PCI Compliance Considerations

Similar documents
SonicWALL PCI 1.1 Implementation Guide

How to Make the Client IP Address Available to the Back-end Server

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

Achieving PCI Compliance Using F5 Products

GFI White Paper PCI-DSS compliance and GFI Software products

March

Catapult PCI Compliance

Achieving PCI-Compliance through Cyberoam

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

Passing PCI Compliance How to Address the Application Security Mandates

PCI Requirements Coverage Summary Table

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

How To Protect A Web Application From Attack From A Trusted Environment

LogRhythm and PCI Compliance

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Corporate and Payment Card Industry (PCI) compliance

74% 96 Action Items. Compliance

SECURITY ADVISORY FROM PATTON ELECTRONICS

PCI v2.0 Compliance for Wireless LAN

White Paper. Managing Risk to Sensitive Data with SecureSphere

SSL BEST PRACTICES OVERVIEW

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Deploying the BIG-IP LTM System and Microsoft Outlook Web Access

FormFire Application and IT Security. White Paper

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

CONTENTS. PCI DSS Compliance Guide

AUTOMATING AUDITS AND ENSURING CONTINUOUS COMPLIANCE WITH ALGOSEC

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

PCI Wireless Compliance with AirTight WIPS

Chapter 7 Transport-Level Security

IIS Reverse Proxy Implementation

BANKING SECURITY and COMPLIANCE

Complying with PCI Data Security

PCI PA - DSS. Point BKX Implementation Guide. Version Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

Best Practices for PCI DSS V3.0 Network Security Compliance

PCI Requirements Coverage Summary Table

Retention & Destruction

IBM Security QRadar Vulnerability Manager Version User Guide

Barracuda Web Site Firewall Ensures PCI DSS Compliance

PCI PA - DSS. Point ipos Implementation Guide. Version VeriFone Vx820 using the Point ipos Payment Core

How Reflection Software Facilitates PCI DSS Compliance

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Management, Logging and Troubleshooting

Application Delivery in PCI DSS Compliant Environments

SANS Top 20 Critical Controls for Effective Cyber Defense

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

Solutions to Meet Your PCI Compliance Needs A whitepaper prepared by Coalfire Systems and HP

NetBrain Security Guidance

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

Payment Card Industry (PCI) Data Security Standard

Deployment Guide Microsoft IIS 7.0

Payment Card Industry Self-Assessment Questionnaire

PCI DSS Compliance. with the Barracuda NG Firewall. White Paper

How To Protect Your Data From Being Stolen

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

How To Achieve Pca Compliance With Redhat Enterprise Linux

McAfee Firewall Enterprise 8.3.1

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

Automate PCI Compliance Monitoring, Investigation & Reporting

Alliance Key Manager Solution Brief

Accellion Security FAQ

Oracle Database 11g: Security

IT Security & Compliance. On Time. On Budget. On Demand.

1. Barracuda Load Balancer - Overview What's New in the Barracuda Load Balancer Barracuda Load Balancer Release Notes

Configuring the BIG-IP system for FirePass controllers

Microsoft Lync Server Overview

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

Cleaning Encrypted Traffic

Overview. SSL Cryptography Overview CHAPTER 1

Acano solution. Security Considerations. August E

SSL-TLS VPN 3.0 Certification Report. For: Array Networks, Inc.

PCI Compliance Report

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

HP A-IMC Firewall Manager

Information Security Office

IBM Managed Security Services (Cloud Computing) hosted and Web security - express managed Web security

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

DMZ Gateways: Secret Weapons for Data Security

PCI Vulnerability Validation Report

Polycom Recommended Best Security Practices for Unified Communications

Oracle Database 11g: Security. What you will learn:

Cyber-Ark Software and the PCI Data Security Standard

DEPLOYMENT GUIDE Version 1.0. Deploying F5 with the Oracle Fusion Middleware SOA Suite 11gR1

Payment Card Industry Data Security Standard

paypoint implementation guide

Unified Security Anywhere PCI COMPLIANCE PCI COMPLIANCE WE CAN HELP MAKE IT HAPPEN

8070.S000 Application Security

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Payment Card Industry (PCI) Penetration Testing Standard

Deploying the Barracuda Load Balancer with Office Communications Server 2007 R2. Office Communications Server Overview.

