PIN Security Requirements:
25-7.1 Certificate-processing system components operated online must be protected by a firewall(s) from all unauthorized access, including casual browsing and deliberate attacks. Firewalls must minimally be configured to:
- Deny all services not explicitly permitted.
- Disable or remove all unnecessary services, protocols, and ports.
- Fail to a configuration that denies all services and require a firewall administrator to re-enable services after a failure.
- Disable source routing on the firewall.
- Not accept traffic on its external interfaces that appears to be coming from internal network addresses.
- Notify the firewall administrator in near real time of any item that may need immediate attention such as a break-in, little disk space available, or other related messages so that an immediate action can be taken.
- Run on a dedicated computer: All non-firewall related software, such as compilers, editors, communications software, etc., must be deleted or disabled.
Testing Procedures:
25-7.1.a Examine network and system configurations to verify that certificate-processing system components operated online are protected from unauthorized access by firewall(s).
25-7.1.b Examine firewall configurations to verify that they are configured to:
- Deny all services not explicitly permitted.
- Disable or remove all unnecessary services, protocols, and ports.
- Fail to a configuration that denies all services and require a firewall administrator to re-enable services after a failure.
- Disable source routing on the firewall.
- Not accept traffic on its external interfaces that appears to be coming from internal network addresses.
- Notify the firewall administrator in near real time of any item that may need immediate attention such as a break-in, little disk space available, or other related messages so that an immediate action can be taken.
- Run on a dedicated computer: All non-firewall related software, such as compilers, editors, communications software, etc., must be deleted or disabled.
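Several of the controls listed above (default deny, rejecting external-interface traffic that claims an internal source, disabling source routing) can be verified mechanically from a host's firewall ruleset and kernel settings, which is what testing procedure 25-7.1.b asks the assessor to do. The script below is an added example, not part of the PCI PIN document; it parses constructed `nft list ruleset` and `sysctl` output for a Linux firewall host and reports each checkable control as PASS or FAIL. The interface name `eth0` (external), the internal prefixes, and the sample ruleset are assumptions for illustration. Fail-closed behaviour, near-real-time alerting and the dedicated-host requirement are not visible in a ruleset dump and must still be verified by other evidence.

```python
"""Audit a Linux firewall host against the checkable 25-7.1 firewall controls.

Added example, not from the PCI PIN document. Interface names, prefixes and
the sample command output below are constructed assumptions.
"""
import re

# Constructed sample of `nft list ruleset` output (not captured from a real host).
SAMPLE_RULESET = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname "eth0" ip saddr 10.0.0.0/8 drop
        iifname "eth0" ip saddr 192.168.0.0/16 drop
        iifname "eth1" tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "eth0" ip saddr 10.0.0.0/8 drop
        iifname "eth0" ip saddr 192.168.0.0/16 drop
        iifname "eth1" oifname "eth0" tcp dport 443 accept
    }
}
"""

# Constructed sample of `sysctl net.ipv4.conf` output.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.ip_forward = 1
"""

EXTERNAL_IF = "eth0"                                  # assumed Internet-facing interface
INTERNAL_PREFIXES = ["10.0.0.0/8", "192.168.0.0/16"]  # assumed internal address space


def parse_chains(ruleset):
    """Return {chain_name: {"policy": str | None, "rules": [str]}} from nft text."""
    chains, current = {}, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = re.match(r"chain (\S+) \{", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": None, "rules": []}
            continue
        if line == "}":
            current = None          # closes the chain (or the table, when current is None)
            continue
        if current is None or not line:
            continue
        pol = re.search(r"policy (\w+);", line)
        if line.startswith("type ") and pol:
            chains[current]["policy"] = pol.group(1)   # base-chain default policy
        else:
            chains[current]["rules"].append(line)
    return chains


def default_deny(chains):
    """Control: deny all services not explicitly permitted (policy drop on input/forward)."""
    return all(chains.get(c, {}).get("policy") == "drop" for c in ("input", "forward"))


def anti_spoof(chains):
    """Control: drop external-interface traffic whose source is an internal address.

    Each internal prefix needs a drop rule bound to the external interface in both
    the input and forward chains, and it must appear before any rule that accepts
    traffic arriving on that interface (nft evaluates rules in order).
    """
    for name in ("input", "forward"):
        rules = chains.get(name, {}).get("rules", [])
        ext_accepts = [i for i, r in enumerate(rules)
                       if f'iifname "{EXTERNAL_IF}"' in r and r.endswith("accept")]
        first_accept = ext_accepts[0] if ext_accepts else len(rules)
        for prefix in INTERNAL_PREFIXES:
            wanted = f'iifname "{EXTERNAL_IF}" ip saddr {prefix} drop'
            hits = [i for i, r in enumerate(rules) if r == wanted]
            if not hits or hits[0] > first_accept:
                return False
    return True


def source_routing_disabled(sysctl_text):
    """Control: disable source routing (accept_source_route = 0 for all, default, external)."""
    values = {}
    for line in sysctl_text.splitlines():
        if "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            values[key] = val
    keys = ("net.ipv4.conf.all.accept_source_route",
            "net.ipv4.conf.default.accept_source_route",
            f"net.ipv4.conf.{EXTERNAL_IF}.accept_source_route")
    return all(values.get(k) == "0" for k in keys)


def audit(ruleset=SAMPLE_RULESET, sysctl_text=SAMPLE_SYSCTL):
    """Evaluate the three checkable controls and return {control: passed}."""
    chains = parse_chains(ruleset)
    return {
        "default_deny": default_deny(chains),
        "anti_spoofing": anti_spoof(chains),
        "source_routing_disabled": source_routing_disabled(sysctl_text),
    }


if __name__ == "__main__":
    for control, ok in audit().items():
        print(f"{control:24} {'PASS' if ok else 'FAIL'}")
```

On a real host the two inputs would come from `nft list ruleset` and `sysctl net.ipv4.conf` run by the assessor; the ordering check in `anti_spoof` matters because an anti-spoofing drop placed after a broad accept on the external interface never fires.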