PCI DSS 3.2 Requirement 1: Install and Maintain a Firewall Configuration to Protect Cardholder Data

Applies to Product: USM Appliance™ AlienVault OSSIM®

Each Testing Procedure below is followed by How USM Appliance Delivers it, the USM Appliance Instructions, and the related USM Appliance Documentation.

Testing Procedure 1.1.1.c: Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested.

How USM Appliance Delivers: USM Appliance has built-in reports to assist in identifying changes made to router and firewall configurations for use in validating that changes were approved and tested.

USM Appliance Instructions (with related USM Appliance Documentation):
- Enable the plugin for your firewall/router devices, and enable forwarding of the syslog events from the firewall/router. (Documentation: Enable Plugins)
- Run the existing “Firewall Configuration Change” PCI report to show changes made to the firewall. (Documentation: How to Run Reports)
- Additionally, you can enable instant alerting of suspected device configuration changes by creating a directive to Alert on occurrences of the configuration-change events. (Documentation: Tutorial: Create a New Directive to Detect DoS Attack)
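The 1.1.1.c procedure has two parts: pull configuration-change events out of the forwarded firewall syslog, then compare them with the change records to show each change was approved. The following is an added example that does both on constructed input; it is not AlienVault's plugin, report or directive code. The syslog lines are constructed samples written in the style of Cisco ASA configuration-change messages, the host name, user names, addresses and the CHG-1042 change record are assumptions, and the approval rule (matching host and user inside an approved change window) is an illustration of what a reviewer would reconcile, not a USM Appliance feature.

```python
import re
from datetime import datetime

# Constructed sample syslog lines in Cisco ASA message format (not captured from a real device).
SAMPLE_SYSLOG = [
    "<166>Mar 14 2024 10:02:11 fw-edge-01 %ASA-5-111008: User 'jdoe' executed the 'configure terminal' command.",
    "<166>Mar 14 2024 10:02:40 fw-edge-01 %ASA-5-111010: User 'jdoe', running 'CLI' from IP 10.10.5.20, "
    "executed 'access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443'",
    "<166>Mar 14 2024 10:03:02 fw-edge-01 %ASA-5-111005: 10.10.5.20 end configuration: OK",
    "<166>Mar 14 2024 10:05:00 fw-edge-01 %ASA-6-302013: Built inbound TCP connection 12345 for "
    "outside:198.51.100.7/51234 (198.51.100.7/51234) to dmz:192.0.2.10/443 (192.0.2.10/443)",
    "<166>Mar 14 2024 23:41:17 fw-edge-01 %ASA-5-111010: User 'svc_backup', running 'CLI' from IP 10.10.9.77, "
    "executed 'no access-list OUTSIDE_IN extended deny ip any any'",
]

# Syslog header: priority, timestamp, host, ASA message id, free-text message.
HEADER_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<msg>.*)$"
)
# Configuration-change text: which user executed which command.
CHANGE_RE = re.compile(r"User '(?P<user>[^']+)'.*?executed (?:the )?'(?P<cmd>[^']+)'")

# Constructed change records: the approved-and-tested evidence the auditor compares against.
APPROVED_CHANGES = [
    {"ticket": "CHG-1042", "host": "fw-edge-01", "user": "jdoe",
     "start": datetime(2024, 3, 14, 9, 30), "end": datetime(2024, 3, 14, 11, 0)},
]


def parse_syslog(line):
    """Split one syslog line into its fields, or return None if it is not in the expected format."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%b %d %Y %H:%M:%S")
    return event


def extract_config_changes(lines):
    """Keep only events that record a user executing a configuration command."""
    changes = []
    for line in lines:
        event = parse_syslog(line)
        if event is None:
            continue
        m = CHANGE_RE.search(event["msg"])
        if m is None:
            continue  # connection logs and 'end configuration' markers are not changes
        changes.append({"ts": event["ts"], "host": event["host"],
                        "user": m["user"], "command": m["cmd"]})
    return changes


def reconcile(changes, approvals):
    """Match each change to an approved record by host, user and change window.

    Returns (approved, unapproved); unapproved changes are what the auditor
    and the responsible personnel need to explain."""
    approved, unapproved = [], []
    for change in changes:
        ticket = next((a["ticket"] for a in approvals
                       if a["host"] == change["host"] and a["user"] == change["user"]
                       and a["start"] <= change["ts"] <= a["end"]), None)
        (approved if ticket else unapproved).append({**change, "ticket": ticket})
    return approved, unapproved


if __name__ == "__main__":
    ok, suspect = reconcile(extract_config_changes(SAMPLE_SYSLOG), APPROVED_CHANGES)
    for c in ok:
        print(f"approved   {c['ts']} {c['host']} {c['user']} [{c['ticket']}]: {c['command']}")
    for c in suspect:
        print(f"UNAPPROVED {c['ts']} {c['host']} {c['user']}: {c['command']}")
```

The 23:41 change by svc_backup falls outside any approved window and is reported as unapproved; that is the kind of event the directive described above would raise immediately rather than leaving it for the periodic report.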

Testing Procedure 1.1.6.b: Identify insecure services, protocols, and ports allowed; and verify that security features are documented for each service.

How USM Appliance Delivers: USM Appliance provides NetFlow collection, which assists in identifying insecure services, protocols, and ports that are allowed.

USM Appliance Instructions (with related USM Appliance Documentation):
- NIDS in USM Appliance allows for reporting of suspicious or potentially insecure protocols through events. (Documentation: AlienVault NIDS)
- Create a directive to Alert on occurrences of such NIDS events, which may detect possible misconfiguration or traffic that is not authorized. (Documentation: Tutorial: Create a New Directive to Detect DoS Attack)

Testing Procedure 1.3.2: Examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ.

How USM Appliance Delivers: USM Appliance provides NetFlow collection, which assists in identifying traffic sources and destinations to help ensure that inbound Internet traffic is limited to IP addresses within the DMZ.

USM Appliance Instructions (with related USM Appliance Documentation):
- Configure a directive to Alert on any activity from non-authorized networks to the DMZ, which allows for immediate alerting of suspicious traffic from any data source. (Documentation: Correlation Directives)
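Both 1.1.6.b and 1.3.2 rely on the same flow data: the first asks which insecure services are actually allowed and whether each has documented security features, the second asks whether any inbound Internet traffic ends up outside the DMZ. The following is an added example that runs both checks over constructed NetFlow-style records; it is not USM Appliance code and does not use its NetFlow storage or directive engine. The DMZ and internal address ranges, the list of insecure services, the DOCUMENTED_SERVICES register and the sample flows are all assumptions made for the example.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed network layout for this example (not values from the page).
DMZ_NETWORKS = [ip_network("192.0.2.0/24")]
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Services commonly treated as insecure under Requirement 1.1.6 because they carry
# credentials or sessions in cleartext; keyed by (protocol, destination port).
INSECURE_SERVICES = {
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("udp", 69): "tftp",
    ("tcp", 513): "rlogin",
    ("tcp", 514): "rsh",
}

# Constructed documentation register: services that are allowed with documented
# security features, keyed by (dst_ip, protocol, dst_port).
DOCUMENTED_SERVICES = {
    ("192.0.2.20", "tcp", 21): "Partner file drop; FTP restricted by ACL, TLS (FTPS) enforced on server",
}

# Constructed NetFlow-style records (not real capture data).
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,bytes
2024-03-14T10:05:00Z,198.51.100.7,51234,192.0.2.10,443,tcp,18234
2024-03-14T10:06:12Z,203.0.113.5,40001,10.20.1.15,3389,tcp,9120
2024-03-14T10:07:45Z,10.20.1.15,48000,10.20.1.50,23,tcp,2210
2024-03-14T10:09:03Z,198.51.100.9,33000,192.0.2.20,21,tcp,4400
2024-03-14T10:11:30Z,192.0.2.10,5555,10.20.1.15,1433,tcp,77000
"""


def parse_flows(text):
    """Read CSV flow records into dicts with integer ports."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["src_port"] = int(row["src_port"])
        row["dst_port"] = int(row["dst_port"])
        row["bytes"] = int(row["bytes"])
        flows.append(row)
    return flows


def in_any(ip, networks):
    return any(ip in net for net in networks)


def is_internet_address(addr):
    """Anything that is neither DMZ nor internal is treated as the Internet.

    A production check would also exclude loopback, link-local and multicast ranges."""
    ip = ip_address(addr)
    return not in_any(ip, DMZ_NETWORKS) and not in_any(ip, INTERNAL_NETWORKS)


def inbound_internet_outside_dmz(flows):
    """Requirement 1.3.2: inbound Internet traffic must terminate at DMZ addresses."""
    return [f for f in flows
            if is_internet_address(f["src_ip"])
            and not in_any(ip_address(f["dst_ip"]), DMZ_NETWORKS)]


def undocumented_insecure_services(flows):
    """Requirement 1.1.6.b: every allowed insecure service needs documented security features.

    Returns (service_name, flow) for insecure services with no register entry."""
    findings = []
    for f in flows:
        name = INSECURE_SERVICES.get((f["proto"], f["dst_port"]))
        if name is None:
            continue
        if (f["dst_ip"], f["proto"], f["dst_port"]) in DOCUMENTED_SERVICES:
            continue  # allowed, and its security features are documented
        findings.append((name, f))
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in inbound_internet_outside_dmz(flows):
        print(f"1.3.2  Internet source {f['src_ip']} reached non-DMZ host {f['dst_ip']}:{f['dst_port']}")
    for name, f in undocumented_insecure_services(flows):
        print(f"1.1.6b undocumented {name} to {f['dst_ip']}:{f['dst_port']}/{f['proto']} from {f['src_ip']}")
```

On the sample data the RDP flow from 203.0.113.5 to 10.20.1.15 is the 1.3.2 finding (an Internet source reaching an internal address), and the telnet flow to 10.20.1.50 is the 1.1.6.b finding; the FTP flow to 192.0.2.20 is an insecure service but passes because its security features are in the register. Flows between DMZ and internal hosts are outside both checks and would be covered by the other 1.3.x procedures.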