With data breaches on the rise, compliance with the PCI DSS requirements is of utmost importance for merchants handling payment card data. Compliance with this regulatory mandate strengthens network security. Complying with it is a continuous process that requires constant monitoring of your network traffic, configuration changes, audit trails and more.
ManageEngine's Firewall Analyzer, a firewall configuration management and security device log analytics software for multiple firewall vendors, helps you comply with the PCI DSS Version 3.0 requirements that address firewall policy issues through its out-of-the-box reports.
| Rules | Description | How Firewall Analyzer meets this requirement |
|---|---|---|
| 1.1.1 | A formal process for approving and testing all network connections and changes to the firewall and router configurations | Firewall Analyzer provides detailed information on firewall configuration changes, which facilitates the approval and testing of network connections. The solution triggers real-time alerts upon any configuration change, so administrators can act immediately on any misconfiguration. |
| 1.1.5.a | Verify that firewall and router configuration standards include a documented list of services, protocols and ports necessary for business, for example hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL), Secure Shell (SSH), and Virtual Private Network (VPN) protocols | Firewall Analyzer provides exhaustive information on all allowed services, protocols and policies, which helps you verify your firewall and router configuration standards. |
| 1.1.5.b | Identify insecure services, protocols, and ports allowed; verify they are necessary and that security features are documented and implemented by examining firewall and router configuration standards and settings for each service | Firewall Analyzer provides information on all allowed services, protocols and ports, which helps you analyze and identify the insecure services. This report serves as the security feature documentation that allows you to examine the firewall and router configuration standards. With this solution, you can also exclude certain services from the insecure services list, based on your internal business requirements. |
| 1.1.6 | Review firewall rule sets at least once every six months | Firewall Analyzer can automatically review all your firewall rule sets at regular intervals. |
| 1.2.1.a | Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that the restrictions are documented | Firewall Analyzer's exhaustive report on network traffic facilitates verification of traffic to and from the PCI zone. This report provides precise details on all inbound and outbound traffic of the cardholder data environment. Firewall Analyzer documents the restricted traffic to the PCI data environment, allowing you to verify or block unnecessary network traffic. |
| 1.2.1.b | Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit "deny all" or an implicit deny after allow statement | Firewall Analyzer allows you to configure 'Explicit Deny Rules' to prevent unauthorized or malicious traffic reaching your PCI zone. It also provides reports on all explicitly denied rules and allowed traffic. |
| 1.3.2 | Limit inbound Internet traffic to IP addresses within the DMZ | Firewall Analyzer documents all the allowed traffic from an untrusted source to DMZ and non-DMZ networks. This report helps you limit inbound traffic to IP addresses within your perimeter network. |
| 1.3.3 | Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment | Firewall Analyzer provides a precise report on all allowed non-NATed traffic from untrusted sources to your PCI zone. The report helps you secure your cardholder environment by blocking any direct connection between the Internet and the cardholder data environment. |
| 1.3.4 | Do not allow internal addresses to pass from the Internet into the DMZ | Firewall Analyzer's 'Allowed Traffic from Internal IPs to DMZs via WAN Interface' report enables you to block internal addresses from passing from the Internet into the DMZ. |
| 1.3.5 | Do not disclose private IP addresses and routing information to unauthorized parties | Firewall Analyzer provides an exhaustive report of all addresses in the PCI zone that are not NATed and that access the external network. The report lists each address's policy name, rule name, source, destination, service used and source/destination interface. With this report, users can easily check which private IP addresses are exposed to the outside world and which are not, helping you protect your private IPs and routing information from unauthorized parties. |
| 2.1 | Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts | With Firewall Analyzer's out-of-the-box report, the user can check whether all vendor-supplied defaults such as passwords, encryption keys and SNMP community strings have been changed. The solution also provides a report with all user account details, which helps you remove unnecessary accounts. |
| 2.3 | Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access | Firewall Analyzer provides details of all insecure services, such as HTTP access details and Telnet access details, which helps you check the encryption status of all non-console administrative access and web-based management. |
| 10.1 | Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user | Firewall Analyzer provides a 'Configuration Change History' report, which helps you associate all access to system components with users, specifically privileged users. |
| 10.2.1 | All individual accesses to cardholder data | Firewall Analyzer allows you to create custom report profiles that help you monitor all user access to cardholder data in your PCI network. |
| 10.2.2 | All actions taken by any individual with root or administrative privileges | Firewall Analyzer's out-of-the-box configuration change reports over a period of time help you monitor all actions of your privileged and root users. These reports provide the 'where, when, what, who' information on all firewall configuration changes. |
| 10.2.4 | Invalid logical access attempts | With Firewall Analyzer's 'Failed Logon Details' report, users can get information on invalid logical access attempts to their network devices. |
| 10.2.6 | Initialization of the audit logs | Firewall Analyzer helps you comply with 'Audit Trail of User executed commands' (10.2.6 a) of the PCI DSS mandate with its configuration change report, which records all user activities and configuration changes and makes your audit trail simple. The same report also supports the 'Automated Audit Trail requirement' (10.2.6 b) of the PCI DSS mandate. |
| 10.4 | Using time-synchronization technology, synchronize all critical system clocks and times | Firewall Analyzer uses time-synchronization technology to synchronize all critical system clocks and times. |
| 10.6 | Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS) | Firewall Analyzer can review the logs periodically and has alerting mechanisms for security functions like intrusion detection systems and AAA servers (such as RADIUS). With this solution, you can configure alerts to meet your security-related log review needs. |
| 11.5 | Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly | Firewall Analyzer provides a file integrity monitoring feature. The solution can alert network administrators upon unauthorized modification of critical configuration files and more. Users can create alert profiles that trigger instant notification upon any configuration change. Users can also schedule configuration change reports to be generated automatically at regular intervals, and the reports can be redistributed via email. |
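As an added illustration of the checks behind rows 1.1.5.b, 1.2.1.b and 1.3.3 above, here is a small rule-set audit (example code, not Firewall Analyzer's own); the `Rule` class, the zone names, the insecure-service list and the sample rules are assumptions constructed for this example.

```python
# Added example, not Firewall Analyzer code: audits a constructed rule set
# for three of the PCI DSS v3.0 checks mapped in the table above.
from dataclasses import dataclass

# The page names HTTP and Telnet as insecure management services.
INSECURE_SERVICES = {"http", "telnet"}

@dataclass
class Rule:
    name: str
    src_zone: str      # "untrust" = Internet, "pci" = cardholder data zone
    dst_zone: str
    service: str       # e.g. "https", "telnet", or "any"
    action: str        # "allow" or "deny"
    nat: bool = False  # True when the rule translates addresses

def insecure_services_allowed(rules):
    """1.1.5.b: names of allow rules whose service is on the insecure list."""
    return [r.name for r in rules
            if r.action == "allow" and r.service.lower() in INSECURE_SERVICES]

def has_explicit_deny_all(rules):
    """1.2.1.b: the rule set must end with an explicit any->any deny."""
    if not rules:
        return False
    last = rules[-1]
    return (last.action == "deny" and last.src_zone == "any"
            and last.dst_zone == "any" and last.service == "any")

def direct_internet_to_cde(rules, cde_zone="pci"):
    """1.3.3: allow rules carrying non-NATed traffic between Internet and CDE."""
    return [r.name for r in rules
            if r.action == "allow" and not r.nat
            and {r.src_zone, r.dst_zone} == {"untrust", cde_zone}]

def audit(rules):
    """Run the three checks and return the findings as one dict."""
    return {"1.1.5.b_insecure_allowed": insecure_services_allowed(rules),
            "1.2.1.b_explicit_deny_all": has_explicit_deny_all(rules),
            "1.3.3_direct_internet_to_cde": direct_internet_to_cde(rules)}

# Constructed sample rule set: a Telnet management rule, a direct
# Internet-to-PCI rule without NAT, and no trailing deny-all.
SAMPLE_RULES = [
    Rule("web-in", "untrust", "dmz", "https", "allow", nat=True),
    Rule("legacy-mgmt", "internal", "pci", "telnet", "allow"),
    Rule("pci-direct", "untrust", "pci", "https", "allow"),
    Rule("block-pci", "untrust", "pci", "any", "deny"),
]
```

Running `audit(SAMPLE_RULES)` flags `legacy-mgmt` (insecure service), `pci-direct` (direct Internet-to-CDE traffic) and the missing final deny-all, which is the kind of finding the reports in the table are meant to surface.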