The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Cloud Application Protection Service Plans
Secure Cloud Web Application Firewall (WAF) Protection provides intelligent AI-powered security capabilities alongside advanced automation and industry-leading security services provided by Radware’s[1] industry-recognized Emergency Response Team (ERT).
The service is offered in three convenient service plans. Each plan is designed to meet different security needs and risk exposures and to provide different levels of managed services.
Cloud Application Protection Service Plans
Essentials Plan
The Essentials plan offers industry benchmark protection with additional unique features and capabilities. It includes Cisco® Cloud WAF, API protection, zero-day attack protection, Basic bot protection, and 1Gbps of network DDoS protection, and an industry-leading Service Level Agreement (SLA).
Advantage Plan
Cisco’s Advanced plan takes application security to the next level by offering advanced protection capabilities that provide protection from more sophisticated and unknown attacks. The plan includes, on top of the Essentials plan, Cisco Advanced WAF with its path access protection engine that protects against more sophisticated unknown and zero-day attacks, AI-based Correlation Engine (Source Blocking), 10Gbps of network DDoS Protection, as well as JS supply chain mapping, monitoring, and attack detection for client-side protection. It also includes Radware’s ERT Active Attackers Feed (EAAF) intelligence feed and support for onboarding and policy reviewing.
Premier Plan
The Premier plan provides a comprehensive security blanket for your entire application environment. From client-side to server-side and everything in between. This plan includes everything in the Advantage plan in addition to Bot Manager, behavioral-based multi-layered detection and mitigation, automated API discovery and API security policy generation, and client-side protection enforcement.
|
|
Cisco Cloud WAF Protection Service |
||
|
|
Essentials |
Advantage |
Premier |
| Web Application Firewall (WAF) |
ü |
ü |
ü |
| API Protection |
ü |
ü |
ü |
| Basic Bot Protection |
ü |
ü |
ü |
| Advanced Rules |
ü |
ü |
ü |
| Rate Limit |
ü |
ü |
ü |
| Access Control & IP Geo Rules |
ü |
ü |
ü |
| Reporting & Analytics |
ü |
ü |
ü |
| DDoS Protection |
1Gbps |
10Gbps |
10Gbps |
| Standard Support |
ü |
ü |
ü |
| Advanced Support |
û |
ü |
ü |
| Advanced WAF (Path Access Protection and Al-based Correlation Engine) |
û |
ü |
ü |
| ERT Active Attackers Feed (EAAF) |
û |
ü |
ü |
| Client Side Protection – Detection |
û |
ü |
ü |
| Client Side Protection – Mitigation |
û |
û |
ü |
| API Discovery |
û |
û |
ü |
| Bot Manager |
û |
û |
ü |
| Web DDoS Protection |
Add-on |
Add-on |
Add-on |
| Load Balancer as a Service* |
Failover |
Basic |
Advanced |
| DNS as a Service |
Add-on |
Add-on |
Add-on |
| PCI DSS 4 Compliance Extension |
û |
Add-on |
Add-on |
| Data Retention |
30 Days |
60 Days |
90 Days |
| Unlimited DDoS |
Add-on |
Add-on |
Add-on |
| CDN |
Add-on |
Add-on |
Add-on |
| Premium Support |
Add-on |
Add-on |
Add-on |
Web DDoS Protection
Industry-leading application-layer (L7) protection against DDoS attacks, based on advanced machine-learning-based behavioral detection that distinguishes between legitimate and malicious traffic, and automatically generates granular signatures in real-time to protect against zero-day attacks. With hybrid, always-on, and on-demand cloud DDoS service deployment options, Cloud Web DDoS Protection provides best-in-class security against a wide variety of threats, including HTTP Floods, HTTP bombs, low-and-slow assaults, Brute Force attacks, and disruptive web DDoS Tsunamis.
Emergency Response Team (ERT) Premier Managed Service
For organizations lacking in-house cybersecurity expertise or those who need to reduce security overheads, Cisco offers ERT Premier managed services through it OEM partner Radware:
● 10-minute response SLA via “Hot-line” access
● On-demand emergency response attack mitigation
● Designated Customer Success Manager
● Post-attack forensics and recommendations
● Periodic security status reports
● Priority service case handling
● Policy tuning and application security insights
● Access logs
● NoKey – SSL/TLS certificate private key storage service through HSM integration
Content Delivery Network
For enterprises that wish to combine website delivery with web application security, Secure Cloud WAF offers a content delivery network (CDN) solution integrated directly into our application protection portal. The CDN solution, which is based on the Amazon CloudFront CDN, provides a massive and globally distributed footprint, enhanced performance, and DevOps-friendly usability.
