A Secure Computing executive has called on the PCI Security Standards Council to clarify what it means when it instructs merchants to deploy ‘application firewalls.’
The standard is too vague, said Secure’s vice president of technology evangelism Paul Henry, in an interview.
Henry said the PCI guidelines, which the big five credit card companies are obliging their merchant partners to abide by, should define application layer firewall to mean a firewall that breaks the client-server model.
Not coincidentally, that definition would be met by Secure’s longstanding proxy-based firewall products, but perhaps not by rival products from competitors that have their roots in the packet-filter firewall segment.
For many, many years an application firewall was one that broke the client-server model and used knowledge about a given application to reduce the threat envelope, Henry said.
About four years ago, packet filter vendors realised that they were going to lose market share due to application-layer attacks, and moved to use signatures at Layer 7, layered on top of the packet filter in order to offer some form of application layer protection, he said. The problem we have with that is that using signatures affords very little real application protection.
Currently, the PCI Data Security Standard v1.1 requires merchants either to have all custom application code reviewed for common vulnerabilities by an organization that specializes in application security, or to install an application layer firewall in front of web-facing applications.
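To make the distinction Henry draws concrete, here is an added illustration (not code from the article, from Secure Computing or from the PCI SSC) contrasting a signature check layered over forwarded traffic with a proxy that terminates the client connection and forwards only requests that fit a model of the application it fronts. The shop endpoints, parameter formats and sample traffic are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Negative model, the "signatures at Layer 7 on top of a packet filter" approach:
# traffic is forwarded unless it matches a known-bad pattern.
SIGNATURES = [re.compile(p, re.I) for p in (r"union\s+select", r"<script")]

# Positive model, the "proxy that knows the application" approach: the proxy breaks
# the client-server connection and forwards only what the application it fronts expects.
# Hypothetical shop application (assumption): two endpoints, fixed parameters, strict formats.
APP_MODEL = {
    ("GET", "/item"): {"id": re.compile(r"\d{1,8}")},
    ("POST", "/checkout"): {"cart": re.compile(r"[A-Za-z0-9]{8,32}"),
                            "qty": re.compile(r"\d{1,3}")},
}

def signature_allows(method: str, target: str) -> bool:
    """Forward unless a signature fires anywhere in the decoded request target."""
    decoded = unquote(target)
    return not any(sig.search(decoded) for sig in SIGNATURES)

def proxy_allows(method: str, target: str) -> bool:
    """Forward only requests the application model explicitly describes."""
    parts = urlsplit(target)
    allowed = APP_MODEL.get((method, parts.path))
    if allowed is None:                      # unknown endpoint: never reaches the app
        return False
    seen = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name not in allowed or name in seen or not allowed[name].fullmatch(value):
            return False                     # unexpected, duplicated or malformed parameter
        seen.add(name)
    return True

def compare(requests):
    """Return {target: (signature_verdict, proxy_verdict)} for (method, target) pairs."""
    return {t: (signature_allows(m, t), proxy_allows(m, t)) for m, t in requests}

# Constructed sample traffic (not taken from the article).
SAMPLE = [
    ("GET", "/item?id=42"),                       # legitimate: both forward it
    ("GET", "/item?id=forty-two"),                # malformed value, matches no signature
    ("GET", "/item?id=42&id=43"),                 # duplicated parameter, matches no signature
    ("GET", "/debug/dump"),                       # endpoint the application does not expose
    ("GET", "/item?id=1%20union%20select%201"),   # hits a signature; rejected by both
]

if __name__ == "__main__":
    for target, (sig, proxy) in compare(SAMPLE).items():
        print(f"{target:40} signatures={'pass' if sig else 'block'} "
              f"proxy={'pass' if proxy else 'block'}")
```

The middle three requests are the gap Henry describes: nothing in them matches a signature, yet none of them is a request the application could legitimately receive, so only the proxy with application knowledge stops them.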
This guideline, numbered 6.6, is just one of dozens of bullet-pointed rules in the standard, but it is the only one that is currently just a best practice. It will not become a requirement until June 30, 2008.
This irks Henry, who said he believes the delay was put in place to give other firewall makers time to catch up with the type of technology Secure already sells.
That’s not true, said Bob Russo, general manager of the PCI Security Standards Council. That hadn’t even entered our thought process, he said. The delay is related to the custom code-review part of section 6.6, not the firewall part of it, he said.
We didn’t feel we could make this [code review] requirement immediately, without putting people who have already become compliant out of compliance, so we gave them a year or so, he said.
But Russo was willing to concede that, however self-serving Secure’s criticisms may appear, PCI does intend to address and hopefully clarify the definition of application layer firewall at its next community meeting, scheduled for September.
It’s not a normal firewall that stands in front of the network gateway and looks at application Layer 7, but something that looks at the applications themselves, he suggested. We had feedback that we need some clarification.
The September meeting will likely lack Secure’s input, however, given that the company is not an official participating organization within PCI.
Henry said that Cyberguard, a firewall maker Secure acquired two years ago, was involved with PCI, but that the company chose to leave after feeling its comments were falling on deaf ears.
We became a little disenchanted at Cyberguard that we were not at all being listened to, he said.
There are currently 279 organizations officially participating in PCI SSC, which, as we reported in April, is keen to be seen as an inclusive organization that accepts input from vendors, merchants and auditors.
PCI SSC was created by the payment card industry’s big five – Mastercard, Visa, Discover, American Express and JCB – as a means to compel retailers and e-tailers to secure credit card data.
The PCI Data Security Standard, among other things, mandates the obfuscation of credit card numbers, the deployment of firewalls and antivirus, and the use of access control.