Requirement 1 Install and maintain a firewall configuration to protect cardholder data

PCI DSS

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Firewalls are computer devices that control computer traffic allowed between a company’s network (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within a company’s internal trusted network. The cardholder data environment is an example of a more sensitive area within the trusted network of a company.

A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria. All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employees’ Internet access through desktop browsers, employees’ e-mail access, dedicated connection such as business to business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

PCI DSS 1.1 Establish firewall and router configuration standards that include the following:

1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks
1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
1.1.4 Description of groups, roles, and responsibilities for logical management of network components
1.1.5 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP.
1.1.6 Requirement to review firewall and router rule sets at least every six months

PCI DSS 1.2 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment.

Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.

1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
1.2.2 Secure and synchronize router configuration files.
1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

PCI DSS 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.

1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
1.3.3 Do not allow any direct routes inbound or outbound for traffic between the Internet and the cardholder data environment.
1.3.4 Do not allow internal addresses to pass from the Internet into the DMZ.
1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only ”established” connections are allowed into the network.)
1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
1.3.8 1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.

Note: Methods to obscure IP addressing may include, but are not limited to:

Network Address Translation (NAT)
Placing servers containing cardholder data behind proxy servers/firewalls or content caches,
Removal or filtering of route advertisements for private networks that employ registered addressing,
Internal use of RFC1918 address space instead of registered addresses.

PCI DSS 1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.

Firewall Partners

At Castleforce we are partnered with several leading firewall vendors and we can provide pre and post technical assistance with all the products listed.

NETASQ is best known for designing and building the NETASQ EAL4 certified UTM Firewalls. Key features include intrusion prevention, firewall, antivirus, antispyware, antispam, content filtering, VPN and SSL-VPN access. EAL4 Certified on all Netasq firewalls.

Check Point is a leader in network security software, firewall solutions, VPN solutions, endpoint security, network protection, security management, data protection and Pointsec data encryption technologies. Check Point provides leading enterprise, small business and consumer network security solutions. EAL4 Certified Firewalls

Stonesoft specialise in High Availability Security Appliances including Firewalls, IDS/IPS and SSL VPN in both hardware and virtual appliances. EAL4 Certified Firewalls

Networking and security solutions from Juniper Networks helps consolidate network security issues for small, medium and large enterprises EAL4 Certified Firewalls

Palo Alto Networks’ next-generation firewalls provide network security by enabling enterprises to see and control applications, users, and content – not just ports, IP addresses, and packets – using three unique identification technologies: App-ID, User-ID, and Content-ID. These identification technologies, found in Palo Alto Networks' enterprise firewalls, enable enterprises to create business-relevant security policies – safely enabling organizations to adopt new applications, instead of the traditional “all-or-nothing” approach offered by traditional port-blocking firewalls used in many security infrastructures.

The XTM family of network security appliances is a new class of performance-driven solutions. Blazing fast throughput combines with advanced networking features to handle high-volume traffic securely - and at an affordable price. Includes a suite of flexible management tools that allows IT administrators to manage security through an intuitive centralized console, command line interface, and web UI.

The MSA security appliance from Celestix is specifically designed for network security, running a hardened version of Microsoft ISA Server 2006.

SonicWALL provides firewall products with unified threat management services such as network anti-virus, anti-spyware, virtual private networking (VPN), content filtering and other security services.

PCI DSS Core Principles

The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organised:

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Requirement 5: Use and regularly update anti-virus software

Requirement 6: Develop and maintain secure systems and applications

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Requirement 12: Maintain a policy that addresses information security

Card Holder Data Protection

nuBridges Protect is designed to make it easier for IT to make your operations PCI DSS compliant. Here are just a few examples:

No database or file layout changes required — encrypt a 16-digit credit card number without changing your pre-defined file layout, your application screens, your reports
No database downtime during encryption, encryption processes run in the background, allows high availability systems to remain active

Supports two data protection methods:

Distributed encryption with centralized key management that does not require a persistent connection between the hub and the spokes – the optimum in performance and availability;
Format Preserving Tokenization™ with central data vault

Wireless LAN (WLAN) Security

Aruba's integrated policy-enforcement firewall, high-security encryption, standards-based authentication, wireless intrusion detection/prevention, and compliance audit reporting assistance meet or exceed the wireless LAN-specific security requirements in PCI DSS. Merchants using an Aruba solution can cost-effectively implement the security controls required for PCI compliance without compromising the performance of business applications or upgrading legacy networks.

The Extricom WLAN product family is purpose-built to deliver robust, reliable connectivity. Extricom innovation makes the All-Wireless Enterprise possible by delivering voice (VoWLAN), data, video, and location services with an always-on, consistent, and mobile Wi-Fi connection to any client, in any environment.