How to ensure PCI-compliant firewall configurations

Learn how to ensure that your client's firewalls are compliant with PCI firewall configuration standards.

Is there a common checklist that can be used for firewall configuration reviews? Or can you recommend any tools for finding weaknesses in a customer's firewalls? This is for compliance monitoring.
There have been several questions coming in regarding firewall configuration reviews because of PCI Requirement 1.1, which establishes firewall configuration standards. To create a firewall configuration checklist, you need two things in place:
  1. A firewall configuration policy to test against: the documented standard that says what the rule set is supposed to permit, and why.
  2. A configuration testing methodology: a repeatable procedure for comparing the live rule set (and the firewall's observed behavior) against that policy.

Because there are so many different brands of firewalls out there, each one should be analyzed by someone very familiar with that type of firewall and its configuration syntax. Additionally, there are open source tools such as Firewalk and FTester that test firewalls; note that these probe the firewall from the outside and report what it actually passes, so they complement, rather than replace, a review of the rule set itself. There are also several commercial software tools that automate the firewall auditing process.

The intent of PCI Requirement 1.1 is to get companies looking at their firewalls and then making deliberate decisions about each rule. For example, it is common to go to a client site and find that nobody can explain why a given rule is in place. There is often a change control process for creating a new rule, but not for reviewing rules once they have been created, even though the standard expects the rule set to be reviewed periodically, not just at creation time.
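To make the "policy plus methodology" idea concrete, here is an added example (not code from the original article or from any vendor tool) that audits an iptables-save rule set against three policy checks a PCI reviewer would ask about: inbound chains must deny by default, no any/any permits, and every permit must carry a documented justification. The rule set is constructed for illustration, and the `CHG-<n>` change-ticket format the justification check looks for is an assumption; substitute whatever your change control process uses.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed change-ticket format; adjust to the client's change control convention.
TICKET_RE = re.compile(r"\bCHG-\d+\b")

# Constructed sample rule set in iptables-save format (not from any real site).
SAMPLE_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 443 -s 203.0.113.0/24 -m comment --comment "CHG-1042: partner API" -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3389 -m comment --comment "temporary" -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -j DROP
COMMIT
"""


@dataclass
class Rule:
    line_no: int
    chain: str
    target: Optional[str]
    proto: Optional[str]
    dport: Optional[str]
    source: Optional[str]
    state: Optional[str]
    comment: Optional[str]
    raw: str


def _opt(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_iptables_save(text: str) -> Tuple[Dict[str, str], List[Rule]]:
    """Return (default policies by chain, rules). Only the options this audit needs are parsed."""
    policies: Dict[str, str] = {}
    rules: List[Rule] = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith(":"):                    # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):                # "-A CHAIN <match options> -j TARGET"
            rules.append(Rule(
                line_no=n,
                chain=line.split()[1],
                target=_opt(r"-j (\S+)", line),
                proto=_opt(r"-p (\S+)", line),
                dport=_opt(r"--dport (\S+)", line),
                source=_opt(r"-s (\S+)", line),
                state=_opt(r"--state (\S+)", line),
                comment=_opt(r'--comment "([^"]*)"', line),
                raw=line,
            ))
    return policies, rules


def audit(text: str, inbound_chains=("INPUT", "FORWARD")) -> List[Tuple[str, int, str]]:
    """Compare a rule set against the policy; each finding is (check, line_no, detail)."""
    policies, rules = parse_iptables_save(text)
    findings: List[Tuple[str, int, str]] = []

    # Check 1: inbound chains must deny by default (line 0 = chain policy, not a rule).
    for chain in inbound_chains:
        if policies.get(chain) != "DROP":
            findings.append(("default_policy", 0,
                             f"{chain} policy is {policies.get(chain)}, expected DROP"))

    for r in rules:
        if r.target != "ACCEPT" or r.chain not in inbound_chains:
            continue
        if r.state:
            # Stateful return-traffic rule: permitted by the policy without a ticket.
            continue
        # Check 2: a permit with no protocol and no source restriction is any/any.
        if r.proto is None and r.source is None:
            findings.append(("any_any", r.line_no, r.raw))
        # Check 3: every permit needs a documented justification with a ticket reference.
        if not (r.comment and TICKET_RE.search(r.comment)):
            findings.append(("missing_justification", r.line_no, r.raw))
    return findings


if __name__ == "__main__":
    for check, line_no, detail in audit(SAMPLE_RULESET):
        print(f"{check:22} line {line_no:>3}: {detail}")
```

On the sample, the script reports the INPUT chain's ACCEPT default, the unexplained SSH and RDP permits (the "temporary" comment is exactly the kind of rule nobody can later justify), and the trailing `-A INPUT -j ACCEPT` both as any/any and as unjustified. The same structure (parse the vendor's export, express each policy clause as a check, emit findings with the offending line) carries over to other firewall platforms; only the parser changes.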

