Firewalls are one of the oldest computer security protections and remain a vital foundation of network protection today. Because so much of data protection begins with the firewall, many of the Payment Card Industry Data Security Standard (PCI DSS) requirements include firewall-related clauses.
You may not be PCI DSS compliant if your firewall is not configured correctly and properly maintained.
However, merely adding one firewall around your enterprise network will not make you PCI DSS compliant. The firewall must be properly installed, updated, and maintained to ensure your PCI DSS compliance. Also, firewall rules should be reviewed every six months.
The firewall-related requirements included in the PCI DSS are summarized in the list below:
- PCI DSS Requirement 1: Protect cardholder data with a firewall
- PCI DSS Requirement 1.1: Set and enforce firewall and router configuration standards
- PCI DSS Requirement 1.1.1: Establish a formal process for approving and testing all network connections and all changes to firewall and router configurations.
- PCI DSS Requirement 1.1.4: Require a firewall at each internet connection and between any DMZ and the internal network zone.
- PCI DSS Requirement 1.1.5: Create descriptions of groups, roles, and responsibilities for managing network components.
- PCI DSS Requirement 1.1.6: Document the security measures implemented for services and protocols considered unsafe and the business rationale for using all services, protocols, and ports allowed.
- PCI DSS Requirement 1.1.7: Review firewall and router rules at least every six months
- PCI DSS Requirement 1.2: Restrict connections between untrusted networks and all system components in the cardholder data environment with firewall and router configurations
- PCI DSS Requirement 1.2.1: Limit inbound and outbound traffic to only what is necessary for the cardholder data environment, and deny all other traffic.
- PCI DSS Requirement 1.2.3: Install firewalls between all wireless networks and the cardholder data environment, and configure them to allow only the permitted traffic between the wireless medium and the cardholder data medium.
- PCI DSS Requirement 1.3: Prohibit direct public access between the internet and any system components in the cardholder data environment.
- PCI DSS Requirement 1.3.1-2: Create a demilitarized zone (DMZ) to limit incoming traffic to system components that only provide publicly accessible authorized services, protocols, and ports.
- PCI DSS Requirement 1.3.3: Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
- PCI DSS Requirement 1.3.4: Do not allow unauthorized traffic from the cardholder data environment to the internet.
- PCI DSS Requirement 1.3.5: Permit only “established” connections into the network.
- PCI DSS Requirement 1.4: Install personal firewall software on all portable computing devices that connect to the internet while outside the network and that are also used to access the CDE.
- PCI DSS Requirement 1.5: Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
- PCI DSS Requirement 2.1: Always change vendor defaults before installing a system on the network, and remove or disable unnecessary default accounts.
- PCI DSS Requirement 2.2: Establish configuration standards for all system components. Make sure these standards address all known vulnerabilities and are consistent with industry-accepted system tightening standards.
- PCI DSS Requirement 2.2.2: Enable only essential services, protocols, and procedures for the system to run.
- PCI DSS Requirement 2.2.3: Implement additional security measures for any required services, protocols, or daemons that are considered insecure.
- PCI DSS Requirement 8.3: Secure all non-console administrative access and all remote access to the CDE using multi-factor authentication.
- PCI DSS Requirement 10.1: Apply audit trails to associate all access to system components with individual users.
- PCI DSS Requirement 11: Regularly test security systems and processes.
You can find detailed descriptions of the PCI DSS firewall requirements in the rest of this article.
What Is a Firewall and Why Is It Used?
Network firewalls are software or hardware technologies that make up a network’s first line of defense. Firewalls block inbound and outbound network traffic using rules and requirements defined by the organization.
A hardware firewall is positioned between the corporate network and the internet to protect the internal systems against outside attacks. Firewall software, by contrast, protects only the computer on which it is installed. A personal firewall is required on PCs that connect remotely to the cardholder data network, and most computers come with a software firewall preinstalled.
In short, hardware firewalls protect systems from the outside world, while software firewalls protect a single system. For example, if an attacker tries to reach your systems from outside, the hardware firewall has to block the attempt. If a user accidentally clicks a link in a phishing email, the computer’s software firewall should stop the malware from infecting the computer.
A firewall can itself introduce vulnerabilities when it is configured without following proper procedures, and a misconfigured firewall does not provide reliable protection for devices that handle payment card data.
There are more than 20 firewall-related requirements among the PCI DSS sub-requirements. The sheer number of them can make meeting the PCI DSS firewall requirements challenging and time-consuming for organizations. However, it should not be forgotten that firewalls are the first and most crucial protective shield of your network.
Protect Your Firewall: What to do first?
When an attacker gains administrative access to your firewall, they also take over your network defenses. This situation means that the game is over for you. The first and most crucial step in this process is, therefore, the securing of your firewall.
Never place a firewall in a live environment that is not configured correctly. Apply the following necessary firewall configuration checks:
- Upgrade to the latest version of the firewall software.
- Delete, disable, or rename any default user accounts on the firewall. Also, change all default passwords. Make sure you only use complex and secure passwords.
- If more than one administrator manages the firewall, create additional administrator accounts based on roles with restricted privileges. Never use shared user accounts.
- Disable Simple Network Management Protocol (SNMP), or configure it to use a secure community string.
Design IP Addresses and Firewall Zones and Create Your Infrastructure
To ensure the security of your network’s valuable assets, you must first determine what the assets are. Next, you must design the network structure to group and position these entities into networks or zones according to a similar sensitivity and purpose level.
For example, all servers providing internet-facing services must be located in a particular zone that allows limited incoming internet traffic (the demilitarized zone, or DMZ). In contrast, servers that are not directly accessible from the internet, such as database servers, should be placed in internal server zones. Similarly, workstations, point-of-sale devices, and Voice over IP (VoIP) phone systems can typically be placed in internal network zones.
In general terms, the more zones you create, the more secure your network is. However, keep in mind that it takes more time and energy to tackle more zones. Therefore, you need to be careful when determining how many network areas you want to use.
If you are using IPv4, all your internal networks will use private IP addresses. Network address translation (NAT) should be designed to allow internal devices to communicate with the internet when appropriate.
Once your network zone structure is designed and the corresponding IP address scheme has been created, you are ready to define those zones on the firewall interface. When designing the network infrastructure, use switches that support virtual LANs (VLANs) to maintain separation between zones.
How Should the PCI DSS Firewall Configuration Be?
Having a firewall in your company does not mean that your organization is secure, and your firewall is working effectively. Many businesses mistakenly view firewalls as plug-and-play technology and think they can safely use them without any configuration.
That’s why you need to understand what you trust and create access control lists (ACLs) at the firewall that determine what may enter and leave your network. Typically, firewall rules let you whitelist, blacklist, or block websites or IP addresses.
Permitted traffic is defined by firewall rules, grouped into access control lists (ACLs), that are applied to the firewall interfaces. Wherever possible, your ACLs should be specific to the exact source and destination IP addresses and port numbers.
Firewalls do not work effectively when ACLs are not configured, because traffic then enters and leaves the network without adequate control. Rules are what give a firewall its enforcement power and tight control. For this reason, firewall rules need to be continuously reviewed and updated to keep doing their job.
Ensure there is a “deny all” rule at the end of each access control list to drop any traffic that is not explicitly permitted. Apply both inbound and outbound ACLs to each interface and sub-interface on your firewall so that only permitted traffic is allowed into and out of each zone.
If possible, it is recommended that you block external access to your firewall management interfaces. Blocking external access to management interfaces will help protect your firewall configuration from external threats.
Make sure that all unencrypted firewall management protocols such as Telnet and HTTP connections are disabled.
Your firewall may also be able to act as a dynamic host configuration protocol (DHCP) server, network time protocol (NTP) server, intrusion prevention system (IPS), and so on. However, disable any extra services that you do not plan to use on the firewall.
Network administrators often do not like dealing with firewall rules and therefore create broadly defined rules. When configuring your ACLs, keep in mind that broad rules weaken your control and that very large rule lists have a negative impact on your network.
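The checks described in this section can be scripted. The following is an added example (not code from this article or from PCI SSC) that audits a constructed, vendor-neutral rule set for a final deny-all, over-broad any/any permits, plaintext management protocols, missing business justification, and rules not reviewed within six months; the rule format, addresses and review date are assumptions.

```python
"""Added example: a small PCI DSS Requirement 1 rule-set audit. Rules use a
constructed, vendor-neutral dict format (an assumption, not the page's or any
product's format); each check comes from the text above."""
from datetime import date

ANY = "any"
PLAINTEXT_MGMT_PORTS = {23: "telnet", 80: "http"}  # Telnet/HTTP management must be off
FW_MGMT_ADDRESS = "10.0.0.1"  # constructed address of the firewall management interface
REVIEW_DAYS = 180             # Requirement 1.1.7: review rules at least every six months

def is_deny_all(rule):
    """True for an explicit catch-all deny, the required last rule of every ACL."""
    return (rule["action"] == "deny" and rule["src"] == ANY
            and rule["dst"] == ANY and rule["dport"] == ANY)

def audit_acl(acl_name, rules, today):
    """Return (rule_name, finding) tuples for one ACL; an empty list means clean."""
    findings = []
    if not rules or not is_deny_all(rules[-1]):
        findings.append((acl_name, "no final deny-all rule"))
    for rule in rules:
        if rule["action"] != "permit":
            continue  # only permits widen the attack surface
        name = rule["name"]
        if rule["src"] == ANY and rule["dst"] == ANY and rule["dport"] == ANY:
            findings.append((name, "overly broad any/any permit"))
        if rule["dst"] == FW_MGMT_ADDRESS and rule["dport"] in PLAINTEXT_MGMT_PORTS:
            findings.append((name, "plaintext management protocol %s allowed"
                             % PLAINTEXT_MGMT_PORTS[rule["dport"]]))
        if not rule.get("justification"):
            findings.append((name, "permit without documented business justification"))
        if (today - rule["last_reviewed"]).days > REVIEW_DAYS:
            findings.append((name, "not reviewed within six months"))
    return findings

# Constructed sample ACL: inbound on the internet-facing interface.
INBOUND_INTERNET = [
    {"name": "web-to-dmz", "action": "permit", "src": ANY, "dst": "192.0.2.10",
     "dport": 443, "justification": "public web server", "last_reviewed": date(2023, 9, 1)},
    {"name": "admin-telnet", "action": "permit", "src": "203.0.113.5",
     "dst": FW_MGMT_ADDRESS, "dport": 23, "justification": "remote admin",
     "last_reviewed": date(2023, 9, 1)},
    {"name": "legacy-allow", "action": "permit", "src": ANY, "dst": ANY, "dport": ANY,
     "justification": "", "last_reviewed": date(2022, 1, 15)},
]
AUDIT_DATE = date(2023, 10, 1)  # constructed "today" so the example is reproducible

def audit_sample():
    return audit_acl("inbound-internet", INBOUND_INTERNET, AUDIT_DATE)

if __name__ == "__main__":
    for rule, finding in audit_sample():
        print("%-18s %s" % (rule, finding))
```

Running it reports five findings for the sample ACL; adding a final deny-all rule and removing the Telnet and any/any permits leaves the list clean.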
If you run into system and network issues or need help consolidating your giant rule set, you can use a QSA security advisory service.
Restrict As Much Traffic As Possible
An organization’s firewalls should be designed to secure the environment of sensitive card data at all costs. The best way to do this is to restrict and monitor traffic flow as much as possible, especially around the cardholder’s data environment.
Depending on how complex your environment is, several firewalls may be required to ensure all systems are adequately segregated. The more layers of control you have, the less chance an attacker has to reach and exploit an insecure connection. When deciding where to place firewalls, don’t forget to consult your network diagram and card data flow diagrams.
PCI DSS has requirements detailing how all traffic that is not explicitly required should be blocked by segmentation, firewalls, and rule sets. Below are a few examples of PCI DSS requirements for firewalls:
- PCI DSS Requirement 1.2.1: Limit inbound and outbound traffic to what is required for the cardholder data environment and deny all other traffic.
- PCI DSS Requirement 1.3: Prohibit direct public access between the internet and any system component in the cardholder data environment.
- PCI DSS Requirement 1.3.7: Place system components that store cardholder data, such as a database, in an internal network zone separated from untrusted networks.
Monitor and Tighten Control
As mentioned earlier, network firewalls are not a plug-and-play, set-and-forget system. It doesn’t matter how large or small your IT environment is; things and processes change over time. Within a few months you may need to add to or change the firewall rules you created for your current structure.
This is why PCI DSS requires firewall and router rule sets to be reviewed at least every six months. The review forces you to find flawed rules and confirm that the configuration is still safe, and it also gives you an opportunity to refresh your firewall strategy.
Log management plays an essential role in keeping firewall protection under control. Logs record normal and potentially harmful traffic through the firewall and help prevent, detect, and limit the effects of a data breach.
If event logging is configured correctly, alerts derived from the firewall logs notify the relevant administrators when an attack is detected.
To meet PCI DSS requirements, configure your firewall to send its logs to your log server, and ensure that enough detail is recorded to satisfy PCI DSS Requirements 10.2 and 10.3.
Almost all network firewalls have very little storage space, so it is crucial to set up a log server for the firewall-generated logs and configure the firewall to send its logs to that server.
Document Everything About the Firewall
A large part of your PCI DSS firewall compliance effort will be spent logging everything you do and creating the related records. This stage, often dismissed as mere paperwork, is crucial for PCI DSS compliance.
Documentation and records about the firewall allow you to understand what the team is doing, what needs to be done, and where problems are. Besides, change records indicate which changes you have made in the past for what purpose.
Documents created in firewall-related processes allow you to control the changes made. This way, you can determine which change has led to positive or negative consequences.
Also, the documentation you produce will make next year’s review easier. After all, it’s much easier to review documents that already exist than to start from scratch.
The most critical documents for PCI DSS Requirement 1 include:
Network and cardholder data flow diagrams: As PCI DSS explains, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Without a clear view of how your network is set up, you might miss devices that should be covered by your firewall rule set.
Network and cardholder data-flow diagrams help determine all network devices’ location and how card data flows through each network segment. When analyzing these diagrams, you should be able to thoroughly examine which areas should be protected and which redundant services, protocols, and ports should be disabled.
Group definitions, roles, and responsibilities: By recording who is involved in the firewall management process, you ensure that the people authorized to make changes are aware of their responsibilities. When roles and responsibilities are not formally defined as PCI DSS requires, systems management may be incomplete.
Allowed services, protocols, and ports: Make sure your firewall allows only the minimum number of connections required for your operation. Whenever your business requires an open port, service, or network path, you need to document why it is needed and what protections you have implemented for it.
Tips and Best Practices on How to Adhere to PCI DSS Requirement 1
Here are a few things to consider to be compliant with PCI DSS Requirement 1:
- Pay attention to and review firewall logs: If your firewall detects an attacker attempting to log into your network hundreds of times in the middle of the night, it should generate the necessary alerts and notify authorized people.
- Check firewall rules and configuration settings regularly: Business conditions and requirements change frequently, and firewall rules and configuration settings must be updated to match those changes.
- Create a Firewall Configuration Standard: Carefully document settings and procedures such as security settings and port and service rules. Consider both inbound and outbound traffic before applying firewall settings and rules.
- Trust, But Always Verify: Once firewall rules and settings are applied, validate settings with penetration tests and vulnerability scans. Properly check the firewall externally and internally to verify the rules and settings.
- Limit Outbound Traffic: Sometimes we worry so much about blocking inbound ports and services that we forget outbound traffic must also be limited to what is needed. Doing so restricts the ways an attacker can steal data.
- Use Personal Firewalls: Configure personal firewalls on mobile computing platforms to reduce attack surfaces and reduce malware spread on unsecured networks.
- Securely Manage Your Firewalls: Manage the firewall from within your network. Disable external management services on your firewall.
- Get help installing and configuring firewalls: Firewalls can have many technical details. So it might be a good idea for a third party to set them up and configure them correctly.
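The log review described in the Monitor section and in the first tip above can be automated. As an added example (not code from this article or from any firewall vendor), the script below parses constructed firewall log lines and alerts when one source is denied repeatedly within a short window; the log format, threshold and window are assumptions.

```python
"""Added example: alert on repeated denied connections in firewall logs. Log format,
threshold and window are constructed assumptions, not any vendor's format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>PERMIT|DENY) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
THRESHOLD = 3                   # assumed: this many denies from one source
WINDOW = timedelta(minutes=10)  # inside this window triggers an alert

def parse_line(line):
    """Parse one constructed log line into a dict; None if malformed."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event

def find_repeated_denies(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: total_denies} for sources with at least `threshold`
    denies inside one `window`-sized span. Malformed lines are skipped."""
    denies = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event and event["action"] == "DENY":
            denies[event["src"]].append(event["ts"])
    alerts = {}
    for src, times in denies.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = len(times)
                break
    return alerts

# Constructed sample: one source probing SSH/RDP at night, one source blocked
# only once an hour (never 3 within 10 minutes), one permit, one malformed line.
SAMPLE_LOG = """\
2023-10-01T02:13:44Z fw01 DENY TCP 203.0.113.9:51234 -> 10.10.20.5:22
2023-10-01T02:13:51Z fw01 DENY TCP 203.0.113.9:51235 -> 10.10.20.5:22
2023-10-01T02:14:02Z fw01 DENY TCP 203.0.113.9:51236 -> 10.10.20.5:3389
2023-10-01T01:00:00Z fw01 DENY UDP 198.51.100.4:4000 -> 10.10.20.5:161
2023-10-01T02:00:00Z fw01 DENY UDP 198.51.100.4:4001 -> 10.10.20.5:161
2023-10-01T03:00:00Z fw01 DENY UDP 198.51.100.4:4002 -> 10.10.20.5:161
2023-10-01T02:15:00Z fw01 PERMIT TCP 192.0.2.10:40000 -> 10.10.30.8:443
garbage line that the parser must not choke on
""".splitlines()

if __name__ == "__main__":
    print(find_repeated_denies(SAMPLE_LOG))  # {'203.0.113.9': 3}
```

In practice the same logic would run on the central log server the firewall forwards to, since the firewall itself keeps little history.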
Remember, firewalls are your first and foremost line of defense. So make sure they are ready to deal with any possible attacks.
However, keep in mind that a firewall alone will not protect you from data breaches. Many businesses that suffer breaches, often through unsecured remote access, also had a firewall in place. To protect your business data comprehensively, you must also have other security technologies.
In summary, for PCI DSS compliance, firewall logs should be reviewed, the firewall should be updated regularly, security vulnerabilities should be scanned for, and firewall rules should be reviewed every six months.
Besides, make sure you document your entire firewall process and be diligent in performing these ongoing tasks to ensure that your firewall continues to protect your network.
What is the Future of Firewalls?
Firewalls are the cornerstone of most data protection approaches, but their basic principles and technologies are over 20 years old. Firewalls of the future need to increase performance, adopt the cloud, become more flexible, and keep pace with attackers’ new methods.
Of course, future firewalls will serve as a complement to other security technologies and add another layer to a defense posture that is already solid.
What is certain is that the PCI DSS firewall requirements will change as firewall features evolve.
For detailed information, you can review the “PCI Firewall Fundamentals” document published by PCI SSC.