PCI 1:: Difference between revisions

From HORSE - Holistic Operational Readiness Security Evaluation.


--[[User:Mdpeters|Mdpeters]] 08:20, 26 June 2006 (EDT)
--[[User:Mdpeters|Mdpeters]] 08:33, 26 June 2006 (EDT)

Revision as of 12:33, 26 June 2006

Requirement 1: Install and maintain a firewall configuration to protect data.

  • Firewalls are computer devices that control computer traffic allowed into a company’s network from outside, as well as traffic into more sensitive areas within a company’s internal network. All systems need to be protected from unauthorized access from the Internet, whether for e-commerce, employees’ Internet-based access via desktop browsers, or employees’ email access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.



PCI-1.1 Establish firewall configuration standards that include:


PCI-1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration.


PCI-1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks.


PCI-1.1.3 Requirements for a firewall at each Internet connection and between any DMZ and the Intranet.


PCI-1.1.4 Description of groups, roles, and responsibilities for logical management of network components.


PCI-1.1.5 Documented list of services/ports necessary for business.


PCI-1.1.6 Justification and documentation for any available protocols besides HTTP and SSL, SSH, and VPN.


PCI-1.1.7 Justification and documentation for any risky protocols allowed (FTP, etc.), which includes reason for use of protocol and security features implemented.


PCI-1.1.8 Periodic review of firewall/router rule sets.


PCI-1.1.9 Configuration standards for routers.



PCI-1.2 Build a firewall configuration that denies all traffic from “untrusted” networks/hosts, except for:


PCI-1.2.1 Web protocols - HTTP (port 80) and Secure Sockets Layer (SSL) (typically port 443).


PCI-1.2.2 System administration protocols (e.g., Secure Shell (SSH) or Virtual Private Network (VPN)).


PCI-1.2.3 Other protocols required by the business (e.g., for ISO 8583).



PCI-1.3 Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration should include:


PCI-1.3.1 Restricting inbound Internet traffic to IP addresses within the DMZ (ingress filters).


PCI-1.3.2 Restricting inbound and outbound Internet traffic to ports 80 and 443.


PCI-1.3.3 Not allowing internal addresses to pass from the Internet into the DMZ (egress filters).


PCI-1.3.4 Stateful inspection, also known as dynamic packet filtering (only “established” connections are allowed into the network).


PCI-1.3.5 Placing the database in an internal network zone, segregated from the DMZ.


PCI-1.3.6 Restricting outbound traffic to that which is necessary for the payment card environment.


PCI-1.3.7 Securing and synchronizing router configuration files (e.g., running configuration files – used for normal running of the routers, and start-up configuration files - used when machines are re-booted, should have the same, secure configuration).


PCI-1.3.8 Denying all other inbound and outbound traffic not specifically allowed.


PCI-1.3.9 Installation of perimeter firewalls between any wireless networks and the payment card environment, and configuration of these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment.


PCI-1.3.10 Installation of personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (e.g., laptops used by employees), which are used to access the organization’s network.



PCI-1.4 Prohibit direct public access between external networks and any system component that stores cardholder information (e.g., databases).


PCI-1.4.1 Implement a DMZ to filter and screen all traffic, to prohibit direct routes for inbound and outbound Internet traffic.


PCI-1.4.2 Restrict outbound traffic from payment card applications to IP addresses within the DMZ.




PCI-1.5 Implement Internet Protocol (IP) masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as Port Address Translation (PAT) or Network Address Translation (NAT).


--Mdpeters 08:33, 26 June 2006 (EDT)
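The controls above read as a checklist, but PCI-1.1.8 asks for periodic review of the rule sets, and that review is easiest when the checks are mechanical. The following is an added example for this page, not code from the HORSE wiki or from the PCI Security Standards Council: it audits a simplified rule table against the checks that can be stated purely in terms of addresses, ports and rule order (PCI-1.3.1 through 1.3.4, 1.3.8 and 1.4.2). The `Rule` format, the direction semantics ("in" is traffic arriving on the Internet-facing interface, "out" is traffic leaving toward the Internet, first match wins), the DMZ and cardholder-zone subnets, the port 8443 and both sample rule sets are constructed assumptions for illustration.

```python
"""Audit a simplified firewall rule table against the Requirement 1 controls above.
Added example, not code from the HORSE wiki or from PCI DSS. Rule format, zone
subnets and both sample rule sets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zones: web tier in the DMZ, cardholder database in an internal
# zone segregated from it (PCI-1.3.5).
DMZ = ipaddress.ip_network("192.168.10.0/24")
CARD_ZONE = ipaddress.ip_network("10.20.0.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}  # PCI-1.2.1 / PCI-1.3.2


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" (arriving from the Internet) or "out"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # destination port, None = any port
    state: str = "new"           # "new" or "established" (PCI-1.3.4 stateful rule)


def _in_zone(cidr: str, zone: ipaddress.IPv4Network) -> bool:
    """True when cidr lies entirely inside zone; the wildcard "any" never does."""
    return cidr != "any" and ipaddress.ip_network(cidr).subnet_of(zone)


def _is_private(cidr: str) -> bool:
    return any(_in_zone(cidr, block) for block in RFC1918)


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per violated control; an empty list means all checks passed."""
    findings: List[str] = []
    for direction in ("in", "out"):
        chain = [r for r in rules if r.direction == direction]
        deny_all = Rule("deny", direction, "any", "any")
        # PCI-1.2 / PCI-1.3.8: each chain must close with an explicit deny-all.
        if not chain or chain[-1] != deny_all:
            findings.append(f"PCI-1.3.8: '{direction}' chain does not end with deny any -> any")
        # PCI-1.1.8: rules shadowed by an earlier deny-all are dead and mislead reviewers.
        if deny_all in chain[:-1]:
            findings.append(f"PCI-1.1.8: '{direction}' chain has unreachable rules after a deny-all")

    inbound = [r for r in rules if r.direction == "in"]
    # PCI-1.3.3: RFC 1918 sources arriving from the Internet are spoofed; they must be
    # dropped before any allow rule gets a chance to match them.
    first_allow = next((i for i, r in enumerate(inbound) if r.action == "allow"), len(inbound))
    antispoof = [r for r in inbound[:first_allow] if r.action == "deny" and r.src != "any"]
    missing = [str(b) for b in RFC1918
               if not any(b.subnet_of(ipaddress.ip_network(r.src)) for r in antispoof)]
    if missing:
        findings.append(f"PCI-1.3.3: no inbound deny for internal space {missing} before first allow")

    for r in inbound:
        if r.action != "allow" or r.state == "established":
            continue  # return traffic of sessions opened from inside is handled by state
        if not _in_zone(r.dst, DMZ):
            findings.append(f"PCI-1.3.1: inbound allow to {r.dst} is not confined to the DMZ")
        if r.dport not in WEB_PORTS:
            findings.append(f"PCI-1.3.2: inbound allow on port {r.dport} is not HTTP/SSL (80/443)")
        if _is_private(r.src):
            findings.append(f"PCI-1.3.3: inbound allow from internal address space {r.src}")

    if not any(r.action == "allow" and r.state == "established" for r in inbound):
        findings.append("PCI-1.3.4: no stateful 'established' rule; return traffic needs open ports")

    # PCI-1.4.2 / PCI-1.3.6: card-zone hosts may talk to the DMZ only, never straight out.
    for r in rules:
        if (r.direction == "out" and r.action == "allow"
                and _in_zone(r.src, CARD_ZONE) and not _in_zone(r.dst, DMZ)):
            findings.append(f"PCI-1.4.2: outbound allow from card zone {r.src} to {r.dst} bypasses DMZ")
    return findings


# Constructed rule set that satisfies every encoded check.
GOOD_RULES = [
    Rule("deny", "in", "10.0.0.0/8", "any"),
    Rule("deny", "in", "172.16.0.0/12", "any"),
    Rule("deny", "in", "192.168.0.0/16", "any"),
    Rule("allow", "in", "any", "any", state="established"),
    Rule("allow", "in", "any", "192.168.10.0/24", 80),
    Rule("allow", "in", "any", "192.168.10.0/24", 443),
    Rule("deny", "in", "any", "any"),
    Rule("allow", "out", "192.168.10.0/24", "any", 443),
    Rule("allow", "out", "10.20.0.0/24", "192.168.10.0/24", 8443),  # constructed app port
    Rule("allow", "out", "any", "any", state="established"),
    Rule("deny", "out", "any", "any"),
]

# Constructed rule set with the mistakes the controls above are written to catch.
BAD_RULES = [
    Rule("allow", "in", "any", "192.168.10.0/24", 80),
    Rule("allow", "in", "any", "10.20.0.0/24", 22),  # Internet straight into the card zone
    Rule("allow", "out", "10.20.0.0/24", "any"),      # database may reach the Internet directly
    Rule("deny", "out", "any", "any"),
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, audit(rules) or ["no findings"])
```

Running the block prints no findings for `GOOD_RULES` and six for `BAD_RULES`: a missing inbound deny-all, no anti-spoofing drop of RFC 1918 sources, an inbound allow that reaches past the DMZ on a non-web port, no stateful rule, and a card-zone host permitted to leave without passing through the DMZ. For a real review the `Rule` records would be built from the firewall's exported configuration rather than typed by hand; the checks themselves encode only what the controls above state, so anything the business has justified under PCI-1.1.6 or PCI-1.1.7 (an extra port, an additional protocol) needs to be added to `WEB_PORTS` or handled as a documented exception rather than silently accepted.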