The SecureSphere Web Application Firewall
An Automated Approach to Defending Web Applications
Web applications have lowered costs and increased revenue by
extending the enterprise’s strategic business systems to
customers and partners. However, Web applications also
expose these critical systems to continuous threats from both
internal and external sources.
Defending Web applications is one of the most challenging
aspects of information security. Because Web applications
constantly change to meet business requirements, the security
model must adapt as changes are made to the applications. In
addition, because data centers are highly optimized, deploying
an application security solution must require minimal changes
to the existing infrastructure. Unfortunately, first generation
Web Application Firewalls are too inflexible for most customer
environments, too intrusive to deploy and too costly to
This paper provides an overview of the Web application threat
environment and presents Imperva’s SecureSphere Web
Application Firewall – an integrated approach that meets
stringent data center requirements for security, performance,
deployment, operations, and regulatory compliance.
Web Application Security
Web applications have become the backbone of business in nearly every segment of the economy.
They connect employees, customers, and partners to the information they need anywhere and
anytime. This universal information accessibility has cut costs and dramatically accelerated the pace
of business. Unfortunately, as the information accessibility has grown, so too has risk. Identity theft,
data leakage, phishing, SQL injection, worms, denial of service (DoS) attacks, and malicious robots
increasingly target Web applications with consequences that impact brand, revenues, and regulatory
Attack Example - Identity Theft
Web application security solutions must provide protection against a range of attacks targeting
vulnerabilities in both custom application logic and underlying commercial software platforms.
Increasingly, these attacks also target vulnerabilities in Web services (XML, SOAP, etc.) components
of application software. As the following example illustrates, a single threat such as identity theft
may result from any number of vulnerabilities and associated attacks.
• SQL Injection attacks take advantage of input validation vulnerabilities in custom Web
application code to send unauthorized SQL commands to a back-end database. For example,
using SQL injection, an attacker may gain access to the entire contents of a backend
database including identity information. SQL injection is usually carried out by an external
attacker from outside the perimeter firewall.
• Cross-site Scripting attacks take advantage of script injection vulnerabilities in custom Web
application code to redirect a customer’s login credentials to an attacker. Often used as part
of a larger phishing scheme, cross-site scripting is usually carried out by an external attacker
from outside the perimeter firewall.
• Worm Infections take advantage of vulnerabilities in underlying operating systems and
commercial software platforms. Code Red, Nimda, and MSBlaster represent just a few widely
known worms targeting Web application platform software. In the case of identity theft,
platform software vulnerabilities may be exploited by worms (or individual attackers) to
install Trojan horse programs to enable back-door access to identity information.
There are many more examples of Web application vulnerabilities and attacks. For more information,
see the research by Imperva’s Application Defense Center (ADC) located at
Assessing Alternatives for Web Application Security
The complexity of the Web application threat environment makes it different from other segments of
the IT security landscape. Traditional network firewalls and intrusion prevention capabilities, while
necessary, do not have insight into the higher level data layer activity necessary to protect against
Web application attacks such as those described in the previous section. Complete Web application
security requires detailed understanding of the elements of legitimate user transactions within each
Web application – including URLs, HTTP methods, session IDs, cookies, XML/SOAP schema, and
more. This level of security can only be provided with advanced Web application firewall capabilities.
This section analyzes the strengths and weakness of the individual security capabilities required for
complete Web application security.
Network firewalls provide network layer access control and attack protection services. They have
been uniformly deployed at the network perimeter and in front of critical internal enterprise resources
Page 2 Imperva, Inc.
– such as Web applications. As a component of overall Web application security architecture,
network firewalls provide necessary protection against network-layer hacking (network scanning,
telnet, etc.). They also provide a barrier against the spread of worms from corporate desktop
networks to Web applications via non-essential ports and protocols.
While network firewalls prevent network-layer attacks and worm propagation, firewall rulesets must
allow essential protocols such as HTTP and HTTPS unrestricted access to Web applications. Over
time, the hacking community has learned to use this fact to their advantage by embedding attacks
into Web traffic that is perfectly legitimate from a protocol perspective. Code Red and Nimda are
examples of Web application worms that easily traverse network firewalls via protocol-compliant Web
communications. Similarly, SQL injection and cross-site scripting represent two targeted Web
application attacks (among many) that go completely unnoticed by network firewalls since they are
similarly implemented via protocol compliant Web traffic. As long as an attack is carried out via
commonly allowed application protocols, network firewalls are ineffective.
Intrusion Prevention Systems (IPS)
The broader security industry has responded to the need for a deeper understanding of application
layer behavior with intrusion prevention systems (IPS). IPSs look at the contents of a packet’s
payload and compare it to a list of known attacks (signatures or other defenses) derived from
documented vulnerabilities in commercial software. IPS technology may also enforce protocol
restrictions to protect against known protocol related vulnerabilities in commercial software. Since
virtually all worms are based on known software vulnerabilities, IPS can be an effective worm defense
and therefore a useful component of a comprehensive Web application security architecture.
Unfortunately, IPSs are ineffective against targeted Web application attacks targeting unknown
vulnerabilities in custom code [1]. Since the vulnerabilities are unknown, no signatures are available.
Web Application and Web Services Firewalls
Web application and Web services firewalls parse Web application protocols and enforce a policy over detailed
data layer variables such as URLs, URL parameters, session IDs, cookies, etc. Standard Web
application firewalls focus on HTTP/HTTPS protocol traffic. Web services firewalls handle XML, SOAP,
and WSDL protocols. Some modern applications require both Web and Web services support.
Together these products provide critical protection against application attacks targeting
vulnerabilities in custom Web applications.
The biggest challenge to implementing a Web application firewall is building and maintaining an
accurate policy over time. A policy for a single application firewall may contain thousands or even
millions of variables (URLs, parameters, cookies, SQL queries, etc.) that are unique to each Web
application. To make matters worse, application developers change these variables on a regular
basis. Given this degree of complexity and speed of application change, expecting a human
administrator (or a team of administrators drawn from application development, operations, and
security groups) to manually create and maintain application firewall rules is unrealistic. Any
practical Web application firewall must completely automate the creation and ongoing maintenance
of an accurate policy. Unfortunately, most application firewalls have not adequately addressed this
fundamental challenge. Instead, they force administrators to manually configure and tune rules to an
extent that does not scale in real-world application environments.
[1] Although some IPS solutions claim to defeat certain targeted attacks such as SQL injection and cross-site scripting,
these claims should be treated with caution. IPS products rely on signatures that are commonly used as part of SQL
injection or cross-site scripting attacks. These signatures, however, are words such as “union,” “select” and “script”.
They are prone to false positives since they commonly appear in normal Web site content. Therefore, these signatures
are usually not enabled, leaving the application open to these attacks. Even if these signatures are enabled, they can
be circumvented using well-known evasion techniques.
Point Solutions are Problematic
As discussed in the previous section, complete Web application security traditionally requires a
combination of network firewall, IPS, Web application firewall and Web services firewall capabilities.
However, integration of so many disparate solutions can be problematic. Without integration there is
no way to stop sophisticated attacks that can only be identified by correlating information from
across the multiple components. Moreover, the combined cost to manage the discrete systems is
extremely high. Product selection, purchasing, training, deployment, configuration, ongoing policy
management, and audit functions must be duplicated for each solution. To make matters worse, each
inline security device introduces an additional point-of-failure and a performance risk that must be
managed closely. In short, the operational cost and risks associated with maintaining disparate Web
application security solutions are too high to be practical.
Deployment and Operational Challenges
The threat environment is not the only area in which Web application security challenges are unique.
Web applications must maintain exacting service levels, so they have stringent requirements related
to deployment and operations. Specific issues include performance, deployment risk, availability,
and centralized management.
• Performance – Web applications are designed to handle high throughput and transaction
rates. The performance of Web application security solutions must match or exceed other
elements of the application infrastructure or they cannot be deployed without degrading
• Deployment Risk – Web applications are finely tuned and extremely sensitive to change.
Any change to the network, application software, back-end databases, or Web server
platforms introduces risk to availability, performance, and security. Mitigating this risk
requires costly testing which is a serious barrier to deployment. Therefore, Web
application security solutions should be transparent to the surrounding infrastructure. In
other words, they must require no changes to that infrastructure.
• Availability – Any Web application downtime or poor service levels have a negative impact
on revenues, customer satisfaction and productivity. Therefore, Web application security
solutions must incorporate high availability capabilities.
• Centralized Management – Web application infrastructure is often distributed across the
globe. Security managers need to manage devices without connecting to each device
separately. Therefore, a centralized management server that automatically aggregates
management of distributed devices is a necessity.
SecureSphere Web Application Firewall
The SecureSphere® Web Application Firewall is the only solution to provide automated attack
protection for Web and Web Services applications. Imperva’s Dynamic Profiling technology builds a
model of legitimate application behavior and adapts to application changes over time, keeping
SecureSphere’s application protection up to date and accurate. Deployed in minutes with no changes
to the data center infrastructure, SecureSphere enables precise attack protection without manual
configuration or tuning.
Dynamic Profiling is the foundation of a multi-layer security architecture that provides complete
protection for all layers of the application infrastructure, including the network, server and
application. Imperva’s Transparent Inspection technology delivers multi-gigabit performance, sub-
millisecond latency and options for high availability that meet the most demanding data center
requirements. For large scale deployments, the SecureSphere MX Management Server centralizes
and streamlines configuration, administration, monitoring and reporting. And because SecureSphere
supports a broad range of network deployment options, it can be deployed into any environment
without requiring any network changes.
SecureSphere includes both firewall gateway and management server components. Gateway appliances
are deployed in the path of Web servers where they can identify and immediately block attacks. The MX
Management Server provides centralized management for multi-gateway deployments.
SecureSphere Provides Automated and Accurate Protection Against …
• Web, HTTPS and XML application attacks
• SQL Injection
• Session Hijacking
• Cross Site Scripting (XSS)
• Form Field Tampering
• Known Worms
• Zero Day Web Worms
• Buffer Overflow
• Cookie Poisoning
• Denial of Service
• Malicious Robots
• Parameter Tampering
• Brute Force Login
• Malicious Encoding
• Directory Traversal
• Web Server and Operating System Attacks
• Scanning
• Command Injection
• Illegal Encoding
• Identity Theft
• Data Theft
• Patient and Financial Data Disclosure
• Corporate Espionage
• Phishing
• Data Destruction
SecureSphere’s foundation technology meets the unique security, deployment and operational
demands of enterprise Web applications. This section provides a detailed explanation of this core
technology. The following (and final) section of this document covers key features and benefits that
are derived from the core technology.
Security Models and Security Enforcement
SecureSphere incorporates both dynamic positive (white list) and dynamic negative (black list)
security models. Instant Attack Validation (IAV) immediately validates and blocks any clear violations
according to either model. For complex attacks that are neither clearly good nor clearly bad,
Imperva’s unique Correlated Attack Validation (CAV) technology correlates violations across multiple
layers and over time to separate actual attacks from legitimate user traffic. CAV effectively correlates
information from all of SecureSphere’s security layers to achieve overall accuracy that cannot be
matched by several standalone security products.
Dynamic positive and negative security models are combined with SecureSphere’s
Instant Attack Validation and Correlated Attack Validation enforcement algorithms.
Dynamic Positive Security Model
At the heart of SecureSphere’s automated approach to security is Dynamic Profiling. Dynamic
Profiling automatically examines live traffic to create a comprehensive model (profile) of an
application’s structure and dynamics. The profile serves as the baseline for a positive security model
governing detailed application-layer behavior. By comparing actual traffic to the profile,
SecureSphere is able to detect malicious activity of any kind. Valid application changes are
automatically recognized and incorporated into the profile over time.
SecureSphere employs Dynamic Profiling to create positive security models of legitimate user
behaviors for Web and Web Services applications. By comparing profiled elements to actual traffic,
SecureSphere is able to detect malicious activity of any kind.
Dynamic Profiling overcomes the biggest drawback of other application firewall solutions – manual
rule creation and maintenance. Unlike network firewall solutions where policy may be limited to a few
dozen static rules, application firewall policy requires hundreds or thousands of rules governing
thousands of constantly changing variables including URLs, parameters, cookies, XML elements and
Any application security architecture that relies upon manual rule creation by a security administrator
requires constant rule-base tuning to account for changes to the applications. For example, many
Web application firewalls require manually created rules to define expected behaviors for client-side
scripts. These manual rules specify detailed application variables such as allowed URLs, parameters,
parameter types, and parameter constraints. Maintenance of these rules can be a major source of
operational overhead as many sites rely on hundreds of scripts. Any script change requires a parallel
rule change to avoid false positives. Considering that many operations and security managers are
not kept abreast of every application change and some may not have the application expertise to
evaluate application changes, manual rule maintenance is an unrealistic expectation [2]. Dynamic
Profiling, on the other hand, delivers completely automated security with no need for manual
configuration or tuning [3]. If desired, administrators can always manually modify the profiles to bridge
any differences between actual usage and corporate security policies.
Completing the Positive Security Model
In addition to application structure and dynamics modeled by Dynamic Profiling, SecureSphere’s
positive model security capabilities include network firewall white lists and http protocol checks.
Together, these combined capabilities form a complete picture of normal data center behavior that
extends from the valid network IP addresses to high-level Web application operations.
Dynamic Negative Security Model
SecureSphere’s dynamic negative security model capabilities include network firewall black lists and
Intrusion Prevention System (IPS). Network firewall black lists define specific protocol/IP address
combinations that are specifically not allowed into the data center. For example, Telnet from
corporate desktops might be specifically restricted. Similarly, signatures define patterns that match
known attacks targeting commercial software platforms. For more information on SecureSphere’s
integrated IPS, see the SecureSphere Features and Benefits section of this document.
Custom Policy Definition
In addition to the automated policy definition provided by Dynamic Profiling, SecureSphere allows
security administrators to define policies regarding specific attributes of Web traffic. Custom policy
rules are manually configured and provide the power to perform operations that are not available or
convenient to implement via profile and protocol violation rules.
Enforcement Algorithms – Instant and Correlated Attack Validation
SecureSphere separates attacks from legitimate interactions using two enforcement algorithms -
Instant Attack Validation (IAV) and Correlated Attack Validation (CAV). IAV immediately validates and
blocks clear violations of any dynamic positive or negative security model. However, certain
suspicious violations cannot be classified as either clearly good or clearly bad. These suspicious
violations usually result from harmless application changes or user error – but they could represent
dangerous attacks or attack reconnaissance. To handle these suspicious violations, CAV validates
attack activity by tracking events across multiple detection layers (Web, database, IPS, etc.) and over
time. Based on Imperva’s deep understanding of attack strategies, information from multiple
violations can be correlated to definitively distinguish attacks from harmless user error and
[2] Application developers, data center operations and security teams usually operate independently. Any application
firewall architecture that relies upon manual administrator rule maintenance requires that application developers work
closely with the operations and security teams in advance of all changes. The operations team, security team and
developers must then test and deploy changes in parallel to avoid false positives that block legitimate users.
[3] In addition to the automated policy definition provided by Dynamic Profiling, SecureSphere allows security
administrators to define policies regarding specific attributes of Web traffic. Custom policy rules are manually
configured and provide the power to perform operations that are not available or convenient to implement via profile
and protocol violation rules.
The figure below presents a specific example of CAV in action. The Web application firewall identifies
a parameter length violation in a user’s request. While suspicious, this could also be the result of a
change in the application (for instance, changing the allowed values of a parameter to include a new
product category). Therefore, this single violation alone is not enough to confirm an attack. However,
if the user continues to generate parameter length violations in rapid succession, CAV would correlate
these actions and correctly conclude that attack reconnaissance (i.e. looking for parameters
vulnerable to SQL Injection or buffer overflow) is in progress. By basing security decisions upon
multiple events rather than a single event, CAV is able to detect attacks with a degree of accuracy that
is not possible via Instant Attack Validation.
SecureSphere's CAV engine tracks and correlates events over time to
accurately identify and block attack activities.
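As an added illustration (not Imperva code and not a description of SecureSphere internals), the following Python sketch learns a small positive profile from constructed traffic, blocks clear negative-model (signature) matches at once in the manner of IAV, and correlates repeated suspicious profile violations per session over a time window in the manner of CAV described above. URLs, parameter names, length slack, the time window, the threshold and the signature list are all constructed for the example.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit, parse_qsl

# Constructed learning-period traffic for a hypothetical application.
LEARNING_TRAFFIC = [
    "/catalog?cat=books&page=1",
    "/catalog?cat=music&page=2",
    "/catalog?cat=video&page=10",
    "/login?user=alice",
    "/login?user=bob",
]

# Tiny constructed negative model: patterns treated as clear violations.
SIGNATURES = ("union select", "<script")


def split_request(url):
    """Split a request URL into its path and (name, value) query pairs."""
    parts = urlsplit(url)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


class DynamicProfile:
    """Positive model learned from traffic: per URL, the parameters seen,
    whether each was always numeric, and the longest value observed."""

    def __init__(self, slack=2):
        self.slack = slack   # tolerate values up to slack * longest learned length
        self.urls = {}       # path -> {param -> {"numeric": bool, "max_len": int}}

    def learn(self, url):
        path, params = split_request(url)
        entry = self.urls.setdefault(path, {})
        for name, value in params:
            p = entry.setdefault(name, {"numeric": True, "max_len": 0})
            p["numeric"] = p["numeric"] and value.isdigit()
            p["max_len"] = max(p["max_len"], len(value))

    def violations(self, url):
        """Return (kind, detail) pairs for every deviation from the profile."""
        path, params = split_request(url)
        if path not in self.urls:
            return [("unknown_url", path)]
        known, found = self.urls[path], []
        for name, value in params:
            if name not in known:
                found.append(("unknown_param", name))
                continue
            if known[name]["numeric"] and not value.isdigit():
                found.append(("type", name))
            if len(value) > known[name]["max_len"] * self.slack:
                found.append(("length", name))
        return found


class Enforcer:
    """IAV: block clear signature matches immediately. CAV: a single profile
    violation is only suspicious (it may be an application change), but
    `threshold` of them from one session within `window` seconds is blocked."""

    def __init__(self, profile, window=10.0, threshold=3):
        self.profile, self.window, self.threshold = profile, window, threshold
        self.history = defaultdict(deque)   # session -> timestamps of suspicious events

    def decide(self, session, url, now):
        """Return 'allow', 'block:iav' or 'block:cav' for one request."""
        if any(sig in url.lower() for sig in SIGNATURES):
            return "block:iav"
        if not self.profile.violations(url):
            return "allow"
        hist = self.history[session]
        hist.append(now)
        while hist and now - hist[0] > self.window:   # drop events outside the window
            hist.popleft()
        return "block:cav" if len(hist) >= self.threshold else "allow"


def run_demo():
    """Learn the profile, then classify constructed post-learning traffic."""
    profile = DynamicProfile()
    for url in LEARNING_TRAFFIC:
        profile.learn(url)
    enforcer = Enforcer(profile)
    traffic = [   # (session, url, seconds since start); all constructed
        ("s1", "/catalog?cat=games&page=3", 0.0),               # fits the profile
        ("s1", "/catalog?cat=" + "A" * 40 + "&page=3", 1.0),    # one length violation: suspicious only
        ("s1", "/catalog?cat=" + "A" * 80 + "&page=3", 2.0),
        ("s1", "/catalog?cat=" + "A" * 160 + "&page=3", 3.0),   # third in 3 s: correlated, blocked
        ("s2", "/login?user=eve&note=<script>", 4.0),           # signature match: blocked at once
    ]
    return [(session, enforcer.decide(session, url, now)) for session, url, now in traffic]


if __name__ == "__main__":
    for session, decision in run_demo():
        print(session, decision)
```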
SecureSphere can be deployed inline as a transparent bridge, router, or a reverse proxy [4].
SecureSphere can also be deployed as an offline network monitor (sniffer). Imperva’s Transparent
Inspection technology delivers multi-gigabit performance, sub-millisecond latency, and options for
high availability that meet the most demanding Web application requirements. Moreover,
Transparent Inspection technology makes it possible for SecureSphere to be deployed in minutes
with no changes to the existing data center infrastructure.
From a security perspective, inspecting the upper layers of the OSI model and beyond is required to
deliver protection. From an operational networking perspective, the chief desire is for seamless,
transparent operation. As such, from the perspective of how a device functions as a networking node,
operating at lower layers is desirable for application security solutions.
Transparent Inspection allows SecureSphere to operate as a transparent bridge, a network router or a
reverse proxy. SecureSphere intercepts traffic at the kernel level and reconstructs all layers of the
application stack in order to inspect application behavior. The benefits of this are as follows.
1. High Performance – SecureSphere performance is an order of magnitude faster than
competing approaches. Because SecureSphere security processing is done at the kernel
level, it requires far less processing overhead than competing reverse proxy products that
must do security processing in user space.
2. No Changes to Applications - Since network traffic passes through SecureSphere without
modification, SecureSphere is transparent to the traffic endpoints (the client and the web
servers). This means SecureSphere can easily drop into any enterprise’s data center without
changing carefully optimized Web application infrastructure.
By comparison, many competing Web application security devices can only operate as reverse
proxies. From a network perspective, this means traffic is terminated at layer 7 of the OSI model. The
implications of this are as follows.
1. Diminished Performance - Security processing must take place in user space, greatly
increasing processing overhead. Because traffic is terminated and passed to user space,
the security device must not only process the traffic for inspection but also re-encode it and
construct an independent communication with the server, resulting in low
performance, low throughput, and high latency.
2. Changes to Existing Infrastructure - The proxy must modify network traffic. For the network,
this means that existing IP address and routing infrastructure must be changed during
deployment. For the application, this means that URLs must be re-written and embedded
calls to dynamic objects must be translated. The result is a high level of deployment impact.
3. Weakening of Non-Repudiation - The security device must terminate and decrypt SSL
encrypted traffic, re-package the communications, re-negotiate a new SSL connection to the
server, and re-encrypt the information. The result is a weak link in the non-repudiation
processes as well as significant additional performance reduction.
[4] SecureSphere is often deployed as a direct replacement for legacy reverse proxy appliances. In most cases, customers
choose to configure SecureSphere as a bridge or a router because it fits into the existing architecture and reduces the
deployment and operational burden associated with reverse proxies. However, in some cases, customers must deploy
SecureSphere as a reverse proxy to meet special pre-existing architectural or design requirements. When deployed as a
reverse proxy, Transparent Inspection still performs the data inspection and analysis; the proxy functionality is used to
provide networking connectivity that maps to pre-existing requirements.
SecureSphere Features and Benefits
This section details key SecureSphere features and benefits derived from SecureSphere’s core
technology described in the previous section.
Complete Web Application Protection
SecureSphere integrates four security enforcement components: a Dynamic Profile of the Web
application, an IPS, a network firewall, and an optional Database Security Gateway.
Web Application Firewall
SecureSphere protects custom Web application code against attacks such as SQL injection, cookie
poisoning, parameter tampering, directory traversal and more. Dynamic Profiling automatically
creates a dynamic positive security model of Web application usage and structure, including URLs,
http methods, parameters, hidden fields, cookies, session IDs and response codes. As users interact
with the application, SecureSphere closely monitors their activities and compares them to the profile.
Any attempted attack is detected and blocked.
SecureSphere identifies web attacks and can generate alerts and/or block the attacks.
Web Services Firewall
SecureSphere’s Web services firewall protects against attacks targeting XML, SOAP and WSDL
applications. Like SecureSphere’s Web application firewall the Web services firewall leverages
Dynamic Profiling technology to create a dynamic positive security model of allowed application
usage and structure, including XML URLs, SOAP actions, XML elements and XML attributes. Any
attempts to tamper with Web services application schemas or variables are identified and blocked.
Custom Policy Enforcement
As a supplement to the automated policy definition provided by Dynamic Profiling, SecureSphere
allows security administrators to define policies regarding specific attributes of Web traffic.
Enforcement of custom policy rules supplements SecureSphere’s enforcement of dynamically
generated Web and Web services security policies.
Intrusion Prevention System (IPS)
SecureSphere IPS provides broad protection against known infrastructure attacks and zero day
worms. These attacks typically target vulnerabilities in commercial web server, application server and
operating system software (e.g. IIS, Apache, and Windows 2000).
SecureSphere protocol compliance checks ensure that Web traffic meets RFC and expected
usage requirements. For example, SecureSphere checks HTTP for malformed URLs,
abnormally long URLs, abnormally long header lines, and many other protocol anomalies. By
ensuring that the protocols meet guidelines, protocol compliance prevents attacks on
vulnerabilities in server platform protocol implementations.
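As an added example (not the product’s own logic), a minimal HTTP protocol compliance check of the kind described above: it flags a malformed request line, an abnormally long URL, an overlong header line, an unexpected HTTP version and a header without a colon. The length limits, method list and origin-form URL expectation are assumptions chosen for the example; the page does not give the product’s thresholds.

```python
import re

# Assumed limits for this example (the page does not state the product's thresholds).
MAX_URL_LEN = 2048
MAX_HEADER_LINE = 1024
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
VERSION = re.compile(r"HTTP/1\.[01]")


def check_http_request(raw):
    """Return the list of protocol anomalies found in one raw HTTP/1.x request head."""
    anomalies = []
    head = raw.split("\r\n\r\n", 1)[0]          # request line plus headers
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:                          # method, target, version expected
        return ["malformed_request_line"]
    method, target, version = parts
    if method not in METHODS:
        anomalies.append("unknown_method")
    # Origin-form target expected in front of a server (assumption); control
    # characters or a missing leading slash count as a malformed URL.
    if not target.startswith("/") or any(ord(c) < 32 or ord(c) == 127 for c in target):
        anomalies.append("malformed_url")
    if len(target) > MAX_URL_LEN:
        anomalies.append("url_too_long")
    if not VERSION.fullmatch(version):
        anomalies.append("bad_version")
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LINE:
            anomalies.append("header_line_too_long")
        name, sep, _ = line.partition(":")
        if not sep or not name or name != name.strip():   # no colon, empty or padded name
            anomalies.append("malformed_header")
    return anomalies


def demo():
    """Run the check over constructed requests; returns {label: anomalies}."""
    samples = {
        "well_formed": "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "long_url": "GET /" + "a" * 3000 + " HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "long_header": "GET / HTTP/1.1\r\nX-Pad: " + "b" * 2000 + "\r\n\r\n",
        "no_version": "GET /index.html\r\nHost: example.test\r\n\r\n",
        "bad_header": "GET / HTTP/1.0\r\nHost example.test\r\n\r\n",
    }
    return {label: check_http_request(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, found or "ok")
```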
Signature Detection for All Protocols
SecureSphere supports Snort®-compatible signatures across all protocols. The Application
Defense Center, Imperva’s international security research organization, enhances the
Snort®-compatible signature database with contextual attributes such as affected systems,
risk, accuracy and frequency. SecureSphere administrators can use this information to
modify the signature dictionaries or adjust action policies to meet their specific
requirements. In addition, the ADC has added advanced HTTP and SQL signatures designed
specifically for Web application attack detection. These unique signatures provide critical
inputs to SecureSphere’s Correlated Attack Validation (CAV), enabling it to detect
sophisticated attacks and even attack reconnaissance. The SecureSphere Security Update
Service provides regular updates to ensure the most up to date protection is continuously
Zero-Day Web Worm Profiling
SecureSphere’s Web Worm Profile defends against zero day Web Worms and all Web-based
worms without relying on signatures or computationally intensive techniques such as inline
code simulation. Instead, SecureSphere’s zero day worm profiling technology identifies
attacks for which there are no signatures by detecting the specific combinations of attributes
that uniquely characterize such attacks.
SecureSphere’s integrated stateful network firewall protects against unauthorized users, dangerous
protocols, common network layer attacks and worm infections. Access control policies support both
black and white listing of protocol/IP address combinations to eliminate data center exposure to non-
essential or dangerous protocols such as Telnet, pcAnywhere, or even SQL. The network firewall plays
an important worm defense role by preventing the spread of worms from internal user desktops to
Web applications via non-essential ports and protocols.
Extending SecureSphere to Databases
The SecureSphere Web Application Firewall can be extended to include database protection for
Oracle, MS-SQL Server, DB2 (including mainframe) and Sybase databases. Dynamic Profiling
automatically creates a dynamic positive security model of database usage dynamics and structure,
including user names, IP addresses, tables, operations, queries, query patterns, privileged
commands, and stored procedures. Any interaction that violates the profile triggers an alert and can
be blocked depending upon policy for the threat level of the violation. SecureSphere database
security protects against external attacks and insider abuse, providing end-to-end defense for the
SecureSphere incorporates a multi-layer security architecture that enables precise attack protection
without manual configuration or tuning. SecureSphere’s security architecture incorporates both
dynamic positive (white list) security models and dynamic negative (black list) security models.
Sophisticated enforcement algorithms draw on both security models to identify and block even the
most sophisticated attacks. For more information, see the Security Model and Security Enforcement
section earlier in this document.
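As an added illustration of the dynamic positive security model described for databases above (example code, not Imperva's): a learning phase records which users issue which operations against which tables from which source IPs, and an enforcement phase lists every departure from that baseline, assigns it a threat level and maps the level to alert or block. The event fields, threat levels, policy table and learning data are assumptions constructed for this example.

```python
from collections import namedtuple
# One observed database interaction (field names are assumptions).
DbEvent = namedtuple("DbEvent", "user src_ip table operation")
PRIVILEGED_OPS = {"DROP", "ALTER", "GRANT", "TRUNCATE"}
# Constructed policy: threat level per violation kind, and action per level.
THREAT_LEVEL = {"unknown_user": "high", "unknown_operation": "high", "privileged_command": "high",
                "unknown_ip": "medium", "unknown_table": "medium"}
ACTION = {"high": "block", "medium": "alert"}

class DbProfile:
    """Positive model of who talks to which table, from where, doing what."""
    def __init__(self):
        self.ips = {}   # user -> set of source IPs seen for that user
        self.ops = {}   # (user, table) -> set of operations seen
    def learn(self, ev):
        """Learning phase: observed usage becomes the allowed baseline."""
        self.ips.setdefault(ev.user, set()).add(ev.src_ip)
        self.ops.setdefault((ev.user, ev.table), set()).add(ev.operation)

    def violations(self, ev):
        """Enforcement phase: every way the event departs from the profile."""
        if ev.user not in self.ips:
            return ["unknown_user"]
        found = []
        if ev.src_ip not in self.ips[ev.user]:
            found.append("unknown_ip")
        allowed = self.ops.get((ev.user, ev.table))
        if allowed is None:
            found.append("unknown_table")
        elif ev.operation not in allowed:
            found.append("privileged_command" if ev.operation in PRIVILEGED_OPS
                         else "unknown_operation")
        return found

def decide(profile, ev):
    """Return (action, threat_level, violations); clean events are allowed."""
    found = profile.violations(ev)
    if not found:
        return ("allow", "none", [])
    level = "high" if any(THREAT_LEVEL[v] == "high" for v in found) else "medium"
    return (ACTION[level], level, found)

def sample_profile():
    """Constructed learning data: a web app account works on 'orders' from two app servers."""
    profile = DbProfile()
    for ip in ("10.0.1.10", "10.0.1.11"):
        for op in ("SELECT", "INSERT", "UPDATE"):
            profile.learn(DbEvent("webapp", ip, "orders", op))
    profile.learn(DbEvent("dba", "10.0.9.5", "orders", "ALTER"))
    return profile
```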
Imperva’s Transparent Inspection processing architecture allows SecureSphere to be completely
transparent to the surrounding data center. SecureSphere deployment requires no changes to the
network or application infrastructure, supports multi-gigabit network performance, and offers a host
of high availability options.
No Changes to Existing Network
SecureSphere can be flexibly deployed in the network as a transparent inline bridge, an inline proxy,
an inline router, or a non-inline network monitor. Because of this flexibility, deployment requires no
changes to the existing network architecture, including network routers, load balancers and servers.
No Changes to Application
Powered by a unique Transparent Inspection technology, SecureSphere examines Web application
traffic for attacks and malicious activity without altering or rewriting Web content. This enables
SecureSphere to provide complete and accurate application security without forcing organizations to
redesign their Web applications, change authentication schemes or install new SSL certificates.
SecureSphere delivers multi-gigabit throughput and over 16,000 transactions per second while
maintaining sub-millisecond packet latency. This level of performance is an order of magnitude
better than competing approaches. A single SecureSphere gateway is sufficient for many
customers and SecureSphere can scale to meet the requirements of the largest enterprise by
deploying multiple gateways managed from a single unified management server. With SecureSphere,
security will never impact your data center service level agreements (SLAs).

Performance Metric    SecureSphere
Throughput            2 Gbps
Request/Sec           16,000
Latency               <1 millisecond
SecureSphere supports a broad range of options to ensure maximum uptime and application
• Imperva High Availability (IMPVHA) protocol provides sub-second failover for two or more
SecureSphere gateways deployed in bridging mode.
• Virtual Router Redundancy Protocol (VRRP) provides for failover when SecureSphere is
configured as a router or proxy.
• Redundant gateways can be deployed in environments with redundant system
infrastructures. SecureSphere’s transparent deployment modes support both active-active
and active-passive fail-over configurations when using external HA mechanisms.
• Inline fail-open network interfaces ensure availability in the event of software, hardware, or
• Non-inline monitoring configuration offers transparent deployment with no single point of
[Figure: SecureSphere Active-Active Configuration, showing the load balancers and gateways in Normal Operation and in Failure / Recovery. Caption: Active-Active Fail-over ensures continuous data availability and security]
Automated Web Application Security
Ongoing tuning of manually created policies is often the most significant component of a Web
application firewall’s total cost of ownership. It is not practical to expect multiple organizations (e.g.
operations, security, and software development) to jointly tune a security product every time the
application changes. Dynamic Profiling eliminates manual tuning by automatically adapting to Web
application changes as they are deployed. The result is
comprehensive security without burdensome operational
Centralized, Scalable Management
SecureSphere G4 and G8 appliances can be deployed in
standalone configurations and include all of the
administration and reporting capabilities needed to manage
a single gateway deployment.
Large enterprise security deployments require mature
management tools to scale across multi-gateway
environments. To meet this requirement, the SecureSphere
MX Management Server serves as the focal point of a three-
tier management architecture that automates the task of
managing multi-gateway deployments.
Rather than requiring each gateway to be managed individually, the Management Server provides a
single point for aggregating policy, real-time monitoring, logging, and reporting activity across
multiple SecureSphere gateways.
[Figure: The MX Management Server automates the task of managing multiple gateways]
For example, generating a report analyzing high-priority security alerts across ten distributed
gateways requires a few simple clicks with SecureSphere. By comparison, less mature two-tier
management infrastructures require that security managers connect to ten separate devices, collect
ten alert files, and run ten separate reports using a third-party reporting product.
[Figure: SecureSphere provides alerts and reporting across the enterprise]
Specific management capabilities for single-gateway and multi-gateway deployments include the
• Graphical Reporting - Both pre-configured and customized reporting is supported with a full
Crystal Reports™ package and ODBC-compliant database access. Pre-configured reports
provide immediate visibility into performance, regulatory compliance, security events,
application vulnerabilities, database usage anomalies, and application changes.
• Unified Real-Time Alert Monitoring – Real-time alerts originating from multiple SecureSphere
security layers (Dynamic Profile, IPS, etc.) are collected, prioritized and presented to the
administrator within a single unified view. Alert notifications may be sent via email, phone,
pager, SNMP, and syslog messages. There is no need to connect to individual devices
distributed throughout the data center. Log data from multiple gateways are also presented
in a single view and stored in a single MX Management Server database.
• Alert Auditing – Alerts from multiple gateways are collected and stored in a single MX
Management Server database. To support audit initiatives, alerts can be sorted and
searched based upon a variety of parameters with a few clicks. Even specific user violations
(identified by session ID or IP address) originating from different SecureSphere security
services (network firewall, Web firewall, CAV, etc.) may be instantly traced. Log data from
multiple gateway deployments are collected and stored in a single MX Management Server
• Intelligent Attack Summaries – Intelligent attack summaries improve administrator
productivity by aggregating the sequence of events caused by a complex attack
into a single actionable alert. For example, thousands of related scanning events extending
across multiple gateways are aggregated into a single attack alert. This highly focused
information allows administrators to quickly respond to immediate threats. Aggregated
alerts preserve the underlying component alert information for detailed forensics.
• Centralized Policy Distribution – Dynamic Profile, IPS policy, and system parameters for
multiple gateways are stored centrally on the MX Management Server. Changes are made on
the server and automatically distributed to multiple gateways with a single click.
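As an added illustration of the aggregation described under Intelligent Attack Summaries (example code, not Imperva's): component alerts raised by several gateways are grouped by source IP and alert type, split into separate attacks wherever the gap between consecutive events exceeds a time window, and each summary keeps its component alerts for forensics. The alert tuple layout, gateway names and the 300-second window are assumptions; the alerts themselves are constructed.

```python
from collections import defaultdict

# Constructed component alerts as individual gateways would raise them:
# (gateway, timestamp in seconds, source IP, alert type, requested path).
RAW_ALERTS = [
    ("gw-1", 1000, "192.0.2.9", "scan", "/admin"),
    ("gw-2", 1003, "192.0.2.9", "scan", "/backup"),
    ("gw-1", 1005, "192.0.2.9", "scan", "/.git"),
    ("gw-3", 1200, "192.0.2.9", "scan", "/old"),
    ("gw-2", 1010, "198.51.100.4", "sql_injection", "/login"),
    ("gw-1", 5000, "192.0.2.9", "scan", "/test"),
]

def summarize(alerts, window=300):
    """Aggregate component alerts into attack summaries.

    Alerts are grouped by (source IP, alert type) across all gateways; a
    group is split into separate attacks wherever two consecutive alerts
    are more than `window` seconds apart. Each summary keeps its component
    alerts so the detail is still available for forensics."""
    by_key = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a[1]):
        by_key[(alert[2], alert[3])].append(alert)
    summaries = []
    for (src, kind), group in by_key.items():
        current = [group[0]]
        for alert in group[1:]:
            if alert[1] - current[-1][1] > window:
                summaries.append(_summary(src, kind, current))
                current = []
            current.append(alert)
        summaries.append(_summary(src, kind, current))
    # Most active sources first, so the operator sees the big picture.
    return sorted(summaries, key=lambda s: s["count"], reverse=True)

def _summary(src, kind, components):
    return {"source": src, "type": kind, "count": len(components),
            "gateways": sorted({c[0] for c in components}),
            "first": components[0][1], "last": components[-1][1],
            "components": list(components)}
```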
The SecureSphere Web Application Firewall is designed from the ground up to meet the unique
security, deployment and operational requirements of enterprise Web applications. It integrates the
capabilities of a traditional Web application firewall with a Web Services firewall, IPS, network firewall,
and optional database security. Imperva’s Dynamic Profiling technology enables a
completely automated security model with no need for manual configuration or tuning. Transparent
Inspection technology delivers multi-gigabit performance, rapid deployment, and multiple high
availability deployment options. Finally, the MX Management Server delivers the multi-gateway
management capabilities necessary to support the largest Web application environments.
950 Tower Lane
Foster City, CA 94404
Tel: (650) 345-9000
Fax: (650) 345-9004
12 Hachilazon Street
© 2006 Imperva, Inc. All rights reserved. Imperva and SecureSphere are registered trademarks of Imperva, Inc.
Dynamic Profiling is a trademark of Imperva, Inc. All other brand or product names are trademarks or registered
trademarks of their respective holders.