3.3 Requirement 1 Part 2

00:01

Welcome to the side. Very de mystify ing P C I. D. S s compliance course

00:06

this module focus on the goals of the P C I. D. Assess and the requirements associated with

00:13

this video introduces you to requirement 1.2 through 1.5.

00:19

But learning objective of this video is to explore firewalls and ways you could implement them to satisfy the P. C. I. D. S s requirements 1.231 dot five

00:30

And this video will go over the rest of the PC I mandates associated with Requirement one,

00:35

which is the implementation and management of firewalls in your CD

00:42

PC high requirement Went out to is the build a firewall and Browder configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

00:54

PC I defines an untrusted network as any network that is external to the networks belonging to the entity under review

01:00

and or which is out of the entities ability to control her manage.

01:04

These could be the Internet and include service providers. That interface with your network

01:12

requirement one dot to 1.0.1 is restrict inbound and outbound traffic to that which is necessary for the cardholder data environment and specifically deny all other traffic.

01:25

This requirement is closely related to the 1.1 dot six record.

01:30

Once you have developed a justification for all of the necessary service is imports, you must configure your firewalls and routers to reflect that

01:38

all inbound and outbound traffic must be restricted to that which has a documented justification.

01:46

Requirement one dot to 1.0.2 mandates that the merchant secure and synchronized router configuration files.

01:53

Now this is just a general best practice.

01:56

This image is an example of how you would do this on a Cisco device.

02:00

On many systems, the configuration that is currently running doesn't necessarily have to match the configuration that would be running after a reboot.

02:09

This is the difference between the startup configuration and the running configuration.

02:15

If these configurations don't match, you could have an unstable environment or configuration that does not reflect current operations.

02:23

The auditor will check to make sure that there's a process in place the synchronized configurations and that the configurations cannot be AK access by unauthorized personnel.

02:32

The best practices to offload the running and start of configuration to a centralized depository so that you're able to have multiple iterations of the network configurations.

02:45

Requirement one dot to 1.0.3 is to install perimeter firewalls between all wireless networks and the cardholder data environment

02:53

and configure these firewalls to deny

02:54

or, if traffic is necessary for business purposes, permit only authorized traffic.

03:01

This requirement extends on the protect from untrusted networks requirement.

03:07

Wireless technology is often an attack vector used by malicious actors, so PC I treats wireless as inherently insecure.

03:15

Auditors are to check to make sure that wireless networks cannot be used to infiltrate the CD

03:23

requirement. Group 1.3 is to prohibit direct public access between the Internet and any system components in the cardholder data environment.

03:32

Systems in the CD should not be directly accessible from the Internet unless it serves a specific mission critical function.

03:40

This is an example, such as an e commerce website.

03:45

This grouping focuses on how you will implement a D. M. Z

03:52

Requirement 1.3 dot one states that the D M Z must limit inbound traffic toe only secure system components that provide

04:00

off the rise publicly accessible service's protocols and ports

04:04

again, this is just making sure that your firewall denied all traffic unless explicitly authorized.

04:11

The auditor will look to match what your business has defined as necessary to the configuration of the firewall

04:19

requirement. 1.3 dot two mandates that any traffic that is initiated from the Internet

04:25

be restricted to systems in the D. M Z.

04:28

Access to these internal network should only be limited to service is that are absolutely necessary.

04:36

Requirement 1.3 dot three is that the firewall must have anti spoofing measures to detect and block forge source I P addresses from entering the network.

04:48

Most firewalls today have this capability natively and is not something that you as a merchant, will have to turn on manually.

04:57

Normally, this protection is on by default.

05:00

Now, this is a technique that an attacker could use to fool the fireball into thinking that traffic is coming from a trusted source and therefore let it bypassed traffic filters.

05:11

As a merchant, you should search for this capability with your firewall bender and verify the protection is in place.

05:17

The auditor will look to confirm this capability.

05:23

Requirement 1.3 dot four

05:25

is one that is generally missed by merchants in a lot of organizations in general.

05:30

This requirement is that the merchants should not allow unauthorized outbound traffic from the CD to the Internet.

05:38

A lot of places tend to focus on keeping the bad out instead of paying attention to bad things that may be leaving your network.

05:45

Even outbound traffic needs to be scrutinized and limited only to that which is explicitly authorized.

05:54

The 1.3 dot five requirement can be a confusing world.

05:58

The requirement states that the firewall should permit only established connections into the network.

06:03

Basically, the requirement is that the firewall must support state full packet inspection.

06:09

Where S P I.

06:11

S P I is typically enabled by default on most modern firewalls.

06:15

Staple packet inspection allows established connections to communicate back into your cardholder data environment and blocks unsolicited traffic.

06:25

An analogy

06:27

is that it works like a phone call that's only allowed to make outbound calls.

06:30

You can call other people, but they can't call you.

06:34

The only way they can talk to you is if you call them first,

06:42

the one that 3.6 requirement once merchants the place systems that store cardholder data in a more secure network zone than the application that users interact with.

06:53

They're tooth things here that merchants must pay attention to.

06:57

You must take measures to decouple the application in the data.

07:01

You cannot install a Web application and have the database that stores the cardholder information on the same system.

07:08

This requirement mandates that they be separated and that the database be more protected.

07:13

The database should be placed in an internal network zone that end users cannot directly access.

07:21

Requirement 123.7 is another feature that ships with most firewalls

07:27

users interact with the public i. P address that is assigned to your organization.

07:31

The firewall will map that public i p address to an internal one.

07:36

The details of the internal Network segment should not be disclosed to the public.

07:42

Honestly, this information typically isn't leaked. Do tow a firewall configuration.

07:46

Attackers will go after the application itself and can force it to lead these details,

07:53

while the auditor will look at the firewall configuration to determine the setting.

07:57

If it is discovered that the application divulges this information you as a merchant could fail. This requirement

08:05

requirement went out for is pretty straightforward.

08:07

Any portable system that connects to the C d. E from an untrusted network must have a software firewall installed, running and configured on it.

08:18

So any remote administrators that manage systems in the CD need to have a firewall running for additional protection.

08:26

Requirement 15 is one. That'll be recurring theme throughout the P. C. I. D. S s requirements.

08:33

Make sure you make a policy document The policy trained users on the policy and document that you follow The policy

08:41

requirement 1.5 states that the merchant must assure that security policies and operational procedures for managing firewalls are documented and use and known to all affected parties.

08:54

In this video, we discussed requirements 1.2 through 1.5

08:58

and some of the artifacts and nuances associated with running firewalls within the CD.

09:05

And now for a quick quiz

09:07

state. Full packet inspection insures that

09:11

packets are allowed into the CD,

09:13

connections are established,

09:16

malware is block to be a signatures,

09:18

and networks are stable.

09:24

Connections are established allowing for authorized network communications

09:31

tour falls.

09:33

Private I P addresses should be allowed to enter your network from the Internet.

09:41

This one's false,

09:45

true or false

09:46

running database servers on your Web application servers is permitted because it allows for the reduction of your attack surface by having fewer service is our servers