Version 1.1
February 28, 2023
Statement of Confidentiality
This Confidential Information is being provided to Voxai Solutions, as a delivery of this consulting engagement. The sole
purpose of this document is to provide you with the results of, and recommendations derived from this consulting
engagement. Each recipient agrees that, prior to reading this document, it shall not distribute or use the information
contained herein and any other information regarding ControlCase for any purpose other than those stated.
Device Name
Meraki Firewall
DO Firewall
During the first round of firewall rule-set review, the ControlCase assessor observed rules affecting compliance, which were reported to Voxai Solutions.
• Voxai_Summary_Sheet_Firewall_Review_H1_v1.0.xlsx
During the second round of client justification review, we accepted the business justification provided by the client.
• Voxai_Summary_Sheet_Firewall_Review_H1_v1.0-23rdFEB2023.xlsx
Harshvardhan Shukla
1.2.1.a
Test procedure: Verify that inbound and outbound traffic is limited to that which is necessary for the Cardholder Data Environment, and that the restrictions are documented.
Observation: The assessor observed that inbound and outbound traffic was allowed through unsecured ports. The Voxai Solutions team modified some rules and provided relevant evidence. The ControlCase assessor reviewed the evidence and concluded that the configured rules are as per PCI DSS requirements. Please refer to Section 6.1 for more information.
Status: Compliant

1.2.1.b
Test procedure: Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement.
Observation: The assessor observed that a drop-all rule has been implemented to deny all inbound and outbound traffic not specifically needed, which prevents inadvertent holes that would allow other, unintended and potentially harmful traffic in or out.
Status: Compliant

1.3.1
Test procedure: Verify that a DMZ is implemented to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
Observation: The assessor observed that a DMZ is implemented to prevent malicious individuals from accessing the organization’s network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner.
Status: Compliant

1.3.2
Test procedure: Verify that inbound Internet traffic is limited to IP addresses within the DMZ.
Observation: The assessor observed that inbound Internet traffic was limited to IP addresses within the DMZ as per the PCI requirement. The ControlCase assessor reviewed the evidence and concluded that the configured rules are as per PCI DSS requirements.
Status: Compliant

1.3.3
Test procedure: Verify that direct connections inbound or outbound are not allowed for traffic between the Internet and the Cardholder Data Environment.
Observation: The assessor observed that direct inbound or outbound connections are not allowed for traffic between the Internet and the Cardholder Data Environment. The ControlCase assessor reviewed the evidence and concluded that the configured rules are as per PCI DSS requirements.
Status: Compliant

Potentially Dangerous Services
Observation: The assessor observed that access was allowed for clear-text protocols and potentially dangerous services as well. The Voxai Solutions team either removed/disabled the rules or provided business justifications for the access allowed to clear-text protocols, but there are still a few rules where potentially dangerous services are allowed (refer to finding no. 1).
Status: Not Applicable
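As an added example (not part of the ControlCase report or of Voxai's firewall configuration), the Python check below applies the 1.2.1.b, 1.3.2, 1.3.3 and potentially-dangerous-services tests above to a constructed first-match rule set; the DMZ and CDE ranges, the port list and the rule schema are assumptions.

```python
import ipaddress
# Constructed sample zones (assumed, not from the report): DMZ and CDE ranges.
DMZ = ipaddress.ip_network("192.0.2.0/24")
CDE = ipaddress.ip_network("10.10.0.0/16")
CLEAR_TEXT_PORTS = {21: "FTP", 23: "Telnet", 69: "TFTP", 80: "HTTP"}  # constructed, non-exhaustive

def _net(addr):
    return None if addr == "any" else ipaddress.ip_network(addr, strict=False)

def within(addr, zone):  # concrete range fully inside zone; 'any' never is
    n = _net(addr)
    return n is not None and n.subnet_of(zone)

def overlaps(addr, zone):  # could reach zone; 'any' overlaps everything
    n = _net(addr)
    return n is None or n.overlaps(zone)

def audit_rules(rules):
    """Check a first-match rule list (dicts with action, direction 'in'/'out', src,
    dst, port, optional justification); return (pci_ref, rule_index, message) tuples."""
    findings = []
    # 1.2.1.b: an explicit deny-all (any src, any dst, any port) must cover both directions.
    covered = {r["direction"] for r in rules if r["action"] == "deny"
               and r["src"] == r["dst"] == r["port"] == "any"}
    for d in ("in", "out"):
        if d not in covered:
            findings.append(("1.2.1.b", None, f"no explicit deny-all for {d}bound traffic"))
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        net_in = r["direction"] == "in" and r["src"] == "any"
        net_out = r["direction"] == "out" and r["dst"] == "any"
        # 1.3.2: Internet-sourced inbound traffic may only land in the DMZ.
        if net_in and not within(r["dst"], DMZ):
            findings.append(("1.3.2", i, f"Internet inbound to non-DMZ destination {r['dst']}"))
        # 1.3.3: no direct path between the Internet and the CDE in either direction.
        if (net_in and overlaps(r["dst"], CDE)) or (net_out and overlaps(r["src"], CDE)):
            findings.append(("1.3.3", i, "direct Internet <-> CDE connection allowed"))
        # Clear-text / dangerous services need a documented business justification.
        if r["port"] in CLEAR_TEXT_PORTS and not r.get("justification"):
            findings.append(("dangerous-services", i, f"{CLEAR_TEXT_PORTS[r['port']]} allowed without justification"))
    return findings
# Constructed sample rule set (first-match order) exercising each check.
SAMPLE_RULES = [
    {"action": "allow", "direction": "in", "src": "any", "dst": "192.0.2.10", "port": 443},
    {"action": "allow", "direction": "in", "src": "any", "dst": "192.0.2.10", "port": 80, "justification": "public HTTP redirect to HTTPS"},
    {"action": "allow", "direction": "in", "src": "any", "dst": "10.10.5.20", "port": 23},
    {"action": "allow", "direction": "out", "src": "10.10.5.0/24", "dst": "any", "port": 21},
    {"action": "deny", "direction": "in", "src": "any", "dst": "any", "port": "any"},
]
```

Running audit_rules(SAMPLE_RULES) reports the missing outbound deny-all, the Internet-to-CDE Telnet rule (three findings) and the CDE-to-Internet FTP rule (two findings), while the justified HTTP rule passes.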
The methods used to collect information included interviews with the Voxai Solutions team, manual review of the firewall rule-sets, and review of the justification document to understand the business requirements behind the firewall policies.
• DO+Firewall+ACL's.xlsx
• Meraki+Firewall+Rule+Set.docx