Check out these 5 firewall guidelines for PCI DSS Requirement 1 compliance

By: Mike Riesen, SecurityMetrics

Firewalls are one of the oldest computer security defenses that continue to remain a crucial foundation of network protection today. Because many aspects of data security start with firewalls, network firewalls comprise a huge part of the Payment Card Industry Data Security Standard (PCI DSS).

But simply installing a firewall on your organization’s network perimeter doesn’t make you compliant with the PCI DSS. A firewall must be correctly installed, updated, and maintained. Firewall rules must also be reviewed semiannually, a step most organizations struggle with.

I’ve compiled five important tips that encompass PCI DSS Requirement 1’s main themes to help you accurately understand the basics behind some of the more complicated requirements. But before we dig in, let’s quickly cover some firewall basics.

SEE ALSO: PCI Compliant Firewalls: 5 Things You're Doing Wrong

Firewall basics

Network firewalls can be software or hardware technologies that provide a first line of defense to a network. Firewalls restrict incoming and outgoing network traffic through rules and criteria configured by the organization.

A hardware firewall, or perimeter firewall, is installed between an organization’s network and the Internet to protect the systems inside. A software firewall only protects the device it is installed on. Many computers come preinstalled with software firewalls, but for computers connecting to the cardholder data environment remotely, a personal firewall is required.

In summary, a hardware firewall protects environments from the outside world, and a software firewall protects a specific device from internal threats. For example, if an attacker tries to access your systems from the outside, your hardware firewall should block him. If a sales manager accidentally clicks on a phishing email scam, her computer’s software firewall should stop the malware from infecting the computer.

5 tips for meeting PCI DSS Requirement 1

Because they stand as an organization’s first line of defense, firewalls get a lot of attention from attackers. All too often, firewalls are riddled with configuration flaws and fail to properly protect the systems that touch payment card data.

With over 20 PCI DSS sub-requirements outlining firewall specifics, your obligations can be overwhelming.

After you purchase a firewall that meets PCI DSS requirements (SecurityMetrics Qualified Security Assessors (QSAs) recommend network security firewalls from SonicWALL, Cisco, and Juniper), focus on the following five items to make the most of your firewall security strategy:

1. Spend time on (and revisit) configuration
Just because your business has a firewall doesn’t mean it’s effective. Many businesses incorrectly treat network firewalls as plug-and-play technology. Instead, establish rules (Access Control Lists, or ACLs) that tell the firewall which traffic you trust to enter and leave your network. Firewall rules typically let you whitelist, blacklist, or block specific websites or IP addresses.

SEE ALSO: Configuring and Maintaining Your Firewall with SecurityMetrics Managed Firewall

When no ACLs have been configured, everything is allowed into or out of the network. Rules are what give firewalls their security power, which is why they must constantly be maintained and updated to remain effective.

As you’re setting up your ACLs, remember that very large rule lists will negatively impact your network’s performance. (This is why system administrators usually hate firewalls.) If you’re experiencing slowdowns, or need help consolidating a giant rule set, you might benefit from security consulting with a QSA.

Learn how to correctly configure a simple firewall in 5 steps.

2. Document everything
A massive chunk of your PCI firewall compliance process should be spent recording what you’ve completed. Also known as documentation (and widely considered a pain), this process is absolutely necessary for true PCI DSS compliance, and for your own sanity.

Firewall documentation helps your team comprehend what has been done, what still needs to be done, and where the problems are in your environment. Ultimately, it keeps your security efforts organized. As a bonus to you, documentation will make next year’s job easier. After all, updating already existing documentation is much easier than starting from scratch.

The most important documentation pieces from PCI DSS requirement 1 include:
  • Network and cardholder data flow diagrams: As the PCI DSS states, “Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems.” Without an accurate view into how your network is set up, you could overlook devices that need to be part of your firewall rule set. Network and cardholder data flow diagrams help identify the location of all network devices and how card data flows through each piece of the network. While analyzing these diagrams, you should be able to study exactly what areas must be protected, and the unnecessary services, protocols, and ports to disable. (Learn how to make a card flow diagram.)
  • Description of groups, roles, and responsibilities: By documenting who is involved in the firewall process, you ensure those assigned are aware of their responsibilities. According to the PCI DSS, “if roles and responsibilities are not formally assigned, devices could be left unmanaged.”
  • Business justification for allowed services, protocols, and ports: Compromise often occurs in areas that are unused, unpatched, and unmonitored. Ensure your firewall only allows the minimum amount of connections required for your business to operate. If you need any ports or services open for your business to function, the PCI DSS wants to know why, and how you’re going to protect against those open areas.

3. Restrict as much traffic as possible
An organization’s firewalls should be configured to protect the sensitive card data environment at all costs. The easiest way to do this is by restricting and controlling the flow of traffic as much as possible, specifically around the cardholder data environment.

Depending on how complex your environment is, you might require many firewalls to ensure all systems are separated correctly. The more control you have, the less chance an attacker has at getting through unprotected Internet connections. Don’t forget to consult your network diagram when considering firewall placement.

SEE ALSO: How Does Network Segmentation Affect PCI Scope?

The PCI DSS does a great job of listing how firewalls should ensure blockage of all unwanted traffic through segmentation and rule sets. Here are a few examples:
  • 1.2.1: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
  • 1.3: Prohibit direct public access between the Internet and any system component in the cardholder data environment.
  • 1.3.7: Place system components that store cardholder data (such as a database) in an internal network zone, segregated from untrusted networks.
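The points in tips 1, 2, and 3 can be tried out in a small model. The following is an added example, not SecurityMetrics’ code or any firewall vendor’s: a first-match policy evaluator over named network zones, plus the review pass a QSA would run over the rule set. evaluate() shows that with no ACL the device’s default decides everything, so an empty rule set on a default-allow firewall lets all traffic through (tip 1), while a PCI-style rule set permits only justified flows and ends with an explicit deny-all (1.2.1). audit() checks the documentation side (tip 2): allow rules with no business justification, rules that permit direct Internet access to the cardholder data environment (1.3), and rules not reviewed in the last six months. Zone names, ports, justifications and dates are all constructed for illustration.

```python
"""First-match firewall policy model with a PCI-style rule-set review.

Added example (not SecurityMetrics' code). Zones, ports and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str                    # "internet", "dmz", "cde", or "*" for any
    dst_zone: str
    proto: str                       # "tcp", "udp", or "*"
    dport: Optional[int]             # None matches any destination port
    action: str                      # "allow" or "deny"
    justification: str = ""          # why the business needs this flow open
    last_reviewed: Optional[date] = None


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_zone in ("*", pkt.src_zone)
            and rule.dst_zone in ("*", pkt.dst_zone)
            and rule.proto in ("*", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules, pkt, default="allow"):
    """First matching rule wins; `default` is what the device does when nothing matches.
    Many firewalls ship with default allow, which is why an empty ACL protects nothing."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return default


def _is_deny_all(rule: Rule) -> bool:
    return (rule.action == "deny" and rule.src_zone == "*" and rule.dst_zone == "*"
            and rule.proto == "*" and rule.dport is None)


def audit(rules, today, review_interval=timedelta(days=182)):
    """Findings a semiannual rule-set review should raise, in rule order."""
    findings = []
    for i, rule in enumerate(rules, start=1):
        if rule.action == "allow" and not rule.justification.strip():
            findings.append(f"rule {i}: allow rule has no business justification")
        if (rule.action == "allow" and rule.src_zone in ("*", "internet")
                and rule.dst_zone in ("*", "cde")):
            findings.append(f"rule {i}: permits direct public access to the CDE (Req. 1.3)")
        if rule.last_reviewed is None or today - rule.last_reviewed > review_interval:
            findings.append(f"rule {i}: not reviewed in the last {review_interval.days} days")
    if not rules or not _is_deny_all(rules[-1]):
        findings.append("rule set does not end with an explicit deny-all (Req. 1.2.1)")
    return findings


# Constructed review date and rule sets.
TODAY = date(2016, 6, 1)
RECENT, STALE = date(2016, 3, 1), date(2015, 9, 1)

PCI_RULES = [
    Rule("internet", "dmz", "tcp", 443, "allow", "Public storefront web tier", RECENT),
    Rule("dmz", "cde", "tcp", 3306, "allow", "Web tier to payment database", RECENT),
    Rule("cde", "internet", "tcp", 443, "allow", "Outbound to payment processor API", RECENT),
    Rule("*", "*", "*", None, "deny", "Explicit deny-all", RECENT),
]

SLOPPY_RULES = [
    # Public access straight to the database, undocumented and not reviewed in months.
    Rule("internet", "cde", "tcp", 3306, "allow", "", STALE),
    Rule("internet", "dmz", "tcp", 443, "allow", "Public storefront web tier", RECENT),
]

if __name__ == "__main__":
    db_from_internet = Packet("internet", "cde", "tcp", 3306)
    print("no ACL, default allow:", evaluate([], db_from_internet))
    print("PCI rule set:", evaluate(PCI_RULES, db_from_internet))
    for finding in audit(SLOPPY_RULES, TODAY):
        print("FINDING:", finding)
```

Running the block prints the two evaluations of an Internet-to-database connection (allowed with no ACL, denied under the PCI rule set) and the four findings against SLOPPY_RULES: no justification, direct public access to the CDE, a stale review date, and no closing deny-all.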

SEE ALSO: PCI Requirement 7: 5 Reasons You Should Limit Employee Access to Your Data

4. Protect new technology
One of the biggest challenges firewalls face is that an organization’s network perimeter is no longer well defined, due to new technology practices like BYOD and cloud storage. Because mobile devices typically don’t have a firewall enabled, and because they aren’t policed by traditional perimeter firewalls, they can become a huge risk.

That’s why the PCI DSS requires businesses to install personal network firewall software on mobile and other employee-owned devices that connect to the Internet and also access the network.

5. Monitor and tighten control
As stated earlier, network firewalls aren’t a plug-and-forget technology. No matter the size of your environment, things change over time. The firewall rules in play today will need to be refined in a few months. That’s why PCI DSS requirements state organizations must review firewall and router rule sets at least every six months. Besides forcing you to confirm every gap is still closed, the review gives you the chance to revamp your firewall strategy.

Log management also plays a vital role in monitoring firewall security (and is yet another PCI DSS requirement). Logs keep track of both normal and potentially damaging user actions happening against a firewall and help prevent, detect, and minimize the impact of a data breach. If event log software is configured correctly, administrators can be alerted if firewall logs indicate an attack.

Keep in mind that nearly all network firewalls have very limited logging space, so it’s important to set up a logging server and configure your firewall logs to go to that server.
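What “configured correctly” looks like once the logs reach that server can be shown with a few lines of code. The following is an added example, not SecurityMetrics’ code or any logging product’s: it parses constructed iptables-style syslog lines (the `[FW-DROP]`/`[FW-ACCEPT]` prefixes, hostnames, TEST-NET and RFC 1918 addresses and subnets are all made up for illustration) and raises the two alerts an administrator most wants from firewall logs: one source being denied on many different destination ports, and accepted connections into the cardholder data environment from an address outside every trusted network, which is a sign the rule set has drifted since the last review.

```python
"""Alerting on centralised firewall logs.

Added example (not SecurityMetrics' code). Log lines, prefixes, addresses and
subnets below are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines as a syslog server would receive them from the firewall.
LOG_LINES = """\
Jun  1 10:15:02 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22
Jun  1 10:15:02 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23
Jun  1 10:15:03 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=445
Jun  1 10:15:03 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=3306
Jun  1 10:15:04 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51238 DPT=3389
Jun  1 10:15:09 fw1 kernel: [FW-ACCEPT] IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443
Jun  1 10:15:11 fw1 kernel: [FW-ACCEPT] IN=eth0 OUT=eth2 SRC=198.51.100.8 DST=10.10.20.5 PROTO=TCP SPT=40001 DPT=3306
Jun  1 10:15:12 fw1 kernel: [FW-DROP] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=5000 DPT=161
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: \[FW-(?P<action>DROP|ACCEPT)\] "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for a recognised firewall log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["dport"] = int(entry["dport"])
    return entry


def parse_lines(lines):
    """Parse every recognised line, silently skipping unrelated syslog noise."""
    return [e for e in (parse_line(line) for line in lines) if e]


def detect_probes(entries, min_ports=5):
    """Sources denied on at least `min_ports` distinct destination ports, busiest first."""
    ports_per_src = defaultdict(set)
    for e in entries:
        if e["action"] == "DROP":
            ports_per_src[e["src"]].add(e["dport"])
    hits = [(src, len(ports)) for src, ports in ports_per_src.items() if len(ports) >= min_ports]
    return sorted(hits, key=lambda hit: -hit[1])


def unexpected_accepts(entries, cde_net, trusted_nets):
    """Accepted flows into the CDE whose source lies outside every trusted network."""
    cde = ipaddress.ip_network(cde_net)
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    flagged = []
    for e in entries:
        if e["action"] != "ACCEPT":
            continue
        src, dst = ipaddress.ip_address(e["src"]), ipaddress.ip_address(e["dst"])
        if dst in cde and not any(src in net for net in trusted):
            flagged.append((e["src"], e["dst"], e["dport"]))
    return flagged


if __name__ == "__main__":
    entries = parse_lines(LOG_LINES)
    for src, n in detect_probes(entries):
        print(f"ALERT probe: {src} denied on {n} distinct ports")
    for src, dst, port in unexpected_accepts(entries, "10.10.20.0/24", ["192.0.2.0/24"]):
        print(f"ALERT CDE access: {src} -> {dst}:{port} accepted from an untrusted source")
```

In the sample data the first alert fires for 203.0.113.5 (five different ports denied within a few seconds) and the second for the accepted 198.51.100.8 connection to the database host in the 10.10.20.0/24 CDE zone; the accepted HTTPS connection to the web tier is not flagged because its destination is outside the CDE. The thresholds and subnets are parameters so the same checks can be pointed at a real zone layout.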

The future of firewalls

It’s unknown if network firewalls will stand the test of time. They are the bedrock of most data security strategies, but their technology is over 30 years old. To stay up to speed with attackers, future firewall manufacturers must increase processing speeds, support the cloud, be more customizable, and withstand new hacking methodologies.

For now, firewalls shouldn’t be your only line of defense. Instead, they should act as a complement to other security technologies, adding yet another layer to an already robust security posture.

Mike Riesen is a Security Analyst and has been with SecurityMetrics for over 2 years, doing PCI DSS assessments. He is a graduate of the University of Utah, and has worked in the IT industry for over 15 years.
