Introduction | Nemesida WAF

Overview of Nemesida WAF modules and hardware requirements for their installation. It is necessary to familiarize yourself before starting to work with the product.

General information about Nemesida WAF

🔗 Permissions

For all Nemesida WAF components to work correctly on each server where they are installed, allow:

1. Access to external resources:

nemesida-security.com:443;
nw-auth-extra.nemesida-security.com:443;
geoip.nemesida-security.com:443.

2. Incoming/outgoing calls to services on servers with installed modules:

Dynamic module and Nemesida AI MLA
Incoming connections:	Nginx (for example, port `80`); Nemesida AI MLA (for example, port `5101`).
Outgoing connections:	Nemesida WAF API (for example, port `8080`).

Nemesida AI MLC
Outgoing connections:	RabbitMQ (for example, port `5672`); Nemesida WAF API (for example, port `8080`).

Nemesida WAF API/Cabinet
Incoming connections:	Nemesida WAF Cabinet (for example, port `80`); PostgreSQL (for example, port `5432`); Nemesida WAF API (for example, port `8080`).

Nemesida WAF Scanner
Outgoing connections:	The server of the protected web application (for example, port `80`); Nemesida WAF API (for example, port `8080`); PostgreSQL (for example, port `5432`).

3. Local access (localhost) to services on servers with installed modules.

🔗 Free Trial

Get your license key to evaluate all the benefits of Nemesida WAF in 14 days for free.

🔗 Docker Image and Virtual Appliance

Nemesida WAF is available as installation distributions for Linux (Debian, Ubuntu, CentOS) and FreeBSD OS, in the form of Docker image and virtual disk for KVM/VMware/VirtualBox and Yandex VM.

🔗 Licensing model

Each instance of the filtering node (nwaf-dyn installation package) must use a unique license key (license). The license includes the right to use all components included in Nemesida WAF, updates and technical support. The license is granted for one calendar year.

🔗 Diagram of Nemesida WAF modules interaction

¹ Includes Nginx, the Nemesida WAF dynamic module and the Nemesida AI MLA machine learning agent.

Nemesida WAF dynamic module carries out a signature analysis of requests coming to the server and, based on the behavioral models built by Nemesida AI MLC, makes a decision to block them or transfer them to other modules.
Nemesida AI MLA machine learning module applies behavioral models built by Nemesida AI MLC to requests received from the dynamic module and sends a blocking command.
Nemesida AI MLC machine learning module is designed to build behavioral models and detect other anomalies (for example, Brute-force, Flood, DDoS L7).
The Nemesida WAF API is designed to receive information about attacks and identified vulnerabilities, as well as transmit information about blocked requests and the results of the Nemesida AI and Nemesida WAF Scanner modules to the PostgreSQL DBMS.
Nemesida WAF Cabinet is designed for visualization and analysis of the events of the components from the PostgreSQL DBMS, management of Nemesida WAF settings, management of OpenAPI request schemes, configuration of the use of behavioral models built and applied by the Nemesida AI module, as well as systematization of information about anomalies and identified vulnerabilities.
The Nemesida WAF Scanner Vulnerability Scanner is designed to detect vulnerabilities in a protected web application.

🔗 Hardware Requirements

For the effective operation of Nemesida WAF components, it is recommended to use servers with the following technical characteristics:

Table of technical characteristics (TTC)*

Server for dynamic module and Nemesida AI MLA analyzes and redirects unblocked requests to a server with a web application
Processor	4 cores x 2.4 GHz
RAM	6 GB
Disk space	10 GB

Server for Nemesida AI MLC is used to build behavioral models and analyze all incoming requests with their help, detects brute force attacks, flood and DDoS attacks at the application level
Plans	Light	Business, Enterprise
CPU	6 cores x 2.4 GHz
RAM	4 GB	24 GB
Disk space	25 GB

Server for Nemesida WAF API, Nemesida WAF Cabinet and PostgreSQL DBMS is used to store and visualize identified anomalies and shortcomings of the web application, as well as to control the behavior of the machine learning module
Processor	4 cores x 2.4 GHz
RAM	6 GB
Disk space	25 GB

^* The stated technical requirements are approximate (for loads up to 10k RPS) and are selected individually, depending on the amount and type of incoming traffic.

The configuration of components, storage and management of behavioral models are performed within the network perimeter.

To ensure the failover operation of the Nemesida WAF complex, we recommend that you familiarize yourself with the scheme that reflects the minimum number of servers used by the components:

The scheme of ensuring failover operation of Nemesida WAF

The scheme assumes the provision of failover operation for Nemesida WAF components with different levels of criticality:

Cluster of filtering nodes analyzes and redirects unblocked requests to a server with a web application
Criticality	High
Minimum number of servers	2
Description	If the component is unavailable: no request analysis will be performed; the services to which traffic is proxied through the filtering node will be unavailable.

