Security Basics mailing list archives

Re: Re: Firewalls and PCI


From: "Josh Haft" <pacmansyu () gmail com>
Date: Fri, 18 Jan 2008 12:13:53 -0600

On Jan 18, 2008 10:21 AM, Honer, Lance <lhoner () smartgrp com> wrote:

Well, PCI does not mandate or even suggest anything regarding network
segmentation. PCI says anything that could cause a card exposure must be
evaluated for compliance.

It's really up to the company in question to follow this thought process
to completion. When they do, they'll realize that if they limit the scope
of things in the environment that could lead to an exposure, fewer
things in the environment will need to be evaluated for compliance.

So in the context of network segmentation this means separating your
card data related systems from the non-card data related systems and
protecting access into the card data related systems.

Lance


The section of PCI I was referring to is 1.1.3
    "Requirements for a firewall at each Internet connection and
between any demilitarized zone (DMZ) and the internal network zone."

So, I have a firewall that separates these networks. However, it's
only one physical firewall. The client is requesting that we have our network
separated by multiple physical firewalls. I can only assume the
aforementioned section of PCI includes both configurations (one or
multiple physical firewalls), but I am wondering how others have
interpreted this.

We'll probably end up adding at least one firewall and putting the LAN
and database network behind it, leaving the DMZ behind only one
firewall. I'm just curious how others have treated these situations.

Thanks everyone for your responses.
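Whether the separation in 1.1.3 is carried by one physical firewall or several, what gets examined is the forwarding policy itself: is inter-zone traffic deny-by-default, and does anything other than the approved application flow reach the segment holding card data? The following Python audit is an added example, not part of this thread or of any PCI guidance. It parses a constructed iptables-save FORWARD chain for a single firewall with four legs (Internet, DMZ, LAN, cardholder-data database segment) and reports rules that cross into the database segment or bypass the DMZ. The interface names, addresses, ports and the notion of an "approved flow" are assumptions made for the example.

```python
"""Audit a single firewall's FORWARD chain for PCI-style zone separation.

Added example: parses iptables-save style rules (constructed sample below) and
reports forwarding into the cardholder-data segment other than the approved
application flow. Interface names, addresses and ports are assumptions.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Assumed interface-to-zone mapping for one physical firewall with four legs.
ZONES = {
    "eth0": "internet",
    "eth1": "dmz",    # web/application tier
    "eth2": "lan",    # corporate LAN
    "eth3": "cde",    # cardholder-data database segment
}

# The only flow permitted into the CDE: (source zone, destination, proto, port).
ALLOWED_FLOWS = {("dmz", "10.10.30.5/32", "tcp", 5432)}

# Constructed sample ruleset (iptables-save format, FORWARD chain only).
SAMPLE_RULES = """\
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.0.2.10/32 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -s 192.0.2.10/32 -o eth3 -d 10.10.30.5/32 -p tcp --dport 5432 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth2 -o eth3 -d 10.10.30.5/32 -p tcp --dport 22 -j ACCEPT
"""

# iptables options that take exactly one argument (enough for the sample above).
TWO_ARG_OPTS = {"-i", "-o", "-s", "-d", "-p", "--dport", "-j", "-m", "--ctstate"}


@dataclass
class Rule:
    in_if: Optional[str]
    out_if: Optional[str]
    dst: Optional[str]      # normalised CIDR, e.g. "10.10.30.5/32"
    proto: Optional[str]
    dport: Optional[int]
    target: str             # "" when the rule has no -j (counter-only rule)
    ctstate: Optional[str]


def parse_forward_chain(text):
    """Return (default_policy, [Rule, ...]) for the FORWARD chain."""
    policy, rules = None, []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "FORWARD"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "FORWARD"]:
            opts, i = {}, 2
            while i < len(tok):
                if tok[i] in TWO_ARG_OPTS and i + 1 < len(tok):
                    opts[tok[i]] = tok[i + 1]
                    i += 2
                else:
                    i += 1  # bare flags such as "!" or "--syn" take no argument
            rules.append(Rule(
                in_if=opts.get("-i"),
                out_if=opts.get("-o"),
                dst=str(ipaddress.ip_network(opts["-d"], strict=False)) if "-d" in opts else None,
                proto=opts.get("-p"),
                dport=int(opts["--dport"]) if "--dport" in opts else None,
                target=opts.get("-j", ""),
                ctstate=opts.get("--ctstate"),
            ))
    return policy, rules


def audit(text, zones=ZONES, cde_zone="cde", allowed_flows=ALLOWED_FLOWS):
    """Return findings; an empty list means the ruleset enforces the intended segmentation."""
    policy, rules = parse_forward_chain(text)
    findings = []
    if policy != "DROP":
        findings.append(f"FORWARD default policy is {policy}; inter-zone forwarding must be deny-by-default")
    for n, rule in enumerate(rules, 1):
        if rule.target != "ACCEPT":
            continue
        if rule.ctstate and set(rule.ctstate.split(",")) <= {"ESTABLISHED", "RELATED"}:
            continue  # return traffic for connections already permitted by a rule below
        src_zone = zones.get(rule.in_if, "any")
        dst_zone = zones.get(rule.out_if, "any")
        if dst_zone == "any":
            findings.append(f"rule {n}: ACCEPT with no -o can forward from {src_zone} into {cde_zone}")
        elif src_zone == "internet" and dst_zone != "dmz":
            findings.append(f"rule {n}: Internet may reach {dst_zone} directly, bypassing the DMZ")
        elif dst_zone == cde_zone:
            flow = (src_zone, rule.dst or "any", rule.proto or "any", rule.dport or "any")
            if flow not in allowed_flows:
                findings.append(f"rule {n}: {src_zone} -> {cde_zone} {flow[1]} {flow[2]}/{flow[3]} "
                                "is not an approved cardholder-data flow")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

Run against the sample, the only finding is rule 5, the LAN administrator's SSH path into the database segment: the web tier's database connection is the approved flow and passes, while the LAN rule is exactly the kind of path that makes the LAN one of the "things in the environment that could lead to an exposure" and so has to be evaluated. Splitting the LAN and database onto a second physical firewall does not change that analysis; the rule that permits the path still has to be justified or removed. Real rulesets use many more match options than the handful this parser understands, so treat it as a starting point for the check, not a complete iptables parser.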

