PCI DSS 1.2 – Restrict connections between untrusted networks

Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

How do I comply with requirement 1.2? This requirement is all about network architecture: ensuring that a cardholder data environment (CDE) has been defined and that all access to/from this CDE has been approved and has a valid, documented business justification. In other words, a whitelisting approach (deny everything by default and permit only the specific flows that are needed) rather than a blacklisting approach (permit everything and block what is known to be bad).

This is often the most difficult requirement for organisations to comply with. As security consultants, our team has seen large organisations with either a flat network or a network designed without any consideration of where credit card data sits. As a result, a major re-design of the network is required (or else the business must accept that the scope of PCI DSS is far greater than it should be).

As with any compliance program, the smaller the scope of the audit/assessment, the greater the chance the organisation in question has of achieving compliance. It is therefore highly recommended to create a CDE and segment it from the rest of the network using firewalls and secured VLANs. Note that a VLAN on its own is not segmentation: traffic between the CDE VLAN and every other VLAN must still be filtered by a firewall or router ACL, and the segmentation must be verified (for example by attempting to reach CDE hosts from out-of-scope segments) before it can be used to reduce scope.

Technologies that identify and remove unnecessary stored credit card data across the network (such as Enterprise Recon from Groundlabs) are also highly recommended. Every system that no longer stores card data can be moved out of the CDE, which reduces its size, reduces the scope of the assessment and makes compliance more manageable.

In the event that re-designing the network to create a ‘PCI CDE’ is considered ‘too hard’, produce two cost estimates: one for achieving compliance with the ‘as-is’ network, and one for achieving compliance once a CDE has been created and the scope appropriately reduced. The difference in cost to the business between these two cases can often be used to build a business case for purchasing the required infrastructure or segmenting the network as required for compliance.

Requirement 1.2 also addresses the day-to-day procedures of the firewall team (or the person/team responsible for firewall management, depending on the size of the organisation), including securing router configuration files and keeping the running and start-up configurations synchronised so that a device reboot cannot silently reintroduce an insecure configuration. Tools that can help with firewall and router configuration management and review are:

– Firemon (www.firemon.com/)
– Titania (https://www.titania.com/nipperstudio/networksecuritytool)
– Solarwinds (http://www.solarwinds.com)

Secure router configuration guidelines are freely available from the majority of manufacturers, e.g. Cisco’s guide to hardening Cisco IOS devices:

In terms of wireless traffic, deny all traffic from any wireless environment into the CDE by default, and be able to prove it (firewall rules and logs showing the deny). If wireless access to the CDE is genuinely required, ensure that only authorised wireless traffic is permitted, and that each such flow is documented and justified like any other CDE rule. This is linked to the wireless detection and testing procedures required under Requirement 11.
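As an added illustration, not part of the original article and not the output of any of the tools listed above, the following Python script reviews a constructed firewall ruleset for the properties Requirement 1.2 asks for: every allow rule that touches the CDE has a documented business justification, no CDE rule is overly broad (any source, any destination or any port), the ruleset ends in an explicit deny-all, and no wireless segment is permitted into the CDE. The CDE and wireless subnets, the rule format and the sample rules are all assumptions made for the example.

```python
"""Offline review of a firewall ruleset against the intent of PCI DSS 1.2.

Added example: the subnets, rule format and sample rules below are
constructed for illustration and do not describe any real environment.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List

CDE = ip_network("10.10.0.0/24")                                   # assumed CDE segment
WIRELESS = [ip_network("10.50.0.0/16"), ip_network("172.16.0.0/20")]  # assumed wireless segments
ANY = ip_network("0.0.0.0/0")


def net(s: str):
    """Translate the 'any' keyword into a catch-all network."""
    return ANY if s == "any" else ip_network(s)


@dataclass
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: str             # TCP/UDP port or "any"
    justification: str = ""  # business justification recorded with the rule


def touches_cde(r: Rule) -> bool:
    return net(r.src).overlaps(CDE) or net(r.dst).overlaps(CDE)


def review(rules: List[Rule]) -> List[str]:
    """Return one finding string per violation; an empty list means clean."""
    findings = []
    # 1. Default deny: the last rule must be an explicit any -> any deny.
    last = rules[-1] if rules else None
    if last is None or not (last.action == "deny" and last.src == "any" and last.dst == "any"):
        findings.append("ruleset does not end in an explicit deny-all rule (no default deny)")
    for r in rules:
        if r.action != "allow" or not touches_cde(r):
            continue
        src, dst = net(r.src), net(r.dst)
        # 2. Whitelisting: every flow into/out of the CDE needs a justification.
        if not r.justification.strip():
            findings.append(f"{r.name}: CDE rule has no documented business justification")
        # 3. Overly broad rules defeat the purpose of a whitelist.
        if src == ANY or dst == ANY or r.dport == "any":
            findings.append(f"{r.name}: CDE rule is overly broad (any source, destination or port)")
        # 4. Wireless must not reach the CDE.
        if dst.overlaps(CDE) and any(src.overlaps(w) for w in WIRELESS):
            findings.append(f"{r.name}: permits wireless -> CDE traffic")
    return findings


# Constructed sample ruleset, in evaluation order.
RULES = [
    Rule("web-to-db", "allow", "10.20.0.0/24", "10.10.0.0/24", "5432",
         "Payment application tier to card database, change CR-1042"),
    Rule("admin-jump", "allow", "10.30.0.5/32", "10.10.0.0/24", "22"),          # no justification
    Rule("staff-wifi", "allow", "10.50.1.0/24", "10.10.0.10/32", "443",
         "Staff wireless to POS portal"),                                       # wireless -> CDE
    Rule("corp-lan", "allow", "10.40.0.0/16", "10.10.0.0/24", "any",
         "Corporate LAN to CDE"),                                               # any port
    Rule("default-deny", "deny", "any", "any", "any"),
]


def review_sample() -> List[str]:
    return review(RULES)


if __name__ == "__main__":
    for f in review_sample():
        print("FINDING:", f)
```

Running the script against the sample ruleset reports three findings (the unjustified jump-host rule, the wireless rule into the CDE, and the any-port corporate rule); dropping the final deny-all adds a fourth. The same checks are what a reviewer would look for when walking a real ruleset by hand during the periodic rule review.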