Unlimited DDoS Protection
For enterprises that suffer from high-volume DDoS attacks where 1G or 10G of mitigation capacity is insufficient, Cisco offers unlimited protection with the industry’s top-rated DDoS protection solution. Defend your organization against today’s most advanced DDoS attacks – no matter their frequency or volume.
Talk to your Cisco sales representative about which plan best suits your organization’s security needs.
PCI DSS 4 Compliance
In addition to WAF and API protection against business logic attacks, which are necessary for PCI DSS 4 compliance and included in the Secure Cloud WAF Protection service plans, the PCI DSS 4 add-on offers extended, specific client-side protection controls as required by PCI DSS 4 Sections 6.4.3 and 11.6.1:
● The PCI DSS 4 add-on provides complete visibility of all third-party scripts running on the client side of your application, along with a detailed inventory of all scripts. This includes real-time activity tracking alerts and threat-level assessments, as well as information about the script, such as whether the scrip is authorized as well as details about the script source and destination domain.
● The add-on notifies the user of any attempts to manipulate HTTP headers, form and payment pages, and any attempts at DOM XSS.
Load Balancer as a Service
Load Balancer as a Service (LBaaS) complements cloud application protection services with improved SLA and scalability while maintaining high availability and protecting all origin sites. It provides Active/Active traffic and user load balancing between origin sites.
|
|
Cloud Application Protection Service |
||
|
|
Essentials |
Advantage |
Premier |
| Failover (Active-Standby) |
ü |
ü |
ü |
| Number of Active Real Servers (Origins) |
1 |
8 |
8 |
| Multi-port Support |
û |
ü |
ü |
| Active-Active Load Balancing – Round Robin |
û |
ü |
ü |
| IP-Based Persistency |
û |
ü |
ü |
| URL-based Load Balancing |
û |
û |
ü |
| Active-Active Load Balancing – Least Connection |
û |
û |
ü |
| Cookie-Based Persistency |
û |
û |
ü |
DNS as a Service
DNS as a Service (DNSaaS) provides comprehensive Domain Name System (DNS) management, which is essential for the seamless functioning of all online applications. An integral component for any business that prioritizes application availability, security, and performance, investing in DNSaaS is more than just managing domain names; it’s about safeguarding your business’s digital presence and ensuring end users have a seamless experience. DNSaaS includes:
● A centralized management console with an easy-to-use interface for managing all DNS hosts, records, and health check configurations in one place.
● Customizable health checks for continuous monitoring of application sources status.
● Flexible record routing options for high availability based on Geo and Failover policies.
● Control over traffic distribution to specific resources or endpoints so end users can be served from the closest or most appropriate data center, improving latency and user experience.
● Real-time analytics that monitor the number of queries per hosted zone.
DNS-as-a-Service is offered in three distinct packages, each priced based on the number of hosted zones, the volume of monthly DNS queries, and the quantity of health check objects.
Managed Services Support Levels
|
|
Risk/Impact-based Priority |
Essentials Support |
Advantage Support |
ERT Premier Service |
| Response SLA |
P1 (Phone) |
40 Min |
30 Min |
10 Min |
| P1 (Ticket) |
3 Hours |
2 Hours |
60 Min |
|
| P2 |
6 Hours |
4 Hours |
2 Hours |
|
| P3 |
16 Hours |
12 Hours |
4 Hours |
|
| P4 |
24 Hours |
24 Hours |
12 Hours |
|
| Ticket Updates |
P1 |
48 Hours |
48 Hours |
24 Hours |
| P2 |
96 Hours |
72 Hours |
48 Hours |
|
| P3 |
120 Hours |
96 Hours |
72 Hours |
|
| P4 |
144 Hours |
120 Hours |
96 Hours |
|
| Managed Services |
Certificate Management & Notifications |
û |
ü |
ü |
| Onboarding & Policy Review |
û |
ü |
ü |
|
| Post-attack Analysis |
û |
ü |
ü |
|
| Chart Support |
û |
ü |
ü |
|
| Access logs |
û |
û |
ü |
|
| Quarterly Premium Security Report |
û |
û |
ü |
|
| Annual Special Event Preparation |
û |
û |
ü |
|
| Annual Attack Test (DDoS L3-7) |
û |
û |
ü |
|
| Proactive Security Recommendations |
û |
û |
ü |
|
| Security Configuration Review |
û |
6 Months |
3 Months |
|
| Extended Monitoring |
û |
External Monitoring on Top 5 Apps |
External Monitoring on |
|
| NoKey- HSM Integration |
û |
û |
ü Limited Availability |