
Protecting and securing websites and web applications can be a complicated business. Profense web application firewall simplifies protection with an affordable, easy-to-use and feature-rich solution that gives you full PCI DSS 2.0 section 6.5 and 6.6 compliance.

To make it easy, we put all of this together in an easily configurable software solution with its own hardened OS (the ultra-secure OpenBSD), allowing an easy install and the ability to use it in your production, development and staging environments under a single license, saving you tens of thousands of dollars.

If you wish to learn more about the features listed below, please contact us at sales [at] armorlogic [dot] com.

Web Application Firewall - Performance

Performance - HTTPS requests/second
Performance depends on available hardware resources, request complexity and the complexity of the policy. On entry-level $1K server hardware (a Dell PowerEdge R210 II with a Xeon E3-1240), Profense processes 18,750+ HTTPS req/sec for simple requests. Two of these servers running active/active process 32,000+ HTTPS req/sec.
As Profense is a software appliance you can easily scale performance by adding extra CPUs or moving to a more powerful platform.
Concurrency
Unlike process- or thread-bound WAFs, Profense web application firewall handles a practically unlimited number of concurrent clients with far fewer resources and scales better vertically with additional hardware (CPU and memory), thanks to its non-blocking asynchronous I/O model. It is built on an event-driven architecture that scales well beyond 10,000 concurrent users (the "C10K problem") with ease.
Most of the CPU time consumed by a reverse proxy in a normal HTTP transaction is spent waiting for network I/O. Profense wastes practically no resources waiting for client requests or back-end server responses (10 thousand idle HTTP clients occupy approximately 2.5 megabytes of RAM on a 64-bit platform). With I/O overhead virtually eliminated, Profense uses the available resources to handle massive client concurrency and request rates while protecting and accelerating web servers and web applications.
If you get more concurrent visitors than your WAF can handle, some of those visitors will never reach your website and the rest will suffer slow response times and errors.

Web Application Firewall - Filtering

Positive and negative URL filtering
Profense validates all parts of an HTTP request (including the path, query and segment) according to the defined access policy.
Requests not matching the access policy are by default flagged as illegitimate, rejected and logged for further analysis. This allows system administrators to maintain a strict white-list of legitimate URLs for a given web application.
Positive and negative query filtering
Profense validates all parts of a query in a URL request according to the defined access policy.
Each parameter and the corresponding value is validated. This allows system administrators to specify what input is allowed for a given URL resource.
Positive and negative web services requests filtering
XML (including XML-RPC and SOAP) and JSON services are supported.
Profense validates all parts of a web services request according to the defined access policy.
Web services requests are mapped as queries and, as with normal queries, combinations of negative and positive policy rules can be enforced.
Data leak prevention
Profense allows for parsing and blocking or rewriting the body of server responses. This is useful for screening output for confidential data like credit card numbers in order to prevent information leakage.
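The response-body screening described above, as an added example that is not Profense's own code: it scans an outgoing body for candidate card numbers, uses the Luhn check to discard ordinary digit runs such as order numbers, and either masks the number or blocks the whole response. The regex, the masking format and the block message are assumptions made for this example.

```python
import re

# Candidate primary account numbers: 13 to 19 digits, optionally separated by
# single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits):
    """Luhn check-digit validation; rejects most random digit runs of card length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(match):
    """Mask all but the last four digits of a Luhn-valid candidate, keeping separators."""
    raw = match.group(0)
    digits = re.sub(r"[^0-9]", "", raw)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        return raw  # not a card number: leave the text untouched
    keep = len(digits) - 4
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append("*" if seen < keep else ch)
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def screen_response(body, mode="rewrite"):
    """Return (body, hits). mode='rewrite' masks each leaked number in place;
    mode='block' replaces the whole response once any number is found."""
    hits = 0

    def repl(m):
        nonlocal hits
        new = mask_pan(m)
        if new != m.group(0):
            hits += 1
        return new

    rewritten = PAN_CANDIDATE.sub(repl, body)
    if mode == "block" and hits:
        return "Response blocked by data leak prevention policy.", hits
    return rewritten, hits


if __name__ == "__main__":
    # Constructed server response containing a well-known test card number.
    page = "Card on file: 4111 1111 1111 1111. Order 1234567890123456 shipped."
    print(screen_response(page))
    print(screen_response(page, mode="block"))
```

The Luhn step matters in practice: without it, every 13-19 digit identifier (order numbers, tracking codes) would be rewritten and the log would fill with false positives.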
Global parameter wild-cards
Rules which match parameters on a global basis can be specified using regular expressions or signature based matching.
This is particularly useful when for instance the web application uses global parameters for session tracking or for printer friendly displaying instructions.
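To make the positive/negative filtering, global URL wild-cards and global parameter wild-cards concrete, here is an added example of a small allow-list policy evaluator. It is not Profense's code or policy format; the rule layout, names and signatures are assumptions constructed for this example. Anything not explicitly allowed is denied, negative signature rules are checked before anything else, and denied requests are returned with a reason suitable for a deny log.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access policy (format is an assumption for this example).
POLICY = {
    # Positive URL rules: allowed methods and, per parameter, the fully anchored
    # PCRE-style pattern its value must match.
    "urls": {
        "/login": {"methods": {"POST"},
                   "params": {"user": r"[A-Za-z0-9_.@-]{1,64}", "pass": r".{1,128}"}},
        "/article": {"methods": {"GET"}, "params": {"id": r"[0-9]{1,9}"}},
    },
    # Global URL wild-cards: regexes for URLs that never carry parameters.
    "url_wildcards": [r"/static/[A-Za-z0-9_./-]+\.(css|js|png|jpg)"],
    # Global parameter wild-cards: parameters accepted on every URL, e.g. session tracking.
    "param_wildcards": {"sid": r"[a-f0-9]{32}", "print": r"(yes|no)"},
    # Negative rules: signatures that reject a value on any URL.
    "signatures": [r"(?i)union\s+select", r"\.\./", r"(?i)<script"],
}


def _full(pattern, value):
    return re.fullmatch(pattern, value) is not None


def evaluate(method, url, policy=POLICY):
    """Return (decision, reason); decision is 'allow' or 'deny'."""
    parts = urlsplit(url)
    path = parts.path
    params = parse_qsl(parts.query, keep_blank_values=True)

    # Negative rules first: a signature hit is a violation regardless of the URL.
    for name, value in params:
        for sig in policy["signatures"]:
            if re.search(sig, value):
                return "deny", f"signature {sig!r} matched parameter {name}"

    rule = policy["urls"].get(path)
    if rule is None:
        if any(_full(w, path) for w in policy["url_wildcards"]):
            if params:
                return "deny", "wild-card URL does not accept parameters"
            return "allow", "global URL wild-card"
        return "deny", f"path {path} not in access policy"

    if method not in rule["methods"]:
        return "deny", f"method {method} not allowed for {path}"

    # Positive rules: every parameter must be known and its value must match.
    for name, value in params:
        pattern = rule["params"].get(name) or policy["param_wildcards"].get(name)
        if pattern is None:
            return "deny", f"parameter {name} not allowed for {path}"
        if not _full(pattern, value):
            return "deny", f"parameter {name} failed pattern {pattern!r}"
    return "allow", "matches access policy"


def deny_log(requests, policy=POLICY):
    """Evaluate (method, url) pairs and return the denied ones with their reasons."""
    out = []
    for method, url in requests:
        decision, reason = evaluate(method, url, policy)
        if decision == "deny":
            out.append((method, url, reason))
    return out


if __name__ == "__main__":
    # Constructed sample requests.
    sample = [
        ("GET", "/article?id=42&sid=" + "a" * 32),
        ("GET", "/article?id=42%27%20union%20select%201"),
        ("GET", "/static/site.css"),
        ("GET", "/admin/console"),
        ("POST", "/login?user=alice&pass=s3cret&debug=1"),
    ]
    for entry in deny_log(sample):
        print("DENY", *entry)
```

Note that parse_qsl decodes percent-encoding before the signatures run, so an encoded payload is matched in its decoded form; a checker that matched the raw query string would be trivially bypassed.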
HTTP headers compliance checking
Profense can enforce either pragmatic or strict standard HTTP header compliance (RFC 2068/RFC 2616).
Pragmatic HTTP header checking allows non-standard headers to pass through Profense.
Web server cloaking and isolation
Profense completely isolates the web server from direct Internet requests by removing web system technology information from web server responses and by intercepting back-end error messages and replacing them with general (configurable) messages.
Session validation and CSRF protection
Profense protects against session hijacking and CSRF (Cross-Site Request Forgery) by injecting cryptographic validation cookies and parameters into responses from the web system.
Additionally, idle sessions are timed out to prevent users from staying logged in, which would leave them vulnerable to CSRF attacks.
Session and CSRF protection policies are built automatically by the Learner.
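An added example, not Profense's implementation, of the two mechanisms the section describes: an HMAC-signed validation cookie carrying a last-activity timestamp (so idle sessions expire and tampered cookies fail), and a CSRF token derived from the session and the action, which a state-changing request must echo back. The secret, cookie and parameter names, and the idle timeout are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Constructed values; a real deployment generates the secret per installation.
SECRET = b"example-secret-change-me"
IDLE_TIMEOUT = 900                 # seconds a session may stay idle
VALIDATION_COOKIE = "pf_session"   # hypothetical cookie name
CSRF_PARAM = "pf_token"            # hypothetical form parameter name


def _sign(msg: bytes) -> str:
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(now=None):
    """Cookie value: random session id, last-activity time and an HMAC over both."""
    now = int(time.time() if now is None else now)
    sid = secrets.token_hex(16)
    body = f"{sid}:{now}"
    return f"{body}:{_sign(body.encode())}"


def validate_cookie(cookie, now=None):
    """Return (ok, sid, refreshed_cookie). Tampered or idle-expired cookies fail."""
    now = int(time.time() if now is None else now)
    try:
        sid, ts, mac = cookie.split(":")
        ts = int(ts)
    except (ValueError, AttributeError):
        return False, None, None
    if not hmac.compare_digest(mac, _sign(f"{sid}:{ts}".encode())):
        return False, None, None          # signature mismatch: forged or altered
    if now - ts > IDLE_TIMEOUT:
        return False, None, None          # idle timeout: user must log in again
    body = f"{sid}:{now}"                 # refresh the activity timestamp
    return True, sid, f"{body}:{_sign(body.encode())}"


def csrf_token(sid, action):
    """Per-session, per-action token the proxy injects into the forms it serves."""
    return _sign(f"csrf:{sid}:{action}".encode())


def check_state_changing_request(cookie, form_body, action, now=None):
    """Policy for POSTs: a valid session cookie AND a CSRF token bound to it."""
    ok, sid, refreshed = validate_cookie(cookie, now)
    if not ok:
        return "deny", "invalid or expired session"
    token = parse_qs(form_body).get(CSRF_PARAM, [""])[0]
    if not hmac.compare_digest(token, csrf_token(sid, action)):
        return "deny", "missing or wrong CSRF token"
    return "allow", refreshed


if __name__ == "__main__":
    cookie = issue_cookie()
    sid = cookie.split(":")[0]
    good = f"amount=10&{CSRF_PARAM}={csrf_token(sid, '/transfer')}"
    print(check_state_changing_request(cookie, good, "/transfer")[0])   # allow
    print(check_state_changing_request(cookie, "amount=10", "/transfer")[0])  # deny
```

Because the token is a MAC over the session id, an attacker's page cannot produce one for a victim's session, and because the cookie's timestamp is under the MAC, the idle timeout cannot be extended client-side.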
DoS mitigation
Profense mitigates the effect of DoS and DDoS attacks by limiting the number of concurrent TCP connections and the rate at which connections can be established, per source IP. IPs exceeding these configurable limits are blocked at the network level for a configurable time.
Network level blocking
Instead of only denying the request at the application level, Profense can be configured to automatically create network firewall policy rules that block IP addresses at the network level when denied attacks exceed a configurable risk level.
SSL Client Authentication
Profense supports SSL client certificate based authentication and authorization.
SSL client certificates are forwarded to the backend web server.

Web Application Firewall - Policy management

Automated Policy Generation
Profense automatically generates access policies for even complex web applications and web systems.
All relevant information for a web application, including URLs, parameters and HTTP methods, is automatically learned by Profense and applied to the running access policy. This allows system administrators to quickly enable new or updated information about the web application, reducing the manual work needed when implementing new or changed access policies.
Regular expressions support
Profense has full support for standard PCRE (Perl Compatible Regular Expressions).
This feature allows system administrators to manually fine-tune and implement strict values for legitimate HTTP parameters.
Global URL wild-cards
In order to simplify the ACL, Profense supports the definition of URL wild-cards based on regular expressions which match URLs without parameters on a proxy-global basis.
Class based policy rules
Filtering rules can be specified using classes for easy administration.
Classes are defined globally and can be applied when manually editing the access policy, when the access policy is built automatically, and when rules are added or modified from the log.
Audit logging
All administrative actions are logged to a system log with requested action, payload (what to do), user and IP, success or failure.
The audit log and other system logs can be sent to an external Syslog server.
Fine grained violation action control
Profense allows for very fine grained control over what violations to block and what violations to just log. Violation action control can be configured for each type of violation and for entire web applications.

Load balancing

Session persistence
Session persistence is achieved through insertion of a cookie tracking the session.
When the Profense Load Balancer is configured in an active/active cluster (i.e. is itself load balanced), session persistence is independent of the cluster node handling the request.
Guaranteed secure persistence
Profense Load Balancer offers guaranteed SSL session persistence by decrypting the SSL content.
In this way the client is guaranteed a secure persistent browsing experience without loss of state information.
Rate limiting
Profense offers HTTP request throttling which limits the rate at which client IPs can request pages and HTTP connection limiting which limits the total number of concurrent connections a client IP can make to a website. Clients exceeding the configured limits can either be slowed down by delaying responses or be sent an error message.
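The per-source-IP limits described under DoS mitigation above and under Rate limiting here, as one added example that is not Profense's code: connection concurrency and connection-rate caps that block the source at network level for a configurable time, and an HTTP request-rate cap that throttles the client by delaying it. The limit values, window sizes and the class name are constructed for this example.

```python
import time
from collections import defaultdict, deque


class SourceLimiter:
    """Per-source-IP connection limiting (block on excess) and HTTP request
    throttling (delay on excess). All defaults are constructed for this example."""

    def __init__(self, max_concurrent=50, max_conn_per_window=200,
                 max_req_per_window=500, window=10, block_for=60):
        self.max_concurrent = max_concurrent
        self.max_conn_per_window = max_conn_per_window
        self.max_req_per_window = max_req_per_window
        self.window = window                  # seconds of sliding window
        self.block_for = block_for            # seconds a source stays blocked
        self.open_conns = defaultdict(int)    # ip -> currently open connections
        self.conns = defaultdict(deque)       # ip -> timestamps of recent connects
        self.reqs = defaultdict(deque)        # ip -> timestamps of recent requests
        self.blocked_until = {}               # ip -> time the network-level block expires

    def _expire(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self.blocked_until[ip]            # block has expired
        return False

    def on_connect(self, ip, now=None):
        """Return 'accept' or 'block'. Exceeding either connection limit blocks the
        source for block_for seconds, the network-level action described above."""
        now = time.time() if now is None else now
        if self.is_blocked(ip, now):
            return "block"
        q = self.conns[ip]
        self._expire(q, now)
        q.append(now)
        if self.open_conns[ip] >= self.max_concurrent or len(q) > self.max_conn_per_window:
            self.blocked_until[ip] = now + self.block_for
            return "block"
        self.open_conns[ip] += 1
        return "accept"

    def on_close(self, ip):
        if self.open_conns[ip] > 0:
            self.open_conns[ip] -= 1

    def on_request(self, ip, now=None):
        """HTTP request throttling: ('ok', 0), or ('delay', seconds) once the request
        rate is exceeded, where the delay is the time until the oldest request leaves
        the window. Answering with an error page instead is the other option."""
        now = time.time() if now is None else now
        q = self.reqs[ip]
        self._expire(q, now)
        q.append(now)
        if len(q) > self.max_req_per_window:
            return "delay", self.window - (now - q[0])
        return "ok", 0


if __name__ == "__main__":
    lim = SourceLimiter(max_concurrent=3, max_req_per_window=5)
    src = "203.0.113.7"   # constructed source address (documentation range)
    print([lim.on_connect(src, now=t) for t in (1, 2, 3, 4)])   # 3 accepts, then block
    print([lim.on_request(src, now=100 + i) for i in range(6)])  # 5 ok, then a delay
```

Note that per-source limits only help against sources that repeat; a distributed flood spread thinly across many addresses stays under every per-IP threshold, which is why the page pairs this with the event-driven design that keeps idle connections cheap.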
HTTP and HTTPS request switching
As SSL connections are terminated by Profense, it works equally well with HTTP and HTTPS.
Optionally, requests from clients can be re-encrypted before being forwarded to back-end servers.
Round robin, source hashing and session persistence based on cookies or headers are supported.
Health checking
Profense proactively checks backend web server availability and allows programmed event based disabling of failed or overburdened web servers with immediate alerting of the event via email or Syslog. HTTP response code and response body checksum methods are supported.

Web acceleration

Caching
Caching of static and dynamic documents improves performance by 300 - 500%.
Documents that can be cached are stored locally by Profense. Any further requests for documents found in the cache are delivered to clients directly from Profense. Therefore the back-end web servers can focus on delivering dynamic content with improved response times to clients, without the overhead of delivering static content like images, PDF documents, static HTML documents, style-sheets and others.
Dynamic caching allows for caching dynamically served content, like newspaper articles, for a short time. Caching rules are specified using regular expressions and caching time can be just a few seconds.
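An added example of regex-driven caching rules with short TTLs for dynamic content, as described above. It is not Profense's cache engine; the rule format, the `sample_origin` stub standing in for a back-end server, and the decision to never store responses that set cookies or carry `Cache-Control: no-store` are assumptions for this example.

```python
import re
import time


class RuleCache:
    """Regex-based caching rules with per-rule TTLs (constructed example)."""

    def __init__(self, rules):
        # rules: list of (regex matched against the whole request path, TTL seconds).
        # First matching rule wins; a TTL of 0 means never cache.
        self.rules = [(re.compile(pattern), ttl) for pattern, ttl in rules]
        self.store = {}              # path -> (expires_at, body)
        self.hits = self.misses = 0

    def ttl_for(self, path):
        for pattern, ttl in self.rules:
            if pattern.fullmatch(path):
                return ttl
        return 0

    @staticmethod
    def _storable(status, headers):
        """Only cache successful responses that are not private to one user."""
        h = {k.lower(): v for k, v in headers.items()}
        if status != 200 or "set-cookie" in h:
            return False
        return "no-store" not in h.get("cache-control", "").lower()

    def fetch(self, path, origin, now=None):
        """Serve from cache while fresh; otherwise call origin(path), which returns
        (status, headers, body), and store the body for the rule's TTL."""
        now = time.time() if now is None else now
        entry = self.store.get(path)
        if entry is not None and entry[0] > now:
            self.hits += 1
            return entry[1], "HIT"
        status, headers, body = origin(path)
        ttl = self.ttl_for(path)
        if ttl > 0 and self._storable(status, headers):
            self.store[path] = (now + ttl, body)
            self.misses += 1
            return body, "MISS"
        return body, "BYPASS"


ORIGIN_CALLS = []   # records every request that reached the (simulated) back end


def sample_origin(path):
    """Constructed stand-in for a back-end web server."""
    ORIGIN_CALLS.append(path)
    headers = {"Content-Type": "text/html"}
    if path == "/news/7":
        headers["Set-Cookie"] = "sid=abc"   # personalised page: must not be cached
    return 200, headers, f"body of {path}"


# Constructed rules: static files for an hour, articles for five seconds, account pages never.
RULES = [(r"/static/.*", 3600), (r"/news/[0-9]+", 5), (r"/account/.*", 0)]

if __name__ == "__main__":
    cache = RuleCache(RULES)
    for t, path in [(0, "/news/42"), (3, "/news/42"), (6, "/news/42"),
                    (6, "/news/7"), (6, "/account/me")]:
        print(t, path, cache.fetch(path, sample_origin, now=t)[1])
    print("hits", cache.hits, "misses", cache.misses, "origin calls", len(ORIGIN_CALLS))
```

The Set-Cookie check is the important edge case for a WAF that sits in front of logged-in applications: a short TTL on a dynamic page is only safe if a personalised response can never be served to the next visitor.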
HTTP compression
Dynamic compression of transmitted data reduces bandwidth usage by 30 - 60% and increases transfer rate by 50 - 100%.
HTTP compression reduces the transfer volume of static and dynamically generated web pages to approximately 1/3 of their original size and proportionally speeds up page load times. This results in reduced traffic costs and a better experience for web site visitors.
SSL acceleration
Profense has the ability to terminate HTTPS (SSL) based connections and requests from clients before forwarding them as HTTP (non-SSL) to back-end servers.
This off-loads the back-end web servers from expensive SSL calculations thus allowing them to focus on faster content delivery to clients.

Log functions

Profense Management Dashboard
The Profense Management Dashboard presents system and website statistics and events in an aggregated view, allowing the most important events to be identified and focused on rapidly. The website deny log dashboard gives greater visibility into threatening activity and allows aggregate and per-website deny log viewing, highly specific policy building and highly configurable event reporting. The Profense Dashboard supports both individual and cross-website analysis.
Attack classification
All rejected requests are classified into major attack groups (e.g. SQL injection, buffer overflow) using a combination of cross validation, heuristic patterns and statistics.
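An added example, not Profense's classifier, of the kind of attack grouping described above run over constructed deny-log records: heuristic indicators per group, a length statistic for the buffer-overflow group, header-compliance failures as protocol violations, and a fallback group for requests that are simply outside the access policy. The indicator set, group names and record layout are assumptions for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Heuristic indicators per attack group. Constructed for this example; a real
# classifier uses far larger rule sets plus statistics across many requests.
INDICATORS = {
    "sql-injection": [r"(?i)\bunion\b.+\bselect\b", r"(?i)\bor\b\s+\d+\s*=\s*\d+", r"--\s*$"],
    "cross-site-scripting": [r"(?i)<script", r"(?i)javascript:", r"(?i)\bon\w+\s*="],
    "path-traversal": [r"\.\./", r"(?i)/etc/passwd"],
}
OVERSIZE = 4096   # values longer than this are classified as buffer-overflow attempts


def classify(record):
    """record: dict with 'path', 'query' and 'headers_ok'. Returns (group, evidence).
    Cross validation here means the group with the most matching indicators wins;
    a request with no indicator at all is a plain policy violation."""
    if not record.get("headers_ok", True):
        return "protocol-violation", "HTTP header compliance failure"
    for pair in record["query"].split("&"):
        value = pair.split("=", 1)[-1]
        if len(value) > OVERSIZE:
            return "buffer-overflow", f"parameter value longer than {OVERSIZE} bytes"
    # Decode before matching so percent-encoded payloads are seen in clear.
    text = unquote_plus(f"{record['path']}?{record['query']}")
    scores, evidence = Counter(), {}
    for group, patterns in INDICATORS.items():
        for pattern in patterns:
            if re.search(pattern, text):
                scores[group] += 1
                evidence.setdefault(group, pattern)
    if scores:
        group = scores.most_common(1)[0][0]
        return group, evidence[group]
    return "policy-violation", "request outside the access policy"


def summarize(records):
    """Deny-log statistics: rejected requests per attack group and per source IP."""
    by_group, by_ip = Counter(), Counter()
    for record in records:
        by_group[classify(record)[0]] += 1
        by_ip[record["ip"]] += 1
    return by_group, by_ip


# Constructed deny-log records (documentation address ranges, not real sources).
SAMPLE = [
    {"ip": "203.0.113.5", "path": "/article", "query": "id=1' OR 1=1 --", "headers_ok": True},
    {"ip": "203.0.113.5", "path": "/search", "query": "q=<script>test</script>", "headers_ok": True},
    {"ip": "198.51.100.2", "path": "/download", "query": "file=../../etc/passwd", "headers_ok": True},
    {"ip": "198.51.100.2", "path": "/login", "query": "user=" + "A" * 5000, "headers_ok": True},
    {"ip": "192.0.2.9", "path": "/", "query": "", "headers_ok": False},
    {"ip": "192.0.2.9", "path": "/unknown", "query": "", "headers_ok": True},
]

if __name__ == "__main__":
    for record in SAMPLE:
        print(record["ip"], record["path"], "->", *classify(record))
    by_group, by_ip = summarize(SAMPLE)
    print(dict(by_group))
    print(dict(by_ip))
```

Per-IP counts alongside per-group counts are what make the statistics useful for the network-level blocking feature: a single source accounting for many denies across several groups is a stronger signal than any one pattern match.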
External notification
Alerts can be sent to an external syslog server or by email. Alert levels are completely configurable and are mapped to standard syslog priorities (information levels).
Deny log
The management interface includes a comprehensive security log displaying all the necessary details about blocked requests, including the time stamp, IP address, HTTP method, path and query segments, HTTP header violations, attack classification and raw request data.
Access log
The access log includes information about all requests, including the request, IP address, timestamp, response size, response time, server response code and caching status.
Traffic statistics
Traffic statistics are generated for 8-hour, 24-hour, week and month intervals. Data is displayed graphically and includes served requests, caching and compression ratios and web server response code ratios.
Customizable search criteria
Multiple search criteria can be specified using wildcards allowing for detailed drill down searches.
Customizable reporting
All log views (search filter sets) can be exported to printable reports or XML.

Operation

Automated remote backup
The complete running Profense™ installation including all settings, proxies and access policies can be automatically backed up by Profense™ to a remote FTP server.
Manual full and partial backup
A complete Profense™ installation or the entire configuration of a single proxy can also be backed up manually with a few clicks in the management interface.
Easy restore
A complete Profense™ configuration including access policy for all defined proxies can be restored from an FTP-server or the file system with a few clicks in the management interface.

Scalability and availability

Policy synchronization
All policy changes are automatically synchronized across the nodes in a Profense™ cluster.
High availability
Profense™ can be run in active/passive configurations where two or more physical Profense™ nodes together comprise a logical Profense™ unit with automatic fail-over.
Clustering
Active/active clustering with automatic policy synchronization allows for virtually unlimited scalability. No additional load balancer is required as Profense™ is "self load balancing".

Requirements compliance

OWASP Top Ten
Defenses against all OWASP Top Ten vulnerabilities.
PCI DSS 2.0 section 6.5 and 6.6 requirements
Profense™ provides full PCI DSS 2.0 section 6.5 and 6.6 requirements compliance.