This question is a follow-up to this forum topic:
One PCI DSS requirement says that all externally-facing websites should be behind a Web Application Firewall (WAF) product. In theory this makes sense, because a WAF product should be able to protect against maliciously malformed data, such as a 500-character response in a field that is configured with MaxLength=5. Typical web application developers cannot anticipate and test for all possible malformed responses, so a specialized product is needed.
Additionally, PCI DSS specifies that remote access should use two-factor authentication, with good reason. Unfortunately, the SmarterMail implementation of 2-factor is hard to love, because it is not sensitive to whether a connection is remote or local. Administrators can control which users require 2-factor logins, but we cannot control whether an account can be used remotely. Consequently, a defense based on 2-factor authentication requires that it be enabled on all accounts, including generic accounts that are shared by multiple users. For users who usually or always access SmarterMail locally, adding 2-factor to their internal work environment is an unattractive burden that will produce complaints.
Consequently, I am looking to implement a WAF site which:
- Is positioned at the network perimeter, to intercept remote connections,
- Authenticates users to decide whether a particular account can be used remotely with webmail, and
- Provides 2-factor authentication for those connections.
SmarterMail support has already told me that I am on my own for this undertaking. I don't think I should be, because PCI DSS requirements (and general network security principles) apply to everybody.
So far, I have tried two different WAF products, but have been unable to get either of them working. Has anyone found a WAF product that can co-exist with SmarterMail?
Am I the only one who has this concern?
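The perimeter policy described above (local connections pass through, remote connections only for cleared accounts and only with a second factor) can be sketched as a gateway decision function. This is an added illustration, not code from the original post or from SmarterMail; the internal address ranges, account names and per-user TOTP secrets are constructed assumptions, and the TOTP routine follows RFC 6238 so it can be checked against that RFC's published test vector.

```python
import hmac, hashlib, struct, time, ipaddress

# Constructed policy for this example (assumptions, not SmarterMail settings):
# address ranges that count as "local", and the accounts cleared for remote
# webmail use. Shared/generic accounts are deliberately left out of the set.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
REMOTE_ALLOWED = {"alice", "bob"}                       # constructed names
TOTP_SECRETS = {"alice": b"12345678901234567890",       # RFC 6238 test secret
                "bob": b"12345678901234567890"}

def is_local(client_ip: str) -> bool:
    """True when the connection originates from an internal network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in INTERNAL_NETWORKS)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus one step either side for clock drift,
    comparing in constant time."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * 30), code)
               for d in range(-window, window + 1))

def gateway_decision(user: str, client_ip: str, totp_code=None, unix_time=None) -> str:
    """Decide whether the perimeter gateway forwards this webmail login to the
    mail server (which still performs its own password check).
    Returns "allow", "deny" or "need_totp"."""
    if is_local(client_ip):
        return "allow"               # local users carry no perimeter second factor
    if user not in REMOTE_ALLOWED:
        return "deny"                # account is not cleared for remote use
    if totp_code is None:
        return "need_totp"           # prompt for the second factor
    now = int(time.time()) if unix_time is None else unix_time
    return "allow" if verify_totp(TOTP_SECRETS[user], totp_code, now) else "deny"
```

Hanging the decision off the client address only works when the gateway sees the real source address, so a proxy in front of it must be trusted to set (and the gateway configured to honour) the forwarded-for header.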