Managing Firewall Security for PCI DSS Compliance

Captions
Hello, I'm Dave Hurst, CTO of Athena Security, and today we're going to talk about managing firewall security for PCI DSS compliance. You know, data breaches at merchant locations and credit card processors are occurring with increasing frequency. Unfortunately, all too often misconfigured firewalls were found to be involved in the reasons for these data breaches. Consequently, the PCI Data Security Standard requirements are becoming much more stringent. QSAs are looking at networks in much more detail, and firewalls play an important role in securing your network, so QSAs are looking at these firewalls in much more detail.

So today we're going to discuss: what are the compliance requirements for firewall security, what an auditor is looking for during an assessment review, what are common pitfalls during an assessment, and what can you do to be prepared for a PCI assessment by doing your own self-assessment.

PCI DSS 1.2 defines 12 high-level requirements for PCI compliance. Many of these address application security, vulnerability management or process issues. Of these 12, Requirement 1 and some of the control items in Requirement 2 specifically address firewall configurations. Let's look at these in a little more detail. Control items 1.1 and 1.2 specifically address how the configuration addresses insecure services: what services are being allowed, what services are actually necessary, and it requires you to justify the services that are passed by the firewall. Requirement 1.3 specifically addresses the DMZ and restricting traffic into and out of the DMZ, and making sure that access is not available to the locations where PCI data is being stored in your network. Section 2.2.1 requires that you implement only one primary function per server. This means that you cannot implement web services and FTP and mail and DNS and so forth on one server in your DMZ; instead they have to be separated and provided by separate pieces of hardware. This can also be enforced by your firewall in that it will only allow one service to any given server. And then Section 2.3 addresses access to the firewall and requires that any console administrative access must be encrypted, either using SSH or using VPNs.

The role of a firewall in your network is to partition the network into separate zones and to control access to services between those zones. So within that context, the QSA will be looking for these issues in the firewall configs. The first one is segmentation: how does the firewall divide the network into different segments? Traditional segmentation divides the network into three zones: the external zone, which would be basically the internet or the public zone; the internal network, which is all of your internal systems; and the DMZ, which is the semi-public zone where the internet has access to services that you are providing. When credit card data is involved, segmentation issues become much more complex, as we'll see shortly. The second thing your auditor is going to look for is inbound access controls, that is, what services are allowed to the DMZ, what services are allowed to credit cardholder data stores, and he's going to look at what networks have access to these things. The third thing the auditor is going to look at is outbound access, that is, what is allowed out from the systems that are managing credit card data, and this is going to look at all the networks that are reachable through the firewall.

So let's look at an example. This is actually derived from a network of a large retailer that has many locations around the country. We notice in this diagram that there are already a number of different zones that have been defined: there is the e-commerce infrastructure, there are payment processors, there are retail sites, there's transaction processing, and then there's general corporate internal networks, and we notice that these are all divided in a number of different ways. Looking at the e-commerce infrastructure, we see for example a web DMZ. This would provide servers that implement websites, and these are publicly accessible. We see that there's a firewall that separates the web DMZ from the internet and controls access from the public side. There's also a firewall on the back end of the network that controls access into the internal network of the company. There may be other elements of an e-commerce infrastructure as well; we see VPNs for partner connections. These may allow communication with the partner companies or other business partners, and these again are protected by firewalls that segment out those DMZs as necessary.

So when a customer comes to the corporate website and initiates a transaction, data is going to travel from that web DMZ through the corporate network to the transaction processing center. These are where the mainframes process the transaction; they may provide inventory management, they'll keep track of customer data records, and they may also be storing credit card data. So this section of the network has to be protected, and we see that there is a firewall here as well segmenting it from the rest of the internal corporate network. Finally, the completion of the transaction processing will send the credit card data to the payment processors so that the transaction can be cleared. In this example we see connections to several payment processors: RBC, Paymentech, PayPoint and so forth. These are external connections; the data here is leaving the organization, and once it does so it's no longer of your concern, but these connections again have to be protected by a firewall and segmented off so that there is no way for malicious access through the payment processors into your network.

Another place where credit card transactions may come from are the actual retail sites, again partitioned out and identified as two separate zones. Each store will have many point-of-sale terminals. These terminals will collect credit card data and perform some initial transaction, but that data again gets transmitted through the corporate backbone back to the transaction processing mainframes, where the transactions are completed, and then the data is sent on to the payment processors. So we see that there are actually multiple modes of access for the credit card data to enter the network, and that data in motion has to be controlled; it has to be encrypted so that it cannot be intercepted. And when the data is being stored, for example in the transaction processing area, that has to be again protected so that people cannot access it in an unauthorized manner. Finally, we see the internal corporate network, and this is going to be administrative networks: it may be accounting, it may be application development and other operational areas relevant to the business of the organization. We see the corporate LAN, there may be server farms and so forth, and again segmentation plays an important role here because we don't want Joe in accounting to have unauthorized access to the credit card data that might be stored in the transaction processing area. So again, segmentation becomes very important.

The firewall configurations define these network segments, but they also define the security posture at layers 3 and 4 for your network. As such, these configurations reveal how well your security policies have been implemented. This is because the configurations are actually defining the behavior of the firewalls, and therefore that indicates what the actual policy is on the network, and so that defines your security posture. QSAs will be looking at the configurations, so you need to review them as well. There are a number of things that will reveal how well your security policy has been implemented. These include things like the access control lists in the configuration, address translations, routing configurations, VPN configurations and so forth. These will all show how the security policy has been implemented. Another thing to keep in mind is that every time a configuration changes, your security posture changes as well, and so you need to make sure that the changes that are being applied are actually the correct changes and that they don't introduce side effects that might open up access that was unintended or allow dangerous or potentially risky services through the firewall. So you want to be reviewing your security policy on a regular basis, particularly when they change, to make sure that the configurations and network behavior are actually in sync with your security policy.

As I mentioned earlier, proper segmentation is key to your security posture, but this is only the first step. Making sure that zones are properly separated is important, but next you have to identify all of the services that are allowed into or out of the zones and justify them. For example, we see here that HTTP is being allowed into a particular network which may be containing the sensitive credit card data. Why is that being allowed? The QSA is going to ask you to justify these services, so you have to come up with a business reason for these services to be implemented. If they're not required, then again you have to detect them and make sure that they are removed from the firewalls so that those modes of access are disallowed. In addition to the access lists, address translations will add significantly to your complexity, so reviewing the firewall configuration is not enough; you have to understand how the configuration will make the firewall behave.

A firewall in a typical organization may have hundreds or even thousands of rules. These configurations are very complex. Even a small configuration with maybe 50 or 60 rules, a lot of objects and maybe four or five network interfaces will quickly get beyond your ability to understand all the interactions and implications of what's going on. When the configuration gets even larger, to hundreds or thousands of rules, at this scale it becomes impossible to manually understand what's going on. There's just too many things, too much complexity for the human mind to understand. In order to deal with this you need to use automated tools that are capable of evaluating the access control lists, the network address translations, routes, VPN configurations and so forth, and of understanding all of the combinations of these configurations for all sources, destinations and services. The automated tools will identify precisely what hosts have access to the critical servers and what your exposures are to dangerous or potentially risky services. These tools will then generate reports consistently, quickly and accurately. You know that the QSAs are using these tools because they are required to show a very detailed level of understanding of the network security when doing an audit, so you can use these same tools to do your own self-assessment on a regular basis, so that when the PCI compliance audit time comes around you can be sure that you're not going to fall into any of these possible pitfalls.

As we've discussed, automated tools are the best approach for ensuring PCI compliance. Athena Security offers tools and services for automated firewall auditing and PCI compliance. Our FirePAC product delivers a state-of-the-art network security solution for these kinds of audits and compliance assessments. For more information, please visit our website, www.athenasecurity.net.
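As an added example (not part of the transcript, and not Athena's FirePAC or any real firewall syntax), the Python below sketches the kind of self-assessment the talk describes: a constructed, simplified zone-to-zone permit list is screened for unjustified services (1.1/1.2), cleartext services into the cardholder data environment, direct internet paths to card data (1.3), more than one function per server (2.2.1) and unencrypted firewall administration (2.3). The zone names, hosts and rules are assumptions.

```python
# Toy PCI DSS firewall rule self-check. Added example: not Athena's FirePAC and
# not any real firewall syntax; zones, hosts and rules below are constructed.
from collections import defaultdict

CDE_ZONES = {"transaction-processing", "retail-pos"}  # zones that store or handle card data
CLEARTEXT = {"http", "ftp", "telnet"}                  # services a QSA treats as insecure
ENCRYPTED_ADMIN = {"ssh", "https"}                     # Req 2.3: acceptable console access

# Permit rules as (src zone, dst zone, dst host, service, business justification)
SAMPLE_RULES = [
    ("internet", "web-dmz", "web1", "https", "public storefront"),
    ("internet", "web-dmz", "web1", "ftp", ""),                      # no justification
    ("web-dmz", "transaction-processing", "mf1", "http", ""),        # cleartext into CDE
    ("internet", "transaction-processing", "mf1", "https", "partner portal"),
    ("corporate-lan", "transaction-processing", "mf1", "sql", "batch settlement"),
    ("web-dmz", "web-dmz", "web1", "dns", "resolver"),               # 2nd function on web1
    ("corporate-lan", "firewall", "fw1", "telnet", "admin"),         # cleartext admin
]

def audit(rules):
    """Return (requirement, message) findings for a list of permit rules."""
    findings = []
    services_per_host = defaultdict(set)
    for src, dst, host, svc, why in rules:
        where = f"{svc} {src}->{dst}/{host}"
        services_per_host[(dst, host)].add(svc)
        # Req 1.1/1.2: every permitted service needs a documented business reason
        if not why:
            findings.append(("1.1", f"{where}: no business justification"))
        # Req 1.2: insecure (cleartext) services must not reach cardholder data
        if dst in CDE_ZONES and svc in CLEARTEXT:
            findings.append(("1.2", f"{where}: cleartext service into the CDE"))
        # Req 1.3: the public zone gets no direct path to card data stores
        if src == "internet" and dst in CDE_ZONES:
            findings.append(("1.3", f"{where}: internet reaches the CDE directly"))
        # Req 2.3: administrative access to the firewall itself must be encrypted
        if dst == "firewall" and svc not in ENCRYPTED_ADMIN:
            findings.append(("2.3", f"{where}: unencrypted firewall admin access"))
    # Req 2.2.1: one primary function per server, so flag hosts offered >1 service
    for (zone, host), svcs in sorted(services_per_host.items()):
        if len(svcs) > 1:
            findings.append(("2.2.1", f"{zone}/{host} serves {sorted(svcs)}"))
    return findings

def count_by_requirement(findings):
    counts = defaultdict(int)
    for req, _ in findings:
        counts[req] += 1
    return dict(counts)
```

Run `audit(SAMPLE_RULES)` to list the findings; a real review would feed it the rule base exported from each firewall, with NAT and routing resolved first, as the talk notes.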
Info
Channel: athenasecurity
Views: 34,103
Rating: 4.9509201 out of 5
Keywords: firewall security, pci compliance, athena firepac
Id: gkYLkOCB51c
Length: 13min 27sec (807 seconds)
Published: Fri Sep 03 2010