Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data

From the PCI DSS:

Firewalls are computer devices that control computer traffic allowed between a company’s network (internal) and untrusted networks (external), as well as traffic into and out of more sensitive areas within a company’s internal trusted network. The cardholder data environment is an example of a more sensitive area within the trusted network of a company.

A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.  

All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employees’ Internet access through desktop browsers, employees’ e-mail access, dedicated connection such as business to business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.  

Although EFT Server is not a firewall, certain features of EFT Server can facilitate compliance with the sub-requirements indicated below.

| PCI DSS Requirement | How Requirement is Addressed with EFT Server |
|---|---|
| 1.1 Establish firewall and router configuration standards. | Firewall and router configuration is independent of EFT Server. Refer to the Test Procedures of the PCI DSS Security Audit Procedures for more information on firewall configuration requirements. |
| 1.2 Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment. | EFT Server supplements your existing firewall IP address filters with an easy-to-use IP address filter page, letting you grant or deny access to specific IP addresses or ranges of IP addresses. |
| 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment. | Storing cardholder data in the DMZ where it is publicly accessible, or storing the data internally but allowing inbound connections between the perimeter and internal firewalls in a "west-to-east" fashion, violates this security best practice. How can a company make its cardholder data available to business partners while protecting it from publicly accessible systems or networks? EFT Server's optional DMZ Gateway Server module solves this problem by brokering communications between the DMZ and the internal network. |
| 1.3.1 Restricting inbound Internet traffic to internet protocol (IP) addresses within the DMZ (ingress filters) | External to EFT Server. |
| 1.3.2 Not allowing internal addresses to pass from the Internet into the DMZ | Configured at the firewall, router, or NAT device. EFT Server never discloses your internal IP addressing scheme when external connections are made to it. |
| 1.3.3 Implementing stateful inspection, also known as dynamic packet filtering (that is, only "established" connections are allowed into the network) | External to EFT Server. |
| 1.3.4 Perimeter security | The DMZ Gateway greatly facilitates compliance with this requirement. It can be deployed alongside EFT Server to provide increased security by eliminating the need to store data or authenticate users in the DMZ, or to open inbound holes in your internal network firewall. |
| 1.3.5 - 1.3.9 Specific firewall-related requirements | External to EFT Server. |
| 1.4 Prohibit direct public access between external networks and any system component that stores cardholder data. | The DMZ Gateway is designed to reside in the demilitarized zone and provide secure communications with EFT Server behind intranet firewalls, without requiring any inbound firewall holes between the internal network and the DMZ. |
| 1.4.1 Implement a DMZ to filter and screen all traffic to prohibit direct routes for inbound and outbound Internet traffic | Use the DMZ Gateway to prevent any inbound connections from the DMZ to the internal network. |
| 1.4.2 Restrict outbound traffic from payment card applications to IP addresses within the DMZ | The DMZ Gateway can also work as a reverse proxy. EFT Server's file offload feature can use the DMZ Gateway as an outbound proxy. |
| 1.5 Implement IP address masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT). | Configured with a NAT or similar device. |
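As an added example that is not EFT Server's or the PCI DSS's own code, the filter below models the two mechanisms named under 1.2 and 1.3.2: an ordered, deny-by-default allow/deny list over single addresses and ranges, and an ingress check that rejects Internet-side connections whose source address falls in RFC 1918 space. The rule list and the addresses are constructed sample values from the documentation ranges, not a recommended policy.

```python
"""Added example: deny-by-default IP filter (PCI DSS 1.2) plus an RFC 1918
ingress check for the external interface (PCI DSS 1.3.2). Not EFT Server code."""
import ipaddress
from typing import List, Tuple

# RFC 1918 private space: never a legitimate source address for traffic that
# arrives from the Internet, so any such source is treated as spoofed (1.3.2).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ordered (action, network) rules; first match wins, no match means deny.
# Constructed sample policy using documentation ranges (TEST-NET-2/3).
RULES: List[Tuple[str, str]] = [
    ("deny",  "203.0.113.77/32"),   # one blocked host inside the partner range
    ("allow", "203.0.113.0/24"),    # partner range
    ("allow", "198.51.100.10/32"),  # a single partner host
]

def _parse(rules):
    """Turn (action, "cidr") pairs into (action, ip_network) pairs."""
    return [(action, ipaddress.ip_network(cidr)) for action, cidr in rules]

def is_spoofed_internal(src: str) -> bool:
    """True when an Internet-side source address lies in RFC 1918 space."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)

def evaluate(src: str, rules=RULES) -> str:
    """Decide 'allow' or 'deny' for a connection from src on the external interface.
    The RFC 1918 check runs before the rule list so no allow rule can override it."""
    if is_spoofed_internal(src):
        return "deny"
    addr = ipaddress.ip_address(src)
    for action, net in _parse(rules):
        if addr in net:
            return action          # first match wins
    return "deny"                  # deny by default

def audit(rules=RULES) -> List[str]:
    """Lint a rule list: flag allow rules that admit RFC 1918 space from the outside,
    and rules made unreachable by an earlier, broader rule with the opposite action."""
    findings, parsed = [], _parse(rules)
    for i, (action, net) in enumerate(parsed):
        if action == "allow" and any(net.overlaps(p) for p in RFC1918):
            findings.append(f"rule {i}: allows RFC 1918 space {net} on the external interface")
        for j, (prev_action, prev_net) in enumerate(parsed[:i]):
            if prev_action != action and net.subnet_of(prev_net):
                findings.append(f"rule {i} ({action} {net}) is shadowed by rule {j} ({prev_action} {prev_net})")
    return findings

if __name__ == "__main__":
    for src in ("203.0.113.5", "203.0.113.77", "198.51.100.10", "198.51.100.11", "10.0.0.5"):
        print(f"{src:>15} -> {evaluate(src)}")
    print("audit findings:", audit() or "none")
```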