Sub-Requirements 1.1.5, 1.1.6, 1.2, 1.3.2 and 1.3.5 (Update: v3.0 11/2013)

  • 1.1.5 Documented list of services and ports necessary for business
  • 1.1.6 Justification and documentation for any available protocols besides HTTP and SSL, SSH, and VPN. (Maps to prior Requirement 1.1.5)
  • 1.2 Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment
  • 1.3.2 Not allowing internal addresses to pass from the Internet into the DMZ
  • 1.3.5 Restricting inbound and outbound traffic to that which is necessary for the cardholder data environment

Illustrative Controls and the TIBCO LogLogic Solution

Administrators must document all services and ports necessary for business and identify every port and protocol passed through the firewall other than HTTP (generally port 80/tcp), SSL (generally port 443/tcp), SSH (generally port 22/tcp), and VPN (Virtual Private Network; generally IP protocols 50 and 51 and port 500/udp, though other ports and protocols may be used). Once these are identified, administrators must review the resulting exception list and document the business justification for allowing each protocol.

Where a protocol is needed only temporarily, administrators should document the timeframe during which it is allowed and promptly remove it from the firewall configuration once that period has expired. Administrators should set up network policy alerts to detect any unauthorized traffic passing through the firewalls.
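The procedure above (a documented services/ports list, a justified-exception list with a timeframe, and an alert on anything else) can be checked mechanically against firewall accept events. The following is an added example and is not code from the TIBCO LogLogic guide or product; the log line format, the exception table, the ticket reference and the IP addresses are constructed for illustration, and the baseline ports are the ones the text names.

```python
# Added example (not from the TIBCO LogLogic guide): audit firewall ACCEPT
# events against the documented services/ports baseline, a justified-exception
# list with expiry dates, and flag everything else for a policy alert.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple
import re

# Baseline the text treats as not needing a separate justification:
# HTTP 80/tcp, SSL 443/tcp, SSH 22/tcp, IPsec VPN (ESP/AH and IKE 500/udp).
BASELINE_PORTS = {("tcp", 80), ("tcp", 443), ("tcp", 22), ("udp", 500)}
BASELINE_IP_PROTOS = {"esp", "ah"}  # IP protocols 50 and 51


@dataclass(frozen=True)
class JustifiedException:
    proto: str
    port: int
    justification: str
    expires: Optional[date]  # None means no end date was documented


# Constructed exception list, the artefact Requirement 1.1.6 asks for.
EXCEPTIONS = [
    JustifiedException("tcp", 3306, "DB replication to DR site (constructed ticket CHG-0001)", date(2014, 6, 30)),
    JustifiedException("tcp", 8443, "Legacy payment gateway (constructed)", date(2013, 9, 30)),  # already expired
]

# Constructed log format: "<ts> <ACCEPT|DROP> <proto> <src>[:<sport>] -> <dst>[:<dport>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

SAMPLE_LOG = """\
2013-11-05T10:00:01 ACCEPT tcp 203.0.113.5:51234 -> 10.1.2.3:443
2013-11-05T10:00:02 ACCEPT tcp 203.0.113.5:51235 -> 10.1.2.3:3306
2013-11-05T10:00:03 ACCEPT tcp 203.0.113.9:51236 -> 10.1.2.4:8443
2013-11-05T10:00:04 ACCEPT tcp 198.51.100.7:51237 -> 10.1.2.4:23
2013-11-05T10:00:05 ACCEPT esp 198.51.100.8 -> 10.1.2.1
2013-11-05T10:00:06 DROP tcp 198.51.100.7:51238 -> 10.1.2.4:445
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed-format log line; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def classify(event: dict, exceptions: List[JustifiedException], today: date) -> str:
    """Return 'baseline', 'justified', 'expired' or 'unauthorized' for an event."""
    proto, port = event["proto"].lower(), event["dport"]
    if proto in BASELINE_IP_PROTOS or (proto, port) in BASELINE_PORTS:
        return "baseline"
    for ex in exceptions:
        if ex.proto == proto and ex.port == port:
            # A documented exception whose timeframe has passed must be removed.
            if ex.expires is not None and ex.expires < today:
                return "expired"
            return "justified"
    return "unauthorized"


def audit(log_text: str, exceptions=EXCEPTIONS, today: date = date(2013, 11, 5)) -> List[Tuple[str, str]]:
    """Classify every ACCEPT event; DROP events are enforcement, not findings."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "ACCEPT":
            continue
        findings.append((line, classify(ev, exceptions, today)))
    return findings


def alerts(log_text: str, exceptions=EXCEPTIONS, today: date = date(2013, 11, 5)) -> List[Tuple[str, str]]:
    """Events that should raise a network policy alert: traffic with no
    documented justification, or an exception past its documented timeframe."""
    return [(l, s) for l, s in audit(log_text, exceptions, today) if s in ("expired", "unauthorized")]


if __name__ == "__main__":
    for line, status in audit(SAMPLE_LOG):
        print(f"{status:12} {line}")
```

Running the block on the constructed sample reports 443/tcp and ESP as baseline, 3306/tcp as justified, 8443/tcp as an expired exception and 23/tcp as unauthorized; the two last categories are the ones that should feed an alert, and the expired entry is also the cue to remove the rule from the firewall configuration.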

Reports and Alerts

Use the following links/references to see the 1.1.5, 1.1.6, 1.2, 1.3.2, 1.3.5 reports and alerts:

  • 1.1.5 reports and alerts on page 79.
  • 1.1.6 reports and alerts on page 81.
  • 1.2, 1.3.2, 1.3.5 reports and alerts on page 90.