PCI DSS Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement Addressed

1: Install and maintain a firewall configuration to protect cardholder data
1.2 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment.
1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
1.3.1 Implement a DMZ to limit inbound and outbound traffic to only protocols that are necessary for the cardholder data environment.
1.3.2 Limit inbound internet traffic to IP addresses within the DMZ.
1.3.3 Do not allow any direct routes inbound or outbound for traffic between the internet and the cardholder data environment.
1.3.5 Restrict outbound traffic from the cardholder data environment to the internet such that outbound traffic can only access IP addresses within the DMZ.
1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only “established” connections are allowed into the network.)
1.3.8 Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet.
1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the internet (for example, laptops used by employees), which are used to access the organisation’s network.
1.5 Ensure that security policies and operational procedures for managing firewalls are documented.
Solution Features

> Provide end users and company personnel dynamic feedback relevant to each type of endpoint security policy.
> Provide a current diagram that shows cardholder data flows.
> Enables network segmentation using virtual domains, VLANs and switched ports for traffic segmentation/isolation. Prevents unauthorised access to critical resources.
> Limit access to only explicitly allowed entities, using only the protocols that are dictated as allowable on published services. IP reputation checking and blacklisting also make it possible to explicitly prevent access to application services by untrusted networks and hosts.
> Web proxy functionality, usually integrated into WAF solutions.
> Block ports with the client firewall, in addition to blocking traffic types (TCP, IP, UDP) and IP addresses, and allow application rules to be set. The client firewall can be configured to allow only trusted connections to cardholder data.
> Establish policies for accessing cardholder data with the client firewall. Access reporting is available for all allowed or blocked traffic over a specified period of time.
> Allow inbound traffic for a specific protocol and to specific IP addresses with the client firewall.
> Prevent computers holding cardholder data from accessing the internet with the client firewall, and use application control to stop the use of internet-enabled applications.
> Create Network Access Control (NAC) enforcement templates to prevent access to the DMZ from specific applications.
> Inspect UDP, IP and TCP traffic types with the Sophos client firewall to prevent direct access from the internet to cardholder data on PCs.
> The Application Firewall functions as a full proxy, relaying only the traffic it is configured to relay. Implement IP masquerading to prevent internal server addresses from being revealed to external clients, and protect connections from external clients to internal servers.
> Continuously check company computers, even laptops that are not connected to the network, to ensure that a company-approved firewall is installed and running. If it is not, NAC blocks the computer from the network. Non-compliant guest computers receive a message directing users on how to fix the problem.
Contact us today to discuss your requirements in more detail.