Meet PCI compliance with hyperguard - solution by a Forefront TMG business partner

Industry
Financial services

The Solution
Web application firewall plug-in hyperguard

Payment gateway provider fulfills the Web application security requirements of the PCI Data Security Standard with ISA Server/Forefront TMG and art of defence's Web application firewall plug-in hyperguard.

The Challenge

Payment Card Industry Data Security Standard requires comprehensive security at the network and the web application layer

Businesses in the financial services sector, particularly companies that process or store credit card data, have to comply with many legal and industry standards, including PCI DSS. Non-compliance leads to higher transaction costs, fines, or claims for damages, which vary with the size of the organization.

The current version 1.2 of PCI DSS consists of 12 requirements that specify security measures at both the network level (e.g. anti-virus protection) and the Web application level. Specifically, PCI requirement 6.6 states that all Web-facing applications must be protected against known attacks, such as Cross Site Scripting (XSS), SQL injection and other OWASP Top10 threats. This additional requirement is fulfilled by installing a Web application firewall in front of Web-facing applications. A leading European payment gateway provider looked for a comprehensive security solution that would cover both the network and application layer requirements of PCI DSS.

Technical Solution

ISA Server/Forefront TMG plus Web application firewall hyperguard as software plug-in

After evaluating different solutions, the company chose the combination of Microsoft ISA Server with art of defence's Web application firewall hyperguard as a software plug-in. One key advantage of this combination was reliable Web application security, Web publishing capabilities and comprehensive network protection in a single device. Other solutions needed at least a separate network firewall and a separate Web application proxy, which would have doubled the number of components.

Installing an enterprise array of three ISA Server installations fulfilled the customer's high-availability requirements. These new servers could easily be integrated into the existing Active Directory without changing any global configuration. In addition, the logging and monitoring features of ISA Server allow tracking of all access to network resources and cardholder data (PCI DSS 1.2.1 Requirement 10). Web publishing rules for specific Web applications provide centralized protection of the IIS Web servers at the backend.

hyperguard enhances the Microsoft ISA Server/Forefront TMG 2010 protections with additional Web application security features, allowing administrators to:

  • Analyze bi-directional HTTP requests to protect against common attack patterns such as those defined under the OWASP Top10 risks
  • Manage white, black and grey listing in real-time, to create Web application-specific protection
  • Secure session management activity in order to deny attackers the ability to steal real users' passwords, keys or session tokens
  • Protect form field use, thereby securing against Cross Site Request Forgery (CSRF) attacks
  • Ensure that an application’s internal URL structure is not visible online through URL encryption
  • Enforce proper site usage to avoid malicious activity
  • Prevent deep linking, which forces all users to start interacting at the predefined entry points of the Web application
  • Check the validity of HTTP requests for syntax corruption in real-time
  • Assume the role of a Web Services Security Gateway (XML/SOAP) to check the integrity of XML data against specified document type definitions (DTDs)

These proactive security features of hyperguard are continually and automatically updated to protect against the latest known vulnerabilities. Each protection level can be customized to the user's needs, taking into account the risk level of the Web applications being protected. Separate rulesets for enforcement and for monitoring can be used simultaneously (protection ruleset/detection ruleset), so that a new rule can be observed in detection mode before it is enforced, which avoids false positives. Advanced logging and monitoring are enabled to provide an overview of all internal system events, error messages, application-independent events that are not tied to a specific host (e.g. invalid requests), as well as the load and status of all servers and clusters.
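As an added illustration (not hyperguard's own code, whose rule format the case study does not describe), the following Python filter shows how the whitelist, grey-list and blacklist model combines with a protection ruleset and a detection-only ruleset: protect-mode findings block the request, detect-mode findings are only logged, so a freshly deployed rule can be tuned without causing false positives. The `/pay` endpoint, its parameters, the rule names and the simplified attack signatures are all hypothetical, and the requests are constructed sample input.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    pattern: re.Pattern   # matched against every parameter value
    mode: str             # "protect" blocks the request, "detect" only logs

@dataclass
class Verdict:
    blocked: bool
    events: list = field(default_factory=list)   # (mode, rule, parameter)

# Hypothetical, simplified signatures for two OWASP Top10 classes.
# The SQL injection rule is enforced; the XSS rule is still in detection
# mode, i.e. it is being monitored for false positives before enforcement.
RULES = [
    Rule("sqli-tautology", re.compile(r"(['\"])\s*or\s+\d+\s*=\s*\d+", re.I), "protect"),
    Rule("xss-script-tag", re.compile(r"<\s*script\b|javascript:", re.I), "detect"),
]

# Whitelist: per path, the parameters that may appear and their allowed syntax.
# Parameters that are not listed are grey-listed: logged, not blocked.
WHITELIST = {
    "/pay": {
        "amount": re.compile(r"^\d{1,7}(\.\d{2})?$"),
        "currency": re.compile(r"^[A-Z]{3}$"),
    },
}

def inspect_request(path: str, params: dict) -> Verdict:
    verdict = Verdict(blocked=False)
    allowed = WHITELIST.get(path)
    if allowed is None:                          # unknown entry point
        verdict.blocked = True
        verdict.events.append(("protect", "path-not-whitelisted", path))
        return verdict
    for name, value in params.items():
        syntax = allowed.get(name)
        if syntax is None:                       # grey list: record only
            verdict.events.append(("detect", "param-greylisted", name))
        elif not syntax.match(value):            # whitelist syntax violated
            verdict.blocked = True
            verdict.events.append(("protect", "param-syntax", name))
        for rule in RULES:                       # blacklist signatures
            if rule.pattern.search(value):
                verdict.events.append((rule.mode, rule.name, name))
                if rule.mode == "protect":
                    verdict.blocked = True
    return verdict
```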

The Web application firewall hyperguard was easy to configure and offered a variety of protection levels, ranging from pure Web application attack detection, through intermediate levels such as baseline protection against known attacks, up to complete Web application shielding. hyperguard also offered hierarchical, role-based administration of applications with Active Directory support.

Result

PCI compliance was met and higher levels of security were reached

Using the integrated solution, the customer not only passed the PCI audit, but also continues to improve its protection level by iteratively enabling more of hyperguard's proactive security features.

Company profile

art of defence provides comprehensive application security technology for every scale. Our flagship product, the pure software distributed Web application firewall (dWAF) hyperguard, protects Web and cloud applications against known and unknown attacks at the application layer (such as OWASP Top10). Today, art of defence helps leading banks, financial services providers and e-commerce businesses to fulfill industry standards such as PCI compliance (PCI DSS v1.2). The company is based in San Francisco, USA, and Regensburg, Germany.

For more information, visit: http://www.artofdefence.com/en

Compiled by:
Nady Gorodetsky, Program Manager, Forefront TMG

Reviewed by:
Rachel Aldams, Technical Writer, Forefront TMG