Saturday, March 29, 2008

PCI DSS - UTM technology requirements

Many security vendors claim that their products can be used to comply with PCI DSS requirements, but it is difficult to find out exactly what one should look for in these kinds of products. I try to address this in this blog entry. My focus in this article is on network firewall, IPS, VPN, AntiVirus and web application proxy firewall products.

PCI DSS (Payment Card Industry Data Security Standard) defines 12 requirements. For more information on these requirements, please refer to the PCI DSS standard. Those 12 requirements are:
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
  • Requirement 2: Don't use vendor-supplied defaults for system passwords and other security parameters.
  • Requirement 3: Protect stored cardholder data.
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks.
  • Requirement 5: Use and regularly update anti-virus software or programs.
  • Requirement 6: Develop and maintain secure systems and applications.
  • Requirement 7: Restrict access to cardholder data by business need-to-know.
  • Requirement 8: Assign a unique ID to each person with computer access.
  • Requirement 9: Restrict physical access to cardholder data.
  • Requirement 10: Regularly monitor and test networks.
  • Requirement 11: Regularly test security systems and processes.
  • Requirement 12: Maintain an information security policy.
Security infrastructure products such as firewalls, IPS, VPNs and web application firewalls are used to satisfy these PCI DSS requirements.

Expectation from Network based Firewalls:
  • Ability to support multiple zones: Cardholder data servers must be separated from frontend servers such as web servers, so that a compromised frontend server does not give attackers access to cardholder information. Typically, frontend servers are kept in the DMZ of the firewall and cardholder information is kept in other zones. The firewall should have a facility to define new zones and to set up rules for each zone. All cardholder servers can be kept in a zone separate from the 'corporate', 'DMZ' and 'untrusted' zones.
  • Ability to create access control policy rules: Firewalls must support creation of rules between zones. For example, access to cardholder data servers should be allowed only from the 'frontend servers' in the 'DMZ' zone, and only on specific ports. Firewalls must be capable of rule creation with 'From' and 'To' zones, 'From' and 'To' IP addresses and service ports.
  • Ability to define rules with named objects: Firewall rules can become quite complex. For readability and manageability, administrators want to create rules with named objects (IP address objects and service objects).
  • Ability to generate logs and alerts: Any attempt to reach cardholder data outside the allowed policy rules must generate a notification. Firewalls must also be able to generate a log event for each connection that was allowed, and should send enough information along with the notification for analysis.
  • Ability to detect and protect from DoS and DDoS attacks.
  • Ability to hide internal IP addresses using NAT: Any outbound connection from any zone should hide its internal addresses.
  • Factory defaults:
    • 5 zones - DMZ for front end servers, PCI for payment systems, CORP for internal users, VISITOR for visitors and MGMT for management traffic.
    • ACL rules:
      • Allow only DMZ to PCI traffic. Deny PCI to ALL zone traffic.
      • Allow only HTTP and HTTPS traffic from ANY to DMZ.
      • Allow only enterprise protocols from CORP to ANY and VISITOR to ANY.
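To make the zone model and the factory ACL above concrete, here is a small first-match policy evaluator written for this post; it is an added example, not code from any firewall product. The subnet-to-zone mapping, the set of "enterprise protocols" (DNS, HTTP, HTTPS) and the addresses in the sample connections are all assumptions, since the post names the zones but not their addressing. It also shows why an explicit "deny ANY to PCI" has to sit right after the DMZ allow: without it, the later "CORP to ANY" and "VISITOR to ANY" rules would quietly open the cardholder zone.

```python
import ipaddress
from dataclasses import dataclass

ANY = "ANY"  # wildcard zone in a rule

# Constructed subnet-to-zone mapping; the post names the five zones but gives no addressing.
ZONE_SUBNETS = {
    "DMZ": ipaddress.ip_network("10.1.0.0/24"),      # frontend servers
    "PCI": ipaddress.ip_network("10.2.0.0/24"),      # payment systems
    "CORP": ipaddress.ip_network("10.3.0.0/16"),     # internal users
    "VISITOR": ipaddress.ip_network("10.4.0.0/24"),  # visitors
    "MGMT": ipaddress.ip_network("10.5.0.0/24"),     # management traffic
}

# "Enterprise protocols" are not enumerated in the post; DNS, HTTP and HTTPS are assumed here.
ENTERPRISE_PORTS = frozenset({53, 80, 443})
WEB_PORTS = frozenset({80, 443})


def zone_of(ip):
    """Map an address to its zone; anything outside the defined zones is UNTRUSTED."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONE_SUBNETS.items():
        if addr in net:
            return name
    return "UNTRUSTED"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    src_zone: str        # zone name or ANY
    dst_zone: str        # zone name or ANY
    ports: frozenset     # destination ports; an empty set means any port

    def matches(self, src_zone, dst_zone, port):
        return (self.src_zone in (ANY, src_zone)
                and self.dst_zone in (ANY, dst_zone)
                and (not self.ports or port in self.ports))


# The post's factory ACL as an ordered first-match list. The explicit
# "deny ANY to PCI" right after the DMZ allow is what makes "only DMZ to PCI"
# true even though later rules allow CORP and VISITOR to ANY.
FACTORY_RULES = [
    Rule("dmz-to-pci", "allow", "DMZ", "PCI", frozenset()),
    Rule("pci-ingress-deny", "deny", ANY, "PCI", frozenset()),
    Rule("pci-egress-deny", "deny", "PCI", ANY, frozenset()),
    Rule("web-to-dmz", "allow", ANY, "DMZ", WEB_PORTS),
    Rule("corp-egress", "allow", "CORP", ANY, ENTERPRISE_PORTS),
    Rule("visitor-egress", "allow", "VISITOR", ANY, ENTERPRISE_PORTS),
]


def evaluate(rules, src_ip, dst_ip, port):
    """Return the decision record that would be logged for this connection attempt."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    action, rule_name = "deny", "implicit-default-deny"
    for rule in rules:
        if rule.matches(src_zone, dst_zone, port):
            action, rule_name = rule.action, rule.name
            break
    return {
        "src": src_ip, "src_zone": src_zone,
        "dst": dst_ip, "dst_zone": dst_zone, "port": port,
        "action": action, "rule": rule_name,
        # A denied attempt to reach the PCI zone is the case the post wants alerted on.
        "alert": action == "deny" and dst_zone == "PCI",
    }


if __name__ == "__main__":
    # Constructed connection attempts covering each factory rule and the default deny.
    for src, dst, port in [("10.1.0.5", "10.2.0.10", 3306),
                           ("10.3.1.20", "10.2.0.10", 443),
                           ("10.2.0.10", "203.0.113.7", 443),
                           ("203.0.113.7", "10.1.0.5", 443),
                           ("203.0.113.7", "10.1.0.5", 22)]:
        print(evaluate(FACTORY_RULES, src, dst, port))
```

Every decision, allowed or denied, comes back as one record with both zones and the matching rule name, which is the minimum the post asks a firewall to log per connection; the `alert` flag singles out the denied attempts against the cardholder zone. Note that "VISITOR to ANY" as written also reaches CORP, so a real deployment would place a VISITOR-to-CORP deny ahead of it.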
Expectation from Network based Intrusion Prevention Systems:
  • Ability to protect all services of machines in the corporate network, cardholder data zone and DMZ zone from attacks exploiting known vulnerabilities: IPS devices are expected to have up-to-date signatures to protect internal resources from exploitation of known vulnerabilities.
  • Ability to differentiate between patched and unpatched services on internal machines: IPS devices are expected to have a facility to control generation of logs based on the targeted system's version.
  • Ability to detect and stop connections and packets transporting malware into the internal network: IPS devices are expected to have up-to-date signatures to detect malware by monitoring the connections and packets.
  • Ability to detect infected machines in internal zones by monitoring traffic and connections from internal machines to other zones: This typically happens when an infected system is brought into the network. IPS devices are expected to detect these machines by monitoring the traffic using up-to-date signatures.
  • Ability to add and edit signatures: Beyond the signatures which are auto-updated, IPS systems are expected to provide facilities to create custom signature rules. This lets the administrator create rules specific to the deployment: rules to detect default passwords of applications and other characteristics of applications, and rules to detect specific information about cardholders.
  • Ability to detect protocol anomalies of HTTP.
  • Ability to detect traffic anomalies: This is especially required to detect anomalies between frontend servers and cardholder data servers. The administrator can set up a normal traffic profile for day and night and check for any deviation from it. IPS devices are expected to provide this function.
  • Ability to detect and prevent SQL and XSS injections: IPS devices are expected to monitor HTTP POST values, GET values and XML data to detect SQL or XSS injections, including blind SQL and XSS injections, using up-to-date signatures.
  • Ability to generate logs and alerts: IPS devices are expected to generate logs with comprehensive information for administrators to analyze the issue and take corrective actions.
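One custom signature the post has in mind is detecting cardholder information (primary account numbers) in traffic between zones. The following is an added illustration written for this post, not a signature from any IPS product: a candidate-digit-run match refined by the Luhn checksum, which removes most random digit runs such as order IDs, plus masking so that the alert log itself never stores a full PAN. The request bodies are constructed samples; the two PANs are the well-known Luhn-valid test numbers, not real cards.

```python
import re

# Constructed sample of request bodies an IPS would see on the DMZ-to-PCI path.
# 4111111111111111 and 5555555555554444 are well-known Luhn-valid test numbers, not real cards.
SAMPLE_PAYLOADS = [
    "card=4111111111111111&exp=1209",       # PAN in a form-encoded POST body
    "<pan>5555 5555 5555 4444</pan>",        # PAN inside XML, with spaces as separators
    "order_id=1234567812345678",             # 16 digits that do not pass Luhn
    "phone=4085551212&zip=95134",            # digit runs too short to be a PAN
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check: the checksum every card brand uses, so it filters most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit-only PANs in text that pass the Luhn check."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits):
    """Keep the first six and last four digits so the IPS log never stores a full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(payloads):
    """Run the signature over a batch; returns (payload index, masked PAN) hits for logging."""
    hits = []
    for idx, payload in enumerate(payloads):
        for pan in find_pans(payload):
            hits.append((idx, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for idx, masked in scan(SAMPLE_PAYLOADS):
        print(f"payload {idx}: cardholder data detected, PAN {masked}")
```

Luhn alone still passes roughly one in ten random digit runs, so a production signature would add per-brand length and issuer-prefix checks and, as the post suggests, scope the rule to the paths (for example frontend to cardholder zone) where a PAN in the clear is a policy violation rather than expected traffic.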
Expectation from IPSec VPN:
  • Ability to create site-to-site tunnels: At times, frontend servers and cardholder data servers may not be in the same location. In these cases, IPsec VPN tunnels are expected to transport data between these servers to provide data security on the wire.
  • Ability to provide remote access VPN: Administrators and other privileged users may need to reach the cardholder data servers remotely. The IPsec VPN component of the security appliance is expected to allow remote access via a VPN tunnel.
  • Ability to generate new keys periodically (with rekey intervals as small as 5 minutes).
  • Ability to create IKE policies without preshared keys. When preshared keys are used, the IPsec VPN should check the strength of the preshared keys:
    • At least one digit.
    • At least one character that is neither a letter nor a digit.
    • Minimum length of 6 characters.
  • Ability to support EAP authentication in remote access VPN cases.
Expectation from Network based AntiVirus:
  • Ability to scan email/HTTP traffic for viruses and stop viruses reaching internal machines: Internal machines are eventually used to access cardholder servers, and network-based virus scanning is one way to stop viruses reaching the internal servers and machines. Note that network-based AV can only do a limited job; host-based AV software must still be installed on all endpoints and servers.
Expectation from Web Application Firewalls:
  • Ability to look into SSL traffic: All transactions are carried over SSL, so any deep inspection requires decrypting the SSL traffic.
  • Ability to provide HTTP protocol anomaly detection.
  • Ability to detect exploit traffic.
  • Ability to detect SQL and XSS injections.
  • Ability to provide access control for the different services running over HTTP.
  • Ability to look deep into XML for SQL, XSS and command injections.
  • Ability to generate log events and alerts.

Since these security devices are part of the merchant network, they must also adhere to the generic requirements of PCI DSS. They are:
  • Configuration management of these devices should be allowed only for privileged users.
  • Auditing of configuration changes: If there are multiple administrators, each administrator must have a unique ID. Each change in the configuration must be logged with information such as the name of the user, the change made, and the time and date of the change.
  • Security devices themselves can be vulnerable. They must have facilities to upgrade to new firmware.
  • Mandate a change of default passwords the first time administrators log in, if a local user database is used.
  • Check for strong passwords, if a local database is used:
    • Minimum length of 6 characters.
    • At least one digit.
    • At least one non-alphanumeric character.
  • Security devices should prominently show an alert message on their home page while default passwords are still in use.
  • Mandate a password change if unchanged for a month, or as per company policy.
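The preshared-key rules in the IPsec section and the local-account password rules above are the same three checks (6 characters, a digit, a non-alphanumeric character), so one checker serves both. The code below is an added example written for this post, not any appliance's implementation; the factory-default values, the 30-day interpretation of "a month", the 300-second minimum rekey interval and the shape of the IKE policy dict (`auth`, `psk`, `rekey_seconds`) are assumptions. Dates are passed as ISO strings, as they would appear in a local user database or a config file.

```python
from datetime import date, timedelta

MIN_LENGTH = 6            # both the PSK rule and the local-account rule in the post
MAX_AGE_DAYS = 30         # "unchanged for a month"; company policy may shorten this
MIN_REKEY_SECONDS = 300   # the smallest rekey interval the post expects the VPN to support

# Constructed list of factory defaults; the post does not name any specific values.
FACTORY_DEFAULT_SECRETS = frozenset({"admin", "password", "default"})


def check_secret(secret, defaults=FACTORY_DEFAULT_SECRETS):
    """Return the policy violations for a password or preshared key (empty list = acceptable)."""
    problems = []
    if secret in defaults:
        problems.append("factory default value")
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in secret):
        problems.append("no digit")
    if not any(not c.isalnum() for c in secret):
        problems.append("no non-alphanumeric character")
    return problems


def password_expired(last_changed_iso, today_iso, max_age_days=MAX_AGE_DAYS):
    """True when a local-account password has gone unchanged longer than policy allows."""
    last, now = date.fromisoformat(last_changed_iso), date.fromisoformat(today_iso)
    return now - last > timedelta(days=max_age_days)


def check_ike_policy(policy):
    """Validate an IKE policy dict (assumed keys: auth, psk, rekey_seconds)."""
    problems = []
    auth = policy.get("auth")
    if auth in ("certificate", "eap"):
        pass                                   # no preshared key to assess
    elif auth == "psk":
        problems += ["psk: " + p for p in check_secret(policy.get("psk", ""))]
    else:
        problems.append(f"unsupported authentication method {auth!r}")
    if policy.get("rekey_seconds", 0) < MIN_REKEY_SECONDS:
        problems.append(f"rekey interval below {MIN_REKEY_SECONDS} seconds")
    return problems


def login_actions(password, last_changed_iso, today_iso):
    """Reasons an appliance should force a password change at admin login (local database)."""
    reasons = []
    if check_secret(password):
        reasons.append("weak or default password")
    if password_expired(last_changed_iso, today_iso):
        reasons.append("password older than policy allows")
    return reasons


if __name__ == "__main__":
    # Constructed inputs: a default admin password, a good one, and two IKE policies.
    print(login_actions("admin", "2008-01-01", "2008-03-29"))
    print(login_actions("Pci-2008", "2008-03-10", "2008-03-29"))
    print(check_ike_policy({"auth": "certificate", "rekey_seconds": 3600}))
    print(check_ike_policy({"auth": "psk", "psk": "abc", "rekey_seconds": 60}))
```

Returning the full list of violations rather than a single pass/fail is deliberate: the post wants the home page to show an alert while a default password is in use and the login to force a change, and both need to say why.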