Transcription:

PCI Compliance Considerations This article outlines implementation considerations when deploying the Barracuda Load Balancer ADC in an environment subject to PCI Data Security Standard (PCI DSS) compliance. This article focuses on the requirements placed on the Barracuda Load Balancer ADC for achieving PCI compliance, in an environment that includes the following: Barracuda Load Balancer ADC Application Server Database Server For PCI DSS Requirement 6.6 compliance [1] and added application security, consider purchasing an Application Security license for the Barracuda Load Balancer ADC. Efficient PCI Compliance PCI Compliance applies to entities that process, store, or transmit cardholder data. The Barracuda Load Balancer ADC intelligently distributes traffic among servers for efficient use of server resources, and provides server failover for High Availability. The Barracuda Load Balancer ADC, as an underlying technology infrastructure in your network, does not directly manage or store cardholder data. However, it provides a secure environment for the transmission of all application data including cardholder data. For merchants subject to PCI DSS, this facilitates certification attainment. According to section 4.1 of the Payment Card Industry (PCI) Data Security Standard v1.2 [2], merchants handling credit card data are required to "...use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks. Deploying services behind the Barracuda Load Balancer ADC simplifies your PCI compliance by relying on a secure, up-to-date PCI-compliant stack front-end for back-end servers. Additionally, the Barracuda Load Balancer ADC provides risk mitigation and business continuity by relieving your certification process from full scanning, and operating system, middle-ware, and application update and patching on all your Internet-facing production servers which can result in downtime and administrator overhead. An information supplement to the PCI DSS notes that as long as the servers behind a load Balancer ADC are configured similarly, they are exempt from an internal scan. For more information, refer to Account for Load Balancer ADCs [3] (page 14 of the PCI Approved Scanning Vendors Program Guide [4] ). Configure Front-End SSL Front-end SSL refers to the SSL implemented between the Barracuda Load Balancer ADC and the client connecting to the Barracuda Load Balancer ADC from the Internet. Configure SSL for each Service that requires compliance. The use of SSL has the following security implications under PCI DSS compliance: 1. Disables Secure Sockets Layer version 2 (SSLv2); 2. Disallows "weak" cryptography; PCI Compliance Considerations 1 / 10

3. Quarterly PCI security vulnerability scans conducted against your external-facing PCI systems. Without the first two measures, the scans are likely to fail, leading to falling out of compliance and the associated risks and consequences. Barracuda Load Balancer ADC provides secure SSL Offloading for your services. To enable this, log into the Barracuda Load Balancer ADC web interface, go to the BASIC > Services page, select a service, and scroll down to the SSL Settings section: PCI Compliance Considerations 2 / 10

By default the Barracuda Load Balancer ADC disables the deprecated cipher and is therefore "secure by default". As shown in the screenshots above, the Barracuda Load Balancer ADC enables only: SSL Protocols SSL v3, TLS v1.0/1.1/1.2 SSL Ciphers Only the RC4-MD5 cipher is disabled. All other ciphers are enabled (see Selected Ciphers). Additionally, security researchers have recently identified new vulnerabilities in the SSL protocol; these are mitigated by the secure SSL stack in the Barracuda Load Balancer ADC as shown in Table 1. Table 1. SSL Protocol Vulnerabilities Vulnerability Impact Remediation Insecure Renegotiation High BEAST Attack CRIME Attack Low Low Barracuda Load Balancer ADC only supports secure renegotiation initiated by the Server. SSL v3 and TLS 1.0 may be vulnerable to this attack even when block ciphers are used; configure the Barracuda Load Balancer ADC to prioritize or enforce stream (RC4) cipher suites. This attack exploits the protocol compression feature. By default, SSL compression is disabled in the Barracuda Load Balancer ADC. Configuring Back-End SSL Back-end SSL refers to the use of the SSL protocol to re-encrypt traffic between the Barracuda Load Balancer PCI Compliance Considerations 3 / 10

ADC and the back-end servers. PCI mandates SSL when transmitting data over "open, public" networks; see Requirement 4: Encrypt transmission of cardholder data across open, public networks [5] (page 35 of the PCI Data Security Standard [6] ). When the path between the Barracuda Load Balancer ADC and the servers is within a secure zone, organizations are not mandated to re-encrypt the traffic assuming the privacy of the path can be demonstrated for compliance. If your network architecture, environment, or the associated risk necessitates back-end SSL, go to the BASIC > Services page, click Edit for the Server you wish to modify, and update the SSL section as shown in the following image: Back-end SSL uses the same secure SSL protocols and ciphers as front-end SSL. Secure Certificates Though PCI does not specify minimum certificate key sizes, Barracuda Network recommends a minimum of 2048 bit key strength when renewing certificates or deploying new services. Note that the National Institute for Standards and Technology (NIST) has mandated moving to 2048 bit certificates, which the Barracuda Load Balancer ADC fully supports. Ensure that all SSL services, as well as the Management UI, employ strong certificates. Secure the Web-based Management UI To allow Web Interface access by HTTPS/SSL only, enable HTTPS/SSL Access Only to Yes on the ADVANCED > Secure Administration page. You can select a Private certificate if you have restricted access to a private network as in the screenshot shown above. PCI Compliance Considerations 4 / 10

