The PCI Security Standards Council has developed a standard for the security of cardholder data that serves to protect that data from the outside world. The standard consists of 12 requirements, each of which is further broken down into sub-requirements. Here we discuss the first requirement of the PCI DSS and how organizations should comply with it.
Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
Simply installing a firewall on the network does not make an organization compliant with PCI DSS Requirement 1. A lot of additional work is needed to fulfill the requirement. The firewall not only needs to be configured for inbound and outbound traffic, but must also be placed between the network and any wireless networks. Organizations need to review their policies for inbound and outbound traffic in detail.
Because customer needs change over time and business applications are continually updated, new firewall rules are regularly needed to open new services and ports. These changes need to be reviewed, documented and approved before they are implemented. This is necessary to ensure that information flows securely between different network areas and that all standards are met during the documentation process.
It is also important to remember that all assets involved in storing, processing or transmitting cardholder data must be secured by the configurations. To achieve this, information must be separated through network segmentation from mobile and wireless devices.
1.1. Establish and implement firewall and router configuration standards
Firewalls and routers sit at the entry and exit points of the network and control who can access it. Developing and implementing configuration standards for them is important to ensure that data remains protected as it enters and leaves the network.
To achieve compliance, all firewall and router configuration standards must be examined and their complete implementation verified. A well-documented process should be established under which every new connection and every firewall or router change is approved and tested before it is made. This documentation is important to avert security threats that result from network, firewall or router misconfiguration. All network diagrams should be examined and their connections to cardholder data verified. The data flow diagram should also be examined, and the personnel concerned interviewed, to verify that it represents all cardholder data flows across the network and that it is kept up to date.
A firewall should be placed at every internet connection into or out of the network, and between any demilitarized zone (DMZ) and the internal network. The firewall and router configuration standards should be verified by interviewing the personnel responsible for managing the network. This makes it easy to confirm that every individual is aware of their responsibilities and that those responsibilities are being fulfilled. The router and firewall rule sets should be reviewed every six months to remove any unnecessary or obsolete rules. Finally, for compliance purposes, the documented list of permitted services, ports and protocols must be verified.
1.2. Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
A firewall is a must between the internal trusted network and external untrusted networks. Without this protection, malicious users have an open invitation to intrude. To implement an effective firewall and comply with this requirement, the firewall must be correctly configured so that it prevents or limits access to the network. All inbound and outbound traffic should be restricted so that no one can enter the network from an unauthorized IP address.
Firewalls must be installed between a wireless network and the cardholder data environment, even if the wireless network is installed for a legitimate purpose of the organization.
1.3. Prohibit direct public access between the Internet and any system component in the cardholder data environment.
All router and firewall configurations need to be checked to verify that there is no direct path between the system components holding cardholder data and the internet. If direct access exists between the two, the firewall is bypassed and the cardholder data on those system components can be exposed and compromised.
Inbound traffic should only be able to reach those system components that provide ports and services intended to be publicly accessible. This protects the company's internal network from malicious users. Firewall and router configurations should also be checked to verify that no direct inbound or outbound connections can carry data between the internet and the CDE. This prevents a cyber criminal from sending your information from your network to an untrusted location.
For compliance it is also very important that anti-spoofing measures are correctly implemented. A malicious user may forge (spoof) the source IP address of a packet so that the receiver believes it was sent by a trusted sender. Any traffic leaving the cardholder data environment should be checked to make sure it is sent according to the established rules. Verify that all cardholder data resides within the trusted internal network; any such data found in a demilitarized zone or an untrusted network could easily become a target for cyber criminals. Internal IP addresses and routing information should not be disclosed to external networks.
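The checks described under 1.1 (documented services list), 1.2 (wireless networks and deny-all) and 1.3 (no direct internet-to-CDE paths, anti-spoofing) can be applied mechanically to an exported rule set. The following is an added example, not code from the original article or from any PCI DSS tool; the zone labels, the Rule layout and the sample rule set are all constructed assumptions, and the findings are tagged with the sub-requirement numbers used on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# RFC 1918 ranges: a packet arriving from the internet with one of these as its
# source address is spoofed and must be rejected (anti-spoofing, 1.3).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    src_zone: str        # hypothetical zone labels: internet, dmz, cde, wireless, any
    dst_zone: str
    src: str             # source network in CIDR notation
    proto: str
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"

def audit(rules: List[Rule], documented: Set[Tuple[str, int]]):
    """Return (rule number, requirement, message) for each rule conflicting with Requirement 1."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r.action != "allow":
            continue
        if (r.proto, r.port) not in documented:
            findings.append((n, "1.1", f"{r.proto}/{r.port} is not in the documented services list"))
        if {r.src_zone, r.dst_zone} == {"internet", "cde"}:
            findings.append((n, "1.3", f"direct {r.src_zone}->{r.dst_zone} path"))
        if r.src_zone == "wireless" and r.dst_zone == "cde":
            findings.append((n, "1.2", "wireless network reaches the CDE"))
        src = ipaddress.ip_network(r.src, strict=False)
        if r.src_zone == "internet" and any(src.subnet_of(p) for p in PRIVATE):
            findings.append((n, "1.3", f"spoofable private source {r.src} accepted from the internet"))
    last = rules[-1] if rules else None
    if not (last and last.action == "deny" and last.src == "0.0.0.0/0" and last.port is None):
        findings.append((len(rules), "1.2", "ruleset does not end with an explicit deny-all"))
    return findings

# Constructed sample: a documented services list and a deliberately flawed rule set.
DOCUMENTED = {("tcp", 443), ("tcp", 22), ("udp", 53)}
SAMPLE_RULES = [
    Rule("internet", "dmz", "0.0.0.0/0", "tcp", 443, "allow"),        # fine: public web tier
    Rule("internet", "dmz", "10.0.0.0/8", "tcp", 443, "allow"),       # spoofable source
    Rule("dmz", "cde", "172.16.5.0/24", "tcp", 5432, "allow"),        # undocumented port
    Rule("internet", "cde", "0.0.0.0/0", "tcp", 22, "allow"),         # direct internet -> CDE
    Rule("wireless", "cde", "192.168.50.0/24", "tcp", 443, "allow"),  # wireless -> CDE
    Rule("any", "any", "0.0.0.0/0", "any", None, "deny"),             # explicit deny-all
]

if __name__ == "__main__":
    for rule_no, req, msg in audit(SAMPLE_RULES, DOCUMENTED):
        print(f"rule {rule_no}: requirement {req}: {msg}")
```

Run against the sample it reports the four planted problems; dropping the final deny-all produces a fifth finding under 1.2.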
1.4. Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network. Firewall configurations include:
- Specific configuration settings are defined for personal firewall software.
- Personal firewall software is actively running.
- Personal firewall software is not alterable by users of mobile and/or employee-owned devices.
Internet-borne threats are more likely to reach devices that hold sensitive data and are used both inside and outside the organization's network. When such a device is used outside the network, the corporate firewall cannot protect it. Compliance with this requirement is achieved by installing a personal firewall on these devices to prevent internet-based attacks. Specific configuration settings suited to the organization's needs should be defined for the firewall, and the configuration should be locked so that the software cannot be altered by the person using the device.
To maintain ongoing compliance, a sample of such devices should be checked from time to time to make sure that the personal firewall is installed and updated according to organizational policy and is actively running.
1.5. Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
To ensure continuous management of firewall and router configurations, personnel must be fully aware of their organization's security policies and operational procedures. Personnel should be interviewed to verify that these policies are properly documented and in use within the organization.