Swordfish
Web Application Firewall

www.obrela.com

Web Application Security as a Service

Swordfish Web Application Security provides an innovative model to help businesses protect their brand and online information, incorporating a state-of-the-art transparent security layer over their web applications.

Web applications are a direct target for attacks, as they are directly accessible from all parts of the world and form a surface to valuable information and, many times, Personally Identifiable Information (PII) such as credit cards, identity numbers, health information, etc. Each year, web-borne attacks increase by 30%, while successful breaches reach up to a 60% increase, proving that not only are new attack vectors created on a daily basis, but their effectiveness and complexity are also significantly raised. Critical vulnerabilities like HeartBleed and ShellShock are disclosed, leaving Web developers unable to implement means of protection or, worse, proactively plan for these low-level vulnerabilities.

Businesses, on the other hand, have a critical demand for information and services to be available in the minimum amount of time to, amongst others, increase profitability or make new business channels available worldwide. Adding to the complexity, regulation standards such as PCI or HIPAA enforce the design and implementation of security controls to safeguard information.

Swordfish Web Application Security was designed to accommodate both business needs and security requirements. By implementing a transparent security layer in front of web applications, security and compliance requirements are no longer a dependency, as all Web requests are handled by the Swordfish WAF and cleaned of malicious calls, and legitimate traffic is directed to the Web Application for the business logic to be performed.

Swordfish Web Application Security is equipped with state-of-the-art rules, optimized to zero-out false positives and false negatives, as well as a set of features that establish a complete security solution for doing business today on the Web.

Why SWORDFISH?
The Swordfish Web Application Firewall Technology is engineered to be fully customizable in terms of user and group access privileges, aligned with both Corporate and Information Security policy. In effect, our solution addresses the security need for ongoing operational security, not just the technology:

Continuous Research Based Rule-Set

The carefully designed policies contain a comprehensive set of rules that implement general-purpose hardening and address common web application security issues, protecting against the latest threats, while taking advantage of the continuous research on new threats appearing on a daily basis on OSI Security Labs. OSI Security Labs investigates the vulnerabilities identified, compiles them with the latest threats reported by Bugtraq, CVE, Snort, and performs primary research to deliver the most up-to-date and comprehensive Web Application Firewall service available.

Anomaly Detection

The rule-set keeps anomaly scores for each request, IP address, application session, and user account. Attacks from sources having reconnaissance history, incomplete HTTP protocol transactions and malicious content within HTTP transport protocol, amongst multiple other factors, raise the abnormality score. Requests with high anomaly scores are rejected altogether.

Positive Security Model

Swordfish WAF analyzes the full HTTP transaction in order to understand the application structure, elements, and expected user behavior. The positive security model is implemented through the profiling of protected applications, including an enumeration of application URLs, parameters, cookies, and methods. By the end of the Learning phase, the WAF engine will have created a baseline of rules including all "whitelist" rules, ready to protect the Client's valuable web applications.

HTTPS/SSL Inspection

The Engine analyzes the full HTTP transaction - even over HTTPS/SSL - allowing complete requests and responses to be inspected for malicious input. With the high technology inspection, fine-grained decisions can take place, ensuring that only transactions containing malicious content are logged and intercepted.

Evolution in parallel with Web Applications

Swordfish WAF combines the negative and positive security models in order to identify the evolution of a web application. Analyzing the full HTTP transaction and inspecting the complete requests and responses, the WAF learning engine understands the application structure and elements that have changed since the last rule-set upgrade. Swordfish WAF evolves with the web application in parallel, recognizing application changes, while simultaneously protecting against deviations in known user behavior.

Reputational Intelligence (Swordfish ReputationMonitor)

Obrela Security Industries Reputational Intelligence enhances Swordfish WAF, by adding reputational context to all the actors associated with the communications between the customer infrastructure and the Internet. This is performed by integrating and de-duplicating multiple proprietary and open reputational feeds. OSI Domestic Intelligence Network uses SIEM and Honeypot intelligence to extract and local attack formations & attackers targeting multi-region telecommunication providers, amongst other industries. Sources based on OSI proprietary intelligence (SIEM based reputation, Malware Analysis, Regional Honeynets), Commercial Feeds (e.g. DVLabs) and Open Source feeds allow OSI to have total visibility of communication with TOR/Anonymity, C&C Servers, Compromised Hosts, Malware Repositories, Phishing Sites, etc.

