
	Home > Ask the Security Channel Experts > PCI DSS Compliance Questions & Answers > How to ensure PCI-compliant firewall configurations

Ask The Security Channel Expert: Questions & Answers

EMAIL THIS

How to ensure PCI-compliant firewall configurations

EXPERT RESPONSE FROM: Retired Expert - John Kindervag

		Pose a Question

		Other Security Channel Categories

		Meet all Security Channel Experts
		Become an Expert for this site

Security Channel Update

Digg This! StumbleUpon Del.icio.us

QUESTION POSED ON: 10 July 2007
Is there a common checklist that can be used for firewall configuration reviews? Or can you recommend any tools for finding weaknesses in a customer's firewalls? This is for compliance monitoring.

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	PCI DSS Compliance
	PCI DSS compliance: All or nothing?
	Vulnerability mitigation for PCI compliance
	Avoiding conflicts of interest in PCI security assessments
	Value-adds for PCI auditors

Application security introduction

Web application firewall market is hot for resellers, service providers

Network firewall vendors

How should VARs sell the new firewall technology?

Application firewalls create opportunities for VARs and integrators

Firewall management tools ease configuration woes

TJX admits losing credit card data to crackers

Protecting against cross-site request forgery (CSRF) attacks

Report: Oracle security is inferior to Microsoft's

Email firewalls: A good fit for your SMB customers

Burton Group: Web application firewall market maturing

PCI DSS compliance

Web application security best practices: Tips on implementation

Application security expertise a plus when offering WAF services

PCI wireless guidelines translate to dollars for VARs

PCI compliance guide: A resource for solution providers

PCI DSS pre-assessment services: Prelude to a QSA

The impact of PCI compliance on the channel

The importance of PCI compliance

PCI compliance services FAQ

Channel Checklist: Top five PCI compliance mistakes and how to avoid them

PCI compliance: Web application firewall vs. code review

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

There have been several questions coming in regarding firewall configuration reviews because of PCI Requirement 1.1 , which establishes firewall configuration standards. To create a firewall configuration checklist, you need to consider two things in place:

You must have a firewall configuration policy in place to test against.

You must develop a configuration testing methodology.

Because there are so many different brands of firewalls out there, each one should be analyzed by someone very familiar with that type of firewall. Additionally there are open source tools such as Firewalk and FTester that test firewalls. Also, there are several commercial software tools out there to automate the firewall auditing process.

The intent of PCI Requirement 1.1 is to get companies looking at their firewalls and then making some decisions about rules. For example, it is common to go to a client site and find out that they don't have any idea why a rule is in place. There is often a change control process in place for creating a new rule, but not for reviewing rules once they've been created.

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

SEARCH

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2006 - 2009, TechTarget \| Read our Privacy Policy