pj255
New Contributor

Firewall Hardening for PCI Compliance

Hi, does anyone have an overall guideline or checklist for hardening a 1000c? The firewall is currently being used for web filtering and application control; I will be adding some simple DLP sensors and IPS also. pj
2 Solutions
neonbit
Valued Contributor

The FortiGate Admin guide has a section on PCI compliance here which goes through some of the ways you can harden your FortiGate to comply with PCI.

emnoc
Esteemed Contributor III

FWIW & IMHO that link is useless without reference to the actual PCI DSS specifications. IMHO, from experience and through various audits, you're best to read/review the actual PCI DSS "Requirements and Security Assessment Procedures" document. It's only like 100 pages and 12 major areas, with like 4-5 that really deal with network, systems and firewalls. It would take you less than 1-2 hours to read it for an average reader.

OP, keep this thought in mind: "as long as you read the areas that are applicable to you and can demonstrate that you meet that requirement (paragraph and all sub-paragraphs)". Then you will always PASS an audit.

Some things will be nit-picked on, like "disabling of unused accounts or re-use of passphrases" (both of these are very hard to do without a remote authentication system, aka ..... authenticator, RADIUS etc.....).

So read the actual PCI DSS document. FIPS mode will get you by on any weak cipher and security protocols, but PCI-DSS is more than just that & is a complete practical procedure from end to end and everything in between.

PCNSE NSE StrongSwan
seadave

As a follow-up, here is a great article explaining ECC and why you should seriously consider using it:

https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

emnoc
Esteemed Contributor III

seadave has posted some very good info. EC secp384r1 is even being discussed as the minimum that should be supported, but I think that's the same sky-is-falling argument as with a 2k vs 4k bit RSA key size. But with today's mathematics you should be way secure for the life of your signing cert. Remember the chain is only as strong as the weakest link & if you exclude any RSA component in the cert chain & SSLv3 then you will be very secure for now and the near future ;) Also your end-cert will never have an expiration date longer than the CA root ;)

"So in another 2-4 years we will be re-discussing TLS security and its shortcomings, probably with new suggestions"

Right now, you should follow the suggestions mentioned above: install all intermediate CAs so your cert-trust chain is not broken.

Then tighten up your endpoint; almost all modern browsers support TLS and ECC. Secure your trusted host statements and VPNs & most importantly "Follow the PCI-DSS guide", and as long as you do that, you will always be 100% COMPLIANT and secured.

A big thumbs up for seadave's reply; these items are always overlooked imho.

PCNSE NSE StrongSwan
Frosty
Contributor

Thanks for the extra info posted.  I'd dropped this issue for a few weeks due to other priorities.  I've now imported both the Intermediate and the Root CA certs from GeoTrust, as per the advice from 'seadave'.  Since the import process gave them default names like CA_Cert_1 and CA_Cert_2, I went back in to the CLI and renamed these as "GeoTrust-Intermediate-CA" and "GeoTrust-Root-CA" respectively.  All seems okay.  Fingers crossed.

Thanks also for mentioning some of the other hardening CLI commands.  I had already picked up on those, some by my own research, but others only via logging a ticket with Fortinet.  So I do now have a "clean scan" from Qualys, at least on the external stuff.

maednurm

Stephen > can you please send me a PM or an email at mati(at)aednurm.ee with a short description of "some other hardening CLI commands"? I'm struggling to get a clean scan, the DH key exchange more specifically...

Thanks a lot!
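The two scanner findings this thread keeps circling back to, a cert-trust chain broken by a missing intermediate CA and a weak Diffie-Hellman key exchange, are both visible in plain `openssl s_client` output. The script below is an added example, not code from any post above or from Fortinet: it parses captured s_client output and reports those two findings so you can confirm the fix on the firewall's HTTPS or SSL-VPN interface before re-running a scan. The two sample outputs are constructed, `fw.example.com` is a placeholder, and the names `audit_tls_output`, `MIN_DH_BITS` and the sample variables are mine; the live-use line assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: audit captured `openssl s_client` output for an incomplete
# certificate chain and a weak ephemeral DH group. Samples are constructed;
# fw.example.com is a placeholder.
#
# Live use against a real endpoint (assumes the openssl CLI is available):
#   out=$(openssl s_client -connect fw.example.com:443 -servername fw.example.com </dev/null 2>&1)
#   audit_tls_output "$out"

# Smallest DHE group we accept; 2048 bits is the usual scanner threshold.
MIN_DH_BITS=2048

# audit_tls_output OUTPUT
# Prints one "FINDING:" line per problem; returns 0 only when nothing was flagged.
audit_tls_output() {
    out="$1"
    rc=0

    # Chain check: verify code 21 means openssl could not verify the leaf
    # because its issuing (intermediate) CA was neither sent by the server
    # nor present in the local trust store.
    if printf '%s\n' "$out" | grep -q '^Verify return code: 21'; then
        echo "FINDING: incomplete chain - the server did not send its intermediate CA"
        rc=1
    fi

    # Key exchange check: "Server Temp Key" names the ephemeral key, if any.
    tmpkey=$(printf '%s\n' "$out" | sed -n 's/^ *Server Temp Key: *//p' | head -n 1)
    case "$tmpkey" in
        DH,*)
            bits=$(printf '%s' "$tmpkey" | sed 's/.*, *\([0-9][0-9]*\) bits.*/\1/')
            case "$bits" in *[!0-9]*|"") bits=0 ;; esac   # guard against odd formatting
            if [ "$bits" -lt "$MIN_DH_BITS" ]; then
                echo "FINDING: weak DHE group ($bits bits) - use a >=$MIN_DH_BITS-bit group or ECDHE"
                rc=1
            fi
            ;;
        ECDH,*)
            : # ECDHE negotiated: forward secrecy with a named curve, nothing to flag
            ;;
        *)
            echo "FINDING: no ephemeral key reported - static key exchange, no forward secrecy"
            rc=1
            ;;
    esac
    return $rc
}

# Constructed sample 1: leaf only (no intermediate sent) plus a 1024-bit DH group.
WEAK_SAMPLE='CONNECTED(00000003)
depth=0 CN = fw.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = fw.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Server Temp Key: DH, 1024 bits
---
Verify return code: 21 (unable to verify the first certificate)'

# Constructed sample 2: full chain sent and ECDHE on P-256.
CLEAN_SAMPLE='CONNECTED(00000003)
depth=2 C = US, O = Example Root CA
verify return:1
depth=1 C = US, O = Example Intermediate CA
verify return:1
depth=0 CN = fw.example.com
verify return:1
---
Server Temp Key: ECDH, P-256, 256 bits
---
Verify return code: 0 (ok)'

echo "== before remediation =="
if audit_tls_output "$WEAK_SAMPLE"; then echo "no findings"; fi
echo "== after remediation =="
if audit_tls_output "$CLEAN_SAMPLE"; then echo "no findings"; fi
```

The chain finding is the one Frosty fixed by importing the GeoTrust intermediate and root; the DH finding is the one maednurm describes, and it clears once the endpoint offers ECDHE or a DH group of at least 2048 bits.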
