The first requirement of PCI DSS is one of 2 requirements directed at building and maintaining a secure network. Requirement 1: Install and maintain a firewall configuration to protect cardholder data. This requirement is broken down into 4 subrequirements, 2 of which are broken down into further subrequirements. All the subrequirements are directed towards installing and maintaining a firewall for protection.
The first subrequirement, 1.1, is defined as establishing firewall and router configuration standards; the details are spelled out in Subrequirement 1.1’s own subrequirements. Firewalls and routers control outside access into the network and what information goes out of the network. They also control the access privileges granted to groups of users. To better understand how networks work, watch the following 3D videos. While the videos are somewhat old, they give a basic understanding of network routers/switches and firewalls. Pay particular attention to the section on routers and firewalls at the top of the TCP/IP stack.
You’ll note in the above video that the routers and switches move the packets around on the internal company network. These routers and switches must be correctly configured to grant or deny access to certain portions of the network. They can be located inside the network or just outside it.
You should also note the Network Interface or Proxy (also known as a Proxy Server). The packet content is inspected as it goes into and out of the internal network. The unacceptable address that is “summarily” dealt with in the video is blocked only because a systems administrator configured the proxy server with the information about which addresses are unacceptable. This would fall under Subrequirement 1.1.
The firewall is another layer that looks at the IP (information) packets to examine the content. Towards the end of the presentation, the firewall is configured for ports 80 and 25. The ports are similar to doors. Some doors are open and other doors are closed. Configuring which doors are open and which are closed is up to a systems administrator or network administrator. The same goes for the internal firewall, the “policeman” in the video.
Firewalls and routers can be software based, hardware based, or both. This simply means that they are either physical, plugged-in hardware that probably requires some configuration, or software, or a combination of the two. While this is all very well, configuring them is the core of Requirement 1.1. The requirement clearly calls for a “standard”, basically a policy for configuring the firewalls and routers within a secure network. A company needs policies and procedures in place so that staff correctly configure the routers and firewalls to work as a cohesive unit in a network. It also supplies documentation that substantiates a company’s procedures.
It’s important to note that a QSA (Qualified Security Assessor) will ask for documentation and diagrams of the firewall/router and network configurations. This helps them determine the scope of the network that must be compliant and what policies and procedures are being followed. The documentation itself is a requirement, as is the network configuration. The QSA will test the network against the documentation as well as run security scans and tests.
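As an added illustration (not part of the original post or of the PCI DSS text), here is a small Python audit that does what the QSA does by hand: it compares a firewall ruleset against the documented configuration standard and reports every deviation. The standard (ports 80 and 25 allowed inbound, default deny) and the iptables-style ruleset are constructed sample data for this example, not taken from any real system.

```python
"""Audit a firewall ruleset against a documented configuration standard."""
import re

# Documented standard (constructed): which inbound "doors" may be open on the
# Internet-facing firewall, and the default posture for everything else.
STANDARD = {
    "allowed_inbound": {("tcp", 80), ("tcp", 25)},  # web and mail, as in the post
    "default_policy": "DROP",
}

# Constructed iptables-save style ruleset; note the undocumented telnet port
# and the permissive default policy, both of which the standard forbids.
RULESET = """
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 23 -j ACCEPT
"""

RULE_RE = re.compile(r"^-A INPUT .*?-p (\w+) .*?--dport (\d+) .*?-j (\w+)$")
POLICY_RE = re.compile(r"^:INPUT (\w+)")


def parse_rules(text):
    """Return (default INPUT policy, set of (proto, port) accepted inbound)."""
    policy = None
    accepted = set()
    for line in text.strip().splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m and m.group(3) == "ACCEPT":
            accepted.add((m.group(1), int(m.group(2))))
    return policy, accepted


def audit(ruleset_text, standard):
    """Compare the ruleset with the standard; return a list of findings."""
    policy, accepted = parse_rules(ruleset_text)
    findings = []
    if policy != standard["default_policy"]:
        findings.append(f"default INPUT policy is {policy}, standard requires {standard['default_policy']}")
    for proto, port in sorted(accepted - standard["allowed_inbound"]):
        findings.append(f"undocumented open port {port}/{proto}")
    for proto, port in sorted(standard["allowed_inbound"] - accepted):
        findings.append(f"documented service {port}/{proto} is not permitted by the ruleset")
    return findings


if __name__ == "__main__":
    for finding in audit(RULESET, STANDARD):
        print("FINDING:", finding)
```

Run against the sample ruleset it reports two findings: the permissive default policy and the undocumented port 23/tcp; a ruleset that matches the standard produces an empty list.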
In my next post, I’ll begin detailing the rest of Subrequirement 1.1.
