PCI DSS 3.0 Firewall

PCI DSS 3.0 Firewall Recommendations? Does anyone have a full list of what the firewall requirements are for PCI DSS 3.0 and a suggestion on which firewalls will provide the best ability to pass?
JPDU4 asked:
ffleisma (Senior Network Engineer) commented:
Here is a copy of PCI-DSS 3.0; it can be downloaded for free from their website anyway.

On how to pass, I'll let security experts who have experience with this answer.

In my experience as a network admin, the guidelines were pretty straightforward, and we just try to adhere to them and provide everything to the auditor. If they find something we need to change, we conform, provide proof that the change was done, and provide documentation that the current network conforms to the guidelines provided.

On which FW vendor: I don't think PCI-DSS specifies vendors, but I'm sure most enterprise-grade FWs can accomplish the guidelines. We were using Cisco ASA on ours, by the way.
Attachment: PCI-DSS-v3.pdf
JPDU4 (Author) commented:
Thank you. Any issues from any folks using a Cisco ISR?
ffleisma (Senior Network Engineer) commented:
Well, to be honest, I'm not too sure about using a router as the primary firewall/filtering component for the environment. On page 19 of the guidelines, you can read the following:

All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.
Other system components may provide firewall functionality, as long as they meet the minimum requirements for firewalls as defined in Requirement 1.

I'm no security expert; this is something you can bring up with your security team or auditor.

I think you closed the question a bit soon; other experts might not be able to comment, as the question will be tagged as closed now that you awarded me the points. Appreciate it, but you might want to post another question or re-open this one for discussion.
JPDU4 (Author) commented:
The ISR is a zone-based firewall, so we can create different "zones". I am wondering if it's strong enough. Seeing that it does not have IPS/IDS or next-gen features like app support, I'm wondering how important those features are.
ffleisma (Senior Network Engineer) commented:
In terms of basic FW functions, the ISR should do fine and will fit the mentioned "Other system components may provide firewall functionality".

However, on page 95 of the PCI-DSS v3 document, you'll run into the requirement for IPS/IDS:
Requirement 11: Regularly test security systems and processes
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.
Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.
With my previous company, we ended up upgrading all our ASAs with IPS modules. Just sharing my experience as a network admin: we had a separate security team that handled the interaction with the PCI auditors; we just provided them what was requested and implemented changes when necessary.