5

I'm currently evaluating different approaches to implement a web application firewall (WAF) in our architecture. We need the WAF due to PCI DSS.

I would prefer using a cloud based WAF (e.g. CloudFlare or Incapsula). However, I have some concerns about whether it would comply with PCI.

The setup is as follows:

Client ---> WAF ---> Origin Server

The origin server (our web server) can check the source IP address to protect the server. However, the source IP address can be spoofed and hence an attacker can bypass the WAF.

As per the response to "Is it possible to pass TCP handshake with spoofed IP address?", spoofing at layer 7 (which the WAF should protect) is theoretically possible. In practice it does not seem to be a feasible attack.

Is a cloud based WAF PCI compliant or not?

EDIT: For this specific question I found out that CloudFlare provides client certificate authentication. This was added in the last few days: https://blog.cloudflare.com/protecting-the-origin-with-tls-authenticated-origin-pulls/ However, the other questions remain unanswered.

3 Answers

3

I should think a QSA will be satisfied that IP addresses cannot be spoofed in order to bypass a device that operates at the application layer.

As long as you can prove that access is properly locked down to the correct IP ranges, and as Cloudflare are PCI compliant, I expect this should be fine.

Also note that you are not required to have a WAF if you do vulnerability assessments and scans of your web infrastructure at least yearly and upon every deploy (emphasis mine):

6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:

  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes

    Note: This assessment is not the same as the vulnerability scans performed for Requirement 11.2.

  • Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.

SilverlightFox
  • Thank you for your response. We are planning to use AWS. AWS has security groups. With those we are able to lock down the IP ranges from Cloudflare. – Thomas Hunziker Feb 18 '15 at 16:11
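The IP lock-down discussed in this answer and its comment (only the WAF's published egress ranges may reach the origin) can be enforced at the network layer with security groups and again in the application. Below is an added example of the application-side check, written for this page and not taken from the answerer, Cloudflare or AWS. The CIDR ranges are constructed placeholders from the documentation address blocks standing in for a vendor's real list, and the forwarded-client-IP header name is an assumption; substitute whatever your WAF documents. The check keys on the accepted socket's peer address, which is the address that completed the TCP handshake, so the layer-7 spoofing concern raised in the question does not apply to it. It also shows the related detail that a "real client IP" header is only believable when the connection itself came from the WAF, because a client hitting the origin directly can set any header it likes.

```python
import ipaddress
from typing import Dict, Optional

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation blocks)
# standing in for the WAF vendor's published egress addresses. A real
# deployment loads the vendor's current list, which changes over time.
WAF_RANGES = tuple(
    ipaddress.ip_network(cidr)
    for cidr in ("198.51.100.0/24", "203.0.113.0/24", "2001:db8:acad::/48")
)

# Header in which the WAF reports the real client address. The name is an
# assumption for this example; use whatever your WAF actually sets.
CLIENT_IP_HEADER = "X-Forwarded-For"


def is_from_waf(peer_addr: str, ranges=WAF_RANGES) -> bool:
    """True if the TCP peer address of the connection belongs to the WAF.

    The peer address is taken from the accepted socket, i.e. from a completed
    TCP handshake. A sender that forges its source address never completes
    that handshake, so it never gets as far as this check.
    """
    try:
        addr = ipaddress.ip_address(peer_addr)
    except ValueError:
        return False  # malformed address: treat as untrusted
    return any(addr in net for net in ranges)


def real_client_ip(peer_addr: str, headers: Dict[str, str],
                   ranges=WAF_RANGES) -> Optional[str]:
    """Return the client address the application should log and rate-limit on.

    The forwarded header is believed only when the connection came from the
    WAF; a direct client can put anything in it. With exactly one trusted hop
    in front of us, the last comma-separated entry is the one the WAF appended.
    """
    if not is_from_waf(peer_addr, ranges):
        return None
    # Header names are case-insensitive, so match them that way.
    raw = next((v for k, v in headers.items()
                if k.lower() == CLIENT_IP_HEADER.lower()), "")
    last = raw.rsplit(",", 1)[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None  # came via the WAF but the header is unusable: don't guess


def gate_request(peer_addr: str, headers: Dict[str, str],
                 ranges=WAF_RANGES) -> Dict[str, object]:
    """Admit a request only if it arrived through the WAF."""
    if not is_from_waf(peer_addr, ranges):
        return {"allowed": False, "reason": "peer not in WAF ranges",
                "client_ip": None}
    return {"allowed": True, "reason": "via WAF",
            "client_ip": real_client_ip(peer_addr, headers, ranges)}


if __name__ == "__main__":
    # Constructed sample connections: (socket peer address, request headers).
    samples = [
        ("198.51.100.7", {"X-Forwarded-For": "192.0.2.44"}),        # via WAF
        ("192.0.2.44", {"X-Forwarded-For": "198.51.100.7"}),        # direct hit, forged header
        ("2001:db8:acad::1", {"x-forwarded-for": "203.0.113.9, 192.0.2.10"}),
        ("not-an-ip", {}),
    ]
    for peer, hdrs in samples:
        print(peer, "->", gate_request(peer, hdrs))
```

The application check is a second layer, not a replacement for the network-level rule: the security group stops the packets, and this code makes sure that a misconfigured group (or a request reaching the process over some other path) still does not get served or logged under an attacker-chosen client address.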
2

You may want to ask an expert in person, as PCI compliance is a specialty in and of itself; however, at least CloudFlare suggests that they are PCI compliant:

https://blog.cloudflare.com/cloudflare-is-pci-certified/

It seems like they underwent some stringent tests to get certified, so if you have to make a snap decision, it looks like you may be ok. I would consult an absolute expert on the process in person, however.

MrSynAckSter
  • Thank you for your response. I have seen that they are certified. Otherwise we could never be certified. I will ask also our auditor. – Thomas Hunziker Feb 17 '15 at 19:32
1

Full disclosure: I work for Incapsula; we are a cloud-WAF provider.

To answer your questions:

  1. To pass TCP handshakes with a spoofed IP you'll need to be in control of the router, which means you need to be in an ISP-like position. For more info, please see the @gowenfawr answer in this discussion (also linked in the OP). In short, while theoretically possible, the access that would allow you to pass a TCP handshake with a spoofed address would enable you to do much (much) worse.

  2. Yes, cloud-WAFs can be PCI compliant. Our product is, and has been for over 3 years:
    https://www.incapsula.com/website-security/pci-compliance.html

    This means that you can use the product to comply with the dreaded 6.6 clause, which requires you to use a PCI-compliant WAF or undergo periodic application code reviews (after every update).

Igal Zeifman