[PCI DSS 1.x] 1.4 Install personal firewall software on any mobile and/or employee-owned computers with

1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.

1.4.a Verify that mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), and which are used to access the organization’s network, have personal firewall software installed and active.

Need help w/ 1.3.10

I wanted to know what others are doing to meet this requirement. Our problem is that some of our laptops on our network are not managed. We are looking at NAC as a solution. Anyone else have suggestions?

Thanks,
R

rafaelg,

First, I would try to reduce the footprint/scope of the PCI-DSS audit by minimizing the number of workstations/laptops with access to payment card data. The laptops are not in scope if they do not process or store it, or are never in the payment card processing network.

NAC will not protect laptops with sensitive data when traveling unless there is an effective network firewall filter to/from the laptop. AV with Malware capability is also a must.

A managed solution is the way to go, but for a small shop, some of the options are running the workstation with a non-privileged (restricted) user and using a group policy/baseline configuration that the “restricted” user cannot alter.

hth,

Dan

Windows XP built-in Firewall

Is the Windows XP built-in firewall considered a “Personal Firewall” for the purposes of this requirement?

For our laptop users coming over a VPN, it has been indicated by our QSA that we need to do an integrity check on the laptop to make sure the personal firewall is running and is configured with the correct policy.

Our VPN solution would need to interrogate the laptop and not allow access to the corp LAN unless it passes these checks.

Obviously this complicates our VPN solution, and there is a cost implication to meeting this requirement from the QSA.

I understand that we should demonstrate control over the firewall software, and there is a question of how we demonstrate that laptops connected to the LAN are actually running the firewall, but do you think we can successfully challenge the requirement for this integrity check?

Thanks

Chris
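The integrity check Chris describes, done locally on the laptop, as an added example that is not code from this thread or from any QSA or vendor. It assumes a Windows 8 / Server 2012 or later client with the NetSecurity module (the XP-era firewall discussed above has no PowerShell interface) and that the VPN client can run a pre-connect script and gate on its exit code.

```powershell
# Added example (not from the forum thread): a local posture check a VPN pre-connect
# hook or logon script can run before allowing access to the corporate LAN.
# Assumes Windows 8 / Server 2012 or later (Get-NetFirewallProfile from NetSecurity).

function Test-PersonalFirewallPosture {
    [CmdletBinding()]
    param(
        # Expected policy: every listed profile on, inbound blocked by default, drops logged.
        [string[]]$RequiredProfiles = @('Domain', 'Private', 'Public')
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The firewall service itself must be running (MpsSvc = Windows Defender Firewall).
    $svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    if ($null -eq $svc -or $svc.Status -ne 'Running') {
        $findings.Add('Firewall service MpsSvc is not running')
    }

    # 2. Each profile must be enabled and match the required policy.
    $profiles = Get-NetFirewallProfile -ErrorAction Stop
    foreach ($name in $RequiredProfiles) {
        $p = $profiles | Where-Object Name -eq $name
        if ($null -eq $p) {
            $findings.Add("Profile '$name' not found")
            continue
        }
        if ($p.Enabled -ne 'True') {
            $findings.Add("Profile '$name' is disabled")
        }
        if ($p.DefaultInboundAction -ne 'Block') {
            $findings.Add("Profile '$name' default inbound action is '$($p.DefaultInboundAction)', expected Block")
        }
        if ($p.LogBlocked -ne 'True') {
            $findings.Add("Profile '$name' does not log blocked connections")
        }
    }

    # 3. Report object: the VPN hook gates on .Compliant; .Findings can go to the SIEM.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        CheckedAt    = (Get-Date).ToUniversalTime().ToString('o')
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

# Usage: exit non-zero so the calling VPN hook refuses the connection on a failed check.
$result = Test-PersonalFirewallPosture
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

Evidence for the assessor comes from keeping the returned objects centrally (per machine and timestamp), which is what shows laptops on the LAN were actually running the firewall.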

Our AV solution had a desktop FW solution that we added to meet the objective. It also had a HIPS solution, which we deployed as well, and it has helped us with certain compensating controls. Our QSA indicated that, when properly configured, the Windows desktop FW solution would meet the objective.

Third parties and customers OR just company owned PCs/mobiles?

[quote=“admin, post: 21”]
1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.
[/quote]

Does this apply to just company owned mobiles and computers or does it apply to customers and third party computers/mobile accessing the organisation’s network?

Could I please get a clarification on whether the requirement calls for personal firewall deployment only on the PCI in-scope computers that access cardholder data, or on all company computers? Would appreciate a quick reply.

Many Thanks