You can't secure what you don't acknowledge.SM

Wednesday, September 3, 2008

Upcoming PCI updates and the firewall change management disconnect

I was reading about the upcoming PCI DSS version 1.2 updates and noticed something that struck a chord. It's the requirement to review firewall rules every 6 months instead of every three. Wooo - what a nice break the Council has given everyone. Seriously folks, is anyone really reviewing their firewall rules on a regular basis? I don't mean loading up the PIX or Check Point or whatever interface, scrolling through the rules, and saying "Yep - looks good!". That's not what reviewing firewall rules is all about - at least for most organizations. With such complex configurations and often several people administering the system, good processes and tools have to be used if changes are going to be managed properly and PCI compliance is to be had.

The best way I've found to adequately review firewall rulebases is to use both manual analysis and automated tools to verify that what's in place (or assumed to be in place) is actually working. That means using - at the very least - a port scanner but ideally a network mapper/vulnerability scanner such as QualysGuard to see just what the firewall is allowing and not allowing. Beyond that, one of the most overlooked and underrated means of reviewing a firewall rulebase is using a tool like Traffic IQ Professional. You load it up, connect one interface of your test machine to the inside of the firewall, and another interface to the outside of the firewall, and fire away. It sends packets in both directions to see what can get in and what can get out.

Validating the rulebase like this is the only realistic way to know for sure how traffic is being processed through the firewall. For complex firewall configurations (and outside of a few small businesses, most are) this is an awesome way to test what's really going on...And to help ensure PCI compliance.

While I'm on the subject...if you're looking for a good set of firewall best practices, check out my Firewall Best Practices document.

1 comment: