You are here

Requirement 1: Install and maintain a firewall

Subscribe to Syndicate
Install and maintain a firewall and router configuration to protect cardholder data

Firewalls are devices that control computer traffic allowed between an entity’s networks (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within an entity’s internal trusted networks. The cardholder data environment is an example of a more sensitive area within an entity’s trusted network.

A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.

All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

Other system components may provide firewall functionality, provided they meet the minimum requirements for firewalls as provided in Requirement 1. Where other system components are used within the cardholder data environment to provide firewall functionality, these devices must be included within the scope and assessment of Requirement 1.

Section PCI Requirement Comments Provided by Artsman Cloud
1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data (including wireless); that use various technical settings for each implementation; and stipulate a review of configuration rule sets at least every six months. You will need a hardware router to protect your network.

However, if you need to set up firewalls on computers themselves, the built in firewall on windows is very flexible. On OSX, do not manage the built in firewall via System Preferences on servers - instead, consider using a tool like Murus Firewall to unlock the power of the OSX PF firewall.

1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations
1.1.2 Current network diagram with all connections to cardholder data, including any wireless networks Refer to Recommended Network Diagram and adapt as neccessary N/A
1.1.3 Current diagram that shows all cardholder data flows across systems and networks Refer to cardholder flow N/A
1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone Refer to NGINX Server setup to describe DMZ with one or two router situation. SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
1.1.5 Description of groups, roles, and responsibilities for logical management of network components   YES
1.1.6 Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure

Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.

Refer to Firewall rules for purpose of ports that are open. YES
1.1.7 Requirement to review firewall and router rule sets at least every six months   YES
1.2 Build a firewall configuration that denies all traffic from "untrusted" networks and hosts, except for protocols necessary for the cardholder data environment.

Note: An "untrusted network" is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.

Refer to Firewall rules to see the ports to open. YES
1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.   YES
1.2.2 Secure and synchronize router configuration files.   YES
1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. refer to venue lan setup. Wireless is not to be used in the Theatre Manager LAN segment and should be setup carefully on another separate, isolated VLAN SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.   YES
1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols and ports   YES
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.   YES
1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.   SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
1.3.4 Implement anti-spoofing measures to detect and block forged source IP address from entering the network.

(For example, block traffic originating from the internet with internal source addresses).

Use commercial grade firewall YES
1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. Implement specific permissions as per the firewall rules SPLIT
  • Artsman: Web sales and database
  • Customer: Workstations
1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.) Use commercial grade firewall YES
1.3.7 Place the components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks. This is generally interpreted to mean:
  • The web server should be on its own machine or VM so that it can, in effect, be sacrificed if hacked. It should have really tight firewall rules managing traffic into the device and out to ONLY the web lsitener on specific ports
  • The database and web listeners could be on the same machine as long as access to each is carefully managed with appropriate firewall rules and they are not exposed to traffic from the the main firewall appliance directly
1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.

Note: Methods to obscure IP addressing may include, but are not limited to:

  • Network Address Translation (NAT)
  • Placing servers containing cardholder data behind proxy servers/firewalls or content caches
  • Removal or filtering of route advertisements for private networks that employ registered addressing
  • Internal use of RFC1918 address space instead of registered addresses.
1.4 Install personal firewall software on any mobile and/or employee-owned computers that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the organization's network.

Firewall configurations include:

  • Specific configuration settings are defined for personal firewall software
  • Personal firewall software is actively running
  • Personal firewall software is not alterable by users of mobile and/or employee-owned devices.
These days, alll computers have one - it just needs enabled. SPLIT
  • Artsman: YES
  • Customer: Enable Firewall on Workstations
1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.   YES