What are firewalls and how do they help protect your business?
Firewalls are one of the oldest computer security defenses and they remain a foundation of network protection today. Because so much of data security starts at the network boundary, firewalls are the subject of an entire requirement of the Payment Card Industry Data Security Standard (PCI DSS): Requirement 1, "Install and maintain a firewall configuration to protect cardholder data."
But simply installing a firewall at your organization's network perimeter doesn't make you compliant with the PCI DSS. A firewall must be correctly installed, updated, and maintained. Firewall and router rule sets must also be reviewed at least every six months, a process many organizations struggle with.
I've compiled five tips that cover the main themes of PCI DSS Requirement 1, to help you understand the basics behind some of its more complicated sub-requirements. But before we dig in, let's quickly cover some firewall basics.
See Also: PCI Compliant Firewalls: 5 Things You're Doing Wrong
White Paper: How to Implement and Maintain PCI Compliant Firewalls
Network firewalls can be hardware appliances or software, and they provide a network's first line of defense. A firewall restricts incoming and outgoing traffic according to rules and criteria the organization configures.
A hardware firewall, or perimeter firewall, sits between an organization's network and the Internet to protect the systems inside. A software (host-based or personal) firewall protects only the device it is installed on. Many computers ship with a software firewall, but PCI DSS specifically requires one on portable devices, such as employee laptops, that connect to the Internet outside the network and are also used to reach the cardholder data environment.
In summary, a perimeter firewall protects the environment from the outside world, and a host firewall protects a specific device, including from threats already inside the network. If an attacker tries to reach your systems from the Internet, the perimeter firewall should block the connection. If a sales manager clicks a link in a phishing email and malware lands on the laptop, the host firewall will not stop the infection by itself, but it can block inbound connections to the laptop and, if outbound rules are configured, the malware's attempts to call back to the attacker or spread to other machines.
Because they stand as an organization's first line of defense, firewalls get a lot of attention from attackers. All too often, firewalls are riddled with configuration flaws and aren't actually protecting the systems that touch payment card data.
With over 20 PCI DSS sub-requirements outlining firewall specifics, your obligations can be overwhelming.
After you purchase a firewall capable of meeting PCI DSS requirements (SecurityMetrics Qualified Security Assessors (QSAs) recommend network firewalls from SonicWALL, Cisco, and Juniper), focus on the following five items to make the most of your firewall security strategy:
Just because your business has a firewall doesn't mean it's effective. Many businesses incorrectly treat network firewalls as plug-and-play technology. Instead, establish rules (access control lists, or ACLs) that tell the firewall which traffic you trust into and out of your network. Firewall rules typically let you allow or deny traffic by source and destination address, port, and protocol, so you can whitelist or blacklist specific hosts, networks, and services.
See also: Configuring and Maintaining Your Firewall with SecurityMetrics Managed Firewall
If no ACLs have been configured, the firewall enforces nothing beyond its default policy, and on many devices that means everything is allowed into or out of the network. Rules are what give firewalls their security power, and PCI DSS Requirement 1.2.1 expects rule sets to permit only the traffic the cardholder data environment needs and to explicitly deny everything else. Rules must be maintained and updated constantly to remain effective.
As you set up your ACLs, remember that large, unconsolidated rule sets are hard to audit and can degrade throughput on some devices. (This is one reason system administrators often resent firewalls.) If you're experiencing slowdowns, or need help consolidating a giant rule set, you might benefit from security consulting with a QSA.
Learn how to correctly configure a simple firewall in 5 steps.
A large part of your PCI firewall compliance effort should go into recording what you've done. Also known as documentation (and widely considered a pain), this process is absolutely necessary for true PCI DSS compliance, and for your own sanity.
Firewall documentation helps your team understand what has been done, what still needs to be done, and where the problems are in your environment. Ultimately, it keeps your security efforts organized. As a bonus, documentation makes next year's job easier: updating existing documentation is much easier than starting from scratch.
The most important documentation pieces from PCI DSS Requirement 1 include:
An organization's firewalls should be configured to protect the cardholder data environment first and foremost. The most direct way to do this is to restrict and control the flow of traffic as tightly as possible, specifically into and out of the cardholder data environment.
Depending on how complex your environment is, you might need several firewalls (or firewall interfaces) to ensure all systems are separated correctly. The tighter your control over each boundary, the less chance an attacker has of reaching the cardholder data environment through an unprotected Internet connection or an adjacent, less-protected network. Consult your network diagram, which PCI DSS requires you to keep current, when deciding where firewalls belong.
See also: How Does Network Segmentation Affect PCI Scope?
The PCI DSS does a thorough job of spelling out how firewalls should block all unwanted traffic through segmentation and rule sets. Here are a few examples:
See also: PCI Requirement 7: 5 Reasons You Should Limit Employee Access to Your Data
One of the biggest challenges firewalls face is that an organization's network perimeter is no longer well defined, thanks to practices like BYOD and cloud storage. Because mobile and employee-owned devices often have no managed host firewall, and because the perimeter firewall can't police them when they're off the network, they can become a major risk.
That's why PCI DSS Requirement 1.4 requires personal firewall software (or equivalent functionality) on any portable computing device, company- or employee-owned, that connects to the Internet when outside the network and is also used to access the cardholder data environment.
As stated earlier, network firewalls aren't plug-and-forget technology. No matter the size of your environment, things change over time: systems are added and retired, and rules that are right today will need adjusting in a few months. That's why PCI DSS requires organizations to review firewall and router rule sets at least every six months. The review forces you to confirm that every gap is still closed, and it's also the chance to remove stale rules and rethink your firewall strategy.
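The two points above, explicit rules ending in a deny-all and a periodic review of the rule set, are easier to see in code. The following is an added example written for this page, not code from SecurityMetrics or any firewall vendor: a first-match rule evaluator with the device's default policy made explicit, and a `review()` that raises the findings a six-month review should produce (rules that allow every port and protocol, allow rules with no business justification, rules shadowed by an earlier rule, and a missing terminal deny-all). The network ranges, hosts and rules are constructed, and the rule fields are a simplification of what a real firewall's policy editor exposes.

```python
"""Model a PCI-style firewall rule set: first-match evaluation with an
explicit default deny, plus the checks a semiannual rule review should run.
Added example for this page; the addresses, ports and rules are constructed,
not taken from a real environment."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FULL_RANGE = (0, 65535)   # "any port"


@dataclass
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    ports: tuple             # inclusive (low, high) destination port range
    justification: str = ""  # PCI DSS 1.1.6 wants one for every allowed service

    def matches(self, src, dst, proto, port):
        """Does a single packet hit this rule?"""
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.ports[0] <= port <= self.ports[1])

    def covers(self, other):
        """Is every packet that matches `other` also matched by this rule?"""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1])


CATCH_ALL = Rule("catch-all", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", FULL_RANGE)


def evaluate(rules, src, dst, proto, port, default="deny"):
    """First matching rule wins. `default` is the device's policy when nothing
    matches; PCI DSS 1.2.1 expects that to be deny, not allow."""
    for rule in rules:
        if rule.matches(src, dst, proto, port):
            return rule.action, rule.name
    return default, "<default>"


def review(rules):
    """The findings a six-month rule review should raise."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow":
            if rule.proto == "any" and rule.ports == FULL_RANGE:
                findings.append(f"{rule.name}: allows every port and protocol; "
                                "restrict to necessary services (1.2.1)")
            if not rule.justification:
                findings.append(f"{rule.name}: no business justification (1.1.6)")
        # A rule fully covered by an earlier one can never match: dead weight
        # that bloats the set and hides the policy actually in force.
        for earlier in rules[:i]:
            if earlier.covers(rule):
                findings.append(f"{rule.name}: shadowed by {earlier.name}, never matches")
                break
    if not rules or rules[-1].action != "deny" or not rules[-1].covers(CATCH_ALL):
        findings.append("no terminal deny-all rule (1.2.1)")
    return findings


# Constructed sample: DMZ web tier, cardholder data environment, office LAN.
DMZ, CDE, CORP = "10.10.10.0/24", "10.10.20.0/24", "10.10.30.0/24"
RULES = [
    Rule("web-to-cde-db", "allow", DMZ, "10.10.20.5/32", "tcp", (5432, 5432),
         "payment app must reach its database"),
    Rule("admin-ssh", "allow", "10.10.30.7/32", CDE, "tcp", (22, 22),
         "CDE administration from the jump host"),
    Rule("corp-to-cde", "allow", CORP, CDE, "any", FULL_RANGE),  # too broad, undocumented
    Rule("legacy-telnet", "allow", CORP, CDE, "tcp", (23, 23), "old POS management"),  # shadowed
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", "any", FULL_RANGE,
         "PCI DSS 1.2.1: deny everything not explicitly allowed"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.10.10.4", "10.10.20.5", "tcp", 5432))  # ('allow', 'web-to-cde-db')
    print(evaluate(RULES, "203.0.113.9", "10.10.20.5", "tcp", 22))   # ('deny', 'deny-all')
    # Same packet with no deny-all and a permissive device default: it gets through.
    print(evaluate(RULES[:-1], "203.0.113.9", "10.10.20.5", "tcp", 22, default="allow"))
    for finding in review(RULES):
        print("REVIEW:", finding)
```

The third `evaluate` call is the plug-and-play failure mode from earlier: drop the terminal deny-all on a device whose default policy is permissive and an Internet host reaches SSH on the database server. The review output is also the raw material for the documentation PCI DSS asks for, since every allow rule that survives the review should carry its justification.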
Log management also plays a vital role in monitoring firewall security (and is itself a PCI DSS requirement, under Requirement 10). Logs record both routine and potentially hostile activity at the firewall and help you prevent, detect, and limit the impact of a data breach. If your log management software is configured correctly, administrators can be alerted when firewall logs indicate an attack.
Keep in mind that most network firewalls have very limited local log storage, so set up a central logging server and configure your firewall to forward its logs there.
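As an added example, not the page's own tooling or any vendor's, here is what "alerting when firewall logs indicate an attack" looks like once the logs reach a central server: a parser for netfilter-style deny lines and a sliding-window check that flags a source probing many distinct ports on the cardholder data environment. The log lines are constructed for the example; the `CDE-DROP` prefix, the field layout and the `year` argument (classic syslog timestamps carry no year) are assumptions, and a real device will need the regex adapted to its format.

```python
"""Turn centralized firewall deny logs into an alert: flag any source denied
on many distinct ports within a short window, the signature of a port scan.
Added example for this page; the log lines are constructed in an
iptables-LOG-style format with an assumed "CDE-DROP" prefix."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Mar 14 02:10:01 fw1 kernel: CDE-DROP IN=eth0 SRC=203.0.113.9 DST=10.10.20.5 PROTO=TCP DPT=22
Mar 14 02:10:02 fw1 kernel: CDE-DROP IN=eth0 SRC=203.0.113.9 DST=10.10.20.5 PROTO=TCP DPT=23
Mar 14 02:10:02 fw1 kernel: CDE-DROP IN=eth0 SRC=203.0.113.9 DST=10.10.20.5 PROTO=TCP DPT=445
Mar 14 02:10:03 fw1 kernel: CDE-DROP IN=eth0 SRC=203.0.113.9 DST=10.10.20.5 PROTO=TCP DPT=3389
Mar 14 02:10:04 fw1 kernel: CDE-DROP IN=eth0 SRC=203.0.113.9 DST=10.10.20.5 PROTO=TCP DPT=5432
Mar 14 02:10:05 fw1 kernel: CDE-DROP IN=eth0 SRC=203.0.113.9 DST=10.10.20.5 PROTO=TCP DPT=8080
Mar 14 02:11:30 fw1 kernel: CDE-DROP IN=eth0 SRC=198.51.100.4 DST=10.10.20.5 PROTO=TCP DPT=443
Mar 14 02:30:00 fw1 kernel: CDE-DROP IN=eth0 SRC=198.51.100.4 DST=10.10.20.5 PROTO=TCP DPT=443
"""

# Assumed line layout; adapt this one regex for a different device.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: CDE-DROP .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def parse(text, year=2024):
    """Parse deny lines into (timestamp, src, dst, proto, dport) tuples.
    Classic syslog omits the year, so the caller supplies it (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unrelated line or a format the regex does not know
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def detect_probes(events, min_ports=5, window_s=60):
    """Per source, slide a window_s-second window over its denied hits and
    alert if any window touches at least min_ports distinct destination ports.
    Returns [(src, sorted_ports)] for the widest window per offending source."""
    by_src = defaultdict(list)
    for ts, src, _dst, _proto, dport in events:
        by_src[src].append((ts, dport))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        best, start = set(), 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1  # drop hits that fell out of the window
            window_ports = {p for _, p in hits[start:end + 1]}
            if len(window_ports) > len(best):
                best = window_ports
        if len(best) >= min_ports:
            alerts.append((src, sorted(best)))
    return alerts


if __name__ == "__main__":
    for src, ports in detect_probes(parse(SAMPLE_LOG)):
        print(f"ALERT: {src} probed {len(ports)} CDE ports in under 60s: {ports}")
```

In production the input would be the stream arriving at the central syslog server recommended above, not a string, and the alert would go to whoever is on call; the thresholds are a starting point to tune against your own baseline so that a single retried connection (the second source in the sample) does not page anyone.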
It's unknown whether network firewalls will stand the test of time. They are the bedrock of most data security strategies, but the technology is over 30 years old. To keep pace with attackers, firewall vendors will need to increase throughput, support the cloud, offer more customization, and withstand new attack techniques.
Firewalls should not be your only defense. They should act as a complement to other security technologies and add one more layer to an already robust security posture.