A   formal process for approving and testing all network   connections   and changes to the firewall and router configurations

Verify that firewall and router configuration standards   include  a documented list of services, protocols and ports necessary   for business for     example, hypertext transfer protocol (HTTP) and Secure Sockets Layer (SSL),   Secure   Shell (SSH), and Virtual Private Network (VPN) protocols

Identify insecure services, protocols, and ports allowed;   and   verify they are necessary and that security features are   documented and   implemented by examining firewall and router   configuration standards and   settings for each service

Firewall Analyzer provides you information on all allowed services, protocols and ports that helps you to analyze and identify the insecure services. This report serves as the security feature documentation that allows you to examine the firewall & router configuration standards. With this solution, you can also exclude certain services from the insecure services list, based on your internal business requirement

Firewall Analyzer allows you to configure 'Explicit Deny Rules' to avoid unauthorized/malicious traffic to your PCI Zone. It also provides you reports on all Explicitly Denied rules and Allowed Traffic

Limit inbound Internet traffic to IP addresses within the DMZ

Do not allow any direct connections inbound or outbound   for   traffic between the Internet and the cardholder data   environment

Do not allow internal addresses to pass from the Internet   into   the DMZ

Firewall Analyzer's 'Allowed Traffic from Internal IPs to DMZs via WAN Interface' report enables you to block internal addreses to pass from the Internet into the DMZ

Do not disclose private IP addresses and routing information   to   unauthorized parties

Firewall Analyzer provides you with an exhaustive report for all addresses in the PCI Zone that are not NATed and which access the external network. This report provides various information such as the address's Policy name, rule name, source, destination, service utilized and Source/Destination interface. With this report, the users can easily check which private IP addreses are exposed to the outside world and which are not thus helping you to protect your private IPs and routing information from unauthorized parties

Always change vendor-supplied defaults before installing   a   system on the network, including but not limited to passwords,   simple network   management protocol (SNMP) community strings, and   elimination of unnecessary   accounts

With Firewall Analyzer's out-of-the-box report, the user can check whether all the veondor supplied defaults such as the passwords, encryption keys, SNMP Community strings has been changed or not. The solution also provides you a report that provides all the user account details and helps you to remove unnecessary accounts

Firewall Analyzer provides you with all the insecure services details such as HTTP Access Details, TelNet Access details that helps you to check the status of encryption in all non-console administrative access and web based management

Establish a process for linking all access to system   components   (especially access done with administrative privileges   such as root) to each   individual user

Firewall Analyzer provides you with 'Configuration Change History' report which helps you to associate all access to system components by users specifically privileged users

All   individual accesses to cardholder data

Firewall Analyzer allows you to create custom report profile which helps you to monitor all user's access to cardholder data in your PCI Network

All   actions taken by any individual with root or administrative     privileges

Firewall Analyzer's out-of-the-box Configuration Change reports over a period of time helps you to monitor all your privilege user/root user's actions.This report provides you with the 'where,when, what, who' information on all firewall configuration changes

With Firewall Analyzer's 'Failed Logon Details' report, users can get information on invalid logical access attempts to their network devices

Initialization of the audit logs

Firewall Analyzer helps complying to 'Audit Trail of User executed commands' (10.2.6 a) of PCI-DSS mandate with its configuration Change report that records all user activities, configuration changes that makes your audit trail simple. The solution also supports 'Automated Audit Trail requirement' (10.2.6 b) of PCI DSS mandate with this report

Using time-synchronization technology, synchronize all   critical   system clocks and times

Review logs for all system components at least daily.   Log   reviews must include those servers that perform security   functions like   intrusion-detection system (IDS) and   authentication, authorization, and   accounting protocol (AAA)   servers (for example, RADIUS)

Firewall Analyzer has the capability to review the logs periodically and it has alerting mechanisms for security functions like Intrusion Detection System and AAA servers (like RADIUS). With this solution, you can configure alerts to meet your security related log reviews

Deploy file-integrity monitoring tools to alert personnel   to   unauthorized modification of critical system files, configuration   files, or   content files; and configure the software to perform   critical file   comparisons at least weekly

Firewall Analyzer facilitates file integrity monitoring feature.The solution can alert network administrators upon unauthorized modification of critical configuration files and more. Users can create alert profiles that triggers instant notification upon any configuration changes. Users can automatically generate configuration change reports at regular time intervals by scheduling them. The reports can also be redistributed via email