The Barracuda Web Site Firewall helps organizations of all types that store, process and/or transmit credit card numbers comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements. In response to increased identity theft incidents and security breaches, the major credit card companies collaborated in Sept. 2006 to create the 12 procedural and system requirements, commonly known as PCI DSS version 1.1, to standardize how Primary Account Number (PAN) information is stored and accessed.
Most immediate for today's merchants and organizations is the June 30, 2008 compliance deadline for Section 6.6 of the PCI DSS, which addresses the development and maintenance of secure systems and applications. Section 6.6 mandates that all enterprise and Web applications handling credit card and account information undergo an extensive audit of all custom application code, a process that is time consuming, labor intensive and costly to repeat with each change to the application code. The alternative for satisfying PCI DSS Section 6.6 is simply installing a Web application firewall.

Payment Card Industry Data Security Standard (PCI DSS) Requirements:
The 12 PCI DSS requirements are organized into 6 main categories. To be fully compliant, an organization must satisfy all 12 requirements.
- Maintain a Secure Network: Requirements 1 and 2
  - Install and maintain a firewall configuration to protect cardholder data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data: Requirements 3 and 4
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program: Requirements 5 and 6
  - Use and regularly update anti-virus software
  - Develop and maintain secure systems and applications
- Implement Strong Access Controls: Requirements 7, 8, and 9
  - Restrict access to cardholder data by business need-to-know
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
- Regularly Monitor and Test Networks: Requirements 10 and 11
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
- Maintain an Information Security Policy: Requirement 12
  - Maintain a policy that addresses information security
Source: PCI Security Standards version 1.1 - http://www.PCISecurityStandards.org.
Barracuda Networks Enables PCI DSS Compliance:
Barracuda Web Application Controllers, consisting of the Barracuda Web Application Firewall and Barracuda Application Gateway, are designed as easy and cost-effective solutions for achieving PCI DSS compliance. In addition to satisfying the time-sensitive need to install a Web application firewall in your network for PCI DSS Section 6.6 compliance, Barracuda Web Application Controllers further support PCI DSS compliance with a host of other advanced technologies.
The Barracuda Web Site Firewall enables PCI DSS compliance across the major requirements:
| Requirement | Barracuda Web Site Firewall |
|---|---|
| 1 - Install a Firewall | Acts as a network firewall and a Web application firewall |
| 3 - Protect data | Proxies Web traffic and insulates Web servers from direct access by attackers |
| 4 - Encryption | Provides easy SSL encryption even if the application or server does not enable SSL |
| 6 - Protect Against Vulnerabilities | Blocks known and zero-day attacks as well as the industry-accepted top 10 Web application vulnerabilities for custom development, legacy and third-party applications |
| 7 - Restrict Access | Provides role-based administration of security policies |
| 8 - Assign Unique IDs | Integrates with external authentication systems, such as LDAP, for unique IDs |
| 10 - Track and Monitor Access | Provides application access logging and interacts with AAA systems |
PCI DSS section 6.5 is perhaps the most significant set of detailed requirements, as it addresses application vulnerabilities, including coding guidelines such as those of the Open Web Application Security Project (OWASP). The Barracuda Web Site Firewall directly addresses each of the requirements in section 6.5.
| Requirement | Barracuda Web Site Firewall |
|---|---|
| 6.5.1 Unvalidated input (i.e., hidden field manipulation) | Validates incoming and outgoing session content against legitimate application behavior and usage |
| 6.5.2 Broken access control (i.e., malicious use of user IDs) | Authenticates user access requests via integrated LDAP, RADIUS, CA SiteMinder and RSA Access Manager interfaces |
| 6.5.3 Broken authentication and session management (i.e., cookie tampering, session hijacking) | Automatically encrypts session cookies and assigns unique session IDs to ensure secure user sessions |
| 6.5.4 Cross-site scripting (XSS) attacks | Inspects and verifies user input and incoming requests for any malicious code before forwarding them to backend servers |
| 6.5.5 Buffer overflows | Detects and prevents attempts via the header or input fields to exceed memory capacity |
| 6.5.6 Injection flaws (i.e., SQL injection) | Validates the legitimacy of all Web requests and code accessing backend systems |
| 6.5.7 Improper error handling | Cloaks Web application infrastructure from hackers attempting to expose vulnerabilities in error responses and other messages |
| 6.5.8 Insecure storage | Filters and intercepts outbound traffic to prevent transmission of sensitive information, such as passwords, credit card numbers, account records or proprietary information |
| 6.5.9 Application denial of service (DoS) | Monitors and controls the number of queries to the same URL from a single user |
| 6.5.10 Insecure configuration management | Proxies all inbound and outbound Web traffic to neutralize any configuration vulnerabilities |