PCI Resources
A structured approach to the PCI standards

PCI DSS Requirement 1

The firewall requirement comes first since the first technical layer of information security is generally at the network level, by preventing "unauthorized access from untrusted networks" (PCI DSS 3.2, p.20) . Firewall functionality can be provided by multiple types of devices, from firewalls themselves to routers and switches, all of which can be physical devices or even virtual ones. Whenever we refer to 'firewall', we refer to the devices providing that functionality. The goal of requirement 1 is to reduce access to the network to the smallest number possible that are required for business. As with in everything in PCI DSS and information security, we should always default to "closed", meaning that we start in a locked-down secure state and then only open what is required for business.

The PCI DSS requires the presence of an externally-facing demilitarized zone (DMZ) for all systems that are exposed to what PCI DSS calls "open, public networks" (networks not under the organization's control), most often referring to the internet. The goal of this intermediate zone is to make an attacker's job more difficult by having them need to subvert a first set of systems with limited access to the internal network.

And while segmenting the internal network to create the CDE (the internal PCI zone) is not a PCI DSS requirement, it is a strong recommendation from both the council and most information security practitioners. In the absence of adequate network segmentation, the complete internal network is in scope and forms the CDE.

One often forgotten item is the fact to no system in the CDE should access the internet directly. In fact, for security's sake, standard best practices dictate that most systems in an organization should never access the internet directly (if this can be avoided), but should go through filtering systems that may restrict access to undesirable sites (undesirable is to be defined by the organization) including filtering for malware or illegal sites. Many attacks involve the use of social engineering, such as phishing emails, to users who click on links to infected sites which leverage web browser vulnerabilities to infect the end-user's computer and give an entry point on the network for the attacker.

PCI DSS calls for Firewall Configuration Standards to be established. Those standards cover default initial (and secure) configurations (covered in requirement 2 hardening for other types of systems) as well as the process to manage changes to the firewall. The firewall devices must be managed so that any changes are appropriately approved, and the rules allowing for traffic must be reviewed periodically (at least twice a year).

Documentation of the scope, covered in the PCI DSS Scoping Model and Approach is also part of this requirement from a network and data flow perspective, but the complete scope includes more than these requirements.

Personal Firewall (requirement 1.4) will be covered along with other Remote Access requirements.

Further readings: