Software vs. Hardware
The PCI Information Supplement states that a WAF can be implemented in software on a standard server running a common operating system or an appliance. It may be a stand-alone device or integrated into other network components. So, you can choose from the full range of WAFs on the market.
Software WAFs are usually cheaper and more flexible. Appliances are typically easier to install and configure, partly because their operating system has already been hardened, whereas a software firewall will require you to harden it. (A WAF won't protect you against poor configurations or vulnerabilities in your servers.)
If you opt for a software-based product, choose one that works on a platform with which your IT department is familiar. Either way, check out what type of training and support is provided by the firewall vendor--and at what cost.
There are, of course, open source software WAFs, such as ModSecurity [http://modsecurity.org] and AQTRONIX WebKnight [http://www.aqtronix.com]. If they meet your requirements you can greatly reduce your costs, but you will still need staff to learn, install, configure, and maintain them. Many open source projects have excellent support forums, but unlike with a purchased product, you won't be able to call a help desk in an emergency.
Performance and scalability are other important considerations when evaluating hardware or software options. Some devices may be limited in how many transactions per hour they can handle. Other appliances may have bandwidth limitations. You will need to choose a scalable and flexible firewall if you're planning on increased Web activity or adding applications in the near future.
Software products often provide an easier upgrade path than appliances, but hardware WAFs are better suited for high-volume sites, which require high throughput.
If you are running a large-scale application that requires more than one WAF, then centralized management may be a critical feature so firewall policies can be deployed and managed from a single location.
Our advice is not to get hung up on whether the WAF is hardware or software, as long as it meets your objectives and you have the in-house skills to configure and manage it.
Primer: PCI DSS
What you need to know about PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) was developed by the PCI Security Standards Council, an open forum launched in 2006. The council is part of PCI, a joint industry organization set up by a group of the major credit card companies, and is responsible for the ongoing development, management, education, and awareness of the PCI DSS.
However, it doesn't enforce the PCI DSS, nor does it set the penalties for any violations. Enforcement is left to the specific credit card companies and acquirers. PCI DSS does not replace the individual credit card companies' compliance programs but has been incorporated into them as the technical requirements for data security compliance. The PCI DSS must be met by all merchants that accept credit and debit cards issued by the major credit card companies.
Under the PCI DSS, an organization must be able to assure its customers that their credit card data, account information, and transaction information are safe from hackers or any malicious system intrusion by adopting various specific measures to ensure data security. These include building and maintaining a secure IT network, protecting cardholder data, and maintaining a vulnerability management program and an information security policy.
The standard's compliance requirements are ranked in four levels, and the level of compliance required of a merchant is based upon the annual volume of payment card transactions it processes. Level 1, the highest level, can also be imposed on organizations that have been attacked or are otherwise deemed as high risk. A single violation of any of the requirements can trigger an overall non-compliant status, resulting in fines, and, possibly, suspension or revocation of card processing privileges until the merchant is PCI compliant.
For more details, visit the PCI Security Standards Council website.
--Michael Cobb