Network Gateway
As Unified Threat Management (UTM) devices, Secure Firewall (Sidewinder) and Secure SnapGear® appliances have full protections to cover several PCI DSS requirements:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Secure Firewall (Sidewinder) and Secure SnapGear® firewalls provide for all PCI firewall requirements, including the ability to establish proper configuration standards. Firewall policy restricts outbound connections, and by using a positive security model that allows only proper traffic, enterprises can be sure policy is sufficiently restrictive to protect against unknown attacks. In addition, policy is easy to read and print for regular review. When an application firewall evolves into a PCI DSS requirement in June 2008 (Requirement 6), with Secure Firewall (Sidewinder) you can fulfill both stateful inspection and application firewall requirements with just one firewall.
Requirement 2 (specifically 2.1, 2.2, 2.3, 2.4): Do not use vendor-supplied defaults for system passwords and other security parameters.
- Secure Firewall (Sidewinder) avoids this common security hole since it doesn't provide default system passwords and instead requires the administrator to configure a password for any administrative accounts. Plus, built on the industry-leading SecureOS® operating system, Secure Firewall's (Sidewinder) hardened system ensures the security of the firewall device while running OSI layer 7 application inspection to validate protocol compliance, and is among the few to hold application-level Common Criteria certification. Secure Firewall (Sidewinder) management occurs over an SSL-encrypted communications channel and also supports SSH access for administrative communication. In addition, Secure Firewall (Sidewinder) allows segmentation of hosted cardholder data through a combination of policy controls and security zones (burbs).
- Secure SnapGear® has extensive password control capabilities, with reminders, lockout after too many incorrect tries, format requirements, password validity periods, and more. In fact, an entire section of the Secure SnapGear® GUI is dedicated to password controls.
Protect Cardholder Data
Requirement 4 (specifically 4.1): Encrypt transmission of cardholder data across open, public networks.
- Secure Firewall (Sidewinder) and Secure SnapGear® appliances include IPSec VPN capabilities to safeguard sensitive cardholder data during transmission over open, public networks. This capability is a global standard that allows companies to share cardholder data with necessary partners by creating secure gateway-to-gateway tunnels.
- For those environments that require wireless networking capabilities, Secure SnapGear® can provide the appropriate encryption technology (WPA, WPA2, IPSec VPN, WEP, MAC address restrictions, etc.) to ensure secure wireless transmissions of data.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software.
- It is increasingly unjustified to only perform basic rule checks on downloads into your network. File transfers (HTTP or FTP) and mail attachments should be processed at your perimeter to protect the internal network. Secure Firewall (Sidewinder) and Secure SnapGear® go beyond standard reactive, signature-based anti-virus solutions by using the reputation-based technology of TrustedSource™ global intelligence to provide proactive security at the network edge. Enterprises need to know more about traffic identity (IP address, URL, image, message) to have more than reactive security. TrustedSource takes anti-virus to the next level by using reputation scores to drop more than 60% of unwanted traffic at the network edge. And with SecurityReporter built into Secure Firewall (Sidewinder) and Secure SnapGear®, audit logs are consolidated, correlated, monitored and reported on automatically with full template reports for auditors. Easily sift through the data for the evidence you need.
Requirement 6 (specifically 6.1, 6.6): Develop and maintain secure systems and applications.
- This is a critical requirement because application-layer attacks, which account for the vast majority of successful attacks (>70%), are the new norm, not network-layer attacks. In fact, SANS claims that over 80% of successful attacks against organizations are the result of exploiting a web application. With Secure Firewall (Sidewinder) application technology, enterprises are prepared for these application attacks, as well as for June 30, 2008, when an application-layer firewall evolves into a PCI DSS requirement.
- Unlike with competitors' products, patching Secure Firewall (Sidewinder) is effective and time-efficient because when you patch the Secure Firewall (Sidewinder) firewall, the integrated SecureOS operating system is patched at the same time. What's more, with the patented Type Enforcement® technology of SecureOS, Secure Firewall (Sidewinder) has never had an emergency patch in more than 12 years. Imagine the luxury of quitting the patch-of-the-month club and becoming PCI compliant at the same time!
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know.
- Strong authentication and access control are key components of Secure Computing's product line, including Secure Firewall (Sidewinder) and Secure SnapGear®. Secure Firewall (Sidewinder) allows for granular access control to network segments, individual hosts, and specified users. Secure Firewall (Sidewinder) also supports a variety of authentication mechanisms, such as Secure SafeWord, RADIUS, Windows NTLM, Active Directory, and LDAP, that can increase the granularity of the access control to the user level. Apart from LDAP, Secure SnapGear has all this capability as well. In addition, Secure Firewall (Sidewinder) by default deploys a positive security model, which means the administrator must explicitly define the allowed access, including the resource and the subject or user attempting to access the resource.
Regularly Monitor and Test Networks
Requirement 10 (specifically 10.6, 10.7): Track and monitor all access to network resources and cardholder data.
- Logging and audit trails are essential for determining security breaches and for identifying security anomalies and abnormal user and network behavior. Both Secure Firewall (Sidewinder) and Secure SnapGear provide the SecurityReporter™ security information event management (SIEM) tool to help enterprises sift through large volumes of data. SecurityReporter centrally collects, monitors, and reports on audit streams of multiple firewalls to provide actionable information. With more than 300 graphical reports and real-time personalized monitoring through a web-based portal, SecurityReporter significantly eases the burden of pinpointing "interesting" events, and with full template regulatory compliance reports for PCI DSS and regulations like Sarbanes-Oxley (SOX), GLBA, HIPAA and FISMA, it takes the pain out of regulatory compliance.
Requirement 11 (specifically 11.3.2, 11.4): Regularly test security systems and processes.
- Intrusion detection systems try to detect attacks by looking for data patterns in network messages that have also appeared in messages carrying a known attack. These patterns or "signatures" are developed in much the same way that anti-virus vendors produce "signatures" to detect viruses. The PCI DSS requirement for an intrusion detection system does not have to be met by a stand-alone IPS system: Secure Firewall (Sidewinder) and Secure SnapGear are next-generation UTM firewalls that integrate IPS capabilities to provide cutting-edge intrusion detection and prevention in one device, and can aid with required application-layer penetration tests as well.