Server for Nemesida AI MLC is used to build behavioral models and analyze all incoming requests with their help, detects brute force attacks, flood and DDoS attacks at the application level
Criticality	Average
Minimum number of servers	1
Description	If the component is unavailable: DDoS/Brute/Flood attacks will not be detected; the process of learning/retraining the behavioral model will be suspended. The unavailability of the component does not affect the analysis of requests by the machine learning module on the filtering node, if the behavioral model has already been created and applied before; the request analysis process for generating the OpenAPI specification will be suspended.

Server for Nemesida WAF API and PostgreSQL DBMS is used to store identified anomalies and shortcomings of the web application, as well as to control the behavior of the machine learning module and the filtering node
Criticality	High
Minimum number of servers	2*
Description	If the component is unavailable: settings will not be received by other components, as well as their configuration; the process of receiving and recording detected anomalies will be suspended.

^* – using a single copy of the Nemesida WAF API in mode Read only will allow components to get a list of settings for them (filter node settings, information about behavioral models, exclusion/blocking rules, etc.), but will not allow new data to be written to the database.

Server for the Personal Account component is used to visualize detected anomalies
Criticality	Low
Minimum number of servers	1
Description	If the component is unavailable: access to the Personal Account interface will be suspended.

Server for Nemesida WAF Scanner is used to identify the shortcomings of the web application
Criticality	Low
Minimum number of servers	1
Description	If the component is unavailable: it will be impossible to scan the protected web application to identify vulnerabilities; it will be impossible to use the `Recheck` functionality;

🔗 Nemesida WAF Installation Packages

Basic:

nwaf-dyn – dynamic module for Nginx and Nemesida AI MLA machine learning agent, is intended to detect and/or block anomalies using signature analysis and behavioral models, as well as traffic transfer for further processing via RabbitMQ to the Nemesida AI MLC module.
nwaf-mlc – machine learning module Nemesida AI MLC, is intended to build behavioral models and identify other anomalies (for example, DDoS L7, Brute-force attack, etc.).

Auxiliary:

nwaf-api – Nemesida WAF API module is intended to transmit information about blocked requests and the results of the Nemesida AI and Nemesida WAF Scanner modules to the PostgreSQL DBMS.
nwaf-cabinet – Nemesida WAF Cabinet module is designed to visualize and analyze the events of components from the PostgreSQL DBMS, manage Nemesida WAF settings, manage OpenAPI request schemes, configure the use of behavioral models built and applied by the Nemesida AI module, as well as systematize information about anomalies and identified vulnerabilities.
nwaf-scanner – Nemesida WAF Scanner vulnerability scanner.

Auxiliary modules are not available for distributions using a deprecated version of Python. Before installing the auxiliary module, we recommend that you familiarize yourself with the list of supported distributions posted on the page of each module.

🔗 Behavioral models

For more accurate operation of the machine learning module, we recommend creating a behavioral model for each specific web application.

During the training period, in order to build better models, it is not recommended to scan the web application for vulnerabilities, as well as send other illegitimate requests. False positive are managed using the module Nemesida WAF Cabinet.

All behavioral models created by the Nemesida AI MLC module are stored in the PostgreSQL DBMS (the waf database, which also stores the Nemesida WAF settings, exclusion and blocking rules, Nginx web server settings), which is accessed through the Nemesida WAF API component. Behavioral models are managed using the Nemesida WAF Cabinet interface or API.

Requests identified as illegitimate, with the exception of DDoS/Brute-force/Flood attacks, are not added to the training sample, even if they fall under the LM mode.

🔗 Nemesida WAF Cluster

Allows to combine many filtering nodes of Nemesida WAF into a single cluster, providing automatic synchronization of settings, IP Block list and other parameters between nodes. To use the functionality, all software keys used must have a single WAF ID.

🔗 Error message sources

During the operation of Nemesida WAF, error information may contain:

in the OS system logs;
in the Nginx work log;
in the RabbitMQ work log;
in the Nemesida WAF module operation log /var/log/nwaf/.

🔗 Technical support

For Nemesida WAF Community Edition users, technical support is provided only on forum.

In case of unforeseen errors in the Nemesida WAF operation, contact technical support by email or leave a message at forum.

🔗 Other information

Domain name example.com together with subdomains, it is used as an example in the manuals.

During operation, the Nemesida WAF use the service header x-nova for-request-id. Using a similar header in a web application is not recommended in order to avoid possible errors in operation.