Security Basics mailing list archives
RE: Re: Firewalls and PCI
From: Scott Williamson <swilliamson () choicepay com>
Date: Fri, 18 Jan 2008 14:42:22 -0600
For our PCI acceptance we had 1 set of physical firewalls protecting our LAN from the DMZ and WAN, but we also moved our systems that were in scope with PCI into multiple internal networks our auditor dubbed the castles. We placed physical firewalls between our LAN and these internal Castle Zones. It was more work up front; however, since these servers are separate from our LAN we no longer have to worry about things like our Exchange Servers being subject to PCI scrutiny.

Hope this helps

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Josh Haft
Sent: Friday, January 18, 2008 12:14 PM
To: Honer, Lance
Cc: security-basics () securityfocus com
Subject: Re: Re: Firewalls and PCI

On Jan 18, 2008 10:21 AM, Honer, Lance <lhoner () smartgrp com> wrote:
> Well, PCI does not mandate or even suggest anything regarding network segmentation. PCI says anything that could cause a card exposure must be evaluated for compliance. It's really up to the company in question to follow this thought process to completion. When they do they'll realize that if they limit the scope of things in the environment that could lead to an exposure, the fewer things in the environment will need to be evaluated for compliance.
>
> So in the context of network segmentation this means separating your card data related systems from the non-card data related systems and protecting access into the card data related systems.
>
> Lance
The section of PCI I was referring to is 1.1.3
"Requirements for a firewall at each Internet connection and
between any demilitarized zone (DMZ) and the internal network zone."
So, I have a firewall that separates these networks. However, it's
only one physical. The client is requesting that we have our network
separated by multiple physical firewalls. I can only assume the
aforementioned section of PCI includes both configurations (one or
multiple physical firewalls), but I am wondering how others have
interpreted this.
We'll probably end up adding at least one firewall and putting the LAN
and database network behind it, leaving the DMZ behind only one
firewall. I'm just curious how others have treated these situations.
Thanks everyone for your responses.
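The segmentation Scott and Lance describe (WAN, DMZ, office LAN, and separate "castle" zones holding the PCI-scoped servers, with default deny between zones and only a few explicit paths into the card-data zone) is easier to reason about as an explicit zone policy. The following is an added illustration, not code from any poster on this thread or from PCI DSS: it models a zone-to-zone firewall policy with first-match rules and an implicit default deny, reports which zones still have a permitted path into the castle zone (the assumption here is that any such zone is one an assessor would keep in scope, which is the point of moving the card systems off the LAN), and renders the policy as iptables FORWARD rules. Zone names, port numbers, and the sample rules are constructed for the example.

```python
# Added illustration for this thread; not code from any poster or from PCI DSS.
# Models zone-to-zone firewall policy for a WAN / DMZ / office LAN / "castle"
# (PCI-scoped) layout. Zone names, ports and the scope heuristic are assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None = any destination port
    action: str           # "accept" or "drop"

    def __post_init__(self):
        # iptables cannot match --dport without -p tcp/udp, so reject that combination
        if self.dport is not None and self.proto == "any":
            raise ValueError("a port match needs an explicit tcp/udp protocol")
        if self.action not in ("accept", "drop"):
            raise ValueError("action must be accept or drop")


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


class ZoneFirewall:
    """First-match rule evaluation with an implicit default deny between zones."""

    def __init__(self, zones: List[str], rules: List[Rule]):
        self.zones = set(zones)
        self.rules = list(rules)
        for r in self.rules:
            if r.src_zone not in self.zones or r.dst_zone not in self.zones:
                raise ValueError(f"rule references unknown zone: {r}")

    def decide(self, flow: Flow) -> str:
        if flow.src_zone not in self.zones or flow.dst_zone not in self.zones:
            raise ValueError("flow references unknown zone")
        if flow.src_zone == flow.dst_zone:
            return "accept"   # intra-zone traffic never crosses the firewall
        for r in self.rules:
            if (r.src_zone, r.dst_zone) != (flow.src_zone, flow.dst_zone):
                continue
            if r.proto != "any" and r.proto != flow.proto:
                continue
            if r.dport is not None and r.dport != flow.dport:
                continue
            return r.action
        return "drop"         # nothing matched: default deny

    def zones_reaching(self, target: str) -> List[str]:
        """Zones with at least one accept rule into `target`.

        Assumption used here: any zone with a permitted path into a card-data
        zone is one an assessor would keep in scope.
        """
        return sorted({r.src_zone for r in self.rules
                       if r.dst_zone == target and r.action == "accept"})

    def to_iptables(self) -> str:
        """Render the policy as FORWARD-chain rules (zone names double as interfaces)."""
        lines = [
            "iptables -P FORWARD DROP",
            "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        ]
        for r in self.rules:
            parts = ["iptables -A FORWARD", f"-i {r.src_zone}", f"-o {r.dst_zone}"]
            if r.proto != "any":
                parts.append(f"-p {r.proto}")
            if r.dport is not None:
                parts.append(f"--dport {r.dport}")
            parts.append("-j " + r.action.upper())
            lines.append(" ".join(parts))
        return "\n".join(lines)


# Constructed sample policy: the web tier in the DMZ may reach the card database
# in the castle zone on one port; the office LAN and the WAN have no path in.
EXAMPLE_FW = ZoneFirewall(
    zones=["wan", "dmz", "lan", "castle"],
    rules=[
        Rule("wan", "dmz", "tcp", 443, "accept"),      # public HTTPS front end
        Rule("dmz", "castle", "tcp", 1433, "accept"),  # app servers -> card DB
        Rule("lan", "wan", "any", None, "accept"),     # office internet access
        Rule("lan", "dmz", "tcp", 443, "accept"),      # staff use the web app too
    ],
)

if __name__ == "__main__":
    for f in [Flow("wan", "dmz", "tcp", 443), Flow("lan", "castle", "tcp", 1433),
              Flow("dmz", "castle", "tcp", 1433), Flow("castle", "wan", "tcp", 443)]:
        print(f"{f.src_zone:>6} -> {f.dst_zone:<6} {f.proto}/{f.dport}: {EXAMPLE_FW.decide(f)}")
    print("zones with a path into castle:", EXAMPLE_FW.zones_reaching("castle"))
    print(EXAMPLE_FW.to_iptables())
```

With this sample policy only the DMZ has a permitted path into the castle zone, so the LAN (and anything on it, such as mail servers) has no route to card data; adding a single LAN-to-castle accept rule is enough to make `zones_reaching("castle")` list the LAN as well, which is exactly the scope creep the separate physical firewalls are meant to avoid. The iptables rendering assumes one interface per zone; the same policy maps onto any vendor's zone-based firewall.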
