It seems like the list of stress-inducing security demands on the IT profession keeps getting longer. I guess that’s because it does! Government and industry mandates are piling up. The Payment Card Industry Data Security Standard (PCI-DSS) has been in existence since 2004, but it was a toothless tiger until recently. Over the years this standard has shifted from a “best practice” guideline to a requirement for web-facing applications.
Organizations that store, process or transmit primary account numbers (PANs) such as credit card numbers, or medical ID records, are required to ensure application security. Fines and lost customer confidence hang in the balance, and plaintiffs’ attorneys are just begging to drag you to court. There is a way out from under this pressure. Breeze past the auditors and go play a round of golf early. With the NetScaler Application Firewall, organizations can readily comply with the PCI-DSS requirements as they pertain to web applications and ease security audits. The following are just a few of the ways Citrix NetScaler meets these mandates and prevents a migraine headache.
Deploy a Web Application Firewall and economically conform to Section 6.6
This requirement forces your organization either to undergo expensive, regular application code vulnerability audits and correct the deficiencies found, or to implement a web application firewall. The choice is up to you. Considering the cost advantages of an application firewall, I would suggest that option. Code reviews are very expensive, and they are only valid until some hyperactive employee modifies the application or a new attack vector is developed that is beyond the scope of the review. The NetScaler Application Firewall provides continuous protection with immediate blocking of attacks, dynamically adjusts to code changes, and supports multiple applications simultaneously. Paying a one-time upfront capital charge beats paying a recurring code review fee forever.
Thou shalt block traffic from untrusted hosts and networks
PCI-DSS section 1.2 requires that organizations build and maintain a secure network, using core web protocols and VPN technologies to deliver and secure cardholder data across networks. The only exception is for protocols necessary to the cardholder data environment. The NetScaler Application Firewall, in conjunction with NetScaler’s Citrix Access Gateway Enterprise Edition, restricts access to applications and data by allowing only the use of approved protocols and methods, only connections from trusted networks, and only access by users who are authenticated and authorized. Problem solved! For additional assurance, the NetScaler Application Firewall has obtained ICSA Labs web application firewall certification. Obtain the ICSA certification report here.
Selectively block account numbers from public view
We have all seen credit card numbers displayed with only a few digits visible. Per section 3.3, only the first six and last four digits of a PAN may be shown, with all other digits masked out. Rather than write elaborate code or employ a magic PAN genie, the easiest way to conform is with the NetScaler Application Firewall. The appliance is easily configured to mask or block PANs and otherwise prevent the leakage of sensitive cardholder data, regardless of programmer oversight, logic flaws, or targeted attacks. Complete server responses containing PAN data can be blocked from being transmitted to the requesting client. Wizards and other shortcuts provide pre-defined configurations that cover all major cards, such as Visa and MasterCard. NetScaler “data objects” can be added in minutes for custom blocking of Social Security numbers, health IDs or any other private information.
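As an added example (not Citrix code and not the NetScaler configuration syntax) of what the section 3.3 rule looks like in practice, the Python filter below scans an outgoing response body for PAN-shaped digit runs, uses the Luhn check to skip order numbers and other non-card digit strings, and either X-outs everything but the first six and last four digits or drops the whole response once a configurable count is exceeded. The sample response body, the function names and the `max_allowed`/`action` parameters are constructed for illustration.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample response body (not real data): the first number is an
# order id that happens to be 16 digits long but fails the Luhn check; the
# other two are the well-known Visa and MasterCard test numbers.
SAMPLE_RESPONSE = (
    "Order 1234567890123456 confirmed.\n"
    "Paid with card 4111 1111 1111 1111 (Visa).\n"
    "Backup card: 5555-5555-5555-4444\n"
)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw: str) -> str:
    """Keep the first six and last four digits, X out the rest (PCI-DSS 3.3),
    preserving any separators so the page layout does not change."""
    n = sum(c.isdigit() for c in raw)
    out, seen = [], 0
    for c in raw:
        if c.isdigit():
            out.append(c if seen < 6 or seen >= n - 4 else "X")
            seen += 1
        else:
            out.append(c)
    return "".join(out)


def find_pans(body: str) -> list:
    """Return the raw PAN-looking substrings in body that pass the Luhn check."""
    hits = []
    for m in PAN_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(m.group(0))
    return hits


def scrub_response(body: str, max_allowed: int = 0, action: str = "mask"):
    """Apply a WAF-style policy to an outgoing response body.

    Returns (new_body, pan_count, blocked).
    action="mask":  X out every PAN found and pass the response.
    action="block": if more than max_allowed PANs are present, drop the whole
                    response (empty body); otherwise mask and pass it.
    """
    pans = find_pans(body)
    if action == "block" and len(pans) > max_allowed:
        return "", len(pans), True

    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(m.group(0)) if luhn_valid(digits) else m.group(0)

    return PAN_CANDIDATE.sub(repl, body), len(pans), False


if __name__ == "__main__":
    masked, count, blocked = scrub_response(SAMPLE_RESPONSE)
    print(f"{count} PAN(s) found, blocked={blocked}\n{masked}")
```

Running the block prints the masked body: the Luhn test leaves the 16-digit order number untouched while both card numbers are reduced to their first six and last four digits. The point of doing this on the appliance rather than in the application is the one the paragraph makes: a logic flaw that echoes a full PAN is caught in front of the application, before the response reaches the browser, and the "block" action gives you the all-or-nothing behaviour for responses that should never carry card data at all.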
Employ ultra-strength cryptography and security protocols, or else
According to section 4.1, strong encryption must be used when transmitting confidential data over open, public networks. Fortunately, the NetScaler Application Firewall can be used to SSL-enable applications that were not designed to use secure communication protocols. NetScaler supports strong SSL cryptography with key lengths up to 4096 bits. Try that on your server and see what happens! The application firewall inspects the contents of SSL/TLS-encrypted sessions, ensures session validity and blocks attacks. You typically can’t achieve this with a conventional network firewall or intrusion prevention system, as those capabilities are usually not present.
Guard encryption keys as you would nuclear attack codes
The nebulous section 3.5 states that these keys must be protected against disclosure and misuse. What the heck does that mean? It is obvious that protecting encryption keys is paramount to maintaining the confidentiality of encrypted data: if an encryption key is uncovered, all previous, current and future transactions that use the key can be decrypted and disclosed as clear text. But just how far do you have to go? Hire a private army? Not quite, but you never know. Luckily, cryptographic protection standards such as FIPS 140-2 have proven to be a best practice for financial organizations that require strong key protection, and FIPS is a consideration within PCI-DSS compliance. Four NetScaler appliances, including the integrated application firewall module, are FIPS 140-2 Level 2 compliant. These appliances securely maintain the certificates and encryption keys used for SSL/TLS and are available in the FIPS versions of the MPX 9700, MPX 10500, MPX 12500 and MPX 15500. Problem solved.
Back to that audit thing: how do I know I will pass?
You need a cookbook of PCI-DSS compliance mandates that shows, step by step, whether you are in conformance or not. NetScaler’s Web Application Firewall has such a tool, the integrated compliance reporting tool, to be exact. Each security measure required for PCI-DSS compliance is listed to assist with an audit. The compliance report shows the application firewall settings relevant to PCI-DSS, how they should be configured and whether they are being met. If a setting is found to be non-compliant, NetScaler provides steps to rectify the situation. At a glance it is easy to determine whether credit card blocking has been enabled and whether confidential fields have been configured and activated. Passing an audit has never been simpler. Now relax and grab your golf clubs.