
Payment Card Industry (PCI) Solution

Implementation: Section 1

PCI Requirement | Check Point Solution
1. Install and maintain a firewall configuration to protect cardholder data

1.1 Establish firewall configuration standards.

As the industry's leading stateful firewall, VPN-1 (which includes FireWall-1) provides the first line of defense. VPN-1 supports all PCI firewall requirements, including the ability to establish and enforce configuration standards. As specified in the sub-requirements of 1.1, these capabilities include granular logical management of network components, internal network zone segmentation that isolates cardholder components or segments from the rest of the network, assignment and documentation of permitted ports, firewall configuration policy setting, audit and reporting, and the ability to display network connectivity.

Using Check Point's Security Management Architecture (SMART), administrators can centrally manage the firewall configuration, approve changes to it, view the network topology, and verify all external network connections. SMART management lets administrators list and review firewall security policies, protocols, and rule sets, and deploy a single centralized firewall policy to an unlimited number of VPN-1 gateways.

1.2 Build a firewall configuration that denies all traffic from "untrusted" networks and hosts, except for protocols necessary for the cardholder data environment.

VPN-1 applies a default of "that which is not explicitly permitted is prohibited": only traffic defined in the firewall security policy is allowed to pass through the gateway, and everything else is dropped. A security policy can therefore deny all traffic from "untrusted" networks and hosts while allowing only the web protocols, system administration protocols, and other services the cardholder data environment actually requires.

1.3 Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks.

VPN-1 allows enterprises to protect sensitive network components and segments, such as cardholder databases and file and print servers, from publicly accessible servers by placing them in different network zones and applying a security policy between the segments. This includes separate segments for "trusted" networks, DMZs, wireless networks, and "untrusted" networks, as the sub-requirements of 1.3 mandate.

1.4 Prohibit direct public access between external networks and any system component that stores cardholder information (for example, databases, logs, trace files).

Using VPN-1, enterprises can define and implement a demilitarized zone (DMZ) that filters and screens all traffic, prohibiting direct inbound and outbound routes between the Internet and systems that store cardholder data, and prohibiting outbound traffic from the DMZ, as section 1.4 requires.

1.5 Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT).

VPN-1 products include extensive IP masquerading capabilities, implemented with NAT, that prevent internal RFC 1918 addresses from being revealed on the Internet. Masquerading conceals internal addressing but does not by itself block traffic; the deny-by-default policy remains the control that restricts access. SMART management makes it easy to define NAT policies across the organization and to view them centrally to ensure they are applied correctly.
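The following is an added illustration of the policy behaviour requirements 1.2 through 1.5 describe, written as a small Python model rather than in Check Point's own rule language (VPN-1 rules are authored in SmartDashboard, so this is not Check Point code). The zone names, address ranges, rules, sample flows and the public NAT address are all constructed for the example. It shows a first-match, deny-by-default evaluator (1.2), an audit pass that flags rules contradicting the segmentation and DMZ requirements even when they would technically "work" (1.3, 1.4), and a source-NAT step that keeps RFC 1918 addresses off the Internet-facing side (1.5).

```python
"""Zone-based, deny-by-default policy model for PCI DSS Requirement 1.

This is an added illustration, not Check Point code: VPN-1 rules are written in
SmartDashboard, not Python. Zone names, address ranges, rules and sample flows
below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones. Anything outside a named internal zone is "untrusted" (1.2).
ZONES = {
    "cde": [ip_network("10.10.0.0/24")],         # cardholder data environment (1.3, 1.4)
    "dmz": [ip_network("192.168.100.0/24")],     # publicly accessible servers
    "wireless": [ip_network("10.30.0.0/16")],    # kept as its own zone (1.3)
    "corp": [ip_network("10.20.0.0/16")],        # internal administration network
}

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
NAT_PUBLIC_IP = "203.0.113.10"  # constructed external address (TEST-NET-3 range)


def zone_of(ip):
    """Map an address to its zone; any address not in a known zone is untrusted."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "untrusted"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dports: frozenset
    action: str = "accept"


# Constructed policy: only what the cardholder environment needs is permitted.
RULES = [
    Rule("untrusted", "dmz", "tcp", frozenset({443})),   # public web front end
    Rule("dmz", "cde", "tcp", frozenset({1433})),        # web tier to card database
    Rule("corp", "cde", "tcp", frozenset({22})),         # administration
]


def evaluate(src, dst, proto, dport, rules=RULES):
    """First matching rule wins; no match means drop (1.2: not permitted, so prohibited)."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto) == (sz, dz, proto) and dport in r.dports:
            return r.action
    return "drop"


def audit(rules):
    """Flag accept rules that contradict 1.3/1.4 even though the evaluator would honour them."""
    findings = []
    for r in rules:
        if r.action != "accept":
            continue
        if r.dst_zone == "cde" and r.src_zone in ("untrusted", "wireless"):
            findings.append(f"{r.src_zone}->cde: direct access to cardholder systems (1.3/1.4)")
        if r.src_zone == "dmz" and r.dst_zone == "untrusted":
            findings.append("dmz->untrusted: outbound Internet access from the DMZ (1.4)")
    return findings


def is_rfc1918(ip):
    return any(ip_address(ip) in net for net in RFC1918)


def masquerade(src, dst):
    """Source NAT for traffic bound to the untrusted zone (1.5): an RFC 1918 source
    leaves with the firewall's public address; everything else is left untouched."""
    if zone_of(dst) == "untrusted" and is_rfc1918(src):
        return NAT_PUBLIC_IP
    return src


if __name__ == "__main__":
    # Constructed sample flows, one per behaviour being illustrated.
    flows = [
        ("203.0.113.50", "192.168.100.10", "tcp", 443),   # Internet -> DMZ web: accept
        ("203.0.113.50", "10.10.0.5", "tcp", 1433),       # Internet -> card DB: drop (1.4)
        ("192.168.100.10", "10.10.0.5", "tcp", 1433),     # DMZ web -> card DB: accept
        ("10.30.5.5", "10.10.0.5", "tcp", 1433),          # wireless -> card DB: drop (1.3)
        ("10.10.0.5", "203.0.113.50", "tcp", 443),        # card DB -> Internet: drop
    ]
    for src, dst, proto, dport in flows:
        print(f"{src:>15} ({zone_of(src):>9}) -> {dst:>15} ({zone_of(dst):>9}) "
              f"{proto}/{dport}: {evaluate(src, dst, proto, dport)}")
    print("audit:", audit(RULES) or "no findings")
    print("egress source for 10.20.1.1 -> Internet:", masquerade("10.20.1.1", "203.0.113.50"))
```

The audit pass is the part a reviewer of a real rule base would lean on: a rule such as wireless to the cardholder database on 1433 is perfectly valid syntax and would be accepted by the evaluator, yet it violates 1.3, so a configuration standard (1.1) should reject it before deployment rather than rely on someone noticing it in the rule list.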
