Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Firewalls are computer devices that control computer traffic allowed into and out of a company's network, as well as traffic into more sensitive areas within a company's internal network. A firewall examines all network traffic and blocks those transmissions that do not meet the specified security criteria.

All systems must be protected from unauthorized access from the Internet, whether entering the system as e-commerce, employees' Internet-based access through desktop browsers, or employees' e-mail access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network.

All answers are set in blue type.

1.1 Establish firewall configuration standards that include the following:

1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration.

Firewall access is limited to the IT Director and Network Administrator. Requests are submitted to the IT Director or Network Administrator through e-mail. All changes are approved by the IT Director and performed by the Network Administrator.

1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks

The current network diagram is located here.

1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone

We have a firewall located at each of our Internet connections as well as between our DMZ and internal network.

1.1.4 Description of groups, roles, and responsibilities for logical management of network components

The following is a list of roles and responsibilities of IT Dept staff:

  • IT Director - Responsible for approving any changes to network topology or design
  • Network Administrator - Responsible for overall connectivity and security on the network
  • System Administrator - Responsible for user access to network resources
  • Database Administrator - Responsible for securing and maintaining database resources

1.1.5 Documented list of services and ports necessary for business

Here is a list of documented ports and services based on our needs:

  • Port 80: HTTP
  • Port 21: FTP
  • Port 22: SSH
  • Port 25: SMTP
  • Port 62515: Cisco VPN

1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP), and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN)

Port 25 is open because we host our own e-mail server on site.

1.1.7 Justification and documentation for any risky protocols allowed (for example, file transfer protocol (FTP)), which includes reason for use of protocol and security features implemented

We utilize FTP outside the network at this time. This is being shifted over to SCP, which utilizes SSH.

1.1.8 Quarterly review of firewall and router rule sets

Every quarter the Network Administrator verifies ports that are open and makes a backup of each router and firewall configuration. Backups are kept in a private user share and are backed up weekly. We also verify that rule sets have not been changed, and any changes to system configuration are e-mailed to the IT Director.

1.1.9 Configuration standards for routers.

We follow the SANS best practices for router policies located here.


1.2 Build a firewall configuration that denies all traffic from "untrusted" networks and hosts, except for protocols necessary for the cardholder data environment.

We use a firewall policy that blocks all traffic that is not listed specifically in an ACL by IP address and port.

1.3 Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration should include the following:

1.3.1 Restricting inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters)

All inbound Internet traffic is terminated in the DMZ at a specific IP address.

1.3.2 Not allowing internal addresses to pass from the Internet into the DMZ

All internal requests to a server located in the DMZ are routed directly to the server without traveling over the Internet.

1.3.3 Implementing stateful inspection, also known as dynamic packet filtering (that is, only "established" connections are allowed into the network)

All of our firewalls employ SPI (stateful packet inspection) technology.

1.3.4 Placing the database in an internal network zone, segregated from the DMZ

Our database is located on our internal network and is segregated from our DMZ.

1.3.5 Restricting inbound and outbound traffic to that which is necessary for the cardholder data environment

We restrict all inbound traffic to only servers located in the DMZ by specific IP address and port. Outbound traffic is only allowed to employees that need access to the Internet to perform their job function.

1.3.6 Securing and synchronizing router configuration files. For example, running configuration files (for normal functioning of the routers), and start-up configuration files (when machines are re-booted) should have the same secure configuration

All running and start-up configs are synced and backed up offsite.

1.3.7 Denying all other inbound and outbound traffic not specifically allowed

We deny all inbound traffic by default unless listed in our ACL.
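As an added example (not part of this questionnaire or the organization's own tooling), the following Python script performs the kind of quarterly rule-set review described in 1.1.8 against a constructed Cisco-style ACL: it checks that every permit is pinned to a single host and port (1.2), that each permitted port appears on the documented list from 1.1.5, that no RFC 1918 source is permitted in from the Internet (1.3.2), and that the rule set ends with an explicit deny (1.3.7). The sample ACL, its documentation-range addresses and the simplified ACL syntax are assumptions.

```python
import ipaddress
import re

# Ports documented as necessary for business in 1.1.5 (taken from the page).
DOCUMENTED_PORTS = {80, 21, 22, 25, 62515}

# RFC 1918 space, which must never appear as a source on the Internet side (1.3.2).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample ACL applied inbound on the Internet-facing interface (203.0.113.0/24 is a documentation range).
SAMPLE_ACL = """
access-list 101 permit tcp any host 203.0.113.10 eq 80
access-list 101 permit tcp any host 203.0.113.11 eq 25
access-list 101 permit tcp 10.0.0.0 0.255.255.255 host 203.0.113.10 eq 22
access-list 101 permit tcp any host 203.0.113.12 eq 3389
access-list 101 deny ip any any
"""

# One ACL entry: action, protocol, source, destination and optional destination port.
RULE = re.compile(
    r"access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+(any|host \S+|\S+ \S+)"
    r"\s+(any|host \S+|\S+ \S+)(?:\s+eq\s+(\d+))?$"
)


def is_rfc1918(source):
    """True when an ACL source field (any / host A / A wildcard) lies in RFC 1918 space."""
    if source == "any":
        return False
    addr = ipaddress.ip_address(source.split()[1 if source.startswith("host") else 0])
    return any(addr in net for net in RFC1918)


def review_acl(acl_text):
    """Quarterly rule-set review (1.1.8): return a list of findings, empty when clean."""
    findings = []
    rules = [m for line in acl_text.splitlines() if (m := RULE.match(line.strip()))]
    for action, _proto, src, dst, port in (m.groups() for m in rules):
        if action != "permit":
            continue
        if not dst.startswith("host") or port is None:
            findings.append(f"1.2: permit not pinned to a single host and port: {src} -> {dst}")
        elif int(port) not in DOCUMENTED_PORTS:
            findings.append(f"1.1.5: port {port} permitted to {dst} but not documented")
        if is_rfc1918(src):
            findings.append(f"1.3.2: RFC 1918 source {src} allowed in from the Internet")
    if not rules or rules[-1].groups()[:4] != ("deny", "ip", "any", "any"):
        findings.append("1.3.7: rule set does not end with an explicit deny ip any any")
    return findings
```

Running `review_acl(SAMPLE_ACL)` reports the private-source rule and the undocumented port 3389; a clean ACL returns an empty list.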

1.3.8 Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment or from controlling any traffic (if such traffic is necessary for business purposes)

All wireless access points are located in their own DMZ, separated from all servers and workstations. All users that would like to access internal machines must VPN to gain access.

1.3.9 Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization's network.

Mobile devices are not allowed to utilize work functions unless inspected by the Network Administrator or the IT Director for properly loaded software. Employee-owned PCs must be running Windows XP SP2, which utilizes a software firewall solution.

1.4 Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files).

1.4.1 Implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic

We utilize a DMZ for our internal and external web presence. We also utilize network address translation for our internal network.

1.4.2 Restrict outbound traffic from payment card applications to IP addresses within the DMZ.

All payment card applications are locked down to access only specific servers that are needed to run the business.

1.5 Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT).

We utilize both port address translation and network address translation on our internal network to reflect an external IP address.