Barracuda Web Application Firewall Ensures PCI DSS Compliance


Introduction

Barracuda Web Application Firewalls protect networks against unauthorized access, data leakage, site defacement and other malicious attacks by hackers that compromise both the privacy and integrity of vital data. By installing a Barracuda Web Application Firewall, businesses that store, process and/or transmit credit card numbers can protect their Web applications and achieve PCI DSS compliance in one easy step.

Payment Card Industry Data Security Standard (PCI DSS) Requirements

In response to the increase in identity theft and security breaches, major credit card companies collaborated to create the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. It applies to all entities involved in payment card processing – including merchants, processors, acquirers, issuers and service providers, as well as all other entities that store, process or transmit cardholder account data.

The 12 PCI DSS requirements are organized into six main categories that prevent credit card fraud through increased controls around data and its exposure to compromise. To be fully compliant, an organization must satisfy all 12 requirements.

Goal 1 - Build and Maintain a Secure Network and Systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Goal 2 - Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Goal 3 - Maintain a Vulnerability Management Program
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications

Goal 4 - Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Goal 5 - Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Goal 6 - Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel

Merchants and organizations should be most concerned with PCI DSS Section 6, which addresses the development and maintenance of secure systems and applications. PCI DSS compliance requires that organizations either submit to code audits or install a Web Application Firewall to secure their public-facing Web applications.

A code audit places considerable strain on a company with a large quantity of code that needs to be reviewed, adding considerable time and cost for each application. Furthermore, a code audit provides only point-in-time protection; quarterly reviews must be maintained to account for any change in the application code. This burdens organizations by constraining their engineering teams to fixing vulnerabilities rather than continuing to innovate and drive the company forward in the marketplace.

Barracuda Networks Enables PCI DSS Compliance

The simpler alternative for satisfying PCI DSS compliance is to invest in and implement a comprehensive Web application firewall. Barracuda Web Application Firewalls are designed to be easy and cost-effective solutions for PCI DSS compliance. They protect Web applications from attacks and ensure a layer of security regardless of the underlying code. Unlike traditional network firewalls or intrusion detection systems that simply pass HTTP/S traffic, Barracuda Web Application Firewalls proxy all traffic and insulate Web servers from direct access by attackers. This helps organizations ensure PCI DSS compliance across the major requirement categories:

PCI DSS Requirement / Barracuda Web Application Firewall:

Protect Data: Proxies all inbound and outbound Web traffic to insulate Web servers from direct access by attackers.
Encryption: Provides easy SSL encryption even if the application or server does not enable SSL encryption for inbound and outbound Web traffic.
Protect Against Vulnerabilities: Safeguards custom development, legacy and third-party applications from known and zero-day attacks as well as the industry-accepted top Web application vulnerabilities.
Restrict Access: Utilizes role-based administration to enforce security policies for accessing systems and SSL administration.
Track and Monitor Access: Provides logs and reports of application access and security violations.

Barracuda Web Application Firewalls also protect organizations from Top Web Application Threats listed by the PCI Council or other security organizations. These vulnerabilities include:
6.5.1 Injection Flaws
Description: Injection flaws are prevalent in Web applications and are often found in SQL queries, LDAP queries, OS commands, and program arguments.
Barracuda Web Application Firewall Solution: Inspects each client request to the Web application servers for malicious code and blocks any malicious request.
6.5.2 Buffer Overflow
Description: Overloads memory capacity to execute a malicious program to steal passwords, alter system configuration, install backdoors or launch other attacks.
Barracuda Web Application Firewall Solution: Provides easy SSL encryption even if the application or server does not enable SSL encryption for inbound and outbound Web traffic.
6.5.3 Insecure Cryptographic Storage
Description: Exploits applications that fail to store sensitive information such as credit card numbers as encrypted fields.
Barracuda Web Application Firewall Solution: Filters and intercepts outbound traffic to prevent the transmission of sensitive information.
6.5.4 Insecure Communications
Description: Failure by applications to encrypt network traffic containing sensitive communications.
Barracuda Web Application Firewall Solution: Cloaks details of the Web application infrastructure and blocks a server’s error messages from being sent out to the client. Filters and intercepts outbound traffic to prevent the transmission of sensitive information.
6.5.5 Improper Error Handling
Description: Exploits error messages to gather information about the OS and server versions, patch levels, etc. to launch targeted attacks on the server with known platform vulnerabilities.
Barracuda Web Application Firewall Solution: Safeguards custom development, legacy and third-party applications from known and zero-day attacks as well as the industry-accepted top Web application vulnerabilities.
6.5.6 All “High” Vulnerabilities Identified
Description: All “high” vulnerabilities discovered in the vulnerability identification process.
Barracuda Web Application Firewall Solution: Protects against all of the top threats. Reverse proxy deployment is architecturally superior and more secure than sniffer or bridge solutions.
6.5.10 Authentication and Session Management
Description: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities.
Barracuda Web Application Firewall Solution: Enforces session security and integrity in web applications by encrypting session tokens. Prevents MITM, MITB, and cookie replay attacks. Protects against tampering of hidden variables. Integrates with hardened browsers to prevent client-side session hijacking by keyloggers, framegrabbers, and other client-side malware.
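Two of the outbound controls described above (filtering responses to prevent the transmission of sensitive information such as card numbers in 6.5.3/6.5.4, and cloaking server error messages in 6.5.4/6.5.5) can be illustrated with a small reverse-proxy response filter. The following is an added example written for this page; it is not Barracuda's code and does not show how the Barracuda Web Application Firewall implements these features internally. It assumes a simplified representation of an HTTP response as a status code, a header dictionary and a body string; the card-number pattern, the Luhn check and the sample responses are constructed for the demonstration.

```python
"""Simplified outbound WAF response filter (constructed example).

Two controls are modelled:
  1. Data-leakage prevention: mask Luhn-valid 13-19 digit sequences
     (candidate primary account numbers) in response bodies.
  2. Error cloaking: replace 5xx bodies with a generic message and strip
     headers that reveal server software versions.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Headers that commonly disclose OS/server/framework versions (assumed list).
LEAKY_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}

GENERIC_ERROR = "An error occurred. Please try again later."


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(body):
    """Mask Luhn-valid card numbers in body; return (new_body, count_masked)."""
    count = 0

    def repl(match):
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            count += 1
            return "*" * (len(digits) - 4) + digits[-4:]   # keep last four
        return raw                                          # not a card number

    return PAN_RE.sub(repl, body), count


def filter_response(status, headers, body):
    """Apply both controls to an origin response.

    Returns (status, headers, body, info) where info records what was done.
    """
    safe_headers = {k: v for k, v in headers.items()
                    if k.lower() not in LEAKY_HEADERS}
    if status >= 500:
        # Never forward stack traces or version banners from the origin.
        return status, safe_headers, GENERIC_ERROR, {"error_cloaked": True,
                                                     "pans_masked": 0}
    new_body, n = mask_pans(body)
    return status, safe_headers, new_body, {"error_cloaked": False,
                                            "pans_masked": n}


if __name__ == "__main__":
    # Constructed sample responses (4111 1111 1111 1111 is a standard test PAN).
    ok = filter_response(
        200, {"Server": "Apache/2.4.1", "Content-Type": "text/html"},
        "Receipt: card 4111 1111 1111 1111, order 1234567890123456")
    err = filter_response(
        500, {"Server": "Apache/2.4.1", "Content-Type": "text/html"},
        "Exception in /var/www/app.py line 42: stack trace follows")
    print(ok)
    print(err)
```

The order number in the sample is deliberately a 16-digit string that fails the Luhn check, so it is left untouched while the test PAN is masked; a production filter would additionally handle chunked or compressed bodies and should log each masking event for the monitoring required under Requirement 10.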