Tuesday, 26 June 2012

Meeting PCI DSS Requirement 6.6 in Virtualized Environments

Cisco and Imperva recently announced that the Imperva SecureSphere WAF can now run on Cisco's Nexus 1010 Virtual Services Appliance.

More and more organizations are virtualizing their web applications and/or hosting them in cloud infrastructures for the operational benefits. This further increases the complexity of meeting PCI DSS requirement 6.6.

For the uninitiated, compliance with PCI DSS (the Payment Card Industry Data Security Standard) is required of every merchant and service provider that stores, processes or transmits cardholder data. Requirement 6.6 specifically deals with public-facing web applications and offers two options. The first is to review those applications for vulnerabilities, by manual or automated assessment, at least annually and after any change, to ensure they are securely coded. The second is to install a web application firewall (WAF) in front of them. As it is impossible for most organizations to ensure all their code is 100% secure, most deployments opt for a WAF in conjunction with regular automated and manual code reviews; the two options are not mutually exclusive.

Although it is called a firewall, a WAF is generally a very advanced piece of software that learns how a hosted web application behaves and then blocks requests that deviate from that behaviour. In practice this means protecting against at least the OWASP (Open Web Application Security Project) Top 10 web application risks, the most exploited of which are SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF).
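To make the two models a WAF combines concrete, here is an added example (example code, not from the original post and not Cisco's or Imperva's software): a negative model of attack signatures for SQL injection and XSS, a positive model learned from clean traffic that records which parameters each endpoint accepts and what their values look like, and an origin-plus-token check for CSRF. The hostname shop.example, the csrf_token parameter name, the signature patterns and all the sample requests are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlparse

HOST = "shop.example"  # assumed hostname of the protected application

# Negative model: signatures for the three attack classes named in the post
# (illustrative patterns only, nowhere near a production rule set).
SIGNATURES = {
    "sqli": re.compile(r"(['\"])\s*(or|and)\s+['\"\w]+\s*=|\bunion\s+select\b|--\s*$|;\s*drop\s+table", re.I),
    "xss": re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.I),
}

# Positive model: value classes from most to least restrictive. A parameter's
# learned class widens whenever clean traffic shows a broader value.
VALUE_CLASSES = [
    ("digits", re.compile(r"^\d+$")),
    ("token", re.compile(r"^[\w@.\-]+$")),
    ("text", re.compile(r"^[\w@.\- ,]+$")),
    ("any", re.compile(r".*", re.S)),
]

def classify(value):
    return next(i for i, (_, rx) in enumerate(VALUE_CLASSES) if rx.match(value))

def request_params(req):
    """Yield (name, value) pairs from the query string and, for POST, the form body."""
    yield from parse_qsl(urlparse(req["url"]).query, keep_blank_values=True)
    if req["method"] == "POST":
        yield from parse_qsl(req.get("body", ""), keep_blank_values=True)

class Profile:
    """Per-endpoint record of which parameters exist and what their values look like."""

    def __init__(self):
        self.endpoints = {}  # (method, path) -> {param: class_index}

    def learn(self, req):
        ep = self.endpoints.setdefault((req["method"], urlparse(req["url"]).path), {})
        for name, value in request_params(req):
            ep[name] = max(ep.get(name, 0), classify(value))

    def violations(self, req):
        ep = self.endpoints.get((req["method"], urlparse(req["url"]).path))
        if ep is None:
            return ["profile: unknown endpoint"]
        out = []
        for name, value in request_params(req):
            if name not in ep:
                out.append(f"profile: unexpected parameter {name}")
            elif classify(value) > ep[name]:
                out.append(f"profile: {name} not {VALUE_CLASSES[ep[name]][0]}")
        return out

def csrf_violations(req):
    """State-changing requests must come from our own origin and carry the anti-CSRF token."""
    if req["method"] != "POST":
        return []
    headers = req.get("headers", {})
    source = headers.get("Origin") or headers.get("Referer") or ""
    out = []
    if urlparse(source).netloc != headers.get("Host"):
        out.append("csrf: cross-site origin")
    if "csrf_token" not in dict(request_params(req)):  # assumed token parameter name
        out.append("csrf: missing token")
    return out

def inspect(req, profile):
    """WAF decision for one request: block if any check fails, otherwise allow."""
    reasons = []
    for name, value in request_params(req):
        reasons += [f"{sig} in {name}" for sig, rx in SIGNATURES.items() if rx.search(value)]
    reasons += profile.violations(req)
    reasons += csrf_violations(req)
    return {"action": "block" if reasons else "allow", "reasons": reasons}

def make(method, url, body="", origin=None):
    """Build a constructed request dict; there is no real HTTP traffic in this example."""
    headers = {"Host": HOST}
    if origin:
        headers["Origin"] = origin
    return {"method": method, "url": url, "headers": headers, "body": body}

def build_profile():
    """Learning mode: build the positive model from constructed clean traffic."""
    profile = Profile()
    for req in [
        make("GET", "/search?q=running+shoes"),
        make("GET", "/item?id=42"),
        make("POST", "/checkout", "item=42&qty=2&csrf_token=f00dbabe", origin="https://shop.example"),
    ]:
        profile.learn(req)
    return profile

PROFILE = build_profile()

if __name__ == "__main__":
    for probe in [make("GET", "/item?id=42"), make("GET", "/item?id=1' or '1'='1")]:
        print(probe["url"], inspect(probe, PROFILE))
```

The positive model is what the post means by a WAF "understanding how a hosted web application behaves": it is the learned profile, not the signatures, that blocks an unknown endpoint or a non-numeric id that no signature would ever name. A real WAF does the same with a far richer profile (value lengths, encodings, session state) and a maintained signature set, and it is normally run in learning mode against known-clean traffic before it is allowed to block.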

Running a WAF in a virtualized environment is complicated. A WAF virtual instance consumes CPU and memory on the hypervisor that would otherwise run application workloads. Also, separation of duties, a core security principle, is hampered when the WAF is deployed as just another virtual machine and control of it is handed to the virtual server team. This is where the Cisco Imperva announcement starts to make sense, as it addresses exactly these issues.

The Cisco Nexus 1010-X is a dedicated appliance for hosting virtual service nodes such as the Nexus 1000V virtual supervisor module (VSM) for Cisco's virtual switch, virtual firewalls (the Cisco VSG or ASA 1000V) and the virtual network analysis module (NAM). Moving these services, and now the WAF, off the application servers and onto the virtual services appliance gives separation of duties between the security administrators and the server administrators, while offloading security processing from the application hosts to dedicated hardware.

You can read more about this announcement on the Imperva and Cisco websites.

Stay Secure!
