What are the PCI DSS Firewall and Router Configuration Requirements?
It is essential to design and maintain a secure network infrastructure where cardholder data can be processed and stored. PCI DSS requirements include the configuration of routers and firewalls used to protect the CDE.
Set up firewall and router configurations to protect Cardholder Data Environments as follows:
- All changes to firewall or network configurations should be formally documented and retained for future review.
- For each CDE, there must be a network diagram documenting the systems and devices connected to that network.
- A data flow diagram showing the movement of all cardholder data between systems and networks should be created.
- You should update the network diagram and data flow diagrams based on changes in systems or processes.
- Firewalls must exist at the CDE boundaries and between the DMZ and untrusted networks (i.e., non-CDE networks).
- You should document groups, roles, and responsibilities for managing network components.
- Firewalls must be configured to block access to all systems and system ports, except those defined in data flow diagrams.
- You must document the reasons for each exception.
- Rulesets for firewalls and routers should be reviewed at least every six months.
- You should document review reports.
- Examine and document firewall and router configurations and make sure of the following:
- Verify that the configurations define the inbound and outbound traffic required for the cardholder data environment.
- Verify that configurations are protected from unauthorized access.
- Verify that working and stored configurations are synchronized.
- Verify that perimeter firewalls are installed between all wireless networks and the cardholder data environment.
Examine firewall and router configurations to ensure there is no direct access between the Internet and system components in cardholder data environments and do the following:
- A DMZ must be implemented to restrict incoming traffic only to system components that provide authorized public services, protocols, and ports.
- Verify that incoming Internet traffic is limited to IP addresses within the DMZ.
- Verify that anti-fraud measures are in place, e.g., internal addresses cannot pass from the Internet to the DMZ.
- Verify that traffic from the cardholder data environment to the Internet is explicitly prohibited.
- Verify that firewalls only allow connections to CDE.
- Verify that cardholder data is not stored inside the DMZ (outside of the CDE).
- Verify that private IP addresses and routing information are not accessible to unauthorized persons.
- Install the personal firewall software on all portable devices used to access the CDE that connects to the Internet while outside the network.
- End users should not be able to change the firewall’s configuration.
- Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
As a general rule, each PCI Standard should be reviewed annually and updated as needed to reflect changes in business objectives or the risk environment.
How Should Firewalls Be Located and Configured?
Firewalls are devices or programs that control network traffic flow between networks or hosts that use different security postures. Although firewalls are commonly addressed in relation to Internet access, they can also be used in other forms of networks.
For example, many corporate networks use firewalls to restrict connectivity to and from internal networks to serve more sensitive functions such as accounting or reporting. An organization can block unauthorized access to its systems and resources by using firewalls to control these areas’ connectivity.
The installation of a firewall that is sufficient for your environment adds an extra layer of protection. Firewalls are commonly used by companies to fulfill mandated security standards such as FISMA or PCI DSS.
Payment Card Industry (PCI) Data Security Standard requirement one specifically requires a firewall. Several types of firewall technologies are available. One way to compare its capabilities is to look at the Transmission Control Protocol / Internet Protocol (TCP/IP) layers that each can examine.
TCP / IP communications consist of four layers that work together to transfer data between hosts. Data is transferred from the highest layer to the lowest layer when a user wants to migrate data between networks, and each layer adds more information.
The lowest layer sends the collected data over the physical network, and the data is then transmitted from the layers upwards to its destination. Simply put, the data generated by one layer is encapsulated in a larger container by the underlying layer.
Addresses in the data link layer assigned to network interfaces are called media access control (MAC) addresses. As an example, we can give an Ethernet address that belongs to an Ethernet card. Firewall policies rarely deal with the data link layer. Addresses on the network layer are called IP addresses.
In comparison to network addresses, the transport layer defines unique network applications and communication sessions. A host can have any number of transport-layer sessions with other hosts on the same network.
The transport layer can also include the concept of anchor points. A destination port number generally identifies a service that is listening on the destination host, while a source port number typically identifies the source host port number to which the destination host can respond.
