A WAF Does Not Make You PCI Compliant

Matt Keil

Category: PCI compliance

One of the most common questions that arises when PCI is discussed is whether Palo Alto Networks is a web application firewall (WAF) and whether we can address Requirement 6.6 of the PCI DSS. The short answer is no. The differences are pretty clear, so what generates the question? It is my belief that it arises because of the manner in which we classify traffic: by application rather than by port and protocol. Because of the term “application”, a bit of a leap is taken and we get placed in the WAF category. Let’s take a look at the differences in more detail.

Web application firewalls (WAFs) are designed to look at web applications, monitoring them for security issues that may arise from coding errors. Every corporation needs a firewall, and in many cases more than one. Only those corporations that believe they have web application coding issues, or that want an added layer of security for their public-facing web applications, need a WAF.

Key attributes of a web application firewall:
* Designed to compensate for insecure coding practices: only companies that run web applications and are concerned that their code is insecure need to buy a WAF.
* Highly customized for each environment: it learns how the web application is supposed to behave and acts on any deviation. Threat prevention is typically focused on attacks that may take advantage of coding errors.
* Unable to perform many of the functions a network firewall does, such as network segmentation.
* Looks only at the specific Layer 7 fields of a web application; it does not inspect the other layers of the OSI stack.
* Monitors a very small subset of the application traffic and, as such, cannot meet the network throughput requirements of a network firewall.

Palo Alto Networks next-generation firewalls enable policy-based visibility and control over the applications, users and content traversing the network. Knowing which application is traversing the network, who is using it and the threats associated with it is the basis of all firewall security policies, including access control, SSL decryption, threat prevention and URL filtering.

Key attributes of the Palo Alto Networks next-generation firewall:
* Designed to be a primary firewall, identifying and controlling the applications, users and content traversing the network.
* Controls access to cardholder data based on the specific application (not just the port/protocol), the user identity from Active Directory (not the IP address) and the content (threats and data patterns).
* A powerful networking and routing infrastructure enables integration into any networking environment, while a zone-based architecture facilitates the network segmentation needed to isolate cardholder data.
* All application, user and threat traffic is logged for analysis and forensics.
* Designed to act as the primary firewall for enterprises of all sizes, using a combination of custom hardware, function-specific processing and software design to deliver high-performance, low-latency throughput.

Rather than looking only at the functionality of the two solutions, another way to compare them is to evaluate where each may be deployed according to the PCI DSS 1.2 documents. A WAF is deployed only in front of a public-facing web application that accepts credit cards (Requirement 6.6). According to Requirement 1 of the PCI DSS, a network firewall can be deployed in many different scenarios, including:
* controlling traffic between the Internet and the cardholder data network;
* sitting between the cardholder data network and the production network;
* creating DMZs that separate web servers and other Internet-accessible resources;
* separating the wired and wireless networks;
* segmenting the network to reduce the scope of PCI.
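To make the contrast between the two attribute lists above concrete, here is an added illustration in Python that is not part of the original post and is not Palo Alto Networks configuration syntax. It models two policy engines side by side: a zone-based network firewall policy that matches on source zone, destination zone, identified application and user identity (the segmentation and access-control role described under Requirement 1), and a WAF check that sees nothing but the Layer 7 fields of one HTTP request to one web application (the Requirement 6.6 role). The zone names, application names, users and the `/checkout` parameter profile are all constructed for the example.

```python
import re
from dataclasses import dataclass

# --- Network firewall side: zone-based, application- and user-aware policy ---

@dataclass(frozen=True)
class Flow:
    src_zone: str   # constructed zone names: "corp", "dmz", "cde" (cardholder data environment)
    dst_zone: str
    app: str        # application identified by inspection, not inferred from the port
    user: str       # identity mapped to the session, not the source IP
    dst_port: int

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str         # "any" or a specific zone
    dst_zone: str
    apps: frozenset       # {"any"} or a set of identified applications
    users: frozenset      # empty set means any user
    action: str           # "allow" or "deny"

# Constructed rulebase: only one named DBA may reach the CDE with the database
# application, the DMZ web tier may reach the CDE only via the payment API,
# and everything else bound for the CDE is explicitly denied and logged.
ZONE_RULES = [
    Rule("dba-to-cde-sql", "corp", "cde", frozenset({"ms-sql"}), frozenset({"corp\\dba-alice"}), "allow"),
    Rule("dmz-web-to-cde-api", "dmz", "cde", frozenset({"payment-api"}), frozenset(), "allow"),
    Rule("deny-all-to-cde", "any", "cde", frozenset({"any"}), frozenset(), "deny"),
]

def evaluate_zone_policy(flow, rules=ZONE_RULES):
    """First-match evaluation over the zone rulebase; implicit deny if nothing matches.
    Note that the decision never looks at HTTP content: a flow using the right
    application from the wrong zone or the wrong user is denied regardless of payload."""
    for r in rules:
        if r.src_zone not in ("any", flow.src_zone):
            continue
        if r.dst_zone not in ("any", flow.dst_zone):
            continue
        if "any" not in r.apps and flow.app not in r.apps:
            continue
        if r.users and flow.user not in r.users:
            continue
        return r.name, r.action
    return "implicit-deny", "deny"

# --- WAF side: Layer 7 fields of one web application only ---

@dataclass
class HttpRequest:
    method: str
    path: str
    params: dict
    headers: dict

# Constructed positive-security profile for a single endpoint: which parameters
# are expected and what shape each must have. A WAF is tuned per application
# in exactly this way; it has no notion of zones, users or other protocols.
EXPECTED_PROFILE = {
    "/checkout": {
        "card_token": r"^[A-Za-z0-9]{16,32}$",   # tokenised reference, never a PAN
        "amount": r"^\d+(\.\d{2})?$",
    },
}

def evaluate_waf(req):
    """Toy WAF check: allow only requests whose path and parameters match the
    learned profile. Anything unexpected is blocked with a reason for the log."""
    profile = EXPECTED_PROFILE.get(req.path)
    if profile is None:
        return "block", "unknown-path"
    for name, value in req.params.items():
        pattern = profile.get(name)
        if pattern is None:
            return "block", f"unexpected-param:{name}"
        if not re.fullmatch(pattern, value):
            return "block", f"malformed-param:{name}"
    return "allow", "matches-profile"

if __name__ == "__main__":
    print(evaluate_zone_policy(Flow("corp", "cde", "ms-sql", "corp\\dba-alice", 1433)))
    print(evaluate_zone_policy(Flow("dmz", "cde", "ssh", "svc-web", 22)))
    print(evaluate_waf(HttpRequest("POST", "/checkout",
                                   {"card_token": "abcd1234abcd1234", "amount": "10.00"}, {})))
```

Running the two evaluators against the same traffic shows why they are complementary rather than interchangeable: the zone policy blocks an SSH session from the DMZ into the CDE without ever parsing a request, while the WAF blocks a malformed or unexpected `/checkout` parameter without knowing which zone or user it came from. Neither engine can make the other's decision, which is the point of the post.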

I hope this helps clarify the key differences between Palo Alto Networks and web application firewalls.

