Chapter 7 – PCI DSS Compliance

Logging wireless network activity

To ensure that wireless network actiity is logged, go to Log & Report > Log Settings, enable Event Logging and select WiFi activity event.

 

Protecting stored cardholder data

The Fortinet FortiDB and FortiWeb products can provide security for your sensitive cardholder data.

The Fortinet Database Security (FortiDB) device provides vulnerability assessment, database activity monitoring, auditing and monitoring.

The Fortinet FortiWeb Web Application Firewall deployed in front of public-facing web applications protects Web applications, databases, and the information exchanged between them. In particular, it addresses the PCI DSS requirements 6.5 and 6.6 regarding web application vulnerabilities such as cross-site scripting, SQL injection, and information leakage.

FortiGates support some web application firewall security features and allow you to offload selected HTTP and HTTPS traffic to an external FortiWeb device. To offload HTTP traffic to go System > External Security Devices, enable HTTP service and select FortiWeb.

Protecting communicated cardholder data

If cardholder data must be communicated over an untrusted network, such as the Internet, use the FortiGate unit’s IPsec VPN capability to exchange the data securely. If you support customer online transactions, use HTTPS (SSL or TLS encryption) for security. The relevant PCI DSS requirement is:

  • Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks. (4.1)

This does not prescribe particular cryptography, but it can be interpreted as a requirement to follow industry best practices.

 

Configuring IPsec VPN security

The security considerations for IPsec VPNs are encryption and authentication.

 

Encryption

Go to VPN > IPsec Tunnels to configure an IPsec VPN. In both Phase 1 and Phase 2 parts of the configuration, you select the encryption to use.

These are advanced settings, overriding defaults that are not necessarily the strongest algorithms. VPNs negotiate over standards, so you can list multiple proposed algorithms. The VPN will use the strongest encryption that both ends support.

Choose strong encryption. The available encryption algorithms in descending order of strength are AES256, AES192, AES128, 3DES, DES. DES encryption is the weakest with only a 64-bit key and does not meet the 80-bit key length minimum that PCI DSS requires.

The message digest (authentication) algorithms in descending order of strength are SHA512, SHA384, SHA256, SHA1 and MD5. MD5 is particularly weak and should be avoided.

 

Authentication

VPN peers authenticate each other before establishing a tunnel. FortiGate units support two different authentication methods: pre-shared key and RSA signature (certificate). Certificates provide the best security. PCI DSS does not prohibit pre-shared keys, but you should limit access to the keys to the personnel who are responsible for the FortiGate units or other equipment at either end of the VPN.

 

Configuring SSL VPN security

The SSL VPN configuration includes a choice of encryption algorithm. You can only configure encryption key algorithms for SSL VPN in the CLI:

config vpn ssl settings

set algorithm {low | medium | high}

end

The default option of Medium at RC4 (128 bits) is acceptable, but the High option, AES (128/256 bits) and 3DES

is more secure. The Low option, RC4 (64 bits), DES and higher does not meet PCI DSS requirements.

 

Protecting the CDE network from viruses

PCI DSS requires the use of regularly updated antivirus protection. The antivirus functionality of the FortiGate unit protects both the FortiGate unit and the networks it manages. Workstations on these networks can be protected using FortiClient Endpoint Security. Both FortiGate and FortiClient antivirus protection can receive updates from Fortinet’s FortiGuard service. Workstations can also use third-party antivirus applications with update services.

The FortiGate unit can enforce the use of antivirus software, denying unprotected workstations access to the network.

 

Enabling FortiGate antivirus protection

The antivirus profile must apply AV scanning to all protocols. You also need to enable SSL inspection to include secure protocols in antivirus scanning. The extended AV database contains the largest number of virus signatures.

To enable SSL inspection

 

1. Go to Security Profiles > SSL/SSH Inspection.

2. Set Inspection Method to Full SSL Inspection.

3. Set each listed protocol to On and then select Apply.

 

To select the extended antivirus database

The antivirus database is selectable using the CLI:

config antivirus settings set default-db extended

end

For detailed information about the Antivirus feature, see the Security Profiles chapter of the FortiOS Handbook.

 

Configuring antivirus updates

On the dashboard, check the License Information widget. The Support Contract section should indicate that the FortiGate is registered and show future expiry dates for the FortiGuard Antivirus license. If your FortiGate unit is not registered, you can register it from the License Information widget.

In the FortiGuard Services section, check the Antivirus field. If the service is unreachable, see the online Help for information about troubleshooting your connectivity to FortiGuard Services.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.