1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.

1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.

1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.

1.3.4 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.

1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only "established" connections are allowed into the network.)

1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.

Note: Methods to obscure IP addressing may include, but are not limited to:
- Network Address Translation (NAT),
- Placing servers containing cardholder data behind proxy servers/firewalls or content caches,
- Removal or filtering of route advertisements for private networks that employ registered addressing,
- Internal use of RFC1918 address space instead of registered addresses.
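As an added illustration (not part of the PCI DSS text), the following Python model evaluates forwarded packets against a three-zone firewall policy (Internet, DMZ, CDE) that encodes sub-requirements 1.3.1 through 1.3.8 in one decision function, so each verdict can be traced back to the requirement that produced it. The interface names, address ranges, allowed services and sample packets are all constructed assumptions; the default verdict is drop, anti-spoofing is checked before any accept rule, and reply traffic is admitted only when conntrack has marked it established.

```python
"""Added example: a three-zone firewall policy model for PCI DSS Requirement 1.3.

Everything below (interface names, address ranges, allowed services) is a
constructed assumption; it is not a configuration taken from the standard.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed topology: one interface per zone.
ZONE_OF_IFACE = {"wan": "internet", "dmz": "dmz", "cde": "cde"}
DMZ_NET = ip_network("192.0.2.0/24")   # DMZ on a public (documentation) range
CDE_NET = ip_network("10.10.0.0/24")   # CDE on RFC1918 space (1.3.8)
FW_PUBLIC_IP = "203.0.113.1"           # address the Internet sees after NAT (1.3.8)

# 1.3.4: source addresses that must never arrive on the Internet-facing interface.
BOGON_SOURCES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

# 1.3.1 / 1.3.2: the only publicly reachable services, pinned to DMZ addresses.
PUBLIC_SERVICES = {("192.0.2.10", "tcp", 443)}
# 1.3.5: the only Internet destinations the CDE may open connections to.
CDE_EGRESS_ALLOW = {("203.0.113.5", "tcp", 443)}
# 1.3.7: the DMZ tier may reach the CDE database only on its service port.
DMZ_TO_CDE_ALLOW = {("192.0.2.10", "10.10.0.20", "tcp", 5432)}


@dataclass(frozen=True)
class Packet:
    iif: str                    # ingress interface
    src: str
    dst: str
    proto: str
    dport: int
    established: bool = False   # conntrack already accepted this connection's first packet


def zone_of_addr(addr: str) -> str:
    ip = ip_address(addr)
    if ip in DMZ_NET:
        return "dmz"
    if ip in CDE_NET:
        return "cde"
    return "internet"


def decide(pkt: Packet) -> tuple:
    """Return (verdict, requirement) for a forwarded packet; default policy is drop."""
    src_zone = ZONE_OF_IFACE[pkt.iif]
    dst_zone = zone_of_addr(pkt.dst)

    # 1.3.4 anti-spoofing, evaluated before any accept rule: the Internet interface
    # must not carry private/loopback sources, and an internal interface must only
    # carry addresses that belong to its own zone.
    src_ip = ip_address(pkt.src)
    if src_zone == "internet" and any(src_ip in net for net in BOGON_SOURCES):
        return ("drop", "1.3.4")
    if src_zone != "internet" and zone_of_addr(pkt.src) != src_zone:
        return ("drop", "1.3.4")

    # 1.3.6 stateful inspection: replies are admitted only for established connections.
    if pkt.established:
        return ("accept", "1.3.6")

    service = (pkt.dst, pkt.proto, pkt.dport)
    if src_zone == "internet":
        if dst_zone == "cde":
            return ("drop", "1.3.3")          # no direct Internet -> CDE, ever
        if dst_zone == "dmz" and service in PUBLIC_SERVICES:
            return ("accept", "1.3.1")
        return ("drop", "1.3.2")              # anything else inbound from the Internet
    if src_zone == "cde" and dst_zone == "internet":
        return ("accept", "1.3.5") if service in CDE_EGRESS_ALLOW else ("drop", "1.3.5")
    if src_zone == "dmz" and dst_zone == "cde":
        flow = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        return ("accept", "1.3.7") if flow in DMZ_TO_CDE_ALLOW else ("drop", "1.3.7")
    return ("drop", "default")


def outbound_source(pkt: Packet) -> str:
    """1.3.8: traffic leaving for the Internet carries the firewall's public address,
    so internal RFC1918 addressing is never disclosed on the wire."""
    return FW_PUBLIC_IP if zone_of_addr(pkt.dst) == "internet" else pkt.src


# Constructed sample traffic, one packet per requirement being exercised.
SAMPLE_PACKETS = [
    Packet("wan", "198.51.100.7", "192.0.2.10", "tcp", 443),          # public web: accept
    Packet("wan", "198.51.100.7", "192.0.2.10", "tcp", 22),           # admin port from Internet: drop
    Packet("wan", "198.51.100.7", "10.10.0.20", "tcp", 5432),         # Internet -> CDE: drop
    Packet("wan", "10.10.0.20", "192.0.2.10", "tcp", 443),            # spoofed internal source: drop
    Packet("cde", "10.10.0.20", "203.0.113.5", "tcp", 443),           # authorised egress: accept
    Packet("cde", "10.10.0.20", "198.51.100.7", "tcp", 443),          # unauthorised egress: drop
    Packet("wan", "203.0.113.5", "10.10.0.20", "tcp", 51000, True),   # reply to that egress (after reverse NAT): accept
    Packet("dmz", "192.0.2.10", "10.10.0.20", "tcp", 5432),           # DMZ app -> DB: accept
    Packet("dmz", "192.0.2.10", "10.10.0.20", "tcp", 22),             # DMZ app -> DB ssh: drop
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, req = decide(p)
        print(f"{p.iif:>3} {p.src:>14} -> {p.dst}:{p.dport:<5} {verdict:6} ({req})")
```

Running the block prints one verdict per sample packet. The ordering inside `decide` mirrors how a real ruleset should be laid out: spoofed sources are rejected first so that no later accept rule (including the established-connection shortcut) can be reached with a forged address, and the catch-all drop at the end is what makes the whitelists for 1.3.1, 1.3.5 and 1.3.7 meaningful.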