Some transport protocols, such as TCP and UDP, have ports, while others don’t. Combining the source IP address and port with the destination IP address and port helps identify the session. The highest tier represents end-user applications. Firewalls can examine application traffic and use it as the basis for policy decisions.
Basic firewalls run on one or more layers, while more advanced firewalls examine all layers. People who examine more layers can make more detailed and comprehensive examinations.
Advanced applications and protocols can theoretically be accommodated by firewalls that recognize the application layer, and user-oriented services can be provided. For example, a firewall that only processes lower layers cannot usually identify specific users. However, a firewall with application-layer capabilities can apply user authentication and log events to specific users.
- NAT can be thought of as a form of routing rather than a firewall.
- Organizations must allow outbound traffic using only source IP addresses used by the organization.
- A compliance check is useful in a firewall only when it can block communication that could harm protected systems.
- It’s crucial to determine if the firewall can serve as an application proxy when selecting the type of firewall to deploy.
- The management of personal firewalls should be centralized to efficiently create, deploy and enforce policies for all users and groups.
Firewalls are used to separate networks with different security requirements, such as the Internet and internal network hosting servers with sensitive data. Organizations should use firewalls where their internal networks and systems interface with external networks and systems and where security requirements differ between internal networks.
Below we will examine where organizations’ firewalls should be placed and where other networks and systems should be located in relation to their firewalls.
Since one of the firewall’s primary roles is to prevent unauthorized traffic from entering and, in certain instances, exiting a network, it should be positioned at the edge of logical network boundaries.
Firewalls are usually installed as a node where the network is divided into several paths or inline along a single route. In routed networks, the firewall is usually located on the network at a location just before the traffic enters the router (entry point) and is sometimes located in the same location as the router.
For a multipath node, it is rare to place the firewall after the router because the firewall device must follow each of the multiple egress paths that are typically present in such cases.
The vast majority of hardware firewall devices include routing capabilities. In switched networks, a firewall is usually part of the switch itself to allow the switch to protect as many segments as possible.
A firewall receives unchecked traffic, controls it according to the firewall’s policy, and then acts appropriately, passing or blocking the traffic. Since all traffic on a network has one direction, policies are based on the traffic moves’ direction.
Some firewalls control traffic in both directions. For example, if they are set up to prevent certain traffic from an organization’s local area network (LAN) from escaping to the Internet, they control traffic in both directions. The protected side of the firewall is the side facing the outside network in these situations.
- Generally, a firewall should conform to the layout of an existing network. However, an organization can change its network architecture while deploying a firewall as part of an overall security upgrade.
- Different common network architectures lead to different options for where to place a firewall, so an organization should consider which architecture works best for security objectives.
- If an edge firewall has a DMZ, consider which outward facing services from the DMZ should be run and remain on the internal network.
- Do not rely on NATs to take advantage of firewalls.
- Putting one firewall behind another will accomplish the desired security target in certain cases, but having several layers of firewalls can be cumbersome.
Based on the organization’s information security policies, a firewall policy specifies how firewalls can handle network traffic for various IP addresses and address ranges, protocols, applications, and content types.
Before a firewall policy can be established, some form of risk analysis should be performed to develop a list of traffic types the organization needs and to classify how they should be secured. The risk analysis should include what types of traffic under which conditions may pass through a firewall.
This risk analysis should be based on the evaluation of threats. Security vulnerabilities; the measures are taken to reduce security vulnerabilities, and the effects that will occur if systems or data are compromised should be identified.
The firewall policy should be documented in the system security plan and should be maintained and updated frequently as new classes of attacks or vulnerabilities emerge, or the organization’s needs for networking applications change. The policy should also provide detailed guidelines on how to comply with rule changes.
In general, firewalls can block both inbound and outbound traffic that isn’t expressly allowed by the firewall policy, i.e., traffic that the company doesn’t need. This practice, known as a denial by default, reduces the risk of attacks and reduces traffic volume carried on the organization’s networks.
Due to hosts’ dynamic nature, networks, protocols, and applications, denying by default is a more secure approach than allowing all traffic that is not explicitly prohibited.
- The firewall strategy of a company should be based on a rigorous risk analysis.
- Both inbound and outbound traffic should be blocked by firewall rules, with exceptions for requested traffic.
