PCI Compliance: Implementing Effective PCI Data Security Standards

When thinking about securing a network, it is best to think of it in terms of defense-in-depth, or a layered security approach. It would be great if we could rely on one type of technology or a single device to provide all of our security, but that's not realistic. Some professionals use the analogy that security is like an onion: it has layers. No single layer stands alone, but together they're tough and solid. A firewall is one layer, but not necessarily the first layer. Figure 4.1 shows the different layers. The packet-filtering router that actually connects your company to the Internet is the first layer. Configure a small rule set on it to filter out basic unwanted traffic such as Internet Control Message Protocol (ICMP), finger, and anything else that you can live without ever crossing into your network space. The next layer is the devices that make up your internal network infrastructure: firewalls, intrusion detection systems (IDSes), and switches all contribute to this layer of security. Layer three is the host-based security that you might have installed on each host. Host-based intrusion detection, antivirus software, and the hardening of the operating system itself all belong to this layer. The fourth layer covers the application itself: any hardening of the application, its access controls, and file/library permissions fall into this layer. The final layer covers protecting the data itself, and encrypting the data stored on the system is one of the easiest ways to protect it.
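The following is an added example, not code from the book, that models the "small rule set" on the border router described above as a first-match packet filter with an implicit deny at the end. It strips ICMP and finger (TCP/79) at the edge, drops packets arriving from the Internet with a private source address, and admits only the two services the constructed example exposes. The addresses, ports and sample packets are all constructed values; the `Packet`, `Rule`, `evaluate` and `filter_batch` names are this example's own, not a vendor's configuration syntax.

```python
"""Minimal first-match packet-filter evaluator (added example, not from the book).

Rules are checked top to bottom, the first match decides, and anything that
matches no rule is dropped. Every address, port and packet here is a
constructed sample value.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    dport: Optional[int] = None   # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str = "any"                # "any" matches every protocol
    src: str = "0.0.0.0/0"            # source network in CIDR form
    dst: str = "0.0.0.0/0"            # destination network in CIDR form
    dport: Optional[int] = None       # None matches any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule; implicit deny otherwise."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def filter_batch(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [evaluate(rules, p) for p in packets]


# Constructed border rule set in the spirit of the first layer described above.
BORDER_RULES = [
    Rule("deny", proto="icmp", comment="no ICMP from the Internet"),
    Rule("deny", proto="tcp", dport=79, comment="finger has no business need"),
    Rule("deny", src="192.168.0.0/16",
         comment="private source address arriving from outside is spoofed"),
    Rule("permit", proto="tcp", dst="203.0.113.10/32", dport=443,
         comment="public web server (constructed address)"),
    Rule("permit", proto="udp", dst="203.0.113.53/32", dport=53,
         comment="public DNS (constructed address)"),
    # Everything else falls through to the implicit deny in evaluate().
]

# Constructed sample traffic as seen on the outside interface.
SAMPLE_PACKETS = [
    Packet("icmp", "198.51.100.7", "203.0.113.10"),           # ping -> deny
    Packet("tcp", "198.51.100.7", "203.0.113.10", 79),        # finger -> deny
    Packet("tcp", "198.51.100.7", "203.0.113.10", 443),       # HTTPS -> permit
    Packet("tcp", "192.168.1.5", "203.0.113.10", 443),        # spoofed src -> deny
    Packet("tcp", "198.51.100.7", "203.0.113.10", 22),        # SSH not exposed -> implicit deny
    Packet("udp", "198.51.100.7", "203.0.113.53", 53),        # DNS -> permit
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_batch(BORDER_RULES, SAMPLE_PACKETS)):
        print(f"{verdict:6} {pkt}")
```

The point the evaluator makes concrete is that the edge rule set is short precisely because the default is deny: nothing needs a rule unless the business exposes it, and the explicit deny lines for ICMP, finger and spoofed private sources sit first so that a later permit can never override them.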