What is PCI Requirement 1.2.3?

Requirement 1.2.3 requires that organizations, “Install perimeter firewalls between all wireless networks and the Cardholder Data Environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.” So, what exactly does that mean? Requirement 1.2.3 is saying that your organization must install a firewall between any wireless network or device and your CDE. The purpose of Requirement 1.2.3 is to ensure that if an attacker should compromise your wireless network or device, only the inbound and outbound protocols, ports, and services that have been previously authorized are allowed through. Remember Requirement 1.1.6? That list you’ve made of management-approved protocols, ports, and services? That list that is one of the most important documents in your assessment? That list that is the basis of many other requirements? You guessed it: you’ll need it again for Requirement 1.2.3. Assessors look to see that your organization is providing as much security as possible to your CDE, especially wherever wireless networks and devices exist.

As an organization, you may not have wireless networks or devices that you’re using to transmit cardholder data. But if you do have wireless networks or devices that have a business justification for access, those areas are most likely in-scope of your PCI DSS assessment.

PCI DSS Requirement 1.2.3

Requirement 1.2.3 requires that we install a firewall between any wireless network or device and your cardholder data environment. The purpose for this is that if somebody should somehow compromise your wireless device, we want to make sure that only the inbound and outbound ports and services that are authorized are allowed. We want to make sure that we provide as much security as possible, from all aspects, into and out of your cardholder data environment wherever wireless is being used.

Looking at this requirement, Requirement 1.2.3, it establishes the need to have a firewall there. When we look at that list of authorized protocols, ports, and services that we’ve talked about in Requirement 1.1.6, we’re going to look for the wireless protocols, ports, and services that you’re allowing in and out of the wireless.

As an organization, you may not have wireless that you’re using to transmit cardholder data, and that’s perfectly fine. But if you do have wireless, chances are wireless is in scope for the assessment. As assessors, we often find that where wireless exists within the environment, your network or administration staff are using their laptops to connect into that environment per management.

What is PCI Requirement 1.2.2?

PCI DSS Requirement 1.2.2 states, “Secure and synchronize router configuration files.” This requirement focuses on enforcing the security and controls surrounding your organization’s firewall and router configurations. Before your PCI DSS assessment, your organization needs to determine, “Are our router and firewall configuration files secured from unauthorized access?”

There is a significant amount of information located within those configuration files: authentication information, certificates, keys, etc. If this sensitive information falls into the wrong hands, it could lead to a serious compromise. This is why Requirement 1.2.2 is so important: your assessor needs to ensure that wherever your firewall and router configurations are located – offsite or in backups – these files are maintained securely. Your assessor must also ensure that the configurations within the devices themselves are maintained securely. Ask your organization the following questions:

  • Do you back-up your firewall and router configurations?
  • Where are they kept?
  • How are they kept?
  • Who has access to them?
  • What are the controls around them?

In order to follow Requirement 1.2.2, assessors will also expect you to have reviewed your organization’s configuration standards and examined the files and configurations prior to your PCI DSS assessment.

PCI DSS Requirement 1.2.2

When we look at the actual firewall and router configs, there’s an incredible amount of information in those that could be used against you if it fell into the wrong hands. There’s authentication information, there’s certificates, there’s keys, there’s all sorts of sensitive information in there that could lend itself to a compromise.

We need to make sure that where you have your firewall and router configurations – if you’re storing them offsite, if you’re backing them up – that these particular files are going to be maintained securely. We also want to make sure that the configs within the devices themselves are maintained securely.

So as assessors, we’re going to ask you: Do you back up your firewall and router configs? If you do, where are they kept? How are they kept? Who has access to them? What are the controls around them? We’re also going to have those same types of conversations about the physical devices and the ability to console into those and gain access to that configuration information.
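As an added example that is not part of the original post, the following check puts two of the Requirement 1.2.2 questions above into code for a backed-up router or firewall configuration file: who can read the backup (its file mode and owner), and whether it still contains authentication material in the clear. The sample configuration, the keyword patterns, and the `check_config_backup` and `demo` functions are constructed for illustration and are not tied to any specific vendor.

```python
# Added example (not from the original post): a Requirement 1.2.2 check over a
# backed-up router/firewall configuration file. Patterns and the sample config
# are constructed for illustration; extend the patterns for your platform.
import os
import re
import stat
import tempfile

# Lines that indicate secrets stored in the clear (constructed patterns
# modelled on common router config keywords).
SECRET_PATTERNS = [
    re.compile(r"^\s*enable password\s+\S+"),          # plaintext enable password
    re.compile(r"^\s*username \S+ password 0 \S+"),    # type-0 (clear) password
    re.compile(r"^\s*snmp-server community \S+"),      # SNMP community string
    re.compile(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----"),
]

def check_config_backup(path, expected_owner_uid=None):
    """Return findings for a config backup; an empty list means nothing flagged."""
    findings = []
    st = os.stat(path)
    # Access control: a config backup should be readable by its owner only.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"1.2.2 backup is group/world accessible: {oct(st.st_mode & 0o777)}")
    if expected_owner_uid is not None and st.st_uid != expected_owner_uid:
        findings.append(f"1.2.2 unexpected owner uid {st.st_uid}")
    # Content: credentials and keys in the clear widen the impact of a leaked
    # backup, so report the line number but never the value itself.
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if any(p.search(line) for p in SECRET_PATTERNS):
                findings.append(f"1.2.2 plaintext secret material at line {lineno}")
    return findings

# Constructed sample backup, written to a temp file so the example runs offline.
SAMPLE_CONFIG = """hostname edge-fw-1
enable password letmein
username admin password 0 letmein
snmp-server community public RO
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
"""

def demo(mode=0o644):
    """Write SAMPLE_CONFIG with the given file mode and audit it."""
    fd, path = tempfile.mkstemp(suffix=".cfg")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CONFIG)
    os.chmod(path, mode)
    try:
        return check_config_backup(path)
    finally:
        os.remove(path)
```

Running `demo()` flags the world-readable mode plus three lines of clear-text secrets; `demo(0o600)` drops the mode finding but still reports the three lines.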

What is PCI Requirement 1.2.1?

PCI DSS Requirement 1.2.1 focuses around organizations developing policies and procedures that restrict traffic to that which is absolutely necessary, both inbound and outbound, for business purposes. PCI Requirement 1.2.1 states, “Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.” The goal of PCI Requirement 1.2.1 is to limit traffic to only essential, required protocols, ports, or services and have business justification for those required elements.

As we learned from Requirement 1.1.6, your organization is required to maintain a list of authorized protocols, ports, or services. During your PCI DSS audit, that list is compared against your router and firewall configurations to verify that the documented security features are implemented. PCI Requirement 1.2.1, though, goes further: your organization is only allowed to use the protocols, ports, and services that are required for the operation of your business. If you need a protocol, port, or service, then it is absolutely appropriate to use it.

As assessors, we’re not looking to define your business justification; we’re looking to see that you’ve done your due diligence to decide that a protocol, port, or service is absolutely required for your business operability and that you know why it’s required. Your organization should be asking: what’s the business justification for that protocol, port, or service? Why are we using that? If it is not required for business, it’s required that you deny that traffic.

PCI DSS Requirement 1.2.1

As an organization, you’re required to maintain the security of the traffic, inbound and outbound. As we said in Requirement 1.1.6, you have to maintain a list of authorized services, protocols, and ports. We need to now look to make sure you’ve actually implemented those. So we take that list of the protocols, ports, and services in your environment that you’ve approved, and we compare that against your actual routers and firewalls and make sure that those lists appropriately match up.

We’ve already talked about Requirement 1.1.6 that says that your organization must maintain a list of authorized protocols, ports, and services. Specific to PCI DSS 1.2.1, it says that your organization is only allowed to use the protocols, ports, and services that are required for the operation of your business. So if you need a protocol, port, or service, that’s absolutely appropriate. Understand, however, that as an assessor, it’s not our role to define your business justification or why you might need a protocol, port, or service. What we’re looking for as an assessor, is that you’ve done your due diligence to say, “Yes, this protocol, port, or service is absolutely required and this is why it’s required.”

So as part of that documentation in 1.1.6, we look to see that the protocols, ports, and services that are authorized are listed. But what’s the business justification for that? Why are you using that? If it’s required, great, fine, we don’t have a problem with that. But we’re looking to see that as an organization, you’ve done your due diligence in making sure that the protocols, ports, and services, the inbound traffic that you’re allowing within your environment, is required of your business. If it is not required for business, it’s required that you as an organization shut that traffic down.

PCI Requirement 1.2 states, “Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.” The PCI DSS considers any network that is out of your organization’s ability to control, or external to your organization’s network, as untrustworthy. Assessors will take the data found in PCI Requirement 1.1.6, which is your organization’s authorized ports, protocols, and services, and compare that data to your router and firewall configurations. Assessors are looking to ensure that your organization is only using the authorized ports, protocols, and services defined in Requirement 1.1.6.

It is essential that your organization develops the proper policies and procedures to carry out PCI Requirement 1.2. These policies and procedures must outline how your organization restricts network traffic to that which is required for inbound and outbound traffic. Failure to develop these policies and procedures can lead to a failure to implement PCI Requirement 1.2, potentially leaving your organization susceptible to unauthorized access.

PCI Requirement 1.2

We’re going to talk about Requirement 1.2 now. The primary focus of Requirement 1.2 is that you as an organization develop policies and procedures that restrict your traffic to the absolute necessary that’s required for inbound and outbound traffic. From an assessment perspective, what we do is we take the data that we found in Requirement 1.1.6, which is your authorized ports, services, and protocols, and we pull your router and firewall configs and we compare the two, basically making sure that only the authorized ports and services that management has authorized are actually what’s being used.

What is PCI Requirement 1.1.6?

Your organization needs to restrict inbound and outbound traffic in and out of sensitive environments. PCI DSS Requirement 1.1.6 relates specifically to the documentation of business justification and approval for use of all services, ports, and protocols.

PCI DSS v3.2 insists that organizations restrict inbound and outbound traffic to and from sensitive areas to only that which is needed for business purposes. We find that organizations are typically great at establishing inbound traffic rules, but what happens when someone is already in your environment? Are your outbound network traffic controls sufficient? Will they prevent someone trying to exfiltrate data from your network? Looking at past breaches, a primary reason that sensitive data was successfully taken was because the established traffic rules were insufficient. For this reason, it’s necessary to have a documented list of protocols, ports, and services that will be allowed in and out of your environment. PCI Requirement 1.1.6 requires this documentation, and specifically states, “Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.” If a protocol, port, or service is not required for your environment, disable it.

As assessors, we seek out this list of management-approved protocols, ports, and services to compare against your router and firewall configurations. We look to see that the traffic you’re allowing does not exceed that which is documented.

This documentation is one of the most important pieces of your PCI DSS assessment. Assessors will need this early on in the process because it is the basis for other aspects of your PCI DSS audit; other pieces of the assessment hinge on this document. It is also necessary to maintain this piece of documentation as part of your Change Control Program. If you will be making changes to your network, ports, or services, you will need to ensure this document is updated.

Your organization needs to restrict inbound and outbound traffic out of those environments that are considered sensitive or risky. What we find is that organizations are really, really good at establishing inbound traffic rules to prevent the bad guys from getting in, but think about what happens when somebody’s actually already in your environment. Are your networking controls sufficient to prevent them from exfiltrating the data? It’s interesting to look at all of the breaches that have happened throughout the years, and the only reason that cardholder data or health information or financial information was taken from these organizations is because the rules that they had established were insufficient to prevent the exfiltration of information.

Many of the requirements, such as PCI DSS Requirement 1.1.6, require that we actually have a documented list of the protocols, ports, and services that we’re going to allow in and out of our environment. It’s absolutely appropriate, if you need those protocols, ports, and services, to allow them; however, if they’re not required, they need to be disabled. What we do from an assessment perspective is we get that list of management-approved protocols, ports, and services and we compare that list against your router configs and your firewall configs. We look to see that whatever traffic you’re allowing out does not exceed that which has been documented within your management-approved protocols, ports, and services.

This is one area that’s probably the most important piece of the assessment. This is the basis of a lot of other parts of the assessment. It’s often a piece of information that we need very early on in the assessment. Other pieces of the assessment are hinging on this one piece of data. It’s also necessary to maintain this piece of documentation as part of your Change Control Program. If you’re going to be making changes to your network or opening ports and services to allow things to happen, you need to update this document as well.
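The comparison described above for Requirement 1.1.6, together with the checks an assessor applies under Requirements 1.2.1 (only approved traffic, explicit deny of everything else) and 1.2.3 (only authorized wireless-to-CDE traffic), as an added example that is not part of the original post. The approved list, the ruleset, the zone names (`wireless`, `cde`, `internet`) and the `audit` function are constructed for illustration; the rule format is a simplified stand-in, not a vendor's configuration syntax.

```python
# Added example (not from the original post): compare a management-approved
# protocols/ports/services list (Requirement 1.1.6) against a firewall ruleset
# the way an assessor does for Requirements 1.2.1 and 1.2.3.
# The list and rule formats are constructed for illustration; a real audit
# would parse the actual router/firewall configuration.

# Constructed 1.1.6 list: each entry carries its business justification and,
# for protocols considered insecure, the documented security features.
AUTHORIZED = [
    {"proto": "tcp", "port": 443, "from": "wireless", "to": "cde",
     "justification": "POS terminals post transactions to payment API",
     "insecure": False, "security_features": []},
    {"proto": "tcp", "port": 21, "from": "cde", "to": "internet",
     "justification": "settlement file upload to acquirer",
     "insecure": True, "security_features": []},   # insecure, nothing documented
]

# Constructed ruleset, evaluated top to bottom like a real access list.
RULES = [
    {"action": "permit", "proto": "tcp", "port": 443, "from": "wireless", "to": "cde"},
    {"action": "permit", "proto": "tcp", "port": 22, "from": "wireless", "to": "cde"},
    {"action": "permit", "proto": "tcp", "port": 21, "from": "cde", "to": "internet"},
    {"action": "permit", "proto": "any", "port": None, "from": "cde", "to": "internet"},
]

def _key(entry):
    return (entry["proto"], entry["port"], entry["from"], entry["to"])

def audit(authorized, rules):
    """Return a list of finding strings; an empty list means no gaps found."""
    findings = []
    allowed = {_key(a) for a in authorized}
    # 1.1.6: every approved entry needs a justification, and an insecure
    # protocol additionally needs its security features documented.
    for a in authorized:
        if not a["justification"]:
            findings.append(f"1.1.6 no business justification for {_key(a)}")
        if a["insecure"] and not a["security_features"]:
            findings.append(f"1.1.6 insecure protocol without documented security features {_key(a)}")
    # 1.2.1: every permit must appear on the approved list; an 'any' permit never does.
    for r in rules:
        if r["action"] == "permit" and _key(r) not in allowed:
            findings.append(f"1.2.1 permit not on approved list {_key(r)}")
            # 1.2.3: call out the wireless-to-CDE case explicitly.
            if r["from"] == "wireless" and r["to"] == "cde":
                findings.append(f"1.2.3 unauthorized wireless-to-CDE traffic {_key(r)}")
    # 1.2.1: the ruleset must end with an explicit deny of all other traffic.
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["proto"] == "any"):
        findings.append("1.2.1 ruleset does not end with an explicit deny-all")
    return findings
```

Against the constructed inputs, `audit(AUTHORIZED, RULES)` reports the undocumented insecure protocol, the two permits that are not on the approved list (one of them wireless-to-CDE), and the missing final deny-all.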