Overview of Nemesida WAF modules and the hardware requirements for their installation. Read this page before starting to work with the product.

General information about Nemesida WAF

Permissions

For all Nemesida WAF components to work correctly on each server where they are installed, allow:

1. Access to external resources:

  • nemesida-security.com:443;
  • auth.nemesida-security.com:443;
  • nw-auth-extra.nemesida-security.com:443;
  • geoip.nemesida-security.com:80.

2. Incoming/outgoing connections to services on the servers with installed modules:

Dynamic module Nemesida WAF and Nemesida AI MLA
  • Incoming connections: Nginx (for example, port 80); Nemesida AI MLA (for example, port 5101).
  • Outgoing connections: Nemesida WAF API (for example, port 8080).

Nemesida AI MLC
  • Outgoing connections: RabbitMQ (for example, port 5672); Nemesida WAF API (for example, port 8080).

Nemesida WAF API/Cabinet
  • Incoming connections: Nemesida WAF Cabinet (for example, port 80); PostgreSQL (for example, port 5432); Nemesida WAF API (for example, port 8080).

Nemesida WAF Scanner
  • Outgoing connections: the server of the protected web application (for example, port 80); Nemesida WAF API (for example, port 8080); PostgreSQL (for example, port 5432).

3. Local access (localhost) to services on servers with installed modules.
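As an added example (not part of the Nemesida documentation), the following nftables ruleset restricts the server that hosts the dynamic module and Nemesida AI MLA to exactly the connections listed above, so that unexpected outbound traffic from a compromised web application is dropped and logged. The addresses 10.0.0.20 (Nemesida WAF API server) and 10.0.0.0/24 (the other WAF servers) are assumed, as is that the external host names resolve to IPv4 addresses when the ruleset is loaded.

```nft
#!/usr/sbin/nft -f
# Host firewall for a server running the Nemesida WAF dynamic module and Nemesida AI MLA.
# Assumed addresses: 10.0.0.20 = Nemesida WAF API server, 10.0.0.0/24 = other WAF servers.
define NW_API_SRV = 10.0.0.20
define WAF_NET    = 10.0.0.0/24

flush ruleset

table inet nwaf_dyn {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Nginx with the dynamic module: traffic to the protected web application from anywhere
        tcp dport { 80, 443 } accept
        # Nemesida AI MLA: only the other WAF servers may connect
        ip saddr $WAF_NET tcp dport 5101 accept
        # Administrative access (SSH) is not part of the list above; add it here as needed.
        # RabbitMQ (5672) is likewise not listed as incoming for this server; add an input
        # rule only if the broker actually runs on this host.
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif "lo" accept
        ct state established,related accept
        # DNS is needed so that the host names below can be resolved
        udp dport 53 accept
        # Nemesida WAF API
        ip daddr $NW_API_SRV tcp dport 8080 accept
        # External resources; nft resolves these names once, when the ruleset is loaded,
        # so reload the ruleset if the published addresses change
        ip daddr { nemesida-security.com,
                   auth.nemesida-security.com,
                   nw-auth-extra.nemesida-security.com } tcp dport 443 accept
        ip daddr geoip.nemesida-security.com tcp dport 80 accept
        # Everything else is dropped and logged, so an unexpected outbound connection
        # (for example from a compromised web application) shows up in the kernel log
        log prefix "nwaf-egress-denied: " drop
    }
}
```

Load it with `nft -f <file>` and check the counters and the log prefix while the modules start, so that any connection the page lists but this host actually needs on a different port is caught before the ruleset is made persistent.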

Free Trial

Request a license key to evaluate all the benefits of Nemesida WAF free of charge for 14 days.

Docker Image and Virtual Appliance

Nemesida WAF is available as installation distributions for Linux and FreeBSD, as a Docker image, and as a virtual disk for KVM/VMware/VirtualBox and Yandex VM.

Licensing model

Each instance of the Nemesida WAF dynamic module for Nginx (nwaf-dyn installation package) must use a unique license key (license). The license includes the right to use all components included in Nemesida WAF, updates and technical support. The license is granted for one calendar year.

Diagram of Nemesida WAF modules interaction

  • Nemesida WAF dynamic module carries out a signature analysis of requests coming to the server and, based on the behavioral models built by Nemesida AI MLC, makes a decision to block them or transfer them to other modules.
  • Nemesida AI MLA¹ machine learning module applies the behavioral models built by Nemesida AI MLC to requests received from the dynamic module and sends a blocking command.
  • Nemesida AI MLC¹ machine learning module is designed to build behavioral models and detect other anomalies (for example, Brute-force, Flood, DDoS L7).
  • The Nemesida WAF API is designed to receive information about attacks and identified vulnerabilities, as well as transmit information about blocked requests and the results of the Nemesida AI and Nemesida WAF Scanner modules to the PostgreSQL DBMS.
  • Nemesida WAF Cabinet is designed to visualize and analyze the events of components from the PostgreSQL DBMS, manage Nemesida WAF settings, manage OpenAPI request schemes, configure the use of behavioral models built and applied by the Nemesida AI module, as well as systematize information about anomalies and identified vulnerabilities.
  • The Nemesida WAF Scanner Vulnerability Scanner is designed to detect vulnerabilities in a protected web application.

¹ Attack detection using machine learning is only available for Business and Enterprise plans.

Hardware Requirements

For the effective operation of Nemesida WAF components, it is recommended to use servers with the following technical characteristics:

Table of technical characteristics (TTC)*

Server for dynamic module Nemesida WAF and Nemesida AI MLA
  Purpose: analyzes requests and redirects unblocked requests to the server with the web application.
  Processor: 4 cores x 2.4 GHz
  RAM: 6 GB
  Disk space: 10 GB

Server for Nemesida AI MLC
  Purpose: builds behavioral models and analyzes all incoming requests with their help; detects brute force, flood and DDoS attacks at the application level.
  Processor: 6 cores x 2.4 GHz
  RAM: 4 GB (Light plan); 6**/24 GB (Business, Enterprise plans)
  Disk space: 25 GB

Server for Nemesida WAF API, Nemesida WAF Cabinet and PostgreSQL DBMS
  Purpose: stores and visualizes identified anomalies and shortcomings of the web application, and controls the behavior of the machine learning module.
  Processor: 4 cores x 2.4 GHz
  RAM: 16 GB
  Disk space: 25 GB

* The stated technical requirements are approximate (for loads up to 10k RPS) and are selected individually, depending on the amount and type of incoming traffic.
** For the Business plan, behavioral models can be built on the cloud-based Nemesida AI MLS server to save hardware resources on the server.

When using the Enterprise plan, the configuration of components, storage and management of behavioral models are performed within the network perimeter.

Nemesida WAF Installation Packages

Basic:

  • nwaf-dyn – dynamic module Nemesida WAF for Nginx and the Nemesida AI MLA machine learning agent; intended to detect and/or block anomalies using signature analysis and behavioral models, and to transfer traffic via RabbitMQ to the Nemesida AI MLC module for further processing.
  • nwaf-mlc – machine learning module Nemesida AI MLC; intended to build behavioral models and identify other anomalies (for example, DDoS L7, Brute-force attacks, etc.).

Auxiliary:

  • nwaf-api – Nemesida WAF API module; intended to transmit information about blocked requests and the results of the Nemesida AI and Nemesida WAF Scanner modules to the PostgreSQL DBMS.
  • nwaf-cabinet – Nemesida WAF Cabinet module; designed to visualize and analyze the events of components from the PostgreSQL DBMS, manage Nemesida WAF settings, manage OpenAPI request schemes, configure the use of behavioral models built and applied by the Nemesida AI module, and systematize information about anomalies and identified vulnerabilities.
  • nwaf-scanner – Nemesida WAF Scanner vulnerability scanner.

Auxiliary modules are not available for distributions that ship a deprecated version of Python. Before installing an auxiliary module, check the list of supported distributions posted on the page of each module.

Accuracy of behavioral models

During the training period, in order to build better models, do not scan the web application for vulnerabilities or send other illegitimate requests. Immediately after the first training, it is recommended to retrain the models. False positives are handled using the Nemesida WAF Cabinet module.

Requests classified as BT 1, BT 2, BT 3 and BT 4 are not added to the training sample, even if they fall under LM mode.

Storage of behavioral models

Behavioral models created by the Nemesida AI MLC module are transmitted to the remote Nemesida AI MLS server and automatically distributed to all running instances of Nemesida AI MLA and Nemesida AI MLC in accordance with the WAF ID.

Nemesida WAF Cluster

Enables automatic synchronization of the settings of the Nemesida WAF dynamic module and Nemesida AI MLC, and of the list of blocked IP addresses, between servers. The functionality is enabled by default and is useful when more than one instance of the Nemesida WAF dynamic module is licensed. To use all instances of the Nemesida WAF dynamic module as part of a cluster, you must purchase a primary license and additional licenses. For example, when licensing 5 Nemesida WAF dynamic modules, you need to purchase 1 primary license and 4 additional ones.

All license keys used have a single WAF ID (an identifier that allows you to combine different license keys into a group).

Behavioral machine learning models, as well as requests exported via the Cabinet functionality, will be automatically uploaded to all cluster instances in accordance with the WAF ID. For more accurate detection of attacks, it is recommended to use one installed instance of the Nemesida AI MLC module at one time.

Exclusion rules (WL) and extended blocking rules (ERL) are applied to all instances of the Nemesida WAF dynamic module that have a single WAF ID.

Error message sources

During the operation of Nemesida WAF, error information may be found in:

  • the OS system logs;
  • the Nginx log;
  • the RabbitMQ log;
  • the Nemesida WAF module operation log in /var/log/nwaf/.

Technical support

For Nemesida WAF Community Edition users, technical support is provided only on the forum.

In case of unforeseen errors in the operation of Nemesida WAF, contact technical support by email or leave a message on the forum.

Other information

The domain name example.com, together with its subdomains, is used as an example in the manuals.