Project Barracuda - Hastings & Prince Edward Counties Health Unit
A serious data breach often signals that one of your web applications has problems. Finding the vulnerability can be difficult, particularly with hundreds of lines of code to check.
The Barracuda Web Application Firewall quickly protects web servers from data breaches and websites from defacement without administrators waiting for clean code or even knowing how an application works.
The Barracuda Web Application Firewall provides complete protection of Web applications and is designed to enforce policies for both internal and external data security standards, such as Payment Card Industry Data Security Standard (PCI DSS). At the same time the Barracuda Web Application Firewall 460 and higher models feature a comprehensive set of application delivery capabilities designed to improve the performance, scalability and manageability of today’s most demanding data center infrastructures.
Powerful, Complete Solution
The Barracuda Web Application Firewall protects Web applications and Web services from malicious attacks, and can also increase the performance and scalability of these applications. The Barracuda Web Application Firewall offers every capability needed to deliver, secure and manage enterprise Web applications from a single appliance through an intuitive, real-time user interface.
- Single point of protection for inbound and outbound traffic for all Web applications
- Protects Web sites and Web applications against application layer attacks
- Delivers best practices security right out of the box
- Monitors traffic and provides reports about attackers and attack attempts
- Protection against common attacks
- Outbound data theft protection
- Web site cloaking
- Granular policies
- Secure HTTP traffic
- SSL Offloading
- SSL Acceleration
- Load Balancing
Comprehensive Web Site Protection
Many applications are vulnerable to application layer attacks because application developers do not consistently employ secure coding practices. The Barracuda Web Application Firewall is designed to combat all attack types that have been categorized as significant threats, including:
- Cross Site Scripting (XSS)
- SQL injection flaws
- OS command injections
- Site reconnaissance
- Session hijacking
- Application denial of service
- Malicious probes/crawlers
- Cookie/session tampering
- Path traversal
- Information leakage
A Single Solution to a Multifaceted Problem
Online Web-based applications are increasingly at risk from professional hackers who target such applications in order to commit data theft or fraud. Being compromised can damage an enterprise's reputation, result in loss of customers and impact the organization's bottom line.
In addition, companies that transact online are faced with a host of growing industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS), which mandates that all enterprise and Web applications handling credit card and account information must undergo an extensive and costly audit of custom application code. The alternative to satisfy PCI DSS compliance is simply installing a Web application firewall.
The combination of these factors, along with banking industry PCI DSS compliance concerns, creates demand for a more technologically advanced and cost-effective risk protection solution for online Web applications.
Backed by the worldwide leader in email and Web security appliances, the Barracuda Web Application Firewall will continue to dominate the market by breaking technology barriers.
Web Application Firewall PCI DSS Compliance
The Barracuda Web Application Firewall helps organizations of all types that store, process and/or transmit credit card numbers comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements. In response to increased identity theft incidents and security breaches, major credit card companies collaborated in Sept. 2006 to create the 12 procedural and system requirements, commonly known as PCI DSS version 1.1, to standardize how Primary Account Number (PAN) information is stored and accessed.
Most immediate for today's merchants and organizations is the June 30, 2008 compliance deadline for Section 6.6 of the PCI DSS, which addresses the development and maintenance of secure systems and applications. Section 6.6 mandates that all enterprise and Web applications handling credit card and account information must undergo an extensive audit of all custom application code, a process that is time consuming, labor intensive and costly to repeat with each change to the application code. The alternative to satisfy PCI DSS Section 6.6 compliance is simply installing a Web application firewall.
Payment Card Industry Data Security Standard (PCI DSS) Requirements
The 12 PCI DSS requirements are organized into 6 main categories. To be fully compliant, an organization must satisfy all 12 requirements.
Source: PCI Security Standards version 1.1 - http://www.PCISecurityStandards.org.
- Maintain a Secure Network: Requirements 1 and 2
  - Install and maintain a firewall configuration to protect cardholder data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data: Requirements 3 and 4
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program: Requirements 5 and 6
  - Use and regularly update anti-virus software
  - Develop and maintain secure systems and applications
- Implement Strong Access Controls: Requirements 7, 8, and 9
  - Restrict access to cardholder data by business need-to-know
  - Assign a unique ID to each person with computer access
  - Restrict physical access to cardholder data
- Regularly Monitor and Test Networks: Requirements 10 and 11
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
- Maintain an Information Security Policy: Requirement 12
  - Maintain a policy that addresses information security
Barracuda Networks Enables PCI DSS Compliance
The Barracuda Web Application Firewall is designed as an easy and cost-effective solution to achieve PCI DSS compliance. In addition to satisfying the time-sensitive need to install a Web application firewall into your network for PCI DSS Section 6.6 compliance, the Barracuda Web Application Firewall further ensures PCI DSS compliance with a host of other advanced technologies.
The Barracuda Web Application Firewall enables PCI DSS compliance across major requirements:
| PCI DSS requirement | How the Barracuda Web Application Firewall addresses it |
|---|---|
| 1 - Install a Firewall | Acts as a Web application firewall |
| 3 - Protect data | Proxies Web traffic and insulates Web servers from direct access by attackers |
| 4 - Encryption | Provides easy SSL encryption even if the application or server does not enable SSL |
| 6 - Protect Against Vulnerabilities | Blocks known and zero-day attacks as well as the industry-accepted top 10 Web application vulnerabilities for custom development, legacy and third-party applications |
| 7 - Restrict Access | Provides role-based administration to security policies |
| 10 - Track and Monitor Access | Logs and reports application access and security violations |
PCI DSS section 6.5 is perhaps the most significant set of detailed requirements, as it addresses application vulnerabilities, including coding guidelines such as those outlined by the Open Web Application Security Project (OWASP). The Barracuda Web Application Firewall directly addresses each of the requirements in section 6.5.
| PCI DSS 6.5 requirement | Barracuda Web Application Firewall control |
|---|---|
| 6.5.1 Unvalidated input (i.e., hidden field manipulation) | Validates incoming and outgoing session content against legitimate application behavior and usage |
| 6.5.2 Broken access control (i.e., malicious use of user IDs) | Prevents cookie tampering and corruption of an application's access control system |
| 6.5.3 Broken authentication and session management (i.e., cookie tampering, session hijacking) | Automatically encrypts session cookies and assigns unique session IDs to ensure secure user sessions |
| 6.5.4 Cross-site scripting (XSS) attacks | Inspects and verifies user input and incoming requests for any malicious code before forwarding it to backend servers |
| 6.5.5 Buffer overflows | Detects and prevents attempts via the header or input fields to exceed memory capacity |
| 6.5.6 Injection flaws (i.e., SQL injection) | Validates legitimacy of all Web requests and code accessing backend systems |
| 6.5.7 Improper error handling | Cloaks Web application infrastructure from hackers attempting to expose vulnerabilities in error responses and other messages |
| 6.5.8 Insecure storage | Filters and intercepts outbound traffic to prevent transmission of sensitive information, such as passwords, credit card numbers, account records or proprietary information |
| 6.5.9 Application denial of service (DoS) | Slows down access requests to the Web site if a violation is detected, preventing application DoS attacks |
| 6.5.10 Insecure configuration management | Proxies all inbound and outbound Web traffic to neutralize any configuration vulnerabilities |
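The 6.5.8 row above describes outbound data theft protection: a reverse proxy inspects every response body before it leaves the data center and stops primary account numbers (PANs) from reaching the client. The example below is added here to show how such a filter works; it is not Barracuda's code and does not reflect how the appliance implements the feature. It assumes a response body has already been decoded to text, scans it for 13 to 19 digit candidates (with optional space or dash separators), confirms each candidate with the Luhn checksum so that ordinary order numbers are not flagged, and masks confirmed PANs to the first six and last four digits, which is the truncation PCI DSS permits for display. The sample response is constructed for the example and uses well-known test card numbers, not real accounts.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run (so a 20-digit ID is never matched).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum
    used by payment card numbers. Expects digits only."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six (issuer BIN) and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def filter_response(body: str):
    """Scan an outbound response body for Luhn-valid PANs.

    Returns (filtered_body, findings) where findings lists the masked form of
    every PAN that was replaced, suitable for the WAF's violation log.
    """
    findings = []

    def _replace(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            masked = mask_pan(digits)
            findings.append(masked)
            return masked
        return raw              # failed checksum: leave it untouched

    return PAN_CANDIDATE.sub(_replace, body), findings


# Constructed sample response (hypothetical page; test card numbers only).
SAMPLE_RESPONSE = (
    "<html><body>\n"
    "Order number: 1234567890123\n"            # 13 digits, fails Luhn, not a PAN
    "Card on file: 4111111111111111\n"         # Visa test number, Luhn-valid
    "Backup card: 5500 0000 0000 0004\n"       # Mastercard test number, spaced
    "Tracking ID: 12345678901234567890\n"      # 20 digits, never a candidate
    "</body></html>\n"
)


def demo():
    """Run the filter over the sample and return the results."""
    return filter_response(SAMPLE_RESPONSE)


if __name__ == "__main__":
    filtered, found = demo()
    print(filtered)
    for pan in found:
        print("WAF violation: outbound PAN masked ->", pan)
```

In a deployment the filter would run as a response hook in the proxy, and the `findings` list is what feeds the requirement 10 logging shown earlier; masking rather than dropping the whole response keeps the application usable while still preventing the leak.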