- In addition to content, policies should consider the traffic’s source and destination.
- Many types of IPv4 traffic, such as invalid or private addresses, should be blocked by default.
- Organizations must have policies to handle inbound and outbound IPv6 traffic.
- An organization should determine which applications can send traffic to or from its network and establish firewall policies to block traffic for other applications.
PCI DSS Firewall Configuration Tips
Your firewall is an essential part of your network security because it is the first line of protection against online attackers. Configuring a firewall can be a challenging task, but breaking it down into smaller tasks can make it much easier to handle.
The steps required for PCI DSS and involved in firewall configuration are outlined in the following guide. Many suitable firewall models can be used to protect your network. The following steps are important regardless of the firewall model you choose.
Ensure the security of your firewall
Your network security is “game over” if an intruder gains administrative access to your firewall. As a consequence, protecting your firewall is the first and most important step in this process. Never deploy a firewall that isn’t properly protected, at the very least with the following configuration actions:
- Update your firewall to the latest firmware.
- Delete, disable or rename default user accounts and change all default passwords.
- Be sure to use only complex and secure passwords.
- If more than one administrator will manage the firewall, create additional administrator accounts with limited privileges depending on responsibilities.
- Never use a user account that has been shared.
- Disable the simple network management protocol (SNMP) or configure the community string to be secure.
Design your firewall zones and IP addresses
To secure your network’s valuable properties, you must first find out what they are. Then plan your network structure so these assets can be grouped and placed in networks (or zones) based on similar sensitivity level and functionality.
For example, all of your servers that provide Internet services must be located in a special zone that allows only minimal inbound traffic from the Internet (this zone is often called the demilitarized zone or DMZ).
Internal server zones should be used for servers that should not be accessed directly from the Internet, such as database servers. Similarly, workstations, point-of-sale devices, and voice over Internet protocol (VOIP) systems can often be located in internal network regions.
The more zones you make, the more stable your network will be in general. Bear in mind, however, that handling more zones requires more time and money, so you should be vigilant when determining how many network zones to use.
Internal IP addresses must be used by all internal networks if you’re using IP version 4. Network address translation (NAT) must be configured to allow internal devices to communicate on the Internet as required.
You can start designing firewall zones and assigning them to your firewall interfaces or sub-interfaces once you’ve built your network zone structure and created the corresponding IP address scheme.
Configure access control lists
You must determine precisely what traffic should enter and exit each zone. This traffic will be allowed using firewall rules called access control lists (ACLs) that apply to each interface or sub-interface in the firewall.
Make your ACLs as specific as possible to the exact source or destination IP addresses and port numbers. To filter out all unapproved traffic, make sure each access control list has a “deny all” rule at the top. Apply inbound and outbound ACLs to each interface and sub-interface in your firewall to ensure that only permitted traffic enters and exits each sector.
It is generally recommended that your firewall management interfaces (including both secure shell (SSH) and web interfaces) be disabled from public access whenever possible. This will help protect your firewall configuration from outside threats. Be sure to disable all unencrypted protocols for firewall management, including Telnet and HTTP connections.
Configure your firewall services and logging
If your firewall can also act as a dynamic host configuration protocol (DHCP) server, network time protocol (NTP) server, or intrusion prevention system (IPS), configure the services you want to use. Disable any extra services you don’t want to use.
To meet the PCI DSS requirements, configure your firewall to report to your logging server and ensure that the logs have enough detail to meet the 10.2 to 10.3 PCI DSS requirements.
Test your firewall configuration
Verify that your firewall is functioning properly in a test setting. Remember to verify that your firewall is blocking traffic that should be blocked based on your ACL configurations. Vulnerability scanning and penetration testing can also be done on your firewall.
Always maintain a copy of your firewall settings in a secure location so that all of your hard work isn’t wasted if your hardware fails. Have your setup checked by a security professional to ensure that it is set up to keep your data as protected as possible.
Manage your firewall
Firewall logs should be monitored, firmware updated, vulnerability scans performed, and firewall rules reviewed at least every six months. Finally, make sure you document your process and are diligent in performing these ongoing tasks to ensure that your firewall continues to protect your network.