To implement PCI compliance you will need a router (with DMZ, VLAN and SPI capability) and two subnets within the office. These can be reasonably priced, such as the easily configurable SG-2440 pfSense router (approx. $500 at 2015 prices), which has a lot of features. If you are a not-for-profit organization, check techsoup.org, as they offer full Cisco routers that you may be eligible to purchase at a discount.
We only recommend a router/firewall that has the ability to isolate the Apache computer (i.e. designate an IP address for the DMZ).
Your firewall needs to restrict connections between untrusted networks and any system components in the cardholder environment (PCI requirement 1.2).
- The router must be a dedicated device, preferably a hardware router. If it is a software router, such as one built on Linux, then it must be used only for this purpose and run no other services.
- It should be configured to shut down all incoming and outgoing ports except those required for business, as per the following:
When you need to set up host-based firewalls on individual computers, the built-in firewall on Windows is very flexible. On macOS servers, do not manage the built-in firewall via System Preferences - instead, consider using a tool like Murus Firewall to unlock the power of the macOS PF firewall.
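The default-deny posture described for the router (requirement 1.2) and the PF firewall mentioned for macOS both come down to the same idea: block everything, then pass only the business-required flows between the Internet, the DMZ holding the Apache host, and the cardholder segment. The ruleset below is an added example in pf.conf syntax (the language of the macOS PF firewall and of the engine underneath pfSense); it is not from the original page or from any vendor. The interface names, RFC 1918 address ranges and the set of allowed ports (HTTPS into the DMZ, SSH administration from the cardholder segment, DNS and HTTPS outbound) are assumptions standing in for whatever your business actually requires.

```pf
# Interfaces (assumed names; substitute the real ones from ifconfig)
wan_if = "em0"   # untrusted side (Internet)
lan_if = "em1"   # cardholder data environment (CDE), trusted
dmz_if = "em2"   # DMZ containing the isolated Apache host

# Addresses (constructed RFC 1918 examples, not taken from the page)
cde_net = "10.10.1.0/24"
dmz_net = "10.10.2.0/24"
apache  = "10.10.2.10"

set skip on lo0
set block-policy drop          # silently drop instead of sending RSTs/ICMP

# Normalise fragments and options before filtering
scrub in all

# Default deny: every packet on every interface is dropped and logged
# unless a later, more specific rule passes it (last matching rule wins)
block log all

# Discard packets whose source address does not belong on the interface
antispoof quick for { $wan_if $lan_if $dmz_if }

# Internet -> DMZ: only HTTPS to the Apache host. "keep state" is the
# stateful-inspection (SPI) part: replies are matched to this state entry,
# so nothing else needs to be opened for the return traffic.
pass in on $wan_if proto tcp from any to $apache port 443 keep state

# DMZ must never initiate connections into the CDE; stated explicitly
# even though the default deny already covers it, so intent is auditable
block in log quick on $dmz_if from $dmz_net to $cde_net

# CDE -> DMZ: administrative SSH to the Apache host only (assumed need)
pass in on $lan_if proto tcp from $cde_net to $apache port 22 keep state

# CDE -> Internet: only the outbound services the business needs (assumed:
# DNS and HTTPS); everything else from the CDE is caught by the default deny
pass in on $lan_if proto { tcp udp } from $cde_net to any port 53 keep state
pass in on $lan_if proto tcp from $cde_net to any port 443 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (the `-n` flag only parses and reports syntax errors without installing anything), then `pfctl -f /etc/pf.conf` once it is clean. Because the pass rules create state entries and PF matches states on any interface by default, a connection permitted inbound on one interface is automatically allowed out the other; there is no need for mirror rules, which is what keeps a default-deny ruleset short enough to review line by line. The `log` keyword on the block rules feeds the `pflog0` interface, so dropped traffic can be watched with `tcpdump -n -e -ttt -i pflog0` when a legitimate service is suspected of being blocked.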