PCI DSS Req 1.3.5: Permit Only Established Connections into the Network

by KirkpatrickPrice / April 18th, 2017

PCI DSS Requirement 1.3.5 says to “Permit only ‘established’ connections into the network.” The testing procedures for this requirement state that your assessor is to examine your firewall and router configurations to verify that only established connections are permitted into the internal network, and that any inbound connections not associated with a previously established session are denied. In years past, this configuration setting was called “stateful inspection,” also known as dynamic packet filtering, which is “a firewall technology that monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.” Essentially, this ensures that your organization only allows established traffic back into your environment.
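To make the behaviour the assessor is checking concrete, here is an added example (not from the original post or from KirkpatrickPrice) that models stateful inspection in a few lines of Python: outbound sessions are recorded in a connection table, and an inbound packet is permitted only if it belongs to a session an inside host already established. The addresses, ports and packet trace are constructed for illustration, and the 10.x.x.x convention for the internal network is an assumption.

```python
# Added example: a minimal model of stateful inspection / dynamic packet filtering.
# Constructed for illustration; not a real firewall and not from the original post.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


def is_inside(ip: str) -> bool:
    # Assumed convention: 10.x.x.x addresses are the internal network.
    return ip.startswith("10.")


class StatefulFilter:
    """Permit inbound packets only for sessions initiated from inside."""

    def __init__(self) -> None:
        # Connection table: (inside_ip, inside_port, outside_ip, outside_port, proto)
        self.sessions: set[tuple[str, int, str, int, str]] = set()

    def decide(self, p: Packet) -> str:
        if is_inside(p.src) and not is_inside(p.dst):
            # Outbound traffic: record the session so its replies can come back.
            self.sessions.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "PERMIT"
        if not is_inside(p.src) and is_inside(p.dst):
            # Inbound traffic: look up the reversed 5-tuple in the table. Flags such as
            # ACK are not trusted on their own; only a recorded session permits the packet.
            key = (p.dst, p.dport, p.src, p.sport, p.proto)
            return "PERMIT" if key in self.sessions else "DENY"
        return "NOT_PERIMETER"  # traffic that does not cross the boundary


def run(trace: list[Packet]) -> list[str]:
    fw = StatefulFilter()
    return [fw.decide(p) for p in trace]


# Constructed trace: an inside host opens HTTPS, the server replies, then an outside
# host sends an unsolicited SYN and an ACK-only packet that matches no recorded session.
TRACE = [
    Packet("10.1.1.5", 40000, "203.0.113.7", 443, syn=True),
    Packet("203.0.113.7", 443, "10.1.1.5", 40000, syn=True, ack=True),
    Packet("198.51.100.9", 5555, "10.1.1.5", 22, syn=True),
    Packet("198.51.100.9", 5555, "10.1.1.5", 40000, ack=True),
]
```

Running `run(TRACE)` yields PERMIT, PERMIT, DENY, DENY: the reply to the established session is allowed, and both unsolicited inbound packets are dropped regardless of their flags.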

Jeff Wilder on PCI DSS Req 1.3.5

PCI DSS Requirement 1.3.5

When we look at the PCI DSS, it has a requirement that’s specific to Requirement 1.3.5, that says you need to allow established traffic. Effectively, what this is about is in years past, it was called “stateful inspection.” This is usually a configuration setting; most new hardware that you would implement today would support this by default. It’s either an actual setting that you use or it’s a checkbox on some types of devices. But effectively, we’re only allowing established traffic back into your environment.