I'm setting up firewalls to support compliance efforts, particularly the Payment Card Industry Data Security Standard (PCI DSS). Our firewall vendor offers a PCI rule set, but it needs some customization. What best practices can you offer for taking a generic set of firewall rules and customizing them for our own specific needs, and then how often should rule sets that support compliance be reviewed?
Ask the Expert
As always, when presented with a question consisting of how often or how much, my default answer is: It depends on your organization's budget, manpower and other resources. With that established, I will offer some general best practices.
First and foremost, security personnel should perform some basic penetration tests on the firewall to ensure that it is blocking the traffic that it claims to be blocking. For example, your firewall is most likely configured to block all incoming Telnet traffic. If your security testers are still able to perform some type of Telnet connection from outside the perimeter, the firewall vendor must be contacted immediately.
While testing is being conducted, and perhaps even long before, a baseline must be established for what is considered "normal" traffic. This baseline lets security personnel derive proper heuristics, and it is the most effective way to customize firewall rules for your specific needs.
In this case, your organization will be charged with adhering to the PCI DSS framework, meaning a large part of compliance depends on how well cardholder information is protected. Most likely this data will be stored in some type of database, which must be guarded against SQL-based attacks. Therefore, your security administrators and database administrators should collaborate to determine what constitutes an authorized SQL statement and what does not. Test your findings during the heuristic determination phase, and the result should be a fairly accurate, and highly customized, firewall rule set.
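The first step above, verifying that the firewall really blocks what its rule set claims to block, can be made systematic by evaluating each test connection against the rules and comparing the expected verdict with what the testers observed. The following is an added illustration, not code from the column or from any firewall vendor; the rule format, the addresses and the probe results are constructed, and the evaluator assumes first-match semantics with an implicit default deny.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # source CIDR
    dst: str             # destination CIDR
    dport: Optional[int] # destination port, None = any port

# Constructed, simplified cardholder-environment rule set (hypothetical addresses):
# internal clients may reach the web tier on 443, the web tier may reach the
# database host on 1433, and everything else is denied by the final rule.
RULES = [
    Rule("allow", "tcp", "10.0.0.0/8", "10.20.0.0/24", 443),
    Rule("allow", "tcp", "10.20.0.0/24", "10.30.0.10/32", 1433),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),
]

def expected_verdict(rules, proto, src, dst, dport):
    """First matching rule decides; no match falls through to deny."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if ip_address(src) not in ip_network(r.src):
            continue
        if ip_address(dst) not in ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"

# Constructed results from the testers' connection attempts:
# (proto, source, destination, port, "open" or "blocked").
OBSERVED = [
    ("tcp", "203.0.113.5", "10.20.0.7", 23, "blocked"),    # Telnet from outside
    ("tcp", "203.0.113.5", "10.20.0.7", 443, "blocked"),
    ("tcp", "10.20.0.7", "10.30.0.10", 1433, "open"),
    ("tcp", "10.20.0.7", "10.30.0.10", 3306, "open"),      # should have been denied
]

def find_discrepancies(rules, observed):
    """Return one line per probe whose observed outcome contradicts the rules."""
    findings = []
    for proto, src, dst, dport, result in observed:
        want = expected_verdict(rules, proto, src, dst, dport)
        got = "allow" if result == "open" else "deny"
        if want != got:
            findings.append(f"{proto} {src}->{dst}:{dport} expected {want}, observed {got}")
    return findings
```

Any line returned by `find_discrepancies` is a gap between the documented policy and the enforced one and belongs in the review record for the rule set.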
This was first published in October 2013