3 hours 37 minutes
Welcome to the side. Very de mystify ing P C I. D. S s compliance course
this module focus on the goals of the P C I. D. Assess and the requirements associated with
this video introduces you to requirement 1.2 through 1.5.
But learning objective of this video is to explore firewalls and ways you could implement them to satisfy the P. C. I. D. S s requirements 1.231 dot five
And this video will go over the rest of the PC I mandates associated with Requirement one,
which is the implementation and management of firewalls in your CD
PC high requirement Went out to is the build a firewall and Browder configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
PC I defines an untrusted network as any network that is external to the networks belonging to the entity under review
and or which is out of the entities ability to control her manage.
These could be the Internet and include service providers. That interface with your network
requirement one dot to 1.0.1 is restrict inbound and outbound traffic to that which is necessary for the cardholder data environment and specifically deny all other traffic.
This requirement is closely related to the 1.1 dot six record.
Once you have developed a justification for all of the necessary service is imports, you must configure your firewalls and routers to reflect that
all inbound and outbound traffic must be restricted to that which has a documented justification.
Requirement one dot to 1.0.2 mandates that the merchant secure and synchronized router configuration files.
Now this is just a general best practice.
This image is an example of how you would do this on a Cisco device.
On many systems, the configuration that is currently running doesn't necessarily have to match the configuration that would be running after a reboot.
This is the difference between the startup configuration and the running configuration.
If these configurations don't match, you could have an unstable environment or configuration that does not reflect current operations.
The auditor will check to make sure that there's a process in place the synchronized configurations and that the configurations cannot be AK access by unauthorized personnel.
The best practices to offload the running and start of configuration to a centralized depository so that you're able to have multiple iterations of the network configurations.
Requirement one dot to 1.0.3 is to install perimeter firewalls between all wireless networks and the cardholder data environment
and configure these firewalls to deny
or, if traffic is necessary for business purposes, permit only authorized traffic.
This requirement extends on the protect from untrusted networks requirement.
Wireless technology is often an attack vector used by malicious actors, so PC I treats wireless as inherently insecure.
Auditors are to check to make sure that wireless networks cannot be used to infiltrate the CD
requirement. Group 1.3 is to prohibit direct public access between the Internet and any system components in the cardholder data environment.
Systems in the CD should not be directly accessible from the Internet unless it serves a specific mission critical function.
This is an example, such as an e commerce website.
This grouping focuses on how you will implement a D. M. Z
Requirement 1.3 dot one states that the D M Z must limit inbound traffic toe only secure system components that provide
off the rise publicly accessible service's protocols and ports
again, this is just making sure that your firewall denied all traffic unless explicitly authorized.
The auditor will look to match what your business has defined as necessary to the configuration of the firewall
requirement. 1.3 dot two mandates that any traffic that is initiated from the Internet
be restricted to systems in the D. M Z.
Access to these internal network should only be limited to service is that are absolutely necessary.
Requirement 1.3 dot three is that the firewall must have anti spoofing measures to detect and block forge source I P addresses from entering the network.
Most firewalls today have this capability natively and is not something that you as a merchant, will have to turn on manually.
Normally, this protection is on by default.
Now, this is a technique that an attacker could use to fool the fireball into thinking that traffic is coming from a trusted source and therefore let it bypassed traffic filters.
As a merchant, you should search for this capability with your firewall bender and verify the protection is in place.
The auditor will look to confirm this capability.
Requirement 1.3 dot four
is one that is generally missed by merchants in a lot of organizations in general.
This requirement is that the merchants should not allow unauthorized outbound traffic from the CD to the Internet.
A lot of places tend to focus on keeping the bad out instead of paying attention to bad things that may be leaving your network.
Even outbound traffic needs to be scrutinized and limited only to that which is explicitly authorized.
The 1.3 dot five requirement can be a confusing world.
The requirement states that the firewall should permit only established connections into the network.
Basically, the requirement is that the firewall must support state full packet inspection.
Where S P I.
S P I is typically enabled by default on most modern firewalls.
Staple packet inspection allows established connections to communicate back into your cardholder data environment and blocks unsolicited traffic.
is that it works like a phone call that's only allowed to make outbound calls.
You can call other people, but they can't call you.
The only way they can talk to you is if you call them first,
the one that 3.6 requirement once merchants the place systems that store cardholder data in a more secure network zone than the application that users interact with.
They're tooth things here that merchants must pay attention to.
You must take measures to decouple the application in the data.
You cannot install a Web application and have the database that stores the cardholder information on the same system.
This requirement mandates that they be separated and that the database be more protected.
The database should be placed in an internal network zone that end users cannot directly access.
Requirement 123.7 is another feature that ships with most firewalls
users interact with the public i. P address that is assigned to your organization.
The firewall will map that public i p address to an internal one.
The details of the internal Network segment should not be disclosed to the public.
Honestly, this information typically isn't leaked. Do tow a firewall configuration.
Attackers will go after the application itself and can force it to lead these details,
while the auditor will look at the firewall configuration to determine the setting.
If it is discovered that the application divulges this information you as a merchant could fail. This requirement
requirement went out for is pretty straightforward.
Any portable system that connects to the C d. E from an untrusted network must have a software firewall installed, running and configured on it.
So any remote administrators that manage systems in the CD need to have a firewall running for additional protection.
Requirement 15 is one. That'll be recurring theme throughout the P. C. I. D. S s requirements.
Make sure you make a policy document The policy trained users on the policy and document that you follow The policy
requirement 1.5 states that the merchant must assure that security policies and operational procedures for managing firewalls are documented and use and known to all affected parties.
In this video, we discussed requirements 1.2 through 1.5
and some of the artifacts and nuances associated with running firewalls within the CD.
And now for a quick quiz
state. Full packet inspection insures that
packets are allowed into the CD,
connections are established,
malware is block to be a signatures,
and networks are stable.
Connections are established allowing for authorized network communications
Private I P addresses should be allowed to enter your network from the Internet.
This one's false,
true or false
running database servers on your Web application servers is permitted because it allows for the reduction of your attack surface by having fewer service is our servers
is when it's false.