Requirement 6.6 – Part 2

When it comes to the options you have for protecting your applications, let’s talk about option 2 of Requirement 6.6 first, the Web application firewall (WAF).  For those that have the budget, this is where they typically go to achieve compliance.
The first thing people get wrong is assuming that their existing firewall will also serve as an application firewall.  Wrong!  What most organizations have is a network firewall that works at ISO layers 1 through 4 (remember the ISO 7 layer model?).  Application firewalls work at ISO layers 4 through 7.  And while some network firewall vendors do offer application firewall add-ons, experience with these add-ons indicates that you really need a dedicated application firewall to ensure adequate performance.  That is because, like their network firewall cousins, application firewalls perform stateful inspection, which requires significant computational horsepower.  Even then, an application firewall can create issues for Web sites with extremely high transaction volumes or streaming content, so an application firewall is not the answer for everyone.
Where I see application firewalls fall down most often is that they are not appropriately monitored.  They are not monitored because they are not properly configured and maintained and therefore generate too many false positives.  Another big difference from network firewalls is that application firewalls need a significant amount of periodic ‘tweaking’, particularly after updates, to keep false positives to a minimum.  And since most organizations do not periodically ‘tweak’ their application firewalls, the alerts generated take too much time to classify as real or false, and people naturally end up ignoring them all.
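As an added example (not part of the original post), here is how an analyst might separate the alerts worth ignoring from the ones worth reading: a rule that keeps firing on one URI for many different clients is usually reacting to how the application legitimately uses that page and is a candidate for a targeted exception, whereas one client tripping a rule across many URIs is not. The log format, rule ids and thresholds are assumptions constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed WAF alert log, one alert per line: timestamp rule_id client_ip uri (made-up data and rule ids).
SAMPLE_ALERTS = """\
2015-07-14T10:00:01 100200 10.1.1.5 /checkout/submit
2015-07-14T10:00:09 100200 10.1.1.9 /checkout/submit
2015-07-14T10:01:12 100200 10.1.2.3 /checkout/submit
2015-07-14T10:02:40 100200 10.1.1.7 /checkout/submit
2015-07-14T10:03:05 100200 10.1.3.2 /checkout/submit
2015-07-14T10:03:44 100200 10.1.1.5 /account/update
2015-07-14T10:05:00 100300 192.0.2.10 /login
2015-07-14T10:05:01 100300 192.0.2.10 /admin
2015-07-14T10:05:02 100300 192.0.2.10 /search
2015-07-14T10:05:03 100300 192.0.2.10 /cart
"""

def parse_alerts(text):
    """Parse alert lines into dicts with keys ts, rule, client, uri."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        alerts.append(dict(zip(("ts", "rule", "client", "uri"), parts)))
    return alerts

def rule_summary(alerts):
    """Per rule: alert count, distinct clients, and the share of alerts on its busiest URI."""
    by_rule = defaultdict(list)
    for a in alerts:
        by_rule[a["rule"]].append(a)
    summary = {}
    for rule, hits in by_rule.items():
        top_uri, top_n = Counter(h["uri"] for h in hits).most_common(1)[0]
        summary[rule] = {"alerts": len(hits), "clients": len({h["client"] for h in hits}),
                         "top_uri": top_uri, "top_uri_share": top_n / len(hits)}
    return summary

def tuning_candidates(alerts, min_alerts=5, min_share=0.8, min_clients=3):
    """(rule, uri) pairs that look like application-specific false positives."""
    # Many distinct clients concentrated on one URI points at normal application
    # behaviour tripping the rule; a single client spraying many URIs is left alone.
    return sorted((r, s["top_uri"]) for r, s in rule_summary(alerts).items()
                  if s["alerts"] >= min_alerts and s["top_uri_share"] >= min_share
                  and s["clients"] >= min_clients)

def apply_exceptions(alerts, exceptions):
    """Drop alerts covered by (rule, uri) exceptions; what remains still needs review."""
    ex = set(exceptions)
    return [a for a in alerts if (a["rule"], a["uri"]) not in ex]
```

With the constructed log, one exception removes half the alert volume and leaves the single-client probe of four URIs in the review queue.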
Unlike network firewalls, application firewalls require knowledge of how browser-based applications work at ISO layers 4 through 7.  That is not something a typical network administrator has, and, to be fair, many application developers also do not understand how their applications work at these layers.  Therefore, organizations need to find people with such knowledge to assist in configuring and maintaining their application firewalls.  This is likely best handled by a qualified consultant on a retainer basis.
And just because you chose the application firewall route, that does not get you off the hook regarding code reviews or the use of an application vulnerability testing tool.  I would highly recommend that you conduct those processes as well.  An application firewall is not a justification to roll out just any solution you want.  Even an application firewall has limits and cannot protect poorly constructed applications.
In my final posting, I’ll discuss the use of code reviews and application vulnerability testing tools as methods of compliance.


2 Responses to “Requirement 6.6 – Part 2”

  1. Mark
    July 14, 2015 at 5:02 PM

    If my PA-DSS application is not public facing, do I still need a web application firewall?

    • July 15, 2015 at 4:35 AM

      No, you do not need a Web application firewall for an internal facing application.
