PCI DSS Requirement 1.1.4: Establishing a Firewall and DMZ

by KirkpatrickPrice / April 18th, 2017

What is PCI Requirement 1.1.4?

PCI DSS Requirement 1.1.4 requires “a firewall at each internet connection and between any demilitarized zone (DMZ) and the internal network zone.” PCI DSS v3.2, the current version of the standard at the time of writing, says that the purpose behind PCI Requirement 1.1.4 is, “Using a firewall on every internet connection coming in to (and out of) the network, and between any DMZ and the internal network, allows the organization to monitor and control access and minimize the chances of a malicious individual obtaining access to the internal network via an unprotected connection.”

Your organization needs to establish a DMZ for any inbound internet access it supports, such as a public web server, email services, or FTP. A DMZ is a physical or logical subnetwork that holds the services an organization exposes to untrusted networks such as the internet. It adds a layer of security by acting as a buffer between your internal corporate network and those untrusted networks: an attacker who compromises a DMZ host still faces a second, more restrictive firewall boundary before reaching internal systems. By segmenting the DMZ from your corporate environment, you minimize the threat of unauthorized access to your internal network.

We have to establish a DMZ, a demilitarized zone, for your inbound internet access. If you have inbound internet access, whether that is a web server, email services, or FTP, we want to make sure those particular assets do not reside within the corporate part of your environment. We want to establish a small, separate area for those assets to sit in: one that necessarily has more open ports, and therefore a larger exposed surface, than your corporate environment as a whole, so that a compromise there does not hand an attacker the internal network.

What we look for as an assessor is that a firewall exists between your internet connection and the DMZ, and then another firewall between the DMZ and your corporate network, the area where you are securing your data and the cardholder data environment (CDE). This does not necessarily have to be two physical assets. It can be the same asset, as long as traffic is routed into a distinct network segment that is then managed, secured, and controlled, with its own rule set at each boundary. As traffic flows in from the internet, we want to terminate it in the DMZ and inspect it for authorized services, protocols, and ports before any of it is allowed into your internal network; with a default-deny policy at each boundary, anything not explicitly authorized is dropped.
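The three-zone layout described above expressed as a single-device rule set, as an added example that is not part of the original post or of KirkpatrickPrice guidance: one Linux host running nftables with one interface per zone, a default-drop policy at every boundary, and only the named services permitted across each one. Interface names, addresses, host roles, and the application ports (HTTPS and SMTP inbound to the DMZ, PostgreSQL from the web server to an internal database) are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Assumed layout:
#   eth0 = internet uplink
#   eth1 = DMZ, 192.0.2.0/24   (192.0.2.10 web server, 192.0.2.20 mail relay)
#   eth2 = internal/CDE, 10.10.0.0/16 (10.10.5.10 database)
# One device, three interfaces: the internet->DMZ boundary and the
# DMZ->internal boundary each get their own explicit rules below.

flush ruleset

table inet pci {
    # Named hosts so that rules permit a specific service on a specific
    # asset, never a whole zone.
    set dmz_web  { type ipv4_addr; elements = { 192.0.2.10 } }
    set dmz_mail { type ipv4_addr; elements = { 192.0.2.20 } }
    set cde_db   { type ipv4_addr; elements = { 10.10.5.10 } }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Firewall management only from the internal zone
        iifname "eth2" tcp dport 22 accept
    }

    chain forward {
        # Default deny at every zone boundary; only listed flows pass.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the services the DMZ exists to expose
        iifname "eth0" oifname "eth1" ip daddr @dmz_web  tcp dport { 80, 443 } accept
        iifname "eth0" oifname "eth1" ip daddr @dmz_mail tcp dport 25 accept

        # Internet -> internal: no rule, so the chain policy drops it

        # DMZ -> internal (CDE): one explicit application flow, host to host
        iifname "eth1" oifname "eth2" ip saddr @dmz_web ip daddr @cde_db tcp dport 5432 accept

        # DMZ -> internet: only what DMZ hosts legitimately need outbound
        iifname "eth1" oifname "eth0" ip saddr @dmz_mail tcp dport 25 accept
        iifname "eth1" oifname "eth0" udp dport 53 accept

        # Internal -> DMZ and internal -> internet: egress is restricted too
        iifname "eth2" oifname "eth1" tcp dport { 80, 443 } accept
        iifname "eth2" oifname "eth0" tcp dport { 80, 443 } accept
        iifname "eth2" oifname "eth0" udp dport 53 accept

        # Record what the default policy is about to drop so each boundary is auditable
        limit rate 10/second log prefix "pci-fw-drop: " counter
    }
}
```

Load it with nft -f and watch the counter on the final logging rule to see what the default policy is catching at each boundary. FTP, which the post mentions, is deliberately not opened here: permitting it correctly means loading the nf_conntrack_ftp helper or pinning the server to a known passive port range, not opening a wide range of ports on the DMZ boundary. The same assessor question, whether every open port corresponds to an authorized service on a specific host, applies to each line in the forward chain.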