PCI 101: Network Security Control Configuration Review, AKA firewall ruleset review
Posted by: Carla Brinker
The PCI DSS requires a review of all network security control (NSC) configurations at least once every six months (Req. 1.2.7). Sounds simple and easy enough, but it’s worth a review.
Let’s start with the definition of a network security control. From the glossary included within PCI DSS v4.0: A network security control is a firewall or other network security technology that acts as a network policy enforcement point. NSCs typically control network traffic between two or more logical or physical network segments (or subnets) based on pre-defined policies or rules.
The spirit of this control is to ensure that all connections to trusted networks have a proper business justification, are authorized, optimized, and are still needed, keeping in mind they could be cloud-based. The reviews should be driven by the subject matter experts who manage the NSCs and who know the network architecture, along with input from other departments as needed. Many NSCs are managed by more than one administrator. Each administrator may have their own way of following the change management process and implementation process. The review ensures each rule is implemented as expected.
With small configurations, a manual inspection of each rule is possible. The inspection would include reviewing the change ticket that includes the business justification, verifying (if necessary) with the requesting party/department to ensure the business justification is still valid, and ensuring that the authorization remains in place. Both business justification and approval need to be documented. If any exceptions have been granted, this is also a good time to review those exceptions to see if they are still valid. It will be necessary to evaluate each rule to ensure it is not overly permissive and creating unnecessary risk. It will also be necessary to evaluate the ordering of the rules. Rules are processed from top to bottom, so a rule that appears later may override a previous rule. A misconfigured rule order can lead to unintended access. Redundant rules can reduce NSC performance.
The inspection is meant to cover both inbound and outbound traffic. Bi-directional access may have been used when one-way access was the only requirement. For larger configurations, performing such a review is not so easy. Tools can be used to document business justification, verify if a rule is used, etc. If a rule hasn’t been used in quite some time, an effort should be made to remove it. The acceptable inactive time period will need to be determined by the organization (keeping in mind that some processes happen only once a year and may need special access only once a year). Large organizations may also choose to use a third party to perform the review.
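The three checks the two paragraphs above describe (rule ordering, overly permissive rules, and rules unused past the organization's inactivity window) can be scripted against a normalized export of the ruleset. The following is an added example, not code from the post or from GuidePoint; it assumes first-match processing, a constructed sample ruleset, and that each rule's days since last hit has already been pulled from the NSC's hit counters.

```python
from ipaddress import ip_network

# Constructed sample ruleset (assumption: normalized from an NSC export).
# "last_hit_days" is assumed to come from the device's hit counters or logs.
RULES = [
    {"id": 1, "src": "10.0.0.0/8",    "dst": "192.168.10.5/32", "port": 443,   "action": "allow", "last_hit_days": 2},
    {"id": 2, "src": "10.1.0.0/16",   "dst": "192.168.10.5/32", "port": 443,   "action": "allow", "last_hit_days": 400},
    {"id": 3, "src": "0.0.0.0/0",     "dst": "0.0.0.0/0",       "port": "any", "action": "allow", "last_hit_days": 0},
    {"id": 4, "src": "172.16.0.0/12", "dst": "192.168.20.0/24", "port": 22,    "action": "allow", "last_hit_days": 200},
]

def _covers(outer, inner):
    """True if rule `outer` matches every packet that rule `inner` would match."""
    src_ok = ip_network(inner["src"]).subnet_of(ip_network(outer["src"]))
    dst_ok = ip_network(inner["dst"]).subnet_of(ip_network(outer["dst"]))
    port_ok = outer["port"] == "any" or outer["port"] == inner["port"]
    return src_ok and dst_ok and port_ok

def find_shadowed(rules):
    """Ordering check: rules that can never match because an earlier rule already
    covers their traffic (first-match semantics). These are redundant or misordered."""
    shadowed = []
    for i, later in enumerate(rules):
        if any(_covers(earlier, later) for earlier in rules[:i]):
            shadowed.append(later["id"])
    return shadowed

def find_overly_permissive(rules):
    """Allow rules with any source, any destination and any port."""
    return [r["id"] for r in rules
            if r["action"] == "allow" and r["port"] == "any"
            and ip_network(r["src"]).prefixlen == 0
            and ip_network(r["dst"]).prefixlen == 0]

def find_stale(rules, max_inactive_days):
    """Rules not hit within the inactivity window the organization has chosen;
    candidates for removal after confirming the business justification is gone."""
    return [r["id"] for r in rules if r["last_hit_days"] > max_inactive_days]

if __name__ == "__main__":
    print("shadowed:", find_shadowed(RULES))
    print("overly permissive:", find_overly_permissive(RULES))
    print("stale (>365 days):", find_stale(RULES, 365))
```

Each finding still needs the manual step the post describes: a shadowed rule may be a misordered exception rather than dead weight, and a stale rule may serve a once-a-year process, so the output is a worklist for the reviewers, not an automatic deletion list.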
Whether the review is manual or automated, in-house or outsourced, documentation is needed. The first document is a procedure that identifies the necessary steps of the review. The results of the review must also be documented. This documentation would include participants, scope of the review (NSCs reviewed), dates of the review, date of the configuration that was reviewed, findings, remediation steps that were needed (including ticket numbers), and lessons learned. It’s always a good idea to have this review approved by management when it is completed.
While the PCI DSS only requires a review every six months, the guidance suggests networks with a high volume of changes should conduct reviews more often. A review may even be triggered by a security alert that requires further investigation. Again, the frequency of the review is something that needs to be determined by the organization.
It may be easier to maintain a list of all changes to NSCs each month. The review could start with the latest changes made and provide extra scrutiny to those changes, before moving into the verification phase of the previously existing rules. Either way, a sample of changes to the NSCs will be chosen as part of your PCI assessment. Having a list from each month makes this sampling effort easier for both the assessor and the assessed entity.
Such a review identifies any avenues into the trusted networks that are no longer needed. The fewer avenues into the trusted networks, the higher the chance of securing those networks. An NSC configuration review is just another layer in your defense in-depth strategy.
Carla Brinker
Principal Cybersecurity Consultant,
GuidePoint Security
Carla Brinker, Principal Cybersecurity Consultant at GuidePoint Security, began her career in the security industry in 2000. Her professional experience includes PCI assessments ranging from Fortune 25 companies to small companies, risk assessments, IT governance, oversight of new controls implementation, technical writing, and security education. She has both led and participated in assessments for industries such as banking, retail, ecommerce, and hospitality and has managed teams of consultants delivering information security services. Carla holds several industry certifications, including Certified Information Security Assessor (CISA), Certified Information Security Manager (CISM), and PCI Qualified Security Assessor (PCI QSA).