- You must have a firewall configuration policy in place to test against.
- You must develop a configuration testing methodology.
Because there are so many different brands of firewalls, each one should be analyzed by someone very familiar with that particular product. Additionally, there are open source tools such as Firewalk and FTester that test firewall behavior, and several commercial software tools automate the firewall auditing process.
The intent of PCI Requirement 1.1 is to get companies to look at their firewall rule sets and make deliberate decisions about each rule. For example, it is common to go to a client site and find that nobody knows why a given rule is in place. There is often a change control process for creating a new rule, but no process for reviewing rules once they have been created.
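One way to make that rule review repeatable, as an added example that is not part of the original answer: keep an inventory in which every rule records an owner, a business justification and a last-review date, and run a check that flags rules lacking any of them or overdue for review. The inventory format, the column names and the sample rules below are constructed for this example and are not tied to any vendor's syntax.

```python
"""Flag firewall rules that would fail a periodic rule-set review.

Added example (not from the original article). The CSV columns below are a
hypothetical rule inventory, not a real firewall configuration format.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory: one row per rule plus review metadata.
SAMPLE_INVENTORY = """\
id,action,src,dst,port,owner,justification,last_reviewed
10,allow,10.0.0.0/8,10.1.1.5,443,netops,Internal portal HTTPS,2007-05-01
20,allow,any,10.1.1.9,3389,,,2005-01-15
30,allow,192.0.2.0/24,10.1.1.20,22,dba,Vendor DB maintenance,2006-09-30
40,deny,any,any,any,netops,Default deny,2007-06-10
"""


@dataclass
class Finding:
    rule_id: str
    reason: str


def review_rules(inventory_text, today, max_age_days=182):
    """Return one Finding per policy gap found in the rule inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_text)):
        rid = row["id"]
        if not row["owner"].strip():
            findings.append(Finding(rid, "no owner recorded"))
        if not row["justification"].strip():
            findings.append(Finding(rid, "no business justification"))
        last = date.fromisoformat(row["last_reviewed"])
        if today - last > timedelta(days=max_age_days):
            findings.append(Finding(rid, f"last reviewed {last}, older than {max_age_days} days"))
        # An allow rule with an unrestricted source always needs an explicit decision.
        if row["action"] == "allow" and row["src"] == "any":
            findings.append(Finding(rid, "allow rule with unrestricted source"))
    return findings


if __name__ == "__main__":
    for f in review_rules(SAMPLE_INVENTORY, date(2007, 7, 1)):
        print(f"rule {f.rule_id}: {f.reason}")
```

Rules with no findings are the ones a reviewer can sign off on quickly; the rest are exactly the "nobody knows why this is here" cases the requirement is meant to surface.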
This was first published in July 2007