PCI DSS Compliance with the Barracuda NG Firewall
White Paper, Release 3

About Payment Card Industry Data Security Standard (PCI DSS) Requirements

In response to the increase in identity theft and security breaches, major credit card companies collaborated to create the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. It applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder account data.

The 12 PCI DSS requirements are organized into six main categories that prevent credit card fraud through increased controls around data and its exposure to compromise. To be fully compliant, an organization must satisfy all 12 requirements. This white paper shows how the Barracuda NG Firewall can help satisfy each specific requirement of PCI DSS compliance.

About Barracuda NG Firewall

The Barracuda NG Firewall is an ideal enterprise solution for IT administrators seeking to protect vital data in networks made chaotic and vulnerable by the explosion of mobile and BYOD devices, evasive Web 2.0 applications, and remote network users. The Barracuda NG Control Center adds a powerful and intuitive centralized management portal that makes it extremely simple to deploy, configure, update, and manage multiple units from a single location, while also providing comprehensive, real-time network visibility and reporting. As a result, it is an ideal solution for enterprises looking to manage large numbers of users or several sites with few IT personnel while meeting PCI compliance requirements.
Build and Maintain a Secure Network

#1 Install and maintain a firewall configuration to protect cardholder data

The Barracuda NG Firewall is a full next-generation stateful firewall providing market-leading network security and data protection. Multiple firewalls can be managed through the Barracuda NG Firewall Control Center, allowing full centralized management. The control center's Firewall Audit Viewer aggregates traffic information from multiple firewalls in one central location.

For auditing purposes, you can activate the Revision Control System (RCS) (to support requirement 1.1.1). The RCS records all configuration changes to your system and lets you retrieve and revert to older configuration versions. You can generate RCS Reports displaying information for specific configuration versions and administrator IP addresses. You can also search for information, export and import version settings, and print the RCS Report.

When integrating multiple firewalls into a single network architecture, separate firewall service types facilitate the efficient management of multiple devices. A single common ruleset for the common security policy is managed once but shared across all the network firewalls, while cascading site-local rulesets can be used to implement security policies specific to a network segment. This greatly reduces the administration overhead and hence the total cost of ownership.

The Barracuda NG Firewall is the ideal device to place between the DMZ and the internal network, or to protect access via one or more Internet connections (requirement 1.1.3). It provides an ideal network segmentation gateway to police the border between trusted and untrusted networks. Rigorous security policies can be implemented to allow only required traffic for specific protocols or applications (requirement 1.2.1). It can also be used as a secure perimeter firewall between wireless networks and data environments. In addition, it can broadcast Wi-Fi networks (requirement 1.2.3).

The Barracuda NG Firewall has the ability to enforce sophisticated firewall rules on traffic flows through the device. It integrates a comprehensive set of firewall technologies, including:

- Layer 7 Application Control for Web 2.0
- SSL Interception
- Stateful packet forwarding (in bridged or routed modes)
- Transparent proxying (TCP)
- NAT (src, dst, nets), NAPT, PAT
- Dynamic rules / timer triggers
- Virtual rule test environment
- User Authentication

Separate Barracuda NG Firewalls can be used to protect each network segment, or a single high-performance Barracuda NG Firewall can be used as a central network segmentation gateway that protects multiple network segments with separate security policies. A large number of ports and VLAN support mean a single Barracuda NG Firewall can easily manage hundreds of separate network segments.

Related sub-requirements:
#1.1 Establish firewall and router configuration standards
#1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment
The Barracuda NG Firewall can be easily configured to prevent direct access between the Internet and system components in the cardholder network segment. It can:

- implement and manage a network zone for a DMZ (requirement 1.3.1),
- ensure that inbound Internet traffic can only access IP addresses in the DMZ (requirement 1.3.2),
- prevent direct connections (requirement 1.3.3),
- protect internal IP addresses (requirement 1.3.4),
- allow only specifically authorized outbound traffic (requirement 1.3.5),
- perform stateful inspection (requirement 1.3.6),
- segregate a network zone for cardholder data (requirement 1.3.7), and
- implement NAT as well as proxy services (requirement 1.3.8).

The Barracuda NG Firewall can completely control what comes in and out of a network based on user, time of day, location, protocol, and application (more than 1200 applications can be detected). Our High Availability (HA) feature ensures continuity of service, and our site-to-site VPN allows remote sites to be seamlessly integrated into a secure network architecture.

The Barracuda Network Access Client provides a powerful firewall for PCs that can be easily rolled out and centrally configured via the Barracuda NG Firewall. Local reconfiguration of the personal firewall can be blocked. The Barracuda Network Access Client can also ensure that only computers meeting centrally defined security and health standards can connect to the organization's network.

Related sub-requirements:
#1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment
#1.4 Install personal firewall software on any mobile and/or employee-owned computers...

#2 Do not use vendor-supplied defaults for system passwords and other security parameters

The Barracuda NG Firewall and its associated documentation encourage customers to change supplied defaults (usernames, passwords, and IP addresses) before deployment. In addition, the Setup Wizard prompts for a password change. The Barracuda NG Firewall can help enforce this requirement by ensuring that only specific protocols, services, or applications are allowed to access specific services or network segments. If they are not required, they are blocked by default.

Administrative access to the Barracuda NG Firewall is encrypted using SSL. Administration is via a Windows .exe application.

The virtualized versions of the Barracuda NG Firewall (for example, for VMware, KVM, and XenServer) allow deployments in virtualized networks on a single platform. This is ideal for shared hosting providers, as they can segregate the data of different organizations while using a single platform.

Related sub-requirements:
#2.1 Always change vendor-supplied defaults before installing...
#2.2 Develop configuration standards for all system components...
#2.3 Encrypt all non-console administrative access using strong cryptography...
#2.4 Shared hosting providers must protect each entity's hosted environment and cardholder data...
Protect Cardholder Data

#3 Protect stored cardholder data

This item is not addressed by the Barracuda NG Firewall. However, Barracuda's business partners can provide services to help an organization satisfy this requirement.

#4 Encrypt transmission of cardholder data across open, public networks

The Barracuda NG Firewall manages secure site-to-site (and client-to-site) VPN tunnels across public networks to deliver secure and stable remote office or cloud connectivity. VPN tunnels can be secured using either IPSec or the Barracuda hybrid protocol (IPSec's ESP and enhanced key exchange). Supported encryption includes AES-128/256, 3DES, and DES.

The Barracuda NG Firewall's generic pattern matching provides DLP functionality and can be set up to block PANs (credit card numbers).

Related sub-requirements:
#4.1 Use strong cryptography and security protocols...
#4.2 Never send unprotected PANs...

Maintain a Vulnerability Management Program

#5 Use and regularly update anti-virus software or programs

The Barracuda NG Firewall integrates with the Barracuda Web Security Service to provide cloud-based malware scanning and content filtering without performance degradation.

Barracuda NG Malware Protection provides gateway-based protection against malware, viruses, spyware, and other unwanted programs inside SMTP, HTTP, POP3, and FTP traffic. Features include:

- Configurable archive recursion depth
- Quarantine functionality for proxy
- Configurable unknown archive policy
- Configurable maximum archive size
- Archiver package support
- Office file-type support
- Proactive detection of new threats
- Advanced heuristic detection techniques
- Hundreds of thousands of signatures
- Multiple signature updates per day

The Barracuda NG Web Filter is a subscription option that enforces Internet usage policies by blocking access to websites and Internet applications that are not related to business and/or are a potential security risk. Features include:

- Customizable black and white lists
- Filtering of the entire URL string beyond the FQDN
- 69 content categories
- Multiple category selection
- ~100 million entries, with ~100,000 new URL database entries every day
- Temporal constraints
- User-specific / group-specific restrictions
- Category database
- Local or online updates
- Hourly or continuous update interval
- Customizable block pages

Related sub-requirements:
#5.1 Deploy anti-virus software on all systems...
The Barracuda Web Security Service, as a cloud service, is always up to date without any need for local updates. Malware signatures update continuously for fast response to new and known threats. Advanced heuristics block unknown web viruses and spyware. The service is also centrally manageable (via a web interface) with central reporting and drill-down reports.

Barracuda NG Malware Protection receives multiple signature updates per day. A virus scanner log can also be enabled at different levels to support debugging or auditing.

Barracuda NG Web Filter can be set to an hourly or continuous update interval. You can log which requests are allowed and denied, and specify the types of statistics that are generated for the service.

Related sub-requirements:
#5.2 Ensure that all antivirus mechanisms are current, actively running, and generating audit logs

#6 Develop and maintain secure systems and applications

The Barracuda NG Firewall Control Center provides centralized antivirus pattern updates and version monitoring across all of an organization's firewalls.

Items #6.2 - #6.6 are not addressed by the Barracuda NG Firewall. However, Barracuda's business partners can provide services to help an organization satisfy this requirement.

Related sub-requirements:
#6.1 Ensure that all system components and software are protected from known vulnerabilities...

Implement Strong Access Control Measures

#7 Restrict access to cardholder data by business need-to-know

The Barracuda NG Firewall can be used to enforce access control policies via firewall rules that provide granular access control based on users, time, application, and protocol. In addition, the Barracuda Network Access Client (NAC) can ensure that only healthy PCs and authenticated users are able to connect to the corporate network. Two-factor authentication is also available by combining different authentication types (e.g., password and token (OTP, SMS PASSCODE)).

The Barracuda NG Firewall can implement access control policies based on user groups. For example, a particular network segment (containing cardholder data) can be protected by an NG Firewall so that only users belonging to a specified user group (in Active Directory) are able to access the segment, and only at specified times (e.g., office hours).

Related sub-requirements:
#7.1 Limit access to system components...
#7.2 Establish an access control system for systems components with multiple users...
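The group-and-time policy described for requirement 7, together with the common versus site-local ruleset cascade described under requirement 1, is easiest to reason about as first-match rule evaluation with an implicit deny. The following Python model is an added example written for this edit; it is a generic illustration of that evaluation order, not the NG Firewall's rule engine, and the rule names, group names, addresses and the 10.10.50.0/24 "cardholder segment" are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """One firewall rule; empty groups/apps mean 'any user' / 'any application'."""
    name: str
    action: str                      # "allow" or "deny"
    dst_net: str                     # destination network in CIDR notation
    groups: frozenset = frozenset()  # directory groups the user must belong to
    apps: frozenset = frozenset()    # Layer 7 applications the rule covers
    hours: Optional[tuple] = None    # (start_hour, end_hour) window; None = always

    def matches(self, user_groups, dst_ip, app, when) -> bool:
        if ip_address(dst_ip) not in ip_network(self.dst_net):
            return False
        if self.groups and not (self.groups & user_groups):
            return False
        if self.apps and app not in self.apps:
            return False
        if self.hours and not (self.hours[0] <= when.hour < self.hours[1]):
            return False
        return True


def evaluate(rulesets, user_groups, dst_ip, app, when):
    """First-match evaluation over a cascade of rulesets.

    The common ruleset is consulted first, then the site-local one; a flow that
    matches no rule is denied, so anything not explicitly required stays blocked.
    """
    groups = frozenset(user_groups)
    for ruleset in rulesets:
        for rule in ruleset:
            if rule.matches(groups, dst_ip, app, when):
                return rule.action, rule.name
    return "deny", "implicit-deny"


# Constructed policy. The common ruleset holds the organisation-wide rule; the
# site-local ruleset holds what this site's segments specifically require.
COMMON_RULESET = [
    Rule("common-guest-no-cde", "deny", "10.10.50.0/24", groups=frozenset({"Guests"})),
]
SITE_RULESET = [
    Rule("cde-pos-db", "allow", "10.10.50.0/24",
         groups=frozenset({"PCI-Operators"}), apps=frozenset({"mssql"}), hours=(8, 18)),
    Rule("dmz-web", "allow", "10.10.20.0/24", apps=frozenset({"https"})),
]
POLICY = [COMMON_RULESET, SITE_RULESET]

# Constructed sample times: inside and outside the office-hours window.
OFFICE_TIME = datetime(2015, 3, 2, 10, 0)
AFTER_HOURS = datetime(2015, 3, 2, 22, 0)


def decide(user_groups, dst_ip, app, when=None):
    """Evaluate one flow against the constructed policy."""
    return evaluate(POLICY, user_groups, dst_ip, app, when or datetime.now())


if __name__ == "__main__":
    print(decide({"PCI-Operators"}, "10.10.50.10", "mssql", OFFICE_TIME))
    print(decide({"PCI-Operators"}, "10.10.50.10", "mssql", AFTER_HOURS))
    print(decide({"Guests", "PCI-Operators"}, "10.10.50.10", "mssql", OFFICE_TIME))
```

Two points the model makes visible: the common "deny" wins over a site-local "allow" for a user who is in both groups, because the common ruleset is evaluated first; and the same operator who is allowed in at 10:00 falls through to the implicit deny at 22:00, with no separate deny rule needed.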
#8 Assign a unique ID to each person with computer access

User authentication, via User Objects in firewall rules, allows the Barracuda NG Firewall to control network access for authenticated users. The Barracuda NG Firewall supports numerous authentication types, including Microsoft Certificate Management, Microsoft Active Directory, LDAP, RADIUS, MSNT, RSA ACE, external X.509 certificates, SMS PASSCODE, RSA tokens, and smart cards. In addition, ensuring that all PCs connect to the network via the Barracuda Network Access Client (NAC) means that users can only connect to the network via highly secure two-factor authentication and only from healthy PCs.

The different authentication types (listed above) can also be combined to implement rock-solid two-factor authentication on a Barracuda NG Firewall. For even tighter security, it is possible to enforce the use of strong or specific ciphers. All passwords used to connect to a Barracuda NG Firewall are rendered unreadable during transmission using strong cryptography.

Related sub-requirements:
#8.1 Assign all users a unique ID before allowing them to access system components or cardholder data
#8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users...
#8.3 Incorporate two-factor authentication for remote access...
#8.4 Render all passwords unreadable during transmission and storage...

#9 Restrict physical access to cardholder data

This item is not addressed by the Barracuda NG Firewall. However, Barracuda's business partners can provide services to help an organization satisfy this requirement.

Regularly Monitor and Test Networks

#10 Track and monitor all access to network resources and cardholder data

The Barracuda NG Firewall allows the use of separate administrative accounts for each system administrator, with varying privileges.

Related sub-requirements:
#10.1 Establish a process for linking all access to system components...
The Audit Service in the Barracuda NG Control Center aggregates all audit information related to firewall sessions across multiple firewalls. It also allows complex queries. This enables the implementation of automated audit trails for those who have accessed (or attempted to access) cardholder data.

The Barracuda NG Firewall implements detailed logging of data passing through the firewall. This data can be used to see who has accessed which network segment, and when.

The Barracuda NG Firewall can continuously synchronize time using the Network Time Protocol (NTP) and a trusted NTP server.

The log files that constitute an audit trail are securely stored on the Barracuda NG Firewall or the Barracuda NG Control Center so that they cannot be altered. All traffic relating to the logs is encrypted. In addition, the Syslog Service collects Revision Control System (RCS) messages, as well as log messages, from Barracuda NG Firewalls that are managed by the Barracuda NG Control Center and streams those log messages to an external log host or sends them to the HA partner (with or without SSL encryption). This means that even changes made by the root user can be tracked and audited.

On the Barracuda NG Firewall and Barracuda NG Control Center, you can configure notifications for specific system events. These event notifications can be sent via email or SNMP trap messages, and can be configured per event type.

Logs can be easily exported from Barracuda NG Firewalls and Barracuda NG Control Centers for archiving.

Related sub-requirements:
#10.2 Implement automated audit trails for all system components...
#10.3 Record at least the following audit trail entries for all system components for each event...
#10.4 Using time-synchronization technology, synchronize all critical system clocks and times...
#10.5 Secure audit trails so they cannot be altered...
#10.6 Review logs for all system components at least daily...
#10.7 Retain audit trail history...
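Requirement 10 asks not only that session logs exist but that they are reviewed daily (sub-requirement 10.6) and that they answer "who accessed which segment, and when". The following Python script is an added example written for this edit of the kind of review a practitioner would run over exported session logs; the key=value line layout, the sample events, the 10.10.50.0/24 cardholder segment and the office-hours window are all constructed for the example and are not Barracuda's log format. It reports allowed access to the cardholder segment per user, users refused on several distinct hosts, and allowed access outside the expected window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of firewall session events (a generic key=value layout for
# this example, not Barracuda's log format). Timestamps are UTC.
SAMPLE_LOG = """\
2015-03-02T09:12:44Z action=allow user=alice src=10.20.1.15 dst=10.10.50.10 dport=1433 app=mssql
2015-03-02T09:15:02Z action=deny user=bob src=10.20.1.22 dst=10.10.50.10 dport=1433 app=mssql
2015-03-02T09:15:05Z action=deny user=bob src=10.20.1.22 dst=10.10.50.11 dport=22 app=ssh
2015-03-02T09:15:09Z action=deny user=bob src=10.20.1.22 dst=10.10.50.12 dport=3389 app=rdp
2015-03-02T09:30:00Z action=allow user=carol src=10.20.1.30 dst=10.10.20.5 dport=443 app=https
2015-03-02T21:40:00Z action=allow user=alice src=10.20.1.15 dst=10.10.50.10 dport=1433 app=mssql
"""

CDE_NET = ip_network("10.10.50.0/24")   # assumed cardholder data segment
OFFICE_HOURS = (8, 18)                  # assumed permitted access window (UTC hours)
DENY_THRESHOLD = 3                      # distinct CDE hosts denied before a user is flagged

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line: str):
    """Parse one event line into a dict; returns None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, rest = m.groups()
    fields = {}
    for kv in rest.split():
        key, _, value = kv.partition("=")
        fields[key] = value
    if "action" not in fields or "dst" not in fields or "user" not in fields:
        return None
    # fromisoformat() accepts an explicit +00:00 offset on every supported Python version
    fields["time"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def review(log_text: str, cde_net=CDE_NET, office_hours=OFFICE_HOURS,
           deny_threshold=DENY_THRESHOLD) -> dict:
    """Summarise who reached the cardholder segment, who was refused, and what looks unusual."""
    allowed = Counter()
    denied_hosts = defaultdict(set)
    off_hours = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or ip_address(event["dst"]) not in cde_net:
            continue                                   # only CDE-bound sessions matter here
        if event["action"] == "allow":
            allowed[event["user"]] += 1
            hour = event["time"].hour
            if not (office_hours[0] <= hour < office_hours[1]):
                off_hours.append((event["user"], event["time"].isoformat()))
        else:
            denied_hosts[event["user"]].add(event["dst"])
    return {
        "cde_access": dict(allowed),
        "cde_denied_hosts": {u: len(h) for u, h in denied_hosts.items()},
        "repeated_denials": sorted(u for u, h in denied_hosts.items() if len(h) >= deny_threshold),
        "off_hours_access": off_hours,
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Denied events are counted by distinct destination host rather than by raw count, because one retrying client produces many denials against a single host, whereas one user being refused on three different cardholder-segment hosts within seconds is the pattern a reviewer should look at first. The timestamps only mean something if the firewall and the log host agree on time, which is why sub-requirement 10.4 (NTP synchronization) sits beside the logging requirements.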
#11 Regularly test security systems and processes

Items #11.1 - #11.3 are not addressed by the Barracuda NG Firewall. However, Barracuda's business partners can provide services to help an organization satisfy this requirement.

The Barracuda NG Firewall provides easy-to-use, out-of-the-box Intrusion Prevention (IPS) against a vast number of exploits and vulnerabilities in operating systems, applications, and databases to prevent network attacks such as:

- SQL injections
- Arbitrary code executions
- Access control attempts and privilege escalations
- Cross-Site Scripting
- Buffer overflows
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Directory traversal attempts
- Probing and scanning attempts
- Backdoor attacks, Trojans, rootkits, viruses, worms, and spyware

Our firewall can block threats according to policy. Depending on the severity of the threat, highly granular actions can be assigned on a per-firewall-rule basis, enabling the Barracuda NG Firewall to allow, block, or log questionable traffic based on severity, location, user/group, type, and Layer 7 application detection.

As part of the Barracuda Energize Updates subscription, automatic signature updates are delivered on a weekly schedule (or on an emergency basis) to ensure that the Barracuda NG Firewall is constantly up to date. If the firewall unit is centrally managed, the pattern updates are conveniently distributed by the Barracuda NG Control Center.

Related sub-requirements:
#11.1, #11.2, #11.3 (not addressed; see above)
#11.4 Use intrusion-detection systems and/or intrusion-prevention systems...

Maintain an Information Security Policy

#12 Maintain a policy that addresses information security

This item is not addressed by the Barracuda NG Firewall. However, Barracuda's business partners can provide services to help an organization satisfy this requirement.
Conclusion

The concept of protecting separate network segments with tailored security policies has been supported by our (phion) netfence sectorwall and Barracuda NG Firewall since 2005. There are two architectural options: separate Barracuda NG Firewalls can be used as individual network segmentation gateways to protect each network segment, or a single high-performance Barracuda NG Firewall can be used as a central network segmentation gateway that protects multiple network segments with separate security policies. A large number of ports and VLAN support mean a single Barracuda NG Firewall can easily manage multiple network segments. Our support for virtual systems means that the Barracuda NG Firewall can also be used to implement network segments within a virtual environment.

About Barracuda Networks, Inc.

Protecting users, applications, and data for more than 150,000 organizations worldwide, Barracuda Networks has developed a global reputation as the go-to leader for powerful, easy-to-use, affordable IT solutions. The company's proven customer-centric business model focuses on delivering high-value, subscription-based IT solutions for security and data protection. For additional information, please visit barracuda.com.

Barracuda Networks and the Barracuda Networks logo are registered trademarks of Barracuda Networks, Inc. in the United States. All other names are the property of their respective owners.

Barracuda Networks
3175 S. Winchester Boulevard
Campbell, CA 95008
United States
1-408-342-5400
1-888-268-4772 (US & Canada)
www.barracuda.com
info@barracuda.com