Profense™ Professional offers Auto mode using a combination of positive and negative policy rules with adaptive learning of changes in the web applications. The Auto mode provides instant protection which improves as Profense learns the web applications and consequently can create positive policy rules for critical application components.

Automated application profiling

All versions of Profense™ include the automated application profiling, or learning, engine, which allows for completely automated policy building.

Positive security model

Profense™ is based on the positive security model. It determines allowable requests and inputs, and disallows everything else. This approach provides protection against unknown threats, simply because they are not in the white-list and thus are disallowed.

The working basis of the positive security model is that everything is forbidden unless explicitly allowed. In the context of Profense™ this implies that only allowed requests are forwarded to the web system - that is: requests for web pages, applications, parameters etc. which you allow. This positive security approach is proactive because you base your protection on known information, the business content you want your web system to make available, not attack signatures and other potentially unknown information.

Negative security model

In Profense™ Professional the negative security model - signatures matching known attacks - can be used in combination with positive policy rules. For example it is possible to specify (or learn) strict positive input validation rules for certain critical application components, like login.php or payment.jsp, and use more general negative signatures for the remaining part of the web site.
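The combination described above, strict positive rules for a critical component and general negative signatures for the rest of the site, shown as an added Python example. It is not Profense code: the policy layout, the parameter patterns, the signature list and the function name `check_request` are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed positive policy: path -> allowed methods and per-parameter patterns.
POSITIVE = {
    "/login.php": {
        "methods": {"POST"},
        "params": {
            "user": re.compile(r"[A-Za-z0-9_.-]{1,32}"),
            "password": re.compile(r"[\x20-\x7e]{8,128}"),
        },
    },
}

# Constructed negative signatures (illustrative and deliberately coarse).
NEGATIVE = [
    ("sql-keyword", re.compile(r"(?i)\bunion\b.+\bselect\b")),
    ("script-tag", re.compile(r"(?i)<\s*script")),
    ("path-traversal", re.compile(r"\.\./")),
]

def check_request(method, url, body=""):
    """Return (allowed, reason) for one request."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    rule = POSITIVE.get(parts.path)
    if rule is not None:
        # Positive model: everything is forbidden unless explicitly allowed.
        if method not in rule["methods"]:
            return False, "method not in white-list"
        seen = set()
        for name, value in params:
            pattern = rule["params"].get(name)
            if pattern is None:
                return False, f"unknown parameter {name!r}"
            if name in seen:
                return False, f"duplicate parameter {name!r}"
            if not pattern.fullmatch(value):
                return False, f"value of {name!r} violates policy"
            seen.add(name)
        return True, "matched positive rule"
    # Negative model for the rest of the site: block known-bad patterns only.
    for sig_name, sig in NEGATIVE:
        for _, value in params:
            if sig.search(value):
                return False, f"signature {sig_name}"
    return True, "no signature matched"
```

The same unexpected value (for example a user name containing a quote character) is rejected on `/login.php` because it is not in the white-list, but passes on other pages unless a signature happens to match it. The path lookup assumes the path has already been canonicalised the same way the back-end server interprets it.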

Proactive protection

Because of Profense™'s positive security model it stops exploits of vulnerabilities and weaknesses without dependence on signatures. By building an access control list based on a finite amount of information, the business content of the web system, Profense™ effectively blocks attacks from hackers and worms.

In other words: Profense™ does not identify attacks; it determines whether a request is allowed based on a white-list. If a request is not in the list, it is treated as if it were an attack. This means that Profense™ also protects from attacks targeting unpublished vulnerabilities.

Application layer firewall or web application firewall?

The Payment Card Industry Data Security Standard ver. 1.1 requires that all web-facing applications be protected against known attacks, either by installing an application layer firewall or by having all custom application code reviewed by application security specialists.

If your company is affected, or inspired, by the PCI DSS requirements and you choose to go for the application layer firewall solution you will need an application layer firewall which is capable of protecting web applications. A web application firewall will do the job as it is a specialization of an application layer firewall.

Load Balancing

The Profense™ Load Balancer module enables scalability and acceleration of even complex SSL-enabled web applications.

Session persistence

Session persistence is achieved through insertion of a cookie tracking the session.

When the Profense™ Load Balancer is configured in an active/active cluster (is load balanced itself) the session persistence is independent of the cluster node handling the request.

Guaranteed secure persistence

Profense™ Load Balancer offers guaranteed SSL session persistence by decrypting the SSL content.

In this way the client is guaranteed a secure persistent browsing experience without loss of state information.

HTTP and HTTPS request switching

As SSL-connections are terminated by Profense™ it works equally well with HTTP and HTTPS.

Optionally, requests from clients can be re-encrypted before being forwarded to back-end servers.

Requests are distributed to backend servers following one of the two methods below:

Round robin
Requests are distributed equally in a round robin fashion to all active servers.
Session persistence
When a server is selected according to the methods above, all subsequent requests for the same client can be sent to the same physical server in order to keep state information for that client on that server. This method is also referred to as client stickiness.

Web Acceleration

The web accelerator module accelerates web application and web system performance by:

  • Lowering the web and application server workload
  • Optimizing and reducing bandwidth usage
  • Off-loading SSL operations from web servers
  • Optimizing TCP-connection handling

Caching

Caching of static documents improves performance by 300 - 500%.

Documents that can be cached are stored locally by Profense™. Any further requests for documents found in the cache are automatically delivered to clients directly from Profense™. Therefore, the back-end web servers can focus on delivering dynamic content with improved response times to clients, without the overhead of delivering static content like images, PDF documents, static HTML documents, style-sheets and others.

HTTP compression

Dynamic compression of transmission data reduces bandwidth usage by 30 - 60% and increases transfer rate by 50 - 100%.

HTTP compression reduces the transfer volume of static and dynamically generated web pages to approximately 1/3 of their original size and proportionally speeds up load time. This results in reduced traffic costs and in a better experience for the web site visitors.

SSL acceleration

Profense™ has the ability to terminate HTTPS (SSL) based connections and requests from clients before forwarding them as HTTP (non-SSL) to back-end servers.

This off-loads the back-end web servers from expensive SSL calculations thus allowing them to focus on faster content delivery to clients.

TCP connection off-loading

When forwarding legitimate requests from clients to back-end web servers, Profense™ will reuse socket connections already established with the back-end web server.

This gives a performance increase since back-end servers don't waste resources on establishing new and tearing down old socket connections.