PCI DSS Compliance with the Barracuda NG Firewall
White Paper




About Payment Card Industry Data Security Standard (PCI DSS) Requirements

In response to the increase in identity theft and security breaches, major credit card companies collaborated to create the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. It applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder account data.

The 12 PCI DSS requirements are organized into six main categories that prevent credit card fraud through increased controls around data and its exposure to compromise. To be fully compliant, an organization must satisfy all 12 requirements. This whitepaper will show how the Barracuda NG Firewall can help satisfy every specific requirement of PCI DSS compliance.

RELEASE 3

About Barracuda NG Firewall

The Barracuda NG Firewall is an ideal enterprise solution for IT administrators seeking to protect vital data in networks made chaotic and vulnerable by the explosion of mobile and BYOD devices, evasive Web 2.0 applications, and remote network users. The Barracuda NG Control Center adds a powerful and intuitive centralized management portal that makes it extremely simple to deploy, configure, update, and manage multiple units from a single location, while also providing comprehensive, real-time network visibility and reporting. As a result, it is an ideal solution for enterprises looking to manage large numbers of users or several sites with few IT personnel while meeting PCI Compliance requirements.

Build and Maintain a Secure Network

#1 Install and maintain a firewall configuration to protect cardholder data

The Barracuda NG Firewall is a full next-generation stateful firewall providing market-leading network security and data protection. Multiple firewalls can be managed through the Barracuda NG Firewall Control Center, allowing full centralized management. The control center's Firewall Audit Viewer aggregates traffic information from multiple firewalls in one central location.

For auditing purposes, you can activate the Revision Control System (RCS) (to support requirement 1.1.1). The RCS provides information on all configuration changes to your system as well as letting you retrieve and revert to older configuration versions. You can generate RCS Reports displaying information for specific configuration versions and administrator IP addresses. You can also search for information, export and import version settings, and print the RCS Report.

When integrating multiple firewalls together into a single network architecture, we provide separate firewall service types to facilitate the efficient management of multiple devices. A single common ruleset for the common security policy is managed once but shared across all the network firewalls, while cascading site-local rulesets can be used to implement security policies specific to a network segment. This greatly reduces the administration overhead and hence the total cost of ownership.

The Barracuda NG Firewall is the ideal device to place between the DMZ and the internal network, or to protect access via one or more Internet connections (requirement 1.1.3). The Barracuda NG Firewall provides an ideal network segmentation gateway to police the border between trusted and untrusted networks. Rigorous security policies can be implemented to allow only required traffic for specific protocols or applications (requirement 1.2.1). It can also be used as a secure perimeter firewall between wireless networks and data environments. In addition, it can broadcast Wi-Fi networks (requirement 1.2.3).

The Barracuda NG Firewall has the ability to enforce sophisticated firewall rules on traffic flows through the device. It integrates a comprehensive set of firewall technologies, including:

- Layer 7 Application Control for Web 2.0
- SSL Interception
- Stateful packet forwarding (in bridged or routed modes)
- Transparent proxying (TCP)
- NAT (src, dst, nets), NAPT, PAT
- Dynamic rules / timer triggers
- Virtual rule test environment
- User Authentication

#1.1 Establish firewall and router configuration standards
#1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment

Separate Barracuda NG Firewalls can be used to protect each network segment. Or a single high-performance Barracuda NG Firewall can be used as a central network segmentation gateway that protects multiple network segments, with separate security policies. A large number of ports and VLAN support means a single Barracuda NG Firewall can easily manage hundreds of separate network segments.

The Barracuda NG Firewall can be easily configured to prevent direct access between the Internet and system components in the cardholder network segment. It can implement and manage a network zone for a DMZ (requirement 1.3.1), ensure that inbound Internet traffic can only access IP addresses in the DMZ (requirement 1.3.2), prevent direct connections (requirement 1.3.3), protect internal IP addresses (requirement 1.3.4), only allow specifically authorized outbound traffic (requirement 1.3.5), perform stateful inspection (requirement 1.3.6), segregate a network zone for cardholder data (requirement 1.3.7), and implement NAT as well as proxy services (requirement 1.3.8).

The Barracuda NG Firewall can completely control what comes in and out of a network based on user, time of day, location, protocol, and application (more than 1200 applications can be detected). Our High Availability (HA) feature ensures continuity of service, and our site-to-site VPN allows remote sites to be seamlessly integrated into a secure network architecture.

The Barracuda Network Access Client provides a powerful firewall for PCs that can be easily rolled out and centrally configured via the Barracuda NG Firewall. Local reconfiguration of the personal firewall can be blocked. The Barracuda Network Access Client can also ensure that only computers meeting centrally defined security and health standards can connect to the organization's network.

#2 Do not use vendor-supplied defaults for system passwords and other security parameters

The Barracuda NG Firewall and associated documentation encourage customers to change supplied defaults (usernames, passwords, and IP addresses) before deployment. In addition, the Setup Wizard prompts for a password change. The Barracuda NG Firewall can help enforce this requirement by ensuring that only specific protocols, services, or applications are allowed to access specific services or network segments. If they are not required, they are blocked by default.

Barracuda NG Firewall administrative access is encrypted using SSL. Administration is via a Windows .exe application. The virtualized versions of the Barracuda NG Firewall (for example, for VMware, KVM, and XenServer) allow deployments in virtualized networks on a single platform. This is ideal for shared hosting providers, as they can segregate the data from different organizations while using a single platform.

#1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment
#1.4 Install personal firewall software on any mobile and/or employee-owned computers...
#2.1 Always change vendor-supplied defaults before installing...
#2.2 Develop configuration standards for all system components...
#2.3 Encrypt all non-console administrative access using strong cryptography...
#2.4 Shared hosting providers must protect each entity's hosted environment and cardholder data...

Protect Cardholder Data

#3 Protect stored cardholder data

This item is not addressed by the Barracuda NG Firewall. However, Barracuda's business partners can provide services to help an organization satisfy this requirement.

#4 Encrypt transmission of cardholder data across open, public networks

The Barracuda NG Firewall manages secure site-to-site (and client-to-site) VPN tunnels across public networks to deliver secure and stable remote office or cloud connectivity. VPN tunnels can be secured using either IPSec or the Barracuda hybrid protocol (IPSec's ESP and enhanced key exchange). Supported encryption includes AES-128/256, 3DES, and DES. The Barracuda NG Firewall's generic pattern matching provides DLP functionality and can be set up to include blocking PANs (credit card numbers).

#4.1 Use strong cryptography and security protocols...
#4.2 Never send unprotected PANs...

Maintain a Vulnerability Management Program

#5 Use and regularly update anti-virus software or programs

The Barracuda NG Firewall integrates with the Barracuda Web Security Service to provide cloud-based malware scanning and content filtering without performance degradation. Barracuda NG Malware Protection provides gateway-based protection against malware, viruses, spyware, and other unwanted programs inside SMTP, HTTP, POP3, and FTP traffic. Features include:

- Configurable archive recursion depth
- Quarantine functionality for proxy
- Configurable unknown archive policy
- Configurable maximum archive size
- Archiver package support
- Office file-types support
- Proactive detection of new threats
- Advanced heuristics detection techniques
- Hundreds of thousands of signatures
- Multiple signature updates per day

The Barracuda NG Web Filter is a subscription option that enforces Internet usage policies by blocking access to websites and Internet applications that are not related to business and/or are a potential security risk. Features include:

- Customizable black and white lists
- Filter entire URL string beyond FQDN
- 69 content categories
- Multiple category selection
- ~100 million entries, with ~100,000 new URL database entries every day
- Temporal constraints
- User-specific / group-specific restrictions
- Category database
- Local or online updates
- Hourly or continuous update interval
- Customizable block pages

#5.1 Deploy anti-virus software on all systems...
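The PAN blocking described under requirement 4 above relies on generic pattern matching. The following Python snippet is an added illustration, not Barracuda's code or its pattern syntax: it shows the two checks a practitioner would expect such a DLP rule to make, a digit pattern plus a Luhn check to discard the many digit strings that are not card numbers, and it masks every hit to first-six/last-four so that the detection log does not itself hold a full PAN. The sample log lines are constructed for the example.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer digit run. Constructed for this
# example; it is not the Barracuda pattern-matching syntax.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample log lines (not taken from any real system).
SAMPLE_LINES = [
    "POST /checkout card=4111 1111 1111 1111 exp=12/29",  # Luhn-valid PAN
    "order_id=4111111111111112 status=shipped",            # fails Luhn: not a PAN
    "ref=12345678901234567890 trace=ok",                   # 20 digits: too long
    "card=5555-5555-5555-4444 amount=19.99",               # Luhn-valid PAN
]


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the PCI DSS display rule."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked PANs: regex candidates that also pass the Luhn check.

    The regex alone would flag order numbers and reference ids; Luhn rejects
    roughly nine in ten random digit strings, which keeps false blocks down.
    """
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan log lines and report (line index, masked PAN) for each hit."""
    hits = []
    for idx, line in enumerate(lines):
        for masked in find_pans(line):
            hits.append((idx, masked))
    return hits


def should_block(text: str) -> bool:
    """Egress decision: block the message if it carries any Luhn-valid PAN."""
    return bool(find_pans(text))


if __name__ == "__main__":
    for idx, masked in scan_lines(SAMPLE_LINES):
        print(f"line {idx}: PAN detected {masked}")
```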

The Barracuda Web Security Service, as a cloud service, is always up to date without any need for local updates. Malware signatures update continuously for fast response to new and known threats. Advanced heuristics block unknown web viruses and spyware. The service is also centrally manageable (via a web interface), with central reporting and drill-down reports.

Barracuda NG Malware Protection receives multiple signature updates per day. A virus scanner log can also be enabled at different levels to enable debugging or auditing. Barracuda NG Web Filter can be set to have an hourly or continuous update interval. You can log which requests are allowed and denied, and specify the types of statistics that are generated for the service.

#6 Develop and maintain secure systems and applications

The Barracuda NG Firewall Control Center provides centralized antivirus pattern updates and version monitoring across all of an organization's firewalls. Items #6.2 - #6.6 are not addressed by the Barracuda NG Firewall. However, Barracuda's business partners can provide services to help an organization satisfy this requirement.

#5.2 Ensure that all antivirus mechanisms are current, actively running, and generating audit logs
#6.1 Ensure that all system components and software are protected from known vulnerabilities...

Implement Strong Access Control Measures

#7 Restrict access to cardholder data by business need-to-know

The Barracuda NG Firewall can be used to enforce access control policies via firewall rules that enforce granular access control based on users, time, application, and protocol. In addition, the Barracuda Network Access Client (NAC) can ensure that only healthy PCs and authenticated users are able to connect to the corporate network. Two-factor authentication is also available by combining different authentication types (e.g., password and token (OTP, SMS PASSCODE)). The Barracuda NG Firewall can implement access control policies based on user groups. For example, a particular network segment (containing cardholder data) can be protected by an NG Firewall, and only users belonging to a specified user group (in Active Directory) are able to access the segment at specified times (e.g., office hours).

#7.1 Limit access to system components...
#7.2 Establish an access control system for systems components with multiple users...

#8 Assign a unique ID to each person with computer access

User authentication, via User Objects in firewall rules, allows the Barracuda NG Firewall to control network access for authenticated users. The Barracuda NG Firewall supports numerous authentication types, including Microsoft Certificate Management, Microsoft Active Directory, LDAP, RADIUS, MSNT, RSA ACE, external X.509 certificates, SMS PASSCODE, RSA tokens, and smart cards. In addition, ensuring that all PCs connect to the network via the Barracuda Network Access Client (NAC) means that users can only connect to the network via highly secure two-factor authentication and only from healthy PCs.

#8.1 Assign all users a unique ID before allowing them to access system components or cardholder data
#8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users...

The different authentication types (listed above) can also be combined to implement rock-solid two-factor authentication on a Barracuda NG Firewall. For even tighter security, it is possible to enforce the use of strong or specific ciphers. All passwords used to connect to a Barracuda NG Firewall are rendered unreadable during transmission using strong cryptography.

#9 Restrict physical access to cardholder data

This item is not addressed by the Barracuda NG Firewall. However, Barracuda's business partners can provide services to help an organization satisfy this requirement.

#8.3 Incorporate two-factor authentication for remote access...
#8.4 Render all passwords unreadable during transmission and storage...

Regularly Monitor and Test Networks

#10 Track and monitor all access to network resources and cardholder data

The Barracuda NG Firewall allows the use of separate administrative accounts for each system admin, with varying privileges.

#10.1 Establish a process for linking all access to system components...

The Audit Service in the Barracuda NG Control Center aggregates all audit information related to firewall sessions across multiple firewalls. It also allows complex queries. This enables the implementation of automated audit trails for those who have accessed (or attempted to access) cardholder data. The Barracuda NG Firewall implements detailed logging of data passing through the firewall. This data can be used to see who has accessed what network segment, and when.

The Barracuda NG Firewall can continuously synchronize time using the Network Time Protocol (NTP) and a trusted NTP server.

The log files that constitute an audit trail are securely stored on the Barracuda NG Firewall or the Barracuda NG Control Center so that they cannot be altered. All traffic relating to the logs is encrypted. In addition, the Syslog Service collects Revision Control System (RCS) messages, as well as log messages, from Barracuda NG Firewalls that are managed by the Barracuda NG Control Center and streams those log messages to an external log host or sends them to the HA partner (with or without SSL encryption). This means that even changes made by the root user can be tracked and audited.

On the Barracuda NG Firewall and Barracuda NG Control Center, you can configure notifications for specific system events. These event notifications can be sent via email or SNMP trap messages. Notifications can be configured for the different event types. Logs can be easily exported from Barracuda NG Firewalls and Barracuda NG Control Centers for archiving.

#10.2 Implement automated audit trails for all system components...
#10.3 Record at least the following audit trail entries for all system components for each event...
#10.4 Using time-synchronization technology, synchronize all critical system clocks and times...
#10.5 Secure audit trails so they cannot be altered...
#10.6 Review logs for all system components at least daily...
#10.7 Retain audit trail history...

#11 Regularly test security systems and processes

Items #11.1 - #11.3 are not addressed by the Barracuda NG Firewall. However, Barracuda's business partners can provide services to help an organization satisfy this requirement.

The Barracuda NG Firewall provides easy-to-use, out-of-the-box Intrusion Prevention (IPS) against a vast number of exploits and vulnerabilities in operating systems, applications, and databases to prevent network attacks such as:

- SQL injections
- Arbitrary code executions
- Access control attempts and privilege escalations
- Cross-Site Scripting
- Buffer overflows
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
- Directory traversal attempts
- Probing and scanning attempts
- Backdoor attacks, Trojans, rootkits, viruses, worms, and spyware

#11.4 Use intrusion-detection systems and/or intrusion-prevention systems...

Our firewall can block threats according to policy. Depending on the severity of the threat, highly granular actions can be assigned on a per-firewall-rule basis, enabling the Barracuda NG Firewall to allow, block, or log questionable traffic based on severity, location, user/group, type, and Layer 7 application detection. As part of the Barracuda Energize Updates subscription, automatic signature updates are delivered on a weekly schedule (or on an emergency basis) to ensure that the Barracuda NG Firewall is constantly up to date. If the firewall unit is centrally managed, the pattern updates are conveniently distributed by the Barracuda NG Control Center.

Maintain an Information Security Policy

#12 Maintain a policy that addresses information security

This item is not addressed by the Barracuda NG Firewall. However, Barracuda's business partners can provide services to help an organization satisfy this requirement.

Conclusion

The concept of protecting separate network segments with tailored security policies has been supported by our (phion) netfence sectorwall and Barracuda NG Firewall since 2005. There are two architectural options: Separate Barracuda NG Firewalls can be used as individual network segmentation gateways to protect each network segment. Or a single high-performance Barracuda NG Firewall can be used as a central network segmentation gateway that protects multiple network segments with separate security policies. A large number of ports and VLAN support means a single Barracuda NG Firewall can easily manage multiple network segments. Our support for virtual systems means that the Barracuda NG Firewall can also be used easily to implement network segments within a virtual environment.

About Barracuda Networks, Inc.

Protecting users, applications, and data for more than 150,000 organizations worldwide, Barracuda Networks has developed a global reputation as the go-to leader for powerful, easy-to-use, affordable IT solutions. The company's proven customer-centric business model focuses on delivering high-value, subscription-based IT solutions for security and data protection. For additional information, please visit barracuda.com.

Barracuda Networks and the Barracuda Networks logo are registered trademarks of Barracuda Networks, Inc. in the United States. All other names are the property of their respective owners.

Barracuda Networks
3175 S. Winchester Boulevard
Campbell, CA 95008
United States
1-408-342-5400
1-888-268-4772 (US & Canada)
www.barracuda.com
info@barracuda.com