Web Application Firewall
Safeguard Sensitive Data. Enforce Security Policies with Web Application Firewall.
Advanced Web Application Security and Compliance Solution
Profense Web application firewall (WAF) is software that secures Web applications. It enables PCI compliance by mitigating Web application security threats and vulnerabilities to prevent data theft and manipulation of sensitive corporate and credit card information. Profense incorporates advanced Web application security filtering technologies to seamlessly detect threats, block attacks and report events. Profense improves the security and availability of business-critical Web applications and creates a higher return on investment (ROI) for Web-based applications.
With installation taking less than an hour, the Profense web application firewall software quickly and easily turns most standard servers into a powerful, standalone web application firewall allowing you to affordably join the thousands of others who trust Profense to protect their web sites, web applications, web services and data.
I had a full featured trial version installed within minutes. During the trial period, the support was excellent.
Recently we bought our second cluster license.
I recommend it to anyone.
Large financial industry company, Chicago, IL
Deployments
1. Simple single-homed Profense implementation
Figure 9.1. Simple single-homed Profense implementation
This scenario is the easiest to implement, since Profense can be introduced in the already established network without any major reconfigurations. A caveat with this setup is that all Profense traffic (both inbound from clients and outbound to the web systems) is using a single ethernet interface.
Profense is placed on the same network (DMZ) as the web systems (web1 and web2) it is protecting.
HTTP/HTTPS traffic designated to the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering web systems’ DNS settings) to Profense’s IP address 192.168.0.2.
The web systems’ default gateway is unaltered and is still the router with IP address 192.168.0.1.
2. Firewalled single-homed Profense implementation
Figure 9.2. Firewalled single-homed Profense implementation
This scenario requires an extra interface in the firewall since Profense is deployed in a DMZ-segment separated from the segment in which the web servers are placed. A caveat with this setup is that all Profense traffic (both inbound from clients and outbound to web systems) is using a single ethernet interface.
A separate network segment (subnet 2) is configured between Profense and the firewall.
HTTP/HTTPS traffic designated to the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering web systems’ DNS settings) to Profense’s IP address 192.168.1.10.
Outbound traffic from Profense to web systems is again inspected by the firewall and sent to the web systems on subnet 3.
The web systems’ default gateway is the firewall with IP address 192.168.0.1.
3. Firewalled Profense implementation with a fail-over/backup Profense
Figure 9.3. Firewalled Profense implementation with a fail-over/backup Profense
In this scenario Profense is deployed in a high availability configuration with an extra Profense (backup) used for fail-over. A dedicated network or crossover cable is used to connect the Profense cluster and a separate interface is used for synchronization of various information between the active and the backup Profense. Inbound and outbound traffic share the same interface.
The two Profense systems share a virtual (VIP) IP address 192.168.1.12.
HTTP/HTTPS traffic designated to the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering web systems’ DNS settings) to Profense’s VIP address 192.168.1.12.
If the active Profense system fails or loses connectivity, the backup will take over the VIP and start handling the requests from clients.
The web systems’ default gateway is the firewall with IP address 192.168.0.1.
4. Dual-homed performance optimized Profense implementation
Figure 9.4. Dual-homed performance optimized Profense implementation
In this scenario Profense is configured in a dual-homed setup with separation of inbound and outbound web traffic. 2 ethernet interfaces are utilized. Client requests are terminated in VLAN2 and responses from web systems are terminated in VLAN3. This setup (or similar) potentially provides greater performance (since 2 interfaces are used) and security.
A separate network segment (VLAN2) is configured between Profense and the layer 3 switch.
HTTP/HTTPS traffic designated to the web systems (192.168.0.3 and 192.168.0.4) is redirected (either by forwarding IP packets via the router or by altering web systems’ DNS settings) to Profense’s IP address 192.168.1.9.
Outbound traffic (downstream) from Profense is sent to web systems via VLAN3.
The layer 3 switch is configured to allow only traffic on the necessary ports (typically 80/tcp for HTTP and 443/tcp for HTTPS) to pass from Profense to the web systems.
The web systems’ default gateway is the layer 3 switch with IP address 192.168.0.1.
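The restriction described for the layer 3 switch in scenario 4 can be checked mechanically. The following is an added example, not Profense or switch vendor code: it audits a vendor-neutral rule list (a hypothetical format) and flags permit rules that reach the web systems from anything other than Profense or on ports other than 80/tcp and 443/tcp. The Profense VLAN3 address and the sample rules are constructed assumptions; the page does not state them.

```python
import ipaddress

# Values taken from the page.
WEB_SYSTEMS = [ipaddress.ip_address("192.168.0.3"),
               ipaddress.ip_address("192.168.0.4")]
ALLOWED_PORTS = {80, 443}
# Assumption: placeholder for Profense's VLAN3-side address (not given on the page).
WAF_DOWNSTREAM = ipaddress.ip_network("192.168.0.2/32")

# Constructed sample rules: (action, source CIDR, destination CIDR, tcp port or None for any).
SAMPLE_RULES = [
    ("permit", "192.168.0.2/32", "192.168.0.3/32", 80),
    ("permit", "192.168.0.2/32", "192.168.0.4/32", 443),
    ("permit", "192.168.0.2/32", "192.168.0.0/24", 22),    # extra port open to the web segment
    ("permit", "192.168.1.0/24", "192.168.0.3/32", 80),    # VLAN2 hosts reach web1 without Profense
    ("permit", "0.0.0.0/0",      "192.168.0.4/32", None),  # any source, any port
    ("deny",   "0.0.0.0/0",      "0.0.0.0/0",      None),
]

def audit_acl(rules):
    """Return (rule_index, reason) for each permit rule that violates the policy.

    Each rule is judged on its own; rule ordering and shadowing are not modelled.
    """
    findings = []
    for i, (action, src, dst, port) in enumerate(rules):
        if action != "permit":
            continue
        dst_net = ipaddress.ip_network(dst)
        # Only rules whose destination covers a protected web system matter here.
        if not any(host in dst_net for host in WEB_SYSTEMS):
            continue
        src_net = ipaddress.ip_network(src)
        if not src_net.subnet_of(WAF_DOWNSTREAM):
            findings.append((i, f"source {src} is not limited to Profense"))
        if port is None or port not in ALLOWED_PORTS:
            findings.append((i, f"port {port or 'any'} is not 80/tcp or 443/tcp"))
    return findings

if __name__ == "__main__":
    for index, reason in audit_acl(SAMPLE_RULES):
        print(f"rule {index}: {reason}")
```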
Profense Web Application Firewall - Single Node License 8/5 Support
Features include auto mode with instant protection and adaptive learning, positive and negative filtering, XML and JSON services support, session validation and CSRF protection, output rewriting and log data masking, load balancing with session persistence, acceleration, automated learning, access log, audit logging, automated push backup.
Includes 1 year 8/5 business day support by phone, email and web, automated updates, all upgrades. Annual support renewal: $1495
License: Single node license. Allows for installation of one node in production environment. Additional nodes in non-production environment for development and testing are allowed.
Support: Standard support – first year. 8/5 business day support by phone, email and web, automated updates, all upgrades.
Support upgrade and renewal options:
Upgrade to Premium support (24/7) first year: $595
Standard support renewal one year: $1,495
Premium support renewal one year: $1,995
Profense Web Application Firewall - Single Node License 24/7 Support
Features include auto mode with instant protection and adaptive learning, positive and negative filtering, XML and JSON services support, session validation and CSRF protection, output rewriting and log data masking, load balancing with session persistence, acceleration, automated learning, access log, audit logging, automated push backup.
Includes 1 year 24/7 business day support by phone, email and web, automated updates, all upgrades.
License: Single node license. Allows for installation of one node in production environment. Additional nodes in non-production environment for development and testing are allowed.
Support upgrade and renewal options:
Premium support renewal one year: $1,995
Profense Web Application Cluster - Two Node License 8/5 Support
Profense™ Cluster Two Node License Standard support
Perfect for companies with high traffic volumes who also want the comfort of instant backup for their security.
Features include auto mode with instant protection and adaptive learning, positive and negative filtering, XML and JSON services support, session validation and CSRF protection, output rewriting and log data masking, load balancing with session persistence, acceleration, automated learning, access log, audit logging, automated push backup, active/active clustering with policy synchronization.
License: Two node license. Allows for installation of one master node and one slave node in production environment. Additional nodes in non-production environment for development and testing are allowed.
Unlike most traditional web application firewall appliances, Profense cluster nodes run side by side, sharing the traffic load and providing instant backup for each other.
These nodes “self balance” so no additional hardware is required for high volume environments, giving you performance you’d have to pay a minimum of 50% more for with traditional solutions.
Includes 1 year 8/5 business day support by phone, email and web, automated updates, all upgrades.
Support and upgrade options:
Upgrade to Premium support (24/7) first year: $845
Standard support renewal one year: $1,995
Premium support renewal one year: $2,495
Profense Web Application Cluster - Two Node License 24/7 Support
Profense™ Cluster Two Node License Includes Premium support (24/7) first year
Perfect for companies with high traffic volumes who also want the comfort of instant backup for their security.
Unlike most traditional web application firewall appliances, Profense cluster nodes run side by side, sharing the traffic load and providing instant backup for each other.
Features include auto mode with instant protection and adaptive learning, positive and negative filtering, XML and JSON services support, session validation and CSRF protection, output rewriting and log data masking, load balancing with session persistence, acceleration, automated learning, access log, audit logging, automated push backup, active/active clustering with policy synchronization.
License: Two node license. Allows for installation of one master node and one slave node in production environment. Additional nodes in non-production environment for development and testing are allowed.
These nodes “self balance” so no additional hardware is required for high volume environments, giving you performance you’d have to pay a minimum of 50% more for with traditional solutions.
Includes 1 year 24/7 business day support by phone, email and web, automated updates, all upgrades.
Premium support renewal one year: $2,495
Profense Base Web Application Firewall - Single Node License 8/5 Support
Features include Auto mode with instant protection and adaptive learning, positive and negative filtering, load balancing with session persistence, acceleration, automated learning.
License: Single node license. Allows for installation of one node in production environment. Additional nodes in non-production environment for development and testing are allowed.
Includes 1 year Web and email based technical support, automated updates.
Support upgrade and renewal options:
Upgrade to Standard Profense version, standard first year: $300
Basic support renewal one year: $995
Standard support renewal one year: $1,250





