Control 6.6


npuetz
06-21-2007, 11:14 AM
All,

I was hoping for some clarification on control 6.6 within the DSS. Will 6.6 require that application firewalls be placed in front of INTERNET facing (i.e., publicly accessible) web applications only? Or, does it require that an application firewall be placed in front of ALL web applications; even applications that can only be accessed from a company's private network?

To put this another way, the requirement specifically says "Ensure that all web-facing applications are protected against known attacks...". Does anyone have a definition of what a web-facing application is? Does web facing mean it is available from the Internet, or does web facing mean any web application... period?

Thanks!

MissedDeadline
06-21-2007, 03:37 PM
If your internal web applications are only accessible via non-public IP ranges, like a private network, then internet users couldn't access them and they would be an example of a non 'web-facing' web app. I think they should say INTERNET facing to make this requirement slightly more clear. If users are VPN'ing in then the VPN server is effectively a firewall.

Doesn't DSS just make you all warm and fuzzy?

lyalc
06-21-2007, 07:18 PM
I also think some minor clarification here will help.
In a 3-tier architecture, the application server is typically behind the discrete (physically and/or network segregated) web/HTTP layer, and thus could be seen as not public/Internet facing. This is particularly true in many production Java-based app servers - Tomcat, SunOne, WebSphere, JBoss environments, in my experience.

I think it's clearer to say "If the intent is for access by external partners or the public at large to the web application, the WAF criteria should apply."

Lyal

RARBE
06-22-2007, 11:18 AM
Note, WAFs do not protect against badly designed business logic or back doors, whereas code reviews give a warmer feeling. I believe your clients should be advised of this.

How much do they trust the developers of the application, and what is at stake? Only the client can make that call.

Rgds
Richard