1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations.
1.1.2 Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.
1.1.3 Current diagram that shows all cardholder data flows across systems and networks.
1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.
1.1.5 Description of groups, roles, and responsibilities for management of network components.
1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
1.1.7 Requirement to review firewall and router rule sets at least every six months.
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.
1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
1.2.2 Secure and synchronize router configuration files.
1.2.3 Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.
1.3.3 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network. Note: For example, block traffic originating from the Internet with an internal source address.
1.3.4 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
1.3.5 Permit only “established” connections into the network.
1.3.6 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.
1.3.7 Do not disclose private IP addresses and routing information to unauthorized parties. Note: Methods to obscure IP addressing may include, but are not limited to:
Network Address Translation (NAT)
Placing servers containing cardholder data behind proxy servers/firewalls
Removal or filtering of route advertisements for private networks that employ registered addressing
Internal use of RFC1918 address space instead of registered addresses
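Requirements 1.2.1 and 1.3.1 through 1.3.7 describe controls that can all be expressed in a single stateful firewall ruleset. The nftables ruleset below is an added illustration written for this page; it is not part of PCI DSS and not vendor guidance. It assumes a hypothetical three-interface gateway (eth0 toward the Internet, eth1 to a DMZ on 10.1.0.0/24 with a web front end at 10.1.0.10, eth2 to the internal CDE zone on 10.2.0.0/24 with a database at 10.2.0.20), a public address from the RFC 5737 documentation range, and an illustrative services list (HTTPS into the DMZ, PostgreSQL from the web tier to the database, DNS and NTP out of the CDE to named servers) standing in for the business-justified list Requirement 1.1.6 expects to be documented. The comments tie each rule to the requirement it implements.

```nftables
#!/usr/sbin/nft -f
# Added example for this page, not from PCI DSS. Topology, addresses and
# the permitted-services list are assumptions; substitute your documented ones.
flush ruleset

define WAN       = "eth0"            # Internet-facing interface (assumed)
define DMZ       = "eth1"            # DMZ interface (assumed)
define CDE       = "eth2"            # internal cardholder data zone (assumed)
define DMZ_NET   = 10.1.0.0/24
define CDE_NET   = 10.2.0.0/24
define WEB       = 10.1.0.10         # publicly reachable web front end
define DB        = 10.2.0.20         # database holding cardholder data (1.3.6)
define PUBLIC_IP = 203.0.113.10      # RFC 5737 documentation address (assumed)
define RFC1918   = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet filter {
    chain input {
        # Traffic to the firewall itself: default deny (1.2.1)
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept
        # Management only from the internal zone (assumed policy)
        iifname $CDE tcp dport 22 ct state new accept
    }

    chain forward {
        # Transit traffic: everything not explicitly listed is dropped (1.2.1)
        type filter hook forward priority 0; policy drop;
        ct state invalid drop

        # 1.3.3 anti-spoofing, evaluated before any accept: packets arriving
        # from the Internet must never carry private or loopback source addresses
        iifname $WAN ip saddr $RFC1918 counter drop
        iifname $WAN ip saddr 127.0.0.0/8 counter drop
        # and packets leaving toward the Internet must carry one of our own ranges
        oifname $WAN ip saddr != { $DMZ_NET, $CDE_NET } counter drop

        # 1.3.5 "established" on a stateful firewall: replies are accepted only
        # for sessions the rules below already admitted
        ct state established,related accept

        # 1.3.1 / 1.3.2: new inbound Internet connections terminate only on DMZ
        # hosts, on the ports documented under 1.1.6
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport { 80, 443 } ct state new accept

        # 1.3.6: the database sits in the internal zone; only the web tier may
        # open connections to it, and only on the database port
        iifname $DMZ oifname $CDE ip saddr $WEB ip daddr $DB tcp dport 5432 ct state new accept

        # 1.3.4: outbound from the CDE limited to justified destinations
        # (assumed: one resolver and one time source)
        iifname $CDE oifname $WAN ip daddr 198.51.100.53 udp dport 53 accept
        iifname $CDE oifname $WAN ip daddr 198.51.100.123 udp dport 123 accept
        # Any other CDE-to-Internet attempt is logged, then hits the drop policy
        iifname $CDE oifname $WAN log prefix "CDE-egress-denied " counter drop
    }
}

table ip nat {
    chain prerouting {
        # 1.3.7: only the public address is visible from outside; it is
        # translated to the DMZ host for the published ports
        type nat hook prerouting priority -100;
        iifname $WAN ip daddr $PUBLIC_IP tcp dport { 80, 443 } dnat to $WEB
    }
    chain postrouting {
        # 1.3.7: internal RFC1918 sources are hidden behind the public address
        type nat hook postrouting priority 100;
        oifname $WAN ip saddr { $DMZ_NET, $CDE_NET } snat to $PUBLIC_IP
    }
}
```

Two points worth checking against your own ruleset. First, the anti-spoofing drops sit before the `established,related` accept so that a forged private-source packet can never ride an existing conntrack entry; on production edges the ingress list should also include your own public prefix and other bogon ranges. Second, "established" here means connection tracking (`ct state`), which is what 1.3.5 is after; the older ACL keyword `established` on some routers only matches TCP packets with the ACK or RST bit set, which an attacker can set on a crafted packet, so a stateless ACL does not by itself satisfy the intent of the requirement. Loading a file like this with `nft -f` and keeping it under change control also gives the reviewer in 1.1.7 a single artifact to compare against the 1.1.6 service list every six months.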
1.4 Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the CDE. Firewall (or equivalent) configurations include:
Specific configuration settings are defined.
Personal firewall (or equivalent functionality) is actively running.
Personal firewall (or equivalent functionality) is not alterable by users of the portable computing devices.
1.5 Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.