We’ve now reached part two of our three-part series on PCI Requirement 1. In our previous blog post we reviewed sub-requirement 1.1, which covers firewall and router configurations. In this post we move on and take a detailed look at PCI sub-requirement 1.2: build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
- Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. (1.2.1):
- This is a pretty standard requirement, but we should never take anything for granted, especially when it comes to PCI. The QSA will be looking to verify that only the needed ports are open into and out of the cardholder data environment, and will want to see an explicit DENY for any access that’s not required. Expect to be asked to show the ports and protocols you allow into the CDE, so be ready and have this information handy.
- Secure and synchronize router configuration files (1.2.2):
- This requirement covers the security of router configuration files. It is a grey area, which can sometimes mean different things to different QSAs.
- For example, if you’re saving router passwords in the “clear” (i.e. unencrypted) within the config file, you’re potentially allowing unauthorized access to your router. You need to make sure all passwords are properly hashed.
- Also, a router’s startup config file needs to be synchronized with its running config. Since many routers can be left running unattended for months at a time, it’s easy to forget to save changes to the startup config. The startup config file should be checked each time a router reboot is performed in order to ensure all changes are up-to-date.
- Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment (1.2.3):
- If you’re running a WLAN within your environment you must have this network segmented from your CDE with a firewall. Otherwise it’s an easy way for an attacker who isn’t physically on your network to cause a lot of damage. In general, it’s a good idea not to allow wireless traffic into your CDE at all, but there are instances when wireless traffic is needed. If there is a business justification for this access, it needs to be locked down within the firewall so that only authorized traffic is allowed from the WLAN into the CDE. For security purposes you should use some type of RADIUS or monitoring solution to lock this access down even further.
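To make the 1.2.1 and 1.2.3 checks above concrete, here is an added example (not code from the original post) that audits a zone-based firewall policy the way a QSA would read it: it requires an explicit catch-all deny as the last rule in each direction, compares every permit into and out of the CDE against the documented list of justified services, flags any wireless-to-CDE permit that has no business justification, and produces the "ports and protocols allowed into the CDE" inventory you are expected to have handy. The zone names, rules and approved-service sets are constructed sample data; in practice the rules would be exported from the firewall and the approved sets would come from your documented business justifications.

```python
"""Audit a zone-based firewall policy against PCI DSS 1.2.1 and 1.2.3.

Added example, not from the original post. Every rule, zone name and
approved-service list here is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str    # "tcp", "udp" or "any"
    port: str     # port number as a string, or "any"
    action: str   # "permit" or "deny"


CDE = "cde"
WIRELESS_ZONES = {"wireless"}

# Constructed: services with a documented business justification
APPROVED_INBOUND = {("tcp", "443"), ("tcp", "22")}     # payment app HTTPS, admin SSH
APPROVED_OUTBOUND = {("udp", "514")}                   # syslog to the log collector
APPROVED_WIRELESS = {("tcp", "443")}                   # handheld POS over HTTPS only

# Constructed sample policy, in evaluation order
RULES = [
    Rule("dmz", CDE, "tcp", "443", "permit"),        # web tier -> payment app
    Rule("corp", CDE, "tcp", "22", "permit"),        # admin SSH from the jump-host zone
    Rule("wireless", CDE, "tcp", "443", "permit"),   # justified wireless POS traffic
    Rule("wireless", CDE, "udp", "161", "permit"),   # SNMP from wireless: not justified
    Rule("corp", CDE, "tcp", "3389", "permit"),      # RDP: not in the approved inventory
    Rule("any", CDE, "any", "any", "deny"),          # explicit deny-all inbound
    Rule(CDE, "corp", "udp", "514", "permit"),       # syslog out to the collector zone
    Rule(CDE, "any", "any", "any", "permit"),        # overly broad outbound, no deny-all
]


def audit_direction(rules, inbound: bool, approved) -> list[str]:
    """Check one direction (into or out of the CDE): every permit must be a
    specific, approved service and the last rule must be a catch-all deny."""
    own, peer_field = ("dst_zone", "src_zone") if inbound else ("src_zone", "dst_zone")
    label = "inbound" if inbound else "outbound"
    scoped = [r for r in rules if getattr(r, own) == CDE]
    findings = []
    last = scoped[-1] if scoped else None
    if not (last and last.action == "deny" and last.proto == "any"
            and last.port == "any" and getattr(last, peer_field) == "any"):
        findings.append(f"1.2.1: no explicit deny-all terminating {label} CDE rules")
    for r in scoped:
        if r.action != "permit":
            continue
        peer = getattr(r, peer_field)
        if r.proto == "any" or r.port == "any":
            findings.append(f"1.2.1: overly broad {label} permit ({peer}): {r.proto}/{r.port}")
        elif (r.proto, r.port) not in approved:
            findings.append(f"1.2.1: undocumented {label} service ({peer}): {r.proto}/{r.port}")
    return findings


def audit_wireless(rules) -> list[str]:
    """1.2.3: wireless may reach the CDE only for justified services."""
    return [f"1.2.3: wireless permit into CDE without justification: {r.proto}/{r.port}"
            for r in rules
            if r.src_zone in WIRELESS_ZONES and r.dst_zone == CDE
            and r.action == "permit" and (r.proto, r.port) not in APPROVED_WIRELESS]


def audit(rules) -> list[str]:
    """All findings, inbound then outbound then wireless."""
    return (audit_direction(rules, True, APPROVED_INBOUND)
            + audit_direction(rules, False, APPROVED_OUTBOUND)
            + audit_wireless(rules))


def permitted_inventory(rules) -> list[tuple[str, str, str]]:
    """(source zone, proto, port) for every permit into the CDE: the list the
    QSA will ask to see."""
    return sorted({(r.src_zone, r.proto, r.port) for r in rules
                   if r.dst_zone == CDE and r.action == "permit"})


if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
    print("Permitted into CDE:", permitted_inventory(RULES))
```

Run against the sample policy, the audit reports the undocumented RDP and SNMP permits, the SNMP permit a second time as an unjustified wireless path, the `any/any` outbound permit, and the missing outbound deny-all; the inbound side passes the deny-all check because the explicit deny is the last inbound rule. Note that the check is positional: a deny-all that sits above a later permit would not be the terminating rule and the audit would still flag it.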
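For the two 1.2.2 points above (hashed rather than cleartext passwords, and startup config kept in sync with running config), here is an added example, not code from the original post, that audits an IOS-style router configuration. It flags credentials stored with the `password` keyword in cleartext (type 0 or untyped) or in the reversible type-7 encoding, leaves `secret` lines alone because those hold a one-way hash, and diffs the startup configuration against the running one so unsaved changes show up before the next reboot discards them. The hostname, users, hash and ACL in the sample text are constructed; on a real device the two inputs would be the output of `show startup-config` and `show running-config`.

```python
"""Check an IOS-style router configuration for PCI DSS 1.2.2 concerns.

Added example, not from the original post. Both configurations below are
constructed sample text; nothing in them comes from a real device.
"""
import difflib

STARTUP_CONFIG = """\
hostname edge-rtr-1
enable password CardholderRouter1
username admin password 7 0822455D0A16
username auditor secret 9 $9$CONSTRUCTEDSALT$CONSTRUCTEDHASH
line vty 0 4
 password 0 telnet123
 transport input ssh
"""

# Constructed: an ACL was added to the live device but never written to startup
RUNNING_CONFIG = STARTUP_CONFIG + """\
access-list 101 permit tcp any host 10.10.5.20 eq 443
"""


def find_weak_credentials(config: str) -> list[str]:
    """Return lines whose credential is stored in cleartext (type 0 or no
    type prefix) or in the reversible type-7 encoding. Lines using the
    'secret' keyword store a one-way hash and are not flagged."""
    weak = []
    for line in config.splitlines():
        tokens = line.split()
        if "password" not in tokens:
            continue
        after = tokens[tokens.index("password") + 1:]
        if not after:
            continue
        # A leading digit is the encoding type; a non-digit means raw cleartext
        if not after[0].isdigit() or after[0] in ("0", "7"):
            weak.append(line.strip())
    return weak


def config_drift(startup: str, running: str) -> list[str]:
    """Lines that differ between startup and running config, prefixed with
    '-' (only in startup) or '+' (only in running). Empty means in sync."""
    diff = difflib.unified_diff(startup.splitlines(), running.splitlines(),
                                fromfile="startup-config", tofile="running-config",
                                lineterm="")
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


def report(startup: str, running: str) -> dict[str, list[str]]:
    """Both 1.2.2 checks in one structure, keyed by finding type."""
    return {
        "weak_credentials": find_weak_credentials(running),
        "unsaved_changes": config_drift(startup, running),
    }


if __name__ == "__main__":
    for kind, lines in report(STARTUP_CONFIG, RUNNING_CONFIG).items():
        print(kind)
        for line in lines:
            print("  ", line)
```

On the sample data the credential check flags the `enable password`, the type-7 user password and the cleartext vty line password, and the drift check reports the unsaved ACL as a `+` line. A `secret` line with a legacy type 5 (MD5) hash also passes this check; whether a QSA accepts type 5 versus the newer type 8 or 9 hashes is exactly the kind of grey area the post mentions, so treat the `secret` pass as "hashed", not "strong".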
In our final blog post of the series, we’ll take on the remainder of PCI Requirement 1. Watch this space.