Your firewall is one of the most critical protection mechanisms for your network, so choosing the right firewall is an important step in establishing a secure network and maintaining PCI DSS compliance. The PCI Council does not maintain a list of approved firewall brands or models. However, the PCI DSS does have specific requirements that your firewall must meet. If you are preparing to purchase a firewall to protect your cardholder data environment, keep the following feature requirements in mind:
Network Security Control - A New PCI DSS 4 Term
You may have noticed that as of version 4.0 of the PCI DSS, the requirements that previously applied to firewalls and routers now apply more broadly to Network Security Controls (NSCs). This change of terminology still covers firewalls and routers, but is more inclusive of the various evolving technologies that now perform the functions of traditional firewalls and routers. Virtualized firewall and routing rulesets are often used now in place of traditional firewalls and routers. While the terminology has changed, most of the previous PCI DSS requirements remain the same and apply to any technology used to perform these critical functions. Keep this in mind as you seek out hypervisor and virtually hosted solutions.
Stateful Packet Inspection
For compliance with requirement 1.4.2 of the PCI DSS (Version 4), a firewall must support stateful packet inspection (SPI). Stateful packet inspection allows “established” connections to communicate back into your cardholder data environment (CDE), and blocks unsolicited inbound traffic. SPI works like a phone that only allows outbound calls. You can call other people, but they can’t call you. The only way they can talk to you is if you call them first. SPI protects your network from prying eyes and uninvited traffic. Don’t use a firewall to protect your CDE unless you can confirm that it supports SPI.
Firewall Zones
If you have any services that require outside access, such as an email server, VPN server, or web server, then these servers must be placed in a demilitarized zone (DMZ) for compliance with Requirement 1.4.4. In addition, all devices that store cardholder data must be located in an internal network zone segregated from the DMZ and other untrusted networks. Firewalls that can segregate and protect multiple inside networks using customizable access control lists give you the best flexibility to meet these requirements.
Logging
Logs from your firewall need to be sent to a centralized log server or media device (Requirement 10.3.3). The easiest way to meet this requirement is to use a firewall that can send logs to a syslog server for aggregation and analysis.
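To make the three points above concrete (stateful inspection for Requirement 1.4.2, DMZ versus internal zones for 1.4.4, and per-packet logging for 10.3.3), here is a small stateful filter model written for this article; it is not vendor code, and the address ranges, service ports and sample traffic are all constructed for the example. Replies to flows the CDE opened are let back in, outside traffic may only reach DMZ services, and every decision produces a syslog-style line.

```python
import ipaddress
from collections import namedtuple

# Constructed address ranges for this example; substitute your own zones.
CDE = ipaddress.ip_network("10.10.0.0/24")   # internal zone holding cardholder data (Req. 1.4.4)
DMZ = ipaddress.ip_network("192.0.2.0/24")   # DMZ for web/email/VPN servers (Req. 1.4.4)
DMZ_SERVICES = {443, 25}                     # ports the DMZ is allowed to expose to the outside

Packet = namedtuple("Packet", "src sport dst dport")

def zone(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return "cde" if addr in CDE else "dmz" if addr in DMZ else "untrusted"

class StatefulFirewall:
    def __init__(self) -> None:
        self.flows = set()   # (src, sport, dst, dport) of flows an allowed initiator opened
        self.log = []        # syslog-style lines to ship to a central log server (Req. 10.3.3)

    def _decide(self, p: Packet) -> tuple:
        src_zone, dst_zone = zone(p.src), zone(p.dst)
        if (p.dst, p.dport, p.src, p.sport) in self.flows:
            return True, "established"      # reply to a flow we opened: allowed back in (SPI)
        if src_zone == "cde":
            self.flows.add(tuple(p))
            return True, "cde-outbound"     # the "phone that only makes outbound calls"
        if src_zone == "untrusted" and dst_zone == "dmz" and p.dport in DMZ_SERVICES:
            self.flows.add(tuple(p))
            return True, "dmz-service"      # public services live in the DMZ, never in the CDE
        return False, "unsolicited"         # anything else is blocked and logged

    def filter(self, p: Packet) -> bool:
        accepted, reason = self._decide(p)
        self.log.append(f"fw: {'ACCEPT' if accepted else 'DENY'} {zone(p.src)}->{zone(p.dst)} "
                        f"{p.src}:{p.sport} -> {p.dst}:{p.dport} ({reason})")
        return accepted

def simulate() -> tuple:
    """Replay constructed traffic through a fresh firewall; return (verdicts, log lines)."""
    fw = StatefulFirewall()
    traffic = [
        Packet("203.0.113.5", 40000, "10.10.0.7", 443),    # internet -> CDE, unsolicited
        Packet("10.10.0.7", 50000, "203.0.113.5", 443),    # CDE -> internet opens a flow
        Packet("203.0.113.5", 443, "10.10.0.7", 50000),    # reply to that flow
        Packet("203.0.113.5", 40001, "192.0.2.10", 443),   # internet -> DMZ web server
        Packet("192.0.2.10", 40002, "10.10.0.7", 3306),    # DMZ -> CDE database, unsolicited
    ]
    return [fw.filter(p) for p in traffic], fw.log
```

A real firewall also restricts what the CDE may open outbound; the model allows all CDE-initiated flows only to keep the stateful behaviour easy to follow.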
Intrusion Prevention/Intrusion Detection
Keep in mind that your CDE must also be protected with intrusion-prevention systems (IPS) or intrusion-detection systems (IDS) (PCI DSS Requirement 11.5). It is not required that the IPS/IDS be integrated in your firewall, but it can be, and many business-grade firewalls include it. Firewalls that include IPS or IDS protection can be used to meet this requirement in a simple and cost-effective way. If your IPS/IDS is not integrated into your firewall, make sure that you are able to mirror port traffic on your network switch so that your IDS can monitor traffic into and out of your CDE.
Ongoing Support from the Vendor
All devices used in your CDE must be updated and patched against emerging threats (see PCI DSS Requirement 6.3.3). If your firewall is nearing “End of Life”, then patches from the manufacturer may not be available for much longer. Check the support timeframe before you purchase a firewall, because unsupported firewalls cannot be used to protect CDE networks.