PCI DSS Compliance

Profense™ web application firewall provides full PCI DSS 2.0 requirements compliance.

Recommended capabilities

According to the Information Supplement "Requirement 6.6 Code Reviews and Application Firewalls Clarified" from the PCI Security Standards Council, a web application firewall should be able to:

Recommended capability | Profense capabilities

Meet all applicable PCI DSS requirements pertaining to system components in the cardholder data environment.

Profense WAF meets all PCI DSS requirements pertaining to system components in the cardholder data environment.

React appropriately (defined by active policy or rules) to threats against relevant vulnerabilities as identified, at a minimum, in the OWASP Top Ten and/or PCI DSS Requirement 6.5.

Profense WAF provides defenses against all of the OWASP Top Ten application vulnerabilities.

Inspect web application input and respond (allow, block, and/or alert) based on active policy or rules, and log actions taken.

Profense WAF inspects all incoming web traffic and responds by enforcing the applicable security policy: each event is allowed, logged, blocked or alerted on as the policy dictates.

Prevent data leakage—meaning have the ability to inspect web application output and respond (allow, block, mask and/or alert) based on the active policy or rules, and log actions taken.

Data leak prevention allows fully configurable policies that match confidential data such as payment card numbers and Social Security numbers in application output and rewrite (mask) or block it.

Enforce both positive and negative security models. The positive model (“white list”) defines acceptable, permitted behavior, input, data ranges, etc., and denies everything else. The negative model (“black list”) defines what is NOT allowed; messages matching those signatures are blocked, and traffic not matching the signatures (not “black listed”) is permitted.

Profense WAF supports positive and negative filtering and combinations thereof.
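The following is an added illustration of how the two models described above combine; it is example code written for this page, not Profense code, and the parameter names, the permitted ranges and the signature patterns are constructed for the example. Known parameters are validated against the white list (everything else is denied), unknown parameters fall through to the black list, and the caller chooses which model, or the combination, to enforce.

```python
import re
from urllib.parse import parse_qsl

# Positive model ("white list"): per-parameter rules for a constructed checkout form.
# Anything not matching the rule for its parameter is denied.
POSITIVE_RULES = {
    "qty":  re.compile(r"^[1-9]\d{0,2}$"),            # integer 1..999
    "zip":  re.compile(r"^\d{5}$"),                   # five-digit postal code
    "name": re.compile(r"^[A-Za-z][A-Za-z '\-]{0,59}$"),
}

# Negative model ("black list"): generic signatures applied to every value.
# Anything matching a signature is denied; everything else passes.
NEGATIVE_SIGNATURES = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-z]", re.I)),
    ("sql_union", re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I)),
    ("path_traversal", re.compile(r"\.\./")),
]


def evaluate(query: str, mode: str = "combined"):
    """Return ("allow" | "block", reason) for a query string.

    mode: "positive"  - enforce only the white list (unknown parameters blocked)
          "negative"  - enforce only the black list
          "combined"  - white list for known parameters, black list for the rest
    """
    for name, value in parse_qsl(query, keep_blank_values=True):
        if mode in ("positive", "combined"):
            rule = POSITIVE_RULES.get(name)
            if rule is None:
                if mode == "positive":
                    return ("block", f"unknown parameter {name}")
                # combined mode: unknown parameter, fall through to the black list
            elif not rule.fullmatch(value):
                return ("block", f"{name} outside permitted range")
        if mode in ("negative", "combined"):
            for sig_name, pattern in NEGATIVE_SIGNATURES:
                if pattern.search(value):
                    return ("block", f"{name} matched signature {sig_name}")
    return ("allow", "")


if __name__ == "__main__":
    # Constructed sample requests.
    for q in ("qty=3&zip=12345&name=Ann+Lee", "qty=0&zip=12345",
              "search=shoes", "comment=%3Cb%3Ehi%3C/b%3E"):
        for mode in ("positive", "negative", "combined"):
            print(f"{mode:9s} {q!r:40s} -> {evaluate(q, mode)}")
```

The combined mode is where the two models pay off together: a learned parameter such as `qty` is held to its exact range, while a parameter the white list has never seen is still screened by signatures instead of being rejected outright.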

Inspect both web page content, such as Hypertext Markup Language (HTML), Dynamic HTML (DHTML), and Cascading Style Sheets (CSS), and the underlying protocols that deliver content, such as Hypertext Transport Protocol (HTTP) and Hypertext Transport Protocol over SSL (HTTPS). (In addition to SSL, HTTPS includes Hypertext Transport Protocol over TLS.)

Profense WAF inspects all of the content types and protocols mentioned.

Inspect web services messages, if web services are exposed to the public Internet. Typically this would include Simple Object Access Protocol (SOAP) and eXtensible Markup Language (XML), both document- and RPC-oriented models, in addition to HTTP.

Profense WAF supports inspection of XML-based web services requests, including SOAP, JSON and XML-RPC.

XML-based requests are learned like other queries, and positive and negative policies, or combinations thereof, can be enforced on them.

Inspect any protocol (proprietary or standardized) or data construct (proprietary or standardized) that is used to transmit data to or from a web application, when such protocols or data are not otherwise inspected at another point in the message flow.

Profense WAF inspects HTTP and should only be used for HTTP(S)-based traffic.

Defend against threats that target the WAF itself.

Profense WAF is a software appliance based on a stripped and hardened version of OpenBSD, which is regarded as the most secure OS you can get. Profense WAF components run in a non-privileged and closed run-time environment. ProPolice, W^X protection, a non-executable stack, etc. further harden the system.

Support SSL and/or TLS termination, or be positioned such that encrypted transmissions are decrypted before being inspected by the WAF. Encrypted data streams cannot be inspected unless SSL is terminated ahead of the inspection engine.

Profense WAF terminates HTTPS and optionally re-encrypts requests before they are sent to the web system.

Prevent and/or detect session token tampering, for example by encrypting session cookies, hidden form fields or other data elements used for session state maintenance. (additional recommendation for certain environments).

Session cookies are bound to client IP addresses by issuing a validation cookie containing a cryptographic token (a checksum) which validates that the client IP address is the one the session token was originally issued to. To carry out a session attack, an attacker would therefore also have to obtain the target's IP address or, in the case of session fixation, have the target connect from the attacker's IP address.
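The binding described above, as an added example that is not Profense code: the page only says the validation cookie carries a cryptographic token, so the construction here is an assumption, namely an HMAC-SHA256 over the session identifier and the client IP address under a server-side secret. The cookie names, the secret and the sample addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads it from protected config.
SERVER_KEY = secrets.token_bytes(32)

SESSION_COOKIE = "sid"        # the application's own session cookie (assumed name)
VALIDATION_COOKIE = "sidv"    # the validation cookie added in front of it (assumed name)


def issue_validation_cookie(session_id: str, client_ip: str, key: bytes = SERVER_KEY) -> str:
    """Compute the validation cookie value binding session_id to client_ip.

    An unkeyed checksum could be recomputed by anyone who knows the scheme; a keyed
    MAC means only the holder of SERVER_KEY can produce a value that verifies.
    """
    message = f"{session_id}|{client_ip}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def validate_session(session_id: str, client_ip: str, validation_cookie: str,
                     key: bytes = SERVER_KEY) -> bool:
    """True only if validation_cookie was issued for this session_id and client_ip."""
    expected = issue_validation_cookie(session_id, client_ip, key)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, validation_cookie)


def check_request(cookies: dict, client_ip: str) -> str:
    """Classify an incoming request by its cookies.

    Returns "new" (no session yet), "valid" (binding verifies) or "mismatch"
    (session cookie presented with a missing or non-matching validation cookie).
    """
    session_id = cookies.get(SESSION_COOKIE)
    if session_id is None:
        return "new"
    token = cookies.get(VALIDATION_COOKIE)
    if token is None or not validate_session(session_id, client_ip, token):
        return "mismatch"
    return "valid"


if __name__ == "__main__":
    # Constructed scenario: a session issued to one address is replayed from another.
    sid = "9f1c2d3e4a5b"
    issued_to = "203.0.113.10"
    cookies = {SESSION_COOKIE: sid,
               VALIDATION_COOKIE: issue_validation_cookie(sid, issued_to)}
    print("same client: ", check_request(cookies, issued_to))      # valid
    print("other client:", check_request(cookies, "198.51.100.7"))  # mismatch
```

On a `"mismatch"` result the natural policy is to drop the session cookie and treat the request as unauthenticated, which is what makes a copied session token useless from any other address. The trade-off is that clients whose source address legitimately changes mid-session (mobile networks, some proxy pools) will be logged out, which is why the page lists this as a recommendation for certain environments.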

Automatically receive and apply dynamic signature updates from a vendor or other source. In the absence of this capability, there should be procedures in place to ensure frequent update of WAF signatures or other configuration settings. (additional recommendation for certain environments).

Profense WAF's automated inline update system ensures that the latest signatures are applied and that the Profense WAF software stays up to date.

Fail open (a device that has failed allows traffic to pass through uninspected) or fail closed (a device that has failed blocks all traffic), depending on active policy. (additional recommendation for certain environments).

Profense WAF fails closed. For debugging purposes, a bypass mode provides load balancing and acceleration only.

In certain environments, the WAF should support Secure Sockets Layer (SSL) client certificates and proxying client authentication via certificates. Many modern web applications use client SSL certificates to identify end users. Without this support, these applications cannot reside behind a web application firewall. Many modern web application firewalls will integrate with Lightweight Directory Access Protocol (LDAP) or other user directories and can even perform initial authentication on behalf of the underlying application. (additional recommendation for certain environments).

Profense WAF supports SSL client authentication and authorization, and forwards SSL client certificates to the backend.

Some ecommerce applications may require FIPS hardware key store support. If this is a consideration in your environment, make sure that the WAF vendor supports this requirement in one of their systems and be aware that this feature may drastically increase the cost of the solution. (additional recommendation for certain environments).

As a software appliance, Profense WAF does not provide a hardware key store out of the box.

PCI DSS requirements pertaining to system components in the cardholder data environment

PCI DSS Requirement | Profense Web Application Firewall capabilities

2.1 Always change vendor-supplied defaults before installing a system on the network (for example, passwords and simple network management protocol (SNMP) community strings, and eliminate unnecessary accounts).

Profense is a software appliance.

It includes a hardened OS and installs on most standard hardware.

No unnecessary services are running and only two passwords should be changed upon installation.

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards as defined, for example, by SysAdmin Audit Network Security Network (SANS), National Institute of Standards Technology (NIST), and Center for Internet Security (CIS).

Profense is based on a stripped and hardened version of OpenBSD, which is regarded as the most secure OS you can get. Profense components run in a non-privileged and closed run-time environment. ProPolice, W^X protection, a non-executable stack, etc. further harden the system.

2.3 Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access.

Access to the web-based management interface is only allowed through HTTPS (SSL/TLS).

3.4 Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks)...

Log input data masking matches PANs in all query input (including PANs entered in the wrong input fields) and renders them completely unreadable.
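As an added example of the masking described here and of the output-side data leak prevention listed under the recommended capabilities, the following Python is example code written for this page, not Profense code. It finds PAN candidates in free text or in a query string (including values in fields that are not the card-number field), keeps only those that pass the Luhn check to avoid masking ordinary long numbers, and replaces every digit so that nothing of the PAN reaches the log. The input strings and field names are constructed; 4111 1111 1111 1111 is a well-known test number.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Candidate PANs: either four groups of four digits joined by spaces or dashes,
# or 13 to 19 contiguous digits. Both must be bounded by non-digits so that a
# PAN is not glued to a neighbouring number. (Formats such as 4-6-5 are not
# covered by this constructed pattern and would need an extra alternative.)
PAN_CANDIDATE = re.compile(
    r"(?<![\d-])\d{4}(?:[ -]\d{4}){3}(?![\d-])"
    r"|(?<!\d)\d{13,19}(?!\d)"
)


def luhn_valid(digits: str) -> bool:
    """Luhn check: doubling every second digit from the right, sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace every digit of each Luhn-valid candidate with X; leave other numbers alone."""
    def replace(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_valid(digits):
            return re.sub(r"\d", "X", raw)   # separators are kept, digits are gone
        return raw
    return PAN_CANDIDATE.sub(replace, text)


def mask_query(query: str) -> str:
    """Mask PANs in every value of a query string, whichever field they were typed into."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return urlencode([(name, mask_pans(value)) for name, value in pairs])


if __name__ == "__main__":
    # Constructed request: the PAN appears in its own field and, mistakenly, in a comment.
    sample = "pan=4111111111111111&order=1234567890123456&comment=card+4111-1111-1111-1111"
    print(mask_query(sample))
    # Constructed log line with the same number in response content.
    print(mask_pans('GET /receipt "card 4111 1111 1111 1111 thanks" 200'))
```

The order number survives because it fails the Luhn check, which is the difference between masking card data and blanking every long number a customer types. Because the masked value keeps its length and separators, the log line still shows where a PAN was entered, which is what an investigator needs, without the PAN itself.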