PCI Compliance test - checklist

Description

Who needs a PCI compliance test?

PCI DSS came about to ensure proper standards were in place to secure all organizations with credit/debit cards. 

What does the PCI DSS secure?

Employees, visitors, services, and technology that your business involves around can have physical, mobile or online payment from major card brands. PCI DSS mainly focuses on securing your credit card data that is stored, processed, or transferred to trusted card vendors.

PCI compliance requirements:

  1. Secure network - maintain a firewall and unique (non-vendor supplied) password 
  2. Protect card-holder data - encryption of data stored and/or transmitted
  3. Vulnerability program - endpoint  anti-virus, anti-malware software and always with the latest patch
  4. Access control - limit details, identify access and/or restrict physical access
  5. Tracking and monitoring - periodic monitoring and testing of security systems and cardholders data
  6. Information security - implement clear policies and processes to everyone regarding the seriousness and significance

This KB explains the basic and best Practices for administrators managing SonicWall Firewall Appliances to increase the overall security of an end-to-end architecture. Please be advised these are designed with the most common errors that we see regularly.

  1. Always be on the latest firmware release. A new patch is released to clean a bug, remediate the vulnerability, better process handling, new feature, and so forth. How can I upgrade SonicOS Firmware?
  2. Change admin default name and password. How can I change the administrator password?
  3. Disable all unsecured port access (HTTP, RDP, SSH) from an untrusted zone. Disable HTTP management access on all WAN zones and change the HTTPS port from the default (TCP 443) to custom (say TCP 8443) How can I change the HTTP and HTTPS management ports
  4. Make timely backup. Document and label each backup, this will help you to roll back to a good known state. How can I save a backup settings file from a SonicWall firewall?  and How can I create cloud backup of SonicWall settings?
  5. Security services. Gateway anti-virus, IPS, Anti-spyware need to be enabled as explained in Common configurations to protect against Ransomware
  6. Enable Stealth mode to not respond (RST or DENY packet) to port scans. Stealth Mode

Most common PCI compliance failure reports:

  • SSL self-signed certificates on port TCP 443. Even if you are using a secured port 443 HTTPS, a self-signed certificate will be a security threat if the Management page is accessed from WAN. How do I generate a new SSL certificate from my SonicWall firewall? The certificate will have a domain name that needs to be resolved to the public IP of SonicWall
  • HTTP Security Header Not Detected - Upgrade firmware to the latest. The HSTS error is fixed. How can I upgrade SonicOS Firmware?
  • General remote services on port TCP 4433. SSL VPN Certificate self-signed certificate. How to upload a CA signed certificate to SSL VPN service?
  • TLSv1.1 is supported - the latest browsers have all disabled TLSv1.1 and SSLv3 Disable TLS 1.1 Support
  • SSL Certificate has an IP Address as the Common Name. The certificate used in HTTP web management or SSL VPN has an IP address instead of FQDN in the Common Name (CN) field. Obtain a certificate with an FQDN as its CN or Subject Alternative Name
  • Subject Common Name Does Not Match Server FQDN. Obtain a certificate whose Subject Common Name (CN) or Subject Alternative Name (SAN) matches the FQDN used to access it. For example, if the scan is being done using the FQDN www.example.com, the certificate must have its CN or SAN as www.example.com or *.example.com.
  • SSL Certificate - Signature Verification Failed Vulnerability This error occurs when the certificate in the HTTP web management or SSL VPN is signed by an unknown Certificate Authority (CA). In most cases, this happens when the CA is private. For example, a Windows CA. Obtain a certificate signed by a public CA.
  • Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode. UDP 500 is for all types of IPsec VPN tunnels, which includes the WAN GroupVPN (GVC) connections. Please increase the complexity of the shared secret by including special characters, numbers, and don't include any patterns. A digital certificate is the most secure option available with WANGroup VPN.
  • Use 2FA for any login - IPsec VPN client, SSL VPN client or HTTPS admin login. How to configure two-factor authentication using TOTP for HTTPS Management and How do I configure 2FA for SSL VPN with TOTP? Two factor authentication using RSA Radius and SecurID for SonicWall GVC
  • Restrict inbound access. Do not allow inbound access over unsecured ports like HTTP, FTP, SSH, RDP and so forth. Wherever possible have source-based access rules. How to Configure Access Rules

For more information on vulnerabilities and the impact on your device, please visit the Vulnerability List published by SonicWall. This has details about the CVE, impacted products and the fix

Related Articles

  • SonicOS 8.1.0 FAQ
    Read More
  • SonicWall GEN8 TZs and GEN8 NSas Settings Migration
    Read More
  • Getting started with SonicWall firewalls
    Read More

Categories

Firewalls
NSa Series
Firewalls
NSsp Series
Firewalls
TZ Series
not finding your answers?
Ask the Community