
THE 12 REQUIREMENTS
REQ. 1: KEEP A FIREWALL
Requirement 1 (Install and Maintain a Firewall Configuration)
is about protecting your CDE from untrusted traffic, both inbound
and outbound.
- It also requires a proper change management process for
configuration changes, as well as keeping documentation of the
network topology and cardholder data (CHD) flows;

Sub-requirements include:
- 1.1 Set Configuration Standards;
- 1.2 Restrict Connections Between Untrusted Networks;
- 1.3 Prohibit Public Direct Access From Internet to CDE;
- 1.4 Install Firewall SW on All Computers Accessing the CDE;
- 1.5 Document/Enforce Policies and Procedures;
1.1 Set Configuration Standards is all about having standards
for traffic configurations, security protocols and roles.
- Both the network topology and CHD flows are documented;
- A DMZ must separate local networks from the Internet;
- A change management process exists for configuration changes;
- Procedures and configurations are reviewed regularly (every 6 months);

1.2 Restrict Connections Between Untrusted Networks is all
about preventing external, untrusted traffic and isolating the CDE:
- Limiting inbound/outbound traffic to the CDE to what is required;
- Securely storing router configuration files;
- Positioning firewalls between all wireless networks and the CDE;
1.3 Prohibit Public Direct Access From Internet to CDE is all
about preventing public traffic from reaching cardholder data:
- Creating a DMZ to limit inbound traffic;
- Anti-spoofing measures to stop packets with spoofed IPs from entering;
- No direct traffic from the Internet to the CDE;
- All CDE devices placed in local, isolated networks;

1.4 Install Firewall SW on All Computers Accessing the CDE is
all about forcing all portable computers to run a firewall, so
that vulnerabilities on individual computers do not expose the CDE.
- Although settings cannot always be standardized and may
need to be customized, individual users must not be able to
change them;
1.5 Document/Enforce Policies and Procedures is simply about
making sure that staff know and follow the security policies
and procedures that have been established.
- In essence, it's about staff training: making sure that
employees who handle equipment exposed to Internet traffic
know the procedures that avoid introducing vulnerabilities;
EXAMPLES

/01 RIGOROUS DOCUMENTS

The more rigorous the network topology and the CHD
flowchart are, the fewer vulnerabilities will go unnoticed,
and the better protected the CDE is.

/02 OUTBOUND ALSO

Although many firewall admins focus on inbound traffic to
keep attackers out, outbound traffic must also be managed,
to prevent exfiltration of information.

/03 DENY BY NATURE

This requirement shares one principle with PCI-DSS: deny by
nature. If there is no documented justification for a service
or open port, block it.
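As an added illustration (not part of the original slides), the following Python audits a constructed, zone-based firewall ruleset for the points above: deny by default, no direct Internet-to-CDE traffic, managed outbound traffic, and a documented justification for every open port. The zone names, the Rule shape and the sample rules are assumptions made for this example.

```python
# Added example (not from the original slides): audit a constructed zone-based
# firewall ruleset against Requirement 1 points: deny by default, no direct
# Internet<>CDE traffic (1.3), outbound managed too, and a documented business
# justification for every permitted service/port.
# Zone names and the Rule shape are assumptions for this illustration.
from dataclasses import dataclass


@dataclass
class Rule:
    src: str                 # zone: internet, dmz, internal, wireless, cde
    dst: str
    port: str                # a TCP/UDP port such as "443", or "any"
    action: str              # "allow" or "deny"
    justification: str = ""  # documented business need for the rule


def audit(rules, default_policy):
    """Return a list of findings; an empty list means no Requirement 1 issue found."""
    findings = []
    if default_policy != "deny":
        findings.append("default policy is not deny: unjustified traffic is implicitly permitted")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue  # deny rules never widen exposure
        if r.src == "internet" and r.dst == "cde":
            findings.append(f"rule {i}: direct Internet->CDE access, should terminate in the DMZ (1.3)")
        if r.src == "cde" and r.dst == "internet":
            findings.append(f"rule {i}: direct CDE->Internet outbound, an exfiltration path (1.2/1.3)")
        if r.src == "wireless" and r.dst == "cde":
            findings.append(f"rule {i}: wireless->CDE allow, confirm a firewall mediates it (1.2)")
        if r.port == "any":
            findings.append(f"rule {i}: permits all ports, block what has no justification")
        if not r.justification.strip():
            findings.append(f"rule {i}: allow rule with no documented justification (1.1)")
    return findings


# Constructed sample ruleset for the demonstration.
SAMPLE_RULES = [
    Rule("internet", "dmz", "443", "allow", "public web tier"),
    Rule("dmz", "cde", "5432", "allow", "web tier to card database"),
    Rule("internet", "cde", "22", "allow"),              # direct access + no justification
    Rule("cde", "internet", "any", "allow", "updates"),  # direct outbound + all ports
    Rule("wireless", "cde", "443", "deny"),
]


def sample_audit():
    return audit(SAMPLE_RULES, default_policy="deny")


if __name__ == "__main__":
    for finding in sample_audit():
        print(finding)
```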
KEY TAKEAWAYS

/01 KEEP A FIREWALL

Requirement 1 is all about restricting traffic, isolating
the CDE, and making sure that documentation and
processes support that.

/02 1.1 SET STANDARDS

1.1 is all about having documents (network topology,
CHD flows), having a change management process,
and ensuring frequent review of these.

/03 1.2 RESTRICT CONNECTIONS

1.2 is all about restricting traffic from untrusted
networks, positioning firewalls between all networks
adjacent to the CDE, and storing config. securely.

/04 1.3 NO DIRECT ACCESS

1.3 is all about preventing unsecured traffic from
public sources, using the DMZ as an intermediary, as
well as minimizing open ports and vulnerabilities.

/05 1.4 FIREWALL ON ALL PCS

1.4 is all about enforcing firewall usage on all portable
computers, and not letting users change that, to
minimize vulnerabilities.

/06 1.5 DOCUMENT/ENFORCE

1.5 is all about making sure that employees know the
correct policies and standards, and that they enforce
them.