Secure SNMP Access To secure the SNMP access for compliance, go to the ADVANCED > SNMP Configuration page, and complete the following steps: 1. In the SNMP Manager section, select the SNMP Version as v3. 2. Provide a secure password for the admin user. 3. Select SHA and AES as the Authentication Method and Encryption Method respectively; these are more secure than MD5 and DES. 4. Restrict SNMP Access to an internal network via the Allowed SNMP IP/Range control: 5. If you choose to use SNMP v2c to support legacy SNMP clients, ensure that you change the default SNMP Community String: PCI Compliance Considerations 5 / 10

For details on scanner false positives with respect to SNMP, refer to PCI-DSS Requirement 4 later in this article. Enable Syslog for Audit Compliance Continuous activity log monitoring alerts you to any unusual activity on the Barracuda Load Balancer ADC. To enable Syslog: 1. Go to the ADVANCED > Export Logs page. 2. In the Syslog section, click Add Syslog Server. The Add Syslog Server window appears. 3. Specify values for the following fields: 1. Name Enter a name to identify this syslog server. 2. IP Address - Enter the IP address of the syslog server. 3. Port Enter the port associated with the IP address of the syslog server. 4. Connection Type Select the connection type to transmit the logs from the Barracuda Load Balancer ADC to the Syslog server. 5. Validate Server Certificate Set to Yes to validate the syslog server certificate using the internal bundle of Certificate Authority's (CAs) certificates packaged with the system. If set to No, any certificate from the syslog server is accepted. 6. Client Certificate When set to Yes, the Barracuda Load Balancer ADC presents the certificate while connecting to the syslog server. 4. Click Add. PCI Compliance Considerations 6 / 10

Ensure Password Security Before you install and deploy one or more Barracuda Load Balancer ADCs, ensure that you have changed the default password on all devices. It is recommended that you have an organizational policy in place for setting passwords with a minimum strength that are distinct from personal passwords used by employees on the public Internet. Enabling HTTPS/SSL-only access to the web-based interface, as noted earlier in this article, further enhances credential security over public and private networks. The console and web-based interface use separate passwords; be sure to change both passwords. Encrypt All Configuration Backups Ensure that all manual and automated backups are encrypted so that configuration and sensitive information is not compromised in the event the backup file is compromised. To configure encryption on all configuration backups, go to the ADVANCED > Backups page, and set Encrypt Backup to Yes. PCI Compliance Considerations 7 / 10

Click Generate to create a strong encryption key for your backup file. A new window opens with the generated key. Copy this key into the Backup Encryption Key field. This key is required to decrypt or restore the backup configuration. Click Save when you have finished. Additional PCI Compliance Barracuda Networks is committed to security of its devices and helping customers achieve compliance. Barracuda Networks has additional best-of-breed security product offerings that can help you achieve additional PCI compliance cost effectively, especially for web application security, email encryption, anti-virus, and web filtering. Customers evaluating Barracuda Networks products can be assured of security and compliance commitment throughout the product s life cycles. For any issues or questions related to PCI compliance, contact Barracuda Networks Technical Support or your sales representative. Scanner False Positives Following are two false positives that some scanners have reported during PCI evaluations. SNMP vulnerability Some scanners incorrectly report that the Barracuda Load Balancer ADC is susceptible to CVE 2002-0012 CVE 2002-0013 CVE2002-0053. Barracuda Load Balancer ADC includes a customized port of NET-SNMP version: 5.4.2.1, which is not susceptible to the vulnerabilities mentioned in the reports. Only versions of NET-SNMP prior to 4.2.2 are susceptible to these. For additional information refer to CERT Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP) [7] (http://www.cert.org/advisories/ca-2002-03.html [8] ) If you encounter this false positive, submit the report to the scanning organization for validation. Additionally, Barracuda Networks has implemented the following additional security measures as recommended by the security advisory: Ability to filter SNMP traffic from non-authorized internal hosts Ability to change default community strings Ability to disable SNMP service if not explicitly required PCI Compliance Considerations 8 / 10

Insecure Cookies The Barracuda Load Balancer ADC inserts cookies for a service when the Persistence type is set to HTTP Cookies. Some scanners confuse these with application cookies and report them as insecure if the HTTP only or secure attribute is not set. You can configure both of these from the Persistence properties of a Service to avoid this false positive. PCI Compliance Considerations 9 / 10

Links 1. https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf 2. https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf 3. https://www.pcisecuritystandards.org/documents/asv_program_guide_v1.0.pdf 4. https://www.pcisecuritystandards.org/documents/asv_program_guide_v1.0.pdf 5. https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf 6. https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf 7. http://www.cert.org/advisories/ca-2002-03.html 8. http://www.cert.org/advisories/ca-2002-03.html PCI Compliance Considerations 10 / 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information