Build and Maintain a Secure Network and Systems

The following are recommendations and information for the Build and Maintain a Secure Network and Systems requirements.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Recommendations and Information for Requirement 1

  • Install iWay Service Manager (iSM), your application run-time environment, and iWay Integration Tools (iIT), your design-time environment, on an internal (trusted) network segment that is not exposed to the Internet Demilitarized Zone (DMZ). This installation and the applications hosted on this server should be used for processing sensitive data and further access to the internal networks and systems. If no communication with external systems is required, this approach is sufficient and is fully secured by the trusted network.
  • To enable external communication to the internal iWay applications, the client is advised to use the Reverse Verified Invocation (RVI) feature of the iWay product. This feature is also known as an iWay Proxy. It enables the installation of a secondary iWay Service Manager in the DMZ segment, where this server can communicate with outside public systems and users. This server is also used to validate the incoming data, based on the chosen security standard, before the data gets to the internal (trusted) iWay application. This approach does not require opening any ports within the firewall, as the secure communication is initiated and driven by the iWay application running on the internal network, which is capable of reaching out and getting messages from the DMZ-hosted iWay application. This type of installation is required only if there is a need to interact with external systems. For more information, see the iWay Cross-Channel Services Guide and the following image.
  • Regardless of the installation and network configuration type, there are two ports used by iWay Service Manager for communication purposes, which can be changed by the user based on the user requirement. These ports can also be disabled, and monitoring and management aspects can be handled using other product components.

    Product Ports

    • Console port used for monitoring and management of applications (default 9999). Supports HTTPS and can be disabled completely in a production application.
    • SOAP channel used for internal communication (default 9000). Supports HTTPS. Should not be included in production applications. Used during the application development cycle for publishing and deploying applications into the runtime.
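As an added example (not iWay tooling or code from the original guide), the following script audits the listening sockets on a host against the two default ports listed above. The function names, the FAIL/REVIEW labels, and the sample `ss -ltnH` output are assumptions constructed for illustration; pass your own port map if the defaults were changed.

```python
import ipaddress

# Default iSM ports from the list above. Both can be changed by the user,
# so override this map to match the deployed configuration.
ISM_PORTS = {9999: "console", 9000: "soap"}

# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 *:9000 *:*
LISTEN 0 50 [::]:9999 [::]:*
LISTEN 0 50 127.0.0.1:8080 0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return (address, port) pairs for every LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            # Drop IPv6 brackets and any %interface suffix.
            listeners.append((addr.strip("[]").split("%")[0], int(port)))
    return listeners

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "*" wildcard or anything unparsable: treat as exposed
        return False

def audit(ss_output, production=True, ports=ISM_PORTS):
    """Return (port, address, status, reason) tuples for iSM listeners."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        role = ports.get(port)
        if role == "soap" and production:
            findings.append((port, addr, "FAIL",
                             "SOAP channel should not be in a production application"))
        elif role == "console" and not is_loopback(addr):
            findings.append((port, addr, "REVIEW",
                             "console reachable off-host: disable it or confirm HTTPS"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```
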

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Recommendations and Information for Requirement 2.1

  • Change the default iWay Service Manager (iSM) Administrative Console credentials or enable the integration with external role or user management systems such as AD/LDAP, which can be used for authentication and authorization for the iSM Console.

Recommendations and Information for Requirement 2.2.1

  • Develop the applications using a modular approach so that different applications can be deployed utilizing different security models and having access to different systems.
  • Modular development of applications and segregation of business functions into separate applications ensures that if there is a need for a security model update, only relevant applications with business functions are impacted.

Recommendations and Information for Requirements 2.2.2, 2.2.3, and 2.2.4

  • Secure the iSM Administrative Console by enabling HTTPS access and defining Access Control Lists for user management.
  • Ensure that any application logic utilizing externally visible protocols such as HTTP, SOAP, AS2, and Queuing protocols, has proper security settings in place.
  • Keep the relevant security files such as Keystores, Truststores, and others, in a secure location accessible only to Security personnel.
  • Ensure that all system access credentials are accessible only by authorized users during the development life cycle.

Recommendations and Information for Requirement 2.2.5

  • In a production environment, an iWay application does not require any other iWay component to run. It is a self-contained application, which runs in a Java process. For Windows Services, it can run as either an in-Java process or an out-of-Java process.
  • Production iWay applications should not contain any test jars, unnecessary scripts, or any third-party components, unless they are required for an application to run and execute business logic.
  • Production applications should not contain any properties files, which were used during development to store and retrieve configuration values. Production applications should be packaged with production level properties files and any other relevant configuration properties. The values in the properties files can be encrypted for storage.
  • Production applications should be deployed with a proper deployment template, which contains the definition for any external connectivity to the systems.
  • The minimal environmental requirement for an iWay application to run is Java Virtual Machine version 8.

Recommendations and Information for Requirements 2.3 and 2.5

  • Deployed iWay applications do not require external access, except for monitoring purposes.
  • The iWay Service Manager Administrative Console used for monitoring applications should be HTTPS enabled.
  • The defaults for iSM Administrative Console access are documented and should be changed by the user.