Visa PCI Firewall Requirements and Windows Networks

From: Eric Luke (eric_at_g2esolutions.com)
Date: 05/07/05

  • Next message: Greg Stiavetti: "Re: Visa PCI Firewall Requirements and Windows Networks"

    Date: Fri, 06 May 2005 17:31:57 -0600
    To: focus-ms@securityfocus.com

    Windows Security Experts and registered CISSPs:
    I am helping a company prepare for an upcoming on-site Visa PCI audit
    (now required for high-volume companies storing credit card information)
    and I am wrestling with the firewall requirements and how they should be
    implemented in a Windows network.

    The requirements state that the cardholder data must be protected from
    public networks (the Internet) by a 2-tiered firewall architecture; this I
    can understand...the "edge" firewall protects the DMZ servers by
    limiting inbound traffic to selected ports (like 80 and 443), and the
    second firewall sits between the DMZ and a protected "Trusted Zone" where
    the cardholder data is stored. You now have 2 layers of "security" between
    the data and the Internet.

    So, I have set up that architecture and am now working on the rules for
    the firewalls. Let's say that the database servers are the only things
    behind the second firewall. In a perfect, simple networking world I
    would now limit incoming and outgoing traffic through that second
    firewall to just the database ports (i.e., 1433, 1434), and applications
    that need access to the data only need those ports open. Sounds simple...

    In a Windows network, Active Directory is a nice thing to have around
    for managing servers. Let's say I have an Active Directory server in the
    DMZ (or another separate office network segment). If I want my Active
    Directory server to interact with the database servers, I now need to
    open up port 445 (at least) in both directions through the second firewall
    to have that functionality. Reading "Hacking Exposed", it sounds to
    me like having port 445 opened up into the trusted zone is not the most
    secure thing to do if a hacker has made it through the first firewall
    and is now in the DMZ "poking around".

    How do I solve this dilemma? I would like those servers to be part of
    Active Directory and get the domain security policies, etc. Is there
    some other secure configuration that I am not seeing? If my Active
    Directory server is not in the DMZ but in a separate office segment, I
    have the same problem for the web servers. It seems like port 445 is
    required in a Windows network for ease of management...is that going to
    be interpreted by Visa as a "required business protocol"?
    Should I be worried about port 445 being open through that second
    firewall? Would I have to have a separate domain controller in my DMZ
    and the trusted zone? That seems excessive. Please help!!!

    OK, now my next dilemma is that when I read the PCI requirements, it
    sounds like they want me to limit all outgoing traffic from behind
    both firewalls down to a bare minimum. If I do that, how do I get the
    Windows OS on the DMZ and database servers to do auto-updates for
    security patches, etc.? (Up-to-date patches are also a PCI requirement.)
    Is there a PCI expert out there who really understands what outbound
    traffic they are really asking to be limited here?

    From reading Hacking Exposed I understand that if a hacker gets some
    trojan placed in the DMZ and the firewall allows all outgoing traffic, he
    can do nasty things just having inbound 80 and all outbound ports
    open...so I understand the desire to limit outbound ports, but how do you
    do updates...or browse the web, for that matter...from inside your network?

    I am guessing I am missing a major conceptual idea here...anybody help
    clear me up?

    Thanks tons in advance!

    -Eric (alias confused)
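The rule-set shape the post is circling around (default deny on both tiers, explicit allows only for the web and database ports, and an outbound allowlist that lets patches in without letting a compromised DMZ host call out freely) can be made concrete as a small policy model. The example below is added here; it is not from Eric's post, from any reply in the thread, or from any firewall product. The address ranges, the host 10.1.0.50 acting as an internal patch server in the DMZ, and the rule lists are all constructed assumptions; it evaluates sample flows first-match against each firewall on the path, so a flow from the Internet straight to the trusted zone must pass both tiers.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample address plan; these networks and hosts are assumptions of
# this example, not anything from the original post.
DMZ = ip_network("10.1.0.0/24")
TRUSTED = ip_network("10.2.0.0/24")
UPDATE_SERVER = "10.1.0.50"   # hypothetical internal patch server in the DMZ
ZONES = ("internet", "dmz", "trusted")


def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    if addr in DMZ:
        return "dmz"
    if addr in TRUSTED:
        return "trusted"
    return "internet"


@dataclass(frozen=True)
class Rule:
    src: str              # zone name or a single host address
    dst: str              # zone name or a single host address
    dport: Optional[int]  # TCP destination port; None matches any port
    action: str           # "allow" or "deny"
    note: str

    @staticmethod
    def _side(spec: str, ip: str) -> bool:
        if spec in ZONES:
            return zone_of(ip) == spec
        return ip_address(spec) == ip_address(ip)

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (self._side(self.src, src_ip)
                and self._side(self.dst, dst_ip)
                and (self.dport is None or self.dport == dport))


# Edge firewall: Internet <-> DMZ. Inbound only to the public web ports;
# outbound only for the patch server, so a compromised web host cannot call out.
EDGE_RULES = [
    Rule("internet", "dmz", 80, "allow", "public HTTP to web tier"),
    Rule("internet", "dmz", 443, "allow", "public HTTPS to web tier"),
    Rule(UPDATE_SERVER, "internet", 443, "allow", "patch server fetches updates"),
]

# Inner firewall: DMZ <-> trusted zone holding cardholder data. 445 is denied
# explicitly so the intent is visible in the rule set, not just implied.
INNER_RULES = [
    Rule("dmz", "trusted", 445, "deny", "SMB/RPC from DMZ blocked explicitly"),
    Rule("dmz", "trusted", 1433, "allow", "web tier to SQL Server"),
    Rule("trusted", UPDATE_SERVER, 80, "allow", "DB hosts pull patches internally"),
]

DEFAULT = ("deny", "no matching rule (default deny)")


def firewalls_crossed(src_zone: str, dst_zone: str):
    """The edge firewall is on the path whenever one end is the Internet; the
    inner firewall whenever one end is the trusted zone. Internet -> trusted
    therefore crosses both and must be permitted by both."""
    path = []
    if "internet" in (src_zone, dst_zone):
        path.append(("edge", EDGE_RULES))
    if "trusted" in (src_zone, dst_zone):
        path.append(("inner", INNER_RULES))
    return path


def evaluate(src_ip: str, dst_ip: str, dport: int):
    """First-match evaluation on each firewall the flow crosses.
    Returns (verdict, firewall, note); the first firewall to deny wins."""
    for name, rules in firewalls_crossed(zone_of(src_ip), zone_of(dst_ip)):
        action, note = DEFAULT
        for rule in rules:
            if rule.matches(src_ip, dst_ip, dport):
                action, note = rule.action, rule.note
                break
        if action == "deny":
            return ("deny", name, note)
    return ("allow", "path", "permitted by every firewall crossed")


if __name__ == "__main__":
    # Constructed sample flows (203.0.113.0/24 is a documentation range).
    flows = [
        ("203.0.113.7", "10.1.0.10", 443),   # client to web tier
        ("203.0.113.7", "10.1.0.10", 445),   # SMB from the Internet
        ("10.1.0.10", "10.2.0.20", 1433),    # web tier to database
        ("10.1.0.10", "10.2.0.20", 445),     # web tier to database over SMB
        ("203.0.113.7", "10.2.0.20", 1433),  # Internet straight to database
        ("10.1.0.10", "203.0.113.7", 443),   # web host calling out (trojan case)
        ("10.2.0.20", "203.0.113.7", 80),    # database calling out
        ("10.2.0.20", UPDATE_SERVER, 80),    # database pulling patches
        (UPDATE_SERVER, "203.0.113.7", 443), # patch server fetching updates
    ]
    for src, dst, port in flows:
        verdict, fw, note = evaluate(src, dst, port)
        print(f"{src:>13} -> {dst:<10}:{port:<5} {verdict:<5} [{fw}] {note}")
```

The point of the model is the shape of the policy rather than any particular product syntax: every firewall is default deny, the only outbound allow on the edge is pinned to one patch-distribution host, the database tier reaches that host rather than the Internet, and 445 from the DMZ into the trusted zone appears as an explicit deny so an auditor reading the rule set can see it was a decision. Running the script prints one verdict per sample flow with the firewall and rule that decided it.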