Web Resource Surveillance (Swordfish SocialMonitor)

The customer's key web resources and their approved activities are extensively tested until a Gold Standard behavior mapping is developed. This Gold Standard mapping is then applied to OSI's Security Operations Center (SOC) and monitored round-the-clock. Any deviation from this mapping will trigger flags within OSI's SOC and strict rules of engagement are followed, allowing the customer to act quickly and decisively. Features include, but are not limited to, screenshot rendering changes, HTML source changes, key string monitoring, monitoring against sensitive information disclosure.

Virtual Patching Through Vulnerability Scanner Integration

Swordfish WAF acts as an external patching tool for systems with known weaknesses and vulnerabilities. OSI engineers create custom rules in order to reduce the window of opportunity. Provided the time needed to patch application vulnerabilities, OSImWAF allows applications to be patched from the outside, without touching the application source code, making the protected systems secure, until a proper patch is produced and deployed.

Web Fraud Prevention

Phishing criminals are getting smarter, whilst their techniques are constantly evolving. Their enhanced efforts continue to generate results from phishing, with the criminals focusing their effort where they can get results. Through the optional integration with FraudWatch, organizations are able to identify and stop fraudulent transactions damaging the client's reputation.

A full bandwidth of services, not just a web application firewall

Monitor Mode Option

With the high technology inspection, fine-grained decisions can take place, ensuring that only transactions containing malicious content are logged, without being blocked. In case the positive model is selected, the ruleset created during Learning mode is used to identify deviations from normal behavior and instantly produce alerts. In case the negative security model is selected, the carefully designed ruleset contains a comprehensive set of rules that identify common web application security issues, protecting against the latest threats, while taking advantage of the continuous research on OSI Security Labs. In monitor mode, the WAF monitors traffic without blocking malicious activity. Operators are instantly alerted in case of malicious activity in order to manually mitigate the incident.

Zero Impact Deployment and Ultra High Performance

Swordfish WAF deployment only takes a few minutes to add web sites, no matter what technology or web server platform is used. It is practically deployed by just changing the DNS record of the site to point to the Swordfish WAF farm. In-house setups are also designed with speed-of-deployment in mind.

Security Updates and Enhancements

The Swordfish WAF Policies are continuously evolving, by taking advantage of the continuous research on new threats appearing on a daily basis on OSI Security Labs. Rules and definitions are updated monthly in order to protect the Client's valuable Web Applications against the latest threats.

In-House Deployment Options

Swordfish WAF appliances provide superior performance, scalability, and resiliency for demanding web application environments. To maximize uptime, the Swordfish WAF hardware appliances optionally feature redundant power supplies, multiple network interfaces and hard drives. Swordfish WAF hardware appliances provide the flexibility, reliability and performance required to support multiple Swordfish WAF instances protecting multiple clients' web applications. Swordfish WAF Virtual Appliances take advantage of existing virtualization by integrating with all modern virtualization technologies. Virtual Appliances offer adaptable, reliable and manageable security for organizations of all sizes.

SWORDFISH as a Service (SaaS) helps you leverage SWORDFISH Technology without requiring capital expenditures in technology infrastructure or staff training.

SWORDFISH as a Service (SaaS) helps you leverage SWORDFISH solutions without requiring capital expenditures in technology infrastructure or staff training. SWORDFISH services can be tailored to your information security model and integrated with your existing security organization and procedures.

The look and feel can also be adjusted to address corporate branding and internal marketing requirements. SWORDFISH is also integrated with the Obrela Security Industries Corporate Security Intelligence Services and can be monitored on a real time basis, by leveraging existing Security Operations Centers and Infrastructure.

Swordfish Web Application Firewall is accompanied by a web console providing an instant view of all operations undertaken by the WAF to protect the applications.

Traffic statistics are provided to track bandwidth utilization, countries and user agents.

Security statistics illustrate an overview of the web firewalling process grouped by threat category, as well as their association with compliance sections such as PCI and SOX.

Events that constitute malicious behavior being cleaned are available, along with the endpoint details, headers and rules that were triggered.

