PCI DSS requirements say a great deal about network security, to keep cardholder data safe and protected when it is stored, transmitted and processed. How can we achieve the maximum level of security through network devices? The PCI DSS requirements cover the installation and maintenance of infrastructure devices such as firewalls, IPS, routers and switches. How are we going to make them secure?
We will start with access control. We have to prevent unauthorized access to the in-scope environment through these devices. There should be strict policies and procedures for access to these devices and to the data processing facilities. Two-factor authentication is an ideal solution for access to these devices. Stricter procedures should be implemented for access to the data processing facilities (physical access to the devices). All default passwords should be replaced with memorable but non-guessable strong passwords in the operational environment. Access to this equipment should be restricted to authorized persons only, each with a unique user ID, so that tracking is possible. Apart from this, access to console ports and configuration ports must be restricted and controlled. All unnecessary ports and protocols should be disabled. Remote access to these devices should also be encrypted, and filtering should be enabled on gateways.
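The checks in the paragraph above can be run against a saved device configuration. The following Python sketch is an added example, not part of the original article; it assumes Cisco IOS-style syntax (the article names no vendor), and the sample config, the shared-account names, the default-secret list and the set of services treated as unnecessary are all constructed for illustration.

```python
import re

# Constructed sample in Cisco IOS-style syntax (assumption: the article names no vendor).
SAMPLE_CONFIG = """\
hostname edge-fw-01
username admin password 0 cisco
username jsmith secret 9 $9$constructedhash
ip http server
snmp-server community public RO
line con 0
 no login
line vty 0 4
 transport input telnet ssh
 login local
"""

SHARED_NAMES = {"admin", "root", "cisco", "operator"}      # generic ids defeat tracking
DEFAULT_SECRETS = {"cisco", "admin", "password", "public", "private"}
UNNEEDED = {"ip http server", "service finger", "ip bootp server"}  # assumed unnecessary

def split_blocks(text):
    """Group indented sub-commands under their parent line."""
    blocks = []
    for line in filter(str.strip, text.splitlines()):
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(text):
    """Return (finding, offending line) pairs for the access-control checks."""
    findings = []
    for head, subs in split_blocks(text):
        m = re.match(r"username (\S+) (password|secret) \d+ (\S+)", head)
        if m and m.group(1).lower() in SHARED_NAMES:
            findings.append(("shared-account", head))
        if m and m.group(2) == "password" and m.group(3).lower() in DEFAULT_SECRETS:
            findings.append(("default-password", head))
        m = re.match(r"snmp-server community (\S+)", head)
        if m and m.group(1).lower() in DEFAULT_SECRETS:
            findings.append(("default-community", head))
        if head in UNNEEDED:
            findings.append(("unneeded-service", head))
        # Console port must require a login; "no login" or no login line at all fails.
        if head.startswith("line con") and not any(re.match(r"login\b", s) for s in subs):
            findings.append(("console-unauthenticated", head))
        if head.startswith("line vty"):  # remote access must be encrypted (SSH only)
            findings += [("cleartext-remote-access", s) for s in subs
                         if re.match(r"transport input .*\b(telnet|all)\b", s)]
    return findings

if __name__ == "__main__":
    for kind, line in audit(SAMPLE_CONFIG):
        print(f"{kind}: {line}")
```

Running the same audit before and after each approved change gives a quick check that a temporary change did not reopen any of these items.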
Implement strict policies and procedures for configuration changes and configuration management. As time passes, we may need to change the configuration of these devices, either for a short term or permanently. A change request for a temporary change should state why the change is needed and how long it needs to exist. Once the requirement has passed, the device should be brought back to its original configuration, and this must be reported to the concerned authorities. Stay vigilant during this time so that the bad guys cannot exploit these changes to access cardholder data or interrupt operations. Always adhere to the standards for hardening these devices (NIST / IEEE). Keep up to date with the latest patches released by vendors. Test them in a lab environment and bring them into the operational environment as early as possible, within one month at the most.
As we know, PCI is a very sensitive and critical industry. Even a single minute mistake can take a financial institution into bankruptcy and a nation into financial crisis, so we have to stay vigilant at all times to keep things safe and protected. Hopefully we can sleep better by taking all of these measures, without limiting ourselves to them. Whenever we have a new idea to make things better, we should experiment with it, make it foolproof, and implement it for a safer tomorrow.