Ask the Expert

How to ensure PCI-compliant firewall configurations

Is there a common checklist that can be used for firewall configuration reviews? Or can you recommend any tools for finding weaknesses in a customer's firewalls? This is for compliance monitoring.


There have been several questions coming in regarding firewall configuration reviews because of PCI Requirement 1.1, which establishes firewall configuration standards. To create a firewall configuration checklist, you need to have two things in place:
  1. You must have a firewall configuration policy in place to test against.
  2. You must develop a configuration testing methodology.

Because there are so many different brands of firewalls out there, each one should be analyzed by someone very familiar with that type of firewall. Additionally, there are open source tools such as Firewalk and FTester that test firewalls. Also, there are several commercial software tools out there to automate the firewall auditing process.

The intent of PCI Requirement 1.1 is to get companies looking at their firewalls and then making some decisions about rules. For example, it is common to go to a client site and find out that they don't have any idea why a rule is in place. There is often a change control process in place for creating a new rule, but not for reviewing rules once they've been created.
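The two items above, a written policy to test against and a repeatable way to test the live rule base against it, can be turned into a small automated review. The following is an added example, not code from the original answer or from any firewall vendor or tool it names. It assumes a constructed, vendor-neutral rule export (one rule per line with name, source, destination, service, action, owner, business justification and last review date) and a constructed policy that lists the approved services and the maximum age of a rule review; every value in it is hypothetical. It flags exactly the situation the answer describes: permit rules that nobody has documented a reason for, and rules that were created but never reviewed again.

```python
"""
Added example: a minimal firewall rule-review check run against a written
policy. The rule format, the policy values and the sample export are all
constructed for illustration; they are not from the original article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed policy the rule base is tested against (hypothetical values).
APPROVED_SERVICES = {"tcp/443", "tcp/22", "udp/53"}
MAX_REVIEW_AGE_DAYS = 180
# Fixed "today" so the review output is reproducible.
REFERENCE_DATE = date(2007, 7, 1)


@dataclass
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str
    owner: str
    justification: str
    last_review: Optional[date]


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed pipe-separated export; an empty field means 'missing'."""
    rules = []
    for line in text.strip().splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, src, dst, svc, action, owner, just, reviewed = [
            f.strip() for f in line.split("|")
        ]
        rules.append(Rule(name, src, dst, svc, action, owner, just,
                          date.fromisoformat(reviewed) if reviewed else None))
    return rules


def review_rule(rule: Rule, today: date = REFERENCE_DATE) -> List[str]:
    """Return the findings for one rule; an empty list means the rule passes."""
    findings = []
    if rule.action.lower() == "permit":
        # Every permit rule needs a documented reason and someone accountable for it.
        if not rule.justification:
            findings.append("no documented business justification")
        if not rule.owner:
            findings.append("no rule owner recorded")
        if rule.service not in APPROVED_SERVICES:
            findings.append(f"service {rule.service} not in approved list")
        if rule.src == "any" and rule.dst == "any":
            findings.append("permits any source to any destination")
    # Change control at creation time is not enough; rules must be re-reviewed.
    if rule.last_review is None:
        findings.append("never reviewed")
    else:
        age = (today - rule.last_review).days
        if age > MAX_REVIEW_AGE_DAYS:
            findings.append(f"last review {age} days ago")
    return findings


def review_ruleset(text: str, today: date = REFERENCE_DATE) -> Dict[str, List[str]]:
    """Map each failing rule name to its findings; passing rules are omitted."""
    results = {}
    for rule in parse_rules(text):
        findings = review_rule(rule, today)
        if findings:
            results[rule.name] = findings
    return results


# Constructed sample export (hypothetical rules, addresses and dates).
SAMPLE_EXPORT = """
# name    | src          | dst       | service  | action | owner    | justification     | last_review
web-in    | any          | 10.0.1.10 | tcp/443  | permit | web-team | customer checkout | 2007-05-01
ssh-mgt   | 10.0.9.0/24  | 10.0.1.10 | tcp/22   | permit | ops      | admin access      | 2006-09-15
legacy    | any          | any       | tcp/8080 | permit |          |                   |
deny-all  | any          | any       | any      | deny   | netsec   | default deny      | 2007-06-20
"""

if __name__ == "__main__":
    for name, findings in review_ruleset(SAMPLE_EXPORT).items():
        print(f"{name}: {'; '.join(findings)}")
```

In the sample, `web-in` and `deny-all` pass, `ssh-mgt` is flagged only because its last review is older than the policy allows, and `legacy` collects every finding: it is the undocumented, never-reviewed rule the answer says reviewers routinely find. Adapting the check to a real firewall means replacing `parse_rules` with a parser for that product's export, which is why the answer recommends someone familiar with the specific firewall does the analysis.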

This was first published in July 2007
