NETWORK SECURITY

The Internet represents the primary source of information security risks to the enterprise. Clearly the best risk mitigation strategy would be to cut the enterprise’s connection to the Internet. However, we all understand that’s not feasible due to business needs.

There are two key constituencies that require the enterprise to be connected to the Internet:

  1. Internal users like employees and contractors
  2. External users like customers, vendors, and other partners.

Most organizations respond to these constituencies by creating two networks which I will call Corporate and Commercial, although there can be shared back-end services and databases. Historically, the primary network security technical control for the former is the Firewall and for the latter it is the Web Application Firewall.

Corporate Network Security

Since Internet usage became popular in the mid-90s, the firewall has been the primary network security technical control. While several alternative firewall technologies originally competed, “stateful inspection” came to dominate the market by the late 90s, and to this day it is still the most popular firewall technology, although, as I will discuss further on, it is completely inadequate considering today’s usage of the Internet and cyber predators’ goals and methods.

By the early 2000s, it became clear that stateful inspection firewalls by themselves could not provide adequate protection because of the increasing complexity of the threat landscape and the proliferation of web-based productivity applications specifically designed to bypass the stateful inspection firewall. Therefore a variety of additional network security solutions came to market, such as Intrusion Detection and Prevention Systems, Proxies, and URL Filters. This added dramatically to capital, administrative, and operational costs. By the late 2000s, enterprises began to realize that this combination of firewalls and “firewall helpers” was not effectively mitigating the risks it was intended to.

In October 2009, Gartner released a research report on a new type of network security control – the “Next Generation Firewall”. (Please contact me for a copy using the form on the side panel of this page)

Here are Cymbel’s requirements for corporate network security which can be achieved with the right Next Generation Firewall:

  • Provide visibility and understanding of application traffic regardless of evasive tactics including SSL
  • Build a Positive Enforcement Model at the application and user level as well as port, protocol, and IP address level
  • Provide backward compatibility with existing firewall technology
  • Detect and block threats on allowed traffic
  • Simplify risk management
  • Reduce administrative and operational costs
  • Improve the security team’s ability to respond to changing business needs
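To make the second and third requirements concrete, here is a small policy evaluator, added as an illustration rather than Cymbel’s or any vendor’s code. It compares a legacy port-based rule set with a positive enforcement model that names the allowed applications and user groups and defaults to deny; the application labels, group names and the 10.1.0.0/16 server subnet are constructed for the example, and the last rule is written purely in port/IP terms to show that legacy rules remain expressible alongside application-level ones.

```python
from dataclasses import dataclass

# Constructed example: a positive enforcement model at the application and
# user level, compared with a port-based stateful rule set. Application and
# user labels are hypothetical, not any firewall vendor's identifiers.

@dataclass(frozen=True)
class Flow:
    src_ip: str
    user: str          # identity the firewall resolved, or "unknown"
    app: str           # application identified from traffic, or "unknown"
    dst_port: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    apps: frozenset = frozenset()    # empty = any application
    users: frozenset = frozenset()   # empty = any user
    ports: frozenset = frozenset()   # empty = any destination port
    src_prefix: str = ""             # "" = any source address

    def matches(self, f: Flow) -> bool:
        return ((not self.apps or f.app in self.apps)
                and (not self.users or f.user in self.users)
                and (not self.ports or f.dst_port in self.ports)
                and f.src_ip.startswith(self.src_prefix))

def evaluate(rules, flow, default="deny"):
    """First matching rule wins; a positive model means the default is deny."""
    for r in rules:
        if r.matches(flow):
            return r.action
    return default

# Legacy stateful policy: anything outbound to 80/443 is allowed, whatever it is.
PORT_BASED = [Rule("allow", ports=frozenset({80, 443}))]

# Positive enforcement model: list the applications and users you allow.
# The last rule uses only port and source address, i.e. a legacy-style rule
# for a constructed server subnet (10.1.0.0/16), kept for backward compatibility.
APP_USER_BASED = [
    Rule("allow", apps=frozenset({"web-browsing"})),
    Rule("allow", apps=frozenset({"crm-saas"}), users=frozenset({"sales-group"})),
    Rule("allow", ports=frozenset({443}), src_prefix="10.1."),
]

# Constructed flows; the third is an unidentified application tunnelled over 443.
SAMPLE_FLOWS = [
    Flow("10.2.0.7", "sales-group", "crm-saas", 443),
    Flow("10.2.0.9", "eng-group",   "crm-saas", 443),
    Flow("10.2.0.9", "eng-group",   "unknown",  443),
    Flow("10.1.4.2", "unknown",     "unknown",  443),
]

def compare(flows=SAMPLE_FLOWS):
    """Return (user, app, port, port-based verdict, app/user verdict) per flow."""
    return [(f.user, f.app, f.dst_port,
             evaluate(PORT_BASED, f), evaluate(APP_USER_BASED, f)) for f in flows]

if __name__ == "__main__":
    for row in compare():
        print("user=%-12s app=%-13s port=%d  port-based=%s  app/user=%s" % row)
```

The port-based policy allows all four flows because they all go to 443; the positive model allows only the sales user on the CRM application and the legacy server rule, and denies the engineering user on an application that is not approved for that group and the unidentified application that is hiding inside SSL on 443.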

Here is the link to Cymbel’s analysis of Next Generation Firewalls, which we consider to be the cornerstone of our next-generation defense-in-depth architecture.

Commercial Network Security

Most enterprises use the Internet to (1) facilitate information sharing with customers, vendors, and other partners and (2) provide self-service transaction processing applications to reduce commerce friction and transaction costs. These web-based applications provide a very attractive attack surface to cyber predators. In response, organizations like OWASP, SANS, and the Payment Card Industry Security Standards Council have developed recommendations of varying detail and effectiveness to mitigate the risks associated with these web applications.

The most impactful web application security regulatory organization by far is the Payment Card Industry Security Standards Council. It was established in 2006 by founding members American Express, Discover, JCB International, Mastercard, and Visa. The credit card regulations they promulgate (commonly referred to as PCI DSS) must be met or the enterprise risks losing its ability to take payments via these credit card brands.

PCI DSS 6.6 states that for public-facing web applications the enterprise must EITHER perform an annual vulnerability security assessment OR deploy a web application firewall. However, when 6.6 is coupled with other requirements of Requirement 6 (Develop and maintain secure systems and applications), the vulnerability assessment is the “must have” and the WAF becomes unnecessary to meet PCI DSS. This is most unfortunate.

In theory, it ought to be possible to have a rigorous Security Development Life Cycle (SDLC) such that a WAF would not be necessary. But in practice it does not happen. Application development resources are always in short supply and must be divided between fixing deployed systems and developing new ones. And since the Application Vulnerability Assessment need only be performed once per year, you can be PCI DSS compliant while having unpatched vulnerabilities.

Therefore rather than PCI DSS being the end goal of information security, Cymbel sees it as the end of the beginning. In other words, PCI DSS is a floor, not a ceiling.

Cymbel, like the SANS 20 Critical Security Controls, sees Web Application Firewalls as a required control in addition to the SDLC for web application security for the following reasons:

  • Protects more valuable assets than credit cards – As expensive as a credit card breach can be to remediate, in general there have been no long-term financial consequences (in stock price) for enterprises that have experienced credit card breaches, as long as they make a good faith effort to remediate the breach and to meet PCI DSS requirements. However, the range and value of an organization’s intellectual property is far greater than credit card information. Losing trade secrets to a competitor is much more likely to have long-term financial consequences.
  • Provides immediate vulnerability mitigation – It is simply impossible to have vulnerability-free applications. But even when vulnerabilities are discovered there may be reasons that immediate patching is not feasible. What enterprise has not faced the choice, due to resource constraints, of fixing vulnerabilities in a deployed application or meeting a business-defined deadline on a new application?
  • Supports 3rd party applications which you cannot control – Not all web-facing applications are home grown. For example, are you providing external access to SharePoint?
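The “immediate vulnerability mitigation” point is usually delivered as a virtual patch: a WAF rule that narrows what a known-weak parameter will accept until the application fix ships. The following is an added illustration of that idea on top of a positive enforcement model for one route; it is not code from the page or from any WAF product, and the route, parameter names, patterns and the ticket id placeholder are all constructed.

```python
import re
from urllib.parse import parse_qsl

# Constructed example of a WAF-style positive enforcement model for one route,
# plus a "virtual patch" that tightens a single parameter until the application
# itself is fixed. Route, parameters and the ticket placeholder are hypothetical.

# Positive model: for each (method, path), the parameters that may appear and
# the exact pattern each value must satisfy. Anything not listed is blocked.
ROUTE_SCHEMAS = {
    ("GET", "/orders"): {
        "id":     re.compile(r"[0-9]{1,10}"),
        "format": re.compile(r"json|csv"),
    },
}

# Virtual patch: until the fix tracked as VP-PLACEHOLDER-1 (hypothetical ticket)
# is deployed, pretend the csv code path is the flawed one and allow json only.
VIRTUAL_PATCHES = {
    ("GET", "/orders"): {"format": re.compile(r"json")},
}

def inspect(method, path, query, patches=VIRTUAL_PATCHES):
    """Return ("allow", None) or ("block", reason) for one request.

    Unknown routes and unexpected parameters are blocked because the model
    lists what is allowed rather than trying to enumerate what is bad.
    """
    schema = ROUTE_SCHEMAS.get((method, path))
    if schema is None:
        return "block", "route not in positive model"
    params = parse_qsl(query, keep_blank_values=True)
    for name, _ in params:
        if name not in schema:
            return "block", f"unexpected parameter {name!r}"
    # A virtual patch overrides the base pattern for the named parameter only.
    rules = {**schema, **patches.get((method, path), {})}
    for name, value in params:
        if not rules[name].fullmatch(value):
            return "block", f"parameter {name!r} failed pattern"
    return "allow", None

def audit(requests, patches=VIRTUAL_PATCHES):
    """Run inspect() over (method, path, query) tuples; returns verdict list."""
    return [inspect(m, p, q, patches)[0] for m, p, q in requests]

# Constructed sample traffic: one normal request, one hitting the patched code
# path, one with an extra parameter, one malformed value, one unknown route.
SAMPLE_REQUESTS = [
    ("GET",  "/orders", "id=42&format=json"),
    ("GET",  "/orders", "id=42&format=csv"),
    ("GET",  "/orders", "id=42&debug=1"),
    ("GET",  "/orders", "id=abc"),
    ("POST", "/orders", ""),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", inspect(*req))
    print("without virtual patch:", audit(SAMPLE_REQUESTS, patches={}))
```

Running it shows the csv request blocked only while the virtual patch is in place (pass `patches={}` to see it allowed again once the application fix is deployed), while the unexpected parameter, the non-numeric id and the unknown route are blocked by the positive model itself regardless of any patch.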

If you have a question or a comment, or would like more information, please let us know by completing the Contact Us box on the upper right side of this page.