3.3 Requirement 1 Part 2

Time
3 hours 37 minutes
Difficulty
Beginner
CEU/CPE
4
Video Transcription
00:01
Welcome to the Demystifying PCI DSS Compliance course.
00:06
This module focuses on the goals of the PCI DSS and the requirements associated with it.
00:13
This video introduces you to requirements 1.2 through 1.5.
00:19
The learning objective of this video is to explore firewalls and ways you could implement them to satisfy PCI DSS requirements 1.2 through 1.5.
00:30
This video will go over the rest of the PCI mandates associated with Requirement 1,
00:35
which is the implementation and management of firewalls in your CDE.
00:42
PCI requirement 1.2 is to build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
00:54
PCI defines an untrusted network as any network that is external to the networks belonging to the entity under review
01:00
and/or which is out of the entity's ability to control or manage.
01:04
These could be the Internet and include service providers that interface with your network.
01:12
Requirement 1.2.1 is to restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
01:25
This requirement is closely related to the 1.1.6 requirement.
01:30
Once you have developed a justification for all of the necessary services and ports, you must configure your firewalls and routers to reflect that;
01:38
all inbound and outbound traffic must be restricted to that which has a documented justification.
01:46
Requirement 1.2.2 mandates that the merchant secure and synchronize router configuration files.
01:53
Now, this is just a general best practice.
01:56
This image is an example of how you would do this on a Cisco device.
02:00
On many systems, the configuration that is currently running doesn't necessarily have to match the configuration that would be running after a reboot.
02:09
This is the difference between the startup configuration and the running configuration.
02:15
If these configurations don't match, you could have an unstable environment or a configuration that does not reflect current operations.
02:23
The auditor will check to make sure that there's a process in place to synchronize configurations and that the configurations cannot be accessed by unauthorized personnel.
02:32
The best practice is to offload the running and startup configurations to a centralized repository so that you're able to have multiple iterations of the network configurations.
02:45
Requirement 1.2.3 is to install perimeter firewalls between all wireless networks and the cardholder data environment
02:53
and configure these firewalls to deny,
02:54
or, if traffic is necessary for business purposes, permit only authorized traffic.
03:01
This requirement extends the protect-from-untrusted-networks requirement.
03:07
Wireless technology is often an attack vector used by malicious actors, so PCI treats wireless as inherently insecure.
03:15
Auditors are to check to make sure that wireless networks cannot be used to infiltrate the CDE.
03:23
Requirement group 1.3 is to prohibit direct public access between the Internet and any system components in the cardholder data environment.
03:32
Systems in the CDE should not be directly accessible from the Internet unless they serve a specific mission-critical function.
03:40
An example of this is an e-commerce website.
03:45
This grouping focuses on how you will implement a DMZ.
03:52
Requirement 1.3.1 states that the DMZ must limit inbound traffic to only secure system components that provide
04:00
authorized publicly accessible services, protocols and ports.
04:04
Again, this is just making sure that your firewall denies all traffic unless explicitly authorized.
04:11
The auditor will look to match what your business has defined as necessary to the configuration of the firewall.
04:19
Requirement 1.3.2 mandates that any traffic that is initiated from the Internet
04:25
be restricted to systems in the DMZ.
04:28
Access to the internal network should be limited only to services that are absolutely necessary.
04:36
Requirement 1.3.3 is that the firewall must have anti-spoofing measures to detect and block forged source IP addresses from entering the network.
04:48
Most firewalls today have this capability natively, and it is not something that you, as a merchant, will have to turn on manually.
04:57
Normally, this protection is on by default.
05:00
Now, this is a technique that an attacker could use to fool the firewall into thinking that traffic is coming from a trusted source and therefore let it bypass traffic filters.
05:11
As a merchant, you should search for this capability with your firewall vendor and verify the protection is in place.
05:17
The auditor will look to confirm this capability.
05:23
Requirement 1.3.4
05:25
is one that is generally missed by merchants, and by a lot of organizations in general.
05:30
This requirement is that merchants should not allow unauthorized outbound traffic from the CDE to the Internet.
05:38
A lot of places tend to focus on keeping the bad out instead of paying attention to bad things that may be leaving the network.
05:45
Even outbound traffic needs to be scrutinized and limited only to that which is explicitly authorized.
05:54
The 1.3.5 requirement can be a confusing one.
05:58
The requirement states that the firewall should permit only established connections into the network.
06:03
Basically, the requirement is that the firewall must support stateful packet inspection,
06:09
or SPI.
06:11
SPI is typically enabled by default on most modern firewalls.
06:15
Stateful packet inspection allows established connections to communicate back into your cardholder data environment and blocks unsolicited traffic.
06:25
An analogy
06:27
is that it works like a phone that's only allowed to make outbound calls.
06:30
You can call other people, but they can't call you.
06:34
The only way they can talk to you is if you call them first.
06:42
The 1.3.6 requirement wants merchants to place systems that store cardholder data in a more secure network zone than the application that users interact with.
06:53
There are two things here that merchants must pay attention to.
06:57
You must take measures to decouple the application and the data.
07:01
You cannot install a web application and have the database that stores the cardholder information on the same system.
07:08
This requirement mandates that they be separated and that the database be more protected.
07:13
The database should be placed in an internal network zone that end users cannot directly access.
07:21
Requirement 1.3.7 is another feature that ships with most firewalls.
07:27
Users interact with the public IP address that is assigned to your organization.
07:31
The firewall will map that public IP address to an internal one.
07:36
The details of the internal network segment should not be disclosed to the public.
07:42
Honestly, this information typically isn't leaked due to a firewall configuration.
07:46
Attackers will go after the application itself and can force it to leak these details,
07:53
while the auditor will look at the firewall configuration to determine the setting.
07:57
If it is discovered that the application divulges this information, you as a merchant could fail this requirement.
08:05
Requirement 1.4 is pretty straightforward.
08:07
Any portable system that connects to the CDE from an untrusted network must have a software firewall installed, running and configured on it.
08:18
So any remote administrators that manage systems in the CDE need to have a firewall running for additional protection.
08:26
Requirement 1.5 is one that'll be a recurring theme throughout the PCI DSS requirements:
08:33
make sure you make a policy, document the policy, train users on the policy, and document that you follow the policy.
08:41
Requirement 1.5 states that the merchant must ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
08:54
In this video, we discussed requirements 1.2 through 1.5
08:58
and some of the artifacts and nuances associated with running firewalls within the CDE.
09:05
And now for a quick quiz.
09:07
Stateful packet inspection ensures that:
09:11
packets are allowed into the CDE,
09:13
connections are established,
09:16
malware is blocked via signatures,
09:18
and networks are stable.
09:24
Connections are established, allowing for authorized network communications.
09:31
True or false:
09:33
Private IP addresses should be allowed to enter your network from the Internet.
09:41
This one's false.
09:45
True or false:
09:46
Running database servers on your web application servers is permitted because it allows for the reduction of your attack surface by having fewer services or servers.
09:58
This one's false.