PCI DSS 3.0 Firewall

PCI DSS 3.0 Firewall Recommendations? Does anyone have a full list of what the firewall requirements are for PCI DSS 3.0 and a suggestion on which firewalls will provide the best / the ability to pass?

ffleisma (Senior Network Engineer) commented:
Here is a copy of the PCI-DSS 3.0; it can be downloaded for free on their website anyway.

On how to pass, I'll let security experts who have experience on this answer.

My experience as a network admin: the guidelines were pretty straightforward and we just try to adhere to them and provide everything to the auditor. If they find something we need to change, we conform, and provide proof that the change was done and documentation that the current network conforms to the guidelines provided.

On which FW vendor, I don't think the PCI-DSS specifies vendors but I'm sure most enterprise grade FW can accomplish the guidelines. We were using Cisco ASA on ours by the way.

JPDU4 (Author) commented:
Thank you. Any issues from any folks using a Cisco ISR?
ffleisma (Senior Network Engineer) commented:
Well, to be honest I'm not too sure about using a router acting as the primary firewall/filtering component to the environment. On page 19 of the guidelines, you can read the following:

All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e-mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.
Other system components may provide firewall functionality, as long as they meet the minimum requirements for firewalls as defined in Requirement 1.

I'm no security expert; this is something you can bring up with your security team or auditor.

I think you closed the question a bit soon. Other experts might not be able to comment, as the question will be tagged as closed now since you awarded me the points. Appreciate it, but you might want to post another question or re-open this one for discussion.

JPDU4 (Author) commented:
The ISR is a zone-based firewall, so we can create different "zones". I am wondering if it's strong enough. Seeing that it does not have IPS/IDS or next-gen features like app support, I am wondering how important those features are.
ffleisma (Senior Network Engineer) commented:
In terms of basic FW functions, the ISR should do fine and will fit the mentioned "Other system components may provide firewall functionality".

However on page 95 of PCI-DSS v3 document, you'll run into the requirement for IPS/IDS.
Requirement 11: Regularly test security systems and processes
11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.
Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.

With my previous company, we ended up upgrading all our ASA with IPS modules. Just sharing my experience as network admin: we had a separate security team that handled the interaction with the PCI auditors; we just provided them what was requested and implemented changes when necessary.
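As an added illustration (not configuration from this thread or from any of the posters), the following Cisco IOS zone-based firewall fragment shows the kind of segmentation the ISR discussion above refers to: a cardholder data environment (CDE) zone separated from an untrusted zone, with only named outbound protocols inspected and everything else dropped and logged. Interface names, zone names and the allowed protocols (HTTPS, DNS) are assumptions for the example; the actual allowed flows must come from your own documented business justification and your auditor.

```cisco
! Zones: one for the untrusted side, one for the PCI-scoped segment
zone security UNTRUSTED
 description Internet and other untrusted networks
zone security CDE
 description Cardholder data environment (PCI DSS scope)
!
! Assumed interfaces for this example
interface GigabitEthernet0/0
 description Outside
 zone-member security UNTRUSTED
!
interface GigabitEthernet0/1
 description Inside - CDE segment
 zone-member security CDE
!
! Only explicitly justified outbound protocols are matched
class-map type inspect match-any CDE-OUTBOUND-ALLOWED
 match protocol https
 match protocol dns
!
! Allowed traffic is stateful-inspected; anything else is dropped and logged
policy-map type inspect CDE-TO-UNTRUSTED
 class type inspect CDE-OUTBOUND-ALLOWED
  inspect
 class class-default
  drop log
!
! Apply the policy only to CDE -> UNTRUSTED. No zone-pair is defined for
! UNTRUSTED -> CDE, so inbound connections from the untrusted side are
! dropped by default (the default-deny behaviour of zone-based firewall).
zone-pair security CDE-OUT source CDE destination UNTRUSTED
 service-policy type inspect CDE-TO-UNTRUSTED
```

The dropped-packet logs this generates are the evidence an auditor will typically ask for; note that this fragment provides packet filtering only, and does not satisfy the separate intrusion detection/prevention requirement (11.4) quoted above.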