From the PCI DSS:
Firewalls are computer devices that control computer traffic allowed into and out of a company’s network, as well as traffic into more sensitive areas within a company’s internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.
All systems must be protected from unauthorized access from the Internet, whether entering the system as e-commerce, employees’ Internet-based access through desktop browsers, or employees’ e-mail access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.
Although EFT Server is not a firewall, certain features of EFT Server can facilitate compliance with the sub-requirements indicated below.
| PCI DSS Requirement | How Requirement is Addressed with EFT Server |
| --- | --- |
| 1.1 Establish firewall configuration standards. | Firewall configuration is independent of EFT Server. Reference the Test Procedures of the PCI DSS Security Audit Procedures for more information on firewall configuration requirements. |
| 1.2 Build a firewall configuration that denies all traffic from untrusted networks and hosts, except for protocols necessary for the cardholder data environment. | EFT Server supplements your existing firewall IP address filters with an easy-to-use IP address filter page, letting you grant or deny access to specific IP addresses or ranges of IP addresses. |
| 1.3 Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. | Storing cardholder data in the DMZ where it is publicly accessible, or storing the data internally but allowing inbound connections between the perimeter and internal firewalls in a "west-to-east" fashion, violates this security best practice. How can a company make its cardholder data available to business partners while protecting it from publicly accessible systems or networks? EFT Server's optional DMZ Gateway module solves this problem by brokering communications between the DMZ and the internal network. |
| 1.3.1 Restricting inbound Internet traffic to internet protocol (IP) addresses within the DMZ (ingress filters) | External to EFT Server |
| 1.3.2 Not allowing internal addresses to pass from the Internet into the DMZ | Configured at the firewall, router, or NAT. EFT Server never discloses your internal IP addressing scheme when external connections are made to it. |
| 1.3.3 Implementing stateful inspection, also known as dynamic packet filtering (that is, only "established" connections are allowed into the network) | External to EFT Server |
| 1.3.4 Perimeter Security | EFT Server's DMZ Gateway server greatly facilitates compliance with this requirement. DMZ Gateway can be deployed alongside EFT Server to provide increased security by eliminating the need to store data or authenticate users in the DMZ, or to open inbound holes in your internal network firewall. |
| 1.3.5 - 1.3.9 Specific firewall-related requirements | External to EFT Server |
| 1.4 Prohibit direct public access between external networks and any system component that stores cardholder data. | EFT Server's DMZ Gateway is designed to reside in the demilitarized zone to provide secure communications with EFT Server behind intranet firewalls without requiring any inbound firewall holes between the internal network and the DMZ. |
| 1.4.1 Implement a DMZ to filter and screen all traffic to prohibit direct routes for inbound and outbound Internet traffic | Use EFT Server's DMZ Gateway to prevent any inbound connections from the DMZ to the internal network. |
| 1.4.2 Restrict outbound traffic from payment card applications to IP addresses within the DMZ | EFT Server's DMZ Gateway can work as a reverse proxy as well. EFT Server's file offload feature can use the DMZ Gateway as an outbound proxy. |
| 1.5 Implement IP address masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT) | Configured with a NAT or similar device |
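As an added example that is not part of EFT Server or of this document, the following Python sketch shows the deny-by-default IP filtering logic described under 1.2 combined with the anti-spoofing check behind 1.3.2 and 1.5: a connection is accepted only if it matches an explicit allow rule, deny rules win over allow rules, and anything arriving from the Internet with an RFC 1918 source address is rejected before any rule is consulted. The class name, rule values and sample connections are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges. A packet arriving from the Internet must never carry one of
# these as its source address, whatever the allow list says (PCI DSS 1.3.2 / 1.5).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class IpFilter:
    """Deny-by-default IP filter with explicit allow and deny rules (PCI DSS 1.2).

    Deny rules take precedence so a single bad host inside an allowed range can be excluded.
    Hypothetical class, not EFT Server's implementation."""
    allow: list
    deny: list

    @classmethod
    def from_rules(cls, allow, deny=()):
        # ip_network() accepts both CIDR ranges and single hosts ("198.51.100.10" -> /32).
        return cls([ipaddress.ip_network(a) for a in allow],
                   [ipaddress.ip_network(d) for d in deny])

    def decision(self, src, from_internet=True):
        """Return (allowed, reason) for a connection attempt from source address src."""
        addr = ipaddress.ip_address(src)
        if from_internet and any(addr in net for net in RFC1918):
            return False, "spoofed private source address on external interface"
        for net in self.deny:
            if addr in net:
                return False, f"denied by rule {net}"
        for net in self.allow:
            if addr in net:
                return True, f"allowed by rule {net}"
        return False, "no matching allow rule (default deny)"


def build_sample_filter():
    # Constructed rules: two partner ranges, the internal admin network, one blocked partner host.
    return IpFilter.from_rules(
        allow=["203.0.113.0/24", "198.51.100.10", "10.0.0.0/8"],
        deny=["203.0.113.200"],
    )


if __name__ == "__main__":
    f = build_sample_filter()
    # Constructed connection attempts: (source address, arrived from the Internet?)
    for src, ext in [("203.0.113.7", True), ("203.0.113.200", True), ("198.51.100.11", True),
                     ("10.20.30.40", True), ("10.20.30.40", False)]:
        print(src, "external" if ext else "internal", f.decision(src, ext))
```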