- You must have a firewall configuration policy in place to test against.
- You must develop a configuration testing methodology.
Because there are so many different brands of firewalls out there, each one should be analyzed by someone very familiar with that type of firewall. Additionally, there are open source tools such as Firewalk and FTester that test firewalls, and there are several commercial software tools that automate the firewall auditing process.
The intent of PCI Requirement 1.1 is to get companies looking at their firewalls and then making some decisions about their rules. For example, it is common to go to a client site and find that nobody knows why a particular rule is in place. There is often a change control process for creating a new rule, but not for reviewing rules once they have been created.
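The two prerequisites above, a written policy and a repeatable methodology, can be turned into a mechanical check. The following Python script is an added example and is not code from the original answer or from any of the tools it mentions: it parses a constructed rule export, compares every allow rule against an assumed policy of permitted services, and flags rules that are outside policy, undocumented, any-to-any, or past an assumed 180-day review interval. The export format, the policy contents, the sample rules and the review interval are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Rule:
    rule_id: str
    src: str
    dst: str
    proto: str
    port: Optional[int]          # None means "any"
    action: str                  # "allow" or "deny"
    justification: str = ""      # business reason recorded at change-control time
    last_reviewed: Optional[date] = None


# Assumed policy: the only services the (hypothetical) firewall policy permits inbound.
POLICY_ALLOWED = {
    ("tcp", 443): "HTTPS to the web tier",
    ("tcp", 22): "SSH from the admin network",
}

# Assumed review cadence: a rule not re-validated within this window is reported as stale.
REVIEW_INTERVAL = timedelta(days=180)

# Constructed rule export (hypothetical format): id,src,dst,proto,port,action,justification,last_reviewed
SAMPLE_EXPORT = """
# id,src,dst,proto,port,action,justification,last_reviewed
R1,any,10.0.1.10,tcp,443,allow,Public HTTPS to web tier,2024-01-15
R2,10.0.9.0/24,10.0.1.0/24,tcp,22,allow,,2023-02-01
R3,any,any,any,any,allow,temporary vendor access,
R4,any,10.0.1.10,tcp,8080,allow,legacy app console,2024-02-20
R5,any,any,any,any,deny,default deny,
"""


def parse_rule_export(text: str) -> List[Rule]:
    """Parse the constructed comma-separated export; justifications must not contain commas."""
    rules = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rid, src, dst, proto, port, action, just, reviewed = [f.strip() for f in line.split(",")]
        rules.append(Rule(
            rule_id=rid, src=src, dst=dst, proto=proto.lower(),
            port=None if port.lower() == "any" else int(port),
            action=action.lower(), justification=just,
            last_reviewed=date.fromisoformat(reviewed) if reviewed else None,
        ))
    return rules


Finding = Tuple[str, str, str]  # (rule id, finding category, detail)


def audit_rules(rules: List[Rule], policy, today: date,
                review_interval: timedelta = REVIEW_INTERVAL) -> List[Finding]:
    """Apply the policy to each allow rule and return the findings a reviewer should act on."""
    findings: List[Finding] = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules are not opening anything; out of scope for this check
        if r.src == "any" and r.dst == "any":
            findings.append((r.rule_id, "overly-permissive", "any-to-any allow"))
        if (r.proto, r.port) not in policy:
            findings.append((r.rule_id, "not-in-policy",
                             f"{r.proto}/{r.port if r.port is not None else 'any'} is not a permitted service"))
        if not r.justification.strip():
            findings.append((r.rule_id, "undocumented", "no business justification recorded"))
        if r.last_reviewed is None or today - r.last_reviewed > review_interval:
            findings.append((r.rule_id, "stale", f"not reviewed within {review_interval.days} days"))
    return findings


def run_sample_audit(today: date = date(2024, 3, 1)) -> List[Finding]:
    """Audit the constructed export against the assumed policy as of a fixed date."""
    return audit_rules(parse_rule_export(SAMPLE_EXPORT), POLICY_ALLOWED, today)


if __name__ == "__main__":
    for rule_id, category, detail in run_sample_audit():
        print(f"{rule_id}: [{category}] {detail}")
```

Every finding carries the rule identifier, so the output can feed straight into the change-control process the text says is usually missing: each flagged rule either gets a justification and a review date recorded, gets the policy amended, or gets removed. Running the check on a schedule, rather than once, is what turns a one-off audit into the ongoing review Requirement 1.1 is asking for.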
Related Q&A from John Kindervag