PCI-DSS Compliance for an HP-UX Host
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment
This requirement mainly deals with securing the internal network against malicious attacks.
HP-UX IPFilter provides firewall services and network address translation (NAT) for many UNIX-like operating
systems. HP-UX IPFilter is a stateful system firewall that filters IP packets to control packet flow in or out of a
system. The firewall functions as a security defense by reducing exposure points on a system.
HP-UX IPFilter provides the following features:
Protects an individual host on an intranet against internal attacks.
Protects an individual host on an intranet against external attacks that have breached perimeter defenses.
Provides an alternative to the restricted configuration of Internet Services.
Protects a bastion host on the perimeter of a protected network or in a DMZ.
For more information about HP-UX IPFilter, see Appendix A.
HP Network Automation (NA) provides an enterprise-class solution that tracks and regulates configuration and
software changes across routers, switches, firewalls, load balancers, and wireless access points. HP NA provides
visibility into network changes, enabling IT staff to identify and correct trends that could lead to problems, while
mitigating compliance issues, security hazards, and disaster recovery risks. HP NA also captures a full audit trail
for each device change.
Network engineers can use HP NA to pinpoint the following:
Which device configuration changed
What exactly was changed in the configuration
Who made the change
Why the change was made
In addition, HP NA can enforce security and regulatory policies at the network level by making sure that
configurations comply with pre-defined standards. The end result is a resilient and maintainable network that is
compliant with standards and regulations.
For more information about HP NA, see Appendix A.
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment
Verify that a DMZ is implemented; HP-UX IPFilter can then limit inbound traffic to only those system components that
provide authorized publicly accessible services, protocols, and ports. HP-UX IPFilter protects a bastion host on the
perimeter of a protected network or in a DMZ and ensures that there is no direct access between the Internet and
system components in the cardholder data environment.
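The following IPFilter ruleset illustrates the host-firewall role described for Requirements 1.2 and 1.3 above: default deny, inbound access only to the services this host is authorized to expose, and logging of everything blocked. It is an added example, not taken from this document or from HP; the interface name lan0 and all addresses and ports are constructed for illustration and must be replaced with the values of the actual cardholder data environment.

```conf
# HP-UX IPFilter rules (constructed example, normally loaded from /etc/opt/ipf/ipf.conf).
# Without "quick" IPFilter applies the LAST matching rule, so every rule here uses
# "quick" to make evaluation first-match and the intent unambiguous.

# Loopback is always permitted.
pass in  quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: a packet arriving on the network interface must not claim a
# loopback source or the host's own address (10.10.30.15 is a constructed example).
block in log quick on lan0 from 127.0.0.0/8 to any
block in log quick on lan0 from 10.10.30.15/32 to any

# Inbound: only the authorized services, only from the networks that need them.
# Administrative SSH, restricted to the management subnet (constructed).
pass in quick on lan0 proto tcp from 10.10.20.0/24 to 10.10.30.15 port = 22 flags S keep state
# Application listener that the DMZ web tier (constructed subnet) is permitted to reach.
pass in quick on lan0 proto tcp from 10.10.10.0/24 to 10.10.30.15 port = 8443 flags S keep state

# Outbound: the host may initiate connections; the state table admits the replies,
# so no broad "pass in" rule for return traffic is needed.
pass out quick on lan0 proto tcp  from 10.10.30.15 to any flags S keep state
pass out quick on lan0 proto udp  from 10.10.30.15 to any keep state
pass out quick on lan0 proto icmp from 10.10.30.15 to any keep state

# Default deny in both directions; "log" records the drops for Requirement 10 review.
block in  log quick on lan0 all
block out log quick on lan0 all
```

After editing, flush and reload the rules with ipf -Fa -f /etc/opt/ipf/ipf.conf and confirm the loaded set with ipfstat -io before relying on it.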
In addition to the products mentioned above, HP TippingPoint Intrusion Prevention Systems (IPS) and vController+vFW
provide proactive network security through inline, real-time protection of network traffic and data centers. The IPS
platform's architecture offers deep packet inspection of network traffic, and its modular software design enables the
addition of further network protection services to its proven intrusion prevention solution.
For more information about HP TippingPoint, see Appendix A.
1.4 Install personal firewall software on any mobile or employee-owned computers, or both, with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization's network
This is outside the purview of this document. Suitable firewall software must be chosen and installed on employee
mobile devices, on employee laptops and computers, or both, wherever they have direct connectivity to the Internet and are
used to access the organization's network.