Archive for March 2nd, 2009


Requirement 6.6 – Part 2

Regarding the options you have in protecting your applications, let’s talk about option 2 of 6.6 first, the Web application firewall (WAF).  For those that have the budget, this is where they typically go to achieve compliance.
The first thing that people get wrong is that they assume that their existing firewall will also serve as an application firewall.  Wrong!  What most organizations have is a network firewall that works at ISO layers 1 through 4 (remember the ISO 7 layer model?).  Application firewalls work at ISO layers 4 through 7.  And while some network firewall vendors do have application firewall add-ons, experience with these add-ons indicates that you really need a dedicated application firewall to ensure performance.  That’s because like their network firewall cousins, application firewalls perform stateful inspection and that requires significant computational horsepower to conduct.  Even then, an application firewall can create issues for Web sites such as those that have extremely high transaction volumes or deliver streaming content, so an application firewall is not the answer for everyone.
Where I see application firewalls fall down the most is that they are not appropriately monitored.  And they are not monitored because they are not properly configured and maintained and therefore generate too many false positives.  Another big difference is that application firewalls need a significant amount of periodic ‘tweaking’, particularly after updates, in order to ensure false positives are kept to a minimum.  And since most organizations don’t periodically ‘tweak’ their application firewalls, the alerts generated take too much time to determine if they are real or false and people naturally ignore them all.
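The false-positive problem described above is easiest to see on a toy rule set. The following is an added illustration, not code from the PCI Guru post or from any WAF product: two made-up signatures are run over a handful of constructed requests, first untuned and then after a per-field exclusion of the kind a tuning pass would add once someone has reviewed the alerts. The paths, parameter names and request bodies are all invented for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qsl

# Constructed sample traffic (not real logs): path, query string, ground-truth label.
# Two benign requests carry SQL keywords in ordinary English, which is exactly the
# kind of input that floods an untuned application firewall with noise.
SAMPLE_REQUESTS = [
    ("GET", "/search", "q=select+credit+union+branches", "benign"),
    ("GET", "/product", "id=42", "benign"),
    ("POST", "/blog/comment", "body=I+work+at+a+credit+union+and+select+my+own+hours", "benign"),
    ("GET", "/product", "id=42'+OR+'1'='1", "malicious"),
]


@dataclass
class Rule:
    rule_id: str
    pattern: re.Pattern
    # (path, parameter) pairs reviewed during tuning and excluded from this rule only;
    # the rule keeps applying to every other field on the site.
    exclusions: set = field(default_factory=set)


def default_rules():
    """Two toy signatures of the kind a WAF ships with, before any tuning."""
    return [
        Rule("sqli-keywords", re.compile(r"\b(select|union|insert|drop)\b", re.I)),
        Rule("sqli-quote-or", re.compile(r"'\s*or\s*'", re.I)),
    ]


def tuned_rules():
    """Same signatures after review: the keyword rule no longer fires on free-text fields."""
    rules = default_rules()
    keyword_rule = rules[0]
    keyword_rule.exclusions.update({("/search", "q"), ("/blog/comment", "body")})
    return rules


def inspect(path, query, rules):
    """Return the (rule_id, parameter) alerts raised for one request."""
    alerts = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for rule in rules:
            if (path, name) in rule.exclusions:
                continue  # tuning exclusion: this field legitimately carries such text
            if rule.pattern.search(value):
                alerts.append((rule.rule_id, name))
    return alerts


def evaluate(requests, rules):
    """Score a rule set against labelled traffic: real alerts versus noise versus misses."""
    counts = {"true_positives": 0, "false_positives": 0, "missed": 0}
    for _method, path, query, label in requests:
        alerted = bool(inspect(path, query, rules))
        if alerted and label == "malicious":
            counts["true_positives"] += 1
        elif alerted and label == "benign":
            counts["false_positives"] += 1
        elif not alerted and label == "malicious":
            counts["missed"] += 1
    return counts


if __name__ == "__main__":
    print("untuned:", evaluate(SAMPLE_REQUESTS, default_rules()))
    print("tuned:  ", evaluate(SAMPLE_REQUESTS, tuned_rules()))
```

Untuned, two of the three benign requests raise alerts and only one alert is real, which is the ratio that leads operators to stop reading the console. The tuned set keeps the one real alert and drops the noise, and because the exclusion is scoped to specific fields rather than switching the rule off, the keyword signature still fires on any other parameter. Every application release can add or rename fields, which is why this review has to be repeated after updates rather than done once at deployment.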
Unlike network firewalls, application firewalls require knowledge of how browser-based applications work at ISO levels 4 through 7.  Such a knowledge base is not something a typical network administrator has a clue about and, to be fair, many application developers also do not understand how their applications work at these ISO levels.  Therefore, organizations need to find people with such knowledge to assist in configuring and maintaining their application firewalls.  This is likely best handled by a qualified consultant on a retainer basis.
And just because you chose the application firewall route, that does not get you off the hook regarding code reviews or the use of an application vulnerability testing tool.  I would highly recommend that you conduct these processes as well.  An application firewall is not justification to toss out just any solution you want.  Even an application firewall has limits and cannot protect poorly constructed applications.
In my final posting, I’ll discuss the use of code reviews and application vulnerability testing tools as methods of compliance.

