Imperva On Prem WAF with Bot Specifications

Srl. No. Specification
1 The proposed solution shall be positioned in the Leaders quadrant of the most recent
Gartner Magic Quadrant for Web Application and API Protection (WAAP).
2 The WAF appliance must be dedicated hardware and must not be combined with the
load balancer. A separate hardware box must be proposed for the load balancer, as per
the load balancer specifications given in the RFP.
3 The proposed solution must support 2 Gbps of WAF throughput. If the OEM/bidder
datasheet quotes L4/L7 throughput, the L7 throughput of the appliance must be at
least 50 Gbps. The bidder must provide evidence of the required throughput from
publicly available documents on the OEM website.
4 The solution must have more than 128 GB RAM and at least 2 x 4 TB hard disks in
RAID 1.
5 The solution must have built-in bypass segments so that the appliance fails open
(traffic continues to pass, uninspected) in case of hardware failure.
6 The appliance MUST NOT use hypervisors. It must be a purpose-built WAF with its own
specialised, hardened OS integrated with the hardware, and must not contain any
virtualisation components that split its resources.
7 The solution must support the following deployment modes to protect application
traffic. Both HTTP and HTTPS must be supported in all of these modes. Based on the
use case, the Bank may choose to deploy the solution in any of them.
- Inline mode: Layer 2 bridge
- Inline mode: Layer 3 reverse proxy
- Out-of-band mode
8 The WAF solution must not be a white-labelled or third-party WAF deployed on
another OEM's hardware or software.
9 The proposed WAF solution must support both a positive security model (which
states what input and behaviour is allowed; everything that deviates from it is
alerted on and/or blocked) and a negative security model (which explicitly defines
known attack signatures). The solution must support automatic updates of the
signature database to ensure protection against the latest web application
threats.
10 Both the positive and the negative security model must learn the application
continuously. Learning must be an ongoing process and must not stop after a certain
stage.
11 The solution must allow an application profile to be re-learned on a per-URL or
per-page basis. The administrator must not be required to re-learn the entire
application when only a few pages have changed.
12 The proposed solution must have a correlated attack validation capability that
examines multiple attributes, such as HTTP protocol conformance, profile violations,
signatures, special characters and user reputation, to accurately alert on or block
attacks and to minimise false positives.
13 The proposed WAF solution's automatic learning must cover directories, URLs and
form field values, including whether a field value is numeric, alphanumeric or
alphabetic, the length of the field, etc.
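The following is an added example (not Imperva's code and not part of the RFP) of what items 9 to 13 ask for, reduced to a toy: a profile is learned from benign sample traffic (allowed URLs, each parameter's character class and maximum length), a request is then checked against that profile (positive model) and against a small signature set (negative model), and the findings are weighed together with source reputation before a decision is taken. The signatures, weights, sample requests and the reputation list are all constructed for this illustration.

```python
"""Toy positive + negative security model with continuous learning and
correlated attack validation. Added example, not Imperva's code; all
requests, signatures and the reputation list below are constructed."""
import re
from urllib.parse import urlsplit, parse_qsl

# Negative model: three illustrative signatures (assumed, not a vendor ruleset).
SIGNATURES = {
    "sqli": re.compile(r"['\"]\s*(or|and)\s+\d+\s*=\s*\d+|union\s+select", re.I),
    "xss": re.compile(r"<\s*script|on\w+\s*=", re.I),
    "traversal": re.compile(r"\.\./"),
}
# Constructed reputation feed: sources flagged as malicious.
BAD_SOURCES = {"203.0.113.7"}
# Evidence weights; no single attribute reaches the block threshold on its own.
WEIGHTS = {"profile": 1, "reputation": 2, "signature": 3}
BLOCK_AT = 4


def char_class(value):
    """Character class a learning engine would record for a field value."""
    if value.isdigit():
        return "numeric"
    if value.isalpha():
        return "alphabetic"
    if value.isalnum():
        return "alphanumeric"
    return "free"


def widen(a, b):
    """Smallest class covering both a and b; learning only ever widens."""
    if a == b:
        return a
    if {a, b} <= {"numeric", "alphabetic", "alphanumeric"}:
        return "alphanumeric"
    return "free"


def learn_profile(requests):
    """Positive model: allowed URLs plus per-parameter class and max length."""
    profile = {}
    for req in requests:
        url = urlsplit(req["url"])
        fields = profile.setdefault(url.path, {})
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            cls, maxlen = fields.get(name, (char_class(value), 0))
            fields[name] = (widen(cls, char_class(value)), max(maxlen, len(value)))
    return profile


def relearn_url(profile, path, requests):
    """Re-learn a single URL (item 11) without touching the rest of the profile."""
    profile.pop(path, None)
    profile.update(learn_profile([r for r in requests if urlsplit(r["url"]).path == path]))
    return profile


def inspect(profile, req):
    """Collect violations across attributes: profile, signatures, reputation."""
    url = urlsplit(req["url"])
    params = parse_qsl(url.query, keep_blank_values=True)
    violations = []
    fields = profile.get(url.path)
    if fields is None:
        violations.append(("profile", "unknown URL " + url.path))
    else:
        for name, value in params:
            if name not in fields:
                violations.append(("profile", "unknown parameter " + name))
                continue
            cls, maxlen = fields[name]
            if widen(cls, char_class(value)) != cls:
                violations.append(("profile", "%s is not %s" % (name, cls)))
            if len(value) > maxlen:
                violations.append(("profile", "%s longer than %d" % (name, maxlen)))
    for _, value in params:  # signatures run on the URL-decoded value
        for sig_name, sig in SIGNATURES.items():
            if sig.search(value):
                violations.append(("signature", sig_name))
    if req["src"] in BAD_SOURCES:
        violations.append(("reputation", req["src"]))
    return violations


def decide(violations):
    """Correlated decision: weigh all evidence together instead of acting on one hit."""
    score = sum(WEIGHTS[kind] for kind, _ in violations)
    if score == 0:
        return "allow"
    return "block" if score >= BLOCK_AT else "alert"


# Constructed benign traffic used to learn the profile.
BENIGN = [
    {"src": "198.51.100.10", "url": "/account/view?id=1042"},
    {"src": "198.51.100.11", "url": "/account/view?id=77"},
    {"src": "198.51.100.12", "url": "/search?q=annual+report&page=2"},
    {"src": "198.51.100.13", "url": "/search?q=loan+rates&page=1"},
]

if __name__ == "__main__":
    profile = learn_profile(BENIGN)
    for req in [
        {"src": "198.51.100.20", "url": "/account/view?id=2048"},            # allow
        {"src": "198.51.100.20", "url": "/account/view?id=123456"},          # alert: too long
        {"src": "198.51.100.21", "url": "/account/view?id=1%27+or+1%3D1"},   # block
        {"src": "203.0.113.7", "url": "/search?q=../../etc/passwd&page=1"},  # block
    ]:
        v = inspect(profile, req)
        print(req["url"], "->", decide(v), v)
```

The point of the weights is item 12: an over-long numeric field on its own only raises an alert, while the same profile violation combined with a signature match, or a bad-reputation source combined with a traversal pattern, crosses the block threshold. `relearn_url` shows item 11: only the entry for the changed URL is rebuilt.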
14 The solution must provide the following features and protection:
- HTTP/1.x and HTTP/2 protocol validation
- Web service layer correlated attack validation
- HTTP protocol attack signatures
- Web service layer customised protection
- Cookie signing validation
- Anti-site-scraping
- Web profile protection
- Web worm protection
- Web application attack signatures
- Web application layer customised protection
- OCSP protocol validation
15 The solution must be able to decrypt TLS web traffic negotiated with Diffie-Hellman
(DHE/ECDHE) key exchange with the WAF deployed in Layer 2 mode. Note that with these
key exchanges the server's private key alone does not allow passive decryption of
the session, so the bidder must describe how session keys are made available to the
WAF in this mode.
16 The solution must automatically discover the content type of HTTP traffic regardless
of the Content-Type header, so that it can parse and protect HTTP requests with a
missing or wrong Content-Type header.
17 The solution must protect against deserialization attacks by searching for
signatures in the 'Request-Content' header.

18 The proposed solution must support High Availability (HA) and be deployable as
Active-Standby and Active-Active in both DC and DR environments.
19 The WAF must support high availability in both Layer 3 and Layer 2 deployments.
20 All custom policy and signature creation must be possible via the GUI. There must be
no need to create advanced policies from the CLI.
21 The solution must have a GUI-based option to create policies that detect and block
double-encoding attacks.
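As an added example for items 16 and 21 (not Imperva's code, and not describing how the Imperva engine does it), the request pre-processor below works out the real body format from the bytes instead of trusting the Content-Type header, and then detects double URL-encoding by decoding each parameter until it stops changing: a value that changes on a second pass was encoded twice. The sample requests and the header-to-type table are constructed for this illustration.

```python
"""Request pre-processing for items 16 and 21: sniff the real body format
instead of trusting Content-Type, then detect double URL-encoding by
decoding until the value stops changing. Added example, not Imperva's
code; the sample requests are constructed."""
import json
import re
from urllib.parse import unquote

# application/x-www-form-urlencoded shape: key=value pairs joined by '&'.
FORM_SHAPE = re.compile(rb"[\w.~%+-]+=[^&\x00-\x1f]*(?:&[\w.~%+-]+=[^&\x00-\x1f]*)*")
HEADER_KINDS = {
    "application/json": "json",
    "application/x-www-form-urlencoded": "form",
    "application/xml": "xml",
    "text/xml": "xml",
}


def sniff_body(body):
    """Return 'json', 'xml', 'form' or 'unknown' from the bytes alone."""
    head = body.lstrip()[:1]
    if head in (b"{", b"["):
        try:
            json.loads(body)
            return "json"
        except ValueError:
            pass
    if head == b"<":
        return "xml"
    if FORM_SHAPE.fullmatch(body):
        return "form"
    return "unknown"


def raw_params(body, kind):
    """Yield (name, raw_value) pairs without decoding, so encoding depth is preserved."""
    if kind == "form":
        for pair in body.decode("utf-8", "replace").split("&"):
            name, _, value = pair.partition("=")
            yield unquote(name), value
    elif kind == "json":
        data = json.loads(body)
        if isinstance(data, dict):
            for name, value in data.items():
                yield name, str(value)


def decode_layers(value, limit=4):
    """URL-decode until stable; a layer count of 2 or more means double encoding."""
    layers = 0
    while layers < limit:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers


def inspect_request(content_type, body):
    """Report the sniffed type, whether the header disagrees, and double-encoded params."""
    kind = sniff_body(body)
    declared = HEADER_KINDS.get((content_type or "").split(";")[0].strip().lower())
    findings = {"sniffed": kind, "header_mismatch": declared != kind, "double_encoded": {}}
    for name, raw in raw_params(body, kind):
        decoded, layers = decode_layers(raw)
        if layers >= 2:
            findings["double_encoded"][name] = decoded
    return findings


# Constructed samples: a JSON body sent as text/plain, a form body with no
# header, a double-encoded traversal, and a body that contradicts its header.
SAMPLES = [
    ("text/plain", b'{"user": "alice", "q": "%253Cscript%253E"}'),
    (None, b"id=42&name=bob"),
    ("application/x-www-form-urlencoded", b"path=..%252F..%252Fetc%252Fpasswd"),
    ("application/json", b"id=42"),
]

if __name__ == "__main__":
    for ct, body in SAMPLES:
        print(ct, body, "->", inspect_request(ct, body))
```

Two design points matter here. Form parameters are split before any decoding, because a library parser would already have removed one encoding layer and the depth count would be off by one. And a single layer is never flagged: a legitimate value such as `100%25` decodes once to `100%` and then stays put, whereas `%253C` only becomes `<` on the second pass.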
22 The WAF solution must have a cloud-based AI/ML analytics engine that correlates and
distils thousands of security events into a few distinct, readable events.
23 The solution must provide a threat intelligence feed and service based on source
reputation.
The feed must be provided in near real time for the following known attack sources:
- Malicious IPs
- Anonymous proxies
- TOR exit IPs
- Geolocation
24 The solution must be able to perform client identification, i.e. acquire data about
the browser's runtime environment by injecting JavaScript into the page to analyse
that environment. The acquired data must describe the browser in at least 150
attributes and allow detection of anomalies such as:
· presence of automation
· unusual screen resolution
· unusual user behavior (such as mouse movements)
· unusual drivers
25 The client component (JavaScript) must resist reverse engineering through advanced
code obfuscation and frequent script changes.
26 The client component (JavaScript) must be served from the same domain as the
application (first party). Loading the script from external locations is not
allowed.
27 The vendor must include the services of a dedicated analyst with extensive
knowledge and experience in fighting bots. The analyst's task is to analyse current
traffic and assist in tuning the configuration so that it remains as effective as
possible against ever-changing bot techniques and constant changes in the protected
application. The analyst must devote a minimum of 5 hours per month to these
activities.
28 The solution must also protect APIs that are consumed by browsers. Such interfaces
can then be made accessible only when the request carries a valid session key
assigned at identification time.
29 The system must be able to apply the following actions to traffic classified as
bot:
· blocking
· monitoring
· displaying a captcha
· identify
· delay
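The attributes item 24 lists are collected in the browser; what the server then does with them is the part a reviewer can reason about. The following is an added example (not Imperva's code) of server-side scoring over a handful of such attributes, mapped onto the action set of item 29. The attribute names, the heuristics (automation flag, plugin count, resolution, graphics renderer string, straightness and timing regularity of the pointer path), the thresholds and the two sample clients are all assumptions made for this illustration and are not the vendor's 150 attributes.

```python
"""Server-side scoring of client-side fingerprint attributes (item 24)
mapped onto the bot actions of item 29. Added example, not Imperva's code;
attribute names, heuristics, thresholds and sample clients are assumptions."""
import math

# Resolutions treated as ordinary; anything else earns one point (assumption).
COMMON_RESOLUTIONS = {(1920, 1080), (1366, 768), (1536, 864), (1440, 900),
                      (1280, 720), (2560, 1440), (390, 844), (412, 915)}
SOFTWARE_RENDERERS = ("swiftshader", "llvmpipe", "virtualbox", "vmware")
# Threshold -> action, checked from the strongest action down.
ACTIONS = [(6, "block"), (4, "captcha"), (2, "delay"), (1, "identify"), (0, "monitor")]


def mouse_shape(points):
    """Return (straightness, timing_jitter) for a path of (x, y, t_ms) samples.
    straightness 1.0 = a perfectly straight line; jitter 0.0 = perfectly
    regular sample spacing. Scripted pointers tend to score 1.0 and 0.0."""
    if len(points) < 4:
        return 1.0, 0.0  # no real movement recorded: treated like a scripted pointer
    (x0, y0, _), (x1, y1, _) = points[0], points[-1]
    chord = math.hypot(x1 - x0, y1 - y0)
    path = sum(math.hypot(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:]))
    straightness = chord / path if path else 1.0
    gaps = [b[2] - a[2] for a, b in zip(points, points[1:])]
    mean = sum(gaps) / len(gaps)
    jitter = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps)) / mean if mean else 0.0
    return straightness, jitter


def bot_score(attrs):
    """Weigh the collected attributes; returns (score, reasons)."""
    reasons = []
    if attrs.get("webdriver"):  # navigator.webdriver, set by automation frameworks
        reasons.append(("automation flag present", 3))
    if attrs.get("plugins", 1) == 0 and not attrs.get("mobile", False):
        reasons.append(("desktop browser with no plugins", 1))
    res = (attrs.get("width", 0), attrs.get("height", 0))
    if res not in COMMON_RESOLUTIONS:
        reasons.append(("unusual resolution %dx%d" % res, 1))
    if any(s in attrs.get("renderer", "").lower() for s in SOFTWARE_RENDERERS):
        reasons.append(("software or virtual graphics driver", 1))
    straight, jitter = mouse_shape(attrs.get("mouse", []))
    if straight > 0.98 and jitter < 0.05:
        reasons.append(("no or scripted pointer movement", 2))
    return sum(w for _, w in reasons), reasons


def choose_action(score):
    """Map a score onto the action set: monitor, identify, delay, captcha, block."""
    for threshold, action in ACTIONS:
        if score >= threshold:
            return action
    return "monitor"


# Constructed clients: a person on a laptop and a headless automation run.
HUMAN = {
    "webdriver": False, "plugins": 3, "width": 1920, "height": 1080,
    "renderer": "ANGLE (NVIDIA GeForce RTX 3060 Direct3D11)",
    "mouse": [(100, 100, 0), (120, 140, 45), (150, 160, 80), (200, 150, 140),
              (240, 120, 170), (300, 150, 230)],
}
BOT = {
    "webdriver": True, "plugins": 0, "width": 800, "height": 600,
    "renderer": "Google SwiftShader",
    "mouse": [(0, 0, 0), (50, 50, 20), (100, 100, 40), (150, 150, 60), (200, 200, 80)],
}

if __name__ == "__main__":
    for label, client in (("human", HUMAN), ("bot", BOT)):
        score, reasons = bot_score(client)
        print(label, score, choose_action(score), reasons)
```

The graded action list is the reason to keep a score rather than a yes/no verdict: a client with a single odd attribute is only tagged (identify), a client with no pointer movement is slowed down (delay), and only accumulated evidence such as the automation flag plus a software renderer plus a scripted path reaches captcha or block.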
30 The product must include a flexible reporting system that can generate detailed
views, including:
· Applied actions on a timeline
· Number of solved/unsolved captchas
· The performance of the ML models
· The incidence of client anomalies
· Ratio of bad bot / good bot / human traffic
· Endpoints with the highest number of requests
31 The API security solution must offer advanced and comprehensive API security,
including API discovery, cataloguing, risk rating, coverage of the OWASP API Security
Top 10, and vulnerability assessment pre- and post-development for East-West traffic.
32 API security must perform deep discovery of both external (North-South) and internal
(East-West) APIs, down to the data type of each field of each endpoint.
33 The API security solution must detect and classify sensitive data in both the request
and the response for external (North-South) and internal (East-West) API
endpoints.
34 API security must be able to identify vulnerable APIs, in particular unauthenticated
APIs.
35 API security must be able to detect OWASP API Top 10 attacks, including BOLA (Broken
Object Level Authorization), mass assignment, BFLA (Broken Function Level
Authorization) and broken authentication.
36 API security must be able to run vulnerability tests on API endpoints without
integrating with any vulnerability assessment (VA) tool.
37 API security must integrate natively with the on-prem WAF.