Administration sections allow for easy management of various WAF features, dashboards per site protected, user management and mapping of users to protected applications.

Multiple Swordfish WAF instances can be managed from within a single Web Console.

One-click integration with Corporate Security Intelligence

All services provided by Obrela Security Industries are tightly integrated with each other in order to benefit from a multi-dimension protection platform, under a single contract, tailored to each individual requirement or use case.

The Swordfish Web Application Security, either deployed As-A-Service (SecSAAS) or in-house (physical or virtual appliance), can be integrated with the Corporate Security Intelligence services, providing real-time monitoring of all security aspects utilizing state-of-the-art SIEM deployments.

Security event information generated by the Swordfish WAF is consolidated and reported to our Security Operations Centers (SOC), where it is correlated, monitored and manually validated on a 24x7 basis. Incidents requiring attention are escalated based on mutually agreed SLA and are monitored until closure via an integrated ticketing system.

The integration allows Obrela Security Industries engineers to identify patterns in traffic and correlate behaviors based on statistical models that would be otherwise left unattended.

Such cases include identification of business logic vulnerabilities, identification of changes in the underlying web application and evaluation against the behavioral model, live identification of distributed denial of service attacks being formatted or taking place.

Specifications

Model: As A Service (SecSaaS) | V2100 | V4100 | V8100 | A4100 | A8100 | A12100
Type: Managed Service | Virtual Appliance | Virtual Appliance | Virtual Appliance | Physical Appliance | Physical Appliance | Physical Appliance
CPU: Unlimited | 2 Vcores | 4 Vcores | 8 Vcores | 1 x Xeon Quad | 2 x Xeon Quad | 2 x Xeon Eight
Ram (GB): Unlimited | 16
Disk (GB): Unlimited | 50 | 100 | 200 | 250 | 250 | 500
Interface: N/A | Hypervisor dependent | Hypervisor dependent | Hypervisor dependent | 4 x Copper | 4 x Copper | 4 x Copper
Disk redundancy: Included | N/A | N/A | N/A | Yes | Yes | Yes
PSU redundancy: Included | N/A | N/A | N/A | Yes | Yes | Yes
High Availability: Geographic Relocation | A/A, A/P | A/A, A/P | A/A, A/P | A/A, A/P | A/A, A/P | A/A, A/P
Form Factor: N/A | N/A | N/A | N/A | 1u | 1u | 1u
AC Power - Consumption - Heat Output: N/A | N/A | N/A | N/A | 100-240V, 50-60 Hz, 130W, 450BTU/h | 100-240V, 50-60 Hz, 225W, 750BTU/h | 100-240V, 50-60 Hz, 250W, 800BTU/h
Hardware Support: N/A | N/A | N/A | N/A | 3y NBD Response | 3y 4h Response | 3y 4h Response
Peak Throughput (mbps): Unlimited | 40 | 80 | 160 | 150 | 300 | 600
Web Security: Positive Security Model, Negative Security Model, Automatic WebApp learning, Web server & application signatures, HTTP Protocol Abnormalities, Encoding normalization
Network security: Stateful firewall, DoS prevention
Web Console / UI: Provided
User Interface: Live monitoring, Dashboard Monitoring, Alerting Through ArcSight Web Console
Deployment Modes: Block Mode / Learning Mode / Monitor Mode
Session Awareness: Yes | Yes | Yes | Yes | Yes | Yes | Yes
Reputational Intelligence: Yes | Yes | Yes | Yes | Yes | Yes | Yes
SSL Inspection: Yes | Yes | Yes | Yes | Yes | Yes | Yes
Web Resource Surveillance: Yes | Yes | Yes | Yes | Yes | Yes | Yes
Fraud Protection: Optional
Virtual Patching: Yes | Yes | Yes | Yes | Yes | Yes | Yes
DDoS Protection: Optional | Depending on infrastructure DDoS mitigation capabilities
SIEM Integration / 24x7x365 Monitoring: Optional
Updates: Monthly Rules and definitions. Major version upgrades every 12 to 18 months. Minor releases (service packs) every 4 to 6 months. Patches are released as needed.

Learn More
http://www.obrela.com/WAF
