PCI DSS Requirement 1: Protect cardholder data with a firewall
Firewalls are devices that control traffic between the local network of the organization and untrusted external networks. The firewall analyzes all network traffic and blocks traffic that does not comply with the defined security requirements. The firewall ensures that the defined and desired traffic reaches the relevant areas.
Firewalls can also be placed at sensitive points inside the internal network to protect the cardholder data environment by separating it from the organization's other networks.
Firewalls are an essential protection mechanism for any computer network. All connections, such as e-commerce systems, e-mail communication, or Internet access, should be protected from unauthorized access.
Other system components or applications may provide firewall functionality as long as they meet the minimum firewall requirements defined in Requirement 1. Where such components are used in the cardholder data environment to provide firewall functionality, they must also be included in the PCI DSS scope and assessment.
PCI DSS Requirement 1.1: Set and implement firewall and router configuration standards
Firewalls and routers are essential components of the architecture that control traffic entering and leaving the network. They are hardware or software devices that block undesirable access to and from the network and manage authorized access.
Configuration standards and procedures help ensure that this first line of defense for the organization's data remains strong. They ensure that only the configurations approved by the organization are applied and that potentially inappropriate configurations are kept out.
PCI DSS Requirement 1.1.1: Create a formal process to approve and test all network connections and changes to firewall and router configurations
A documented and implemented process for approving and testing all connections and changes to firewalls and routers helps prevent security problems caused by misconfiguration of the network, router, or firewall.
If changes are made without formal approval and testing, the records of the changes may not be updated, which leads to discrepancies between the network documentation and the actual configuration.
PCI DSS Requirement 1.1.2: Create a network topology diagram that defines all connections between the cardholder data environment and other networks, including wireless networks.
Network diagrams indicate how networks are designed and where all network devices are located. Without up-to-date network topology diagrams, devices can be overlooked and unwittingly excluded from security checks for PCI DSS. For this reason, these devices, which do not have the necessary controls, can expose the cardholder data environment to various risks.
A process should also be created to keep the network topology diagrams current, and the diagrams should be updated to reflect each change after it is made.
PCI DSS Requirement 1.1.3: Create valid and current card data flow diagrams showing all cardholder data streams between systems and networks.
Cardholder data flow diagrams identify the location and flow paths of all cardholder data stored, processed, or transmitted in the network. Together, the network and cardholder data flow diagrams let an organization understand and monitor its PCI DSS scope by showing how cardholder data moves across networks and systems.
Cardholder data flow diagrams should show all cardholder data flows between systems and networks and should be updated when any changes are made in the environment.
PCI DSS Requirement 1.1.4: Position firewalls between the Internet connections and the demilitarized zone (DMZ) and the local network.
Using firewalls on all Internet connections entering and leaving the network, and between any DMZ and the local network, helps the organization monitor and control access. This minimizes the chance that an attacker reaches the internal network through an unprotected connection.
Specifying in your firewall configuration standards that a firewall must be installed at each Internet connection and between any DMZ and internal network zone helps prevent missing or incorrectly positioned firewalls in new installations or changes.
A current and accurate network topology diagram also lets you verify that firewall placement is consistent with the configuration standards.
PCI DSS Requirement 1.1.5: Create descriptions of groups, roles, and responsibilities for the management of network components.
Determining roles and assigning responsibilities allows employees to know who is responsible for the security of all components of the network. It also ensures that people who are authorized to manage components are aware of their responsibilities.
Failure to formally define and assign roles and responsibilities can lead to a variety of device management problems and may result in some devices not being managed at all.
The firewall and router configuration standards include descriptions of groups, roles, and responsibilities for the management of network components, which will help employees fully understand and enforce their respective duties and roles.
PCI DSS Requirement 1.1.6: Document security measures applied for services and protocols considered to be unsafe and business rationales for the use of all allowed services, protocols, and ports.
Compromises often come through unused or insecure services and ports, because overlooked and unpatched services and ports frequently have known vulnerabilities.
Many organizations do not address vulnerabilities in services, protocols, and ports that they do not use. By clearly defining and documenting the services, protocols, and ports required for business, an organization can disable all others.
Approval for such updates or changes should come from personnel other than those who manage the configuration.
If insecure services, protocols, or ports are required for business purposes, the risk of using them should be clearly understood and accepted by the organization. Their use should be considered in detail and implemented with the security features that allow them to be used safely.
If insecure services, protocols, or ports are not required for the job, they should be disabled or removed from the system.
Create a documented list of all services, protocols, and ports, including business rationale and approval, for each of the firewall and router configuration standards.
For guidance on services, protocols, or ports that are considered insecure, refer to industry standards and guidelines such as those from NIST, ENISA, and OWASP.
PCI DSS Requirement 1.1.7: Review firewall and router rules at least every six months
Reviewing firewall rule sets at least every six months lets organizations remove unnecessary, outdated, or incorrect rules and confirm that every rule set permits only approved services and ports with documented business reasons.
Organizations that make many changes to their firewall and router rule sets may review them more frequently to ensure that the rule sets continue to meet business needs.
Also, the firewall and router configuration standards should indicate that firewall and router rule sets should be reviewed at least every six months.
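The review described under Requirements 1.1.6 and 1.1.7 can be partly automated by comparing the firewall's permit rules with the documented list of approved services. The following is an added example written for this article, not code from the article or from any firewall vendor; the rule export format, the inventory format, the list of services treated as insecure, and all sample rules and dates are constructed assumptions.

```python
"""Rule-set review for PCI DSS 1.1.6 / 1.1.7: compare a firewall's permit rules
against the documented list of approved services, protocols and ports.
Added example; rule format, inventory format and sample data are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str            # "accept" or "drop"
    proto: str             # "tcp", "udp" or "any"
    dport: str             # destination port or "any"
    src: str               # source zone (informational here)
    dst: str               # destination zone (informational here)
    hits: int              # matches since counters were last reset
    last_hit: Optional[date]


@dataclass(frozen=True)
class ApprovedService:
    proto: str
    dport: str
    rationale: str         # documented business justification
    approved_by: str       # approver, distinct from the firewall administrator
    mitigation: str = ""   # required when the service is considered insecure


# Services an organisation might classify as insecure (cleartext or weak auth).
# A real list would come from the organisation's own standard or NIST/OWASP guidance.
INSECURE = {("tcp", "21"), ("tcp", "23"), ("tcp", "80"), ("udp", "161")}
REVIEW_WINDOW = timedelta(days=182)   # "at least every six months"


def review_rules(rules: List[Rule], approved: List[ApprovedService],
                 today: date) -> List[Tuple[str, str, str]]:
    """Return (rule_id, finding, detail) for every permit rule needing attention."""
    approved_by_key = {(s.proto, s.dport): s for s in approved}
    findings = []
    for r in rules:
        if r.action != "accept":
            continue                          # deny rules need no justification
        key = (r.proto, r.dport)
        if r.proto == "any" or r.dport == "any":
            findings.append((r.rule_id, "overly-broad",
                             "permit rule without a specific protocol/port"))
        elif key not in approved_by_key:
            findings.append((r.rule_id, "undocumented-service",
                             f"{r.proto}/{r.dport} has no business rationale on file"))
        elif key in INSECURE and not approved_by_key[key].mitigation:
            findings.append((r.rule_id, "insecure-service-unmitigated",
                             f"{r.proto}/{r.dport} approved but no security measure documented"))
        # Stale rule: never matched, or not matched within the review window.
        if r.hits == 0 and (r.last_hit is None or today - r.last_hit > REVIEW_WINDOW):
            findings.append((r.rule_id, "stale",
                             "no traffic matched in the review window"))
    return findings


# Constructed sample inventory and rule export.
APPROVED = [
    ApprovedService("tcp", "443", "public storefront", "security-manager"),
    ApprovedService("tcp", "21", "legacy partner file drop", "security-manager"),
    ApprovedService("tcp", "22", "admin access to DMZ hosts", "it-director",
                    mitigation="key-based auth, reachable only from the jump host"),
]
RULES = [
    Rule("R1", "accept", "tcp", "443", "any", "dmz-web", 120000, date(2024, 6, 29)),
    Rule("R2", "accept", "tcp", "21", "partner-net", "dmz-ftp", 340, date(2024, 6, 20)),
    Rule("R3", "accept", "any", "any", "vendor-vpn", "lan", 55, date(2024, 6, 1)),
    Rule("R4", "accept", "tcp", "22", "mgmt", "dmz-web", 0, date(2023, 8, 1)),
    Rule("R5", "accept", "tcp", "3389", "any", "lan-db", 0, None),
    Rule("R6", "drop", "any", "any", "any", "any", 9000000, date(2024, 6, 29)),
]


def run_review(today: date = date(2024, 6, 30)) -> List[Tuple[str, str, str]]:
    return review_rules(RULES, APPROVED, today)


if __name__ == "__main__":
    for rule_id, finding, detail in run_review():
        print(f"{rule_id}: {finding} - {detail}")
```

Each finding maps to an action the review must record: an overly-broad or undocumented rule needs either a business rationale and approval or removal; an approved but insecure service with no documented security measure is a gap under 1.1.6; a stale rule is a candidate for deletion. Counters should be reset at the end of each review so that the next one measures the full window.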
PCI DSS Requirement 1.2: Restrict connections between untrusted networks and all system components in the cardholder data environment with firewall and router configurations
It is essential to set up network protection between a trusted network and any external untrusted network that is outside the control and management capacity of an organization. Failure to adequately implement this measure may result in the organization being vulnerable to unauthorized access by malicious individuals or software.
An “untrusted network” is any network that is external to the organization's own networks or that is outside the organization's ability to control or manage.
For the firewall function to be useful, it must be designed and configured to control or limit traffic entering and leaving the organization network.
PCI DSS Requirement 1.2.1: Limit inbound and outbound traffic to only what is required for the cardholder data environment and specifically reject all other traffic.
Inspecting both inbound and outbound connections allows traffic to be controlled and restricted based on its source or destination address. Such restrictions prevent unfiltered access between trusted and untrusted environments and keep attackers from entering the organization's network through unauthorized IP addresses or unauthorized use of services, protocols, or ports.
Applying a rule that rejects all the inbound and outbound traffic that is not explicitly necessary helps prevent unwanted and potentially harmful incoming or outgoing traffic.
PCI DSS Requirement 1.2.2: Securely store and synchronize router configuration files.
Even when the running (active) router configuration contains valid and secure settings, the startup configuration must also be updated with the same secure settings so that they are applied when the router boots.
Startup configuration files are easily forgotten and left outdated because they are loaded only when the router restarts. If a router reboots and loads a startup configuration that lacks the security settings of the running configuration, weaker rules take effect and may allow attackers into the network.
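A simple way to catch the startup-versus-running drift described above is to normalise both configuration texts and report the lines that exist in only one of them. The block below is an added example written for this article rather than code from the article or from any router vendor; the configuration snippets are constructed, IOS-like samples (with addresses from the documentation ranges), and the pattern for volatile lines is an assumption for this sample.

```python
"""Detect drift between a router's running and startup configuration (PCI DSS 1.2.2).
Added example; the configuration text is a constructed, IOS-like sample and the
volatile-line pattern is an assumption that fits this sample."""
import re
from typing import List, Set, Tuple

# Comment lines (timestamps etc.) and blank lines legitimately differ between the
# two files and are ignored so that only real settings drift is reported.
VOLATILE = re.compile(r"^(!.*|\s*)$")


def normalise(config: str) -> Set[str]:
    """Return the set of meaningful configuration lines, whitespace-normalised."""
    lines = set()
    for raw in config.splitlines():
        line = " ".join(raw.split())    # collapse indentation and repeated spaces
        if not VOLATILE.match(line):
            lines.add(line)
    return lines


def config_drift(running: str, startup: str) -> Tuple[List[str], List[str]]:
    """Return (unsaved, would_resurrect).

    unsaved          lines active now but absent from startup: lost on reboot
    would_resurrect  lines in startup but not active now: come back on reboot
    """
    run, start = normalise(running), normalise(startup)
    return sorted(run - start), sorted(start - run)


# Constructed samples: the running config was hardened, the startup config was not saved.
RUNNING_CONFIG = """\
! Last configuration change at 14:02:11 UTC Mon Jun 24 2024
hostname edge-rtr-1
access-list 101 permit tcp any host 203.0.113.10 eq 443
access-list 101 deny   ip any any log
ip ssh version 2
no ip http server
"""

STARTUP_CONFIG = """\
! Last configuration change at 09:30:00 UTC Tue Jan 9 2024
hostname edge-rtr-1
access-list 101 permit tcp any host 203.0.113.10 eq 443
access-list 101 permit tcp any host 203.0.113.10 eq 23
access-list 101 deny ip any any
ip http server
"""


def check_sample() -> Tuple[List[str], List[str]]:
    return config_drift(RUNNING_CONFIG, STARTUP_CONFIG)


if __name__ == "__main__":
    unsaved, resurrect = check_sample()
    print("Active but not saved (lost on reboot):")
    print("\n".join("  " + l for l in unsaved))
    print("Saved but not active (returns on reboot):")
    print("\n".join("  " + l for l in resurrect))
```

In the sample the reboot would silently re-open telnet (port 23) and the HTTP management server while dropping the logging on the final deny, which is exactly the kind of weakening Requirement 1.2.2 is meant to prevent; running such a comparison after every approved change, and as part of the periodic rule review, makes the unsaved state visible before a restart does.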
PCI DSS Requirement 1.2.3: Set up and configure firewalls between all wireless networks and the cardholder data environment to allow traffic between the wireless environment and the cardholder data environment only.
The known or unknown use of wireless technology within a network is a common way for malicious people to access the network and cardholder data. If a wireless device or network is installed without the knowledge of the organization, a malicious person can easily and invisibly access and enter the network.
When firewalls do not limit the cardholder data environment and wireless network connections, malicious attackers who gain unauthorized access to the wireless network can easily connect to the cardholder data environment and steal sensitive account information.
Firewalls must be positioned between all wireless networks and the cardholder data environment, regardless of the purpose of the environment where the wireless network is connected.
PCI DSS Requirement 1.3: Prohibit direct public access between the internet and any system component in the cardholder data environment.
This requirement aims to prevent malicious individuals from accessing the organization’s local network over the internet or unauthorized use of services, protocols, or ports.
Allowing connections from untrusted networks to systems in the demilitarized zone (DMZ) may be justified, but such connections should never be permitted to internal network systems. The purpose of the firewall is to manage and control all communication between public and internal networks, especially those that store, process, or transmit cardholder data.
When direct access is allowed between publicly exposed systems and the CDE, the protection provided by the firewall is bypassed, and the system components that store cardholder data may be exposed to compromise.
A demilitarized zone (DMZ) must be created to limit traffic to Internet-facing system components. All traffic from the internet must be restricted to IP addresses in the demilitarized zone (DMZ).
The demilitarized zone (DMZ) is the part of the network that manages connections between the internet or other unreliable networks and the services that an organization needs to be public. This functionality aims to prevent malicious individuals from accessing the organization’s local network from the internet or unauthorized use of services, protocols, or ports.
PCI DSS Requirement 1.3.3: Apply anti-spoofing measures to detect and prevent spoofed IP addresses from entering the network.
Normally, a packet carries the IP address of the host that sent it, so other devices on the network know where it originated. Attackers often try to mislead a target device by forging a trusted IP address as the packet's source, so that the receiving device believes the packet came from a legitimate source.
Filtering and blocking traffic that arrives from the internet with an internal source address therefore exposes such packets as forged, since legitimate traffic from the internet can never originate from the organization's internal network.
All traffic from the cardholder data environment must be evaluated to ensure that it conforms to the authorized rules. All connections must be monitored, and unauthorized connections and communications must be blocked so that only authorized traffic is permitted.
PCI DSS Requirement 1.3.5: Only allow “established” connections to the network.
A firewall must track the state of each connection so that it can determine whether a response to a previous connection is legitimate and permitted, or whether malicious traffic is attempting to trick the firewall into allowing the connection.
Allowing only pre-established connections to the network will be a useful measure against such tricks.
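The three controls just described (deny by default under 1.2.1, anti-spoofing under 1.3.3, and established-connection tracking under 1.3.5) work together in a single stateful filter. The following minimal packet filter is an added example written for this article, not code from the article or from any firewall product; the zone names, address prefixes, allow-list and sample packets are constructed assumptions, and a real firewall would also handle TCP flags, timeouts and UDP pseudo-state.

```python
"""Minimal stateful packet filter illustrating PCI DSS 1.2.1 (default deny),
1.3.3 (anti-spoofing) and 1.3.5 (established connections only).
Added example; zones, prefixes, allow-list and packets are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str      # zone the packet arrives on: "wan", "dmz" or "lan"
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool       # True for a new-connection request, False for later segments


PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OUR_PUBLIC = ipaddress.ip_network("203.0.113.0/24")   # the organisation's own prefix (assumed)
DMZ_NET = ipaddress.ip_network("203.0.113.0/28")      # public-facing servers
CDE_NET = ipaddress.ip_network("10.20.0.0/24")        # internal zone holding cardholder data

# Explicit allow-list of NEW connections: (from-zone, to-network or None for any, proto, dport).
# Anything not listed here is rejected (Requirement 1.2.1).
ALLOW_NEW = {
    ("wan", DMZ_NET, "tcp", 443),   # customers to the storefront in the DMZ
    ("dmz", CDE_NET, "tcp", 5432),  # web tier to the card database, nothing else
    ("lan", None, "tcp", 443),      # staff browsing out
}


def is_spoofed(pkt: Packet) -> bool:
    """Packets from the internet must never carry an internal or own-prefix source (1.3.3)."""
    if pkt.iface != "wan":
        return False
    src = ipaddress.ip_address(pkt.src)
    return src in OUR_PUBLIC or any(src in n for n in PRIVATE)


class Firewall:
    def __init__(self) -> None:
        # Connection table keyed by the initiating direction's 5-tuple.
        self.conntrack: Dict[Tuple, bool] = {}

    def _new_allowed(self, pkt: Packet) -> bool:
        dst = ipaddress.ip_address(pkt.dst)
        for zone, net, proto, port in ALLOW_NEW:
            if (zone == pkt.iface and proto == pkt.proto and port == pkt.dport
                    and (net is None or dst in net)):
                return True
        return False

    def filter(self, pkt: Packet) -> str:
        if is_spoofed(pkt):
            return "drop:spoofed-source"
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.conntrack or rev in self.conntrack:
            return "accept:established"      # belongs to a connection we already allowed
        if pkt.syn and self._new_allowed(pkt):
            self.conntrack[fwd] = True
            return "accept:new"
        if not pkt.syn:
            return "drop:not-established"    # reply-looking segment with no tracked connection
        return "drop:default-deny"


def run_scenario() -> List[str]:
    """Constructed packet sequence; returns the verdict for each packet in order."""
    fw = Firewall()
    packets = [
        Packet("wan", "198.51.100.7", "203.0.113.10", "tcp", 40001, 443, True),   # customer -> storefront
        Packet("dmz", "203.0.113.10", "198.51.100.7", "tcp", 443, 40001, False),  # storefront reply
        Packet("wan", "198.51.100.7", "203.0.113.10", "tcp", 40001, 443, False),  # customer data segment
        Packet("wan", "10.20.0.5", "203.0.113.10", "tcp", 40002, 443, True),      # CDE address from internet
        Packet("wan", "203.0.113.200", "203.0.113.10", "tcp", 40003, 443, True),  # own prefix from internet
        Packet("wan", "198.51.100.9", "203.0.113.10", "tcp", 80, 40005, False),   # fake "reply", no connection
        Packet("wan", "198.51.100.9", "203.0.113.10", "tcp", 40006, 22, True),    # SSH to DMZ, not approved
        Packet("lan", "10.10.0.33", "198.51.100.50", "tcp", 52000, 443, True),    # staff browsing out
        Packet("wan", "198.51.100.50", "10.10.0.33", "tcp", 443, 52000, False),   # genuine reply to staff
        Packet("dmz", "203.0.113.10", "10.20.0.5", "tcp", 51000, 5432, True),     # web tier -> card DB
        Packet("dmz", "203.0.113.10", "10.20.0.6", "tcp", 51001, 445, True),      # anything else into CDE
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The sixth packet is the case Requirement 1.3.5 targets: a stateless filter that accepts any segment without the SYN flag as "part of an existing connection" would let it through, whereas the connection table shows no matching entry and the packet is dropped. The allow-list also shows the 1.3 principle that the only path from the internet terminates in the DMZ, and the only path from the DMZ into the cardholder data zone is one explicitly justified service.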
PCI DSS Requirement 1.3.6: Place system components that store cardholder data in a local network zone separated from DMZ and other untrusted networks.
If cardholder data is stored in the DMZ, an attacker who breaks into the DMZ faces fewer layers of defense and reaches sensitive information more easily. Separating the cardholder data from the DMZ and other untrusted networks with firewalls blocks unauthorized network traffic from reaching those system components and adds an extra layer of protection.
Attackers who can see the IP addresses of the local network learn about its structure, which makes reaching it easier. Local or private IP addresses must therefore be kept from being seen, and their disclosure restricted.
The methods that can be used to meet this requirement may vary depending on the network technology used. For example, the controls used to meet this requirement for IPv4 networks may differ from those for IPv6 networks.
Examples of methods for hiding IP addressing include:
- Network Address Translation (NAT)
- Place servers containing cardholder data behind proxy servers/firewalls
- Removal or filtering of route information for private networks using registered addressing
- Using RFC 1918 address space instead of registered addresses
PCI DSS Requirement 1.4: Install personal firewall software on all portable computing devices that connect to the internet when used outside the network and are also used to access the CDE.
Portable computers and devices that are allowed to connect to the internet from outside the company firewall are more exposed to internet-based attacks. A personal firewall protects such a device from those attacks, and in turn protects the organization's networks and data when the device is reconnected to the corporate network.
Personal firewall configurations should include the following items:
- Specific configuration settings are defined.
- The personal firewall is actively running.
- Users of the portable computing devices cannot alter the personal firewall.
This requirement applies to both employee-owned and company-owned portable computing devices. Systems that cannot be managed under corporate policy can introduce varied and unpredictable weaknesses that attackers can exploit. Allowing untrusted systems to connect to an organization's CDE can give attackers and other malicious users a way in.
PCI DSS Requirement 1.5: Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
Staff must know and follow the security policies and operational procedures so that unauthorized access to the network is prevented and firewalls and routers are managed continuously within the rules set by the organization.
For detailed information, see the PCI DSS Quick Reference Guide from the PCI SSC Documentation library.