Answer

How to support compliance efforts with customized firewall rule sets

I'm setting up firewalls to support compliance efforts, particularly the Payment Card Industry Data Security Standard (PCI DSS). Our firewall vendor offers a PCI rule set, but it needs some customization. What best practices can you offer for taking a generic set of firewall rules and customizing them for our own specific needs, and then how often should rule sets that support compliance be reviewed?


Ask the Expert

Have questions about network security for expert Brad Casey? Send them via email today! (All questions are anonymous)

As always, when presented with a question consisting of how often or how much, my default answer is: It depends on your organization's budget, manpower and other resources. With that established, I will offer some general best practices.

First and foremost, security personnel should perform some basic penetration tests on the firewall to ensure that it is blocking the traffic that it claims to be blocking. For example, your firewall is most likely configured to block all incoming Telnet traffic. If your security testers are still able to perform some type of Telnet connection from outside the perimeter, the firewall vendor must be contacted immediately.

While testing is being conducted, and perhaps even long before, some type of metric must be established with regard to what is considered "normal" traffic. This will help security personnel determine proper heuristics, and this is the most effective way to customize firewall rules for your specific needs.

In this case, your organization will be charged with adhering to the PCI DSS framework, meaning a large part of compliance depends on how well cardholder information is protected. Most likely this data will be stored in some type of database, which must be guarded against SQL-based attacks. Therefore, your security administrators and database administrators should collaborate to determine what constitutes an authorized SQL statement and what does not. Test your findings during the heuristic determination phase and this should result in a fairly accurate -- and not to mention highly customized -- firewall rule set.
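The two steps the answer describes, establishing a "normal" traffic baseline and then penetration-testing the resulting rules (including the Telnet check), as one worked script. This is an added example, not code from the original answer or from any firewall vendor's PCI rule set. It assumes a simplified key=value firewall log format, iptables-style rule rendering, a constructed sample log, and TCP connect probes for verification; the host addresses and the cardholder-data-environment (CDE) host list are made up for illustration.

```python
"""Baseline-driven firewall rule customization and verification.

Added example (not from the original answer). Assumptions: a simplified
key=value firewall log format, iptables-style rendering of rules, and TCP
connect probes for verification; none of these come from the page."""
import re
import socket
from collections import Counter

# Constructed sample accept log from a "learning window" (not real traffic).
# 10.2.0.5 = web tier, 10.2.0.9 = cardholder database. The single telnet
# session to the database host is exactly the kind of thing a baseline
# must not quietly turn into a permanent allow rule.
SAMPLE_LOG = """\
src=10.1.1.20 dst=10.2.0.5 proto=tcp dpt=443 action=ACCEPT
src=10.1.1.21 dst=10.2.0.5 proto=tcp dpt=443 action=ACCEPT
src=10.1.1.20 dst=10.2.0.5 proto=tcp dpt=443 action=ACCEPT
src=10.2.0.5 dst=10.2.0.9 proto=tcp dpt=1433 action=ACCEPT
src=10.2.0.5 dst=10.2.0.9 proto=tcp dpt=1433 action=ACCEPT
src=10.1.1.99 dst=10.2.0.9 proto=tcp dpt=23 action=ACCEPT
src=10.1.1.99 dst=10.2.0.9 proto=tcp dpt=22 action=DROP
"""

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dpt=(\d+) action=(\w+)")


def baseline_flows(log_text, min_count=2):
    """Count accepted (dst, proto, dport) flows in the learning window.

    Flows seen fewer than min_count times are returned separately for human
    review rather than admitted to the baseline, so one stray session cannot
    become a rule."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group(5) != "ACCEPT":
            continue
        _src, dst, proto, dport, _action = m.groups()
        counts[(dst, proto, int(dport))] += 1
    baseline = {flow: n for flow, n in counts.items() if n >= min_count}
    review = {flow: n for flow, n in counts.items() if n < min_count}
    return baseline, review


def candidate_policy(baseline, cde_hosts):
    """Allow-list for the CDE: only baseline flows whose destination is a CDE
    host are allowed; everything else to those hosts hits the catch-all DROP."""
    return {flow: "allow" for flow in baseline if flow[0] in cde_hosts}


def render_rules(policy, cde_hosts):
    """Render the policy as iptables-style rules (assumed syntax)."""
    rules = [f"-A FORWARD -d {dst} -p {proto} --dport {dport} -j ACCEPT"
             for (dst, proto, dport) in sorted(policy)]
    rules += [f"-A FORWARD -d {host} -j DROP" for host in sorted(cde_hosts)]
    return rules


def probe_tcp(host, port, timeout=3.0):
    """Real TCP connect probe; run it from outside the segment under test.

    'refused' means the SYN reached the host and was answered with RST,
    i.e. the firewall did NOT drop it; 'filtered' means nothing came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"


def verify_policy(policy, deny_checks, probe=probe_tcp, deny_mode="drop"):
    """Probe every allowed TCP flow and every must-deny (host, port); return
    the mismatches. deny_mode says what a correct deny looks like from outside:
    a DROP firewall shows 'filtered', a REJECT firewall shows 'refused'."""
    deny_expected = "filtered" if deny_mode == "drop" else "refused"
    mismatches = []
    for (dst, proto, dport), decision in policy.items():
        if proto != "tcp":
            continue  # connect probe covers TCP only; UDP needs a protocol-aware check
        observed = probe(dst, dport)
        if decision == "allow" and observed != "open":
            mismatches.append((dst, dport, "allow", observed))
    for dst, dport in deny_checks:
        observed = probe(dst, dport)
        if observed != deny_expected:
            mismatches.append((dst, dport, "deny", observed))
    return mismatches


if __name__ == "__main__":
    cde = {"10.2.0.5", "10.2.0.9"}
    baseline, review = baseline_flows(SAMPLE_LOG)
    policy = candidate_policy(baseline, cde)
    print("\n".join(render_rules(policy, cde)))
    print("needs review before allowing:", review)
    # Simulated probe results so this runs offline; swap in probe_tcp for a real test.
    fake = {("10.2.0.5", 443): "open", ("10.2.0.9", 1433): "open",
            ("10.2.0.9", 23): "refused"}
    print("mismatches:", verify_policy(policy, [("10.2.0.9", 23)],
                                       probe=lambda h, p: fake[(h, p)]))
```

In the simulated run the telnet probe to the database host comes back "refused" rather than "filtered", which is the situation the answer warns about: the packet reached the host, so the firewall is not dropping port 23 as claimed. The `review` set is the other practitioner-relevant output; a flow seen once during the baseline window is a question for the database and security administrators, not an automatic allow rule.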

This was first published in October 2013
